Jump to content

[Payload] Yubikey Style Password Prefix

Recommended Posts

Is there a more secure password than one you don't even know yourself?

Password Prefixing is a form of two-stage authentication. A user-chosen password is prefixed by a given string, much like a password salt.

The first action is to generate the prefix string. The best way to garble this so that it is not known is by hashing it.

Head over to http://www.adamek.biz/md5-generator.php and generate your token.

md5("My Password Prefix") = "b6b8fbc2caf2ff719c7894c83db0b998"

Now, we can create the DuckScript based on that MD5 string.

DELAY 3000
STRING b6b8fbc2caf2ff719c7894c83db0b998_

Here, I've suffixed the prefix with an underscore to separate the token from the rest of the password.

Whenever you register a new password, keep the password box focused and place the Ducky in to input the prefix token, then put the rest of the password.

Your password for that site is now: b6b8fbc2caf2ff719c7894c83db0b998_pa$$W0rd

Whenever you sign in, place the Duck in the PC and the prefix will be inputted, followed by your own, known password.

To create an even more secure token, you can use the Perfect Passwords generator at: https://www.grc.com/passwords.htm to create pseudo-random strings as prefixes, that way, you can't even say to someone "My password is the MD5 hash of "My Password Prefix" followed by Pa$$W0rd".

DELAY 3000
STRING EkRjsmp8oNLmwKdLEVXhqLlcls5TQOVTk7mXcj4Km0KMJKAIw920rtsfq0Cevgb_
Edited by ApacheTech Consultancy
Link to comment
Share on other sites

You could leave the "Naked Duck" (this time the exposed board not the firmware) plugged in, and just press the GPIO (ducky's tiny button) to replay the sequence.

You could indeed. :D

Or even use the MultiDuck to deploy different prefixes based on keyboard LEDs. :D

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...