A hardware USB keylogger, Bad-USB device, Virtual Keyboard, and Remote WiFi Shell for $10 using the Pi Pico, Pi Pico W, Pi Pico 2, & Pi Pico 2 W!
- Flash, plug and play
- Bad-USB Functionality using Duckyscript
- Virtual 'in browser' keyboard (Pico W & Pico 2 W only)
- Hidden Remote Shell for Windows and Linux (Pico W & Pico 2 W only)
- Remote screenshots for Windows (Pico W & Pico 2 W only)
- Webserver to display results, payload management and more. (Pico W & Pico 2 W only)
- Multi keypress handling for key combinations
- WiFi ON/OFF serial control (Pico W & Pico 2 W only)
- Run Bad-USB payloads on boot
- Create, run, edit and delete Bad-USB payloads (Pico W & Pico 2 W only)
- Change wifi settings and others
- Optional screen + nav-switch and USB-male port mods.
- USB mouse support (for keyboard/mouse combo functionality)
- Sudo Password sniffer
- Keyboard layout switching (Pico W & Pico 2 W only)
- Windows File Exfiltration (Pico W & Pico 2 W only)
- Password Manager with Autofill functionality
- Basic secure login system for web UI and Pass Manager menu option.
- Mobile-Friendly Web UI
IMPORTANT : Use the PicoLoggerW files if you are NOT using the screen and navigation switch
- Hold down the
BOOTSELbutton on your Pico or Pico W - Connect your Pico or Pico W to your computer via USB
- A new drive named something like
RPI-UF2orRP2350should appear - Copy the .uf2 file from the
UF2folder for your specific Pico to theRPI-UF2drive (use OLED verion if you are using the screen mod) - The Pico should now restart as a picologger!
- Download Arduino 1.8.x (Legacy Version)
- Goto File > Preferences > then add this line to Additional Boards Manager URLs :
https://github.com/earlephilhower/arduino-pico/releases/download/global/package_rp2040_index.json
- Goto Tools > Board > Boards Manager > then search and install Raspberry Pi Pico/RP2040/RP2350
- Goto Sketch > Include Library > Add ZIP Library > then add the files from
libraresfolder- libraries/Pico-PIO-USB-0.6.1.zip
- libraries/HIDKeyboard.zip [Deprecated] (No longer required PicoLogger-v2.0 and above)
- (For Screen mod ONLY) - Goto Tools > Manage Libraries > then search for Adafruit_SSD1306 and click install.
- Goto Tools > then change all options below
Options for Pico and Pico W
Options for Pico 2 and Pico 2 W
- Once you have the correct options selected, upload the sketch to your Pico.
- A Raspberry Pi Pico, Pico W, Pi Pico 2, or Pi Pico 2 W
- USB-A female port
- Thin gauge wire (22awg solid copper core wire is good)
- A glue gun to secure components (for 3D printed case)
- USB-A Male port (optional mod)
- SD1306 OLED screen 128x32px (optional mod)
- 5-Way Thru-Hole Nav Switch
SKRHADE010small orADA504large (optional mod)
Although PicoLogger works fine without any of these additions, a USB-A female port is needed for keylogging functionality.
Wiring for USB Female Connector
- To use the keylogging functionality, wire a female USB port to host a keyboard.
Pico/Pico-W || USB-A Port
GND => GND (PIN 1)
GPIO 19 => D+ (PIN 2)
GPIO 20 => D- (PIN 3)
VCC => 5v (PIN 4)
Wiring for USB Male Connector
- If you don't want to use the Pi's built in Micro-USB, you can use the test pads on the back of the Pico to attach a USB male connector.
Pico/Pico-W || USB-A Port
TP1 => GND (PIN 1)
TP3 => D+ (PIN 2)
TP2 => D- (PIN 3)
VCC => 5v (PIN 4)
OLED User Interface (Pico W & Pico 2 W only)
Using an SD1306 128x32 screen and 5-way nav-switch, you can control PicoLogger on-device using the PicoLogger UI!
Wiring for SD1306 OLED screen
- If you are using PicoLogger-OLED, you will need to wire a screen and nav switch (wiring and pinout images are in /Images)
Pico/Pico-W || SD1306 128x32
GND => GND
GPIO 4 => SDA
GPIO 5 => SCL
3v3 => VCC
Wiring for 5-Way Thru-Hole Nav Switch
- the smaller button
SKRHADE010is recomended for space constraints inside a case.
Pico/Pico-W || 5-Way Nav Switch
GND => GND
GPIO 6 => PIN 1 (Up)
GPIO 7 => PIN 2 (Down)
GPIO 8 => PIN 3 (Left)
GPIO 9 => PIN 4 (Right)
GPIO 10 => PIN 5 (Center)
- Serial Control
Using a serial monitor like Putty or alike,
Choose your COM port for your Pico and use 115200 baudrate
read: Output logged keys to serialclear: Delete all logsformat: Format file system (LittleFS)wifion: Enable WiFi AP (Pico W & Pico 2 W only)wifioff: Disable WiFi AP (Pico W & Pico 2 W only)ssid <yourssid>: Change the SSID (requires restart)password <newpassword>: Change the password (requires restart)pobenabled: Enable payload on boot (non-wifi version only)pobdisabled: Disable payload on boot (non-wifi version only)
(All logs, WiFi state & settings will be saved to survive restarts and reflashing - use format command to reset defaults & remove ALL files)
- Web Interface (Pico W & Pico 2 W only)
- Connect to the WiFi network - (Default SSID >
PicoLoggerPASSWORD >12345678) - Goto
http://192.168.42.1to login. (Default USERNAME >adminPASSWORD >password) - Use menu icon (top left) view logs, manage payloads and change settings etc.
