قالب وردپرس درنا توس
Home / Tips and Tricks / How to automate hacking on the Raspberry Pi with the USB Rubber Ducky «Zero Byte :: WonderHowTo

How to automate hacking on the Raspberry Pi with the USB Rubber Ducky «Zero Byte :: WonderHowTo



While the USB Rubber Ducky is known by hackers as a tool for fast in-person keyboard-based attacks, one of the original applications was automation. In this guide, I will explain the latter and explain how we can use it to automate wireless handshake harvesting on the Raspberry Pi without using a screen or other input.

I will explain how to write script in Ducky, prepare a binary file, inject it and see the results. Our goal will be to create a payload that launches the Besside-ng process to collect wireless handshake in a screen session that allows us later via laptop or phone.

The Duck for Offensive & Defense

The USB Rubber Ducky can be connected to virtually any computer to use as a Human Interface Device (HID) keyboard. This is useful for creating payloads that execute commands remotely on a subject's computer, allowing you to automate complex tasks in a single payload.

It may look like a USB flash drive, but it is not. Image of SADMIN / Null Byte

You can turn your 30-second access to a target's computer into a permanent backdoor, a ransomware attack, or a custom payload, such as the planning of email threats to Dick Cheney The e-mail address of the destination will be displayed at midnight.

But the USB Rubber Ducky is not a completely offensive tool. The same ability to play commands quickly can be used as a method to automate certain pen test stages on our Raspberry Pi with Kali Linux.

Let the duck work

Automation on the USB Rubber Ducky course depends on the target you want to dump the payload on. In this case, we will use the Ducky to automate processes on our own device, so we will target Kali Linux running on the Raspberry Pi. Although we use the Ducky to quickly set up a process instead of attacking, the process of writing the script, encoding, and loading the payload is the same as if we were launching an attack.

The microSD card holder of the USB Rubber Ducky. Picture of SADMIN / Zero Byte

When we work on our own machine, we have the advantage of repeating and tweaking small aspects of our own machine to work more easily with the Ducky. Hotkeys can be added in order to trigger the desired actions more easily. In this example, I did not change my Kali Linux, so my script should work on every updated Kali distribution on a Raspberry Pi.

Debian Duck: Writing a Ducky Script for the Kali Linux Platform

When automating tasks with a Ducky, accessing a terminal window is essential. Some operating systems have a hotkey to open a command prompt or a terminal window. Kali does not do that, so we need to do a bit of work. Once we open a terminal window, the process becomes much easier, as we can insert commands directly into a bash shell.

The Raspberry Pi platform is not as powerful as many desktop or laptop computers. If the Pi runs too slowly to execute a command properly, it will mishit and derail all other commands in the sequence. For this reason, care must be taken that there is an appropriate "delay" to ensure that the target device can keep up with all incoming data.

The USB Rubber Ducky is easy to configure and swap. Picture of SADMIN / Null Byte

To open a terminal window via the USB Rubber Ducky on a Raspberry Pi with Kali, the following string has proved to be the starting sequence for other automation scripts.

DELAY 5000
ALT F2
DELAY 3000
STRING xfce4-terminal
DELAY 100
ENTER
DELAY 5000

This string allows a delay of 5 seconds The Pi Detects the Device, Alt F2 searches for applications, and enters xfce4-terminal to select and open a terminal window. Since the window may be slowing down when opened, I have delayed the next part of the script by 5 seconds to ensure that every command is sent properly.

Automating Wi-Fi handshake capture with nothing but ducks

The most basic "Active" Wi-Fi enlightenment involves scanning an area for in-service wireless networks and capturing long lists of WPA Hand shakes with Besside-ng. This tool enables mass auditing of local area networks to find those with weak passwords within a few minutes, significantly speeding up the process of capturing a data connection in an unfriendly environment.

This tool can be configured to attack all networks or a subset of discovered networks based on features such as encryption, channel, signal strength, and BSSID. To initiate this attack, several prerequisite steps must be taken to prepare the wireless attack card and later resume and control the session from a laptop or phone.

USB Rubber Ducky Ready to Charge. Image of SADMIN / Null Byte

In this example, we prepare these steps by launching a screen session, putting our attack map in monitor mode, and launching the attack on nearby networks.

Hiring A Headless Kali Pi To Attack Wi-Fi Handshakes

To get around the inadequacy of the Raspberry Pi screen, you can save time and respond to opportunities that you can not use. t allow a tedious setup and configuration. Within seconds, you can start a screen session and launch an attack without human intervention, without plugging the Ducky into the USB port. You'll need a few things to do this:

Step 1: Download the requisite repos to encode the duck

To encode Payload for the USB Rubber Ducky, we have to download the Ducky Encoder and other files to encode and decode Ducky Binaries. You also need the screen utility, which allows you to disconnect from SSH sessions and restore them later. This will allow us to launch an attack on a headless Pi and rejoin the screen later after logging in via SSH.

