USB Ninja

From Embedded Lab Vienna for IoT & Security

Summary

The USB Ninja is a USB cable that can infect connected devices with malware by injecting keystrokes or mouse movements. It does so by exploiting the fact that the firmware on a USB device can be written or changed. Since the firmware isn't fully checked by operating systems, it is easy to place malicious payloads on it, which can then be triggered automatically or remotely on the target's device. The cable can also be used for data transfer and charging, just like any other USB cable. One of the founders of USB Ninja, Kevin Mitnick, defines the USB Ninja as the "spiritual successor" of BadUSB.[1][2] In this article the names USB Ninja and USB Ninja Pro are used synonymously, since different sellers differentiate them in different ways. Generally the USB Ninja Pro includes all the different cables and also a Bluetooth remote, which differs depending on which version has been obtained. Here one can find the kit that was used whilst creating this article.

How-To Basic

The following requirements are valid for both versions, USB Ninja and USB Ninja Pro. It is highly recommended to first go through the getting started documentation offered on the official website. This document assumes that the reader is already familiar with scripting languages as a concept.[3] This wiki page also assumes that the USB Ninja is being set up on a Windows OS; installation could be different on another OS.

Step 0: Assembling the remote

Turn off the power switch before installing the battery in the proper direction. Insert the copper bolts into the board: the single-head ones from the top and the double-pass ones from the back. Finally, screw the cover on using the screwdriver that comes with the USB Ninja.

Step 1: Installing Arduino IDE

Download the appropriate version of the Arduino IDE here. Arduino IDE is an open-source IDE that makes it easy to implement code for microcontroller boards and USB devices.

Step 2: Installing the required drivers

To download the required drivers to recognize the device for setup, please click here.

Step 3: Arduino Setup

Now you should be able to start the Arduino IDE application. Thanks to the board manager feature of Arduino, it is easy to add third-party boards to the IDE; in our case we want to add the USB Ninja package. Go to File and then Preferences. The screen in front of you should look like the screenshot below.

[Screenshot: USBNinja Preferences.png]

In the text field Additional Boards Manager URLs, add the following URL:

http://usbninja.com/arduino/package_USBNinja_index.json

With this URL in place, the IDE is able to install the USB Ninja boards. To actually install the USB Ninja board package, go to Tools, then select Board and then Board Manager. There, select Contributed in the drop-down selection. Select the USB Ninja package and install it. After the installation is successful, select the USB Ninja board under Tools in the Board selection. Be sure to select the board named USB Ninja cable (BLE+Hall sensor). This concludes the setup and one can now start scripting.

Step 4: Configuring and uploading

In terms of setup we are basically done, but connectivity is missing. To load scripts/payloads onto the USB Ninja and be able to plug it in somewhere to execute them, a few extra steps are needed. The package selected in the step above gives access to some examples that include useful configurations.

Bluetooth Name and Password

The default Bluetooth device name is "Ninja" and the default Bluetooth password is "8888". To change these values go to File, Examples, NinjaBLESetup and then select NinjaBLESetup. This opens the setup code for the BLE (Bluetooth Low Energy) module. Find the following line:

SetBLE("Ninja", "8888");

There you can change the values as you want. Note that the name is how the cable appears on your PC when connecting to it and also how it appears when pairing with it via an Android phone. If you haven't changed these settings or you are not using a remote, skip the section below and go to the uploading section.

Bluetooth Name and Password Remote Edition

If you are connecting to the cable via the remote (standard or pro remote doesn't matter), you'll also need to reconfigure the remote, since it automatically looks for a device with the same name and password. To do that, download the following application here. After unzipping, execute the .exe file. Select the correct serial port number after you have plugged in the remote. Press Open to open the port. Change the BLE Name and Password to match what you set on the cable. Then press the Set BLE Name and Set BLE Password buttons. If it was successful you should get a notification saying Operation Succeeded.

Uploading

Whatever changes you make that apply to the Ninja cable need to be uploaded, the NinjaBLESetup included. To do so, click the Verify button followed by the Upload button in the IDE. After pressing it you will have about 1 minute to do the following: while plugging in the USB Ninja cable, hold the magnetic ring, which is included in the package, against the plastic shell surrounding the USB connector you are inserting. If you do not do this, or do it only after plugging in, the device will not activate DFU mode. DFU stands for Device Firmware Upgrade; it can be regarded as a programming mode. Only when this mode is active can one write and upload to the firmware of the USB Ninja.

Execute

Now you should be ready and able to upload scripts to this device. For execution there are multiple options. You could let the payloads (A and/or B) execute at arbitrary times or when something specific happens. You could also trigger them with the remote: just turn it on and it will connect automatically with the cable connected to the target device. Then press payload A and/or B, and it will execute the script associated with the corresponding payload. Another option is the Android application, described below. Just play around; I would recommend using the example keystroke injection code, which can be found under File, Examples, NinjaKeyboard and then BLERemoteKeyboard. This example payload injects keystrokes on the target device, and a lot can be done with this. Don't forget to adjust the define line to your keyboard layout, for example like this:

#define LAYOUT_GERMAN

With this in mind, you can now add whatever script you want and execute it with the help of the USB Ninja; even Ducky Script payloads work. For more inspiration besides the examples given with the package, I would recommend going through GitHub.[4]
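Seen from the host the cable is plugged into, injected keystrokes typically arrive far faster and more evenly than a person types, which gives defenders a timing signal. The following is an added example, not code from the USB Ninja package or this wiki: it flags machine-speed key bursts per input device. The event format, device IDs and thresholds are assumptions, and the sample data is constructed.

```python
from statistics import median

# Assumed thresholds, to be tuned per environment: people rarely sustain
# inter-key gaps under 30 ms for a dozen or more keys in a row.
MAX_GAP_S = 0.030
MIN_RUN = 12


def find_injection_bursts(events, max_gap=MAX_GAP_S, min_run=MIN_RUN):
    """events: (timestamp_seconds, device_id) key-down records.
    Returns one dict per run of machine-speed typing, per device."""
    per_device = {}
    for ts, dev in sorted(events):
        per_device.setdefault(dev, []).append(ts)

    bursts = []
    for dev, stamps in per_device.items():
        start = 0
        for i in range(1, len(stamps) + 1):
            # Close the current run at end of data or at a human-sized pause.
            if i == len(stamps) or stamps[i] - stamps[i - 1] > max_gap:
                if i - start >= min_run:
                    run = stamps[start:i]
                    gaps = [b - a for a, b in zip(run, run[1:])]
                    bursts.append({
                        "device": dev,
                        "keys": len(run),
                        "start": run[0],
                        "median_gap_ms": round(median(gaps) * 1000, 1),
                    })
                start = i
    return bursts


def sample_events():
    """Constructed telemetry: a person on the built-in keyboard, then a
    newly attached HID device emitting 40 keys at 5 ms spacing."""
    human = [(round(0.5 + 0.18 * i, 3), "kbd-internal") for i in range(20)]
    injected = [(round(10.0 + 0.005 * i, 3), "usb-1-2") for i in range(40)]
    return human + injected


if __name__ == "__main__":
    for burst in find_injection_bursts(sample_events()):
        print(burst)
```

Timing is one signal only; pair it with an allowlist of permitted USB HID devices and an alert on any new keyboard-class device appearing on a host.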

Using the Android Application

The Android app can be downloaded here; keep in mind this is an .apk file, so some phones will not accept it unless the phone is set to developer mode. After installation, start up the app. You need to have Bluetooth and location activated to be able to find and connect to the cable. Connect to the cable and input the password. Now pressing the buttons on the screen is the same as using the remote. There are some benefits compared to the remote in my opinion, though. First, using a phone is more covert and comfortable. Secondly, you can have 9 payloads in the app, whereas the two remotes can have either 2 or 8 payloads. Lastly, you can edit the buttons directly in the app if you wish to do so. Please note that the code there is written in hexadecimal.

References

  1. Wikipage of Kevin Mitnick. https://wikipedia.org/wiki/Kevin_Mitnick
  2. BadUSB Overview including presentation slides and video link. https://adsecurity.org/?p=362
  3. Getting Started with USB Ninja. https://usbninja.com/help/
  4. GitHub. https://github.com/