Arduino BadUSB - Emulating a malicious HID device

Overview

A custom-built BadUSB using an Arduino Micro, designed to emulate a malicious USB device for privilege escalation and payload delivery.

Hardware Used

  • Arduino Micro
  • USB stick (purchased online for ~£5)
  • Micro USB to USB adapter
  • Plastic glue
  • Heat gun (for disassembling the USB stick)

Software Used

  • Arduino IDE (for programming the Arduino)
  • Custom HID (Human Interface Device) script for payload delivery, generated with a compiler that converts Hak5 Rubber Ducky payloads into Arduino code
  • Duckyscript (for scripting payload execution)

Features

  • Emulates a USB keyboard or mouse, enabling automatic payload execution on the target system.
  • Executes predefined scripts on the target machine (e.g., open a terminal and run commands).
  • Concealed in a regular USB casing for stealthy deployment.
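
Because the device works by presenting itself as a keyboard, one defender-side check is keystroke timing per input device. The sketch below is an added example, not part of the original project; the thresholds, the event format and the device names are assumptions, and the sample data is constructed.

```python
from statistics import median

# Assumed thresholds (tune per environment); not taken from the original page.
MIN_KEYS = 15            # ignore short bursts
MAX_MEDIAN_GAP_MS = 20   # sustained human typing is well above this
ATTACH_WINDOW_MS = 5000  # typing that starts this soon after plug-in is suspect


def flag_injection(attach_ms, key_times_ms):
    """Return a list of reasons this keyboard looks scripted (empty if none)."""
    reasons = []
    times = sorted(key_times_ms)
    if len(times) < MIN_KEYS:
        return reasons
    gaps = [b - a for a, b in zip(times, times[1:])]
    if median(gaps) <= MAX_MEDIAN_GAP_MS:
        reasons.append("machine-speed typing")
        if times[0] - attach_ms <= ATTACH_WINDOW_MS:
            reasons.append("typing began right after attach")
    return reasons


def scan(devices):
    """devices: {device_id: (attach_ms, [key timestamps])} -> {device_id: reasons}"""
    flagged = {}
    for dev, (attach_ms, keys) in devices.items():
        reasons = flag_injection(attach_ms, keys)
        if reasons:
            flagged[dev] = reasons
    return flagged


# Constructed sample data: timestamps in milliseconds since boot.
SAMPLE = {
    # Newly attached keyboard: 40 keys, 5 ms apart, starting 1.2 s after enumeration.
    "usb-1.2": (10_000, [11_200 + 5 * i for i in range(40)]),
    # Long-attached keyboard: a person typing with uneven 90-260 ms gaps.
    "usb-1.1": (0, [60_000 + sum([90, 140, 260, 110, 180][j % 5] for j in range(i))
                    for i in range(40)]),
}

if __name__ == "__main__":
    for dev, reasons in scan(SAMPLE).items():
        print(dev, "->", ", ".join(reasons))
```
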

Result

A fully functional BadUSB that mimics a regular USB stick but can execute commands on any machine it is plugged into, enabling remote control via reverse shells or privilege escalation.

My Thoughts

I really enjoyed this project as it allowed me to experiment with software as well as modifying hardware.

The process of hiding the Arduino inside the USB was challenging due to space limitations. If I revisit this, I would add features like a micro SD slot for copying files from targets.

This project shows the potential risks of BadUSB attacks and highlights the importance of good security habits such as locking computers when not in use.