
PENTESTING USING ARDUINO

Submitted in partial fulfilment of the requirements of the degree of
Bachelor of Engineering

By
Miss. POURNIMA GHUDE ARMIET/IT21/GP218
Miss. JYOTI JADHAV ARMIET/IT21/JJ219
Mr. SANDIP PASHTE ARMIET/IT21/SP226
Mr. VIKAS SHARMA ARMIET/IT21/SV222
Supervisor:
Prof. Swati Sanap

ALAMURI RATNAMALA INSTITUTE OF ENGINEERING AND TECHNOLOGY

Affiliated to
UNIVERSITY OF MUMBAI

Department of Information Technology (IT)


Academic Year – 2022-2023

CERTIFICATE

This mini project report entitled “Pentesting using Arduino” by Miss. Pournima
Ghude, Miss. Jyoti Jadhav, Mr. Vikas Sharma, Mr. Sandip Pashte is approved for
the degree of Bachelor of Engineering in Information Technology for academic
year 2022 – 2023.

Examiners
1.

2.

Supervisor
1.
Prof. Swati Sanap

Head of the Department Principal


Prof. Shailesh Nandgaonkar

Date:

Place:

Declaration

We declare that this written submission represents our ideas in our own words and where others' ideas
or words have been included, we have adequately cited and referenced the original sources. We also
declare that we have adhered to all principles of academic honesty and integrity and have not
misrepresented or fabricated or falsified any idea/data/fact/source in our submission. We understand
that any violation of the above will be cause for disciplinary action by the Institute and can also evoke
penal action from the sources which have thus not been properly cited or from whom proper permission
has not been taken when needed.

_______________ _________________ __________________ ___________________


Sandip Pashte Pournima Ghude Jyoti Jadhav Vikas Sharma

TABLE OF CONTENTS

LIST OF FIGURES
LIST OF TABLES
LIST OF SYMBOLS AND ABBREVIATIONS
ABSTRACT
1 INTRODUCTION
  1.1 Introduction
  1.2 Objective of the project
2 LITERATURE REVIEW
  2.1 Exploit
  2.2 Arduino UNO R3
  2.3 The Metasploit Framework
3 SYSTEM DESIGN AND ARCHITECTURE
  3.1 Existing System
  3.2 Proposed System and Methodology
  3.3 Stage 1
  3.4 Stage 2
  3.5 Stage 3
  3.6 Exploit Flowchart
  3.7 Arduino Flowchart
  3.8 System Architecture
4 HARDWARE AND SOFTWARE
  4.1 Hardware Requirement
  4.2 Software Requirement
5 PROJECT IMPLEMENTATION
  5.1 Implementation
CONCLUSION
FUTURE WORK
REFERENCE
ANNEXURE 1 - SOURCE CODE
ACKNOWLEDGMENT

LIST OF FIGURES

Sr. No. Fig. No. Figure Name
1 3.6 Exploit Flowchart
2 3.7 Arduino Flowchart
3 3.8 System Architecture

LIST OF TABLES

Sr. No. Table No. Table Name
1 2.1 Review of Literatures


LIST OF SYMBOLS AND ABBREVIATIONS

IDE Integrated Development Environment

MSF Metasploit Framework

SE Standard Edition

VMS Virtual Machine Specification

API Application Programming Interface


ABSTRACT

The development of technology in this digital era has made people smarter, so that
they can find weaknesses in information technology. Several studies use weaknesses in
open USB ports to inject remote exploit attacks. The author conducts research on
controlling a target computer or laptop using remote exploits by utilizing a gap in the
computer system, the open USB port. Automated scripts loaded on the Arduino board are
tested by plugging the board into an open USB port. The script tries to download the
backdoor file that was created with Metasploit and runs it automatically on the target.
As a result of the remote exploit, the attacker gains control of the target computer or
laptop running Windows, Linux or Mac OS, with the help of port forwarding. The most
dangerous effects are those that can be carried out in the background, where they cannot
be seen on the target computer's screen, or that store important data in the target's
files or directories.

Alamuri Ratnamala Institute of Engineering and Technology 1


CHAPTER 1
INTRODUCTION

1.1 Introduction

Computer systems are vulnerable to many attacks, even where the system is seriously protected.
Security software, firewalls, antivirus programs and the like have been implemented to
protect valuable data on computers. No system is 100% attack-proof, not even one claimed to be
the most sophisticated computer system ever. Many do not realize that computer attacks can be
carried out through a common interface such as the Universal Serial Bus (USB) port on a computer
or laptop. The USB port on a computer system is basically an open port, so many people
abuse this security weakness. This makes a computer very susceptible to USB keystroke
injection attacks, such as being able to restore important data files in
system32 in Windows C. This open USB port means a computer can receive viruses or
malware, and antivirus cannot be used to fight this kind of attack. The Metasploit framework is a
penetration tool that is strong enough to penetrate into a system. Metasploit is a free and open
source computer network framework created by H.D. Metasploit is usually associated with the term
remote exploitation, meaning the compromise of a remote system so that the victim's
computer can be controlled. Metasploit is considered multi-platform and runs on most Unix and
Windows variations. A newer way to build a keystroke injection tool, or USB Rubber Ducky, is to
use Arduino. Arduino can be turned into an injection tool that acts as an automatic keyboard,
using a keyboard library that already exists.
The goal is to send and download the attacker's backdoor so that the attacker can manage and exploit the
target computer. The advantage of Arduino is winning the Arduino driver, not as an automatic HID
keyboard or mouse. In this study, we will discuss how to use the Arduino board as an injection
tool to carry out remote exploit attacks with the help of the Metasploit framework.

1.2 Objective of the Project

Arduino is one of those boards that has become synonymous with hacking and making. Since its
introduction in 2005, over 700,000 official Arduino boards have been sold, along with untold
millions of compatible and clone boards. Arduino boards, as we know, are programmable, and we can
use one to make a handheld device for pentesting. Through this process, businesses discover
specific weaknesses in their IT systems at the time of testing. Leveraging this understanding
empowers proactive mitigation and remediation for these potential exploits.

CHAPTER 2
LITERATURE REVIEW

2.1 Exploit

This information can prove very useful in penetrating the target machine, as one can quickly look
for exploits and vulnerabilities of the operating system in use. The process is not
straightforward, but knowledge about the target operating system eases the task to a great extent.
After it was launched, the development process was exploited to get started. Systems that are not
patched are safe ground for hackers, because they can immediately launch exploits to compromise targets.
Therefore, a regular and complex operating system is very important. This research focuses on
some of the most popular operating systems. In the testing process, once information about
the target operating system is available, exploits for that operating system's weaknesses are
tested. This study focuses on several operating systems such as Microsoft, Linux and Mac OS.

2.2 Arduino UNO R3

Many methods have been developed to penetrate a network, whether as a hacker or as an operating
system tester. One practical strategy is to hack networks using an open USB port on a PC or laptop.
USB vulnerabilities allow attackers to carry out attacks relatively easily. This can be done
using a USB device that is recognized by the victim's computer as a Human Interface Device (a
keyboard) and runs code without the user's knowledge. Such a USB device is referred to as 'bad
USB'. However, bad USB attacks are often underestimated, perhaps on the assumption that they
require more technical knowledge. The purpose of this project is to produce a proof of concept of
the feasibility of a bad USB, using an Arduino Micro as the USB implementation.

2.3 The Metasploit Framework

The Metasploit framework is a computer security project that provides information about
security and assists in testing and development. Metasploit has several sub-projects, the
best known of which are open source. The Metasploit framework is a tool for developing and
executing exploit code against remote target machines; it also includes an opcode database,
shellcode archives and other related research. Additionally, Metasploit is considered
multi-platform, running on most variations of Unix and Windows.

CHAPTER 3
SYSTEM DESIGN AND ARCHITECTURE

3.1 Existing System

A penetration test (pen test) is an authorized simulated attack performed on a computer system to
evaluate its security. Penetration testers use the same tools, techniques, and processes as attackers to
find and demonstrate the business impacts of weaknesses in a system. Penetration tests usually
simulate a variety of attacks that could threaten a business. They can examine whether a system is
robust enough to withstand attacks from authenticated and unauthenticated positions, as well as a
range of system roles. With the right scope, a pen test can dive into any aspect of a system.

Embedded devices (IoT): Embedded / Internet of Things (IoT) devices such as medical devices,
automotives, in-home appliances, oil rig equipment, and watches have unique software testing
requirements due to their longer life cycles, remote locations, power constraints, regulatory
requirements, and more. Experts perform a thorough communication analysis along with a
client/server analysis to identify defects that matter most to the relevant use case.

3.2 Proposed System and Methodology

Payload and listener: The payload and the listener are interrelated. A payload is a file that
will be executed on the target computer, while the listener waits for the target computer on
which the payload has run.

Attack design: The attack design has 3 stages. Each stage follows a different path, but the stages
are related to each other and must be carried out sequentially. The following are 2 stages of attack
design:

3.3 Stage 1: Exploit flow - For this second stage, the researcher defined the steps of the exploit
path used to run the exploitation process. Before entering the first exploit stage, it was
necessary to create a backdoor payload through msfvenom.

3.4 Stage 2: Arduino flow - For this third stage, the author defines the Arduino flow, in which the
board is programmed to run as an automatic keyboard according to the author's wishes as an
attacker.

3.5 Stage 3: Flow of attacks - The flow of the attack in this study covers the steps from the
start until the attacker gets full access to the target laptop through a remote exploit attack.

In Stage 3, the steps that must be done are:

i. The attacker's laptop uses a network connection over a USB modem

ii. Connect to ngrok port forwarding

iii. The attacker gets a dynamic link and port from ngrok

iv. Create an automatic keyboard script for Arduino and load it onto the Arduino board

v. The attacker plugs the Arduino board into the target laptop through the laptop's USB port

vi. The Arduino board runs automatic keyboard commands

vii. The Arduino board downloads and runs the payload file from the ngrok link

viii. A meterpreter session is entered; the target is connected to the attacker

ix. Finished
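
From the defender's side, steps v and vi leave an observable trace: a keyboard that enumerates and then types at once, faster and more evenly than a person. The Python sketch below is an added example, not part of the original report; the event format, device names, thresholds and sample data are constructed assumptions.

```python
from statistics import median

# Assumed, tunable thresholds (not taken from the report).
MIN_HUMAN_GAP_MS = 30    # median gap below this is faster than sustained human typing
MAX_GAP_SPREAD_MS = 2    # near-identical gaps indicate a scripted delay loop
ATTACH_GRACE_MS = 3000   # typing this soon after enumeration is suspicious
BURST_LEN = 10           # keystrokes examined after the device attaches

def score_device(attach_ms, key_times_ms):
    """Return the reasons a newly attached keyboard looks scripted."""
    burst = sorted(t for t in key_times_ms if t >= attach_ms)[:BURST_LEN]
    if len(burst) < BURST_LEN:
        return []  # too few keystrokes to judge
    gaps = [b - a for a, b in zip(burst, burst[1:])]
    reasons = []
    if median(gaps) < MIN_HUMAN_GAP_MS:
        reasons.append("superhuman_rate")
    if max(gaps) - min(gaps) <= MAX_GAP_SPREAD_MS:
        reasons.append("uniform_timing")
    if burst[0] - attach_ms < ATTACH_GRACE_MS:
        reasons.append("typed_right_after_attach")
    return reasons

def triage(events):
    """events: iterable of (time_ms, device, kind), kind is 'attach' or 'key'."""
    attach, keys = {}, {}
    for ms, dev, kind in events:
        if kind == "attach":
            attach[dev], keys[dev] = ms, []   # a re-plug restarts the window
        elif kind == "key" and dev in attach:
            keys[dev].append(ms)
    return {dev: score_device(attach[dev], keys[dev]) for dev in attach}

# Constructed sample: kbd-A is a person, kbd-B mimics an automatic keyboard.
HUMAN_KEYS = [5000, 5180, 5310, 5520, 5650, 5900, 6040, 6230, 6400, 6610]
SAMPLE_EVENTS = (
    [(0, "kbd-A", "attach")]
    + [(t, "kbd-A", "key") for t in HUMAN_KEYS]
    + [(10000, "kbd-B", "attach")]
    + [(11000 + 5 * i, "kbd-B", "key") for i in range(20)]
)

if __name__ == "__main__":
    for dev, reasons in triage(SAMPLE_EVENTS).items():
        print(dev, "ALERT" if len(reasons) >= 2 else "ok", reasons)
```

The labels are triage signals to combine with a USB device allowlist; the thresholds need tuning against real typing data.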

3.6 Exploit Flowchart

3.7 Arduino UNO R3 Flowchart

3.8 System Architecture

[Figure 3.8: System Architecture. Labels: Attacker, Metasploit, Ngrok, Exploit Listening Port & Payload, GET & POST request, Arduino UNO R3, Keyboard HID Script, Payload execute, Victim's PC]

CHAPTER 4
HARDWARE AND SOFTWARE REQUIREMENT

4.1 Hardware Requirements:


• Laptop or Computer

• ARDUINO UNO R3

• Laptop or Computer

• 100nF capacitor

• Jumper Wires: Female to Female (3) and Female to Male (1)

• USB cable

4.2 Software Requirements:


• Kali Linux OS

• Metasploit – Kali Linux

• Veil – Kali Linux

• NetCat – Kali Linux

• Ngrok/IPjetable

• Arduino Software

CHAPTER 5
IMPLEMENTATION

CONCLUSION

A remote exploit attack can be run against Windows, Linux, or Mac OS operating systems.
In a remote exploit attack, the payload plays an important role in the success or failure of
the attack. A remote exploit attack will fail if the payload doesn't match the executable format of
the target operating system. Remote exploit attacks can be carried out across different networks,
generally referred to as public networks. Through port-forwarding tunnels, attacks that are
initially limited to a local network or LAN can be transformed into attacks over public networks
through dynamic ports provided by the network, so that remote exploit attacks can work on different
networks and at different distances. A remote exploit can be optimized by using Arduino IDE software and
Arduino boards.

FUTURE SCOPE

As the number, frequency, and sophistication of cyberattacks have grown over the last year, so have
organizations' needs for increased, on-demand visibility into their attack surfaces and
vulnerabilities. Traditionally, the model for achieving this visibility has relied on a tiered approach
starting with vulnerability scanning, moving to penetration testing, and finally engaging in red
teaming. However, as the number of vulnerabilities reported daily continues to climb, it's become
clear that a purely human-driven effort to identify vulnerabilities in an environment and test against
them is a losing battle.

To meet the organizational need to simplify operations and reduce costs in an increasingly complex
and expensive cybersecurity landscape, I believe that penetration testing will evolve beyond the
traditional, point-in-time approach. Organizations and providers will move towards a continuous
penetration testing model that offers an automated framework to test an environment and validate
controls, all while maintaining the human expertise associated with more traditional testing.

By leveraging automation, continuous penetration testing can rapidly identify and test for
vulnerabilities as they are disclosed, giving organizations and businesses the data they need to
remediate swiftly. As we move into this new mode of operation, I believe it will change the
cybersecurity profession in the following ways over the next year and beyond.

ACKNOWLEDGEMENT

In our project we are extremely thankful to our project guide Prof. Swati Sanap for his valuable
support and time. We would like to take this opportunity to acknowledge the innumerable
guidance and support extended to us by our co-guide in preparation of the synopsis. We also want to
thank our honourable principal for his support. Our foremost thanks go to our well-wishers and
colleagues. We are grateful to all staff members, non-teaching staff and all our friends who lent us a
helping hand.
