Rubber Ducky: Learning About the Keystroke Injection
Imagine being able to execute commands and load code automatically without user interaction by simply inserting a USB device. This is the behavior of a Rubber Ducky.
A Rubber Ducky is a specially designed USB device, often disguised as a thumb drive, that automatically runs code on any host computer into which it is plugged. It does so by appearing to the computer as a USB HID (Human Interface Device) keyboard and/or mouse, and then “typing” in keyboard shortcuts and commands. This device is considered a Keystroke Injection Attack Tool, but it could be a great partner if you use it properly.
Dark Side
When talking about Keystroke Injection, there are so many options. On the Hak5 website we have a lot of attack examples with explanatory tutorials. A good example, is the 15 Second Password Hack, Mr Robot Style, that explains how to get other user credentials on our computer. This tutorial uses a variation of Mimikatz to get the passwords from memory and after it, it sends the credentials to a server previously installed on our computer.
Credential theft is just one example, as this device can be used maliciously for an infinite number of purposes such as file deletion or Sniffing.
Good Side
Given a non-malicious use, the main feature could be programming processes to save time in our day-to-day or to have a well-defined configuration process to set up any computer for the specific use we want to give it. For example, we can have a Rubber Ducky with a specific programming environment configuration ready to be installed on any computer.
Commercial Option
Rubber Ducky from Hak5 was the device that invented the Keystroke Injection in 2010, becoming the must-have Pentest tool. Being the pioneer and having a big community behind it helped this product to be the most chosen on the market. Nowadays we can buy this product for 59,99 US$.
Apart from this, there are many sites that sell similar products using as base MCUs (Microcontroller Units) like the Attiny85 or the ATMEGA32U4.
Homemade Option And Example
To create a homemade version (not as compact as the original) of the Hak5 Rubber Ducky, you will need a device with a main MCU on it that is directly connected to USB. The ESP8266 chip used on other story is not a USB-capable MCU, and so it uses a USB to UART bridge chip to connect the ESP8266 to the USB of your computer.
What will we use?
- Arduino based board: To use as a USB device.
- Arduino IDE: To upload our code to the board we need an IDE. We use Arduino IDE, but there are others that could be used as well.
Arduino IDE can be installed using the guide they provide and you can configure it and write your first “Hello world” using the help section from the documentation called “Get started with Arduino”.
Once we have our board installed and configured the next step is to load the code that will be executed when connecting the device to a computer. In our case, we decided to load a code that turns off the Windows Defender on the computer that we are attacking. We get this script from the Darren Kitchen (Hak5 founder) Payload list. But there is a problem, the original Rubber Ducky uses Ducky Script as its programming language, and Arduino doesn’t support it natively. For that, we have to use Duckuino, which is a simple Ducky Script to Arduino converter (it converts Ducky Script to C). To speed up this process, you can use the online version of this software.
Once we have our code converted from Ducky Script, the last step is to load the code into the board and, we will already have a device that will deactivate Windows Defender when connecting it to the USB port of the computer we want to attack. Needless to say, this is only an example 😙.
How to Defend Us Against It
Here are three actions you can take to counteract Rubber Ducky, taking into account that these devices operate at speeds that are practically impossible for standard users.
USB port blocker
USB port blockers are an effective way to deter users from connecting unauthorized USB devices that may contain malicious payloads without their knowledge. This defense come with a special key that unlocks and locks the device once installed.
However, the downside to USB port blockers lies in the fact that these devices are still subject to physical tampering if not monitored properly. Any user with ill intent and a few basic tools can easily remove port blockers from a target system.
Using special programs to monitor typing speed
Certain programs like DuckHunter are designed to run in the background and keep a close eye on the typing speed. Since Rubber Ducky devices type at speeds that are practically impossible for humans to type at, the program effectively blocks keyboard input when a Rubber Ducky attack is detected.
The disadvantage of using this method of prevention is that these programs take a few milliseconds to detect an attack. Depending on the length of the payload, it can still make its way into a target computer before being blocked by the program.
Restricting access to elevated Command Prompt
Running Command Prompt as an administrator unlocks a whole set of actions that can be performed on a computer. On Windows, you can gain access to elevated Command Prompt by first typing CMD in the Run command and then holding down Ctrl + Shift + Enter. These keystrokes can easily be programmed into a Rubber Ducky device.
Setting a password for using elevated Command Prompt stops any Rubber Ducky programmed to seek administrative privileges dead in its tracks.
Conclusions
Knowing how Key Injection works not only helps us to know how to defend against it, but also allows us to take advantage of something that was conceived for malicious use. Automating processes, defining auto-configurable environments… these are just some possibilities that Keystroke Injection gives us when used in the right way.
