Low-cost USB Rubber Ducky pen-test tool for $3 using Digispark and Duck2Spark

medium-com
13-09-2018


It’s a story as old as time: some hacker sees a nice hardware pen-testing tool, hacker recoils in horror at the price of said tool, hacker builds their own version for a fraction of the price.

An example of this is the Rubber Ducky, an excellent Hak5 hacking tool that, thanks to the work of several developers, we can emulate using a small and cheap Digispark. An advantage of cheap hardware built from generic off-the-shelf parts is that it is disposable and almost impossible to trace.

The USB Rubber Ducky is a keystroke injection tool disguised as a generic flash drive. Computers recognize it as a regular keyboard and automatically accept its pre-programmed keystroke payloads at over 1000 words per minute. Seconds of physical access are all it takes to deploy some of the most advanced pen-test attacks or IT automation tasks. But the Rubber Ducky can also be used for practical jokes, for example with a script that quickly changes the wallpaper of a co-worker’s workstation.

But at $45 plus shipping, the Rubber Ducky is not exactly a cheap tool. Fortunately, we can DIY a clone for only $3 with a Digispark development board and some free software. The Digispark is an ATtiny85-based microcontroller development board similar to the Arduino line, only cheaper and smaller.
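The typing rate quoted above is also what gives injected keystrokes away to a defender. The following is an added example, not code from the original post or from any of the projects it mentions: it flags runs of key-down events that arrive faster than a person types. The 30 ms gap, the 8-key minimum, the function names and the sample timestamps are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# 1000 WPM at the usual 5 characters per word is ~83 keys/s, about 12 ms per key.
# Assumption: a person does not sustain gaps under 30 ms for 8 or more keys.
MAX_GAP_MS = 30
MIN_KEYS = 8


@dataclass
class Burst:
    start_ms: float
    end_ms: float
    keys: int

    @property
    def wpm(self) -> float:
        duration = self.end_ms - self.start_ms
        if duration <= 0:
            return float("inf")
        return (self.keys - 1) * 60000 / (5 * duration)


def find_injection_bursts(key_down_ms, max_gap_ms=MAX_GAP_MS, min_keys=MIN_KEYS):
    """Return runs of at least min_keys key-down events whose gaps are all below max_gap_ms."""
    ts = sorted(key_down_ms)
    bursts, run_start = [], 0
    for i in range(1, len(ts) + 1):
        # A run ends at the last event or when the next gap is human-sized.
        if i == len(ts) or ts[i] - ts[i - 1] >= max_gap_ms:
            if i - run_start >= min_keys:
                bursts.append(Burst(ts[run_start], ts[i - 1], i - run_start))
            run_start = i
    return bursts


# Constructed sample: key-down timestamps in milliseconds.
HUMAN = [0, 180, 340, 560, 700, 910, 1100, 1290, 1500, 8000, 8200]
INJECTED = [5000 + 10 * i for i in range(20)]  # 20 keys, 10 ms apart
SAMPLE = HUMAN + INJECTED

if __name__ == "__main__":
    for b in find_injection_bursts(SAMPLE):
        print(f"{b.keys} keys in {b.end_ms - b.start_ms:.0f} ms (~{b.wpm:.0f} WPM)")
```

A script that inserts delays between keys would slip under a fixed gap threshold, so this check complements USB device allow-listing rather than replacing it.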

Digispark boards

Step 1: Setup Digispark Development Environment

Before starting to work with our board, we must install the Arduino IDE. After this, we must download the board's compatibility package, a fairly simple operation.

After installation, open the Arduino IDE and go to File -> Preferences.
In the input field named “Additional Boards Manager URLs”, enter the following URL:

<http://digistump.com/package_digistump_index.json>

Open Tools -> Board -> Boards Manager.
From the drop-down menu select “Contributed”, then select the Digistump AVR Boards package and install it.

Now we need to install the Digispark bootloader driver:

https://github.com/digistump/DigistumpArduino/releases/download/1.6.7/Digistump.Drivers.zip

The driver installation process often runs into issues, so make sure the drivers are installed properly.

Finally, go to Tools -> Board, select Digispark (Default — 16.5mhz) and set it as default.

Step 2: Turning Digispark into a Rubber Ducky Clone

The Rubber Ducky uses a simple scripting language to create payloads. For the Digispark, things are not that simple: we need to program our own payloads using DigiKeyboard.h and the Arduino IDE. There are some scripts available for the Digispark ATtiny85 on the internet. But thanks to the work of MaMe82 (Marcus Mengs), you can translate Rubber Ducky scripts to the Digispark with the duck2spark project.

A great feature of duck2spark is its keyboard layout support. The available solutions and tutorials for emulating a Rubber Ducky on a Digispark suffer from poor support for non-US keyboard layouts. duck2spark solves this by “outsourcing” the problem to DuckEncoder, which supports multiple keyboard layouts.

Using duck2spark is really easy. Let’s look at an example from the duck2spark documentation, a classic hello world:

Generate a DuckyScript test.duck you want to use as output:


echo "STRING Hello World" > test.duck


Compile the script using DuckEncoder with your keyboard layout (de in the example) or use my Python port:


java -jar encoder.jar -i test.duck -o raw.bin -l de


Use duck2spark.py to convert it into an Arduino sketch (options for single run, 2 seconds startup delay):


duck2spark.py -i raw.bin -l 1 -f 2000 -o sketch.ino


After setting up the Arduino IDE, load the example "DigisparkKeyboard" and replace the sketch source with the one saved to sketch.ino.

Click Sketch -> Upload or click the Upload button at the top left. Open Notepad or any other text editor. Plug in the Digispark again and, magically, “Hello World” will be typed.

Rubber Ducky payloads can be anything; they change according to our goals and intentions. We can create a wireless network association, download and execute payloads, open reverse shells, etc. For pen-testing engagements we can even use Meterpreter, Empire, Unicorn, or other PowerShell payloads.

A final tip: use some heat shrink tubing to provide electrical insulation, mechanical protection, sealing, and some stealth to your new Digispark-Ducky. The device is cheap enough that you don’t mind leaving it at the scene if you’ve got to pull on your ninja outfit and make a break for it.

Original links

https://medium.com/p/5d59afc1910/