The MalDuino – the BadUSB

The MalDuino is an Arduino-powered USB device that attackers can use during an RTE/penetration testing activity. It has a keystroke-injection capability and runs its commands within a fraction of a second. These devices are extremely useful during physical security assessments that include access to the organization's building. People inside the organization rarely lock their computers, assuming that the physical access restrictions are a sufficient safeguard and that nobody would do anything. Even if attackers gain physical access to a system, staff can argue that a no-USB policy is in place, which is good; but disabling USB storage does not disable USB keyboards. When an attacker plugs in the MalDuino, it presents itself as a keyboard and types the commands exactly as a human would, running and executing the specified payload.
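The practical defensive consequence of the paragraph above is that a keystroke-injection device is indistinguishable, at the device-class level, from a legitimate keyboard. The following PowerShell script is an added example for this page, not code from the book or from the MalDuino project: it inventories every keyboard-class PnP device currently present and flags USB-attached HID keyboards that arrived recently, which is the check a defender wants when auditing whether a "no USB" policy actually covers HID devices. It assumes Windows 10/11 with PowerShell 5.1 or later, run as a local administrator; the `$SinceHours` parameter is a hypothetical knob for this example.

```powershell
# Added example for this page (not from the book or the MalDuino project):
# list keyboard-class devices and flag USB HID keyboards that arrived recently.
# Assumes Windows 10/11, PowerShell 5.1+, run as a local administrator.
param(
    # Hypothetical parameter for this example: how many hours back counts as "recent".
    [int]$SinceHours = 24
)

$cutoff = (Get-Date).AddHours(-$SinceHours)

# To the operating system a keystroke-injection device is just another HID
# keyboard, so it enumerates in the Keyboard device class next to the real one.
$keyboards = Get-PnpDevice -Class Keyboard -PresentOnly -ErrorAction SilentlyContinue

$report = foreach ($kb in $keyboards) {
    # Bus-reported description and last arrival time live in the PnP property store.
    $busDesc = (Get-PnpDeviceProperty -InstanceId $kb.InstanceId `
                  -KeyName 'DEVPKEY_Device_BusReportedDeviceDesc' `
                  -ErrorAction SilentlyContinue).Data
    $arrived = (Get-PnpDeviceProperty -InstanceId $kb.InstanceId `
                  -KeyName 'DEVPKEY_Device_LastArrivalDate' `
                  -ErrorAction SilentlyContinue).Data

    # USB-attached keyboards carry a VID/PID in the instance ID (USB\VID_... or HID\VID_...);
    # a built-in laptop keyboard typically enumerates under ACPI instead.
    $isUsb    = $kb.InstanceId -match '^(USB|HID)\\VID_'
    $isRecent = ($null -ne $arrived) -and ([datetime]$arrived -gt $cutoff)

    [pscustomobject]@{
        Name        = $kb.FriendlyName
        BusDesc     = $busDesc
        InstanceId  = $kb.InstanceId
        LastArrival = $arrived
        Suspicious  = ($isUsb -and $isRecent)
    }
}

$report | Sort-Object LastArrival -Descending | Format-Table -AutoSize

$flagged = @($report | Where-Object Suspicious)
if ($flagged.Count -gt 0) {
    Write-Warning ("{0} USB HID keyboard(s) attached within the last {1} h; confirm each is an expected device." `
        -f $flagged.Count, $SinceHours)
}
```

Save it as a `.ps1` and run it with, for example, `-SinceHours 8` after a suspected physical intrusion; the built-in keyboard will show an old arrival date, while any unexpected entry with a VID/PID and a fresh arrival time deserves a look. The same hardware IDs can feed Windows device installation restriction policies, which allow installation only of explicitly listed devices, so that an unknown keyboard cannot enumerate at all.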

There are two flavors of MalDuino, Elite and Lite. The difference is that the Elite provides an SD card slot on which you can store around 16 different payloads, selected with the hardware switches on the device, so that you don't need to reconfigure the entire device. With the MalDuino Lite, you have to reconfigure the device every time you change the payload.

The board supports Ducky Script templates, making it easy to build custom scripts. The following photo depicts the MalDuino Elite hardware:

Instructions on how to set up the board can be found at https://malduino.com/wiki/doku.php?id=setup:elite.

We will focus on setting up a PowerShell Empire script for the board by following these steps:

  1. Generate the PowerShell payload in Empire.
  2. Ensure the listeners are up and listening for any connections.
  3. Convert the PowerShell launcher into strings; since the MalDuino has a buffer size of 256 bytes, the payload must be fragmented. This can be done by visiting https://malduino.com/converter/.
  4. Once the strings are converted, they should look something like the following screenshot:

  5. The next step is to build the Ducky Script, as shown in the following screenshot:

  6. The final action is to plug the device into the victim machine; you should now see an agent reporting back, as shown in the following screenshot:
