Since the first public appearance of HID Attacks (i.e. PHUKD, Kautilya, Rubberducky), many awesome researches and results have been published [i.e. Iron HID, Mousejack and the coolest USaBUSe].
Due this increased amount of nifty software, as Pentester and Red-Teamer, I wanted a cheap and dedicated hardware that I could remotely control (i.e. over WiFi or BLE). And this is how WHID was born.
Since the inception of my first HID injecting devices (based on Teensy boards, see photo below), I always faced the need to decide when deliver a certain payload. This was partially achieved by using Irongeek’s photoresistor and dip-switch tricks [1].
However, I soon realized that would be cool the full remote control over a radio channel. At the beginning, years ago, I was thinking to use some cheap 433 MHz TRX modules connected to the Teensy board… sadly due lack of time and other cool projects… this idea was dropped into my awesome-pentesting-tools to-do-list. 😋
What is WHID Injector?
At this point you are wondering what is behind WHID Injector and what are its capabilities. 😎
WHID stands for WiFi HID injector. It is a cheap but reliable piece of hardware designed to fulfill Red-Teamers & Pentesters needs related to HID Attacks, during their engagements.
The core of WHID is mainly an Atmega 32u4 (commonly used in many Arduino boards) and an ESP-12s (which provides the WiFi capabilities and is commonly used in IoT projects).
WHID’s Software
When I started to think about a remotely controlled HID injector and thus adding an ESP chipset to an Arduino-like board, I soon figured out that already exists some hardware that could fulfill my need: AprBrother’s Cactus Micro Rev2 (which was at EOL).
Nonetheless, I started to read ESP specs and think how to create a simple PoC sketch that would let me to upload remotely malicious payloads through the WiFi AP. And here it is [2] (I would like to thanks Corey from http://www.LegacySecurityGroup.com for his initial experiments).
Afterwards, with a working software on my hands, I wanted to improve the EOL Cactus Micro rev2 hardware (considering that is also compatible with USaBUSe [3]).
Overall, this is how my simple GUI looks (I know it looks awful, but works! 😁):
Third-Party Software Supported:
· ESPloit V2 — https://github.com/exploitagency/ESPloitV2
This is the upgraded version of my WHID GUI, which was developed by Corey from Exploit Agency! (Since July it is the default software you will find pre-installed into Cactus WHID!)
· USaBUSe — Github Repo
This awesome tool has been created by @RoganDawes from @SensePost.
It is more than a simple remote HID injector! It permits to bypass air-gapped environments and have a side-channel C&C communication over WHID’s ESP wifi!
o Further links:
· WiFi Ducky — Github Repo
This is a nice project developed by @spacehuhn and it brings even further my simplistic WHID’s software, by adding cool features like: realtime injection, ESP fw OTA update, etc.
· WiDucky — Github Repo
An older-but-cool project, which has the pro feature to use the ESP’s wifi as C&C communication channel. It also has its own Android app for remote control.
Some Video Tutorials
I will leave here a couple of videos about WHID Injector’s installation and capabilities.
Possible Applications
Classic — Remote Keystrokes Injection Over WiFi
Deploy WHID on Victim’s machine and remotely control it by accessing its WiFi AP SSID. (eventually, you can also setup WHID to connect to an existing WiFi network)
Social Engineering — Deploy WHID inside an USB-enable gadget
The main idea behind it, is to test for Social Engineering weaknesses within your target organization (e.g. DLP policy violations) and to bypass physical access restrictions to the victim’s PC.
Usually, I create a fancy brochure (sample template https://github.com/whid-injector/WHID/tree/master/tools/Social_Engineering_Lures ) attached with a weaponized USB gadget and then use a common delivery carrier (e.g. UPS, DHL, FedEx).
Conclusion
As you noticed from the 3rd Party Softwares above, WHID has a lot of potential. Not only to play the usual role of HID injector but also to bypass Air-Gapped environments.
If you would like to play with it… is FOR SALE on:
Aliexpress or eBay
So far, beta testers already provided very precious feedbacks to improve the final version of WHID. I’d like to thank @RoganDawes for suggesting to add the Hall Sensor as reset switch!
How To Weaponize USB Gadgets!
Finally I had some spare time to Weaponize a new Mouse, in order to show you how easy is possible to create malicious HID devices.
Materials Needed:
WHID Injector [x1]
Mini USB HUB [x1]
Wired USB Mouse [1]
Soldering Kit (Iron, Flux, etc.)
Wires
Rubber Tape
Bit of Hot Glue
First of all let’s start ripping a part one mini USB HUB.
Usually I do use one of these two:
Mini USB Mouse from Aliexpress
NanoHub USB from Tindie
For this project I have used the first one, since was cheaper and already available in my lab.
Next step is to desolder all those wires, while keeping notes of its pinouts (i.e. GND, D+, D-, Vcc) since we will have to match the USB pinouts with the WHID Injector.
Afterwards, we will have to solder the wires to the WHID Injector as explained in its Wiki.
GND D+ D- Vcc
At this point, we need to solder back the wires in the USB HUB and connect WHID Injector to it. In my case the colors were:
Here below how it looks like once everything is assembled:
Now the tricky part is to put everything back into the plastic case… and voila’ the final result!
Now we test if everything work properly and start thinking of which payloads we can deploy, on-demand and remotely, into the targeted machines. 😎
Here below I recorded a couple of PoCs about some useful payloads I am used to use during engagements. Enjoy!
You will see how WHID can easily help pentesters to exfiltrate domain credentials with both Phishing Technique and Mimikatz (FUDed) In-Memory.
P.S. These payloads are available at: