While the USB Rubber Ducky is known by hackers as a tool for fast in-person keyboard-based attacks, one of the original applications was automation. In this guide, I will explain the latter and explain how we can use it to automate wireless handshake harvesting on the Raspberry Pi without using a screen or other input.
I will explain how to write script in Ducky, prepare a binary file, inject it and see the results. Our goal will be to create a payload that launches the Besside-ng process to collect wireless handshake in a screen session that allows us later via laptop or phone.
The USB Rubber Ducky can be connected to virtually any computer to use as a Human Interface Device (HID) keyboard. This is useful for creating payloads that execute commands remotely on a subject's computer, allowing you to automate complex tasks in a single payload.
You can turn your 30-second access to a target's computer into a permanent backdoor, a ransomware attack, or a custom payload, such as the planning of email threats to Dick Cheney The e-mail address of the destination will be displayed at midnight.
But the USB Rubber Ducky is not a completely offensive tool. The same ability to play commands quickly can be used as a method to automate certain pen test stages on our Raspberry Pi with Kali Linux.
Let the duck work
Automation on the USB Rubber Ducky course depends on the target you want to dump the payload on. In this case, we will use the Ducky to automate processes on our own device, so we will target Kali Linux running on the Raspberry Pi. Although we use the Ducky to quickly set up a process instead of attacking, the process of writing the script, encoding, and loading the payload is the same as if we were launching an attack.
When we work on our own machine, we have the advantage of repeating and tweaking small aspects of our own machine to work more easily with the Ducky. Hotkeys can be added in order to trigger the desired actions more easily. In this example, I did not change my Kali Linux, so my script should work on every updated Kali distribution on a Raspberry Pi.
When automating tasks with a Ducky, accessing a terminal window is essential. Some operating systems have a hotkey to open a command prompt or a terminal window. Kali does not do that, so we need to do a bit of work. Once we open a terminal window, the process becomes much easier, as we can insert commands directly into a bash shell.
The Raspberry Pi platform is not as powerful as many desktop or laptop computers. If the Pi runs too slowly to execute a command properly, it will mishit and derail all other commands in the sequence. For this reason, care must be taken that there is an appropriate "delay" to ensure that the target device can keep up with all incoming data.
To open a terminal window via the USB Rubber Ducky on a Raspberry Pi with Kali, the following string has proved to be the starting sequence for other automation scripts.
This string allows a delay of 5 seconds The Pi Detects the Device, Alt F2 searches for applications, and enters xfce4-terminal to select and open a terminal window. Since the window may be slowing down when opened, I have delayed the next part of the script by 5 seconds to ensure that every command is sent properly.
The most basic "Active" Wi-Fi enlightenment involves scanning an area for in-service wireless networks and capturing long lists of WPA Hand shakes with Besside-ng. This tool enables mass auditing of local area networks to find those with weak passwords within a few minutes, significantly speeding up the process of capturing a data connection in an unfriendly environment.
This tool can be configured to attack all networks or a subset of discovered networks based on features such as encryption, channel, signal strength, and BSSID. To initiate this attack, several prerequisite steps must be taken to prepare the wireless attack card and later resume and control the session from a laptop or phone.
In this example, we prepare these steps by launching a screen session, putting our attack map in monitor mode, and launching the attack on nearby networks.
To get around the inadequacy of the Raspberry Pi screen, you can save time and respond to opportunities that you can not use. t allow a tedious setup and configuration. Within seconds, you can start a screen session and launch an attack without human intervention, without plugging the Ducky into the USB port. You'll need a few things to do this:
Step 1: Download the requisite repos to encode the duck
To encode Payload for the USB Rubber Ducky, we have to download the Ducky Encoder and other files to encode and decode Ducky Binaries. You also need the screen utility, which allows you to disconnect from SSH sessions and restore them later. This will allow us to launch an attack on a headless Pi and rejoin the screen later after logging in via SSH.
