USB Rubber Ducky :
The USB Rubber Ducky is a keystroke injection tool disguised as a generic flash drive. Computers recognize it as a regular keyboard and automatically accept its pre-programmed keystroke payloads at over 1000 words per minute.
ABOUT :
It was developed by the Hak5 community after the success of the USB Switchblade, an attack platform that was super effective against local Windows targets. The USB Rubber Ducky works cross-platform (Windows, Mac, Linux) and achieves deadly results by posing as a ubiquitous keyboard.
The USB Rubber Ducky isn't an ordinary HID (Human Interface Device). With its powerful 60 MHz 32-bit processor and a simple scripting language, anyone is able to craft payloads capable of changing system settings, opening backdoors, retrieving data, initiating reverse shells, or basically anything that can be achieved with physical access, all automated and executed in a matter of seconds.
The first ever USB Rubber Ducky was invented by Hak5 founder Darren Kitchen while working in systems administration. He was tired of typing the same commands to fix printers and network shares again and again, so the device evolved out of laziness. Kitchen programmed a development board to emulate the typing for him, and thus the keystroke injection attack was born. Since 2010 the USB Rubber Ducky has been a favourite among hackers, pentesters and IT pros. With its debut, keystroke injection attacks were invented, and since then it has captured the imagination with its simple scripting language, formidable hardware, and covert design.
Key features :
- Cross-Platform: Attacks any OS that supports
USB Keyboards
- Simple Scripting language: Start writing
payloads in minutes
- Open Source Firmware: Add functionality using
included libraries
- Expandable Storage: Micro SD cards make it
possible to carry multiple payloads
- Community Support: Share sample scripts,
complete payloads and get help online
Working of a USB Rubber Ducky :
When a USB device is connected to a system, the system queries the device to determine its use and device type. The device type allows the system to load the appropriate driver so the USB device can be used on the system. For example, a WiFi adapter can be inserted into a system. The system queries the device and finds it is a specific model of a RealTek Wi-Fi adapter. The system will then load the appropriate driver for the device and start it, if possible. Once started, the system will attempt to use the Wi-Fi adapter to connect to a network. If needed, a configuration window may appear to help configure the device properly.
Most USB devices are automatically detected and used by the system, such as keyboards. A keyboard is seen by a system as sending input to the system which the system will accept. The USB Rubber Ducky will be seen as a keyboard device. Because of the device type most systems will start accepting data from the keyboard.
Scripts can be created and placed on the USB Rubber Ducky memory to allow them to be pushed into the system. These scripts can be used to gain a lot of information from the system in which the USB Rubber Ducky is inserted.
Because of the widespread use and acceptance of USB devices the Rubber Ducky works on all devices which support USB Keyboard interface.
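Because the system trusts anything that enumerates as a keyboard, typing cadence is one practical way to spot injected input. The Python sketch below is an added example, not code from the original article: it flags runs of keystrokes that are both faster and more regular than a person types. The thresholds and the timestamp source (key-down times from an endpoint input log) are assumptions, and the sample data is constructed.

```python
from statistics import mean, pstdev

# Assumed thresholds for illustration; tune them against real typing data.
WINDOW = 10          # consecutive inter-key gaps examined together
MAX_MEAN_GAP = 0.07  # seconds; 16 keys/s (the rate quoted in this article) is 0.0625 s
MAX_JITTER = 0.01    # seconds; human gaps vary far more than this


def injected_bursts(times, window=WINDOW, max_gap=MAX_MEAN_GAP, max_jitter=MAX_JITTER):
    """times: sorted key-down timestamps (seconds) from one keyboard device.

    Returns [(first_key, last_key, keys_per_sec)] for machine-like runs.
    """
    gaps = [b - a for a, b in zip(times, times[1:])]
    hits, i = [], 0
    while i + window <= len(gaps):
        w = gaps[i:i + window]
        if mean(w) <= max_gap and pstdev(w) <= max_jitter:
            j = i + window
            while j < len(gaps) and gaps[j] <= max_gap:  # extend the run
                j += 1
            hits.append((i, j, (j - i) / (times[j] - times[i])))
            i = j
        else:
            i += 1
    return hits


# Constructed sample data: a person typing, then a device typing at 16 keys/s.
HUMAN = [0.0, 0.25, 0.375, 0.625, 1.125, 1.25, 1.5, 1.625,
         1.875, 2.375, 2.5, 2.75, 2.875]
DEVICE = [10.0 + k * 0.0625 for k in range(20)]

if __name__ == "__main__":
    print(injected_bursts(HUMAN + DEVICE))
```

Auto-repeat from a held key is also fast and regular, so feed the function key-down events with repeats filtered out.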
Ducky Script :
Ducky Script is the language of the USB Rubber Ducky. Writing scripts for it can be done from any common ASCII text editor such as Notepad, VI, emacs, Nano, gedit, kedit, TextEdit, etc. The Ducky Script language is very straightforward. It is based on keystrokes, so that the device acts as a keyboard.
Syntax :
Ducky Script syntax is simple. Each command resides on a new line and may be followed by options. Commands are written in ALL CAPS, because ducks are loud and like to quack with pride. Most commands invoke keystrokes, key-combos or strings of text, while some offer delays or pauses.
The commands are as follows:
- DEFAULT_DELAY ### - sets a default delay in
milliseconds to occur between each command within the whole script. Delays
are necessary to allow windows to open, characters to be sent to the
system, etc.
- DELAY ### - sets a delay in
milliseconds to occur at the point where the command is given. The Rubber
Ducky can send around 16 keystrokes a second to the system.
- GUI x - the command is the same as pressing
the Windows key. An additional key is also pressed to perform a certain
task in Windows or another Operating System (OS). For example, the Windows
key and 'r' opens a run command window. You can also use the command
WINDOW.
- STRING xxxx - sends the string of characters
to the system.
- MENU or APP - performs the same action as a
right-click.
- REPLAY x - causes the last command to be
repeated x number of times.
- Key presses to the system (these are the same
as pressing the designated key):
  - BREAK
  - PAUSE
  - CTRL
  - ALT
  - CAPSLOCK
  - DELETE
  - END
  - ESC (ESCAPE)
  - HOME
  - INSERT
  - NUMLOCK
  - PAGEUP
  - PAGEDOWN
  - PRINTSCREEN
  - SCROLLLOCK
  - SPACE
  - TAB
  - F1..F12
  - UP (UPARROW)
  - DOWN (DOWNARROW)
  - LEFT (LEFTARROW)
  - RIGHT (RIGHTARROW)
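As an added example (not from the original article or from Hak5), this Python helper parses a script written with the commands listed above and reports what it would type and roughly how long it would run, which is useful when reviewing a Ducky Script text file found during an investigation. It assumes DEFAULT_DELAY is added after every command and uses the 16 keystrokes per second quoted above; the sample script is constructed and harmless.

```python
KNOWN = set("""GUI WINDOW STRING MENU APP BREAK PAUSE CTRL ALT CAPSLOCK DELETE
END ESC ESCAPE HOME INSERT NUMLOCK PAGEUP PAGEDOWN PRINTSCREEN SCROLLLOCK SPACE
TAB UP UPARROW DOWN DOWNARROW LEFT LEFTARROW RIGHT RIGHTARROW""".split())
KNOWN |= {f"F{n}" for n in range(1, 13)}
MS_PER_KEY = 1000 / 16  # "around 16 keystrokes a second", as quoted in the list

# Constructed, harmless sample: opens the Run dialog and types one word.
SAMPLE = """DEFAULT_DELAY 100
GUI r
DELAY 500
STRING notepad
TAB
REPLAY 3
"""

def parse(script):
    """Return [(command, argument)] with REPLAY expanded; reject bad lines."""
    ops = []
    rows = [(n, r.strip()) for n, r in enumerate(script.splitlines(), 1) if r.strip()]
    for no, row in rows:
        cmd, _, arg = row.partition(" ")
        if cmd in ("DEFAULT_DELAY", "DELAY", "REPLAY"):
            if not arg.isdigit():
                raise ValueError(f"line {no}: {cmd} needs a whole number")
            if cmd == "REPLAY":
                if not ops:
                    raise ValueError(f"line {no}: nothing to repeat")
                ops.extend([ops[-1]] * int(arg))
                continue
        elif cmd not in KNOWN:
            raise ValueError(f"line {no}: unknown command {cmd!r}")
        ops.append((cmd, arg))
    return ops

def summarize(script):
    """Report typed text, key presses and estimated run time in milliseconds."""
    default, total, typed, combos = 0, 0.0, [], []
    for cmd, arg in parse(script):
        if cmd == "DEFAULT_DELAY":
            default = int(arg)  # assumed: pause added after every later command
        elif cmd == "DELAY":
            total += int(arg) + default
        elif cmd == "STRING":
            typed.append(arg)
            total += len(arg) * MS_PER_KEY + default
        else:
            combos.append(f"{cmd} {arg}".strip())
            total += MS_PER_KEY + default
    return {"typed": typed, "combos": combos, "ms": total}
```

For the sample, the report shows one typed string, five key presses (TAB repeated by REPLAY) and a run time just under two seconds.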
The USB Rubber Ducky sends data to the system as hex, just as a keyboard does. To convert the text file to hex you use 'duckencoder'.
Compiling a Ducky script :
Ducky Scripts are compiled into hex files ready to be named inject.bin and moved to the root of a micro SD card for execution by the USB Rubber Ducky. This is done with the tool duckencoder.
Duckencoder is a cross-platform command-line Java program which converts the Ducky Script syntax into hex files. As of duckencoder 1.X usage is:
    Usage: duckencode -i [file ..]                 Encode specified file
       Or: duckencode -i [file ..] -o [file ..]    encode to specified file
For example on a Linux system:
    java -jar duckencoder.jar -i exploit.txt -o /media/microsdcard/inject.bin
Payloads :
In the context of a cyber-attack, a payload is the component of the attack which causes harm to the victim. Malicious payloads can sit dormant on a computer or network for seconds or even months until triggered. Such payloads are one part of a cyber-attack.
Some payloads which are developed by Hak5 are:
- Payload - Non-Malicious Auto Defacer
- Payload - Lock Your Computer Message
- Payload - Ducky Downloader
- Payload - Ducky Phisher
- Payload - FTP Download / Upload
- Payload - Restart Prank
- Payload - Silly Mouse, Windows is for Kids
- Payload - Windows Screen rotation hack
- Payload - Powershell Wget + Execute
- Payload - mimikatz payload
- Payload - MobileTabs
- Payload - Create Wireless Network Association
(AUTO CONNECT) PINEAPPLE
- Payload - Retrieve SAM and SYSTEM from a live
file system
- Payload - Ugly Rolled Prank
- Payload - XMAS
- Payload - Pineapple Assocation (VERY FAST)
- Payload - WiFun v1.1
- Payload - MissDirection
- Payload - Remotely Possible
- Payload - Batch Wiper/Drive Eraser
- Payload - Generic Batch
- Payload - Paint Hack
- Payload - Local DNS Poisoning
- Payload - Deny Net Access
- Payload - RunEXE from SD
- Payload - Run Java from SD
- Payload - OSX Inject an EggShell RAT payload
- Payload - OSX Sudo Passwords Grabber
- Payload - OSX Root Backdoor
- Payload - OSX User Backdoor
- Payload - OSX Local DNS Poisoning
- Payload - OSX Youtube Blaster
- Payload - OSX Photo Booth Prank
- Payload - OSX Internet Protocol Slurp
- Payload - OSX Ascii Prank
- Payload - OSX iMessage Capture
- Payload - OSX Grab Minecraft Account Password
and upload to FTP
- Payload - OS X Wget and Execute
- Payload - OSX Passwordless SSH access (ssh keys)
- Payload - OSX Bella RAT Installation
- Payload - OSX Sudo for all users without
password
- Payload - MrGray's Rubber Hacks
- Payload - Copy File to Desktop
- Payload - Youtube Roll
- Payload - Disable AVG 2012
- Payload - Disable AVG 2013
- Payload - EICAR AV test
- Payload - Download mimikatz, grab passwords and
email them via gmail
- Payload - Hotdog Wallpaper
- Payload - Android 5.x Lockscreen
- Payload - Chrome Password Stealer
- Payload - Website Lock
- Payload - Windows 10 : Download & Change
Wallpaper
- Payload - Windows 10 : Download & Change
Wallpaper another version
- Payload - Windows 10 : Download and execute file
with Powershell
- Payload - Windows 10 : Disable windows defender
- Payload - Windows 10 : Disable Windows Defender
through powershell
- Payload - Windows 10 : Wifi, Chrome Dump &
email results
- Payload - Windows 7 : Logoff Prank
- Payload - Netcat Reverse Shell
- Payload - Fake Update screen
- Payload - Rickroll
- Payload - Fast Meterpreter
- Payload - Data-Exfiltration / Backdoor
Hardware Overview :
- Atmel 32bit AVR Microcontroller AT32UC3B1256
- MicroSD card reader
- Micro push-button
- Multi-color LED indicator
- JTAG Interface (can be used for I/O)
- Standard “Type A” USB connector
Atmel AT32UC3B1256 Features :
- High Performance, Low Power AVR 32 UC 32-Bit
Microcontroller
- Compact Single-cycle RISC Instruction Set
Including DSP Instruction Set
- Read-Modify-Write Instructions and Atomic Bit
Manipulation
- Performing up to 1.39 DMIPS / MHz
- Up to 83 DMIPS Running at 60 MHz from Flash
- Up to 46 DMIPS Running at 30 MHz from Flash
- Memory Protection Unit
- Multi-hierarchy Bus System
- High-Performance Data Transfers on Separate
Buses for Increased Performance
- 7 Peripheral DMA Channels Improves Speed for
Peripheral Communication
- Internal High-Speed Flash
- 512K Bytes, 256K Bytes, 128K Bytes, 64K Bytes
Versions
- Single Cycle Access up to 30 MHz
- Prefetch Buffer Optimizing Instruction
Execution at Maximum Speed
- 4ms Page Programming Time and 8ms Full-Chip
Erase Time
- 100,000 Write Cycles, 15-year Data Retention
Capability
- Flash Security Locks and User Defined
Configuration Area
- Internal High-Speed SRAM, Single-Cycle Access
at Full Speed
- 96K Bytes (512KB Flash), 32K Bytes (256KB and
128KB Flash), 16K Bytes (64KB Flash)
- Interrupt Controller
- Autovectored Low Latency Interrupt Service
with Programmable Priority
- System Functions
- Power and Clock Manager Including Internal RC
Clock and One 32KHz Oscillator
- Two Multipurpose Oscillators and Two
Phase-Lock-Loop (PLL) allowing Independent CPU Frequency from USB
Frequency
- Watchdog Timer, Real-Time Clock Timer
- Universal Serial Bus (USB)
- Device 2.0 and Embedded Host Low Speed and Full
Speed
- Flexible End-Point Configuration and
Management with Dedicated DMA Channels
- On-chip Transceivers Including Pull-Ups
- USB Wake Up from Sleep Functionality
- One Three-Channel 16-bit Timer/Counter (TC)
- Three External Clock Inputs, PWM, Capture and Various
Counting Capabilities
- One 7-Channel 20-bit Pulse Width Modulation
Controller (PWM)
- Three Universal Synchronous/Asynchronous
Receiver/Transmitters (USART)
- Independent Baudrate Generator, Support for
SPI, IrDA and ISO7816 interfaces
- Support for Hardware Handshaking, RS485
Interfaces and Modem Line
- One Master/Slave Serial Peripheral Interfaces
(SPI) with Chip Select Signals
- One Synchronous Serial Protocol Controller
- Supports I2S and Generic Frame-Based Protocols
- One Master/Slave Two-Wire Interface (TWI),
400kbit/s I2C-compatible
- One 8-channel 10-bit Analog-To-Digital
Converter, 384ks/s
- 16-bit Stereo Audio Bitstream DAC
- Sample Rate Up to 50 KHz
- QTouch Library Support
- Capacitive Touch Buttons, Sliders, and Wheels
- QTouch and QMatrix Acquisition
USB Rubber Ducky purchase :
The cost
of USB Rubber Ducky was around $50 USD.
References:
The information in this article is taken from the hak5darren profile on github.com. You can visit the original article on GitHub from this link.

