· 

USB Rubber Ducky as a security token

The USB Rubber Ducky resembles a regular USB flash drive, that (when connected to a computer) claims to be a keyboard and quickly starts entering all the predefined commands. It can be used to perform powerful keystroke injection attacks as part of a social engineering strategy. But it can also be used to implement some kind of possession-based authentication mechanism. Since remembering sufficiently long and complicated (which means many special characters and character variation) passwords requires superb memory skills, using the USB Rubber Ducky as a security token, which is a physical device used to gain access to an electronically restricted resource,  could be a comfortable alternative. 


How does it work?

Imagine you want to gain access to your mail account. What would you do after being asked for your password? Right! You would start typing. Well, let the USB Rubber Ducky type for you! It is most likely capable of 'remembering' much more characters than you can. 

 

The payload consists of 4 commands that will be translated to a binary file named 'inject.bin': 

DELAY 3000
STRING your password
DELAY 500
ENTER

What do all these commands mean?

  • DELAY 3000: "Wait for 3000 milliseconds (3 seconds)." This time is needed to create a 'moment of silence' between sequential commands that may take the target some time to process.
  • STRING your password: "Type <your password>."
  • DELAY 500: "Wait for 500 milliseconds (half a second)."
  • ENTER: "Press the ENTER-key."

For the incredible weak password '123456Seven' the result (displayed inside a Hex-Editor) looks like:


Inject-file generator (German keyboard layout)

To use your USB Rubber Ducky in the way described above, you simply need to enter your preferred password and click the button 'Generate'. After that you can download the 'inject.bin' by clicking 'Download'.

   

Other keyboard layouts will follow soon ...


Security flaws

Although the whole idea sounds great at first glance, there're some security flaws worth naming: 

  • The password will be saved in clear text (unhashed) on the device.
  • The 'inject.bin' file can easily be decrypted.
  • It is no 'real' hardware security token (more like a knowledge-based authentication supporter).
  • The input can be logged by a keylogger.
  • If an attacker gets the USB Rubber Ducky, opens a simple text editor and plugs the 'token' into an open USB port, the password will be typed in clear text!

Source Code

var input = document.getElementById("input");
var chars = new Array();
var key_codes = new Array();
var data = new Int8Array(100000);
var compressed_data;
var pos = 0;

