USB Army Knife

<div align="center"> Introducing the USB Army Knife – the ultimate tool for penetration testers and red teamers. <img src="./docs/images/t-dongle-s3-side.png" width="400px"</img> </div>

Compact and versatile, this device packs a punch with its extensive capabilities, including USB HID attacks, mass storage emulation, network device impersonation and WiFi/Bluetooth exploits (thanks to our forked version of ESP32 Marauder).

Complete control over how and when your payloads are run. Plug in and execute, leave behind and trigger over WiFi, run on a timer or build a Hollywood-esq UI. Manage and deploy your attacks effortlessly using just a phone using a user-friendly Bootstrap web interface.

Want more? Deploy the agent and execute commands even when the machine is locked. Working over the serial interface egress is incredibly hard to detect. You can even view the victims screen over the devices' dedicated WiFi connection.

Equip yourself with the USB Army Knife and elevate your local access toolkit to the next level.

Testimonials

"Your device is evil. You are doing evil." - Mr. Peoples via X

Intro

There is a problem with physical access/USB attacks today. On their own, each attack doesn't provide enough of a solution to meet most objectives.

USB keyboard attacks (Ducky, HID&Run) require a logged on machine and even the best tools don’t provide a solution to this.
Networking attacks (poison tap and alike) might get you a password hash but often require something complex hanging out of an Ethernet port to get this back for offline cracking.
When you get on a box, what options do you still have for exfiltrating data when anything that opens a socket is getting sent to VT.

What was needed is a physical access platform that enables a suitable rogue to take the best bits of each attack and workaround their respective problems with another attack. Ideally this platform would be so cheap and covert that losing one wouldn't be an issue.

This is why I decided to create the USB Army Knife.

Want to become a USB Ethernet adapter PCAP the interface and egress it over WiFI? USB Army Knife.
Want to wrap your attacks in custom UI or just show a Hollywood interface when your attack has worked? USB Army Knife
Want a covert storage device? USB Army Knife
Want to deauth everyone on the WiFi, PCAP the renegotiation and email this to yourself when the machine has been left unlocked for offline cracking? USB Army Knife
Want your attack to destroy itself when it’s been found? USB Army Knife
What to connect to other bits of hardware, motion sensors and alike? USB Army Knife.
Want to view what’s on the victim's screen over WiFi? USB Army Knife.
Want to record what your victim is saying? USB Army Knife.

Video

This video shows how the ultimate rick roll works

https://github.com/user-attachments/assets/f373e18e-5cad-4871-9f2a-17523fa33398

This video shows how the USB PCAP functionality and has a brief peak at the web interface

https://github.com/user-attachments/assets/0d5b1485-b808-46c6-aaf7-7cf016088b8f

This video shows how to pull the victims machine once the agent has been installed

https://github.com/user-attachments/assets/3c866d29-ef26-4eaf-943b-1206b8c40101

Features

This project implements a variety of attacks based around an easily concealable USB/WiFi/BT dongle. The attacks include sending BadUSB (USB HID commands using DuckyScript), appearing as mass storage devices, appearing as USB network devices, and performing WiFi and Bluetooth attacks with ESP32 Marauder. Attacks are deployed using a Ducky-like language you probably already know and love. This language has been agumented with a raft of custom commands and even the entire ESP32 Marauder capability (improved). Attacks include:

USB HID Attacks: Send custom HID commands using DuckyScript, supports BadUSB & USB HID and run style attacks. Supports multiple keyboard layouts/languages.
Mass Storage Device: Emulate a USB mass storage device (USB drive and CDROM).
USB Network Device: Appear as a USB network device.
WiFi and Bluetooth Attacks: Utilize ESP32 Marauder for WiFi and Bluetooth attacks. Include EvilAP, Deauth and pcap.
Hot Mic: Plug in a USB device and stream audio over WiFi

Examples

| Name | Description | | ------------- | ------------- | | Covert Storage | Example showing how to masquerade as two different USB mass storage devices. The first time the device is plugged in the devices appears with the full contents of the micro SD card. In all subsequence attempts a different 'benign' drive appears. | | Progress Bar | Images are displayed on the devices LCD screen showing a progress bar. Great for those Hollywood style attacks or if you want a visual indicator to show an attack has deployed. | | Ultimate RickRoll | Inject keystrokes to display the famous rickroll video but also uses ESP32 Marauder to blast the lyrics over WiFi. | | USB Ethernet PCAP | Turns the device into a USB network adapter and collects a PCAP of the first few seconds of network traffic. | | Deploy the serial agent | Deploys the agent if it isn't already installed and sends commands over the serial port. Command output can be seen in the web interface| | Pull the screen | Deploys the agent, the agent includes a tiny VNC server. Now the screen can be viewed via the web interface| | Simple UI | A simple yet powerful UI to select scripts/images and run these using the hardware button. Shows how you can build complex UI interactions simply. | | Stream Mic audio over WiFi | The M5Stack AtomS3U has a microphone that you can stream over WiFi. | | Instantly crash Linux boxes | Deploy a bad filesystem which cause Linux machines which automount to panic. | | Evil USB CDROM/NIC | Pretend to be a USB NICs which requires a driver from a CDROM device that appears when you plug the NIC in. | | Use different keyboard layouts | Automatically support different keyboard layouts without rewriting your payloads |

Supported Hardware

| Hardware | Supported | Purchase Links | | ------------ | -------------- | -------------- | | LilyGo T-Dongle S3 (Recommended) screenshot | The LilyGo T-Dongle S3 is a USB pen drive shaped ESP32-S3 development board. It features a colour LCD screen, physical button, hidden/covert micro SD card adapter (inside the USB-A connector) as well as a SPI adapter. It has 16MB of flash. It is based on the ESP32-S3 chipset which enables it to host a WiFi station as well as support a range of WiFi and Bluetooth attacks. It is incredibly cheap! There are two versions of this device with and without the screen. Only the version with the screen has been tested. | <ul><li>AliExpress</li><li>Amazon UK</li><li>Amazon US</li><li>eBay UK</li></ul> | Evil Crow Cable Wind screenshot | The Evil Crow Cable Wind is a malicious implanted USB cable with a ESP32-S3 hidden inside, it comes in a couple of different variations. One end can be used for active USB attacks whilst the other is intended to charge a device. Its unique design makes it one of the most covert USB Army Knife capable devices. For this reason the device doesn't have a screen, SD card or LEDs or a good hardware button (there is one inside that requires the use of a magnet). Instead of an SD card, flash memory is used to store files. NOTE Whilst it's possible to run a wireless access point on these devices the unit can get very hot. To counter this USB Army Knife supports thermal throttling and will turn the WiFi off if the device is overheating. To completely avoid this issue you should connected to an existing wireless network (that than host an access point) or disable WiFI, the device then does not overheat. This device has specific install instructions | <ul><li>USB-A to USB-C AliExpress</li> <li>USB-C to USB-C AliExpress</li> </ul> | T-Watch S3 screenshot | The T-Watch S3 is a smart watch platform with a a ton of hardware packed inside including screen, WiFi, real time clock, mic, accelerometer, infrared, haptic feedback and a LoRa transceiver. Much of this is already suppo

USBArmyKnife

Install / Use

README