I’m pretty sure that you cannot type as fast as this little guy, which looks like this:
Digging into Ducky script
Right now, let’s dig into Ducky script. This is the special programming language used by the USB Rubber Ducky. Programming your Rubber Ducky is very simple: you create a text script, encode it with the online payload encoder or with the Java encoder application, put the resulting binary file on the SD card, the SD card into the Rubber Ducky, and the Rubber Ducky into the victim machine. That’s it. The Rubber Ducky will run the payload each time it is plugged into a USB port on the computer.
Let’s look closer at the syntax of Duckyscript and create the first script: a comment line, the Windows+R key combination, the string cmd, and the Enter key. For this demonstration I will use a virtual machine. Sometimes virtual machines are not capable of receiving these fast keystrokes from the Rubber Ducky, so I will use additional commands to slow the Rubber Ducky down. I will use the Java encoder to encode the script. It takes three parameters: the script file, the output file (I will output directly to my SD card), and the keyboard language, the standard US layout. Looks promising.
Now I’m putting the SD card into the Rubber Ducky. Let’s switch to the testing workstation and see how everything works. A command line has opened.
That was quick and easy, so what can we do next?
Let’s say you want full-disk access to some computer, but you have already discovered that this machine has BitLocker configured. What can you do about it? You can ask the user politely to give you his password (I’m not sure that will succeed), or use some social engineering and the Rubber Ducky.
On the Rubber Ducky side, we are going to add an additional, extended payload: we’ll create a recovery password for BitLocker using the Rubber Ducky. This way we will potentially have an opportunity to unlock the BitLocker-protected drive. Let’s try this one. First we want an initial delay, just to be sure that activity on the computer is not disturbing our payload. Next we run the command line again, and add another delay so the popup window has time to appear. On the command line we want to reconfigure BitLocker. This is the command: it adds an additional recovery password, a numeric password, for BitLocker. Of course, we will need Enter afterwards.
Let’s try it. My SD card goes back into the computer, then back into the Rubber Ducky. Let’s close everything and assume that this is an unlocked workstation. We wait for the delay, approximately five seconds. Here we go. We were slowed down by our additional delay command, but the command succeeded and we have added the additional recovery password. We can confirm that it’s there.
I think we all know that this attack can be easily detected, as we have created an additional recovery key, something that changed the state of the machine. A more advanced version of this scenario would involve stealing the recovery key and sending it to some server. Let’s try to create such a payload.
Creating the script using PowerShell
For that, let’s create a third script. We will need something we already know, with a small change: we are just storing the BitLocker configuration, that is the BitLocker credentials (the numeric recovery passwords), to a file on the local system. What can we do next? We need something to send it to our web server. For that we will use PowerShell; a PowerShell script will be perfect.
This will be our payload. The first line just reads the contents of the file that stores our BitLocker credentials. This is the conversion to Base64, and here we have added it as an argument to the request, sent to some regular server with a specially created application that just stores all the requested information. This way we will have it on a machine we control. Let’s save it.
One more thing: PowerShell has a nice feature to run scripts passed on the command line, and those scripts can also be Base64-encoded. Effectively, something like this will run our script.
Of course, we need the command here and Enter afterwards. To encode our payload, here is a second simple script. Let me run PowerShell again, and this is it: we read the contents of our payload file and put the encoded result back on the console. This is our payload generator.
Let’s see how this works. This is the exact representation of this payload:
Let’s copy it, paste it here, save, and that would be it. The SD card goes back into the computer. We are going to compile the third script.
First command, success. On normal physical machines we don’t have this delay, so this would be 10 times faster. The delay is only for the demonstration, but this is pretty fast as well, because I’m not sure I would be able to type this script as fast from memory. Okay, success.
As we see, something was sent to my server. I’m pretty sure the contents of this file can also be confirmed to be correct.
Our server knows the numeric password. What does that mean? It means we have used the Rubber Ducky to perform a real-world attack on a physical machine.
Advantages of Rubber Ducky
What is super cool about the Rubber Ducky? It’s so small and looks like a regular USB drive. It’s also cheap, so you can just buy a bunch of these and leave them somewhere, for example for casual victims like your friends or maybe colleagues from the company. These are obvious examples, but did you know that the Rubber Ducky is also multi-platform? We have tested it on the Windows platform right now, but the Rubber Ducky can use its payloads against Mac OS or Linux operating systems. Of course, the payload needs to be adjusted for each platform. I think that every penetration tester should have a ready-to-use Rubber Ducky in his pocket for each assessment, or at least for the most common targets.
If you want to learn more or see other examples of Rubber Ducky scripts, I would recommend this page.
It’s a huge repository of scripts. The page also has an online encoder and decoder, so you can check your scripts here. Please be aware that string delay is not covered here yet.
This is not the newest parser for Rubber Ducky script. Here we have some scripts contributed by different users; you can find inspiration here. Please be aware that every time you put a script from the site onto your Rubber Ducky, double check what it does, because sometimes scripts can contain malicious activity, so please stay safe.
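As an added defender-side example (not code from the video or from the Rubber Ducky project), here is a small Python auditor for the "double check what it does" step: it reconstructs what a Ducky script would type (REM, DELAY, GUI, STRING, ENTER as used in the scripts above) and decodes any Base64 PowerShell -EncodedCommand it finds, the same encoding the payload generator produces. The sample script and the keyword list are constructed for illustration.

```python
import base64
import re

# Keywords a reviewer would want to see before running a downloaded script
# (an illustrative list, not an exhaustive one).
RISKY = ("manage-bde", "invoke-webrequest", "net.webclient", "-encodedcommand")


def encode_ps(cmd: str) -> str:
    """PowerShell's -EncodedCommand takes Base64 of the UTF-16LE command text."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


def decode_ps(b64: str) -> str:
    return base64.b64decode(b64).decode("utf-16-le")


# Constructed sample script, shaped like the ones built in the video but with a
# harmless encoded command (Get-Date) so the decoder has something to reveal.
SAMPLE_SCRIPT = f"""REM constructed example, not a real payload
DELAY 3000
GUI r
DELAY 500
STRING cmd
ENTER
DELAY 500
STRING powershell -EncodedCommand {encode_ps('Get-Date')}
ENTER
"""

ENC_RE = re.compile(r"-(?:e|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def audit(script: str):
    """Return (typed, findings): the lines the script would type, and flagged items."""
    typed, current = [], ""
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("REM"):
            continue                      # comments carry no keystrokes
        cmd, _, arg = line.partition(" ")
        if cmd == "STRING":
            current += arg                # STRING types text literally
        elif cmd == "ENTER":
            typed.append(current)         # ENTER submits what was typed so far
            current = ""
        elif cmd in ("GUI", "WINDOWS"):
            typed.append(f"<GUI+{arg}>")  # modifier combo such as Win+R
        # DELAY only affects timing, so it leaves no trace in the typed text
    findings = []
    for t in typed:
        text = t
        m = ENC_RE.search(t)
        if m:                             # unhide the Base64 PowerShell command
            text += " " + decode_ps(m.group(1))
            findings.append(f"encoded PowerShell decodes to: {decode_ps(m.group(1))}")
        findings += [f"{kw!r} in: {text}" for kw in RISKY if kw in text.lower()]
    return typed, findings
```

Running audit(SAMPLE_SCRIPT) lists the three typed lines (Win+R, cmd, the powershell line) and reports the decoded Get-Date command alongside the -EncodedCommand flag.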
Thank you for watching! If you have any interesting idea regarding Rubber Ducky that you want to share with us, just leave your comment. Stay tuned for the next episodes of Hacks Weekly.