Analysis updated 2026-05-18
Simulate a red team USB drop attack during an authorized penetration test.
Monitor USB connect and disconnect events on a Windows target during a security engagement.
Capture NetNTLMv2 authentication hashes when a crafted shortcut file on a USB drive is opened.
| jakobfriedl/usb-monitor-bof | homemadegarbage/selfrisingrobot | radareorg/r2garlic | |
|---|---|---|---|
| Stars | 39 | 38 | 40 |
| Language | C | C | C |
| Setup difficulty | hard | hard | moderate |
| Complexity | 4/5 | 4/5 | 3/5 |
| Audience | developer | researcher | developer |
Figures from each repo's GitHub metadata at analysis time.
Requires the Conquest C2 framework to load and run asynchronously.
usb-monitor-bof is a C-based security research tool that runs as an asynchronous BOF (Beacon Object File), which is a small program that executes inside a command-and-control agent without blocking it. The tool monitors a Windows machine for USB devices being plugged in or removed and reports device information like vendor ID, product ID, and device name. When a USB storage drive is connected, it can automatically perform configurable actions: listing the files on the drive, uploading a file to it, or placing a specially crafted shortcut file that forces the victim's computer to send a network authentication request (called a NetNTLMv2 hash) to an attacker-controlled server when opened. Security researchers and penetration testers use tools like this during authorized red team engagements to simulate physical attacks where an adversary gains access to USB ports on a target system. It requires the Conquest framework to load and run asynchronously. Written in C and built with make.
A C-based Beacon Object File that monitors Windows USB device activity and can trigger file listing, uploads, or credential-capturing shortcuts for authorized red team testing.
Mainly C. The stack also includes C, BOF, Conquest framework.
Setup difficulty is rated hard, with roughly 1h+ to a first successful run.
Mainly developer.
This repo across BitVibe Labs
Verify against the repo before relying on details.