Randomization
Last updated
Last updated
DuckyScript 3.0 includes various randomization features, from random keystroke injection to random integers. This enables everything from payload obfuscation to unique values for device mass-enrollment, and even games!
As an inherently deterministic device, USB Rubber Ducky pseudorandom number generator (PRNG) relies on an algorithm to generate a sequence of numbers which approximate the properties of random numbers. While the numbers generated by the USB Rubber Ducky are not truly random, they are sufficiently close to random allowing them to satisfy a great number of use cases.
The seed is the number which initializes the pseudorandom number generator. From this number, all future random numbers are generated. On the USB Rubber Ducky, this number is stored in the file seed.bin
, which resides on the root of the devices MicroSD card storage similar to the inject.bin
file.
The randomness used to automatically generate the seed considered entropy. A higher level of entropy results in a better quality seed. Entropy may be derived from human input or the USB Rubber Ducky hardware alone.
A high entropy seed.bin
file may be generated using Payload Studio. Alternatively, if no seed is generated, a low entropy seed will be automatically generated by the USB Rubber Ducky in the case that one is necessary.
Random keystroke injection is possible with DuckyScript 3.0. Using the appropriate random command, a random character may be typed.
Command | Character Set |
---|---|
Different key-maps will produce different characters on a keyboard. For example, with a US keyboard layout the key combo SHIFT 3
will produce in a pound, hash or number sign ("#
"). On a UK keyboard layout, the same key combo will produce the symbol for the pound sterling currency ("ÂŁ
").
For this reason, when Payload Studio compiles the DuckyScript payload into an inject.bin
file, the selected language map will be packed into the payload such that the correct random keys are injected.
This payload will type:
10 random lowercase letters, per the while loop.
20 random numbers, per the while loop.
3 random special characters.
The payload will then instruct the user to press the button.
On each press of the button, the BUTTON_DEF
will execute.
This special functions contains the RANDOM_CHARACTER
command, and thus a random character will be typed.
As opposed to the RANDOM_NUMBER
command which will keystroke inject, or type a random digit, the internal variable $_RANDOM_INT
may be referenced for a random integer.
Each time this payload is executed, the LED will randomly blink between 0 and 9 times.
Each time the $_RANDOM_INT
variable is referenced, it will produce a random integer. By default, this integer will be between 0 and 9. The range in which the integer is produced may be specified by changing the values of $_RANDOM_MIN
and $_RANDOM_MAX
.
As unsigned integers, the minimum and maximum values must fall within the range of 0 through 65535.
Each time this payload is executed, the LED will blink a random number of times between 20 and 50.
The random minimum and maximum values may be changed arbitrarily as many times as needed throughout the payload.
Random integers may be evaluated by conditional statement in the same way as ordinary variables.
The random range, as defined by $_RANDOM_MIN
and $_RANDOM_MAX
, is initialized only once at the start of the payload.
The remainder of the payload is carried out within the infinite loop, WHILE TRUE
.
Each time the loop begins the variable $A
will assign a new random number from the internal variable $_RANDOM_INT
between the range initially defined.
The variable $A
will be evaluated, and its condition (whether it's greater or less than 500) will be typed.
The loop will restart after the press of the button.
In addition to random keystroke injection and integers, the USB Rubber Ducky can randomize a number of ATTACKMODE parameters.
Remember, VID
and PID
must be used as a pair and MAN
, PROD
and SERIAL
must be used as a trio.
On each press of the button, the USB Rubber Ducky will re-enumerate as a new USB HID device with random VID, PID, MAN, PROD and SERIAL values.
The string Hello, World!
may be typed.
Because VID
and PID
values may dictate device driver initialization, the USB Rubber Ducky may not be correctly enumerated as a Human Interface Device by the target OS.
Use caution when using random VID
and PID
values as unexpected results are likely.
While performing security research with the USB Rubber Ducky, it is useful to inspect the USB device enumeration on the target operating system. These example commands and utilities are helpful in this regard.
Click the Apple icon
Click About This Mac
Click System Report
Click USB
Microsoft USBView from the Windows SDK or the freeware Nirsoft USBDeview are graphical utilities for inspecting USB devices.
The random functions can be used in combination with the interactive abilities of the USB Rubber Ducky in a number of ways. This example will illustrate some of the possibilities by demonstrating a simple dice roll guessing game.
While calling RANDOM_CHAR
will produce a random character, it will produce a different character every time it is called. In the event we would like to produce a random char once but inject it several times throughout our payload we will need to store this output in a variable; then we can use that variable with INJECT_VAR
to inject it as many times as needed.
These internal variables cannot be assigned to. They are read only and thus cannot be on the left side of the =
in an expression.
INJECT_VAR
can be used to inject a variable.
This requires the variable being passed to INJECT_VAR
to hold a scancode.
If, for example, the key generated by $_RANDOM_LETTER_KEYCODE
happened to be Z
the result of the injection would be
INJECT_VAR
does not automatically convert an integer into its corresponding character, the TRANSLATE
extension is required for this!
The following code will not function. $_RANDOM_INT
is a random integer, not a scancode of a number key.
To inject $_RANDOM_INT
we would need to use the TRANSLATE
extension to convert an integer into the decimal character representation.
This becomes easier to understand why when we consider the example value 1234
. While 1234
will fit into a single VAR
, it is 4 keys to type the value out in decimal format. The integer value must be converted to decimal format, then converted from decimal format into the correct sequence of key presses in the correct keyboard language to type out the keys 1
2
3
4
Internal Variable | Value |
---|---|
ATTACKMODE Parameter | Result |
---|---|
Internal Variable | Description |
---|---|
RANDOM_LOWERCASE_LETTER
abcdefghijklmnopqrstuvwxyz
RANDOM_UPPERCASE_LETTER
ABCDEFGHIJKLMNOPQRSTUVWXYZ
RANDOM_LETTER
abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
RANDOM_NUMBER
0123456789
RANDOM_SPECIAL
!@#$%^&*()
RANDOM_CHAR
abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789 !@#$%^&*()
$_RANDOM_INT
Random integer within set range
$_RANDOM_MIN
Random integer minimum range (unsigned, 0-65535)
$_RANDOM_MAX
Random integer maximum range (unsigned, 0-65535)
$_RANDOM_SEED
Random seed from seed.bin
VID_RANDOM
Random Vendor ID
PID_RANDOM
Random Product ID
MAN_RANDOM
Random 32 alphanumeric character iManufacturer
PROD_RANDOM
Random 32 alphanumeric character iProduct
SERIAL_RANDOM
Random 12 digit serial number
$_RANDOM_LOWER_LETTER_KEYCODE
Returns random lower letter scancode (a-z)
$_RANDOM_UPPER_LETTER_KEYCODE
Returns random upper letter scancode (A-Z)
$_RANDOM_LETTER_KEYCODE
Returns random letter scancode (a-zA-Z)
$_RANDOM_NUMBER_KEYCODE
Returns random number scancode (0-9)
$_RANDOM_SPECIAL_KEYCODE
Returns random special char scancode(shift0-9)
$_RANDOM_CHAR_KEYCODE
Returns random letter number or special scancode