You can get this and my Kali Pi payload by opening a terminal window and cloning the repos: 19659020] apt-get install screen
git clone github.com/hak5darren/USB-Rubber-Ducky.git
cd USB Rubber Ducky
git clone github.com/sadmin2001/duckloads.git This will create the folder with the encoding and decoding tools and drop my binary payload and TXT script file into a folder named " Duckloads "added. Each script you create has a TXT component and a BIN injectable binary component. If you forget to save your TXT file, you may find that you are rewriting a script using the binary decoder as a reference, so save it!
To encode our payload we open the DuckyEncoderGUI.jar file in the folder USB Rubber Ducky 19659036] which opens a nice friendly GUI menu to code the Ducky.
- Input File: Select my script at entenloads / respeo.txt to create a new BIN file , Look for respeo.txt as the input file, and you will see that the text of the Ducky script is displayed in the GUI window.
- Layout File: Make sure you use the keyboard correctly for the layout of your Pi, since the default layout is "be," which causes gibberish to be typed.
- Output file: Should be set to inject.bin and save to the same folder unless you want to specify another in the output file menu
Now click "Export bin" to create a binary file to create for the Ducky.
In a lab environment, it is important to know the timing of the script for the target device's speed or other possible To adjust quirks. When I worked with a Pi Zero and a Pi 3, I put a lot of time into my script so that a Pi that just booted up would run all of the provided input, even with slow execution.
Load the microSD card into an adapter or a card reader and connect it to your computer, delete all the binaries on the card, and then drag the new inject.bin onto the card. Eject when the transfer is complete.
Load the microSD card into the Ducky. Start your Pi, connect it to an HDMI screen to get feedback, and give the script a test drive. If you find that it hangs or crashes, check the failed command and adjust the .txt file to correct the problem. Often the timing is too fast for the Pi to force an "enter" or open a new window, which can cause the commands to be garbled. I've worked to correct this by adding a little bit of time, but you can adjust it to what works for you.
The complete Ducky Script text for my Kali Automation script is as follows:
STRING airmon-ng start wlan1
STRING besside-ng wlan1mon
Timing can be set for the device, but the steps should remain in the same order. The goal of the script is to launch an attack that can be resumed and controlled from another device. Therefore, it is important to create a screen session before running our commands.
Step 4: Through the Attack Checklist
In Order For the automation to succeed, we should let a few things pass when we connect the USB Rubber Ducky to the Kali Pi.
First we should watch how the Ducky connects and is recognized by the Pi as a keyboard, followed by a startup app search for "xfce4-terminal." When the xfce4 terminal is selected, The Pi should open the terminal window and immediately start a screening session. From this session, the Pi wlan1 (our attack antenna) throws over airmon-ng into the surveillance mode preparing the attack antenna for our attack before the attack.
After 15 seconds had passed for the process, the Pi will launch besside-ng with our newly named "wlan1mon" attack interface and begin the attack on all nearby networks. The last command is to disconnect the screen session so that it can be resumed from a phone or laptop via SSH.
Once the script does its thing, a Wi-Fi handshake attack script should be running in the background. To reconnect, you need to connect to the Pi via SSH and continue the screen session. SSH into the Pi and reconnect the session by entering the following terminal:
ssh root @ (IP address of Pi)
(enter your password)
This should search for a disconnected screen sessions and automatically find one if found. If your script was successful, this session should help you understand how to attack attacking networks in the environment and create a list of handshakes to audit. You can run this session in the background by separating it, which you can do at any time by typing CTRL-A and then D .
Reconnect allows you to check the status of the attack and redirect, fix, narrow, or restart the attack. Occasionally, Besside-ng gets stuck ("no child process" or "network failed" error), which can be frustrating and break the automation process. Even if this happens, you can restart the screen with a single touch
Now we've explored the basics of using the USB Rubber Ducky for automation – you can create your own scripts remix and create to manage your favorite attacks. The Rubber Ducky can quickly take a lot of work off your hands … it's up to you to explore the possibilities!
Thank you for reading and be sure to keep an eye on zero bytes for more hacking tutorials. You can ask me questions here or @ sadmin2001 on Twitter or Instagram