Intro to the USB Rubber Ducky

May 11, 2017 | Views: 14605

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

I’ve made a video on the USB Rubber Ducky by Hak5 which can be found at the bottom of this article. But, I will also go into some depth in writing here.

So what exactly is the USB Rubber Ducky?

In short, the USB Rubber ducky is not actually a USB in the traditional sense. It is actually a keyboard as far as your computer is concerned.

So the USB Rubber Ducky is a keyboard?

As far as your computer is concerned, yes, it is in fact, a keyboard (HID). However, let’s look at it more technically. When the USB Rubber Ducky is plugged into your computer, your computer detects it as a keyboard. THIS is the vulnerability. Let’s think about it for a moment, have you ever plugged in your keyboard and been asked: “May this device make changes to your computer?” Likely not. The USB Rubber ducky does not require user authentication to run.

Now, this is where it gets fun. The USB Rubber ducky runs a script, meaning it is really typing on its own. The script is basically an instruction guide for the device. Press “ipconfig” then enter.

So what can it do?

The USB Rubber Ducky can do anything a keyboard can do, surprisingly enough there’s a lot of keyboard shortcuts that allow for a lot of ingenuity with the USB Rubber Ducky. For example,  GUI r which is the Windows key + R opens a run bar, and if you type cmd you’ll open Command Prompt, etc.  Another example is GUI Y Which will accept any dialog box open, these are commonly seen when an application is requesting to run as Administrator. Very vital with certain commands.

Thinking outside the box.

The system admin is the limit with the USB Rubber Ducky. There’s a ton you can do, including downloading payloads wrapped in .exe’s, meant to convince the user it’s harmless, or, quite honestly, you can run the .exe with the USB Rubber ducky by downloading it then executing it. There’s no need to even have the user interact with the application later.

What are the limits?

There are countermeasures to the USB Rubber Ducky if security protocols are good, restricting a user’s access to resources, blocking open USB ports, etc. They are all viable countermeasures, furthermore, physical access is a huge limit. In order to even have the script run you need physical access, the computer must be unlocked, and you have to make it into the building in the first place. Once your past that, and some hopefully locked doors, you can look at computers.

Penetration testing with the Rubber Ducky:

I think the USB Rubber Ducky is a viable option in certain engagements, especially if physical access is an option. Social engineering will help a ton in this situation because obviously, you’ll need physical access to the building. Once in you’ll need to get access to a computer, so probably somewhere along the line, you’ll need some good social engineering skills.

The USB Rubber Ducky is overall a great tool and has a lot of capabilities. The Bash Bunny by Hak5 also has a lot of potential but I have yet to try it out when I do you can expect some videos though 🙂

Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
1 Comment
  1. Sounds cool , but it’s pretty hard to find tho

Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?