BadUSB devices in pentesting: a practical guide
In the strict sense, BadUSB means reprogramming the firmware of a USB controller so that the device emulates an HID keyboard and injects commands into the system without any authorization (the concept was demonstrated by Karsten Nohl and Jakob Lell at BlackHat 2014). In pentesting practice the term covers an entire class of keystroke injection tools - from a microcontroller costing a few dollars to a cable with its own Wi-Fi C2 panel. This is not an academic curiosity: in January 2022 the FBI issued a FLASH alert about the FIN7 group, which mailed out rigged USB devices (LilyGO hardware) posing as gifts from Amazon and the US Department of Health, with BlackMatter/REvil ransomware at the end of the chain.
Table of contents
- 1. Criteria for evaluating and choosing BadUSB devices for pentesting
- 2. Overview of the most popular BadUSB devices for pentesting
- 3. BadUSB device comparison: a table for pentesters
- 4. Challenges and defense techniques against BadUSB attacks
- 5. My experience with BadUSB devices in pentests
Key takeaways
| Point | Details |
|---|---|
| HID emulation as the foundation of the attack | Every BadUSB device acts as a virtual keyboard, which lets it bypass most safeguards. |
| The right device depends on the scenario | Bash Bunny fits advanced audits, Digispark fits education and budget testing. |
| Antivirus alone is not enough | Signature-based AV does not see the fileless injection, but behavioral EDR catches the chain after the injection, and the downloaded second stage is already a file to be scanned. |
| Defense requires layered safeguards | An effective USB policy combines VID/PID whitelisting, USBGuard and physical port locks. |
| Documentation is mandatory | Every use of a BadUSB device in an audit must be embedded in a written scope of engagement. |
1. Criteria for evaluating and choosing BadUSB devices for pentesting
Choosing a BadUSB device for a specific engagement starts with analyzing a few key parameters. Skipping this analysis leads to situations where expensive hardware adds nothing beyond what a cheaper equivalent would do.
Device emulation capability is the first criterion. Some devices emulate only an HID keyboard. Others can simultaneously pose as a network card, mass storage and a keyboard, which opens entirely different attack vectors.
Configuration and programming options determine flexibility in the field. Devices with their own scripting language (Ducky Script, Bunny Script) allow payloads to be quickly adapted to the specific environment being tested.
Price versus capability is the practical aspect. The price range is wide. A Digispark clone costs a few dollars (28 PLN with us), the USB Rubber Ducky is around 60-90 USD (675 PLN), and the Bash Bunny Mark II around 210 USD (1458 PLN). The engagement budget should map directly to the choice of hardware - a more expensive device only makes sense when the audit scope will use its extra modes.
Ease of use and integration determine how much time it takes to deploy the device in a test environment. For pentesters working in the field, what counts is the time from plugging in to executing the payload.
Legal and ethical aspects are non-negotiable. Every use of a BadUSB device must be covered by a written scope of engagement and the consent of the system owner. Owning the hardware is legal, using it without consent is not.
Firmware security is an issue many overlook. Devices with open-source software allow the code to be audited. Cheap clones from unknown sources may contain backdoors of their own.
Pro tip: Always test a new BadUSB device first in an isolated virtual environment before using it in a client environment. A bug in the payload on a production machine can end the engagement faster than any security system.
2. Overview of the most popular BadUSB devices for pentesting
The market for USB pentesting devices is more diverse than most "top 5" lists suggest. Below are the models that actually end up in pentesters' hands.
USB Rubber Ducky
USB Rubber Ducky is considered the standard for HID command injection tests. Payloads are written in DuckyScript - a simple example that opens Notepad and types text demonstrates the key trait of the attack: commands reach the system at interface speed, not human speed.
```
REM Injection speed demonstration - opens Notepad
DELAY 1000
GUI r
DELAY 500
STRINGLN notepad
DELAY 1000
STRINGLN Ten tekst wpisalo urzadzenie HID w ulamku sekundy.
```
Every command is literal: GUI r is the Windows+R shortcut, STRINGLN types text and confirms with Enter, and DELAY waits the given number of milliseconds. In a real payload you have to account for the target's keyboard layout - the device sends key codes, not characters, so a payload written for US-QWERTY will type gibberish on a keyboard with a different layout. The Ducky V2 itself is no longer "just a keyboard": DuckyScript 3.0 adds a mass storage mode, VID/PID cloning and data exfiltration via Keystroke Reflection. What it lacks is network card emulation - and that is what sets it apart from the Bash Bunny.
- Emulation: HID (keyboard) + mass storage mode
- Scripting language: DuckyScript 3.0
- Price at SAPSAN: 675 PLN (approx. 60-90 USD)
- Use case: fast command injection, social engineering tests, exfiltration via Keystroke Reflection
Hak5 Bash Bunny
Bash Bunny Mark II is a higher-class device, capable of simultaneously emulating a keyboard, an Ethernet network card and mass storage. Modes are declared in a single line, e.g. ATTACKMODE HID RNDIS_ETHERNET STORAGE. This allows complex sequences: in the QuickCreds attack the device first poses as a network card to force a locked workstation to authenticate and capture the NTLMv2 hash (Responder), then switches to keyboard mode to run the payload. Switching between modes takes seconds.
- Emulation: HID, Ethernet (RNDIS/ECM), mass storage, serial port
- Scripting language: Bash, Python, DuckyScript
- Price at SAPSAN: 1458 PLN (approx. 210 USD)
- Use case: advanced network and Active Directory audits
OMG Cable
O.MG Cable looks identical to an ordinary USB cable, but inside the housing it has a microcontroller with Wi-Fi and its own C2 panel controlled from a browser. This is not "HID over Wi-Fi" but a complete implant: it injects keyboard and mouse input, the Elite version has a hardware keylogger storing around 650,000 characters, supports geofencing (the payload only fires at a set location) and self-destruct, which renders the cable useless once it leaves the defined area. A pentester can control the attack from the next room.
- Emulation: HID (keyboard + mouse) controlled over Wi-Fi
- Features: browser-based C2 panel, keylogger (Elite), geofencing, self-destruct
- Price at SAPSAN: 968-1298 PLN (depending on version)
- Use case: tests at a physical distance, covert form factor
Digispark
Digispark is a tiny microcontroller based on the ATtiny85, the cheapest and most accessible of all the solutions discussed. It is programmed in the Arduino environment, has limited memory (around 6 KB for the payload) and emulates only a keyboard. It lacks advanced features, but as an educational platform and a tool for basic command injection tests it works well - especially for a narrow scope where pricier hardware adds nothing.
- Emulation: HID (keyboard)
- Programming: Arduino IDE
- Price at SAPSAN: 28 PLN (clones from a few USD)
- Use case: education, budget test environments
WHID Injector and Packet Squirrel
WHID Injector (Cactus WHID) combines HID injection with a Wi-Fi module in a pen drive form factor - a cheaper, open-source alternative for remote payload control, based on the ESP8266 chip (169 PLN). It is still a keystroke injection class device.
A different class is the Packet Squirrel Mark II - it is a network implant, not a BadUSB device. It does not inject keystrokes; it plugs inline into an Ethernet cable between the workstation and the network and acts as a device-in-the-middle: it captures traffic (PCAP), does DNS spoofing, sets up a VPN/SSH tunnel and provides remote access to the target network. It is the successor to the veteran LAN Turtle, which has long been unavailable and never got a new version. It is worth understanding this difference: a Rubber Ducky or O.MG Cable attacks through the USB port as a keyboard, while the Packet Squirrel sits on the network cable.
3. BadUSB device comparison: a table for pentesters
The table below gathers the most important device parameters in one place to make the purchasing and operational decision easier.
| Model | Class | Emulation / function | Programming | Price at SAPSAN |
|---|---|---|---|---|
| USB Rubber Ducky V2 | HID injection | HID + mass storage mode | DuckyScript 3.0 | 675 PLN |
| Bash Bunny Mark II | HID + network | HID, Ethernet (RNDIS/ECM), storage, serial | Bash / Python / DuckyScript | 1458 PLN |
| O.MG Cable | HID injection (Wi-Fi C2) | HID keyboard+mouse, keylogger, geofencing | DuckyScript + web panel | 968-1298 PLN |
| Digispark | HID injection (budget) | HID (keyboard) | Arduino IDE | 28 PLN |
| WHID Injector | HID injection (Wi-Fi) | HID + remote Wi-Fi | Web panel / Arduino | 169 PLN |
| Packet Squirrel Mark II | Network implant | Ethernet MITM, PCAP, VPN/SSH (not HID) | Bash / Python / DuckyScript | 780 PLN |
Tips for matching the device to the scenario:
If the audit concerns employee reactions to dropped USB devices, a USB Rubber Ducky or Digispark is enough. If the scope covers hijacking a domain session or extracting credentials from Active Directory, the right tool is the Bash Bunny. The O.MG Cable works when the pentester needs to keep a physical distance from the attacked workstation. And when the test concerns a wired network and traffic capture, you reach not for keyboard-style BadUSB but for a network implant - the Packet Squirrel Mark II.
Pro tip: When buying a BadUSB device, check whether the vendor maintains an active community and a payload repository. Hardware without up-to-date resources quickly loses its usefulness in changing test environments.
4. Challenges and defense techniques against BadUSB attacks
Knowing defensive methods is just as important for a pentester as knowing attack techniques. When carrying out USB security tests, you need to know what works on the defender's side and what only looks like an effective safeguard.
- USB device control and VID/PID whitelisting. Filtering by vendor (VID) and product (PID) identifiers is the most commonly deployed mechanism. The problem is that these identifiers are firmware values fully controlled by the attacker - a device can be configured to impersonate the VID/PID of an allowed keyboard (a Rubber Ducky or WHID can clone the descriptors of a legitimate device). VID/PID whitelisting is therefore a measure that raises the bar, not one that blocks the attack; stronger binding uses the serial number and a descriptor hash, but those can be forged too.
- Physical USB port locks. Mechanical port locks or disabling the ports in the BIOS/UEFI are methods that defenders use as a supplement to software policies. They are effective in high-risk environments. The downside is a significant reduction in user ergonomics.
- USBGuard and Endpoint Protector. USBGuard on Linux lets you create policies that only allow predefined devices. Endpoint Protector runs on Windows and macOS, offering centrally managed USB policies. Both tools require proper configuration, because default settings often do not block new HID devices.
- Limitations of signature-based antivirus. The injection itself is fileless - keystrokes from the virtual keyboard never hit the disk, so a signature scanner has nothing to analyze. But that does not mean the defender is helpless: behavioral EDR detects the chain after the injection (e.g. explorer.exe launching PowerShell seconds after a USB is plugged in), the superhuman and uniform "typing" pace gives away the automation, and any downloaded second stage of the attack is already a file to be scanned. This distinction - signatures blind, behavior not - is something the pentester should clearly describe in the report.
- User education. The hardest aspect of defending against BadUSB is that the attacks rely on emulating a keyboard, a device essential for normal work. Users have no easy way to tell an attacking device from a real keyboard without additional tools.
- Event monitoring and behavioral detection. Plugging in a new "keyboard" generates Windows event 6416 (recognition of a new external device) - especially suspicious when a second keyboard registers on a workstation that already has one. A SIEM can also correlate anomalous process creation (PowerShell launched seconds after a USB is plugged in) with keystroke timing. Ready-made tools exist: DuckHunt and Beamgun monitor typing cadence and USB connections and can lock the workstation once an injection is detected. This is detection, not prevention - a slowed, "jittered" payload can evade it, and fast clipboard pasting generates false positives.

An effective USB security policy requires combining device control, user education and physical port protection. None of these elements alone is enough.
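To make the VID/PID and USBGuard points concrete, here is an added USBGuard rule set (not from the original article, not a vendor-supplied policy) that shows the weak, VID/PID-only rule beside a tighter one. The device id, serial and hash are constructed placeholders; take the real values from `usbguard list-devices` on the host.

```conf
# --- WEAK: a rule that matches on VID/PID only. Any keystroke injector that
# clones these two firmware values is allowed in as "the keyboard".
# allow id 1234:abcd                       # PLACEHOLDER id, do not copy as-is

# --- BETTER: bind the known keyboard to its serial and descriptor hash and to
# the exact interface set it exposes (03:01:01 = boot keyboard, 03:00:00 = HID).
# Raises the bar; the article notes that even these can be forged, so it is
# still device control, not a guarantee.
allow id 1234:abcd serial "PLACEHOLDER-SERIAL" hash "PLACEHOLDER-HASH" name "Office Keyboard" with-interface equals { 03:01:01 03:00:00 }

# Block anything else that presents a HID interface, including composite
# devices that add a keyboard next to storage or a network adapter.
block with-interface one-of { 03:*:* }

# Explicitly block composite "keyboard + RNDIS/CDC Ethernet" devices as well,
# in case a rule above is later relaxed (02 = communications, 0a = CDC data).
block with-interface all-of { 03:*:* 02:*:* 0a:*:* }

# Everything not matched above falls through to the daemon's implicit policy.
# In /etc/usbguard/usbguard-daemon.conf make sure it is not "allow":
#   ImplicitPolicyTarget=block
#   PresentDevicePolicy=apply-policy
```

Reload with `usbguard` after editing the rules file and confirm with `usbguard list-devices` that the office keyboard shows as allowed and a second keyboard plugged in afterwards shows as blocked.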
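The detection signals described in the list above (a second keyboard registering via event 6416, PowerShell spawned by explorer.exe seconds after the plug-in, and superhuman uniform keystroke timing) can be checked with a few lines of correlation logic. The following is an added example, not code from the article or from DuckHunt/Beamgun; the event records are constructed and the field names are simplified assumptions, not the real Windows schema.

```python
"""Added example (not from the original article): a toy correlation of the
signals the section above describes: Windows event 6416 (new external device),
a second keyboard on a host that already has one, PowerShell spawned from
explorer.exe seconds after the plug-in (event 4688), and keystroke cadence.
All log records below are constructed; field names are simplified assumptions."""
from statistics import mean, pstdev

# Constructed, simplified event stream (timestamps in epoch seconds).
EVENTS = [
    {"t": 100.0, "id": 6416, "host": "WS01", "class": "Keyboard"},
    {"t": 160.0, "id": 6416, "host": "WS01", "class": "Keyboard"},   # 2nd keyboard
    {"t": 163.0, "id": 4688, "host": "WS01", "parent": "explorer.exe",
     "image": "powershell.exe"},                                      # 3 s later
    {"t": 900.0, "id": 4688, "host": "WS02", "parent": "explorer.exe",
     "image": "powershell.exe"},                                      # no plug-in
]

def correlate(events, window_s=30):
    """Return alert strings for: an additional keyboard on a host, and
    explorer.exe -> powershell.exe within window_s of a keyboard plug-in."""
    alerts, keyboards, last_plug = [], {}, {}
    for e in sorted(events, key=lambda x: x["t"]):
        h = e["host"]
        if e["id"] == 6416 and e["class"] == "Keyboard":
            keyboards[h] = keyboards.get(h, 0) + 1
            last_plug[h] = e["t"]
            if keyboards[h] > 1:
                alerts.append(f"{h}: additional keyboard registered")
        elif (e["id"] == 4688 and e["image"].lower() == "powershell.exe"
              and e["parent"].lower() == "explorer.exe"):
            if h in last_plug and e["t"] - last_plug[h] <= window_s:
                gap = e["t"] - last_plug[h]
                alerts.append(f"{h}: powershell.exe {gap:.0f}s after USB plug-in")
    return alerts

def cadence_is_automated(key_times_ms, max_mean_ms=40, max_cv=0.25):
    """Flag keystroke timing that is both superhumanly fast and uniform.
    Caveats from the text: a slowed, jittered payload passes (mean too high),
    and a clipboard paste is a false positive (also fast and uniform)."""
    gaps = [b - a for a, b in zip(key_times_ms, key_times_ms[1:])]
    if len(gaps) < 5:
        return False                      # too little data to judge
    m = mean(gaps)
    return m <= max_mean_ms and (m == 0 or pstdev(gaps) / m <= max_cv)
```

Both checks are detection, not prevention: the correlation window and the cadence thresholds are tunable assumptions and should be baselined against normal activity on the fleet before alerting on them.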
5. My experience with BadUSB devices in pentests
I have worked with BadUSB devices long enough to have a few observations you will not find in the manufacturer's documentation.
First: the effectiveness of these tools in real audits is far higher than most clients assume before the test. Commands injected via HID reach the system at interface polling speed, not at the speed of a human typing on a keyboard. In practice the payload runs within a few seconds of plugging the device in.
Second: the most common mistake pentesters make is failing to test the payload on the exact same operating system version as the client's. A payload written for Windows 10 may behave differently on Windows 11, especially when it runs PowerShell commands with security flags changed by Microsoft.
Third: a Bash Bunny in the hands of a pentester with a weak grasp of network protocols is a device that does less than it costs. Advanced hardware requires advanced knowledge to be used sensibly. I have seen engagements where a Digispark for 15 USD achieved the same effect as a Bash Bunny for 120 USD, because the audit scope was narrow.
What actually works: combining the USB Rubber Ducky for physical social engineering tests with the Bash Bunny for Active Directory audits. I only add the O.MG Cable when the audit requires the device to be present at the workstation for a longer time and controlled remotely. Documenting every use is just as important as the attack itself - a report without precise reproduction steps is useless to the client's IT department.
BadUSB gear for pentesters in the Sapsan-sklep range
Sapsan-sklep, as a European distributor of cybersecurity hardware, offers the BadUSB devices discussed in this article with delivery across the entire European Union and to the USA.
In our range you will find the full keystroke injection class: USB Rubber Ducky (675 PLN), Bash Bunny Mark II (1458 PLN), O.MG Cable (from 968 PLN), the budget Digispark (28 PLN) and the WHID Injector (169 PLN). For wired network testing, the Packet Squirrel Mark II implant (780 PLN) is available. All devices are intended exclusively for legal security testing with the written consent of the system owner. Full range: sapsan-sklep.pl.
FAQ
How does BadUSB differ from a regular pen drive?
BadUSB is a device with reprogrammed firmware that emulates an HID keyboard and injects commands into the system. A regular pen drive only stores data and performs no actions when plugged in.
Which BadUSB device should you choose for a first USB audit?
The USB Rubber Ducky is the most frequently recommended choice for pentesters starting out with USB security testing. Its simple scripting language and large base of ready-made payloads cut the entry time to a minimum.
Will antivirus detect a BadUSB attack?
Signature-based antivirus will not detect the injection itself - the system treats commands from the virtual keyboard as normal input, and the attack is fileless. It is detected, however, by behavioral EDR, by its effects: an unusual process chain and a downloaded second stage of the attack, which is already an ordinary file.
How do you use BadUSB devices legally?
Every use of a BadUSB device requires the written consent of the owner of the tested system and must be covered by the scope of the pentesting engagement. Using it without consent is illegal regardless of intent.
Is Digispark suitable for professional audits?
Digispark works for simple HID injection tests and in educational environments. For professional audits involving network emulation or complex payloads, a Bash Bunny class device is required.
