Wireless Ducky - Both a recommendation and a question (I hope Darren's reading)

[this-is-me]

One commonly recommended prevention from attacks from a USB Rubber Ducky or similar HID device is simply to lock your computer when you are away from it. I've heard @hak5Darren make this statement on one of the episodes. This got me to thinking about an alternative attack, and a possible upgrade to the Ducky hardware.

The recommendation of locking your PC makes sense, as an attacker does not generally have access to changing settings from within the lock screen. On this note, let's say the victim leaves his computer locked while he visits the bathroom. Imagine how easily a Wireless Ducky could allow the attacker to own his victim's PC. The attacker plugs into the victim's PC a micro 2.4ghz USB keyboard receiver​, like the one pictured below this keyboard:

This attack assumes that the keyboard receiver is one that is already paired to the keyboard, like the cheap ones from Chinese eBay sellers are. A computer or a teensy is ready on command to act as the paired keyboard and send the keys to this wireless receiver. By the time the victim returns to his computer, the drivers for this micro receiver are already installed. The victim doesn't notice a hardly visible 1/2cm device sticking out of a USB port, and unlocks his PC as normal. A VERY short diversion is staged, like someone spilling a glass of water. When the victim looks away from his unlocked screen, a button is pressed on a remote device, which begins the wireless HID payload execution. The person performing the diversion apologizes profusely, and maintains the victim's gaze for as long as the payload is executing (the payload is designed for speed, such as a simple reverse shell). Once the victim glances back, his PC has been pwned, and he's unaware of it. He's done everything he should except looking away while his PC is unlocked, and he still was pwned.

In this scenario, I still don't know the best way to remove the micro receiver from the victim PC.

Such an attack could also be useful when physical access to the PC is time-delayed from when an attack is necessary. I could imagine a pentesting "janitor" planting a micro dongle early before a corporate user logs in, then when the actual attack takes place later, there was no clear physical access by the attacker during that time (in case someone reviews security cameras). While I realize there are other more realistic options with physical access, like a hardware keylogger, I think this could be another tool in the arsenal.


This brings up two possibilities:

(A) Hardware upgrades to make a nano-receiver, wireless, battery powered pocket-ducky. The pocket ducky could even have separate buttons for 2-3 discrete payloads. One would lose the ability to do twin duck firmware on a WiDuck, but gain the ability to remotely attack (within 10m).
(B) Using an SDR to intercept and replay keys/key combos from an existing micro dongle/keyboard, like the ones you can get from eBay for $12 or less (example)

In the case of (B), it actually opens up a world of interesting pentesting attacks, since high level executives may already have wireless keyboards. With enough time, you could create a specialized attack using ducky methods and the company's existing hardware to pwn an executive. With a "utility van" and a nice antenna, you may not even need physical access to the building! KeySweeper already does the keylogging portion of this; Imagine sending ducky commands to random wireless keyboard receivers around the building.

If (B) were to be done, I would have an issue, as I am clueless about SDR and replay attacks. What tools/software/hardware would be needed, especially to convert a ducky script into a replayable radio signal?

Really, I'm just trying to get the ball rolling here since I could imagine the possibilities, but have very few skills that could make this happen.

[overwraith]

I don't see why it wouldn't be possible, other than probably not having the libraries in place to do it. Teensy and Arduino are probably good microcontrollers to start prototyping on. You also might need a usb protocol analyzer. If it is possible to hook up to a generic usb wifi/bluetooth dongle with a teensy you need not necissarily recollect your wireless dongle you used in the attack. They are typically cheap, and provided you get resold dongles, or purchase with pre-paid cards, and from seldom used manufacturers it would probably be pretty much untracable. There are wifi breakouts, as - well as bluetooth ones. Depending on which microcontroller you use you just have to make sure your microcontroller reasonably supports both.

[basic4]

Did this around a year back. Works just like a ducky only via wifi. I wrote a control app and script parser in C#, one in android (very useful) and another in Python. Since the 'controller' sends the keystrokes, interactive scripts are possible. Built 3 prototypes (differing hardware) but the smallest is the best.

 

 

[basic4]

Details available on https://github.com/basic4/WiDucky