Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.
DUCKY" will be saved in the
netsh command will get the network name (SSID) and passphrase (key) for the currently connected network (
netsh command (filtered to only the SSID and key) will be redirected (saved) to a file on the root of the "
DUCKY" drive, saved as the computer name (in
$_EXFIL_MODE_ENABLED internal variable. The target then reflects the encoded lock keystrokes: the binary values of the reflected, or "bit banged", lock keys are stored as 1s and 0s in the loot.bin file on the USB Rubber Ducky.
ATTACKMODE command, the USB Rubber Ducky will act as a HID keyboard.
SAVE_HOST_KEYBOARD_LOCK_STATE will save the state of the lock key LEDs, as reported by the target, so that they can be restored to their original configuration after the Keystroke Reflection attack is performed.
$_EXFIL_MODE_ENABLED = TRUE will instruct the USB Rubber Ducky to listen for control codes on the USB HID OUT endpoint, saving each change as a bit within
$_EXFIL_LEDS_ENABLED = TRUE will flash the USB Rubber Ducky LED as loot is saved, which is useful when debugging. Set it to FALSE for stealthier operation, although the flash drive case should sufficiently conceal the LED.
$env:tmp\z) directory, encoded in standard ASCII.
WAIT_FOR_SCROLL_CHANGE will be triggered when the final key "press" from the SendKeys class is executed, thereby continuing the payload.
$_EXFIL_MODE_ENABLED = FALSE will instruct the USB Rubber Ducky to conclude saving the received control codes in loot.bin, and RESTORE_HOST_KEYBOARD_LOCK_STATE will restore the lock key LEDs to their original state before the exfiltration began.
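The sequence above (save lock state, enable exfil mode, wait for the Scroll Lock change, disable exfil mode, restore lock state) is easier to reason about with a model of the channel in hand. The block below is an added example, not Hak5's firmware or payload code: it simulates the host emitting USB HID LED reports as lock keys are pressed, the device recording each LED change as a bit, and a defender-side rate heuristic over the timestamps of those reports. The bit encoding (Caps Lock toggle = 1, Num Lock toggle = 0, Scroll Lock toggle = end of transfer) is an assumed simplification chosen to illustrate the principle, and the LED bit positions are those of the standard HID boot-protocol keyboard output report.

```python
"""Model of the Keystroke Reflection side channel plus a detection heuristic.
Added example, not Hak5 code. The Caps/Num/Scroll encoding is an assumed
simplification of the scheme the documentation describes."""
from __future__ import annotations

# USB HID boot-protocol keyboard output report: one byte of LED state.
NUM_LOCK, CAPS_LOCK, SCROLL_LOCK = 0x01, 0x02, 0x04


def host_led_reports(data: bytes, initial_state: int = 0) -> list[int]:
    """Host side: each lock-key press flips one LED bit and the OS sends the
    new LED state to every attached keyboard as an HID OUT report.
    Returns the sequence of report bytes the device would observe."""
    state = initial_state
    reports: list[int] = []
    for byte in data:
        for i in range(7, -1, -1):            # MSB first, one report per bit
            bit = (byte >> i) & 1
            state ^= CAPS_LOCK if bit else NUM_LOCK
            reports.append(state)
    state ^= SCROLL_LOCK                      # end-of-transfer marker
    reports.append(state)
    return reports


def device_decode(reports: list[int], initial_state: int = 0) -> bytes:
    """Device side: recover bits from LED state *changes* (what the exfil
    listener records), stopping at the Scroll Lock change. Incomplete
    trailing bytes are discarded."""
    prev, bits = initial_state, []
    for report in reports:
        changed = prev ^ report
        prev = report
        if changed & SCROLL_LOCK:
            break
        if changed & CAPS_LOCK:
            bits.append(1)
        elif changed & NUM_LOCK:
            bits.append(0)
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return bytes(out)


def lock_toggle_rate_alert(timestamps: list[float], window_s: float = 1.0,
                           max_toggles: int = 20) -> bool:
    """Detection heuristic over LED-report timestamps (e.g. from a USB
    capture): a person rarely toggles lock keys more than a few times per
    second, while this channel needs one toggle per bit. Returns True if
    any sliding window of window_s seconds holds more than max_toggles."""
    ts = sorted(timestamps)
    start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window_s:
            start += 1
        if end - start + 1 > max_toggles:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: a short ASCII string pushed through the channel.
    sample = b"SSID:lab\n"
    reports = host_led_reports(sample)
    print(len(reports), "LED reports carry", len(sample), "bytes")
    print(device_decode(reports))
    # 72 reports 10 ms apart: far above any human lock-key rate.
    print(lock_toggle_rate_alert([i * 0.01 for i in range(len(reports))]))
```

The decoder keys on changes rather than absolute LED values, which is why the payload must capture and restore the host lock state around the transfer: an unknown starting state would otherwise desynchronise the first bit. The throughput figure the model makes visible (one HID OUT report per bit, so eight reports per byte) is also what makes the rate heuristic workable.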
loot.bin file on the root of the MicroSD card. This file keeps the .bin extension, as it may contain arbitrary binary data, received bit by bit over the USB HID OUT endpoint via control codes intended to manipulate the lock key LED states.
loot.bin file may be treated in various ways. For example, if the data retrieved was originally ASCII, as in the WiFi credential exfiltration example, then simply renaming the file to loot.txt will yield a file readable by any standard text editor such as Notepad, TextEdit, vim and the like, without further manipulation.
.jpeg would yield an image readable by conventional means.
loot.bin file and further processing would be necessary. In these cases, file carving tools would be needed to recover the original files.
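When a USB Rubber Ducky turns up during an investigation, the first question about its loot.bin is the one the paragraphs above pose: is it plain text (rename to .txt), a single known file type (rename by its magic bytes), or a concatenation that needs carving? The block below is an added example, not Hak5 tooling, that makes that triage decision and carves JPEGs (start-of-image FF D8 FF through end-of-image FF D9) out of a blob. The sample blobs are constructed; the JPEG fragments carry only the marker bytes and are not real images.

```python
"""Triage of a recovered loot.bin: added example, not Hak5 tooling.
Classifies the blob by magic bytes or printable content and carves
concatenated JPEGs out of it when more than one file was exfiltrated."""
from __future__ import annotations
import string

# Leading magic bytes for a few common file types.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
    b"%PDF-": "pdf",
}
PRINTABLE = set(string.printable.encode())


def classify(blob: bytes) -> str:
    """Return a file extension: a known type by magic bytes, 'txt' if every
    byte is printable ASCII, otherwise 'bin' (unknown or mixed content)."""
    for magic, ext in MAGIC.items():
        if blob.startswith(magic):
            return ext
    if blob and all(b in PRINTABLE for b in blob):
        return "txt"
    return "bin"


def carve_jpegs(blob: bytes) -> list[bytes]:
    """Carve every JPEG (SOI FF D8 FF ... EOI FF D9) out of an arbitrary blob.
    A SOI without a following EOI (truncated transfer) is ignored."""
    found: list[bytes] = []
    pos = 0
    while True:
        start = blob.find(b"\xff\xd8\xff", pos)
        if start < 0:
            return found
        end = blob.find(b"\xff\xd9", start + 3)
        if end < 0:
            return found
        found.append(blob[start:end + 2])
        pos = end + 2


def triage(blob: bytes) -> dict:
    """Decide what to do with loot.bin: rename it, or carve it."""
    kind = classify(blob)
    carved = carve_jpegs(blob)
    return {
        "kind": kind,
        "suggested_name": f"loot.{kind}",
        "carved_jpegs": len(carved),
        # Unknown content, or more than one embedded file, means carving.
        "needs_carving": kind == "bin" or len(carved) > 1,
    }


# Constructed samples (not data from any real device).
SAMPLE_TEXT = b"SSID   : lab-wifi\r\nKey Content : hunter2\r\n"
JPEG_A = b"\xff\xd8\xff\xe0" + b"\x00" * 8 + b"\xff\xd9"   # marker bytes only
JPEG_B = b"\xff\xd8\xff\xdb" + b"\x01" * 4 + b"\xff\xd9"
MIXED = b"junk" + JPEG_A + b"\x00\x00" + JPEG_B

if __name__ == "__main__":
    for name, blob in (("text", SAMPLE_TEXT), ("one jpeg", JPEG_A), ("mixed", MIXED)):
        print(name, triage(blob))
```

The printable-ASCII test is deliberately strict: a single stray byte (a dropped or duplicated bit in the channel corrupts the rest of the byte) pushes the blob to 'bin', which is the right answer, since a text editor would then show garbage after that point and the analyst should look at the raw bytes instead.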
loot.bin from a target via the Keystroke Reflection pathway, any variable in Ducky Script may be saved, or exfiltrated, to the loot file using the
$FOO will be written (appended) to the loot.bin file on the root of the USB Rubber Ducky MicroSD card.
PID, and a loop containing incremental PID variables and lock key detection, one may write a payload to brute force the allow list of an otherwise hardware installation limited computer, then write the allowed
loot.bin for further analysis.