What is the best security awareness payload for the Rubber Ducky?

What is the best security awareness payload for the Rubber Ducky?

A two second HID attack against Windows and Mac that launches the website of your choosing. That's by far the most effective security awareness payload for the USB Rubber Ducky.

Cyber security awareness building is important, and developing an effective security awareness program - or at least raising eyebrows that one is even necessary - doesn't need to be difficult.


Hot off the heels of the bank heist security awareness campaign in Beirut with Jayson Street (See Breakthrough - Cyber Terror on National Geography), @Snubs and I set off to perform our own security awareness research. We were given the unique opportunity to present the keynote at AusCERT 2017 in the Gold Coast of Australia. Our talk was all about trust, convenience, and how USB and better yet Humans are the universal attack vector. CSO has a great write-up.

Essentially we wanted to see if the cyber security community practiced what it preached. Specifically following best practices with regards to foreign USB drives. What we found was astounding. Judging from our own informal poll, it seems many of us in the information security world don't even bother with basic anti-virus, so how would we fare as an industry against foreign USB drives?



Now I've spoken before about a 2-second USB Rubber Ducky payload which will grab Windows password hashes via SMB. It's a great payload for internal audits - so red teams take note. But for this engagement the last thing we wanted was any sensitive data.

Unlike Google, who conducted a similar USB drop at a university with the intent of obtaining reverse shells on the target machines, we opted for something completely benign. Our payload only launches a tiny URL, which takes the target to US-CERT Bulletin ST08-001: Using Caution with USB Drives. The US-CERT bulletin, from the National Cyber Awareness System, states:

Do not plug an unknown USB drive into your computer - If you find a USB drive, give it to the appropriate authorities (a location's security personnel, your organization's IT department, etc.). Do not plug it into your computer to view the contents or to try to identify the owner.


Of the 100 USB Rubber Ducky drives we dropped, we noticed 162 executions from 62 unique IP addresses throughout a 65 day period. Mind you, this was at a conference primarily made up of professionals working in the cyber security industry. Now since we did not uniquely identify each drives payload, we cannot determine the actual percentage plugged in. However, based on the unique factors we can track, the results do seem inline with Google's findings - that 48% of people do plug-in USB drives found in parking lots.

The other data of interest indicated that targets were 68% Windows and 32% Mac. Browsers were 69% Chrome, 24% Safari and shockingly 7% Internet Explorer. The vast majority of executions were within the first week of the conference, however the long tail lasted until mid-April.


Setting this up for your own security awareness campaign is dead simple. All you need is this payload, a few USB Rubber Duckies, a URL to point the payloads and a few creative spots to leave the drives.

For the URL you could setup a website to let the user know they've broken corporate policy and to contact IT - or you could do what we did and send 'em to US-CERT. Either way you'll be able to track the executions. This can be done either with your own web server (preferably running PHP), or you can just use Google's goo.gl URL shortener to get the analytics.

Here's the PHP script which will log IP and browser data along with forwarding on the target to your URL of choice. Uncomment the mail command and change the SMS gateway if you want your phone to ding every time someone plugs one in :)

$today = date("F j, Y, g:i a");
$data = json_encode(array("headers" =&amp;amp;gt; getallheaders(), "server" =&amp;amp;gt; $_SERVER, "request" =&amp;amp;gt; $_REQUEST));
file_put_contents("summary.txt", $today . "\t" . $_SERVER['REMOTE_ADDR'] . "\t" . $_SERVER['HTTP_USER_AGENT'] . "\n", FILE_APPEND);
file_put_contents("full-data.txt", $data . "\n", FILE_APPEND);
$message = $today . " - " . $_SERVER['REMOTE_ADDR'];
mail('5105551212@tmomail.net', 'subject', $message);
<html><head><meta charset="UTF-8" />
<meta http-equiv="refresh" content="1;url=https://www.us-cert.gov/ncas/tips/ST08-001" />
<script type="text/javascript">window.location.href = "https://www.us-cert.gov/ncas/tips/ST08-001"</script>
<title>Page Redirection</title></head>
<body>If you are not redirected automatically, follow the <a href="https://www.us-cert.gov/ncas/tips/ST08-001">link</a>.</body></html>

You'll need to touch full-data.txt and summary.txt and chmod them accordingly.

This cross-platform USB Rubber Ducky payload works against Windows, Mac and some Linux window managers which support URLs from the ALT+F2 menu (like Ubuntu's Unity).

DELAY 1000
STRING http://example.com

Replace example.com with the URL of your choosing.

Finally, load up the ducks, find some enticing places to plant 'em, and watch the logs as humans do what humans do best.


As users and as a society, we expect technology to "just work".

As developers and systems administrators, in order to make things "just work", we typically need to put in hard coded trusts.

As hackers and penetration testers, wherever we find these hard coded trusts, it's simply a matter of telling the right lie. Something we learned to do from childhood.

Hacking is all about trust. As in life - trust is hard to build & easy to break. Hacking is violating the inherent trust in complex systems.

Happy Hacking!

Leave a comment

Comments will be approved before showing up.

Also in Blog

Stealing Files with the USB Rubber Ducky – USB Exfiltration Explained
Stealing Files with the USB Rubber Ducky – USB Exfiltration Explained

As a keystroke injection attack tool capable of mimicking both a USB keyboard and mass storage, the USB Rubber Ducky excels at autonomously exfiltrating documents – or what we like to call performing an involuntary backup. In this article I will briefly outline the steps necessary to turn your USB Rubber Ducky into a document exfiltration machine, as described on Hak5 episodes 2112, 2113 and 2114.

Continue Reading

The 3 Second Reverse Shell with a USB Rubber Ducky
The 3 Second Reverse Shell with a USB Rubber Ducky

In this tutorial we’ll be setting up a Reverse Shell payload on the USB Rubber Ducky that’ll execute in just 3 seconds.

A reverse shell is a type of shell where the victim computer calls back to an attacker’s computer. The attacking computer typically listens on a specific port. When it receives the connection it is then able to execute commands on the victim computer. In essence it’s remote control of a computer.

Continue Reading

What's the quickest way to steal a Windows password hash?
What's the quickest way to steal a Windows password hash?

Using a USB Rubber Ducky and this simple payload, Windows password hashes can be captured for cracking in less than two seconds.

This technique works against almost all versions of Microsoft Windows and only requires a 5 line Ducky Script and an open source server setup on the target network.

Continue Reading