USB Rubber Ducky

The Duck is a USB thumb-drive lookalike with a secret — the hardware is really a micro-controller with a microSD Card interface.  The device can act as any kind of USB slave, with a program or script fed to it via the SD card.  The default personality for the Rubber Duck is a a USB keyboard.  Plug it in, and it will type keystrokes generated via a script file.

The Duck is one of those hacking tools with both good and evil uses.  On the ‘good’ side, it can be used for automatic entry of complex commands in an environment where centralized computer management is difficult.

On the evil side, it can be used to immediately pop up a command shell and type malicious commands, execute scripts (e.g. powershell scripts) and install and execute software (bypassing UELA on Windows). There are lots of scripts available on the net, so using them is quite simple. It’s even possible to add a few lines to your script to “see” if the new “keyboard” is detected by the OS and keyboard input (actually next script lines) are accepted by the OS.

Keystrokes themselves can be pretty dangerous, beyond just using built-in commands.  I’m finding the Duck particularly interesting because it bypasses many kinds of protection: USB Mass Storage can be disabled, Autorun can be disabled, and the Duck will still work.  Who locks their machine down enough to prevent a new keyboard from being plugged in?  I’m also becoming curious about Host OS fingerprinting: could a USB Slave device such as the Rubber Duck determine what kind of host it’s plugged into, based on the USB setup and queries it receives?  If so, the Duck could be programmed to be a universal system hacker, with separate payloads for Windows, Linux, Solaris, etc, running the script based on the system it was plugged into.

Last but not least there are dozens of pages describing how to build your own “Rubber Ducky” USB device if you have a USB stick with the right NAND chipset.

Keep this in mind the next time you find an USB stick outside and think about attaching it to your PC to see what’s on it …

Regards, M.