
Wifi duck?



  • 2 weeks later...

It's a good solution. Although I built a wifi ducky based on Arduino boards and the ESP8266, since combining both gave the possibility of full speed USB and multiple end points. I built prototypes and used these until I found the 'Cactus Micro', which is a combination of a Leonardo and ESP8266. Wrote various controllers for Python, .NET and Android. Works well. Since the Atmel chip is recognized as both a HID device and a Serial port, you can (via a script) run command prompt in a Windows target, and return the output of the script (via serial) to the duck and then on back to the attacker machine! Can supply the code if you're interested.


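On the defender's side, the point in the post above that the board is recognized as both a HID device and a serial port gives something to look for. The following is an added example, not code from the thread or from the WiDucky project: it parses `lsusb -v`-style text and lists devices that expose both a HID interface and a CDC serial interface. The sample text and its 1234:xxxx IDs are constructed.

```python
import re

# Constructed sample in the style of trimmed `lsusb -v` output; IDs are placeholders.
SAMPLE = """\
Bus 001 Device 004: ID 1234:0001 Example Keyboard
    Interface Descriptor:
      bInterfaceClass         3 Human Interface Device
Bus 001 Device 007: ID 1234:0002 Example Composite Board
    Interface Descriptor:
      bInterfaceClass         2 Communications
    Interface Descriptor:
      bInterfaceClass        10 CDC Data
    Interface Descriptor:
      bInterfaceClass         3 Human Interface Device
Bus 001 Device 009: ID 1234:0003 Example Serial Adapter
    Interface Descriptor:
      bInterfaceClass         2 Communications
"""

HID_CLASS = 3           # USB interface class: Human Interface Device
CDC_CLASSES = {2, 10}   # USB interface classes: Communications, CDC Data

DEVICE_RE = re.compile(r"^Bus (\d+) Device (\d+): ID ([0-9a-f]{4}:[0-9a-f]{4})\s*(.*)$")
CLASS_RE = re.compile(r"^\s*bInterfaceClass\s+(\d+)")

def parse_devices(text):
    """Return one dict per device with the set of interface classes it declares."""
    devices = []
    for line in text.splitlines():
        header = DEVICE_RE.match(line)
        if header:
            devices.append({"id": header.group(3),
                            "name": header.group(4).strip(),
                            "classes": set()})
            continue
        iface = CLASS_RE.match(line)
        if iface and devices:  # attach interface lines to the latest device header
            devices[-1]["classes"].add(int(iface.group(1)))
    return devices

def hid_plus_serial(text):
    """Devices that present a HID interface and a CDC serial interface together."""
    return [d for d in parse_devices(text)
            if HID_CLASS in d["classes"] and d["classes"] & CDC_CLASSES]

if __name__ == "__main__":
    for dev in hid_plus_serial(SAMPLE):
        print("review:", dev["id"], dev["name"], sorted(dev["classes"]))
```

A match is only a prompt for review, since legitimate development boards enumerate the same way.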

  • 2 months later...

I'm new to this and want to make sure I understand, please - you're using the Cactus to inject the same password-capturing commands as the Ducky, just over wifi instead of by direct USB fake-keyboard entry?  So you can enter them at your leisure instead of having to distract the user for 15 seconds?

I was trying to think how this would be useful, and if I understand the basic concept, it makes sense - you could plant the Cactus when the computer is turned off (possibly after hours when no users are around, minimizing chances of detection), wait for them to walk away and lock their screen, then run the Ducky Script over wifi? That way there's much less chance of them seeing the PowerShell window, and you can retrieve the Cactus later when no one's around again.

Have I got this right, or am I misunderstanding something critical? :)  Thanks!


See the following projects I've built around the Ducky HID attack:

https://github.com/basic4/WiDucky   - Wifi Ducky with Windows/Python/Android controllers.

https://github.com/basic4/USB-Rubber-Ducky-Clone-using-Arduino-Leonardo-Beetle   - A basic ducky with microSD for under $10.





Edited by basic4

Hi - A ducky only works if the user IS logged in AND the screen isn't locked.

Using a ducky requires that the user has walked away from the target machine without locking it, or that you can distract the user from the screen for the amount of time needed to insert the ducky and run its script.

When a machine is locked, can you use the keyboard (except to log in)? - No, you need the password - which we don't know.

So a Ducky is just a tool to type commands very quickly - that's all.




I have a question about the serial port used as exfil channel.

Does it require some specific drivers enabled on the victim machine?

I am referring to this [1]

This command batch file allows feedback from the target Windows machine to be sent.
If the Widucky types 'remrec4.bat dir/w', the batch file executes the 'dir/w' command
and sends the output of the command to the WiDucky serial port.
The output is then returned via wifi to the controller application and displayed remotely.

(*This requires the Arduino drivers to be loaded on the target machine.) 

From my understanding, if the target machine doesn't have those drivers previously installed, the exfil channel will not work. Thus we will not be able to have an interactive (sort-of) remote shell. Am I right?

[1] https://github.com/basic4/WiDucky/blob/8ce8d217040448bf7b654c1eab4eae5da5596767/Test-Scripts/Remrec-Script/readme

Edited by zibri

Yeah right!

Maybe wouldn't it be easier to have it running automatically at boot (e.g. rc.local in a Linux OS) once the widucky is inserted?

However, this will also require the victim machine to be able to reach the internet and hope the attacker's webserver (i.e. where those drivers are located) is not blacklisted.

P.S. Can you provide an example of the drivers needed? I would like to create a PowerShell one-line script to try to install them.