- Connect to the WiFi network - (Default SSID >
USB Keylogger
Place in between a keyboard and host system (PicoLogger is powered by the host).
All keystrokes from that keyboard will be collected in a log file that can be read over serial (all Pico's), or over the webserver (Pico W & Pico 2 W only).
Virtual Keyboard (Pico W & Pico 2 W only)
With the Pico W & Pico 2 W you can use the Virtual Keyboard webpage to send keystrokes to the host!
CTRL, ALT, GUI and SHIFT can be toggled for key combinations.
Windows Remote Shell (Pico W & Pico 2 W only)
Navigate to the Remote Shell page. (you can use the hidden switch to hide the console once running)
- Click
Deploy Windows Agentwhile connected to a Windows host. - Wait 10 - 20 seconds for the agent to start on the host (the Powershell script for this can be found in
Scriptsfolder. Remote-Shell-Agent.ps1 - Use the command input to send Powershell commands to the host and receive output.
Linux Remote Shell (Pico W & Pico 2 W only)
The Linux agent requires a sudo password - if it has not been automatically sniffed (see sudo pass sniffing below), it can be specified in the password box.
- Click
Deploy Linux Agentwhile connected to a Linux host. - Wait 10 - 20 seconds for the agent to start on the host (the Bash script for this can be found in
Scriptsfolder. Remote-Shell-Agent.sh - Use the command input to send Bash commands to the host and receive output.
Remote Screenshots (Pico W & Pico 2 W only)
For Windows systems you can use the Screenshots page.
- Click
Deploy Agentwhile connected to a Windows host. (you can use the hidden switch to hide the console once running) - Wait 10 - 20 seconds for the agent to start on the host (the Powershell script for this can be found in
Scriptsfolder. Remote-Screenshot-Agent.ps1 - Use the
Take Screenshotbutton to receive screenshots of the host display.
This function can be tempremental.. it may take 2-3 Take Screenshot button presses
Sudo Password Sniffing
PicoLogger has an automatic password sniffer - it works by listening for any sudo command, and assumes the next line will be the password in between enter keypresses.
if the password has already been found the sniffer will be deactivated until Picologger has been powered off or restarted.
Keyboard Layout Selection
On both the web UI and screen UI, you can now select the keyboard layout for using Bad-USB, Remote Shell, and Remote Screenshot functions.
This changes the selected layout without needing to reboot PicoLogger!
File Explorer (Pico W & Pico 2 W only)
Navigate to the File Explorer page.
This allows you to download, edit, and delete all files on the file system.
Windows File Exfiltration (Pico W & Pico 2 W only)
Navigate to the Exfiltration page.
Here you can deploy a file exfiltration agent to run on windows. this allows you to navigate all drives on the host and save them to Picologger (3MB max for pico 2w) over serial
- Click
Deploy Agentwhile connected to a Windows host. (you can use the hidden switch to hide the console once running) - Wait 10 - 20 seconds for the agent to start on the host (the Powershell script for this can be found in
Scriptsfolder. Remote-Exfiltration-Agent.ps1 - You should now be able to navigate any specified drive (C:\ by default)
- you can also use Picologger as a wireless usb drive this way.
Password Manager
Store, Edit, Delete and View Username and Password information. Autofill feature types the information on connected host.
- Navigate to
Pass Managerwebpage. - Create an entry and click save
- You can edit and delete entries.
- Autofill will send Username and Password seperated by prompt intervals.
Warning - Credentials Are Stored As Plain Text! Anyone with physical access to the device can recover them easily! Encryption will be in a future update soon :)
Web UI Secure Login
For the Web UI and Pass Manager menu on screen, any user is required to authenticate in the Web UI.
- Goto
http://192.168.42.1to login. - Enter your credentials (Default USERNAME >
adminPASSWORD >password) - Once authenticated you can navigate the Web UI and access the Pass Manager menu.
Live Capture
Can be found in System menu. This is a feature for testing and debugging. It displays live information of keys pressed, webserver activity etc..
Bad-USB Functionality
The Pi Pico (non-W) can be setup to run a pre-coded payload on boot using the command pobenabled.
You will need to flash the pico after editing the payload() function in the PicoLogger.ino file.
An example payload is provided to show some basic functionality using this (non-W) version
void payload() {
// Example Payload - modify this as needed.
delay(2000);
// key press
Keyboard.press(KEY_LEFT_GUI);
Keyboard.press('r');
delay(100);
// keys release (for multi keypresses)
Keyboard.releaseAll();
delay(1500);
// print string
Keyboard.print("notepad");
delay(1000);
Keyboard.press(KEY_RETURN);
delay(100);
Keyboard.releaseAll();
delay(3000);
// print string + return
Keyboard.println("Hello World!");
}
With the Pico W you can use the 'Payload Manager' webpage to create, run, edit and delete payloads as well as enable any payload on boot. The Pico W version has it's own handler so you can use basic Duckyscript commands to create Bad-USB scripts in the editor.
example rickroll duckyscript
REM rickroll!
REM delay 750ms before running to make sure everything is connected
DELAY 750
REM GUI r holds down the "windows" key and R at the same time, opening the run box
GUI r
REM Delay for 500ms (half a second)
DELAY 500
REM type in the rickroll youtube link
STRING https://www.youtube.com/watch?v=dQw4w9WgXcQ
DELAY 500
REM press the enter key
ENTER
- Add SD card support for larger exfiltration storage
- Add Encryption
- Change Hardware ID etc (settings)
- Virtual Keyboard special character handling
- Virtual Keyboard arrow keys and others