• The friendly Linux forum for all users.
Dismiss Notice
Welcome to Linux Forum! As we have just launched, please help us grow by telling your friends about us and posting in the forum. Thanks!

USB Rubber Ducky

Discussion in 'LF Linux Articles' started by Jarret, Nov 30, 2016.

  1. Jarret

    Jarret Moderator Staff Member

    The USB Rubber Ducky device is not a truly malicious tool like the USB Killer. The USB Rubber Ducky can be used maliciously, though. Let's look over the abilities of the device and see what it can do.


    The USB Rubber Ducky, as shown in Figure 1, is a typical looking USB Mass Storage Device. The device has a very hidden secret inside. The components housed inside are:
    • Atmel 32bit AVR Microcontroller AT32UC3B1256
    • MicroSD card reader
    • Micro push-button
    • Multi-color LED indicator
    • JTAG Interface (can be used for I/O)
    • Standard “Type A” USB connector

    Figure 01.jpg
    FIGURE 1

    More detailed hardware information can be found at https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Hardware. The specific information on the processor is as follows:

    • High Performance, Low Power AVR 32 UC 32-Bit Microcontroller
    • Compact Single-cycle RISC Instruction Set Including DSP Instruction Set
    • Read-Modify-Write Instructions and Atomic Bit Manipulation
    • Performing up to 1.39 DMIPS / MHz
    • Up to 83 DMIPS Running at 60 MHz from Flash
    • Up to 46 DMIPS Running at 30 MHz from Flash
    • Memory Protection Unit
    • Multi-hierarchy Bus System
    • High-Performance Data Transfers on Separate Buses for Increased Performance
    • 7 Peripheral DMA Channels Improves Speed for Peripheral Communication
    • Internal High-Speed Flash
    • 512K Bytes, 256K Bytes, 128K Bytes, 64K Bytes Versions
    • Single Cycle Access up to 30 MHz
    • Prefetch Buffer Optimizing Instruction Execution at Maximum Speed
    • 4ms Page Programming Time and 8ms Full-Chip Erase Time
    • 100,000 Write Cycles, 15-year Data Retention Capability
    • Flash Security Locks and User Defined Configuration Area
    • Internal High-Speed SRAM, Single-Cycle Access at Full Speed
    • 96K Bytes (512KB Flash), 32K Bytes (256KB and 128KB Flash), 16K Bytes (64KB Flash)
    • Interrupt Controller
    • Autovectored Low Latency Interrupt Service with Programmable Priority
    • System Functions
    • Power and Clock Manager Including Internal RC Clock and One 32KHz Oscillator
    • Two Multipurpose Oscillators and Two Phase-Lock-Loop (PLL) allowing Independant CPU
    • Frequency from USB Frequency
    • Watchdog Timer, Real-Time Clock Timer
    • Universal Serial Bus (USB)
    • Device 2.0 and Embedded Host Low Speed and Full Speed
    • Flexible End-Point Configuration and Management with Dedicated DMA Channels
    • On-chip Transceivers Including Pull-Ups
    • USB Wake Up from Sleep Functionality
    • One Three-Channel 16-bit Timer/Counter (TC)
    • Three External Clock Inputs, PWM, Capture and Various Counting Capabilities
    • One 7-Channel 20-bit Pulse Width Modulation Controller (PWM)
    • Three Universal Synchronous/Asynchronous Receiver/Transmitters (USART)
    • Independant Baudrate Generator, Support for SPI, IrDA and ISO7816 interfaces
    • Support for Hardware Handshaking, RS485 Interfaces and Modem Line
    • One Master/Slave Serial Peripheral Interfaces (SPI) with Chip Select Signals
    • One Synchronous Serial Protocol Controller
    • Supports I2S and Generic Frame-Based Protocols
    • One Master/Slave Two-Wire Interface (TWI), 400kbit/s I2C-compatible
    • One 8-channel 10-bit Analog-To-Digital Converter, 384ks/s
    • 16-bit Stereo Audio Bitstream DAC
    • Sample Rate Up to 50 KHz
    • QTouch Library Support
    • Capacitive Touch Buttons, Sliders, and Wheels
    • QTouch and QMatrix Acquisition
    How does all this work? When a USB device is connected to a system the system will query the device to determine its use and device type. The device type allows the system to load the appropriate driver so the USB device can be used on the system. For example, a WiFi adapter can be inserted into a system. The system queries the device and finds it is a specific model of a RealTek WiFi adapter. The system will the load the appropriate driver for the device and start it, if possible. Once started the system will attempt to use the WiFi adapter to connect to a network. If needed, a configuration window may appear to help configure the device properly as needed.

