USB Rubber Ducky: Keystroke Injection
The USB Rubber Ducky is not a typical USB drive. It is a Human Interface Device (HID) that computers recognize as a standard keyboard. This allows it to inject pre-programmed keystroke sequences at superhuman speeds, executing commands and automating tasks as if a person were typing them.
How a Keystroke Injection Attack Works
An attacker can program a Rubber Ducky with a payload written in "DuckyScript." When the device is plugged into a target computer, it immediately begins "typing" its payload. This can be used to:
- Open a command prompt or terminal and download/execute malicious software from the internet.
- Exfiltrate saved Wi-Fi passwords or browser credentials.
- Create a reverse shell, giving the attacker remote access to the machine.
- Bypass security controls that rely on blocking storage devices (since it's seen as a keyboard).
# Simple DuckyScript to open Notepad and type a message on Windows
DELAY 1000
GUI r
DELAY 500
STRING notepad
ENTER
DELAY 750
STRING Hello, world! This is a payload.
ENTER
Defensive Measures:
- Physical Security: The most important defense. Lock your computer when you step away, even for a moment. Control physical access to sensitive areas and server rooms.
- User Awareness & Training: Educate users about the danger of plugging in unknown USB devices found in public spaces (a common social engineering tactic).
- Port Disablement & Whitelisting: In high-security environments, disable unused USB ports via BIOS/UEFI settings or use software to only allow authorized (whitelisted) USB devices.
- Endpoint Security Software: Some modern security solutions can detect and block the rapid keystroke injection patterns characteristic of a BadUSB device.
Resources and Further Reading
- Hak5 Official Product Page - The creators of the USB Rubber Ducky.
- Official DuckyScript Documentation - Learn how to write payloads for the device.
- Community Payloads Repository - A large collection of DuckyScript payloads for various operating systems and tasks.