chars["KEY_NON_US_100"] = ["100",""];
chars["ASCII_20"] = ["KEY_SPACE",""];
chars["ASCII_21"] = ["KEY_1", "MODIFIERKEY_SHIFT"];
chars["ASCII_22"] = ["KEY_2","MODIFIERKEY_SHIFT"];
chars["ASCII_23"] = ["KEY_BACKSLASH",""];
chars["ASCII_24"] = ["KEY_4","MODIFIERKEY_SHIFT"];
chars["ASCII_25"] = ["KEY_5","MODIFIERKEY_SHIFT"];
chars["ASCII_26"] = ["KEY_6","MODIFIERKEY_SHIFT"];
chars["ASCII_27"] = ["KEY_BACKSLASH","MODIFIERKEY_SHIFT"];
chars["ASCII_28"] = ["KEY_8","MODIFIERKEY_SHIFT"];
chars["ASCII_29"] = ["KEY_9","MODIFIERKEY_SHIFT"];
chars["ASCII_2A"] = ["KEY_RIGHT_BRACE","MODIFIERKEY_SHIFT"];
chars["ASCII_2B"] = ["KEY_RIGHT_BRACE",""];
chars["ASCII_2C"] = ["KEY_COMMA",""];
chars["ASCII_2D"] = ["KEY_SLASH",""];
chars["ASCII_2E"] = ["",""];
chars["ASCII_2F"] = ["KEY_7","MODIFIERKEY_SHIFT"];
chars["ASCII_30"] = ["KEY_0",""];
chars["ASCII_31"] = ["KEY_1",""];
chars["ASCII_32"] = ["KEY_2",""];
chars["ASCII_33"] = ["KEY_3",""];
chars["ASCII_34"] = ["KEY_4",""];
chars["ASCII_35"] = ["KEY_5",""];
chars["ASCII_36"] = ["KEY_6",""];
chars["ASCII_37"] = ["KEY_7",""];
chars["ASCII_38"] = ["KEY_8",""];
chars["ASCII_39"] = ["KEY_9",""];
chars["ASCII_3A"] = ["KEY_PERIOD","MODIFIERKEY_SHIFT"];
chars["ASCII_3B"] = ["KEY_COMMA","MODIFIERKEY_SHIFT"];
chars["ASCII_3C"] = ["KEY_NON_US_100",""];
chars["ASCII_3D"] = ["KEY_0","MODIFIERKEY_SHIFT"];
chars["ASCII_3E"] = ["KEY_NON_US_100","MODIFIERKEY_SHIFT"];
chars["ASCII_3F"] = ["KEY_MINUS","MODIFIERKEY_SHIFT"];
chars["ASCII_40"] = ["KEY_Q","MODIFIERKEY_RIGHT_ALT"];
chars["ASCII_41"] = ["KEY_A","MODIFIERKEY_SHIFT"];
chars["ASCII_42"] = ["KEY_B","MODIFIERKEY_SHIFT"];
chars["ASCII_43"] = ["KEY_C","MODIFIERKEY_SHIFT"];
chars["ASCII_44"] = ["KEY_D","MODIFIERKEY_SHIFT"];
chars["ASCII_45"] = ["KEY_E","MODIFIERKEY_SHIFT"];
chars["ASCII_46"] = ["KEY_F","MODIFIERKEY_SHIFT"];
chars["ASCII_47"] = ["KEY_G","MODIFIERKEY_SHIFT"];
chars["ASCII_48"] = ["KEY_H","MODIFIERKEY_SHIFT"];
chars["ASCII_49"] = ["KEY_I","MODIFIERKEY_SHIFT"];
chars["ASCII_4A"] = ["KEY_J","MODIFIERKEY_SHIFT"];
chars["ASCII_4B"] = ["KEY_K","MODIFIERKEY_SHIFT"];
chars["ASCII_4C"] = ["KEY_L","MODIFIERKEY_SHIFT"];
chars["ASCII_4D"] = ["KEY_M","MODIFIERKEY_SHIFT"];
chars["ASCII_4E"] = ["KEY_N","MODIFIERKEY_SHIFT"];
chars["ASCII_4F"] = ["KEY_O","MODIFIERKEY_SHIFT"];
chars["ASCII_50"] = ["KEY_P","MODIFIERKEY_SHIFT"];
chars["ASCII_51"] = ["KEY_Q","MODIFIERKEY_SHIFT"];
chars["ASCII_52"] = ["KEY_R","MODIFIERKEY_SHIFT"];
chars["ASCII_53"] = ["KEY_S","MODIFIERKEY_SHIFT"];
chars["ASCII_54"] = ["KEY_T","MODIFIERKEY_SHIFT"];
