The USB Rubber Ducky
The USB Rubber Ducky is a keystroke injection tool designed for systems administration and penetration testing.
Housed inside a generic “thumb drive” case, the stealthy tool can be used in social engineering engagements to obtain remote access to systems, gather intelligence, exfiltrate data and more.
While it looks like a typical mass-storage flash drive, it’s actually a programmable keyboard. It’s recognized as a USB Human Interface Device (HID) by the target. Given the ubiquity of USB keyboards it has near universal support. Essentially, if the target device supports USB keyboards, it supports the USB Rubber Ducky.
The USB Rubber Ducky works by injecting keystrokes into the target device - be it a computer, tablet or smartphone - at an extremely high rate beyond 1000 words per minute.
The keystrokes are programmed into the USB Rubber Ducky using an extremely simple scripting language called Ducky Script.
Ducky Scripts can be written in any text editor, and as you’ll see they offer a nice balance of simplicity and power.
These simple Ducky Scripts are one of the most appealing aspects of the USB Rubber Ducky platform. With a low barrier to entry, anyone can craft a script to their needs.
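The injection rate described above (beyond 1000 words per minute) is also the device's most visible tell for a defender. As an added example, not code from the original page or from Hak5, this Python snippet flags any keyboard whose sustained typing rate exceeds a human ceiling; the event tuples, device names, 5-characters-per-word convention and 300 WPM cutoff are all assumptions.

```python
from collections import defaultdict

# Assumption: one "word" is 5 characters (the usual typing-speed convention).
CHARS_PER_WORD = 5
WPM_THRESHOLD = 300   # assumed cutoff: above fast human typing, far below 1000 WPM
MIN_BURST_KEYS = 20   # require a sustained burst, not two quick taps


def sample_events():
    """Constructed sample of (timestamp_ms, device_id, key); not a real capture."""
    events = []
    # Human typist on the built-in keyboard: 150-239 ms between keys.
    t = 0
    for i, ch in enumerate("please review the attached report"):
        t += 150 + (i * 37) % 90
        events.append((t, "kbd-builtin", ch))
    # Newly attached keyboard typing 40 keys exactly 10 ms apart.
    t = 5000
    for ch in "x" * 40:
        t += 10
        events.append((t, "kbd-usb-new", ch))
    return sorted(events)


def burst_wpm(timestamps):
    """Typing rate in words per minute over a run of key timestamps (ms)."""
    span_ms = timestamps[-1] - timestamps[0]
    if span_ms <= 0:
        return float("inf")
    return (len(timestamps) - 1) / CHARS_PER_WORD * 60000 / span_ms


def detect_injection(events, threshold=WPM_THRESHOLD, window=MIN_BURST_KEYS):
    """Return {device_id: peak_wpm} for devices with a sustained burst over threshold."""
    per_device = defaultdict(list)
    for ts, dev, _key in events:
        per_device[dev].append(ts)
    alerts = {}
    for dev, stamps in per_device.items():
        peak = 0.0
        # Slide a window of `window` consecutive keystrokes across the stream.
        for i in range(len(stamps) - window + 1):
            peak = max(peak, burst_wpm(stamps[i:i + window]))
        if peak > threshold:
            alerts[dev] = round(peak)
    return alerts


if __name__ == "__main__":
    for dev, wpm in detect_injection(sample_events()).items():
        print(f"ALERT {dev}: sustained {wpm} WPM, faster than a human typist")
```

In practice the timestamps would come from per-device input events on the host, and the alert is most useful when correlated with a keyboard that enumerated only seconds earlier.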

IT Administration Origins

Did you know the first USB Rubber Ducky was invented by Hak5 founder Darren Kitchen while working as a sysadmin? He was tired of typing the same commands to fix printers and network shares again and again, and the device evolved out of laziness. He programmed a development board to emulate the typing for him - and thus the keystroke injection attack was born. When it needed a case, a miniature bath time friend, the rubber ducky, was requisitioned.
The USB Rubber Ducky has been used in everything from massive social engineering exercises to provisioning fleets of corporate tablets and educational Chromebooks. If it can be done with a keyboard, it can be done with a USB Rubber Ducky.

Anatomy of the Duck

Before getting into deploying our first keystroke injection attacks, we should become familiar with the basics. The USB Rubber Ducky relies on 5 aspects of its design. Later in this chapter we'll explore its unique hardware attributes.

Payloads

Payloads describe to the USB Rubber Ducky what actions to take and come in many forms. Some provide means for exfiltrating data while others may create backdoors, inject binaries or initiate reverse shells on a target. Payloads are shared on forums and are simple to copy, paste and modify for your particular engagement.

Ducky Script

Ducky Script is the simple scripting language in which Payloads are written. Ducky Scripts can be authored in any standard text editor, such as Notepad on Windows, TextEdit on Mac, or Vim, Emacs, Nano, Gedit or Kate on Linux. Ducky Script files must be standard ASCII and cannot contain Unicode characters.

Duck Encoder

The USB Rubber Ducky doesn't read Ducky Script text files natively; rather, it expects a binary keystroke injection file. A Duck Encoder is a tool that converts a human-readable Ducky Script payload into an inject.bin file ready for deployment on the ducky. There are several open source, online and cross-platform Duck Encoders available.

inject.bin

inject.bin is the compiled version of the Ducky Script that must reside in the root directory of a Micro SD card inserted into the USB Rubber Ducky in order to be read and processed by the firmware. The inject.bin is created by the Duck Encoder.

Firmware

The firmware is the code running on the USB Rubber Ducky CPU which processes the inject.bin file, injecting keystrokes on the target device.

Hardware Overview

While the USB Rubber Ducky is disguised as an ordinary USB drive, under the hood it sports a formidable 60 MHz 32-bit AT32UC3B1256 CPU with 256K of onboard flash, a High Speed USB 2.0 interface, Micro SD card reader, micro push button, a multi-color LED indicator and a standard USB Type A connector.

Micro SD card reader

This reader supports FAT formatted cards up to 2 GB. The purpose of the interchangeable cards is to host the inject.bin payload files. These files are typically very small (usually only a few kilobytes) and thus many inexpensive Micro SD cards may be carried. Alternative firmware may also mount the Micro SD card as mass storage in addition to acting as a keyboard.
It is important to always safely eject the Micro SD card from the host computer to avoid damage.

Micro Push Button

This button is used to replay a payload. To replay a payload after initial connection and attack execution on a target computer, simply press the button once and the payload will re-deliver.

Multi-color LED Indicator

The LED will flash green when the payload is being executed, that is to say, when the USB Rubber Ducky is typing out the keystrokes encoded in the inject.bin file. The LED will light solid red if there is an error with the Micro SD, for instance if the inject.bin file has been encoded incorrectly, named incorrectly, or not located on the root of the Micro SD card, or if the SD card has been damaged or corrupted or is not seated properly.

Standard USB Type A Connector

For best overall support the USB Rubber Ducky uses a standard male USB Type A connector. This may be converted to newer USB Type C, older PS/2, or even Android OTG with a variety of ordinary USB keyboard adapters.

Generic “Thumb Drive” Case

The plastic case included with the USB Rubber Ducky serves to aid in social engineering, as it looks very similar to the regular “thumb drives” found as giveaways at most conferences and events. In fact, this particular design of case is so popular, you may already have a compatible metal swivel piece silk-screened with a company logo in your desk drawer.
The case snaps together with the metal swivel piece clipping onto the rounded joints. Squeeze the metal piece together to create a tight connection. To open the case, remove the metal swivel piece, then, using caution, insert a knife, paperclip or similar into the hole at the back of the case and gently separate the two halves.
If you have a 3D printer, you may be interested in the USB Rubber Ducky case featuring a button from http://www.thingiverse.com/thing:194826 (courtesy of Thingiverse user ffleurey).