I've made a video on the USB Rubber Ducky by Hak5 which can be found at the bottom of this article. But, I will also go into some depth in writing here.

So what exactly is the USB Rubber Ducky?

In short, the USB Rubber ducky is not actually a USB in the traditional sense. It is actually a keyboard as far as your computer is concerned. So the USB Rubber Ducky is a keyboard? As far as your computer is concerned, yes, it is in fact, a keyboard (HID). However, let's look at it more technically.

When the USB Rubber Ducky is plugged into your computer, your computer detects it as a keyboard. THIS is the vulnerability. Let's think about it for a moment, have you ever plugged in your keyboard and been asked: "May this device make changes to your computer?" Likely not. The USB Rubber ducky does not require user authentication to run. Now, this is where it gets fun. The USB Rubber ducky runs a script, meaning it is really typing on its own. The script is basically an instruction guide for the device. Press "ipconfig" then enter. So what can it do? The USB Rubber Ducky can do anything a keyboard can do, surprisingly enough there's a lot of keyboard shortcuts that allow for a lot of ingenuity with the USB Rubber Ducky. For example, GUI r which is the Windows key + R opens a run bar, and if you type cmd you'll open Command Prompt, etc.

Another example is GUI Y Which will accept any dialog box open, these are commonly seen when an application is requesting to run as Administrator. Very vital with certain commands. Thinking outside the box. The system admin is the limit with the USB Rubber Ducky. There's a ton you can do, including downloading payloads wrapped in .exe's, meant to convince the user it's harmless, or, quite honestly, you can run the .exe with the USB Rubber ducky by downloading it then executing it. There's no need to even have the user interact with the application later.

What are the limits? There are countermeasures to the USB Rubber Ducky if security protocols are good, restricting a user's access to resources, blocking open USB ports, etc. They are all viable countermeasures, furthermore, physical access is a huge limit. In order to even have the script run you need physical access, the computer must be unlocked, and you have to make it into the building in the first place. Once your past that, and some hopefully locked doors, you can look at computers. Penetration testing with the Rubber Ducky: I think the USB Rubber Ducky is a viable option in certain engagements, especially if physical access is an option. Social engineering will help a ton in this situation because obviously, you'll need physical access to the building. Once in you'll need to get access to a computer, so probably somewhere along the line, you'll need some good social engineering skills.

Conclusion: The USB Rubber Ducky is overall a great tool and has a lot of capabilities. The Bash Bunny by Hak5 also has a lot of potential but I have yet to try it out when I do you can expect some videos though :)

Start learning with Cybrary

Create a free account

Related Posts

All Blogs