# USBNinja

TL;DR: A bunch of hackers went and created a BadUSB in cable form that still charges the phone.

## Introduction <a href="#introduction" id="introduction"></a>

As Red Teamers we are always looking for means to compromise machines. Karsten Nohl had released his research on BadUSB: <https://threatpost.com/badusb-patch-skirts-more-effective-options/108775/>

Looking around, there were soon devices such as Hak5's RubberDucky\[1] and BashBunny, which were created to emulate a Human Interface Device (HID). Essentially these were programmable USB drives that would simulate a keyboard or mouse and enter keystrokes into the target machine they're plugged into.

The most common form of this attack is where the attacker physically plugs a USB device into an unlocked machine, and the device inputs the necessary keyboard shortcuts and keystrokes to execute a malware implant. On Windows this could be `Windows Key + R` to trigger the Run prompt, then typing in a command to fetch and execute a payload. On Mac it could be launching Terminal, then typing in a payload.
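Keystroke-injection devices typically type much faster than a person, so a defender can look for that pattern in per-device keystroke timing. The following is an added example, not code from the original post or the USBNinja project; the event format, device labels and thresholds are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed thresholds, illustrative only; tune against real typing data.
MAX_GAP_MS = 30   # gaps shorter than this are treated as machine-speed
MIN_RUN = 8       # consecutive machine-speed keystrokes needed to flag

@dataclass
class Event:
    ts_ms: int    # timestamp in milliseconds
    device: str   # hypothetical device label
    kind: str     # "attach" or "key"
    key: str = ""

def longest_fast_run(times):
    """Length of the longest run of keystrokes separated by < MAX_GAP_MS."""
    best = run = 1 if times else 0
    for prev, cur in zip(times, times[1:]):
        run = run + 1 if cur - prev < MAX_GAP_MS else 1
        best = max(best, run)
    return best

def flag_injection(events):
    """Map device -> details for devices whose keystroke timing looks scripted."""
    attached, keys = {}, {}
    for e in sorted(events, key=lambda e: e.ts_ms):
        if e.kind == "attach":
            attached[e.device] = e.ts_ms
        elif e.kind == "key":
            keys.setdefault(e.device, []).append(e)
    flagged = {}
    for dev, ks in keys.items():
        # Timing is checked over the whole session, not only right after attach.
        run = longest_fast_run([k.ts_ms for k in ks])
        if run >= MIN_RUN:
            first = ks[0]
            flagged[dev] = {
                "fast_run": run,
                "first_key": first.key,
                "ms_from_attach_to_first_key": first.ts_ms - attached.get(dev, first.ts_ms),
            }
    return flagged

# Constructed sample events (not captured from a real device).
SAMPLE = [Event(0, "desk-keyboard", "attach"), Event(100_000, "cable", "attach"),
          Event(100_500, "cable", "key", "WIN+R")]
SAMPLE += [Event(101_000 + 5 * i, "cable", "key", "x") for i in range(12)]
SAMPLE += [Event(200_000 + 180 * i, "desk-keyboard", "key", "x") for i in range(20)]

if __name__ == "__main__":
    print(flag_injection(SAMPLE))
```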

## Masquerade <a href="#masquerade" id="masquerade"></a>

We've always known that users cannot be trusted. Social engineering has proven this over the years, being at the root of many breaches. In my opinion the RubberDucky, the BadUSB, just looks too suspicious. Many users are now being made aware that USBs are bad, and we shouldn't just plug them in.

We set out to make a different device, one that is more covert and can masquerade as a legitimate day-to-day device.

## USBNinja <a href="#usbninja" id="usbninja"></a>

My friends have worked closely with our Red Team expertise and practical experience to craft a new device known as the USBNinja. The USBNinja can come in many forms; the one that we will show you in this blog post is the USB charging cable. We've got other options such as conference dongles, USB fans\[2], and more.

![](https://vincentyiu.co.uk/content/images/2018/08/WeChat-Image_20180817213230.jpg)

Of course, images don't really demonstrate capabilities, as all you can see is a cable. We've uploaded a quick demonstration video to YouTube:

{% embed url="<https://youtu.be/6mDspyi5ROw>" %}

## Conclusion <a href="#conclusion" id="conclusion"></a>

I've spoken to people at different labs who have had hardware expertise. Some also attempted the same project, but were not able to make the cable charge for whatever reason. My team of friends have managed to weaponize this capability to make a fully working USB cable also a compatible HID device.

Next-generation devices are coming with hidden contraptions using triggers such as magnets for physical mode switching, or even Bluetooth for arbitrary on-the-fly execution from a distance. These are in progress as we speak.

## Credits <a href="#credits" id="credits"></a>

Vincent Yiu - Blog post, software, weaponization\
Olaf Tan - ProxGrind\
Dennis Goh - RFID Research Group\
Kevin Mitnick - Mitnick Security Consulting

![](https://vincentyiu.co.uk/content/images/2018/07/qr.png)

## References <a href="#references" id="references"></a>

\[1]: <https://hakshop.com/products/usb-rubber-ducky-deluxe>\
\[2]: <https://www.washingtonpost.com/technology/2018/07/03/what-was-usb-fan-given-trump-kim-summit-security-experts-say-nothing-but-dont-plug-it/?noredirect=on&utm_term=.e0362077a5d0>

