USB Rubber Ducky


Introduction: What’s USB Rubber Ducky?

The USB Rubber Ducky is a keystroke injection tool disguised as a generic flash drive. Computers recognize it as a regular keyboard. Once it’s plugged into your or a target machine, it mimics a keyboard, although it’s not really one. It allows you to create keyboard scripts that run as soon as you plug in the device.


Simple, powerful platform.
Hardware Specs:

  • Fast 60 MHz 32-bit Processor
  • Convenient Type A USB Connector
  • Expandable Memory via Micro SD
  • Hideable inside an innocuous-looking case
  • Onboard Payload Replay Button

Payloads are crafted using a simple scripting language, DuckyScript, which can be used to drop reverse shells, inject binaries, brute-force PIN codes, steal passwords, and perform many other automated functions, if you are a pentester, sysadmin or ethical hacker, of course.

How does it work?

The Rubber Ducky is a really fast, automated and scriptable HID (Human Interface Device) that convinces the computer that it is a keyboard. Masked as an average flash drive, it can perform all kinds of actions on a machine within 15 seconds of being plugged in. Specially crafted payloads mimic a trusted user, so anyone with social engineering or physical access skills can deploy payloads with ease and enter keystrokes into the target machine through them.
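
Because the device types far faster than a person and starts shortly after it is plugged in, keystroke timing is a usable detection signal. The following is an added example, not code from the original page: it scores keyboards from a constructed event log, and the event format, device names and thresholds are all assumptions to be tuned per environment.

```python
from collections import defaultdict
from statistics import median

# Assumed thresholds (not from the original page); tune per environment.
MAX_HUMAN_GAP_MS = 30          # a median inter-key gap below this is not sustained human typing
PLUG_TO_TYPE_WINDOW_MS = 5000  # typing that starts this soon after attach is suspicious
MIN_KEYS = 8                   # ignore devices with too few keystrokes to judge

def constructed_events():
    """Constructed sample log of (ms_timestamp, device_id, kind) tuples."""
    ev = [(0, "kbd-A", "attach")]
    t = 60000                                  # a person starts typing a minute later
    for gap in (180, 150, 210, 160, 210, 140, 210, 140, 190):
        ev.append((t, "kbd-A", "key")); t += gap
    ev.append((120000, "kbd-B", "attach"))
    t = 121000                                 # typing begins 1 s after attach
    for i in range(20):
        ev.append((t, "kbd-B", "key"))
        t += 1500 if i == 1 else 5             # one scripted 1.5 s pause, else 5 ms gaps
    return sorted(ev)

def analyze(events):
    """Return per-device timing statistics and a verdict."""
    attach, keys = {}, defaultdict(list)
    for ts, dev, kind in events:
        if kind == "attach":
            attach[dev] = ts
            keys[dev] = []                     # a re-plug starts a fresh session
        elif kind == "key":
            keys[dev].append(ts)
    report = {}
    for dev, stamps in keys.items():
        if len(stamps) < MIN_KEYS:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)                     # median is robust to scripted pauses
        start = attach.get(dev)                # None if attached before logging began
        quick = start is not None and stamps[0] - start <= PLUG_TO_TYPE_WINDOW_MS
        fast = med < MAX_HUMAN_GAP_MS
        verdict = "injection-suspected" if fast and quick else "review" if fast else "ok"
        report[dev] = {"median_gap_ms": med, "quick_start": quick, "verdict": verdict}
    return report

if __name__ == "__main__":
    for dev, row in analyze(constructed_events()).items():
        print(dev, row)
```

Timing is only a heuristic, so treat it as a complement to a USB device control policy rather than a replacement.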

The Rubber Ducky Workflow:

  1. Writing the Payload – payloads are written in DuckyScript, a very simple scripting language. All you need is an ordinary text editor (e.g. Notepad).
  2. Encoding the Payload – this step converts the human-readable DuckyScript into a USB Rubber Ducky compatible inject.bin file, using one of the many duck encoders. The USB Rubber Ducky expects an inject.bin file in the root of its microSD card.
  3. Loading – put the microSD card into the Ducky and place it inside a generic USB drive enclosure for covert deployment.
  4. Deploying – after payload testing and optimization, it can be deployed on a target machine.

Features:

  • Cross-Platform: Attacks any OS that supports USB Keyboards
  • Simple Scripting language: Start writing payloads in minutes
  • Open Source Firmware: Add functionality using included libraries
  • Expandable Storage: Micro SD cards make it possible to carry multiple payloads
  • Community Support: Share sample scripts, complete payloads and get help online

The DuckyScript & The DuckToolKit

DuckyScript code tells the USB device what keystrokes to send after it is plugged in. Basic DuckyScript code:

  • WIN r – pulls up the Windows run dialog
  • DELAY 1500 – pauses for 1.5 seconds.
  • STRING Hello World – types “Hello World”
  • ALT F4 – closes the window

DuckToolkit is an open source penetration testing tool for authorized network auditing and security analysis purposes. It contains encoding tools for the Rubber Ducky. Tools are available here, and you can also generate payloads from a selection of predefined scripts and templates. It is very easy to install; just follow the installation steps from the DuckToolkit GitHub repo.

Hacking with Rubber Ducky

The USB Rubber Ducky has been a favorite among hackers, pentesters, cybersecurity and IT professionals. Many hackers have figured out how to create their own small USB keys that can act like Human Interface Devices (HID) for just $8. But why Rubber Ducky?

Rubber Ducky in Mr. Robot
Mr. Robot S2 E9: Angela plugs a USB Rubber Ducky into her boss’s computer. The Rubber Ducky gets to work, leveraging “mimikatz” to steal her boss’s password and copy it to the USB. She waits 15-30 seconds, then heads back to her desk. She grabs the micro SD card from the Rubber Ducky, pops it into a micro SD reader, and plugs that into her own machine. While Angela browses through the contents of the SD card, we can see that there’s a text file that contains her boss’s password.
  • Just 15 seconds of physical access and a USB Rubber Ducky is all it takes to swipe passwords from an unattended PC.
  • With the Ducky Mimikatz payload, it’s possible to grab a user’s password/credentials just by plugging in this small little devil. Mimikatz can actually recover the plain text password of the logged-in user.
  • Ducky provides a simple scripting language – DuckyScript. You can craft custom payloads capable of changing system settings, opening backdoors, retrieving data, initiating reverse shells, or basically anything that can be achieved with physical access, all automated and executed in a matter of seconds.
  • It looks like any other USB storage key, so you can easily plug it in unnoticed. It’s very unlikely that someone will notice it. It can also be used with a Raspberry Pi (for Wi-Fi handshake harvesting without using a screen).
  • It’s also cross-platform, so it attacks any OS that supports USB Keyboards (Windows, Mac, Linux, Android, etc.).
  • The USB Rubber Ducky can also be used for targeting vulnerable systems or for automating processes to save time.
  • Implementation of the USB Rubber Ducky is basic and easy to follow, but if you find yourself getting lost, there are plenty of guides, tutorials and forums on “how to set up and use” it all over the Internet.


Conclusion

When you plug in this small USB Rubber Ducky, which looks like any other USB storage key, it can automatically launch a command prompt, hide it, and take control of the target computer. It’s very affordable: you can get it for $45 in the Hak5 online shop. There is a chance that you’ll need a little more than 15 seconds to take control of the desired machine, but to be honest – it’s worth it.