A few months back, security researcher Justin Engler (@JustinEngler) introduced me to a neat toy: the USB Rubber Duck.
The Duck is a USB thumb-drive lookalike with a secret — the hardware is really a microcontroller with a microSD card interface. The device can act as any kind of USB slave, with a program or script fed to it via the SD card. The default personality for the Rubber Duck is a USB keyboard. Plug it in, and it will type keystrokes generated from a script file.
The Duck is one of those hacking tools with both good and evil uses. On the ‘good’ side, it can be used for automatic entry of complex commands in an environment where centralized computer management is difficult. I’m considering using it for some of our own Bandolier-related work: for the portions of the project where data collection commands must be run on the scanned system and no remote-use tools exist, it could be a real time-saver (and it can prevent the dreaded ‘human error’/’fat finger’ factor).
On the evil side, it can be used to immediately pop up a command shell and type malicious commands.
After purchase, I set my Duck aside for more interesting projects. Meeting Éireann Leverett at AppSecDC changed my tune — he had a thumb drive with a case identical to my Rubber Duck.
Keystrokes themselves can be pretty dangerous, beyond just using built-in commands. My first project over the weekend was a few lines of Python: take a batch file, and encode it as keystrokes to reconstruct and then execute the batch file on a victim machine using various methods (notepad, echo). My intention was to take the output from EXE2BAT and literally type in the netcat utility, convert it to an executable, and run it. This lets me get any executable I want onto a system, although the typing speed is pretty slow (a stripped down copy of netcat still takes 10 minutes to type in, extract, and run).
Someone smarter than me has already submitted a related payload that runs in seconds: a base64-encoded VBScript reverse shell. The keystrokes type in the encoded form of the tiny program and the VBScript needed to decode it; the VBScript is then run, and finally the extracted executable. That executable opens a reverse shell to a remote host, presumably owned by an attacker. The remote host could itself be programmed to determine which type of machine connected to it, add user accounts, install backdoors, rootkits, etc. It would be difficult to unplug the thumb drive in time to save yourself from being pwned.
I’m finding the Duck particularly interesting because it bypasses many kinds of protection: USB Mass Storage can be disabled, Autorun can be disabled, and the Duck will still work. Who locks their machine down enough to prevent a new keyboard from being plugged in? I’m also becoming curious about host OS fingerprinting: could a USB slave device such as the Rubber Duck determine what kind of host it’s plugged into, based on the USB setup and queries it receives? If so, the Duck could be programmed to be a universal system hacker, with separate payloads for Windows, Linux, Solaris, etc., running the script based on the system it was plugged into.
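Since the Duck shows up to the host as just another keyboard, one practical defensive check is to watch the kernel log for HID keyboard enumerations and flag any keyboard that is not on a known list, or any second keyboard appearing on a machine that already has one. The example below is added here and is not code from the original post or from the Duck project; it parses Linux `hid-generic` dmesg lines (the line format is the real kernel one, but the vendor/product IDs, device names and timestamps in the sample are constructed) against an allowlist of approved keyboard VID:PID pairs.

```python
import re
from dataclasses import dataclass

# Constructed sample of dmesg output. The first two devices are the "normal"
# corporate keyboard and mouse; the third is a keyboard that appears an hour
# later with a VID:PID nobody approved. All IDs here are made up.
SAMPLE_LOG = """\
[    2.104] hid-generic 0003:AAAA:0001.0001: input,hidraw0: USB HID v1.11 Keyboard [Corp Keyboard] on usb-0000:00:14.0-1/input0
[    2.210] hid-generic 0003:AAAA:0002.0002: input,hidraw1: USB HID v1.11 Mouse [Corp Mouse] on usb-0000:00:14.0-2/input0
[ 3712.882] usb 1-3: New USB device found, idVendor=beef, idProduct=0042, bcdDevice= 1.00
[ 3712.890] hid-generic 0003:BEEF:0042.0003: input,hidraw2: USB HID v1.11 Keyboard [HID Keyboard Device] on usb-0000:00:14.0-3/input0
"""

# Allowlist of (vendor id, product id) pairs for keyboards we expect to see.
# Constructed for this example; a real deployment would fill this from inventory.
KNOWN_KEYBOARDS = {("AAAA", "0001")}

# Matches the kernel's hid-generic bind message:
#   hid-generic 0003:<VID>:<PID>.<instance>: <ifaces>: USB HID v<ver> <Kind> [<Name>] on ...
HID_RE = re.compile(
    r"hid-generic 0003:([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\.\d+: "
    r".*USB HID v[\d.]+ (\w+) \[(.*?)\]"
)


@dataclass
class HidEvent:
    vid: str
    pid: str
    kind: str   # e.g. "Keyboard", "Mouse", "Device"
    name: str


def parse_hid_events(log_text):
    """Extract every HID device bind event from a block of dmesg text."""
    events = []
    for line in log_text.splitlines():
        m = HID_RE.search(line)
        if m:
            vid, pid, kind, name = m.groups()
            events.append(HidEvent(vid.upper(), pid.upper(), kind, name))
    return events


def suspicious_keyboards(events, allowlist):
    """Return (event, reasons) for keyboards that are unapproved or redundant.

    Two independent signals are checked: the VID:PID is not on the allowlist,
    and the device is an additional keyboard beyond the first one enumerated.
    Either alone is worth an alert; a Duck typically trips both.
    """
    flagged = []
    keyboards_seen = 0
    for ev in events:
        if ev.kind != "Keyboard":
            continue
        keyboards_seen += 1
        reasons = []
        if (ev.vid, ev.pid) not in allowlist:
            reasons.append("unknown VID:PID")
        if keyboards_seen > 1:
            reasons.append("additional keyboard enumerated")
        if reasons:
            flagged.append((ev, reasons))
    return flagged


if __name__ == "__main__":
    for ev, reasons in suspicious_keyboards(parse_hid_events(SAMPLE_LOG), KNOWN_KEYBOARDS):
        print(f"ALERT {ev.vid}:{ev.pid} [{ev.name}] - {', '.join(reasons)}")
```

Fed the sample above, it alerts on the `BEEF:0042` keyboard for both reasons and stays quiet about the approved keyboard and the mouse. Note that an allowlist keyed on VID:PID is only a first line of defense, since a programmable device can claim whatever IDs it likes; the "second keyboard" signal is the more robust of the two, and on a fleet this parser would be pointed at a log forwarder rather than a local dmesg.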
CISSP friends used to joke with me that I would fail the exam. One of their questions was, “You find a USB thumb drive, what do you do?” My answer was, I would plug it into a quarantine system, make an image of it, and start some analysis. I’m beginning to re-think that position…