whatisgithub

What is usb-monitor-bof?

jakobfriedl/usb-monitor-bof — explained in plain English

Analysis updated 2026-05-18

39CAudience · developerComplexity · 4/5Setup · hard

In one sentence

A C-based Beacon Object File that monitors Windows USB device activity and can trigger file listing, uploads, or credential-capturing shortcuts for authorized red team testing.

Mindmap

mindmap
  root((usb-monitor-bof))
    What it does
      Monitors USB events
      Reports device info
      Triggers configurable actions
    Tech stack
      C
      BOF
      Conquest framework
    Use cases
      Red team simulation
      File listing and upload
      NetNTLMv2 hash capture
    Audience
      Security researchers
      Penetration testers
    Requirements
      Windows target
      Conquest framework

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Simulate a red team USB drop attack during an authorized penetration test.

USE CASE 2

Monitor USB connect and disconnect events on a Windows target during a security engagement.

USE CASE 3

Capture NetNTLMv2 authentication hashes when a crafted shortcut file on a USB drive is opened.

What is it built with?

CBOFConquest frameworkWindows API

How does it compare?

jakobfriedl/usb-monitor-bofhomemadegarbage/selfrisingrobotradareorg/r2garlic
Stars393840
LanguageCCC
Setup difficultyhardhardmoderate
Complexity4/54/53/5
Audiencedeveloperresearcherdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · hard Time to first run · 1h+

Requires the Conquest C2 framework to load and run asynchronously.

So what is it?

usb-monitor-bof is a C-based security research tool that runs as an asynchronous BOF (Beacon Object File), which is a small program that executes inside a command-and-control agent without blocking it. The tool monitors a Windows machine for USB devices being plugged in or removed and reports device information like vendor ID, product ID, and device name. When a USB storage drive is connected, it can automatically perform configurable actions: listing the files on the drive, uploading a file to it, or placing a specially crafted shortcut file that forces the victim's computer to send a network authentication request (called a NetNTLMv2 hash) to an attacker-controlled server when opened. Security researchers and penetration testers use tools like this during authorized red team engagements to simulate physical attacks where an adversary gains access to USB ports on a target system. It requires the Conquest framework to load and run asynchronously. Written in C and built with make.

Copy-paste prompts

Prompt 1
Explain how this BOF hooks into Windows USB events and what NetNTLMv2 hash capture means.
Prompt 2
Help me build this project with make and load it into the Conquest framework.
Prompt 3
Walk me through the configurable actions this tool can trigger when a USB drive connects.

Frequently asked questions

What is usb-monitor-bof?

A C-based Beacon Object File that monitors Windows USB device activity and can trigger file listing, uploads, or credential-capturing shortcuts for authorized red team testing.

What language is usb-monitor-bof written in?

Mainly C. The stack also includes C, BOF, Conquest framework.

How hard is usb-monitor-bof to set up?

Setup difficulty is rated hard, with roughly 1h+ to a first successful run.

Who is usb-monitor-bof for?

Mainly developer.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.