Search…
Getting Started
The Ducky Script Language
Guides
Writing your First Payload
Writing a successful payload is a process of continuously researching, writing, encoding, testing and optimizing. Oftentimes a payload involves re-writing the ducky script, encoding the inject.bin and deploying the payload on a test machine several times until the desired result is achieved. For this reason it’s important to become familiar with the payload development process and encoding tools.
Defining our Objective
In this example, we’ll assume that steps 0-2 (pre-engagement interactions, reconnaissance and targeting) have resulted in an objective of: Type the historic “Hello World” words into the Windows notepad program. How devious!
Research
If our payload is to type “Hello World” into Windows notepad, we must first figure out the best way to open that program using just the keyboard. On Windows there are a variety of ways to open notepad. On modern versions one may press the GUI or Windows key and begin typing “notepad” and pressing enter.
While this may suffice, our objective hasn’t specified the version we’re targeting - so we’ll want to use a technique with the widest possible support. Older versions of Windows don’t include the ability to search programs from the start menu just by typing. All versions since Windows 95 however include the keyboard combination Win+R. This powerful shortcut opens the Windows Run dialog, which states “Type the name of a program, folder, document or Internet resource, and Windows will open it for you.”
Since notepad.exe resides in c:\windows by default, we could simply type “c:\windows\notepad.exe” then press enter and the notepad application would open. On most machines it only takes a brief moment for the small program to open, and when it does it will be the active window. Keep this in mind, because we will always be typing into the active window, and anytime we change a GUI element we must wait for the computer to respond. It may seem like notepad opens instantly to us humans, but to a computerized keyboard that types over 9000 characters per minute, that millisecond counts.
Finally, with the notepad application open we should be able to simply type the words “Hello World”.
From our target test machine, be it a Windows Virtual Machine or bare metal, test this theory by manually entering in what we’ll later instruct the USB Rubber Ducky payload to type. Does it work? Great! Let’s move on to writing the Ducky Script.
Write
Since Ducky Script can be written in any standard ASCII text editor, open your favorite - be it gedit, nano, vi, emacs, or even notepad (how ironic in this case?). Don’t worry - I won’t judge you for using vim.
We’ll begin our payload with a remark, a comment stating what the payload does, it’s intended target and the author. This won’t be processed by our duck encoder later on, but it will be helpful if we ever share this payload with the community.
1
REM Type Hello World into Windows notepad.
2
REM Target: Windows 95 and beyond.
3
REM Author: Darren
Copied!
Our next line should delay for at least one full second. The purpose of this delay is to allow the target computer to enumerate the USB Rubber Ducky as a keyboard and load the generic HID keyboard drivers. On much older machines, consider a slightly longer delay. In my experience no more than three seconds are necessary. This delay is important since the USB Rubber Ducky has the capability of injecting keystrokes as soon as it receives power from the bus, and while USB is capable of receiving the keystroke frames, the operating system may not be ready to process them. Try plugging in a USB keyboard into any computer while jamming on the keys and you’ll notice a moment is necessary before any interaction begins.
1
DELAY 1000
Copied!
Next we’ll issue our favorite keyboard combination, Windows key + R to bring up the Run dialog.
1
GUI r
Copied!
Typically the Run dialog appears near instantly to us humans, however to a USB Rubber Ducky with a clock speed of 60,000 cycles per second, that instant is an eternity. For this reason we’ll need to issue a short delay - perhaps just one tenth of a second.
1
DELAY 100
Copied!
Now with the Run dialog as the active window we’re ready to type our notepad command.
1
STRING c:\windows\notepad.exe
Copied!
The
STRING command processes the following characters case sensitive. Meaning STRING C will type a capital letter C. Obviously our keyboards don’t have separate keys for lowercase and capital letters, so our payload actually interprets this as a combination of both the SHIFT key and the letter c - just as you, the human, type. It’s nice to know that the STRING command handles this for you. It does not however end each line of text with a carriage return or enter key, so for that we’ll need to explicitly specify the key.1
ENTER
Copied!
As before whenever a GUI element changes we’ll need to wait, albeit briefly, for the window to appear and take focus as the active window. Depending on the speed of the computer and the complexity of the program we’ll want to adjust the delay accordingly. In this example we’ll be extremely conservative and wait for a full second before typing.
1
DELAY 1000
Copied!
Finally with notepad open and set as our active window we can finish off our ducky script with the historic words.
1
STRING Hello World
Copied!
At this point our text file should look like the following:
1
REM Type Hello World into Windows notepad.
2
REM Target: Windows 95 and beyond.
3
REM Author: Darren
4
DELAY 1000
5
GUI r
6
DELAY 100
7
STRING c:\windows\notepad.exe
8
ENTER
9
DELAY 1000
10
STRING Hello World
Copied!
Save this text file as
helloworld.txt in the same directory as the duck encoder.Encode
While ducky script is a simple, human readable format easily modified and shared, it isn’t actually processed by the USB Rubber Ducky. Rather, the
inject.bin is derived from it using an encoder. A number of open source Ducky Script encoders exist, with the easiest and most recommended version being the official JavaScript Ducky Encoder from Hak5. This simple HTML file runs online or offline in any modern browser.
- 1.
- 2.Open the
jsencoder.htmlfile in a web browser supporting Javascript - 3.Enter your Ducky Script in the main text area
- 4.Click Generate Payload
- 5.Click Download Payload
Test
With the ducky script encoded into an
inject.bin file, we’re ready to test the payload. Copy the inject.bin file to the root of the Micro SD card. Insert the Micro SD card into the USB Rubber Ducky. Now sneak up to the target test machine and plug in the USB Rubber Ducky.The first time you ever plug the USB Rubber Ducky into a computer it will take a moment, typically just a second, to enumerate it as a HID keyboard and load the generic drivers. For this reason we’ve added a one second delay to the beginning of our payload. If the test is not successful on the first attempt, it may be because the target test machine has not yet successfully loaded the generic keyboard drivers. To replay the payload, press the button or unplug and replug the USB Rubber Ducky. This test payload should be successful against all recent versions of Windows.
If the test were unsuccessful, note where things went awry and tweak the ducky script accordingly. Re-encode the inject.bin file, copy it to the Micro SD card (replacing the current file) and re-test.
Lather, rinse, repeat as necessary.
Optimize
With our Hello World payload successfully running against our target test machine, we’re ready to optimize, and optionally obfuscate. This process is covered in greater detail later. Suffice it to say, in this example we can speed up the payload by reducing the number of keystrokes quite easily. Since notepad is an executable we may omit the
.exe part of the STRING command. Likewise, since notepad by default resides in a path directory (c:\windows) we can also omit this part of the STRING command as well. Our new STRING command should be the following:1
STRING notepad
Copied!
At this point we’ve successfully researched, written, encoded, tested and optimized our simple “Hello World” payload. It’s now ready for deployment!