Some days ago, with a colleague, i’ve talked about the real usefulness of USB hardware locks on critical clients/servers.
USB Locks are tools that allows to completely avoid the use of USB ports using a simple padlock.
Well, in my opinion it is not a bad idea: a lot of threats are related to USB, concern not only the data contained into the USB flash disk, but also the USB device itself.
What is a USB Rubber Ducky and how is it used?
A USB Rubber Ducky is a keystroke injection tool created by HAK5 that looks like a simple USB flash drive, but it tells the OS that it is a 03h (human interface) device, so the OS to respond as if it is a simple human interface device.
The computer inherently trusts input generated by humans, so almost every OS will trust any HID by default and automatically acquire the drivers necessary to mount the device: once mounted is recognized it as a regular keyboard and accept pre-programmed keystroke payloads at over 1000 words per minute.
The payloads, crafted using a scripting language, can be used to drop reverse shells, inject binaries, brute force pin codes and many other automated functions.
The USB Rubber Ducky is a great tool for the penetration tester, but also for and systems administrator.
However, a downside to USB Rubber Ducky might be its slow functionality on certain operating systems: in some machines it may take 5 seconds to load the drivers, in others maybe longer than 60.
The time needed to deliver the payload is related to how fast the machine can handle keystrokes: this could becomes a bummer during real penetration testing scenarios where you are required to enter the office physically, because the variety of machine setups can be drastically different.
The Rubber Ducky is programmed using a really simple scripting language, named Ducky Script: each command is on a new line, and using key shortcuts and terminal commands, it’s possible to achieve specific actions with relatively little code.
A good tutorial for Rubber Ducky configuration is available here.
A DYI Rubber Ducky?
Yes, “It could work”!
With a fast search on google, comes up a lot of interesting tutorials.
More extreme, in this article, Anton Zhukov explains how some models of simple USB Flash Drive can be turned in a USB Rubber Ducky.
How prevent a Rubber Ducky attack?
First, it is important to only use USB drives that you trust completely!
DuckHunt is a small efficient script that acts as a daemon consistently monitoring your keyboard usage (right now, speed and selected window) that can catch and prevent a rubber ducky attack. (Technically it helps prevent any type of automated keystroke injection attack, so things like Mousejack injections are also covered.)
References and further readings
- The last attack technique: malware through letterboxes!
- Load & Use Keystroke Injection Payloads on the USB Rubber Ducky
- Duck Toolkit NG
- EvilOSX on GitHub
- Building a USB Rubber Ducky for $7
- Turning a Regular USB Flash Drive into a USB Rubber Ducky
- DuckHunt on GitHub