Hak5’s Rubber Ducky: Never again look at a USB stick the same way
Updated: Aug 3
USB sticks, they are all the same. Transfer files via an offline carrier because your internet may be down. Or perhaps you like buying USBs like me cause you need something to boot from when installing Linux, maybe? But what if that harmless-looking USB was the beginning of a company being taken down just because someone asked the front desk to reprint their report due today?
The Rubber Ducky from Hak5 is what I’d like to call the first beginner’s hacker tool. With easy installation and lots of tutorials, anyone can learn to use the Rubber Ducky for fun or their next pentest. This was one of the first tools seen on the hit show “Mr. Robot.” Darlene uses it by dropping multiple USBs in the parking lot of a police station.
Unsuspecting malicious intent, a police officer picks one up and plugs it into his central DeskDesktopthe station. But sadly, the malware that Darlene wrote was detected by the AV on the deskDesktophis is one-way Rubber Duckys can be used for malicious intent, but what can it be used for something to help? Maybe faster than typing in all those commands? Maybe downloading all the Wi-Fi passwords from a device to share with new employees?
A brief history of the Rubber Ducky
Now it begs the question, who came up with the Rubber Ducky from Hak5? Darren Kitchen. Darren thought of Ducky when working as a system administrator. Typing up all those commands over and over again became bothersome, so he set out to create a device that he could plug in that would register to a workstation as a Keyboard, typing faster than any human on the planet. But with great power comes great exploits. Darren soon discovered he could perform “Keystroke injection,” where plugging in the Rubber Ducky allowed him to install backdoors, steal documents, or even download more malicious code without the user suspecting a thing.
Since the device was so small and provided a helping hand and a little companionship, he named it the Rubber Ducky.
Passwords to capture
I get asked a lot of things: “What’s the Wi-Fi password?” I then must look at how to give them the password to read legibly. My handwriting can be pretty bad after typing all the time. A long time ago, I found a way to use netsh WLAN to show profiles; This allows a user to show the saved Wi-Fi passwords on their laptop. Using a Rubber Ducky, the user could then script out all the commands required to display the passwords of all the Wi-Fi profiles they’ve connected to.
This is one out of thousands of possible uses for the Rubber Ducky. Whether it’s malicious or for good intentions from its upbringing, the Rubber Ducky can be a great tool to use to start your cyber security career. Using this tool will help with the following skills:
· Introduction to Scripting
· Exploitation of Windows, Linux, or Apple Devices
· Defending against such devices
· Social Engineering
Next week I’ll release an article on what software or settings could be used.
To defend against Rubber Duckys in your own company.
“Never underestimate the determination of a time-rich and cash-poor kid.” ― Cory Doctorow, Little Brother