This project upgrades from WiFi Duck and uses the native USB function of the ESP32 S/3 chip. It further contains specific adaptations for the ThingPulse Pendrive S3.
Please read the install and flash parts below; they are different from the original project.
Want to learn more about BadUSBs? Check out WIFIDuck's online course: learnbadusb.com
Video Demo:
- Super WiFi Duck
WiFi Duck: This open-source project aims to provide a user-friendly tool to learn about keystroke injection attacks and 'BadUSBs'.
By emulating a USB keyboard, tools like this can gain full access to any computer with a USB port in a matter of seconds!
This is made possible by the fact that keyboards are trusted by computers. You can have full control over a computer with just a keyboard.
A BadUSB pretends to be a keyboard to the computer to send keystrokes.
But unlike a human, it can type hundreds of characters per second.
By using a simple scripting language, it's easy to make BadUSBs type whatever you want.
With the WiFi Duck, you can simply connect via WiFi to manage all scripts from within a web interface. This means that, unlike other BadUSBs, you don't need to install an app, log in, compile or copy scripts to an SD card.
- Plug in your WiFi Duck
- Connect to the WiFi network `wifiduck` with the password `wifiduck`
- Open a browser and visit `192.168.4.1`
- Write, save and run your first Ducky Script
- [Recommended] Open `Settings` (top right corner) and update SSID and password
Help, I forgot the password:
Flash the ESP32, but make sure that you select `Erase Flash: Sketch + WiFi Settings` under Tools in the Arduino IDE.
If you have further questions, check out the issue section.
- Install PlatformIO
- Build and flash the firmware:
  ```sh
  pio run -e thingpulse-pendrive-s3 -t upload
  ```
- See usage chapters
Keys are separated by a single space.
Everything written in a single line gets pressed and released at the same time.
To write text, use the STRING function.
It's compatible with Ducky Script, which was developed by the wonderful people at Hak5.
| Example | Explanation |
|---|---|
| `WINDOWS`<br>`r` | Type the Windows key and then the r key |
| `WINDOWS r` | Press the Windows key and the r key simultaneously |
| `STRING WINDOWS r` | Write WINDOWS r |
| Command | Example | Description |
|---|---|---|
| REM | REM Hello World! | Comment |
| DEFAULTDELAY or DEFAULT_DELAY | DEFAULTDELAY 200 | Time in ms between every command |
| DELAY | DELAY 1000 | Delay in ms |
| STRING | STRING Hello World! | Types the following string |
| REPEAT or REPLAY | REPEAT 3 | Repeats the last command n times |
| LOCALE | LOCALE DE | Sets the keyboard layout. List |
| KEYCODE | KEYCODE 0x02 0x04 | Types a specific key code (modifier, key1[, ..., key6]) in decimal or hexadecimal |
| LED | LED 40 20 10 | Changes the color of the LED in decimal RGB values (0-255) |
| MOUSE | MOUSE 40 -30 | Moves the mouse cursor 40 pixels to the right and 30 pixels up |
| CLICK or MOUSE_CLICK | MOUSE_CLICK 1 | Simulates a mouse left click (Left: 1, right: 2, middle: 4, back: 8, forward: 16, all: 31) |
| PRESS or MOUSE_PRESS | MOUSE_PRESS 2 | Simulates a mouse right press (Left: 1, right: 2, middle: 4, back: 8, forward: 16, all: 31) |
| RELEASE or MOUSE_RELEASE | MOUSE_RELEASE 4 | Simulates a mouse forward release (Left: 1, right: 2, middle: 4, back: 8, forward: 16, all: 31) |
| SCROLL or MOUSE_SCROLL | MOUSE_SCROLL 0 10 | Simulates a usage of the mouse wheel by 10 pixels vertically |
| Key |
|---|
| a - z |
| A - Z |
| 0 - 9 |
| F1 - F12 |

| Key |
|---|
| CTRL or CONTROL |
| SHIFT |
| ALT |
| WINDOWS or GUI |

| Key |
|---|
| ENTER |
| MENU or APP |
| DELETE |
| HOME |
| INSERT |
| PAGEUP |
| PAGEDOWN |
| UP or UPARROW |
| DOWN or DOWNARROW |
| LEFT or LEFTARROW |
| RIGHT or RIGHTARROW |
| TAB |
| END |
| ESC or ESCAPE |
| SPACE |
| PAUSE or BREAK |
| CAPSLOCK |
| NUMLOCK |
| PRINTSCREEN |
| SCROLLLOCK |

| Key |
|---|
| PLAYPAUSE |
| STOP |
| NEXTTRACK |
| PREVTRACK |
| VOLUME_MUTE |
| VOLUME_UP |
| VOLUME_DOWN |
| BRIGHTNESS_UP |
| BRIGHTNESS_DOWN |
| SUSPEND |
| CALCULATOR |
| SEARCH |
| HOME |
| BACK |
| FORWARD |
| STOP |
| REFRESH |
| POWER |
| RESET |
| SLEEP |

| Key |
|---|
| NUM_0 - NUM_9 |
| NUM_ASTERIX |
| NUM_ENTER |
| NUM_MINUS |
| NUM_DOT |
| NUM_PLUS |
```
REM Hello World for Windows PCs
DEFAULTDELAY 200
GUI r
STRING notepad
ENTER
STRING Hello World!
```
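As an added example (not code from the project), the rules in the tables above applied by a small C analyzer: it walks a script line by line, telling a chord such as `WINDOWS r` apart from the two separate lines `WINDOWS` and `r` and from `STRING WINDOWS r`, and totals the delays, so a script found on a device can be assessed on a PC without plugging anything in. It assumes the default delay is added after every command except REM and DEFAULTDELAY.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not the project's parser: a static analyzer that applies the Ducky
 * Script rules above (one line = one chord pressed together, STRING = typed text,
 * DELAY, DEFAULTDELAY, REPEAT) to a script on a PC, to see what it would do and how
 * long it would take, without emulating a keyboard. Assumption: the default delay
 * is inserted after every command except REM and DEFAULTDELAY. */
typedef struct {
    int chords, keys, chars;  /* chords: lines pressed together; keys: names in them; chars: STRING text */
    long delay_ms;            /* DELAY time plus the accumulated default delays */
} duck_stats;

static int starts_with(const char *s, const char *word) {
    size_t n = strlen(word);
    return strncmp(s, word, n) == 0 && (s[n] == ' ' || s[n] == '\0');
}

/* Apply one line (anything except REPEAT) to the running stats. */
static void apply_line(const char *line, duck_stats *s, long *defdelay) {
    const char *arg = strchr(line, ' ') ? strchr(line, ' ') + 1 : "";
    if (starts_with(line, "REM")) return;
    if (starts_with(line, "DEFAULTDELAY") || starts_with(line, "DEFAULT_DELAY")) { *defdelay = atol(arg); return; }
    if (starts_with(line, "DELAY")) s->delay_ms += atol(arg);
    else if (starts_with(line, "STRING")) s->chars += (int)strlen(arg);
    else {                                    /* a chord: key names separated by single spaces */
        s->chords++; s->keys++;
        for (const char *p = line; *p; p++) s->keys += (*p == ' ');
    }
    s->delay_ms += *defdelay;
}

duck_stats duck_analyze(const char *script) {
    duck_stats s = {0, 0, 0, 0}; long defdelay = 0;
    char prev[256] = "", line[256];
    while (*script) {
        size_t n = strcspn(script, "\n"), copy = n < sizeof line ? n : sizeof line - 1;
        memcpy(line, script, copy);
        line[copy] = '\0';
        if (copy && line[copy - 1] == '\r') line[copy - 1] = '\0';   /* tolerate CRLF scripts */
        script += n + (script[n] == '\n');
        if (line[0] == '\0') continue;
        if (starts_with(line, "REPEAT") || starts_with(line, "REPLAY")) {
            int times = atoi(strchr(line, ' ') ? strchr(line, ' ') + 1 : "0");
            for (int i = 0; prev[0] && i < times; i++) apply_line(prev, &s, &defdelay);
        } else {
            apply_line(line, &s, &defdelay);
            strcpy(prev, line);
        }
    }
    return s;
}
```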
The command line interface or CLI is accessible using a serial connection to the ESP8266 (115200 baud, Newline ending) or via the web interface at 192.168.4.1/terminal.html.
| Command | Description | Example |
|---|---|---|
| help | Returns all available commands | help |
| ram | Returns available memory in bytes | ram |
| version | Returns version number | version |
| settings | Returns list of settings | settings |
| set -n/ame -v/alue | Sets value of a specific setting | set ssid "why fight duck" |
| reset | Resets all settings to their default values | reset |
| status | Returns status of i2c connection with Atmega32u4 | status |
| run <...> | Starts executing a Ducky script | run example.txt |
| stop <...> | Stops executing a Ducky script | stop example.txt |
| Command | Description | Example |
|---|---|---|
| mem | Returns available, used and free memory of SPIFFS in bytes | mem |
| format | Formats SPIFFS | format |
| ls <...> | Returns list of files | ls / |
| create <...> | Creates file | create example.duck |
| remove <...> | Deletes file | remove example.duck |
| cat <...> | Returns content of file | cat example.duck |
| rename -fileA,a -fileB,b | Renames file | rename example.duck example.txt |
| write -f/ile -c/ontent | Writes (appends) data to file | write example.txt "Hello World!" |
| stream <...> | Opens file stream | stream example.txt |
| close | Closes file stream | close |
| read | Reads and returns the result from file stream | read |
If a stream is open, everything you type (except messages containing exactly `close` or `read`) will be written to the file until you type `close`!
The original debug module doesn't work right now.
To debug, please use `ESP_LOGE` to display information via the COM port.
If you would like to modify the web interface, you can!
The `web/` folder contains all .html, .css and .js files.
You can edit and test them locally as long as you're connected to the WiFi Duck network, thanks to the websocket connection handled by JavaScript in the background.
The files in the `web/` folder are listed in platformio.ini and linked into the firmware binary.
The default VendorID/ProductID is that of Espressif Systems.
To emulate a different brand of keyboard, modify the build parameters in platformio.ini. For example:

To emulate an Apple Keyboard:
```
-D USB_VID=0x05ac
-D USB_PID=0x0267
-D USB_MANUFACTURER='"Apple Inc."'
-D USB_PRODUCT='"Apple Magic Keyboard"'
```

To emulate an IBM Keyboard:
```
-D USB_VID=0x04b3
-D USB_PID=0x4604
-D USB_MANUFACTURER='"IBM Corp."'
-D USB_PRODUCT='"IBM Keyboard"'
```

Additional VendorID/ProductIDs are available on devicehunt.com.
Currently supported keyboard layouts:
- DE
- GB
- US
- ES
- DK
- RU
- FR
- BE
- PT
- IT
- SK
- CZ
- SI
- BG
- CA-FR
- CH-DE
- CH-FR
- HU
All standard keys are defined in usb_hid_keys.h.
To translate a keyboard layout, you have to match each character on your keyboard to the one(s) of a US keyboard.
This stuff is hard to explain in writing and requires a lot of manual work and testing.
- Copy one of the existing layout files, like locale_us.h. Preferably one that is close to your keyboard layout; it will save you time!
- Add `#include "locale_xx.h"` to the end of the locales.h file.
- Rename the file and its variables to your language code. For example:
  - `locale_xx.h` -> `locale_de.h`
  - `ascii_xx` -> `ascii_de`
  - `locale_xx` -> `locale_de`
  - `utf8_xx` -> `utf8_de`
  - `combinations_xx` -> `combinations_de`
- Modify the ASCII array.
  The ASCII array has a fixed size. Each row describes a key: first a modifier key like `KEY_MOD_LSHIFT`, then a character key. Some ASCII characters can't be typed or don't require a modifier; that's where you must place `KEY_NONE`. Check usb_hid_keys.h for the available keys.
  If multiple modifiers are required, you must use a bitwise OR to connect them: `KEY_MOD_RALT | KEY_MOD_LSHIFT`.
  For example, in locale_de.h `Z` is saved as `KEY_MOD_LSHIFT, KEY_Y`. This is because German keyboards use QWERTZ instead of the QWERTY layout, and since the letter is uppercase, shift must be pressed as well.
  Thankfully you don't have to trial and error everything: the Hak5 community has already translated a lot of layouts here. It's just written in a different syntax. For example, `ASCII_20` (20 in hexadecimal) is the 32nd character in our ASCII array.
- [deprecated] Modify or create the extended ASCII array.
  The extended ASCII array doesn't have a fixed size and is only as long as you make it. First comes the character code. For example, ä has the index 132, or 84 in hex. It doesn't use a modifier and sits where the apostrophe key is on a US keyboard:
  ```cpp
  0x84, KEY_NONE, KEY_APOSTROPHE, // ä
  ```
- Modify or create the UTF-8 array.
  The UTF-8 array is variable in length, too. The first 4 bytes are the character code. For example, Ä has the hex code c384 or 0xc3 0x84. The other 2 bytes are not used, so we set them to 0. Because the letter is uppercase, we need to press the shift key, and like before, the letter is typed by pressing the same key as the apostrophe key of a US keyboard:
  ```cpp
  0xc3, 0x84, 0x00, 0x00, KEY_MOD_LSHIFT, KEY_APOSTROPHE, // Ä
  ```
- Edit the hid_locale_t structure.
  If you renamed all variables accordingly, there's nothing left to do.
- Go to duckparser.cpp at `// LOCALE (-> change keyboard layout)`; you can see a bunch of else if statements. You need to copy one for your layout.
  Before adding the GB layout:
  ```cpp
  if (compare(w->str, w->len, "US", CASE_SENSETIVE)) {
      keyboard::setLocale(&locale_us);
  } else if (compare(w->str, w->len, "DE", CASE_SENSETIVE)) {
      keyboard::setLocale(&locale_de);
  }
  ```
  After adding the GB layout:
  ```cpp
  if (compare(w->str, w->len, "US", CASE_SENSETIVE)) {
      keyboard::setLocale(&locale_us);
  } else if (compare(w->str, w->len, "DE", CASE_SENSETIVE)) {
      keyboard::setLocale(&locale_de);
  } else if (compare(w->str, w->len, "GB", CASE_SENSETIVE)) {
      keyboard::setLocale(&locale_gb);
  }
  ```
- Test your layout with a Ducky Script that contains all characters of your keyboard. For example:
  ```
  LOCALE DE
  STRING !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_abcdefghijklmnopqrstuvwxyz{|}~²³äöüÄÖÜß€°§`
  ENTER
  ```
- Add a link to your layout to the README and to web/index.html, and please feel free to improve this tutorial to help future translators!
- Create a Pull Request
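To make the ASCII and UTF-8 array steps above concrete, here is an added example (not the project's own code) of a hypothetical subset of locale_de.h together with the lookup those tables imply, so rows can be checked on a PC before flashing. The key constants are standard USB HID usage IDs, numbered like usb_hid_keys.h, and only the rows needed for the text's examples (Z, ä, Ä) plus @ and € are filled in.

```c
#include <stdint.h>
#include <string.h>

/* Added example, not the project's own code: a hypothetical subset of a locale_de.h
 * laid out the way the tutorial describes, plus the lookup those tables imply, so a
 * translator can check rows on a PC before flashing. The key values are standard
 * USB HID usage IDs, numbered like usb_hid_keys.h. */
enum { KEY_NONE = 0x00, KEY_E = 0x08, KEY_Q = 0x14, KEY_Y = 0x1c, KEY_Z = 0x1d,
       KEY_APOSTROPHE = 0x34, KEY_MOD_LSHIFT = 0x02, KEY_MOD_RALT = 0x40 };

/* ASCII array: fixed size, one (modifier, key) row per character code.
 * Rows left out stay KEY_NONE, KEY_NONE, meaning "cannot be typed". */
static const uint8_t ascii_de[128][2] = {
    ['y'] = {KEY_NONE, KEY_Z},        /* QWERTZ: y sits where z is on a US keyboard */
    ['z'] = {KEY_NONE, KEY_Y},
    ['Z'] = {KEY_MOD_LSHIFT, KEY_Y},  /* the example from the text */
    ['@'] = {KEY_MOD_RALT, KEY_Q},    /* AltGr+Q on a German keyboard */
};

/* UTF-8 array: variable length; 4 bytes of zero-padded encoding, then modifier and key. */
static const uint8_t utf8_de[][6] = {
    {0xc3, 0xa4, 0x00, 0x00, KEY_NONE,       KEY_APOSTROPHE}, /* ä */
    {0xc3, 0x84, 0x00, 0x00, KEY_MOD_LSHIFT, KEY_APOSTROPHE}, /* Ä: same key, plus shift */
    {0xe2, 0x82, 0xac, 0x00, KEY_MOD_RALT,   KEY_E},          /* €: AltGr+E */
};

typedef struct { uint8_t mod, key; } hid_press;

/* Translate a UTF-8 string into (modifier, key) presses: ASCII is indexed directly,
 * anything else is matched by its zero-padded 4-byte encoding against the UTF-8
 * array. Unmapped characters are skipped; returns the number of presses written. */
size_t locale_lookup(const char *text, hid_press *out, size_t max) {
    const uint8_t *p = (const uint8_t *)text;
    size_t n = 0;
    while (*p && n < max) {
        if (*p < 0x80) {
            if (ascii_de[*p][1] != KEY_NONE) out[n++] = (hid_press){ascii_de[*p][0], ascii_de[*p][1]};
            p++;
            continue;
        }
        size_t len = *p >= 0xf0 ? 4 : *p >= 0xe0 ? 3 : 2;   /* sequence length from the lead byte */
        uint8_t code[4] = {0}; size_t used = 0;
        while (used < len && p[used]) { code[used] = p[used]; used++; }  /* stop at a truncated tail */
        for (size_t r = 0; r < sizeof utf8_de / sizeof utf8_de[0]; r++)
            if (memcmp(code, utf8_de[r], 4) == 0) { out[n++] = (hid_press){utf8_de[r][4], utf8_de[r][5]}; break; }
        p += used;
    }
    return n;
}
```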
This tool is intended to be used for testing, training, and educational purposes only.
Never use it to do harm or create damage!
The continuation of this project counts on you!
This software is licensed under the MIT License. See the license file for details.
Software libraries used in this project:
- Arduino
- Neopixel Library
- Dotstar Library
- AVR, ESP8266 & SAMD Arduino Core
- ESPAsyncTCP
- ESPAsyncWebServer
- SimpleCLI
Hey, do you like this kind of project?
It took a huge amount of effort to create!
To make sure we can keep working on free and open-source projects like this,
please consider becoming a Sponsor or support us via Ko-fi.
Visit spacehuhn.com to learn more about us.