First, you must ask yourself: what is a Rubber Ducky, and what would I use it for? The Rubber Ducky is essentially an HID (Human Interface Device). For example, your keyboard, mouse and trackpad are HIDs. Basically, a computer sees these devices differently than it would a USB thumb drive. The mouse and keyboard in themselves are non-threatening, meaning that they are not devices that would pull data from a computer and store that data. The keyboard and mouse are simply an interface to type commands, write documents or control your operating system.
Well, the Rubber Ducky is the same thing. However, it looks like a thumb drive. The Rubber Ducky types and clicks things on your system (as if by magic), and the whole time your computer thinks it is a keyboard. Below is a demonstration of how the Rubber Ducky works.
First, make sure you have the equipment and software (and a Linux distro).
As you can see, the Rubber Ducky is not a USB drive, but an HID computer, if you will. An HID is a Human Interface Device, much like your keyboard and mouse.
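From the defender's side, a device that the host accepts as a keyboard still leaves one observable: how fast it types. The Python below is an added example (not from the original post or the Simple-Ducky project) that flags a newly attached keyboard whose first keystrokes arrive faster than a person can type. The event tuple format, the device names and the 30 ms threshold are assumptions, and collecting the events from the host is outside the example.

```python
from collections import defaultdict
from statistics import median

def sample_events():
    """Constructed sample data: (seconds, device, kind). Not a real capture."""
    events = [(0.0, "kbd-builtin", "attach"), (100.0, "usb-new", "attach")]
    human_gaps = [0.18, 0.11, 0.25, 0.09, 0.31, 0.14]  # uneven, human-like
    t = 3.0
    for i in range(30):
        events.append((round(t, 3), "kbd-builtin", "key"))
        t += human_gaps[i % len(human_gaps)]
    t = 105.0  # first key 5 s after attach, like the 5000 ms wait in the post
    for _ in range(40):
        events.append((round(t, 3), "usb-new", "key"))
        t += 0.008  # 8 ms between keys: scripted speed
    return events

def find_scripted_keyboards(events, window=20, fast_ms=30.0):
    """Flag keyboards whose first `window` keystrokes after attach have a
    median gap below `fast_ms` (assumed threshold, tune per site)."""
    attached, keys = {}, defaultdict(list)
    for ts, dev, kind in sorted(events):
        if kind == "attach":
            attached[dev] = ts
            keys[dev] = []            # a re-plug starts a fresh observation
        elif kind == "key" and dev in attached:
            if len(keys[dev]) < window:
                keys[dev].append(ts)
    findings = {}
    for dev, stamps in keys.items():
        if len(stamps) < window:      # too little typing to judge
            continue
        gaps_ms = [(b - a) * 1000 for a, b in zip(stamps, stamps[1:])]
        med = median(gaps_ms)
        if med < fast_ms:
            findings[dev] = {
                "median_gap_ms": round(med, 1),
                "first_key_after_attach_s": round(stamps[0] - attached[dev], 3),
            }
    return findings

if __name__ == "__main__":
    for dev, info in find_scripted_keyboards(sample_events()).items():
        print(f"ALERT {dev}: {info}")
```

The median is used instead of the mean so that a single long pause inside a scripted burst does not hide it.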
Make sure you visit this page to download the latest Simple-Ducky payload generator. The site will explain what you need and how to install it. It is fairly simple. No pun intended.
I highly recommend you take the time to read the site and get familiar with the capabilities of the payload generator software.
Kali Linux is a Debian-based Linux distro and is loaded with security tools. It was previously known as BackTrack.
Here is a picture of my Rubber Ducky. Looks innocent enough:
If you take it apart and look under the hood, you can see that it looks simple. It also has a micro SD card slot. You will also receive a micro SD to USB converter and a 256MB micro SD card when you order your Rubber Ducky.
Let's get started.
Grab your micro SD card and put it in the converter. Insert/connect the converter into your system and make sure your Linux distro sees your removable USB drive. In my case, it was automatically labeled 256MB removable.
Normally, the newer Linux distros have a quick shortcut that allows you to open the terminal (aka command prompt).
At the prompt, type in simple-ducky and hit Enter.
Your menu should load up and look like this. Take some time to read all your options, especially #9:
Type "9" and hit Enter.
It will go through a series of checks and installs to make sure you have everything you need to create your own exploits/payloads.
When it is all done, type "2" (Windows Reverse Shell Payloads) and hit Enter.
Type in Option "3" (Persistence Reverse Shell (Win Vista/7)) and hit Enter.
There you will be prompted with a series of wizard questions to set the payload up for you.
The first question was to set username and then password:
The next question asks for the IP of the system that your victim PC will connect to. In this case I typed 1.2.3.4 as a sample:
This next question is in regard to what port your victim will connect on. I used 1337 in this sample. So the victim will connect to IP 1.2.3.4 on port 1337.
You will also have to set a URL for the victim to go to, instead of the IP. There are times where your listening server may be different than where you are creating this exploit. In this example, I named the URL www.h4ckm3-sys.com:
This next step is simply to set the time to wait to launch the exploit. It is supposed to be set in milliseconds. I set this one to 5000 milliseconds (5 seconds).
The last question asks whether you are using Kali. If you are, the software knows where to locate the ncat file and put it in the make-believe web server you just created. If you are not using Kali, type n and hit Enter:
Now you should see the software generating the code (inject.bin file) with all the settings you just defined. Hopefully it all goes well.
You should see the files inject.bin and payload.txt in the /usr/share/simple-ducky folder. Make sure you copy the inject.bin file onto your micro SD card now, and you should review the payload.txt file.
The payload.txt is written in human-readable code, so you should be able to see what it is doing. For instance, if you look at the things that are circled in the next screenshot, you can see some of the parameters that we set during the previous wizard:
You will be prompted to start listening on this machine. In this case I said "yes" and was able to see this. It is just waiting for victim machines to make a call back.
Once you have copied the inject.bin file to your drive/micro SD card, pull the converter out and take the micro SD card out of the converter.
Put the micro SD card into your Rubber Ducky micro SD card slot and then insert it into your victim’s PC.
If you put it back together, it should look like this. It looks like an innocent, harmless USB drive.
If you connected the Rubber Ducky to the test victim's PC, you should see that it was able to connect back to the listening server.
The Rubber Ducky is not a USB thumb drive, but it looks like one. The sample payloads provided are good, but feel free to create your own. You can always pair it up with other tools or software, but always keep in mind what your victim is using. You need to tailor your payloads based on your victim's OS and settings.
Thanks to Travis “Skysploit” Weather for the neat Simple-Ducky tool.
Here is another site with other payloads. You have to create these payloads yourself, but the hard part is already done for you.
Have fun Rubber Ducking.
Ernesto Fuller is the Senior Security Administrator for JHC Technology. He can be reached at efuller (at) jhctechnology.com or connect with him on LinkedIn.