USB Rubber Ducky
This documentation is about the USB Rubber Ducky, a keystroke injection tool. It will explain USB Rubber Ducky basics, show some available tools for writing and encoding/decoding scripts, as well to change Rubber Ducky's firmware.
Rubber Ducky itself is operating system independent but you will need a pc with an USB A port in order to be able to create and deploy your own payloads.
USB Rubber Ducky, is a keyboard injection tool, mainly used from penetration testers and system administrators. The Rubber Ducky comes disguised with an innocent USB flash drive chassis, to aid in social engineering. But under the hood hides a 60 MHz 32-bit AT32UC3B1256 CPU with 256K onboard flash, and a micro SD card storage to host the payload, which is ready to deploy with over 9000 characters per minute, once connected into an USB slot.
The device where Rubber Ducky is connected, recognizes it as a USB Keyboard. But it is also possible to change the PID/VID (Product ID/Vendor ID), so Rubber Ducky can claim to be any USB Human Interface Device (HID). The payload, is written in Ducky Script, which is a very simple scripting language. Its syntax consists of just a few keywords, so everyone can directly start developing their own ducky scripts.
If you purchase the USB Rubber Ducky form Hak5 you will find this content:
- USB Rubber Ducky
- 128 MB micro SD Card
- The casing of the USB Rubber Ducky
- USB micro SD Card reader
- USB A female to micro USB male adapter
- USB Rubber Ducky field guide
The USB micro SD Card reader to transfer the encoded the program onto the micro SD Card. The USB A female to micro USB male adapter allows to use the USB Rubber Ducky on mobile devices.
Rubber Ducky Basics
Before diving into the world of keystroke injection attacks, a reader should be familiar with the following terms:
The payload tells USB Rubber Ducky what keystroke sequence shall be injected, once connected into a USB jack. Payloads are written in a language called Ducky Script.
Ducky Script is the script language, in which payloads are written. Ducky Scripts are pure text, so any ascii based text editor can be used. The syntax is very easy, each command (all capital letters) resides on a new line with options to follow. See here a list of commands and their functions.
Since Rubber Ducky is not able to interpret text files natively, the scripts need to be encoded into a binary keystroke injection file. There are many tools out there and they come in different flavors, as a browser app, a cli program or with a VB GUI. They all work the same, and produce an inject.bin file. There are also decoder tools available to reverse the process and produce ducky scripts from binary files.
The inject.bin file is the compiled version of the ducky script. This file is then transferred on to a micro SD card and placed in Rubber Ducky's SD card reader, in order to be read and processed by the firmware.
Rubber Ducky's source code is open, so many different firmware alternatives are published from the community. Depending on the attack strategy, choose the firmware with specialized functionality, like:
- Multi Operating System Support (Duck)
- Mass Storage (FAT Duck)
- Multiple Payload Delivery (Detour Duck)
- Mass Storage & HID Keyboard Emulation (Twin Duck)
No matter what kind of device the chosen target will be, the workflow will be basically similar for all devices.
Since Rubber Ducky acts as a simple preprogrammed input device, an attack is more likely to be successful, the more detailed information is gathered during reconnaissance phase, using social engineering and open source intelligence gathering techniques. Once you know details about the used hardware and software running on it, try to rebuild the setup in bare metal or in a virtual environment, to test and optimize payload.
Writing ducky scripts always starts with trying out the payload by typing it directly into the test machine using the keyboard, and make step by step notes how you completed some tasks. Once all the necessary keystroke and shortcut combinations are found to complete the attack, the actual writing of the ducky script can start. But keep in mind that all machines vary in performance, especially when dealing with GUI elements. So be sure to add enough delay in the script, so the victim hosts has time enough to follow the keystrokes. A payload generator for multiple OS platforms can be found here.
Once the ducky script is completed, it's time to convert the human readable file into the binary formatted inject.bin file. There is an online Encoder IDE which can be found on ducktoolkit.com. Or download an offline version from here. After encoding place the inject.bin file to the root folder of your micro SD card. In case you need to convert back a binary file to ascii, use this or other decoding tools.
Test and Optimize
Once the tests succeeded on a test environment, it's time to optimize the code in sense of speed (number of keystrokes and delays) and discreetness (to make the attack stealthier). But keep in mind, a less optimized version of your script might be slower, but more reliable when run on different devices.
- Deploy the encoded script on the USB Rubber Ducky by Pasting the inject.bin file onto the micro SD Card.
- Use the USB Rubber Ducky and watch it type