BadUSB cable based on Attiny85 microcontroller with data line enabled.
Idea: Joel Serna & Ernesto Sánchez
Development and implementation: Joel Serna & Ernesto Sánchez
PCB design: AprilBrother
Manufacturer and distributor: AprilBrother (@aprbrother).
Distributor from United Kingdom: KSEC Worldwide (@KSEC_KC).
Other collaborators: Ignacio Díaz & Forensic Security, Innovart & Jorge Mata, Roland Santiago, Luca Bongiorni, Marcus Mengs, Mike Groover...
The developers and collaborators of this project do not earn money with this. You can invite me for a coffee to further develop Low-Cost hacking devices. If you don't invite me for a coffee, nothing happens, I will continue developing devices.
For sale with April Brother (shipping from China):
For sale with KSEC Worldwide (shipping from United Kingdom):
- Evil Crow Cable: https://labs.ksec.co.uk/product/evil-crow-cable/
Summary:
- Acknowledgement
- Introduction
- Disclaimer
- Installation
- Bootloader
- Basic requirements (Ubuntu and Windows)
- Installation of Digispark USB Driver (Only Windows)
- Installation and update of Micronucleus Windows (Only Windows, not tested)
- Installation and update of Micronucleus Ubuntu (Only Ubuntu)
- Upload Payloads (Ubuntu and Windows)
- Payloads (Ubuntu and Windows)
- VM for dummies
- Data line information
- Attack options
PCB design first version (Rev0): Innovart & Innovart
* Jorge Mata: @jor_mata
* Innovart: @innovart_cc
* https://innovart.cc
PCB design Rev version (Rev1, Rev2, Rev3 and Rev3.1): Ignacio Díaz & ForensicSecurity
* Ignacio Díaz: @Ignacio Díaz Álvarez
* Forensic & Security: @ForensicSec
* https://forensic-security.com
PCB design final version, manufacturer and distributor: AprilBrother
* Website: https://aprbrother.com
* Twitter: @aprbrother
Tests and information:
* Roland Santiago (@Santpapen)
* Luca Bongiorni (@LucaBongiorni)
* Marcus Mengs (@mame82)
* Mike Groover (@_MG_)
Evil Crow cable is a BadUSB device based on Attiny85 microcontroller with data line enabled. For more information you can read the following repository:
https://github.com/joelsernamoreno/BadUSB-Cable
Evil Crow Cable is a basic device for professionals and cybersecurity enthusiasts. This device was developed to show security breaches in USB peripherals.
AprilBrother and the collaborators of this project are not responsible for the incorrect use of Evil Crow cable.
We recommend using this device for testing, learning and fun :D
AprilBrother burned the bootloader at Evil Crow cable. You don't have to do anything in this section.
- Update Ubuntu packages with the following commands (only Ubuntu):
- sudo apt update
- sudo apt upgrade
- Download Arduino IDE: https://www.arduino.cc/en/Main/Software
- Install libusb and lib32stdc with the following commands (only Ubuntu):
- sudo apt install libusb-dev
- sudo apt install lib32stdc++6
- Install build-essential with the following command (only Ubuntu):
- sudo apt install build-essential
- Download DigisparkKeyboard library with multiple layout support: https://github.com/ernesto-xload/DigisparkKeyboard
- Unzip library in Arduino/libraries/directory
- Edit DigiKeyboard.h file and uncomment #define kbd_es_es
- Change #define kbd_es_es for your keyboard layout and save the changes
- Run Arduino IDE with the following commands (NOTE: Don't install the Arduino IDE, just run it!)
- cd arduino-1.X.XX-linux64/arduino-1.X.XX/ (example: cd arduino-1.8.10-linux64/arduino-1.8.10/)
- ./arduino (NOTE: Do not run the Arduino IDE with root permissions!)
- Click File and then Preferences
- Add the JSON URL to the Additional Boards Manager text box: http://digistump.com/package_digistump_index.json
- Click OK
- Click Tools > Board > Board Manager
- Search and Install: Digistump AVR Boards
- Close the Arduino IDE
- Download Arduino IDE: https://www.arduino.cc/en/Main/Software
- Install drivers: https://raw.githubusercontent.com/digistump/DigistumpArduino/master/tools/micronucleus-2.0a4-win.zip
- Download DigisparkKeyboard library with multiple layout support (Ubuntu and Windows): https://github.com/ernesto-xload/DigisparkKeyboard
- Unzip library in Arduino/libraries/directory
- Edit DigiKeyboard.h file and uncomment #define kbd_es_es
- Change #define kbd_es_es for your keyboard layout and save the changes
- Run Arduino IDE
- Click File and then Preferences
- Add the JSON URL to the Additional Boards Manager text box: http://digistump.com/package_digistump_index.json
- Click OK
- Click Tools > Board > Board Manager
- Search and Install: Digistump AVR Boards
- Close the Arduino IDE
- Download Arduino for Digispark which come with USB driver: http://sourceforge.net/projects/digistump/files/
- Extract the file (DigisparkArduino-Win32-1.0.4-March29.zip) to any folder
- Execute DigisparkArduino-Win32\DigisparkWindowsDriver\InstallDriver.exe to start installing the USB driver
https://github.com/micronucleus/micronucleus
- Create the 49-micronucleus.rules file in the /etc/udev/rules.d/ directory.
