[Question] How long of a delay for first type runs?


DrDinosaur
Solved by no42

Hello. I was wondering what delay you should give the rubber ducky when you need to run it on a completely new machine. I'm doing a science fair project on this and I was wondering what a good delay at the start of a script would be to allow installation of the drivers. After the drivers are installed, the payload would continue its normal course, just like a test machine. I want to know a good delay so it would be accurate to a real attack scenario where someone would plug this in to a new computer. IIRC, it took quite some time to install compared to the Teensy. They are only one time events though, so I don't have good knowledge of them. Maybe I could uninstall the drivers to test it again? If that's possible, which drivers would I target? Sorry if this is confusing. Thanks!


  • Solution

The first DELAY line depends on your systems.

Myself and Darren have had success with DELAY 2000. I've found on VMware I need a DELAY 5000. Others have had to put a high DELAY 10000 (seems odd).

If your school has USB keyboards (not PS2), grab their VID and PID and clone this onto the Ducky; as the drivers are already installed, you should be able to shorten the delay.

Or use the multi-payload (m_duck), and push the ducky's button (after only num_lock/caps_lock LED is lit).

Edited by midnitesnake
Midnitesnake, not sure if it is possible on the current ducky, but on the teensy I made a function that read the status of the number lock key and then set and unset the numlock key in a while loop until the original read numlock was different from the last read value. After that I would delay for 500 milliseconds just in case. Worked on all the systems I tested on.


Thanks for the replies. If someone were to use this in, say, a work environment with no knowledge of their current keyboard setup (so cloning wouldn't be possible), what would be a reasonable delay that would pretty safely work across all the machines? I just need a general standard. I'm not actually going to need to test this on those machines right now. I just need a simple benchmark that would work in a real world situation. Thanks!


Up to you, I have success with DELAY 2000 on most systems.

Optionally use the m_duck payload, trigger a keyboard LED, then push the ducky's button after you can see the OS has successfully registered the ducky. If you're mailing Duckys in as a social engineering gig, I would still go for duck.hex, and maybe a DELAY 3500 (middle value).
