Linux Format

Hacking Hello Ducky

The USB Rubber Ducky looks like a standard thumbdrive, but types like a keyboard. Nate Drake helps you to master this compact attack platform.

- Nate Drake: Freelance technology journalist Nate specialises in writing about cybersecurity. He’s quackers about this pentesting device.

Nate Drake invites you to play with his little rubber ducky and a USB slot. Don’t do it!

Computers trust humans. Humans use keyboards. This means if the wrong sort of person had physical access to your computer keyboard, then they could wreak all kinds of havoc.

The USB Rubber Ducky, despite its benign name, is one such device. In technical terms it’s an evil HID (human interface device), which can plug into a computer or mobile USB port and run thousands of commands in the space of a few seconds. Fans of the TV series Mr. Robot may remember that the character Angela Moss used a Ducky in this way on FBI computers with devastating effect.

The origins of the USB Rubber Ducky device can be traced back to 2010. It’s undergone several iterations since then, mostly focused on making the device as affordable and efficient as possible. The Ducky project itself was partly inspired by an Arduino project named Teensy (www.pjrc.com/teensy), which can also be used for pen-testing but isn’t quite so simple to use out of the box.

A lawful way to stay safe

This is an excellent way to overcome objections by people who don’t believe there are lawful uses for the Rubber Ducky. Black hat hackers already know how to build similar devices themselves, so as a pen-tester you need to be sure your own devices are safe against such attacks.

Some of the basic scripts you can download include simple payloads for creating a new administrator, disabling firewalls, enabling remote access, creating hidden Wi-Fi networks and much more. The official tool for encoding payloads from the simple scripting language (Ducky Script) into a .bin file is DuckEncoder. In this guide we’ll explore the basics of setting up DuckEncoder to run a simple payload.

Duck Duck Go

If you’re keen to get started, we recommend ordering at least two Rubber Ducky devices from Hak5 (see Quick tip, left). Not only will this save you on shipping, but you can give the other device to a fellow pen-tester. That means that, if you prefer, someone else can choose the payloads to try and execute on your devices. This better simulates the experience of an actual hacker trying to sneak into your home and office. If you can persuade your fellow pen-tester to give you permission to do the same to their devices, you can enjoy the thrill as you try to surreptitiously hack one another’s machines.

The basic kit consists of the Rubber Ducky itself, a 128MB microSD card, casing to disguise the Rubber Ducky as a USB stick, a microSD card USB reader and an OTG Micro USB adapter. There are also some stickers and a reference guide.

The only thing missing is a computer to prepare your payloads and a target machine to deploy them. For this guide the computer used to prepare the payloads was a virtual machine running Ubuntu 17.04 (Zesty Zapus) and the target machine was a Lenovo netbook running Windows 10. The DuckEncoder is cross-platform, in that it’ll run on any device which supports Java, so feel free to use a different version of Linux, provided you have Java Runtime Environment installed.

The payload used will open Notepad on a Windows machine and type the message “YOU’VE BEEN QUACKED!”. You can find examples of more impressive payloads on Hak5’s Github page (https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads), the Hak5 forums (https://forums.hak5.org) and the Duck Toolkit site.

While this simple payload shouldn’t harm the target system in any way, make sure both you and your pen-testing buddy (if you have one) have backed up any devices on which the Rubber Ducky will be used. Although the Rubber Ducky does contain some casing to disguise itself as a USB device, you may prefer not to use it at first, as it’s likely you’ll want to remove and replace the microSD card a number of times.

Talking Ducky Script

Payloads are prepared using Ducky Script. For anyone who used the BASIC programming language back in the day, this will be child’s play. Otherwise, it can be mastered in minutes. To write a payload, open any text editor and write REM on the first line. As BASIC die-hards will know, the Ducky will ignore text after ‘REM’ statements, enabling you to enter a description for your script such as ‘Disable Firewall’.

Except when writing a description, capitalisation is crucial. All commands should be in upper case and start on a new line. The first command in a script is usually DELAY <value>, where you can give a value in milliseconds for the Rubber Ducky to wait before trying to execute the rest of the script. This is important because the Ducky types much faster than an ordinary keyboard user and the machine may need some time to recognise the device and/or launch programs. The delays used in the sample scripts in the tutorial are five seconds (5,000 milliseconds) so you can follow the steps the Ducky goes through, but you can change these if you wish.

Special keys are invoked through typing their name in upper case on a new line. For instance, WINDOWS simulates pressing the Windows key on a Microsoft keyboard. Other commands such as CTRL, ESC and SPACE are self-evident. Use the STRING command to type actual text, for instance STRING YOU’VE BEEN QUACKED!!. Then congratulate yourself on mastering an entire programming language in just a few minutes, and save your script as a plain text (.txt) file.
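The rules in this section can be checked mechanically before a script is encoded, which is useful when you are reviewing a payload someone else has chosen for your machine. The following is an added example, not code from the original article or from Hak5: a small Python linter that applies those rules and reports what a script will type. ENTER is a Ducky Script key name the article does not mention, and both sample scripts are constructed for illustration.

```python
# Added example: lint a Ducky Script against the rules described in the article.
# Key names from the article, plus ENTER (an assumption: not named in the article).
KNOWN = {"REM", "DELAY", "STRING", "WINDOWS", "CTRL", "ESC", "SPACE", "ENTER"}

def lint(script):
    """Return (issues, summary): issues is a list of (line_no, message)."""
    issues, typed, total_delay = [], [], 0
    for n, raw in enumerate(script.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        cmd, _, arg = line.partition(" ")
        if cmd != cmd.upper():              # commands must be upper case
            issues.append((n, f"command '{cmd}' must be upper case"))
            continue
        if cmd not in KNOWN:
            issues.append((n, f"unknown command '{cmd}'"))
            continue
        if cmd == "REM":                    # description only, ignored by the Ducky
            continue
        if cmd == "DELAY":
            if arg.strip().isdecimal():     # value is in milliseconds
                total_delay += int(arg)
            else:
                issues.append((n, "DELAY needs a whole number of milliseconds"))
        elif cmd == "STRING":
            if arg:
                typed.append(arg)           # record the text the device will type
            else:
                issues.append((n, "STRING has no text to type"))
    return issues, {"delay_ms": total_delay, "typed": typed}

# Constructed sample: the Notepad payload the article describes.
GOOD = """REM Open Notepad and type a message
DELAY 5000
WINDOWS r
DELAY 5000
STRING notepad
ENTER
DELAY 5000
STRING YOU'VE BEEN QUACKED!
"""
# Constructed sample with one mistake per line after the REM.
BAD = "REM test\ndelay 5000\nDELAY five\nSTRING\nJUMP 3\n"

if __name__ == "__main__":
    for name, src in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint(src))
```

The summary lists every STRING argument, so you can read exactly what a payload will type before it goes anywhere near DuckEncoder.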

A ducky toolkit

The tutorial covers using the official DuckEncoder to take the .txt file you’ve written in Ducky Script and transform it into a deployable payload (the inject.bin file). The syntax for the commands isn’t very complicated but if you need to refresh your memory, run java -jar duckencode.jar to see a list of available commands. Be sure to specify the exact location of your microSD card when copying a payload or the .bin file will simply appear in the same folder where you ran the DuckEncoder. If you prefer to use a GUI, consider visiting https://ducktoolkit.com. The Duck Toolkit contains some ready-made payloads for Windows, Mac and Linux. Click Payload Generator to view these. Click the Encode tab to write a script directly in your browser, then click the Generate Script button on the right. The Duck Toolkit will generate an inject.bin file for you which you can download directly to your microSD card, saving you the trouble of using the command line.

We can’t emphasise strongly enough that you must have the permission of the system owner before deploying the Ducky. This is true, even (and especially) if you feel that they’re particularly vulnerable and would benefit from your expertise. An unauthorised hack is unlikely to engender their trust, whereas a friendly offer of a demonstration can do wonders...

The Rubber Ducky comes with casing to disguise itself as a USB stick. The duck label is optional!
It’s fairly straightforward to use the Duck Toolkit to prepare scripts and download them directly as an inject.bin file.