- Copy the contents to the file you just created: https://github.com/micronucleus/micronucleus/wiki/Ubuntu-Linux
- Reboot the computer or run the following command to update the UDEV rules: udevadm control --reload-rules
- Download Micronucleus with the following command: git clone https://github.com/micronucleus/micronucleus.git
- Access the micronucleus/commandline directory with the following command: cd micronucleus/commandline
- Compile with the following command: make
- Access the .arduino15/packages/digistump/tools/micronucleus/2.0a4 directory with the following command: cd ~/.arduino15/packages/digistump/tools/micronucleus/2.0a4/
- Create a backup of Micronucleus with following command: mv micronucleus micronucleus.old
- Copy the latest version of Micronucleus to this directory with the following command: cp ~/PATH/micronucleus/commandline/micronucleus .
- Reboot
- Download payloads: https://github.com/joelsernamoreno/badusb_examples/tree/master/attiny85_digispark
- Run Arduino IDE with the following commands (NOTE: Don't install the Arduino IDE, just run it!)
- cd arduino-1.X.XX-linux64/arduino-1.X.XX/ (example: cd arduino-1.8.10-linux64/arduino-1.8.10/)
- ./arduino (NOTE: Do not run the Arduino IDE with root permissions!)
- Open Payload with Arduino IDE
- Click tools and select Board: Digispark (Default - 16.5 Mhz)
- Click Upload
- Connect the BadUSB cable when the Arduino IDE says to connect it.
- Download payloads: https://github.com/joelsernamoreno/badusb_examples/tree/master/attiny85_digispark
- Run Arduino IDE
- Open Payload with Arduino IDE
- Click tools and select Board: Digispark (Default - 16.5 Mhz)
- Click Upload
- Connect the BadUSB cable when the Arduino IDE says to connect it.
Demo video: https://twitter.com/JoelSernaMoreno/status/1181296289323130882?s=19
You can get payloads in the following repository:
https://github.com/joelsernamoreno/badusb_examples/tree/master/attiny85_digispark
- Download VM: https://mega.nz/#!dtBmgQIY!4iiRBmrM1v42V-EDzVBr9dvOznbAHK-9jp3wK9BgMlo
- Download and install VMWare: https://www.vmware.com/
- Run VMware
- Import Ubuntu.ova
- Install VMWare-Tools: https://vitux.com/how-to-install-vmware-tools-in-ubuntu/
- Add serial port with the following steps:
- Click on VM -> Settings
- Click on +Add...
- Select serial port
- Click on finish
- Add USB controller with the following steps:
- Click on VM -> Settings
- Click on +Add...
- Select USB controller
- Click on finish
- Run Ubuntu VM
- Enter password (password: evilcrowcable)
- Open a terminal (CTRL+ALT+T)
- Run Arduino IDE with the following commands:
- cd arduino-1.8.10-linux64/arduino-1.8.10/
- ./arduino (NOTE: Do not run the Arduino IDE with root permissions!)
- Open a payload /home/evilcrowcable/attiny85_digispark/
- Click tools and select Board: Digispark (Default - 16.5 Mhz)
- Click Upload
- Connect the BadUSB cable when the Arduino IDE says to connect it.
Demo video: https://twitter.com/JoelSernaMoreno/status/1181296289323130882?s=19
Before using the data line in Evil Crow cable, read the following information:
The data line has been enabled with the published basic schema. Controlling the data line in Evil Crow cable is difficult because it does not have a USB hub inside.
When you connect a multimedia device (e.g. smartphone, mp3, etc.) to Evil Crow cable, the data line is in front of the Attiny85 microcontroller. This blocks the execution of the payload while the multimedia device is connected.
You can understand this with the following basic image. Anyway, in the section "Attack options", you can see the payload execution situations with/without the data line:
The following attack scenarios show the correct use of payload and data line execution:
- Evil Crow cable is connected to a PC: the payload is executed.
- Evil Crow cable and a multimedia device are connected at the same time to a PC: The data line is enabled and you can see the Mass Storage of the multimedia device, but the payload does not run.
- Evil Crow cable is connected to a PC and after running the payload, you connect a multimedia device: The data line is enabled, but you have to wait 10-15 seconds before connecting the multimedia device. If you connect before 10-15 seconds the multimedia device, you may have errors.
- First Evil Crow cable and a multimedia device connect to a PC at the same time (Mass Storage enabled), then disconnect the multimedia device: the payload is executed.
Demo video: https://twitter.com/JoelSernaMoreno/status/1189658626929111040?s=19
Note: You can consider the data line as proof of concept (PoC). In future versions the data line may be more advanced.
Contact for questions: * Twitter: @JoelSernaMoreno