The pen…drive is mightier than the sword. The rubber ducky, first conceptualised and popularised by Darren Kitchen from hak5 is a USB keyboard emulator. It gives the wielder of this device unlimited power, at least on computer systems. The emulator injects keystrokes into the victim’s machine with unprecedented speed and precision. The right combination of keystrokes will do great but unspeakable things.
The USB rubber ducky https://shop.hak5.org/products/usb-rubber-ducky-deluxe currently sells for $49.99 which is a reasonable price and I would highly recommend purchasing one to support Hak5. However, if for some reason you are unable to get hold of one then pick yourself up a CJMCU virtual keyboard. You will also need a micro SD card, a micro SD card reader, a rubber duck and a coffee.
Installing the Arduino Integrated Development Environment
Once you have your coffee and your CJMCU you will need to download and install the Arduino integrated development environment. This can be download from the Microsoft Store if you are using Windows or you can get it from their website if you are using linux. https://www.arduino.cc/en/guide/linux
Next you will need to get Duckduino from Seytonic’s github repository.
Uploading the .ino Script
The next thing to do is insert your CJMCU into a USB port and launch the Arduino IDE. Before going any further, you may need to check that the right board and COM port is selected. Both of these can be configured from the tools menu. Since the CJMCU board is a clone of the Leonardo board that’s the board I selected from the boards menu.
Next you will need to copy the contents of the Duckduino-microSD.ino file into the Arduino sketch. Then use the upload button to push the new sketch to the CJMCU board. This is the functionality that allows the CJMCU to impersonate a keyboard. This is what allows it to act like the USB Rubber Ducky we all know and love. After a bit of time the upload will complete, and the device is almost ready to go. The only thing missing is a payload.
Loading the Payload
There is a huge repository of ducky payloads on the git hub repository https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads. Find the payload you want, I suggest starting with something easy like the Open Webpage, Any Platform payload. Copy the contents of the script to a text file and make the modifications to tailor it to your liking (may I suggest https://www.youtube.com/watch?v=oHg5SJYRHA0). Save it as script.txt or whatever you have set the String DEFAULT_FILE_NAME = “script.txt”; value to in the ino file uploaded to the CJMCU. Finally, copy the script.txt file over to your microsd using your microsd card reader. Your knock off USB Rubber Ducky is now ready to prank unsuspecting victims.
While the USB Rubber Ducky is primarily associated with hacking and penetration testing, it is a powerful automation tool that can be used for a wide range of tedious tasks. For instance, imagine if you needed to install software or make configuration changes on multiple air gapped machines. You could write a script that automates this process for you.
While you’re here why not check out some of my other articles. I am currently going through the Starting Point on Hack The Box and have write-ups for Archetype, Oopsie, Vaccine, Shield, Pathfinder, Included and Markup.