chars["ASCII_55"] = ["KEY_U","MODIFIERKEY_SHIFT"];
chars["ASCII_56"] = ["KEY_V","MODIFIERKEY_SHIFT"];
chars["ASCII_57"] = ["KEY_W","MODIFIERKEY_SHIFT"];
chars["ASCII_58"] = ["KEY_X","MODIFIERKEY_SHIFT"];
chars["ASCII_59"] = ["KEY_Z","MODIFIERKEY_SHIFT"];
chars["ASCII_5A"] = ["KEY_Y","MODIFIERKEY_SHIFT"];
chars["ASCII_5B"] = ["KEY_8","MODIFIERKEY_RIGHT_ALT"];
chars["ASCII_5C"] = ["KEY_MINUS","MODIFIERKEY_RIGHT_ALT"];
chars["ASCII_5D"] = ["KEY_9","MODIFIERKEY_RIGHT_ALT"];
chars["ASCII_5E"] = ["KEY_TILDE","MODIFIERKEY_SHIFT"];
chars["ASCII_5F"] = ["KEY_SLASH",""];
chars["ASCII_60"] = ["KEY_EQUAL","MODIFIERKEY_SHIFT"];
chars["ASCII_61"] = ["KEY_A",""];
chars["ASCII_62"] = ["KEY_B",""];
chars["ASCII_63"] = ["KEY_C",""];
chars["ASCII_64"] = ["KEY_D",""];
chars["ASCII_65"] = ["KEY_E",""];
chars["ASCII_66"] = ["KEY_F",""];
chars["ASCII_67"] = ["KEY_G",""];
chars["ASCII_68"] = ["KEY_H",""];
chars["ASCII_69"] = ["KEY_I",""];
chars["ASCII_6A"] = ["KEY_J",""];
chars["ASCII_6B"] = ["KEY_K",""];
chars["ASCII_6C"] = ["KEY_L",""];
chars["ASCII_6D"] = ["KEY_M",""];
chars["ASCII_6E"] = ["KEY_N",""];
chars["ASCII_6F"] = ["KEY_O",""];
chars["ASCII_70"] = ["KEY_P",""];
chars["ASCII_71"] = ["KEY_Q",""];
chars["ASCII_72"] = ["KEY_R",""];
chars["ASCII_73"] = ["KEY_S",""];
chars["ASCII_74"] = ["KEY_T",""];
chars["ASCII_75"] = ["KEY_U",""];
chars["ASCII_76"] = ["KEY_V",""];
chars["ASCII_77"] = ["KEY_W",""];
chars["ASCII_78"] = ["KEY_X",""];
chars["ASCII_79"] = ["KEY_Z",""];
chars["ASCII_7A"] = ["KEY_Y",""];
chars["ASCII_7B"] = ["KEY_7","MODIFIERKEY_RIGHT_ALT"];
chars["ASCII_7C"] = ["KEY_NON_US_100","MODIFIERKEY_RIGHT_ALT"];
chars["ASCII_7D"] = ["KEY_0","MODIFIERKEY_RIGHT_ALT"];
chars["ASCII_7E"] = ["KEY_RIGHT_BRACE","MODIFIERKEY_RIGHT_ALT"];
chars["ASCII_7F"] = ["KEY_BACKSPACE",""];
chars["ISO_8859_1_A0"] = ["KEY_SPACE",""];
chars["ISO_8859_1_A4"] = ["KEY_E","MODIFIERKEY_RIGHT_ALT"];
chars["ISO_8859_1_A7"] = ["KEY_3","MODIFIERKEY_SHIFT"];
chars["ISO_8859_1_B0"] = ["KEY_TILDE","MODIFIERKEY_SHIFT"];
chars["ISO_8859_1_B2"] = ["KEY_2","MODIFIERKEY_RIGHT_ALT"];
chars["ISO_8859_1_B3"] = ["KEY_3","MODIFIERKEY_RIGHT_ALT"];
chars["ISO_8859_1_C4"] = ["KEY_QUOTE","MODIFIERKEY_SHIFT"];
chars["ISO_8859_1_D6"] = ["KEY_SEMICOLON","MODIFIERKEY_SHIFT"];
chars["ISO_8859_1_DC"] = ["KEY_LEFT_BRACE","MODIFIERKEY_SHIFT"];
chars["ISO_8859_1_DF"] = ["KEY_MINUS",""];
chars["ISO_8859_1_E4"] = ["KEY_QUOTE",""];
chars["ISO_8859_1_F6"] = ["KEY_SEMICOLON",""];
chars["ISO_8859_1_FC"] = ["KEY_LEFT_BRACE",""];
chars["UNICODE_20AC"] = ["KEY_E","MODIFIERKEY_RIGHT_ALT"];