You can get this and my Kali Pi payload by opening a terminal window and cloning the repos: 19659020] apt-get install screen
git clone github.com/hak5darren/USB-Rubber-Ducky.git
cd USB Rubber Ducky
git clone github.com/sadmin2001/duckloads.git[19659021] This will create the folder with the encoding and decoding tools and drop my binary payload and TXT script file into a folder named " Duckloads "added. Each script you create has a TXT component and a BIN injectable binary component. If you forget to save your TXT file, you may find that you are rewriting a script using the binary decoder as a reference, so save it!

Step 2: Open the GUI Encoder and encode a new bin

To encode our payload we open the DuckyEncoderGUI.jar file in the folder USB Rubber Ducky 19659036] which opens a nice friendly GUI menu to code the Ducky.

  • Input File: Select my script at entenloads / respeo.txt to create a new BIN file , Look for respeo.txt as the input file, and you will see that the text of the Ducky script is displayed in the GUI window.
  • Layout File: Make sure you use the keyboard correctly for the layout of your Pi, since the default layout is "be," which causes gibberish to be typed.
  • Output file: Should be set to inject.bin and save to the same folder unless you want to specify another in the output file menu

Now click "Export bin" to create a binary file to create for the Ducky.

Step 3: Loading and Testing the Script

In a lab environment, it is important to know the timing of the script for the target device's speed or other possible To adjust quirks. When I worked with a Pi Zero and a Pi 3, I put a lot of time into my script so that a Pi that just booted up would run all of the provided input, even with slow execution.

Load the microSD card into an adapter or a card reader and connect it to your computer, delete all the binaries on the card, and then drag the new inject.bin onto the card. Eject when the transfer is complete.

Loading some payloads. Image of SADMIN / Null Byte

Load the microSD card into the Ducky. Start your Pi, connect it to an HDMI screen to get feedback, and give the script a test drive. If you find that it hangs or crashes, check the failed command and adjust the .txt file to correct the problem. Often the timing is too fast for the Pi to force an "enter" or open a new window, which can cause the commands to be garbled. I've worked to correct this by adding a little bit of time, but you can adjust it to what works for you.

The complete Ducky Script text for my Kali Automation script is as follows:

DELAY 5000
ALT F2
DELAY 3000
STRING xfce4-terminal
DELAY 100
ENTER
DELAY 5000
STRING screen
DELAY 1000
ENTER
DELAY 1000
ENTER
DELAY 5000
STRING airmon-ng start wlan1
DELAY 800
ENTER
DELAY 800
ENTER
DELAY 15000
STRING besside-ng wlan1mon
DELAY 800
ENTER
DELAY 800
ENTER
DELAY 5000
CTRL a
STRING d
DELAY 50
ENTER

– SADMIN / GitHub

Timing can be set for the device, but the steps should remain in the same order. The goal of the script is to launch an attack that can be resumed and controlled from another device. Therefore, it is important to create a screen session before running our commands.

Step 4: Through the Attack Checklist

In Order For the automation to succeed, we should let a few things pass when we connect the USB Rubber Ducky to the Kali Pi.

First we should watch how the Ducky connects and is recognized by the Pi as a keyboard, followed by a startup app search for "xfce4-terminal." When the xfce4 terminal is selected, The Pi should open the terminal window and immediately start a screening session. From this session, the Pi wlan1 (our attack antenna) throws over airmon-ng into the surveillance mode preparing the attack antenna for our attack before the attack.

After 15 seconds had passed for the process, the Pi will launch besside-ng with our newly named "wlan1mon" attack interface and begin the attack on all nearby networks. The last command is to disconnect the screen session so that it can be resumed from a phone or laptop via SSH.

Step 5: SSH into the Pi & Reconnect the Attack Session

Once the script does its thing, a Wi-Fi handshake attack script should be running in the background. To reconnect, you need to connect to the Pi via SSH and continue the screen session. SSH into the Pi and reconnect the session by entering the following terminal:

ssh root @ (IP address of Pi)
(enter your password)
screen -r

This should search for a disconnected screen sessions and automatically find one if found. If your script was successful, this session should help you understand how to attack attacking networks in the environment and create a list of handshakes to audit. You can run this session in the background by separating it, which you can do at any time by typing CTRL-A and then D .

Reconnect allows you to check the status of the attack and redirect, fix, narrow, or restart the attack. Occasionally, Besside-ng gets stuck ("no child process" or "network failed" error), which can be frustrating and break the automation process. Even if this happens, you can restart the screen with a single touch

Remix & Try Your Own

Now we've explored the basics of using the USB Rubber Ducky for automation – you can create your own scripts remix and create to manage your favorite attacks. The Rubber Ducky can quickly take a lot of work off your hands … it's up to you to explore the possibilities!

The USB Rubber Ducky is a serious tool that you can add to your pen test kit. Image of SADMIN / Null Byte

Thank you for reading and be sure to keep an eye on zero bytes for more hacking tutorials. You can ask me questions here or @ sadmin2001 on Twitter or Instagram

Do not miss: How to get Keystroke Injection Payloads on the USB Rubber Ducky

Cover and screenshots of SADMIN / Null Byte [19659069]
Source link