Wifi duck?

GraafG · September 4, 2016

http://hackaday.com/2016/09/03/software-usb-on-the-esp8266/

basic4 · September 17, 2016

It's a good solution. Although I built a wifi ducky based on arduino boards and the ESP8266, since combining both gave the possibility of full speed USB and multiple end points. I built prototypes and used these until I found the 'Cactus Micro' , which is a combination of a Leonardo and ESP8266. Wrote various controllers for Python, .NET and Android. Works well. Since the Atmel chip is recognized as both a HID device and a Serial port, You can (via a script) run command prompt in a windows target, and return the output of the script (via serial) to the duck and then on back to the attacker machine! Can supply the code if you're interested.

basic4 · September 17, 2016

It's all here https://github.com/basic4/WiDuck

GraafG · September 25, 2016

Thank you basic4!!!

The url is missing a y :

https://github.com/basic4/WiDucky

youretheone · December 7, 2016

I'm new to this and want to make sure I understand, please - you're using the Cactus to inject the same password-capturing commands as the Ducky, just over wifi instead of by direct USB fake-keyboard entry? So you can enter them at your leisure instead of having to distract the user for 15 seconds?

I was trying to think how this would be useful, and if I understand the basic concept, it makes sense - you could plant the Cactus when the computer is turned off (possibly after hours when no users are around, minimizing chances of detection), wait for them to walk away and lock their screen, then run the Ducky Script over wifi? That way there's much less chance of them seeing the powershell window, and you can retrieve the Cactus later when no one's around again.

Have I got this right, or am I misunderstanding something critical? :) Thanks!

youretheone · December 7, 2016

(Sorry, I don't mean "run the Ducky Script", I mean "run the powershell commands the Ducky Script would run".)

basic4 · December 15, 2016

Hi

1. No ducky will work when a machine is locked. That's one of their limitations.

2. Yes - the WiDucky can just sit there and do nothing until you connect to it over WiFi - and send keystrokes.

Basic4.

basic4 · December 15, 2016

See the following projects I've built around the Ducky HID attack..

https://github.com/basic4/WiDucky - Wifi Ducky with windows/Python/Android controllers.

https://github.com/basic4/USB-Rubber-Ducky-Clone-using-Arduino-Leonardo-Beetle - A basic ducky with microSD for under $10.

Basic4.

Edited December 15, 2016 by basic4

youretheone · December 18, 2016

Hi basic4! Thanks for responding! Apologies, I'm confused (and a newbie)...I thought the whole point of a ducky was that they plugged into computers when the user was still logged in, but had locked the screen. Is that wrong? Thanks!

basic4 · December 18, 2016

Hi - A ducky only works if the user IS logged in AND the screen isn't locked.

Using a ducky requires that the user has walked away from the target machine without locking it. Or if you can distract the user from the screen for the amount of time needed to insert the ducky and run its script.

When a machine is locked, can you use the keyboard? (except to login) - No you need the password - which we don't know.

So a Ducky is just a tool to type commands very quickly - that's all.

Regards,

Basic4.

zibri · December 23, 2016

I have a question about the serial port used as exfil channel.

Does it require some specific drivers enabled on the victim machine?

I am referring to this [1]

This command batch file allows feedback from the target Windows machine to be sent.
If the Widucky types 'remrec4.bat dir/w', the batch file executes the the 'dir/w' command
and sends the output of the command to the WiDucky serial port.
The output is then returned via wifi to the controller application and displayed remotely.

(*This requires the Arduino drivers to be loaded on the target machine.)

From my understanding, if the target machine doesn't have those drivers previously installed, the exfil channel will not work. Thus we will not be able to have an interactive (sort-of) remote shell. Am I right?

[1] https://github.com/basic4/WiDucky/blob/8ce8d217040448bf7b654c1eab4eae5da5596767/Test-Scripts/Remrec-Script/readme

Edited December 23, 2016 by zibri

basic4 · December 23, 2016

Hi Zibri - Yes. You'd need to install the serial drivers via a script (powershell etc) to get full 2-way communication.

zibri · December 23, 2016

Yeah right!

Maybe wouldn't be easier to have it running automatically at the boot (e.g. rc.local in a Linux OS) once the widucky is inserted?

However, this will also requires the victim machine to be able to reach internet and hope the attacker's webserver (i.e. where those drivers are located) is not blacklisted.

P.S. Can you provide an example of drivers needed. I would like to create a Powershell one-line script to try install them.

Thanks!

youretheone · December 23, 2016

Thanks for clearing that up basic4! I don't know where I got that misconception from. :)

Sign In

Wifi duck?

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Join the conversation

Recently Browsing 0 members