The USB Rubber Ducky resembles a regular USB flash drive, but when connected to a computer it claims to be a keyboard and quickly starts entering its predefined commands. It can be used to perform powerful keystroke injection attacks as part of a social engineering strategy, but it can also be used to implement a kind of possession-based authentication mechanism. Remembering sufficiently long and complicated passwords (that is, many special characters and much character variation) requires superb memory skills, so using the USB Rubber Ducky as a security token, a physical device used to gain access to an electronically restricted resource, could be a comfortable alternative.
How does it work?
Imagine you want to gain access to your mail account. What would you do after being asked for your password? Right! You would start typing. Well, let the USB Rubber Ducky type for you! It is most likely capable of 'remembering' many more characters than you can.
The payload consists of 4 commands that will be translated to a binary file named 'inject.bin':
What do all these commands mean?
- DELAY 3000: "Wait for 3000 milliseconds (3 seconds)." This time is needed to create a 'moment of silence' between sequential commands that may take the target some time to process.
- STRING your password: "Type <your password>."
- DELAY 500: "Wait for 500 milliseconds (half a second)."
- ENTER: "Press the ENTER-key."
For the incredibly weak password '123456Seven' the result (displayed inside a hex editor) looks like:
Inject-file generator (German keyboard layout)
To use your USB Rubber Ducky in the way described above, you simply need to enter your preferred password and click the button 'Generate'. After that you can download the 'inject.bin' by clicking 'Download'.
Other keyboard layouts will follow soon ...
Although the whole idea sounds great at first glance, there are some security flaws worth naming:
- The password will be saved in clear text (unhashed) on the device.
- The 'inject.bin' file can easily be decoded.
- It is not a 'real' hardware security token (more like a knowledge-based authentication supporter).
- The input can be logged by a keylogger.
- If an attacker gets the USB Rubber Ducky, opens a simple text editor and plugs the 'token' into an open USB port, the password will be typed in clear text!
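The first two flaws can be seen by encoding the four-command payload and reading it straight back, as in this added example (not the generator's own code). It assumes the classic inject.bin layout of two-byte (key code, modifier) pairs with delays stored as 0x00 followed by up to 255 ms, and a US-layout table limited to letters and digits; encode, decode and PAYLOAD are names chosen here.

```python
import string

SHIFT = 0x02  # HID left-shift modifier bit
ENTER = 0x28  # HID usage ID of the Enter key
# Assumption: US-layout usage IDs for letters and digits only; the page's
# generator targets the German layout, where y/z and the symbols differ.
KEYCODES = {c: 0x04 + i for i, c in enumerate(string.ascii_lowercase)}
KEYCODES.update({d: 0x1E + i for i, d in enumerate("1234567890")})
CHARS = {code: c for c, code in KEYCODES.items()}

def encode(script: str) -> bytes:
    """Translate DELAY / STRING / ENTER lines into (key code, modifier) pairs."""
    out = bytearray()
    for line in script.strip().splitlines():
        cmd, _, arg = line.strip().partition(" ")
        if cmd == "DELAY":
            ms = int(arg)
            while ms > 0:  # one delay pair holds at most 255 ms
                step = min(ms, 255)
                out += bytes([0x00, step])
                ms -= step
        elif cmd == "STRING":
            for ch in arg:
                if ch.lower() not in KEYCODES:
                    raise ValueError(f"unsupported character: {ch!r}")
                out += bytes([KEYCODES[ch.lower()], SHIFT if ch.isupper() else 0])
        elif cmd == "ENTER":
            out += bytes([ENTER, 0x00])
        else:
            raise ValueError(f"unsupported command: {cmd!r}")
    return bytes(out)

def decode(blob: bytes) -> str:
    """Recover the typed text; delay pairs (key code 0x00) and ENTER are skipped."""
    text = []
    for code, mod in zip(blob[0::2], blob[1::2]):
        if code in CHARS:
            ch = CHARS[code]
            text.append(ch.upper() if mod & SHIFT else ch)
    return "".join(text)

# The page's four commands with its example password.
PAYLOAD = "DELAY 3000\nSTRING 123456Seven\nDELAY 500\nENTER"

if __name__ == "__main__":
    blob = encode(PAYLOAD)
    print(blob.hex(" "))   # what a hex editor would show
    print(decode(blob))    # the stored password, read back without any key
```

No key or secret is involved in either direction, so anyone who can read the file or the device's storage can read the password.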