Keystroke Injection Attacks
Have you ever typed on a computer keyboard? I bet you have. Chances are you do this all the time. And your computer happily accepts your keystrokes and does your bidding. Why wouldn't it? After all, keystrokes are the commands of humans. And computers, being programmed by mankind, have been instructed to obey humans.
So, until the pending AI uprising, how is it that keystrokes can be an attack?
Simply put, computers inherently trust human input, in the form of keystrokes. Whether it's writing an email, chatting with colleagues, or scanning your hard drive for sensitive documents before surreptitiously copying them – keyboards are king.
Go ahead – try it yourself. If you're on a Windows PC, hold down the Windows key and press R, then type in "tree" (without the quotes) and hit enter. Don't worry - it's harmless. Really.
If you're on a Mac, hold down the ⌘ Command key and press Spacebar, then type in "terminal" (without the quotes) and hit enter. In the terminal, type in "find ." (again, without the quotes) and hit enter.
Now, what do we know about keystrokes? Two things immediately come to mind: 1) the keyboard, and 2) the human operator typing on said keyboard.

Keyboards

Keyboards come in a variety of shapes and sizes. From the clicky-clacky IBM Model M type to the ergonomic variety, they all share something in common today: HID, or the Human Interface Device specification. Ever since the USB interface took over as the de facto standard for computer peripherals in the late '90s, this HID specification has been the cornerstone of how all keyboards speak to computers.
5-Pin DIN connector for IBM PC AT Keyboard
Keyboards weren't always universal, however. From the late '80s, the IBM PC and compatible "clones" used a small round 6-pin mini-DIN known as PS/2 for their keyboard connectors. At the same time, Apple computers used a small round 4-pin mini-DIN connector known as the Apple Desktop Bus. Neither was compatible with the other.
Even further back, a large round 5-pin "PC AT" design was in fashion, though it was frequently incompatible with the numerous desktop designs of the early personal computer era.
IBM Model M Keyboard
It was a far cry from the modern age where just about any USB keyboard can be plugged into any computer. Today we enjoy ubiquity among not just keyboards, but mice, joysticks and other peripherals because of the HID specification. If you spill coffee on your keyboard at the office, chances are you can simply snag a new one from the supply closet, plug it in and expect it to just work. It's not just computers either – smartphones accept the standard, although they typically require a USB adapter to plug in a keyboard.
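To make the HID point concrete, here is an added example (not code from the original page or from Hak5) that decodes USB HID boot-protocol keyboard reports into the characters a host would see. Each report is 8 bytes: a modifier bitmask, a reserved byte, and up to six key usage IDs; the usage IDs and modifier bits follow the USB HID Usage Tables, and the keymap below is a small subset (a real host keymap is much larger). The sample reports spelling out "tree" and Enter are constructed for this example. The host-side decoder has no way of knowing whether the reports came from a person at an IBM Model M or from anything else that speaks the protocol, which is the whole point of the section.

```python
# Added example: decode USB HID boot-protocol keyboard reports into text.
# Report layout (8 bytes): [modifiers, reserved, key1, key2, key3, key4, key5, key6].
# Usage IDs and modifier bits follow the USB HID Usage Tables (Keyboard/Keypad page).

MOD_LEFT_SHIFT = 0x02
MOD_RIGHT_SHIFT = 0x20
MOD_LEFT_GUI = 0x08     # the "Windows" / Command key
MOD_RIGHT_GUI = 0x80
ERROR_ROLLOVER = 0x01   # reported in every key slot when too many keys are held

# Usage ID -> (unshifted, shifted). Subset of a US keymap; enough for this example.
USAGE_TO_CHAR = {}
for i, c in enumerate("abcdefghijklmnopqrstuvwxyz"):
    USAGE_TO_CHAR[0x04 + i] = (c, c.upper())
for i, c in enumerate("1234567890"):
    USAGE_TO_CHAR[0x1E + i] = (c, "!@#$%^&*()"[i])
USAGE_TO_CHAR[0x28] = ("\n", "\n")   # Enter
USAGE_TO_CHAR[0x2C] = (" ", " ")     # Space
USAGE_TO_CHAR[0x2D] = ("-", "_")
USAGE_TO_CHAR[0x37] = (".", ">")
USAGE_TO_CHAR[0x38] = ("/", "?")


def decode_reports(reports):
    """Return the characters typed by a sequence of 8-byte boot reports.

    A usage ID counts as a key press only when it is present in this report
    and absent from the previous one, so a repeated letter ("ee") needs an
    intervening release report, exactly as a physical keyboard sends it.
    """
    typed = []
    previous = set()
    for report in reports:
        if len(report) != 8:
            raise ValueError("boot keyboard report must be 8 bytes")
        modifiers = report[0]
        shifted = bool(modifiers & (MOD_LEFT_SHIFT | MOD_RIGHT_SHIFT))
        current = {k for k in report[2:8] if k != 0}
        if ERROR_ROLLOVER in current:
            # Phantom state: the device could not encode the key set; ignore it.
            continue
        for usage in sorted(current - previous):
            if usage in USAGE_TO_CHAR:
                typed.append(USAGE_TO_CHAR[usage][1 if shifted else 0])
        previous = current
    return "".join(typed)


def press(*usages, modifiers=0):
    """Build one report with the given usage IDs held down (constructed helper)."""
    return bytes([modifiers, 0] + list(usages) + [0] * (6 - len(usages)))


RELEASE = bytes(8)  # all-zero report: every key released

# Constructed sample: the page's "tree" + Enter, as a keyboard would send it.
TREE_REPORTS = [
    press(0x17), RELEASE,  # t
    press(0x15), RELEASE,  # r
    press(0x08), RELEASE,  # e
    press(0x08), RELEASE,  # e again: the release in between is what makes it count
    press(0x28), RELEASE,  # Enter
]

if __name__ == "__main__":
    print(repr(decode_reports(TREE_REPORTS)))
```

Note the repeated "e": two consecutive reports that both carry usage 0x08 decode to a single character, because the host only sees a transition, not a count. That is also why a device injecting text has to send a release between identical letters, and why nothing in the report itself identifies who, or what, pressed the key.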

Human Operators

Human operators also come in a variety of shapes and sizes. More pertinent to keystrokes, however, they each have their own typing speed and style. Some hunt and peck at a paltry 20 to 30 words per minute (WPM), while other professionals may be in the 65 to 75 WPM range.
On the higher end of the spectrum a proficient typist can hit upwards of 120 WPM, while stenographers (trained court reporters) are expected to type at speeds from 180–225 WPM.
Accuracy is another determining factor of typing. To err is human, after all. Were we all perfect, the backspace key would need not exist. A research paper from 2009 published by IEEE found that typists performing at about 85 WPM dropped to 65 WPM once they had to correct for errors. That's a fair amount of errors.
For the record, this author types at a rate of 75 WPM with an accuracy of 98.5% – according to ratatype.com. Not bad, but not perfect either. It's the reason why sometimes in the command prompt I'll get the error message "bad command or file name", or "No command 'ifcomfig' found, did you mean 'ifconfig'".

Trust

My typing errors speak to the heart of the man-machine relationship. The computer trusts me implicitly, even when I key in a mistake.
The computer, knowing that I probably mean to type "ifconfig" not "ifcomfig", gracefully tells me of my wrongdoing, while dutifully attempting to execute whatever command I throw at it. There's no room for gray area; it's just black or white. One or zero. Whatever I type, it'll do it – no matter what.
And therein lies the attack vector. This hard-coded trust.

What does this mean to the systems administrator?

Let's say you're working in IT, and you get a tech support request. The person is having trouble getting to a shared network resource – a mapped Windows network drive, containing purchase orders and invoices. For whatever reason it's no longer available.
Now, you could walk them through clicking the Start menu, then File Explorer before clicking Network and drilling down through all available servers, then finding the right network share, right-clicking it, choosing Map Network Drive and clicking through the wizard. Phew!
Instead you open up a command prompt and type in "net use p: \\accounting\invoices". You're a pretty good typist, so in a minute you're done – which means more time for important stuff. Like browsing your favorite online forum while running "tree" to make it look like you're working.

What does this mean for the penetration tester?

Imagine your team is doing a penetration test for a client, and you get to do the physical assessment. For this engagement you're under the pretext of an IT contractor, and you've used a social engineering technique to enter the client's building. Now all you have to do is nab some documents – preferably some proprietary intellectual property – and leave.
Armed with just a flash drive you make the rounds of the office floors until you come across an unattended, unlocked computer. You notice its user has stepped into the kitchen for a cup of coffee. You plug in your flash drive. Of course drag and drop wouldn't be your best bet for exfiltrating all spreadsheets from the documents folder. There are dozens of folders and subfolders, it would take minutes. Minutes you don't have.
Instead you key into a command prompt "xcopy documents\*.xlsx d:". A few moments later you're walking out with a few hundred megabytes of confidential spreadsheets.

What just happened?

In both instances the computer did exactly what it was told to do. In most cases, there are no barriers to the user doing this. Connecting to a shared drive or copying a file is exactly what modern operating systems are designed to do as easily and transparently as possible.
While the intent of the two professionals differs — the sysadmin and the pentester — the computer accepts the keystrokes, trusts the human and executes the commands dutifully.
As we can see, a few simple keystrokes can be very powerful. In both cases, typing out a short command was far quicker than the alternatives. Now, do you know what can type even faster than a human?

Automated Keystrokes

We've established that the two primary factors in keystrokes are 1) the keyboard and 2) the operator. The first is just a matter of speaking the HID protocol, and the second is not necessarily unique to humans.
This is where the USB Rubber Ducky comes in. It doesn't look like a keyboard to you and me, but to a computer it is one. One that's pre-programmed to deliver keystrokes at insane speeds. Hundreds of words per minute can be keyed out by the USB Rubber Ducky.
With over 9000 characters per minute being injected down the USB line, what is a computer to do? If you're thinking "exactly what's asked of it", you'd be right.
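The speed gap between the operator ranges given under Human Operators and the figure above is also the simplest signal a defender has. The following added example (not code from the original page or from Hak5) measures the peak keystroke rate over a sliding window of keystroke timestamps and flags streams faster than any human could sustain. It assumes the host can supply one timestamp per character (for instance from an OS-level input event hook; how that hook is installed is outside this example), uses the standard typing-test convention of five characters per word to convert between characters per minute and WPM, and takes the 225 WPM stenographer figure from the page as the human ceiling. Both timestamp streams at the bottom are constructed for the example: one at the author's 75 WPM, one at the page's 9000 characters per minute.

```python
# Added example: rate-based detection of keystroke injection.
# Assumptions: the host supplies a timestamp in seconds for each character,
# and one "word" is five characters (the usual typing-test convention).

CHARS_PER_WORD = 5
HUMAN_MAX_WPM = 225                                # top of the stenographer range on the page
HUMAN_MAX_CPM = HUMAN_MAX_WPM * CHARS_PER_WORD     # 1125 characters per minute


def cpm_to_wpm(chars_per_minute):
    """Convert characters per minute to words per minute."""
    return chars_per_minute / CHARS_PER_WORD


def peak_rate_cpm(timestamps, window=20):
    """Return the highest characters-per-minute rate seen across any `window`
    consecutive keystrokes. `timestamps` must be non-decreasing seconds.

    Streams shorter than the window return 0.0: there is not enough evidence
    to judge them, which is the detector's main blind spot (see note below).
    """
    if len(timestamps) < window:
        return 0.0
    peak = 0.0
    for i in range(window - 1, len(timestamps)):
        span = timestamps[i] - timestamps[i - window + 1]
        if span <= 0:
            # window-1 keystrokes in zero time: faster than any measurable rate
            return float("inf")
        cpm = (window - 1) / span * 60.0
        peak = max(peak, cpm)
    return peak


def looks_injected(timestamps, window=20, human_max_cpm=HUMAN_MAX_CPM):
    """True when some window of keystrokes arrived faster than a human could type."""
    return peak_rate_cpm(timestamps, window) > human_max_cpm


def classify(timestamps, window=20):
    """Human-readable verdict with the measured peak, in both units."""
    peak = peak_rate_cpm(timestamps, window)
    verdict = "INJECTED" if peak > HUMAN_MAX_CPM else "human-plausible"
    return f"{verdict}: peak {peak:.0f} cpm ({cpm_to_wpm(peak):.0f} WPM)"


# Constructed sample 1: a 75 WPM typist (375 cpm, 0.16 s per character) with a
# little jitter on every third keystroke.
HUMAN_75_WPM = [i * 0.16 + (0.03 if i % 3 == 0 else 0.0) for i in range(40)]

# Constructed sample 2: a device injecting at 9000 characters per minute, evenly spaced.
INJECTED_9000_CPM = [i * (60.0 / 9000.0) for i in range(40)]

if __name__ == "__main__":
    print("typist :", classify(HUMAN_75_WPM))
    print("device :", classify(INJECTED_9000_CPM))
```

The window size is the tuning knob. A 20-keystroke window gives a stable estimate for sustained typing, but a short injected command (fewer characters than the window) returns 0.0 and is never judged. Shrinking the window catches shorter bursts at the cost of false positives from key auto-repeat and from legitimate software that synthesizes key events, so in practice this rate check is one signal to combine with device enumeration events rather than a verdict on its own.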
In both cases, our sysadmin and our pentester, the benefit of a pre-programmed keystroke delivery device is astounding. These two scenarios only describe very light tasks – mapping a network drive and copying some files. Just imagine the more complex objectives.
Consider this. It's possible to literally type an executable file – your everyday "exe" program – into a computer. A small program might consist of just a few hundred characters. Even the most locked-down computer, with no network access and flash drives prohibited, may be susceptible to malicious user input.
Chances are, though, you'd be hard-pressed to key in a full program of hundreds of characters at one hundredth the speed of a USB Rubber Ducky, let alone reliably. Remember, it only takes one typo to invalidate the entire program.
With this in mind, everyday sysadmin tasks, from fixing printers to repairing network shares, become automated with a USB Rubber Ducky. And for the pentester, that means a plug-and-play means for installing backdoors, capturing credentials, performing network reconnaissance, exfiltrating documents and a whole lot more.
This book serves as the introduction to the USB Rubber Ducky, as well as the workflow and best practices for getting the most out of this keystroke injection attack platform.