July 29, 2015

Today marks the inaugural "Dark Tips" post on this blog. In these posts I will be covering aspects of technology that are more focused around security auditing, and are therefore associated with the "darker" sides of technology (e.g. hackers). My hope is to be able to share things that I have come across that I find helpful when performing security audits, or things that I just find fascinating. For this first post, I will be going over Hak5's wonderful USB Rubber Ducky. While the USB Rubber Ducky has been around in the security industry for quite some time, I have just now gotten my hands on one.

Introducing the USB Rubber Ducky
The USB Rubber Ducky is a portable USB device that houses a custom-built board with a 60 MHz 32-bit processor and an SD card slot for expandable memory. While on the surface it has the appearance of a typical USB thumb drive, your PC sees it as a keyboard. That's right, the Rubber Ducky is able to emulate a standard Human Interface Device, and is therefore trusted and able to function on most operating systems. The Rubber Ducky also offers the ability to fully script its "keystrokes" via its simplistic scripting language. This allows for payloads to be created that can run at over 1,000 words per minute!
On the left, the USB Rubber Ducky in its USB case. On the right, the provided SD card reader.

The USB Rubber Ducky can be used as part of a penetration test to gather data off of a PC, create a reverse shell, etc. Essentially, whatever you could perform while sitting at an unattended PC, the Ducky can do faster!
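The typing speed quoted above is also what a defender can look for: no person sustains that rate by hand. The following is an added example, not code from the original post or from Hak5, that scans a time-ordered list of keystroke timestamps for machine-speed bursts. The threshold values and the sample capture are constructed assumptions.

```python
# Added example (not from the original post). Thresholds are assumptions.
HUMAN_FLOOR_MS = 30   # assumed: sustained gaps this short are not hand typing
MIN_RUN = 8           # assumed: keys in a row before a burst is reported

def find_injection_bursts(events, floor_ms=HUMAN_FLOOR_MS, min_run=MIN_RUN):
    """events: time-ordered (timestamp_ms, key) pairs.
    Returns (start_ms, end_ms, text) for each run of fast keystrokes."""
    bursts, run = [], []
    for ev in events:
        # A gap longer than the floor ends the current run.
        if run and ev[0] - run[-1][0] > floor_ms:
            _flush(run, bursts, min_run)
            run = []
        run.append(ev)
    _flush(run, bursts, min_run)
    return bursts

def _flush(run, bursts, min_run):
    # Short runs are ignored: a person can hit two or three keys very quickly.
    if len(run) >= min_run:
        bursts.append((run[0][0], run[-1][0], "".join(k for _, k in run)))

def burst_wpm(burst, chars_per_word=5):
    """Typing rate of a burst, using the usual 5-characters-per-word convention."""
    start, end, text = burst
    return (len(text) - 1) * 60000 / (chars_per_word * max(end - start, 1))

def sample_events():
    """Constructed capture: hand-typed 'dir', a 12 ms/key burst, hand-typed 'ok'."""
    events, t = [], 0
    for key, gap in zip("dir", (0, 180, 150)):
        t += gap
        events.append((t, key))
    t += 900
    for key in "notepad.exe":
        events.append((t, key))
        t += 12
    t += 1200
    for key, gap in zip("ok", (0, 210)):
        t += gap
        events.append((t, key))
    return events

if __name__ == "__main__":
    for burst in find_injection_bursts(sample_events()):
        print(burst, f"{burst_wpm(burst):.0f} wpm")
```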

Writing Your First Ducky Script
To get started with writing your first Ducky script, you will first need to ensure that you have Oracle's Java Runtime Environment installed on your PC. If you do not, then you can quickly download and install it from Oracle's website. Once you have verified that it is installed, you will need to download the Duck Encoder. This can be obtained from GitHub.

Creating a Ducky script is simple, and can be performed within Notepad. Go ahead and paste the following code into a Notepad file.
     DELAY 750
     GUI R
     DELAY 50
     STRING notepad.exe
     ENTER
     DELAY 150
     STRING Hello, World!

Before we encode this script to run on the Ducky, let's go over what exactly is happening in each step:
DELAY 750
   Causes a 750ms pause to occur before the next line of code is executed
GUI R
   Mimics the keyboard shortcut of Windows+R which launches the Run command
DELAY 50
   Another pause, this time 50ms
STRING notepad.exe
   Types "notepad.exe" into the Run command that was spawned
ENTER
   The equivalent of hitting "Enter" on the keyboard in order to begin running Notepad
DELAY 150
   Another pause
STRING Hello, World!
   Types "Hello, World!" into the spawned Notepad file for demonstration
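To review a script before it ever goes near the encoder, the walkthrough above can be automated. This is an added example, not part of the original post or the Duck Encoder: a small reader that understands only the four commands shown here (DELAY, GUI, STRING, ENTER), reports when each action fires, and flags anything else.

```python
# Added example (not from the original post): reads a Ducky script and lists
# what it will do and when. Only the four commands used in this post are known.
SAMPLE = """\
DELAY 750
GUI R
DELAY 50
STRING notepad.exe
ENTER
DELAY 150
STRING Hello, World!
"""

def review(script):
    """Return (timeline, warnings).
    timeline items are (ms_offset, line_no, action); the offset counts DELAYs
    only and ignores the time the typing itself takes."""
    clock, timeline, warnings = 0, [], []
    for no, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        cmd, _, arg = line.partition(" ")
        if cmd == "DELAY":
            if arg.isdigit():
                clock += int(arg)
            else:
                warnings.append((no, "DELAY needs a whole number of milliseconds"))
        elif cmd == "STRING":
            timeline.append((clock, no, "type " + repr(arg)))
        elif cmd == "GUI":
            timeline.append((clock, no, "press Windows+" + arg.upper()))
            if arg.upper() == "R":
                warnings.append((no, "opens Run; text typed next is launched on ENTER"))
        elif cmd == "ENTER":
            timeline.append((clock, no, "press Enter"))
        else:
            warnings.append((no, "unrecognised command " + repr(cmd)))
    return timeline, warnings

if __name__ == "__main__":
    timeline, warnings = review(SAMPLE)
    for ms, no, action in timeline:
        print(f"{ms:>5} ms  line {no}: {action}")
    for no, msg in warnings:
        print(f"line {no}: {msg}")
```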

Now that you have a fairly basic understanding of how the syntax for Ducky script works, let's go ahead and encode this program to be able to run on the USB Rubber Ducky. This is where you will be utilizing both the JRE and the Duck Encoder you downloaded previously.

1.) Start a Command Shell and navigate to the directory where your Ducky script is. Make sure you have placed the Duck Encoder into this directory as well.
2.) Run the following command:
java.exe -jar duckencode.jar -i [SOURCE.TXT]

In this example, the path to "java.exe" had to be included within the encode command.

3.) The file inject.bin should now have been created within this directory. This file will need to be copied over to the Rubber Ducky's SD card via the provided card reader (or a similar device).

Now that you have copied this demo script over to your Rubber Ducky's SD card, you can place it back into the Ducky itself. In order to test it out, you only have to plug it into a PC which will cause the correct HID drivers to be installed. In some cases, you may have to remove the Ducky and plug it back in after the drivers have been installed so that the payload will execute. If everything has worked correctly, you should see the Ducky go to work by opening up Notepad and typing "Hello, World!" into it.

Upgrading to the Twin Duck Firmware
While the Rubber Ducky is an amazing device, it can become a bit of a chore to go back and forth with removing the SD card from the Ducky, placing it into the card reader, and vice versa whenever you are testing out your scripts. Thankfully, there are some firmware upgrades available that will allow the device to work as both a HID and standard storage device at the same time.

If you choose to upgrade your USB Rubber Ducky's firmware, you will need to follow the steps outlined below.

1.) Download the Duck Programming zip file from GitHub.
2.) Extract the contents of this zip file into the directory you will be using.
3.) Ensure that you have Microsoft's Visual C++ Redistributable Package installed. If not, you can download it from Microsoft's website.
4.) Download and install FLIP.
5.) Copy the two files AtJniIsp.dll & AtLibUsbDfu.dll from the FLIP Program Files directory into the directory containing the Duck Programming files.
6.) Download the Hex file of the firmware you wish to install from GitHub and place it into the same directory as the Duck Programming files. For this example, c_duck_v2.1 was utilized.
7.) Place the USB Rubber Ducky into DFU mode by holding down the button on the Rubber Ducky while inserting it into your PC.
8.) Manually select the Atmel drivers for the Rubber Ducky, which are within the directory atmel-flip-3.4.2-signed-driver that was extracted during Step 1.
9.) From a Command Shell within the directory containing the Duck Programming files, you should now be able to flash the new firmware onto the Ducky via the following command:

program.bat c_duck_v2.1.hex

If everything went smoothly, you should see output similar to the following, which shows that the firmware was upgraded successfully.
Twin Duck firmware has been successfully loaded!

Now you will not only be able to create and load Ducky scripts onto the device more easily when testing them, but you can also reference the SD storage space as part of the scripts themselves. Consider the possibilities: you can create scripts that save their output to the SD card or even run additional executables off of the SD card itself.

4 comments:

  1. Thanks for the help. Just got mine today.

  2. Just remember to save the hex file properly (simply right clicking on 'save link' will not work). You will need to copy and paste the hex text into a text editor and save it as the hex file needed for flashing...

  3. I am having trouble doing this. I am at the part where it says to manually select the drivers. I'm on Win 10, btw.

  4. I am having trouble at the manually selecting drivers part. I'm on Windows 10, if that makes a difference.
