
Tuesday, September 17, 2013

Rubber Ducky Attack…with Simple-Ducky

This Demo is for testing purposes, not malicious activity

First, you must ask yourself: what is a Rubber Ducky, and what would I use it for? The Rubber Ducky is essentially an HID (Human Interface Device). For example, your keyboard, mouse and trackpad are HIDs. A computer sees these devices differently than it would a USB thumb drive. The mouse and keyboard are in themselves non-threatening, meaning that they are not devices that would pull data from a computer and store that data. They are simply an interface to type commands, write documents or control your operating system.

Well, the Rubber Ducky is the same thing. However, it looks like a thumb drive. The Rubber Ducky types and clicks things on your system (as if by magic), and the whole time your computer thinks it is a keyboard. Below is a demonstration of how the Rubber Ducky works.

First, make sure you have the equipment and software (and Linux distro).

You can order your own Rubber Ducky here: http://hakshop.myshopify.com/products/usb-rubber-ducky


As you can see, the Rubber Ducky is not a USB drive but an HID, a Human Interface Device, much like your keyboard and mouse.



Make sure you visit this page to download the latest Simple-Ducky payload generator.
The site will explain what you need and how to install it. It is fairly simple. No pun intended.



I highly recommend you take the time to read the site and get familiar with the capacity of the payload generator software.

Also note that I used Kali Linux for this demo. I downloaded it here: http://www.kali.org
Kali Linux is a Debian-based Linux distro and is loaded with security tools. It was previously known as BackTrack.

Here is a picture of my Rubber Ducky.  Looks innocent enough:


If you take it apart and look under the hood, you can see that it looks simple. It also has a micro SD card slot. You will also receive a micro SD to USB converter and a 256MB micro SD card when you order your Rubber Ducky.



Let's get started.

Grab your micro SD card and put it in the converter. Insert/connect the converter into your system and make sure your Linux distro sees your removable USB drive. In my case, it was automatically labeled 256MB removable.


Normally, the newer Linux distros have a quick shortcut that allows you to open the terminal (aka command prompt).



At the prompt, type in simple-ducky and hit Enter.



Your menu should load up and look like this. Take some time to read all your options, especially #9:



Type "9" and hit Enter.



It will go through a series of checks and installs to make sure you have everything you need to create your own exploits/payloads.


When it is all done, type "2" (Windows Reverse Shell Payloads) and hit Enter.
Then, you will see another menu. Again, take time to review your options.

Type in Option "3" (Persistence Reverse Shell (Win Vista/7)) and hit Enter.

There you will be prompted with a series of wizard questions that set the payload up for you.
The first questions set the username and then the password:



The next question asks for the IP of the system that your victim PC will connect to. In this case I typed 1.2.3.4 as a sample:

The next question is about which port your victim will connect on. I used 1337 in this sample. So the victim will connect to IP 1.2.3.4 on port 1337.



You will also have to set a URL for the victim to go to, instead of the IP. There are times when your listening server may be different from the machine where you are creating this exploit. In this example, I named the URL www.h4ckm3-sys.com:



This next step simply sets how long to wait before launching the exploit. The value is given in milliseconds. I set this one to 5000 milliseconds (5 seconds).



The last question asks whether you are using Kali. If you are, the software knows where to locate the ncat file and puts it in the make-believe webserver you just created. If you are not using Kali, type n and hit Enter:



Now you should see the software generating the code (inject.bin file) with all the settings you just defined. Hopefully it all goes well.



You should see the files inject.bin and payload.txt in the /usr/share/simple-ducky folder. Make sure you copy the inject.bin file onto your micro SD card now, and you should review the payload.txt file.


The payload.txt is written in human-readable code, so you should be able to see what it is doing. For instance, if you look at the things that are circled in the next screenshot, you can see some of the parameters that we set during the previous wizard:



You will be prompted to start listening on this machine.  In this case I said "yes" and was able to see this. It is just waiting for victim machines to make a call back.



Once you have copied the inject.bin file to your drive/micro SD card, pull the converter out and take the micro SD card out of it.



Put the micro SD card into your Rubber Ducky's micro SD card slot and then insert the Rubber Ducky into your victim's PC.



If you put it back together, it should look like this. It looks like an innocent, harmless USB drive.



If you connected the Rubber Ducky to the test victim's PC, you should see that it was able to connect back to the listening server.

The Rubber Ducky is not a USB thumb drive, but it looks like one. The sample payloads provided are good, but feel free to create your own. You can always pair it up with other tools or software, but always keep in mind what your victim is using. You need to tailor your payloads based on your victim's OS and settings.
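Seen from the host, the only thing separating this device from a real keyboard is how it types, so keystroke cadence is one signal a defender can use. The sketch below is an added example, not part of the original post or of Simple-Ducky; the thresholds, the event-log format and the sample data are assumptions constructed for illustration.

```python
from statistics import median

# Assumed thresholds, to be tuned per environment: sustained inter-key gaps
# this short are unusual for a person but typical of a scripted HID device.
MAX_GAP_MS = 30            # longest gap still counted as part of one burst
MIN_BURST_KEYS = 12        # shortest run worth reporting
ATTACH_WINDOW_MS = 60_000  # burst counts as "soon after" a new keyboard

def find_injection_bursts(events, attach_times_ms=()):
    """events: time-sorted (timestamp_ms, key) tuples from a keyboard event log.
    attach_times_ms: timestamps at which a new HID keyboard enumerated.
    Returns one dict per run of machine-speed keystrokes."""
    bursts, start = [], 0
    for i in range(1, len(events) + 1):
        run_ends = i == len(events) or events[i][0] - events[i - 1][0] > MAX_GAP_MS
        if not run_ends:
            continue
        run = events[start:i]
        start = i
        if len(run) < MIN_BURST_KEYS:
            continue
        gaps = [b[0] - a[0] for a, b in zip(run, run[1:])]
        earlier = [t for t in attach_times_ms if t <= run[0][0]]
        since_attach = run[0][0] - max(earlier) if earlier else None
        bursts.append({
            "start_ms": run[0][0],
            "keys": len(run),
            "median_gap_ms": median(gaps),
            "since_attach_ms": since_attach,
            "after_new_keyboard": since_attach is not None
                                  and since_attach <= ATTACH_WINDOW_MS,
            "text": "".join(k for _, k in run if len(k) == 1),
        })
    return bursts

def build_sample_log():
    """Constructed sample: a person typing, then a device that enumerates at
    t=10000 ms, waits 5000 ms (the delay used in the post) and types fast."""
    human = [(0, "h"), (180, "e"), (340, "l"), (470, "l"), (690, "o")]
    injected_text = "constructed-demo-text"
    device = [(15_000 + 5 * n, ch) for n, ch in enumerate(injected_text)]
    return human + device, [10_000]

if __name__ == "__main__":
    log, attaches = build_sample_log()
    for burst in find_injection_bursts(log, attaches):
        print(burst)
```

A burst that starts a few seconds after a new keyboard enumerates and runs at a near-constant gap of a few milliseconds is worth an alert even when the typed text itself looks harmless.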

Thanks to Travis “Skysploit” Weather for the neat Simple-Ducky tool.

Here is another site with other payloads. You have to create these payloads yourself, but the hard part is already done for you.

Have fun Rubber Ducking.

Ernesto Fuller is the Senior Security Administrator for JHC Technology.  He can be reached at efuller (at) jhctechnology.com or connect with him on LinkedIn.
