Saturday, July 7, 2012

How to add a local administrator with the Arduino Leonardo.

For a while now, security researchers have been using the Teensy for HID attacks, which really is the way to go if that’s all you want to do. However, if you are like me and want to do other things as well, you need something bigger. Enter the Arduino Leonardo: this Arduino board supports emulating a HID (Human Interface Device) out of the box. It’s not tiny like the Teensy, but it is only 2.7” x 2.1” in size, which is still small. It would be very easy to just leave the Leonardo in a backpack and run the USB cable to the victim device, especially since the whole attack takes about 5 seconds.

When programming the Leonardo to emulate a HID, I really recommend using a button in conjunction with the device (see image below). This way, if you make a mistake, you can upload a new sketch. It would be very difficult to reprogram it if it kept typing "add user" over and over again.


Here is the attack in action via screen recording.

In the first part of the video I show what users are on the system. Then the device is plugged in and the attack launches. The Leonardo starts to emulate a keyboard by pressing the Windows key and then types in cmd.exe. Next it uses the keyboard shortcut for run as admin (Ctrl+Shift). Then the Leonardo hits Tab 3 times to select OK on the UAC prompt and hits Enter. Finally, an administrator command prompt is open, and the Leonardo types out the commands to add a user, adds the user to the local administrators group, and closes the prompt. The nice part about this is that, since you write the program, there are no typing errors, and it types about a hundred times faster than you do.
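A defender's view of the sequence described above, as an added example that is not code from the original post: it flags a keyboard-class USB device appearing on a host and, within seconds, a local account being created and added to Administrators. The event records are constructed and use simplified, hypothetical field names; it assumes Windows Security events 6416, 4720 and 4732 are audited and collected.

```python
from datetime import datetime, timedelta

ADMINS_SID = "S-1-5-32-544"      # well-known SID of BUILTIN\Administrators
WINDOW = timedelta(seconds=30)   # assumption: generous margin over the ~5 s run
KEYBOARD_CLASSES = {"Keyboard", "HIDClass"}

# Constructed sample events, simplified fields (not a real log export). IDs:
# 6416 new external device, 4720 account created, 4732 local group member added.
EVENTS = [
    {"time": "2012-07-07T10:00:00", "id": 6416, "host": "WS01",
     "device_class": "Keyboard", "device": "constructed-keyboard-A"},
    {"time": "2012-07-07T10:00:04", "id": 4720, "host": "WS01",
     "account_sid": "S-1-5-21-1-2-3-1001"},
    {"time": "2012-07-07T10:00:05", "id": 4732, "host": "WS01",
     "member_sid": "S-1-5-21-1-2-3-1001", "group_sid": ADMINS_SID},
    # Keyboard plugged in, admin account created 20 minutes later: outside window.
    {"time": "2012-07-07T11:00:00", "id": 6416, "host": "WS02",
     "device_class": "Keyboard", "device": "constructed-keyboard-B"},
    {"time": "2012-07-07T11:20:00", "id": 4720, "host": "WS02",
     "account_sid": "S-1-5-21-1-2-3-1002"},
    {"time": "2012-07-07T11:20:01", "id": 4732, "host": "WS02",
     "member_sid": "S-1-5-21-1-2-3-1002", "group_sid": ADMINS_SID},
    # Storage device, not a keyboard: ignored even though the timing matches.
    {"time": "2012-07-07T12:00:00", "id": 6416, "host": "WS03",
     "device_class": "DiskDrive", "device": "constructed-disk-C"},
    {"time": "2012-07-07T12:00:03", "id": 4720, "host": "WS03",
     "account_sid": "S-1-5-21-1-2-3-1003"},
    {"time": "2012-07-07T12:00:04", "id": 4732, "host": "WS03",
     "member_sid": "S-1-5-21-1-2-3-1003", "group_sid": ADMINS_SID},
]

def ts(event):
    return datetime.fromisoformat(event["time"])

def find_hid_admin_adds(events, window=WINDOW):
    """Return (host, device, account_sid, seconds_after_plug) per suspicious chain."""
    findings = []
    for plug in events:
        if plug["id"] != 6416 or plug.get("device_class") not in KEYBOARD_CLASSES:
            continue
        near = [e for e in events if e["host"] == plug["host"]
                and timedelta(0) <= ts(e) - ts(plug) <= window]
        created = {e["account_sid"] for e in near if e["id"] == 4720}
        for e in near:
            if (e["id"] == 4732 and e["group_sid"] == ADMINS_SID
                    and e["member_sid"] in created):
                findings.append((plug["host"], plug["device"], e["member_sid"],
                                 (ts(e) - ts(plug)).total_seconds()))
    return findings
```

Only the WS01 chain is reported with the default window; widening the window trades fewer misses for more hits on legitimate administration that happens to follow a keyboard being plugged in.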

The following code is for use with a button. However, feel free to remove that part if you wish.

Thanks to @irongeek_adc for pointing out the Leonardo and answering my questions and to @matthewneely, @SoapyWetDish and @dave_rel1k for other guidance.