    Most USB devices are automatically detected and used by the system, such as keyboards. A keyboard is seen by a system as sending input to the system which the system will accept. The USB Rubber Ducky will be seen as a keyboard device. Because of the device type most systems will start accepting data from the keyboard.

    Scripts can be created and placed on the USB Rubber Ducky memory to allow them to be pushed into the system. These scripts can be used to gain a lot of information from the system in which the USB Rubber Ducky is inserted.

    Because of the widespread use and acceptance of USB devices the Rubber Ducky works on Windows, Linux, Apple and Android devices.

    Ducky Script

    The Ducky Script language is a very straight forward language. The language is based off of keystrokes to act as a keyboard.

    The commands are as follows:

    • DEFAULT_DELAY ### - sets a default delay in milliseconds to occur between each command within the whole script. Delays are necessary to allow windows to open, characters to be sent to the system, etc.
    • DELAY ### - sets a default delay in milliseconds to occur when the command is given. The Rubber Ducky can send around 16 keystrokes a second to the system.
    • GUI x – the command is the same as pressing the Window key. An additional key is also pressed to perform a certain task in Windows or other Operating System (OS). For example, the Window key and 'r' opens a run command window. You can also use the command WINDOW.
    • STRING xxxx – sends the string of characters to the system.
    • MENU or APP – performs the same action as a right-click.
    • REPLAY x – cause the last command to be repeated x number of times.
    • Key presses to the system (these are the same as pressing the designated key)
      • BREAK
      • PAUSE
      • CTRL
      • ALT
      • BREAK
      • CAPSLOCK
      • DELETE
      • END
      • ESC (ESCAPE)
      • HOME
      • INSERT
      • NUMLOCK
      • PAGEUP
      • PAGEDOWN
      • SPACE
      • TAB
      • F1..F12
      • UP (UPARROW)

    The USB Rubber Ducky sends data to the system as hex just as a keyboard. To convert the text file to hex you use 'duckencoder'. The 'duckencoder' program can be downloaded from https://github.com/hak5darren/USB-Rubber-Ducky/tree/master/Encoder. The encoder is a JAVA file which is run from a terminal: java -jar duckencoder.jar -i input-file.txt -o /media/SDCard/inject.bin.

    To be able to test the scripts before they are actually converted to hex and placed on the Rubber Ducky there is a simulator. The simulator can be found at: https://hackaday.io/project/1153-hak5-usb-rubberducky-emulator.

    If you look around the Internet there are websites devoted to payloads (scripts) for the Rubber Ducky. The Rubber Ducky can also be used to assist in using Metasploit and netcat to test security.

    Sample Script

    The following script can open 'notepad' on a Windows system and type text to the program:

    • DEFAULT_DELAY 200 ms
    • GUI r
    • STRING notepad.exe
    • STRING Go to linuxforum.com!

    The text within 'notepad' should read 'Go to linuxforum.com!'.

    USB Rubber Ducky Purchase

    The USB Rubber Ducky can be purchased at https://hakshop.com/products/usb-rubber-ducky-deluxe. There are many other items there for assisting in network security testing.

    At the time of this writing, the cost was $44.99.

Share This Page