Introduction
The USB Rubber Ducky is a product by Hak5. It is an HID (Human Interface Device), a.k.a. a keyboard, disguised as a USB thumb drive. Inside the device is a micro SD memory card containing a programmable executable for predefined keystroke commands. It works against different operating systems.
Product Details
This product can be purchased on the Hak5 website for around 45 dollars (US). There are several components inside the package.
Figure A: Packaging containing the product
Figure B: (From Left to Right) USB housing, HID, Cradle, OTG connector
Figure C: The USB housing is used to disguise the HID to look like a regular USB thumb drive.
Practical Usage
The Rubber Ducky is designed to run a series of preset keystroke commands, as if typed on a keyboard, when plugged into a PC's USB port. For example, it can be programmed to invoke a shutdown sequence, deactivate antivirus software or Windows Defender, or brute force PIN codes on Android mobile devices. It can also be used to exfiltrate user credentials via SMB, steal documents, download scripts, wipe drives, or do anything else you can conjure from an attached keyboard. All of this is done using a simple scripting language affectionately called Ducky Script. In practice, pentesters can use it as part of a social engineering scheme to trick unsuspecting users in an organization. For example, simply drop a few Rubber Duckies on the office floor and wait for someone to pick one up and insert it into his PC. The Rubber Ducky was also featured in the award-winning TV series Mr. Robot, where the hacker dropped several devices outside a police station and the next scene showed a police officer plugging one into the station's PC. You can guess what happened next...
Programming the HID
Before finding practical uses for it, you will first need to write its payload. First, place the micro SD memory card into the cradle as pictured below.
Figure D: Snapshot of Ducky code. This payload is designed to connect to a netcat listener on a VPS; it is simply a reverse shell invoked when this USB drive is plugged into the victim's PC.
Luckily, Hak5 has loads of prewritten Ducky code; you may download it or write your own custom code. There is plenty of material on the web for those interested in developing custom payloads.
Next, the Ducky code needs to be compiled with the duckencoder into an 'inject.bin' file that is placed on the memory card.
Hak5 Duck Encoder 2.6.3
Loading File ..... [ OK ]
Loading Keyboard File ..... [ OK ]
Loading Language File ..... [ OK ]
Loading DuckyScript ..... [ OK ]
DuckyScript Complete ..... [ OK ]
Figure E: Compilation of the reverse shell Ducky code into binary format.
After compilation, the memory card can be transferred back to the HID device and disguised as a USB thumb drive. See figure below:
Figure F: Illustrates the memory card placed inside the HID device before the housing is completely assembled.
Once that is done, insert the disguised 'USB thumb drive' into the victim's PC and watch it in action:
Figure G: This video demonstrates automatic keystroke injection on a Virtual Guest Host when a USB Rubber Ducky is plugged-in. The window on the right displays a netcat listener on a VPS, waiting to receive its payload which happens to be a Windows cmd.exe reverse shell.
The USB Rubber Ducky also works on Android mobile devices: the supplied OTG connector allows it to be plugged into the micro USB port commonly available on Android phones. The Ducky code will need to be adjusted to suit Android keystrokes. It is commonly used to brute force PIN codes to unlock phones.
Caveats
For starters, most canned payloads can be easily detected by commercial AVs. You might want to write your own payload if you are serious about bypassing Windows Defender or commercial AV products. Secondly, the Ducky executes keystrokes only when a user is logged on to the PC. Just as with any connected keyboard, you first need to be authenticated and able to type commands into the OS. Furthermore, the Ducky runs with the same privileges as the logged-on user. Thirdly, on Windows, some keystroke commands, like the 'run as' command, might require a UAC bypass.
Conclusion
In a nutshell, the USB Rubber Ducky is a smart, programmable, automated keystroke injector that allows pentesters to exfiltrate data or test an endpoint security policy. Conversely, it can be used for malicious purposes. It exploits a fundamental flaw in the USB design: upon connection to a PC, a USB device is allowed to declare itself as anything (mobile phone, mouse, pen drive, etc.) and no sanity check is performed. After all, this device is seen as a harmless keyboard. The moral of the story: never insert an unknown USB device into your PC! You never know what you might unravel ;-)
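Because the host accepts the device as an ordinary keyboard, typing cadence is one of the few signals a defender has left. The following is an added example, not part of the original post or any Hak5 tooling: it flags runs of key-down events that arrive faster than a person types and reports how soon after the keyboard enumerated they began. The event format, the device names, the thresholds and the sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median


# Thresholds are assumptions for illustration; tune them on real typing data.
def find_injection_bursts(events, attach_ms, max_gap_ms=20, min_run=12):
    """events: iterable of (timestamp_ms, device_id) key-down records.
    attach_ms: {device_id: timestamp_ms when that keyboard enumerated}.
    Returns one dict per run of at least min_run machine-speed keystrokes."""
    per_device = defaultdict(list)
    for ts, dev in events:
        per_device[dev].append(ts)
    findings = []
    for dev, stamps in per_device.items():
        stamps.sort()
        run = [stamps[0]]
        for ts in stamps[1:] + [float("inf")]:  # sentinel closes the last run
            if ts - run[-1] <= max_gap_ms:
                run.append(ts)
                continue
            if len(run) >= min_run:
                gaps = [b - a for a, b in zip(run, run[1:])]
                findings.append({
                    "device": dev,
                    "start_ms": run[0],
                    "keys": len(run),
                    "median_gap_ms": median(gaps),
                    "ms_after_attach": run[0] - attach_ms[dev] if dev in attach_ms else None,
                })
            run = [ts]
    return findings


def constructed_sample():
    """Constructed data: kbd0 is a person typing (one fast key roll included);
    kbd1 enumerates at 10 s and sends 40 key-downs 5 ms apart a second later."""
    human_gaps = [180, 95, 240, 130, 15, 210, 160, 110, 300, 90, 140, 175]
    events, t = [], 2000
    for g in human_gaps * 3:
        t += g
        events.append((t, "kbd0"))
    events += [(11000 + 5 * i, "kbd1") for i in range(40)]
    return events, {"kbd1": 10000}


if __name__ == "__main__":
    evts, attached = constructed_sample()
    for finding in find_injection_bursts(evts, attached):
        print(finding)
```

A single short gap, such as the 15 ms key roll in the human sample, does not trigger a finding; only a sustained run does.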





