USB Rubber Ducky

Keystroke Injection

To a human, the USB Rubber Ducky is a flash drive.

To a computer it’s a keyboard, typing at superhuman speeds.

Computers trust humans. Humans use keyboards. Hence the universal spec — HID, or Human Interface Device.

A keyboard presents itself as an HID, and in turn, it’s inherently trusted as a human by the computer.

The USB Rubber Ducky — which looks like an innocent flash drive to humans — abuses this trust to deliver potent payloads, injecting keystrokes at superhuman speeds.

A revolutionary new side-channel exfiltration pathway evades endpoint restrictions, firewalls, and air gaps.

Keystroke Reflection exploits the de facto standard keyboard-computer architecture implemented by all IBM-PC compatibles since 1984 and adopted in USB HID, providing a side-channel exfiltration pathway that has impacted nearly all personal computers over the last 4 decades.

New Hotplug Hacking Framework

USB Rubber Ducky

A new version of the iconic, field-proven hotplug attack tool that invented the Keystroke Injection attack.

DuckyScript™ 3.0 Advanced

A feature-rich programming language as simple as a few key macros, or as complex as your creativity takes you!

Payload Studio

Unleash your hacking creativity with this full-featured Integrated Development Environment for all the Hak5 gear.

Extensions

Bring your payloads to life with this library of reusable functions — from OS detection to Keystroke Reflection.

PayloadHub

Share your creations with the world, get rewarded, and find inspiration from the community payload repository.

Education

Learn directly from the innovators — from e-books & pocket guides to the complete course textbook.

Advanced DuckyScript

A feature-rich structured programming language.

As simple as keystroke macros…

…or as complex as you can imagine!

variables, if/then flow control, while loops, functions, randomization, extensions & more

End Points & Control Codes

Today, keyboards implement the Human Interface Device (HID) specification. This calls for an “IN endpoint” for the communication of keystrokes from the keyboard to the computer, and an “OUT endpoint” for the communication of lock key LED states from the computer to the keyboard.

A set of HID codes for LED control (spec code page 08) defines this communication. Often, these control codes are sent from the computer to the keyboard via the OUT endpoint when a computer starts. As an example, many BIOS (or UEFI) implementations provide an option to enable num lock at boot. If enabled, the control code is sent to the keyboard when the computer powers on.

As another example, one may disable a lock key altogether. On a Linux system, command line tools like xmodmap, setxkbmap, and xdotool may be used to disable caps lock. An edit to the registry may perform a similar task on Windows systems.

In both cases, the keyboard, naive to the attached computer’s configuration, will still send the appropriate control code to the IN endpoint when the caps lock key is pressed. However, the computer may disregard the request and neglect to send the corresponding LED indication control code back to the keyboard via the OUT endpoint.

Synchronous Reports

As demonstrated, a target may accept keystroke input from multiple HID devices. Put another way, all USB HID keyboard devices connected to a computer feature an IN endpoint, from which keystrokes from the keyboard may be sent to the target computer.

Similarly, all USB HID keyboards connected to the computer feature an OUT endpoint, to which the computer may send caps lock, num lock and scroll lock control codes for the purposes of controlling the appropriate lock key LED light.

This may be validated by connecting multiple USB keyboards to a computer. Press the caps lock key on one keyboard, and watch the caps lock indicator on all keyboards light up.

Due to the synchronous nature of the control code being sent to all USB HID OUT endpoints, the USB Rubber Ducky may perform systematic functions based on the state of the lock keys.

Exploiting the Keyboard-Computer Architecture as an Exfiltration Pathway

The USB Rubber Ducky features a USB HID OUT endpoint which may accept control codes for the purposes of toggling the lock key LED indicators.

In much the same way Keystroke Injection attacks take advantage of the keyboard-computer trust model, Keystroke Reflection attacks take advantage of the keyboard-computer architecture.

By taking advantage of this architecture, the USB Rubber Ducky may glean sensitive data by means of keystroke reflection, using the lock keys as an exfiltration pathway.

This may be particularly useful for performing exfiltration attacks against targets on air-gapped networks where traditional network medium exfiltration techniques are not viable.

Similarly, devices with strict endpoint device restrictions may be susceptible to Keystroke Reflection as it does not take advantage of well-known physical medium exfiltration techniques.

Keystroke Reflection is a new side-channel exfiltration technique developed by Hak5 — the same organization that developed Keystroke Injection. With its debut on the new USB Rubber Ducky, it demonstrates how difficult the attack is to mitigate, as it does not rely on a system weakness but rather on a system design and implementation that date back to 1984.

Using Keystroke Reflection with DuckyScript, both files and variables may be stored on the USB Rubber Ducky storage without exposing the mass storage “flash drive” to the target computer.

The Keystroke Reflection attack consists of two phases. In the first phase — performed as part of a keystroke injection attack — the data of interest, or “loot”, is gathered from the target and encoded as lock keystrokes for reflection.

In the second phase, the USB Rubber Ducky enters Exfil Mode where it will act as a control code listener on the HID OUT endpoint. Then, the target reflects the encoded lock keystrokes. The binary values of the reflected, or “bit banged”, lock keys are stored as 1’s and 0’s in the loot.bin file on the USB Rubber Ducky. 
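Because the reflected data travels as lock-key LED control codes sent to every keyboard's OUT endpoint, a defender can look for lock-state changes arriving faster than a person presses lock keys. The sketch below is an added example, not Hak5 code: it assumes LED report bytes have already been captured on the host with timestamps, and the function names, window and threshold are illustrative choices.

```python
from collections import deque

# Lock-LED bits in a boot-keyboard LED output report (HID LED usage page 0x08).
LED_BITS = {0x01: "num", 0x02: "caps", 0x04: "scroll"}

def led_names(report_byte):
    """Decode one LED report byte into the set of lit lock LEDs."""
    return {name for bit, name in LED_BITS.items() if report_byte & bit}

def count_toggles(prev, cur):
    """Count lock LEDs whose state changed between two reports."""
    return bin((prev ^ cur) & 0x07).count("1")

def find_bursts(events, window_ms=1000, threshold=8):
    """Return (first_ms, last_ms, peak) for each run in which lock-LED
    toggles inside a sliding window reach `threshold`. Both limits are
    assumed starting values, to be tuned against normal use."""
    recent, total = deque(), 0      # (timestamp, toggles) still in window
    bursts, prev, active = [], None, False
    for ts, byte in events:
        changed = count_toggles(prev, byte) if prev is not None else 0
        prev = byte
        if changed:
            recent.append((ts, changed))
            total += changed
        while recent and ts - recent[0][0] > window_ms:
            total -= recent.popleft()[1]
        if total < threshold:
            active = False
        elif active:
            first, _, peak = bursts[-1]
            bursts[-1] = (first, ts, max(peak, total))
        else:
            bursts.append((recent[0][0], ts, total))
            active = True
    return bursts

# Constructed sample: (milliseconds, LED report byte) pairs.
HUMAN = [(0, 0x00), (2500, 0x02), (9100, 0x00), (30000, 0x01)]
BURST = [(40000 + i * 10, (0x02, 0x03, 0x01, 0x00)[i % 4]) for i in range(40)]

if __name__ == "__main__":
    for first, last, peak in find_bursts(HUMAN + BURST):
        print(f"lock-LED burst {first}-{last} ms, peak {peak} toggles/window")
```

The occasional lock-key presses in `HUMAN` never reach the threshold, while the 10 ms cadence in `BURST` is reported as a single span.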

Conclusion

The USB Rubber Ducky is a device used for educational purposes by a company called Hak5.

About Hak5:

Founded in 2005, Hak5’s mission is to advance the InfoSec industry. We do this through our award-winning podcasts, leading pentest gear, and inclusive community – where all hackers belong.

Hak5 gear has found its way into the hearts and toolkits of enthusiasts and red-teams alike. They’re notable for being effective, easy, and expandable. Our design philosophy is simple – make it do the thing. From WiFi audits to covert implants and hotplug mayhem, Hak5 gear delivers.