[Info] Long Live the Duck - a one-year follow-up

[Darren Kitchen]

A lot has happened since we first introduced the USB Rubber Ducky hardware a little over a year ago. We excelled in some areas, fell flat in others, and over time with the help of the community come close to where the project should be.

First, a little background. The USB Rubber Ducky concept is quite simple - violate the inherent trust the computer has in the human. If you can gain physical access to a machine, even for just a few seconds, you should be able to inject a payload at extreme speed using just keystrokes. This is done with relative ease given the fact that all computers, since the beginning, have trusted keyboards as they represent human input. The USB HID class allows us to mimic a keyboard while injecting preprogrammed keystrokes.

The project started as a proof of concept using a development board called the USB Teensy. This small Arduinio clone could perform a HID attack, as demonstrated on early episodes of Hak5. Darren shared his USB Rubber Ducky prototype off to IronGeek at Shmoocon 2010 and a month later the cat was out of the bag. IronGeek recreated the attack using the Teensy and demo'ed it, crediting Hak5, at OuterZone in March. That month the USB Rubber Ducky prototype was demoed on Hak5 and a development team was kickstarted by sending 100 boards to developers around the world.

Based on feedback from these developers we came to a few conclusions. In order for the USB Rubber Ducky to be a success we needed to make it simple. Rather than program and flash a device using C code, we developed a scripting language which could be written in standard text files. A cross-platform program would convert the text file into a binary to be moved onto the root of a micro SD card. With the micro SD card inserted into the USB Rubber Ducky the HID attack was ready for deployment. To further the enhance the USB Rubber Ducky as a covert HID attack tool it was fitted with a generic USB flash drive case. The custom hardware USB Rubber Ducky was born.

The first generation USB Rubber Ducky wasn't without some serious issues to overcome. The small batch PCB assembly was at such a high cost that the initial retail release was $80 - three times that of an adequately equipped teensy. The latch holding the microSD card could inadvertently spring open in use. The firmware was only able to attack Windows targets, and the ducky script encoder only supported US keyboards. The later was a huge oversight by the US-centric development team. To make matters worse, licensing issues encumbered the timely open sourcing of the firmware.

What had started as a modest hardware project turned out to be a nightmare. Developers were unhappy with the lack of source code, the high price and the compatibility problems. The ducky team tried several firmware fixes only to fall flat and waste time. Eventually the licensing restrictions were overcome and the source code was produced on github.

Since then the promise of community development has shown its power. One developer in particular, Midnight Snake, took on two of the most challenging issues -- cross platform compatibility and international language support. During this time Hak5 worked on several hardware revisions of the USB Rubber Ducky, replacing the faulty microSD card latch with a slot and finding ways to lower the costs of production.

So far there have been four hardware revisions. The first (black) debuted at $80 while between the second (red), third (white) and currently fourth (green) the hardware has finally come down to half the cost as it was at launch.

Furthermore several enhancements have been made to the way payloads are generated. At first a wiki and forum were setup to share payloads. Several have been shining examples of the USB Rubber Ducky's power - like the four line wget & execute from PowerShell by Mubix, or the Windows 7 backdoor and 15 second reverse shell.

To simplify payload writing process several of the most popular payloads have been adapted to the online generator at usbrubberducky.com. Simply fill in the blanks, click generate and receive a bin file ready for use on the USB Rubber Ducky.

Android hacking has also debuted. Following the introduction of Kos' (kos.io) P2P-ADB attack, and the subsequent Micro-to-Micro OTG or "Kos Cable" we made him, we're excited to publish a few useful Android payloads. The first enables developer mode and USB debugging, perfect for use with Kos' P2P-ADB attacks, while another simply adds an open WiFi access point to the device so Android can more easily be friends with the WiFi Pineapple.

A tremendous amount of progress has been made over the last year and it's thanks in most part to the USB Rubber Ducky community who has continued to support the platform. With a lot of the bugs worked out, costs reduced and process made even more simple we're very excited to see what's in store for the next generation of the USB Rubber Ducky.

[no42]

Its been hard. Nice to know there is continued interest in this project.

I would like to mention Dnucna's hard work at an alternative encoder, which made supporting other languages much easier than my hacky encoder code PoC's. But we still need people from other countries to play with Dnucna's Encoder to help generate other language files.

I mainly took interest in the platform, because of the unique form-factor (can look like a proper USB, without soldering/taping/connecting addons) and that it can be applied in other areas. Like bypassing device-control, where I personally have had a lot of fun :)

My Main Targets for next year:

• Improve Composite HID & Mass Storage Release (I have released demos, but they are limited)
  
• Provide more documentation and examples (In the works)
  
• Possibly attempt rotating VID & PID (if this can be done on avr???) in an attempt to circumvent Device Control without re-flashing the Ducky
  

Possible Alternative Firmwares (sub-projects):

• Have Mouse commands; though its reliability may be questionable due to various screen sizes may make it difficult to be constructive, rather than just a prank for the end user.
  
• Yubikey Support / Clone.
  

--Snake

Edited December 30, 2012 by midnitesnake

[Espike845]

I just received my first duck today. Thank you to everyone involved in helping this project succeed. I look forward to making my own contributions soon.

[Neworld]

I'm very interested in projects like these, but most of the conversation's are over at the Jasager forum.... I'm thinking there should be a collective forum category that displays all new content from every category of hak5 forums. Any thoughts? This would help boost new/old projects and save the inconvenience of switching between them all.

[--nick--]

Can you make a new ducky which has internal storage added?

[PineDominator]

Can you make a new ducky which has internal storage added?

What would be better is a windows and or linux app that organizes payloads and does all the commands to upload to the sd card, no offence but loading payloads the current way is just as cumbersome or worse than using a gui (arduino) and a teensy. There is also an anoying bug where java needs to be added to some setting inside dos, having an app to fix common issues would be cool:-)

[overwraith]

What would be better is a windows and or linux app that organizes payloads and does all the commands to upload to the sd card, no offence but loading payloads the current way is just as cumbersome or worse than using a gui (arduino) and a teensy. There is also an anoying bug where java needs to be added to some setting inside dos, having an app to fix common issues would be cool:-)

I was looking into making an android app that I could just select the payload from the development files on my SD card, but that quickly fell through when I couldnt find any RTF file support in android. It would be cool if we (the community) could make android gui/friendly compiler, because that would mean you could compile from your phone or tablet. Would mean mobile payload selection.

YAY, someone mentioned my SAM payload improvement on the web show!!!

Edited December 6, 2012 by overwraith

[Darren Kitchen]

I'm very interested in projects like these, but most of the conversation's are over at the Jasager forum.... I'm thinking there should be a collective forum category that displays all new content from every category of hak5 forums. Any thoughts? This would help boost new/old projects and save the inconvenience of switching between them all.

Over the years this forum has seen a lot of action in various categories. To get a view of what's going on click "View New Content" at the top, or follow this link: http://forums.hak5.org/index.php?app=core&module=search&do=viewNewContent&search_app=forums

Can you make a new ducky which has internal storage added?

Midnight Snake just posted his POC Composite firmware, which does just this. Alternatively a second USB drive can be plugged in, or both can be plugged into a hub.

Initially the project goal was to just be a keyboard. We did a lot of USB Mass Storage hacking with the USB Switchblade and from that security vendors, and even OS vendors *cough* Microsoft *cough* wised up and patched the hole. There isn't much you can't do with a keyboard that you could do with storage. The reverse shell injection payload is a great example of this.

[shoeless89]

Thanks for everything you guys at do Hak5 and the community as a whole!