key_codes["MODIFIERKEY_CTRL"] = "0x01";
key_codes["MODIFIERKEY_SHIFT"] = "0x02";
key_codes["MODIFIERKEY_ALT"] = "0x04";
key_codes["MODIFIERKEY_GUI"] = "0x08";
key_codes["MODIFIERKEY_LEFT_CTRL"] = "0x01";
key_codes["MODIFIERKEY_LEFT_SHIFT"] = "0x02";
key_codes["MODIFIERKEY_LEFT_ALT"] = "0x04";
key_codes["MODIFIERKEY_LEFT_GUI"] = "0x08";
key_codes["MODIFIERKEY_RIGHT_CTRL"] = "0x10";
key_codes["MODIFIERKEY_RIGHT_SHIFT"] = "0x20";
key_codes["MODIFIERKEY_RIGHT_ALT"] = "0x40";
key_codes["MODIFIERKEY_RIGHT_GUI"] = "0x80";
key_codes["KEY_MEDIA_VOLUME_INC"] = "0x80";
key_codes["KEY_MEDIA_VOLUME_DEC"] = "0x81";
key_codes["KEY_MEDIA_MUTE"] = "0x7F";
key_codes["KEY_MEDIA_PLAY_PAUSE"] = "0x08";
key_codes["KEY_MEDIA_NEXT_TRACK"] = "0x10";
key_codes["KEY_MEDIA_PREV_TRACK"] = "0x20";
key_codes["KEY_A"] = "4";
key_codes["KEY_B"] = "5";
key_codes["KEY_C"] = "6";
key_codes["KEY_D"] = "7";
key_codes["KEY_E"] = "8";
key_codes["KEY_F"] = "9";
key_codes["KEY_G"] = "10";
key_codes["KEY_H"] = "11";
key_codes["KEY_I"] = "12";
key_codes["KEY_J"] = "13";
key_codes["KEY_K"] = "14";
key_codes["KEY_L"] = "15";
key_codes["KEY_M"] = "16";
key_codes["KEY_N"] = "17";
key_codes["KEY_O"] = "18";
key_codes["KEY_P"] = "19";
key_codes["KEY_Q"] = "20";
key_codes["KEY_R"] = "21";
key_codes["KEY_S"] = "22";
key_codes["KEY_T"] = "23";
key_codes["KEY_U"] = "24";
key_codes["KEY_V"] = "25";
key_codes["KEY_W"] = "26";
key_codes["KEY_X"] = "27";
key_codes["KEY_Y"] = "28";
key_codes["KEY_Z"] = "29";
key_codes["KEY_1"] = "30";
key_codes["KEY_2"] = "31";
key_codes["KEY_3"] = "32";
key_codes["KEY_4"] = "33";
key_codes["KEY_5"] = "34";
key_codes["KEY_6"] = "35";
key_codes["KEY_7"] = "36";
key_codes["KEY_8"] = "37";
key_codes["KEY_9"] = "38";
key_codes["KEY_0"] = "39";
key_codes["KEY_ENTER"] = "40";
key_codes["KEY_ESC"] = "41";
key_codes["KEY_BACKSPACE"] = "42";
key_codes["KEY_TAB"] = "43";
key_codes["KEY_SPACE"] = "44";
key_codes["KEY_MINUS"] = "45";
key_codes["KEY_EQUAL"] = "46";
key_codes["KEY_LEFT_BRACE"] = "47";
key_codes["KEY_RIGHT_BRACE"] = "48";
key_codes["KEY_BACKSLASH"] = "49";
key_codes["KEY_NON_US_NUM"] = "50";
key_codes["KEY_SEMICOLON"] = "51";
key_codes["KEY_QUOTE"] = "52";
key_codes["KEY_TILDE"] = "53";
key_codes["KEY_COMMA"] = "54";
key_codes["KEY_PERIOD"] = "55";
key_codes["KEY_SLASH"] = "56";
key_codes["KEY_CAPS_LOCK"] = "57";
key_codes["KEY_F1"] = "58";
key_codes["KEY_F2"] = "59";
key_codes["KEY_F3"] = "60";
key_codes["KEY_F4"] = "61";
key_codes["KEY_F5"] = "62";
key_codes["KEY_F6"] = "63";
key_codes["KEY_F7"] = "64";
key_codes["KEY_F8"] = "65";
key_codes["KEY_F9"] = "66";
key_codes["KEY_F10"] = "67";
key_codes["KEY_F11"] = "68";
key_codes["KEY_F12"] = "69";
key_codes["KEY_PRINTSCREEN"] = "70";
key_codes["KEY_SCROLL_LOCK"] = "71";
key_codes["KEY_PAUSE"] = "72";
key_codes["KEY_INSERT"] = "73";
key_codes["KEY_HOME"] = "74";
key_codes["KEY_PAGEUP"] = "75";
key_codes["KEY_DELETE"] = "76";
key_codes["KEY_END"] = "77";
key_codes["KEY_PAGEDOWN"] = "78";
key_codes["KEY_RIGHT"] = "79";
key_codes["KEY_LEFT"] = "80";
key_codes["KEY_DOWN"] = "81";
key_codes["KEY_UP"] = "82";
key_codes["KEY_NUM_LOCK"] = "83";
key_codes["KEYPAD_SLASH"] = "84";
key_codes["KEYPAD_ASTERIX"] = "85";
key_codes["KEYPAD_MINUS"] = "86";
key_codes["KEYPAD_PLUS"] = "87";
key_codes["KEYPAD_ENTER"] = "88";
key_codes["KEYPAD_EQUALS"] = "103";
key_codes["KEYPAD_1"] = "89";
key_codes["KEYPAD_2"] = "90";
key_codes["KEYPAD_3"] = "91";
key_codes["KEYPAD_4"] = "92";
key_codes["KEYPAD_5"] = "93";
key_codes["KEYPAD_6"] = "94";
key_codes["KEYPAD_7"] = "95";
key_codes["KEYPAD_8"] = "96";
key_codes["KEYPAD_9"] = "97";
key_codes["KEYPAD_0"] = "98";
key_codes["KEYPAD_PERIOD"] = "99";
key_codes["KEY_APP"] = "0x65";
key_codes["KEY_POWER"] = "0x66";
key_codes["KEY_EXE"] = "0x74";
key_codes["KEY_HELP"] = "0x75";
key_codes["KEY_MENU"] = "0x76";
key_codes["KEY_SELECT"] = "0x77";
key_codes["KEY_STOP"] = "0x78";
key_codes["KEY_AGAIN"] = "0x79";
key_codes["KEY_UNDO"] = "0x7A";
key_codes["KEY_CUT"] = "0x7B";
key_codes["KEY_COPY"] = "0x7C";
key_codes["KEY_PASTE"] = "0x7D";
key_codes["KEY_FIND"] = "0x7E";
key_codes["KEY_SYSTEM_POWER"] = "0x81";
key_codes["KEY_SYSTEM_SLEEP"] = "0x82";
key_codes["KEY_SYSTEM_WAKE"] = "0x83";
key_codes["KEYPAD_PIPE"] = "0xC9";
key_codes["KEY_LEFT_CTRL"] = "0xE0";
key_codes["KEY_LEFT_SHIFT"] = "0xE1";
key_codes["KEY_LEFT_ALT"] = "0xE2";
key_codes["KEY_LEFT_GUI"] = "0xE3";
key_codes["KEY_COMMAND"] = "0xE3";
key_codes["KEY_RIGHT_CTRL"] = "0xE4";
key_codes["KEY_RIGHT_SHIFT"] = "0xE5";
key_codes["KEY_RIGHT_ALT"] = "0xE6";
key_codes["KEY_RIGHT_GUI"] = "0xE7";

