USB “Rubber Ducky” Attack Tool

The USB Rubber Ducky is getting better and better.

Already, previous versions of the Rubber Ducky could carry out attacks like creating a fake Windows pop-up box to harvest a user’s login credentials or causing Chrome to send all saved passwords to an attacker’s webserver. But these attacks had to be carefully crafted for specific operating systems and software versions and lacked the flexibility to work across platforms.

The newest Rubber Ducky aims to overcome these limitations. It ships with a major upgrade to the DuckyScript programming language, which is used to create the commands that the Rubber Ducky will enter into a target machine. While previous versions were mostly limited to writing keystroke sequences, DuckyScript 3.0 is a feature-rich language, letting users write functions, store variables, and use logic flow controls (i.e., if this… then that).

That means, for example, the new Ducky can run a test to see if it’s plugged into a Windows or Mac machine and conditionally execute code appropriate to each one or disable itself if it has been connected to the wrong target. It also can generate pseudorandom numbers and use them to add variable delay between keystrokes for a more human effect.

Perhaps most impressively, it can steal data from a target machine by encoding it in binary format and transmitting it through the signals meant to tell a keyboard when the CapsLock or NumLock LEDs should light up. With this method, an attacker could plug it in for a few seconds, tell someone, “Sorry, I guess that USB drive is broken,” and take it back with all their passwords saved.

Posted on August 18, 2022 at 6:45 AM

Comments

Dinah August 18, 2022 8:17 AM

How do you get the info back off of the drive? I can’t imagine later plugging that drive into my own computer to retrieve the data. There’s no way in hell I’d trust it to not do the same to me then transmit it to someone else. This isn’t made by the most scrupulous people. It takes someone pretty naive to believe in honor among thieves.

Incontinentia August 18, 2022 9:08 AM

@Dinah

Don’t crap where you eat comes to mind. Perhaps a craigslist laptop specifically purchased for the occasion, with slightly modified hardware would do the trick?

Ven August 18, 2022 10:29 AM

@Dinah

From a technical side the Rubber Ducky has an armed mode and a configuration mode. It doesn’t come with any active payloads installed just the language built to run a payload. You would need to use (and trust) the configuration mode to load a payload first, then arm and run the attack, then change back to the configuration mode to access the data.

From a more social perspective, I’m not sure what makes you think the makers are unscrupulous. They are fairly public having been in the security community and creating security videos and tools for years. The source for the device firmware is on GitHub.

I won’t claim that I can give an impartial view of their trustworthiness, as I’ve been a fan of theirs for years, but I will say that I would trust them more than say your average Anti-Virus vendor. Trusting any security or pen test tool maker is a very iffy thing, but I will trust those working in the public eye more than those that do everything behind closed doors.

Resuna August 18, 2022 10:36 AM

They probably won’t have an exploit for a Raspberry Pi running Haiku or MorphOS, or a RiscV Linux box.

tim August 18, 2022 11:07 AM

“They probably won’t have an exploit for a Raspberry Pi running Haiku or MorphOS, or a RiscV Linux box.”

True. But most people want to be able to do something with their computers and would most likely be running Windows or Mac OS X.

zh August 18, 2022 2:03 PM

And they can use the normal computer to ssh into the stipulated unexploited Raspberry Pi, to copy the information off.

Ted August 18, 2022 3:12 PM

@Dinah, Ven, All

“How do you get the info back off of the drive?”

According to Hak5: “…you can always get to the filesystem of the USB Rubber Ducky by removing the MicroSD card and using a card reader…”

Otherwise, similar to what Ven said, it looks like you can use The Button to switch the Rubber Ducky from its keyboard enumeration function to a USB storage function.

If you wanted more options for exfiltrating data, Hak5 also offers Bash Bunny. Though I’d probably enjoy starting with the simpler product.

https://docs.hak5.org/hak5-usb-rubber-ducky/unboxing-quack-start-guide

Jonathan Wilson August 19, 2022 4:46 PM

Maybe it's time Microsoft added something to Windows via e.g. Group Policy where it will refuse to acknowledge or talk to any unknown USB device (this thing may emulate a keyboard but when you plug it in Windows still does the usual “new device found” thing).

That way if it's plugged in, Windows will simply ignore it and any “keystrokes” it might send.

Clive Robinson August 19, 2022 8:34 PM

@ ,

Re : Is it USB or Keyboard

“Maybe its time Microsoft added something to Windows via e.g. Group Policy where it will refuse to acknowledge or talk to any unknown USB device”

Remember Microsoft are still twitchy about “USB Killer Drivers” since the “Chip Killer” FTDI Update on FT232 chips debacle back in 2014. They basically do not want to get involved in having anything to do with making hardware not work.

Basically it was when the loonies at chip manufacturer FTDI “committed physical cyber-warfare” as they tried to destroy “grey market” chips in everyday users’ peripherals. They basically pushed an “illegal” –in UK– driver update through Microsoft and millions of USB devices stopped working… and Microsoft caught the bulk of the flack.

But it goes a little deeper than that, the USB specification is effectively flawed.

Which from a security aspect makes USB and User Input Peripherals at best problematic.

Firstly there is weak association between USB physical devices and software drivers. Basically the organisation behind USB makes money from the selling of USB device ID numbers. This “encourages” people to steal existing IDs rather than pay for their own. So from the software side there is no way to tell what the device is, or if it is genuine.

Secondly there is the issue of when is a device actually a USB device or something else using a USB plug? Some hardware user peripherals like mice come into this category.

But “User Input” devices like keyboards also have to work when a computer boots and has no updatable USB drivers available as the OS is not loaded.

USB-IF came up with HID 111 to cover this problem in part,

https://en.m.wikipedia.org/wiki/USB_human_interface_device_class

But as always things that have to work at or below BIOS level through the entire boot process represent a very serious security risk that is effectively unavoidable.

[1] The thing is from a manufacturing perspective FTDI shot themselves in the foot, I know of at least two FMCE manufacturers who have “Design Out / Do Not Use” on all FTDI chips now… You can read more about it from the time in,

https://www.zdnet.com/article/ftdi-admits-to-bricking-innocent-users-chips-in-silent-update/

What's in a name August 26, 2022 5:14 AM

There is a common misconception which is that there is no way to stop these attacks and still use USB drives because computers must trust keyboards. This is not true. There is a simple solution which surprisingly our operating systems don’t implement which is to lock the screen when a keyboard – ANY KEYBOARD – is connected (like Penteract’s keyboard detector does).
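As an added example (not from Schneier's post, Hak5, or any commenter), a defender-side monitor for the two defenses the thread touches on: treat a keyboard that enumerates after login as a reason to lock the screen, and flag keystroke cadence that no person produces, including bursts that carry the pseudorandom per-key delays the post says DuckyScript 3.0 can add. The event stream, device names and thresholds are constructed assumptions.

```python
from collections import namedtuple
from itertools import accumulate
from statistics import mean, pstdev

# t: seconds since unlock; device: keyboard id from the OS; kind: "attach" or "key"
Event = namedtuple("Event", "t device kind")
MIN_HUMAN_GAP = 0.040   # a burst averaging under 40 ms per key is not a person typing
MIN_HUMAN_CV = 0.25     # human inter-key intervals vary far more than this

def cadence_alert(keys, window=20):
    """Return a reason if the last `window` keystrokes look machine-generated."""
    if len(keys) < window:
        return None
    ts = [e.t for e in keys[-window:]]
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    if m < MIN_HUMAN_GAP:
        return f"burst of {window} keys at {m * 1000:.0f} ms/key"
    cv = pstdev(gaps) / m
    if cv < MIN_HUMAN_CV:
        return f"{window} keys at near-constant {m * 1000:.0f} ms spacing (cv={cv:.2f})"
    return None

def analyze(events, known_devices):
    """Walk the event stream; return (time, device, alert) tuples."""
    alerts, keys_by_dev = [], {}
    for e in events:
        if e.kind == "attach" and e.device not in known_devices:
            alerts.append((e.t, e.device, "unknown keyboard attached: lock screen"))
        elif e.kind == "key":
            keys = keys_by_dev.setdefault(e.device, [])
            keys.append(e)
            reason = cadence_alert(keys)
            if reason:
                alerts.append((e.t, e.device, reason))
                keys.clear()   # one alert per burst, then start a fresh window
    return alerts

def burst(start, device, gaps, n=20):
    """Constructed keystrokes: n keys from `start`, cycling through `gaps` (seconds)."""
    times = accumulate((gaps[i % len(gaps)] for i in range(n - 1)), initial=start)
    return [Event(t, device, "key") for t in times]

# Constructed sample: a person on the built-in keyboard, then an unknown keyboard
# enumerates and types one burst at a fixed 50 ms and one with 20-60 ms jitter of
# the kind DuckyScript 3.0's pseudorandom delay can add.
SAMPLE = (burst(1.0, "kbd-builtin", [0.12, 0.31, 0.09, 0.22, 0.45])
          + [Event(30.0, "kbd-usb-new", "attach")]
          + burst(30.5, "kbd-usb-new", [0.050])
          + burst(40.0, "kbd-usb-new", [0.020, 0.050, 0.030, 0.060, 0.025]))
```

Running `analyze(SAMPLE, {"kbd-builtin"})` yields three alerts: the attach, the fixed-spacing burst, and the jittered burst, while the human typing raises none; in a real deployment the event source would be the OS's HID hook or device-arrival log rather than the constructed list.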
