Search…
Hak5 USB Rubber Ducky
Getting Started
Keystroke Injection Attacks
The USB Rubber Duck
The Attack Workflow
Payload Principals
Writing your First Payload
Obfuscation and Optimization
The Ducky Script Language
Ducky Script Quick Reference
Sample Payloads
Guides
15 Second Password Hack, Mr Robot Style
Quickly Steal a Windows Password Hash
A 3 Second Reverse Shell with the USB Rubber Ducky
The Best Security Awareness Payload for the USB Rubber Ducky
Troubleshooting
WILL THE USB RUBBER DUCKY WORK STRAIGHT AWAY?
NOTHING HAPPENED WHEN I PLUGGED IN MY USB RUBBER DUCKY
MY USB RUBBER DUCKY SHOWS A SOLID RED LED, NOW WHAT?
MY USB RUBBER DUCKY IS FLASHING RED, NOW WHAT?
WHAT FILE SYSTEMS ARE SUPPORTED?
CAN THE USB RUBBER DUCKY HOLD MULTIPLE PAYLOADS?
Powered By GitBook
Obfuscation and Optimization
While this section isn’t intended to be a comprehensive list of obfuscation and optimization techniques, these three simple examples effectively illustrate the concept.

Obfuscation

So what is obfuscation? Obfuscation is all about reducing the visibility of the payload, or simply put – making it stealthier. This is crucial in a social engineering deployment scenario. If a payload is too long, or too “noisy” it’s more likely to be noticed and thwarted. With that in mind, let’s look at two simple examples of obfuscating the Windows command prompt.
Our ducky script begins with a common combination of keystrokes which opens the Windows command prompt.
1
DELAY 1000
2
GUI r
3
DELAY 100
4
STRING cmd
5
ENTER
Copied!
From here we typically have a large black and white terminal window open – which to laymen may look intimidating. Let’s reduce that visibility.
1
DELAY 500
2
STRING color FE
3
ENTER
4
STRING mode con:cols=18 lines=1
5
ENTER
Copied!
The first command color FE sets the command prompt color scheme to yellow text on a white background. Unfortunately the same color cannot be set as both background and foreground, however a yellow on white command prompt is very difficult to read and will obscure our payload. For a complete list of color combinations, issue color * in a terminal.
For 1337 Mode, issue the color a command
The next command, mode con:cols=18 lines=1, reduces the command prompt window size to 18 columns by 1 line. This, in combination with the above color command, creates a very small and extremely difficult to read command prompt. Best of all, while this makes reading the payload difficult by any observer, it does not impact the function of the payload in any way. The computer simply doesn’t care that the command prompt is illegible.
Finally we’ll execute our command. Let’s pick something silly that’ll take some time to run, just for fun. In that case we’d add to our obfuscated payload the following:
1
STRING tree c:\ /F /A
2
ENTER
3
DELAY 20000
4
STRING exit
5
ENTER
Copied!
The above tree command will map the file and directory structure of the C drive in ASCII. Even with the fast solid state drive in my development computer, this task takes about 20 seconds to complete. Afterwards, when our nefarious tree command finishes, we’ll want to close the command prompt in order to prevent our target user from noticing our devilish deeds. So for that we’ll need to add a 20 second delay, followed by the exit command to close the command prompt. While we may be able to issue the exit and ENTER keystrokes while the tree command is executing, depending on the complexity of the running process there is no guarantee it will issue.
By adding up the delays and keystrokes of this ducky script, we can approximate this payload to require around 23 seconds to execute.

Optimization

What about optimization? If obfuscation is all about making a payload stealthier, optimization is all about making it faster. Short of injecting keystrokes faster, often times a little finesse can go a long way in reducing unnecessary delays. Let’s take a crack at optimizing the above tree attack payload while maintaining its obfuscation.
1
DELAY 1000
2
GUI r
3
DELAY 100
4
STRING cmd /C color FE&mode con:cols=18 lines=1&tree c:\ /F /A
5
ENTER
Copied!
These 5 lines of ducky script executes the exact same payload as the previous 15-line version, and executes in less than 3 seconds instead of 23! Now, the command prompt is still open for around 20 seconds while the tree command completes, but no further action from the USB Rubber Ducky is needed once the single command is run. Meaning, seconds after plugging in the USB Rubber Ducky, it can be safely removed while the tree command continues to run. Let’s take a look at how.
Similar to the first version, we open the Windows Run dialog and enter the cmd command in order to open a command prompt, but rather than just open the prompt we’ll pass it a few parameters and commands. The first is /C, which tells the command prompt to close once the command completes. Alternatively if we were to issue /K for keep, the command prompt would stay visible even after the tree command completes.
The rest of the payload is to string together all of the commands. By placing an ampersand symbol (&) in between our commands, we can string them together on one line. in our case this is “color“, “mode“, and “tree“. This is what we would call a one-liner payload since it utilizes just a single STRING command.
Aside from being able to unplug the USB Rubber Ducky as soon as the Run dialog completes, this payload is also more reliable. The biggest issue with the first version was the 500 ms delay between issuing “cmd” and beginning to type the commands.
Any time a payload must wait on a GUI element, a reliability issue can occur. If the target computer were running slowly, and more than a half-second were required in order to open the command prompt, the payload would have failed.

Further Optimization

Our obfuscated and optimized tree attack ducky script is great, but like all ducky scripts there’s always room for even more improvement.
1
DELAY 1000
2
GUI r
3
DELAY 100
4
STRING cmd /C "start /MIN cmd /C tree c:\ /F /A"
5
ENTER
Copied!
Like CMD inception, the above ducky script is even more optimized. Notice the “color” and “mode” commands have been removed, and instead the “cmd /C tree c:\ /F /A” command has been wrapped inside another “cmd /C” command.
The first “cmd” issues the second with the leading “start /MIN” command. The “start” command executes everything following with the parameter “/MIN“. The “/MIN” parameter opens the second “cmd” window in a minimized state.
Since the first “cmd” running the “start” command completes in an instant, the command prompt is only visible for a split second. The second “cmd“, which is actually executing our “tree c:\ /F /A” command, is left minimized in the background mapping the file and directory structure of the C drive.
The result is a script which executes even faster than before, having typed only 42 characters instead of 56. This new version is actually even more obfuscated than the previous one with the tiny yellow on white command prompt, because it’s command prompt is minimized the entire time the tree command is running.
This is just one benign example of an optimized and obfuscated USB Rubber Ducky payload, though it illustrates greatly the importance of taking the time to finesse any ducky script.
Getting Started - Previous
Writing your First Payload
Next - The Ducky Script Language
Ducky Script Quick Reference
Last modified 6mo ago
Copy link
Contents
Obfuscation
Optimization
Further Optimization