var download = (function () {
    var dwnld = document.createElement("a");
    document.body.appendChild(dwnld);
    dwnld.style = "display: none";
    return function (data, name) {
        var blob = new Blob(data, {type: "octet/stream"}),
        url = window.URL.createObjectURL(blob);
        dwnld.href = url;
        dwnld.download = name;
        dwnld.click();
        window.URL.revokeObjectURL(url);
    };
}());

function ctc(character) {
        var character = character.charCodeAt(0);
        var code;
        if (character < 128) {
                code = "ASCII_" + character.toString(16).toUpperCase();
        } else if (character < 256) {
                code = "ISO_8859_1_" + character.toString(16).toUpperCase();
        } else {
                code = "UNICODE_" + character.toString(16).toUpperCase();
        }
        return code;
}

function stb(str) {
        if (str.startsWith("0x")) {
                return parseInt(str.substring(2), 16);
        } else {
                return parseInt(str);
        }
}

function c2b(str) {
        if (chars[str] != null) {
                var keys = new Array();
                if(chars[str][1] != ""){
                        keys[0] = chars[str][0];
                        keys[1] = chars[str][1];
                } else {
                        keys[0] = chars[str][0];
                }

        var bytes = new Int8Array(keys.length);
                for (var i = 0; i < keys.length; i++) {
                        var key = keys[i].trim();
                                if (key_codes[key] != null) {
                                        bytes[i] = stb(key_codes[key].trim());
                                } else if (chars[key] != null) {
                                        bytes[i] = stb(chars[key][0].trim());
                                } else {
                                        bytes[i] = 0x00;
                                }
                        }
                        return bytes;
        } else {
                window.alert("Fehler! Zeichen nicht gefunden! <" + str + ">");
                var bytes = new Int8Array(1);
                bytes[0] = 0x00;
                return bytes;
        }
}

function ctb(character) {
        return c2b(ctc(character));
}

function add(table) {
        for (var i = 0; i < table.length; i++){
                data[pos] = table[i];
                pos++;
        }
        if (table.length % 2 != 0) {
                data[pos] = 0x00;
                pos++;
        }
}

var download_button = document.getElementById("download");
download_button.style.visibility='hidden';
    
function generate(){
        try{
                var delay1 = 3000;
                var delay2 = 500;
                var pwd = input.value;
        while (delay1 > 0) {
                data[pos] = 0x00;
                pos++;
                if (delay1 > 255) {
                        data[pos] = 0xFF;
                        pos++;
                        delay1 -= 255;
                } else {
                        data[pos] = delay1;
                        pos++;
                        delay1 = 0;
                }
        }
                
        for (var i = 0; i < pwd.length; i++) {
                var character = pwd.charAt(i);
                add(ctb(character));
        }
                
        while (delay2 > 0) {
                data[pos] = 0x00;
                pos++;
                if (delay2 > 255) {
                        data[pos] = 0xFF;
                        pos++;
                        delay2 -= 255;
                } else {
                        data[pos] = delay2;
                        pos++;
                        delay2 = 0;
                }
        }
                
        data[pos] = parseInt("40");
        pos++;
        data[pos] = 0x00;       

        compressed_data = new Int8Array(pos + 1);
        for(var i = 0; i <= pos; i++){
                compressed_data[i] = data[i];
        }
                
                download_button.style.visibility='visible';
                }catch(err){
                        window.alert("Ihre Eingabe ist ungültig!");
                }
}

function download_data(){
        download([compressed_data], 'inject.bin');
}