Ducky Script is the language of the USB Rubber Ducky. Writing scripts for can be done from any common ascii text editor such as Notepad, vi, emacs, nano, gedit, kedit, TextEdit, etc. Syntax Ducky Script syntax is simple. Each command resides on a new line and may have options follow. Commands are written in ALL […]

Read more

Obfuscation and Optimization While this post isn’t intended to be a comprehensive list of obfuscation and optimization techniques, these three simple examples effectively illustrate the concept. Obfuscation So what is obfuscation? Obfuscation is all about reducing the visibility of the payload, or simply put – making it stealthier. This is crucial in a social engineering […]

Read more

Your First Payload Writing a successful payload is a process of continuously researching, writing, encoding, testing and optimizing. Often times a payload involves re-writing the ducky script, encoding the inject.bin and deploying the payload on a test machine several times until the desired result is achieved. For this reason it’s important to become familiar with […]

Read more

Whether you’re auditing an ATM, esoteric cash register system, an electronic safe, specialized kiosk or an ordinary Windows PC – the workflow will be similar.   Pre-engagement Interactions As with any audit, pre-engagement interactions may help determine the hardware, software and network environment of the target. Asking detailed questions about the environment before the engagement […]

Read more

A two second HID attack against Windows and Mac that launches the website of your choosing. That’s by far the most effective security awareness payload for the USB Rubber Ducky. Cyber security awareness building is important, and developing an effective security awareness program – or at least raising eyebrows that one is even necessary – doesn’t […]

Read more

As a keystroke injection attack tool capable of mimicking both a USB keyboard and mass storage, the USB Rubber Ducky excels at autonomously exfiltrating documents – or what we like to call performing an involuntary backup. In this article I will briefly outline the steps necessary to create turn your USB Rubber Ducky into a document […]

Read more

The 3 Second Reverse Shell with a USB Rubber Ducky In this tutorial we’ll be setting up a Reverse Shell payload on the USB Rubber Ducky that’ll execute in just 3 seconds. A reverse shell is a type of shell where the victim computer calls back to an attacker’s computer. The attacking computer typically listens […]

Read more

Pilfering Passwords with the USB Rubber Ducky Can you social engineer your target into plugging in a USB drive? How about distracting ’em for the briefest of moments? 15 seconds of physical access and a USB Rubber Ducky is all it takes to swipe passwords from an unattended PC. In honor of the USB Rubber […]

Read more