jaime_lion Posted November 14, 2014
So should I buy a ducky to play around with it? At the moment I don't have any pen-testing jobs and I don't see any in the near future. Aside from playing around with it and maybe playing a prank or two on a friend, I don't think I will be using it for that much. I also am wondering is the ducky useful in pen-testing, cause from what I have heard a lot of places physically disable USB ports. Thoughts?

Broti Posted November 14, 2014 (edited November 14, 2014 by Broti)
Definitely. It's superb for real life demonstrations. It's quite effective to show people directly the potential dangers of not unlocking from their system if they are in the same proximity while searching something. Just run a small prank to show the risks of BadUSB attacks, or show them a demo of running netcat for a remote shell. Most people aren't aware of physical access attacks. Even some admins I know haven't secured their company systems against offline access and some even don't know about this method at all.

Biocow Posted November 14, 2014
Even a machine with unused USB ports that are physically disabled probably has a mouse and keyboard plugged in. It takes a few extra seconds, but all you have to do is unplug one, deploy the ducky, then plug the keyboard. Unless they are permanently attaching devices to the USB ports you can use the ducky.

Kud0s82 Posted November 19, 2014
I have just ordered mine. I mainly bought it as a learning tool. I will be playing pranks, but also want to learn more about pen testing, and learning the ins and outs of using a reverse shell.

Broti Posted November 19, 2014
But be careful and stay legal ;-) I built my own hack-network. So I can test what I want without harming anyone.

Kud0s82 Posted November 19, 2014
> But be careful and stay legal ;-) I built my own hack-network. So I can test what I want without harming anyone.

I plan on staying legal. I have several test computers to use. I would only do harmless pranks to my co-workers. I could probably give the IT guys some scares, but I won't do that.

Kud0s82 Posted November 19, 2014
I won't be able to do much harm at work since there are only a few computers that have admin rights to them. So the run CMD as admin won't work unless I somehow get the Admin user name and password.

Broti Posted November 19, 2014
Well, there is always a way... *whistle*

Kud0s82 Posted November 19, 2014
Yes, but that would require me getting into an Admin machine. Granted it would not be hard.