USB Rubber Ducky — Basic Use Case Scenario
“Humans use keyboards. Computers trust humans.”
DISCLAIMER: As with the rest of the information I provide within my blog, this is to be used for educational or private purposes only. The use of the methods detailed below may be illegal to perform on equipment that is not your own or you have not received consent to tamper with.
“The USB Rubber Ducky is a Human Interface Device programmable with a simple scripting language allowing penetration testers to quickly and easily craft and deploy security auditing payloads that mimic human keyboard input.”
Put simply, it is a scriptable keyboard. You can plug it into a USB port and it will automatically run the configured script after the HID driver has installed. What’s so special about this? Well, this thing “types” at an inhuman rate and allows a pen-tester to quickly compromise a system as if they were sitting down and typing it themselves. Here’s an example:
You notice someone leave their computer unattended so you go check it out. When you open PowerShell with administrative privileges and click yes, it doesn’t fuss. Now you have to type out some commands to expose the system, download an exploit from a remote location, and run it. That would get you access to their system and it would be compromised… But they just got back from the bathroom and caught you on their system. Bummer. Too bad you didn’t just use a USB Rubber Ducky!
Now, I won’t be getting into the scripting too much for this little device (that can be explored here) but the example below ought to be somewhat self-explanatory.
REM The next three lines execute a command prompt in Windows
- Using “REM” leaves a remark in the script.
- “GUI” is the Windows or Command key.
- “STRING” types the text that follows on the same line.
- “ENTER” presses the Enter key.
Most of the other commands are pretty logical as well, like ALT, CTRL, etc. With this knowledge, let’s jump right into the thick of it and “manually” disable the Windows 10 anti-malware service (Windows Defender).
Disabling Windows 10 Defender with a USB Rubber Ducky
Now that Windows comes with anti-malware capabilities baked in, we’ll need to shut Defender off to make our target an easy… target. Keep in mind, the key presses in my script will only allow this to work on a Windows 10 target while an Administrative account is logged in. Other OSes will use a different method to access their security settings and without Administrative privileges, you might have to provide credentials to turn Defender off. With the Rubber Ducky, we can use the code below to easily shut off Windows Defender.
REM Disable Windows Defender (Win10)
REM Written by Anthony Dahmane
REM Initial delay to allow the keyboard to be detected.
REM Open Start Menu and go to Settings.
REM Go to the very last option in the menu (Update & Security).
REM Go to Windows Defender.
REM Toggle the service to off.
REM Close the window.
If you’re on a Windows 10 system, you can follow along with the script and see if it works. The clusters of DOWNARROW and RIGHTARROW presses are there to ensure the correct selection in the settings menu regardless of window size or resolution. There’s most likely a better way to perform this, but this worked on three separate systems so it’ll do for now. In the tiny picture below, you can see what happened after I inserted the USB Rubber Ducky into my system.
With Defender turned off, the system will no longer proactively defend against threats. This leaves us a gateway of opportunity for running various attacks against this system. Check out my upcoming posts for ideas on where to go from here! Oh, and HUGE shoutout to Hak5 for being so cool, producing amazing educational content, and for selling such useful gear.
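Seen from the defending side, the two traits this post relies on (a keyboard that starts typing shortly after its HID driver installs, and at an inhuman rate) are exactly what endpoint telemetry can key on. The Python below is an added example, not part of the original post or any Hak5 tooling; the event format, device names and thresholds are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Assumed thresholds (not from the post); tune them against your own telemetry.
MAX_GAP_MS = 30            # sustained gaps this short are faster than hand typing
MIN_RUN = 20               # consecutive fast keys needed to call it a burst
ATTACH_WINDOW_MS = 10_000  # a burst this soon after enumeration is more suspicious

def bursts(times, max_gap=MAX_GAP_MS, min_run=MIN_RUN):
    """Return (start_ms, end_ms, key_count) for each run of fast keystrokes."""
    found, start = [], 0
    for i in range(1, len(times) + 1):
        # A run ends at the last event or when the next gap exceeds max_gap.
        if i == len(times) or times[i] - times[i - 1] > max_gap:
            if i - start >= min_run:
                found.append((times[start], times[i - 1], i - start))
            start = i
    return found

def score_devices(attach_ms, key_events):
    """attach_ms: {device: HID enumeration time}; key_events: [(device, time_ms)].
    Returns {device: [(start, end, count, soon_after_attach)]} for flagged devices."""
    per_dev = defaultdict(list)
    for dev, t in key_events:
        per_dev[dev].append(t)
    report = {}
    for dev, times in per_dev.items():
        attached = attach_ms.get(dev)  # None when the attach time is unknown
        hits = [(s, e, n, attached is not None and 0 <= s - attached <= ATTACH_WINDOW_MS)
                for s, e, n in bursts(sorted(times))]
        if hits:
            report[dev] = hits
    return report

# Constructed sample telemetry (hypothetical device names, not a real capture).
SAMPLE_ATTACH = {"kbd-builtin": 0, "kbd-usb-new": 60_000}
SAMPLE_EVENTS = (
    [("kbd-builtin", 1_000 + 140 * i + (i % 5) * 25) for i in range(40)]  # hand typing
    + [("kbd-usb-new", 62_000 + 4 * i) for i in range(60)]                # 4 ms gaps
)

if __name__ == "__main__":
    for dev, hits in score_devices(SAMPLE_ATTACH, SAMPLE_EVENTS).items():
        for start, end, count, soon in hits:
            print(f"{dev}: {count} keys in {end - start} ms, soon after attach: {soon}")
```

On the sample data only the newly attached keyboard is flagged; the built-in keyboard's hand-typed gaps never stay under the threshold long enough to form a burst.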
“With great power comes great responsibility.” — Ben Parker (or maybe Voltaire)