Website Copyright © 2020 Kyle C. Hale, Illinois Institute of Technology.
For this lab you will learn how to create a low-cost USB device that, when plugged into a victim's system, can be used to gain system access, open up backdoors, modify files, etc. This type device is sometimes generically called a Rubber Ducky (named after Hak5's device). The idea is that this device can be used to infiltrate a system quickly and easily when physical access to the target system is possible. Even if that's not the case, attackers can simply leave the drives in a parking lot, and hope that someone picks it up and plugs it into a target machine for them. These dropped drive attacks are notoriously effective, because people actually pick them up.
The basic idea of this hardware is that you will program it to act like a USB keyboard that automatically sends keystrokes to the target system when plugged in. The most common is to use a hot-key combination (cmd+space on Mac) to launch a terminal program and type in arbitrary commands (e.g. download a paylod from the attacker's server and execute it). A glaring weakness of this attack is that a user must be logged in and the system must be active for it to work.
The board you have is a cheap Chinese knock-off of the Digispark development board, which itself is pretty similar to Hak4's official Rubber Ducky USB stick. Both are pretty expensive, and are out of stock anyway.
First download the latest Arduino IDE package for your system, install, and run it.
Then you should go to the Preferences menu (File -> Preferences, or Arduino -> Preferences on Mac).
In the box titled "Additional Boards Manager URLs" put in http://digistump.com/package_digistump_index.json
and click OK.
We'll need to install the board drivers now. Go to Tools -> Board -> Board Manager and then from the drop-down menu select "Contributed". In the filter type in "Digistump" and when the package called "Digistump AVR Boards" comes up click to install it. This will take a few seconds.
Once that finishes, go to Tools -> Boards and select "Digispark" (the default option). Then go to Tools -> Programmer and select the "USBtinyISP" option. If this doesn't work for you, try to go to the Digistump tutorial.
Now we're ready to flash the device and try it out (but don't plug it in
yet). We'll start with a simple example Arduino script which just causes an
LED on the board to blink on and off. Luckily the board packages already
include such a script. Go to File -> Examples -> Digispark_Examples
-> and select the "Start" script. That should bring up some code. Take
a look a code and see how easy this API makes it to program the little
board. To flash the device, (don't insert it yet) hit the "Upload" button
(it has a right arrow on it) and it will then prompt you to plug in the
board. Do so now. In a few seconds, you'll see some messages print out
in the Arduino console, hopefully ending with the line
"Micronucleus done. Thank you!". If so, your device is
now programmed, and you should see the red LED blinking at 1Hz.
Let's make it do something more interesting now.
If you get an error like "bad CPU type" on a Mac you might have to jump through another hoop
to get the Arduino IDE to do the right thing. First download a nightly build of the Arduino IDE instead, and
then amke sure to run the following, where below I'm assuming that you're leaving the Arduino app in ~/Downloads.
$ cd ~/Library/Arduino15/packages/arduino/tools/avr-gcc
$ mv 4.8.1-arduino5/ orig.4.8.1
$ ln -s ~/Downloads/Arduino.app/Contents/Java/hardware/tools/avr 4.8.1-arduino5
First make sure you have Java installed (check by opening a terminal
and running java -version). If you don't have it installed, you'll
want to go here to get and install it.
Now we're going to download the Rubber Ducky toolchain. This toolchain is incompatible with our Arduino, but it has a convenient scripting language (Duck script) for developing keyboard payloads which we'll want to use (lost opporunity here: Duck script does not use duck typing). Instead of using the binaries that this toolchain produces directly to flash our devices, we'll translate them into Arduino script. First get the Rubber Ducky toolchain from Hak5:
$ git clone https://github.com/hak5darren/USB-Rubber-Ducky
$ cd USB-Rubber-Ducky
Now we need to write some Duck Script. If you're using Mac, I've written one for you. You can get it liked this:
$ curl -fL http://cs.iit.edu/~khale/class/security/s20/handout/hacked.osx > test.duck
If you don't have a Mac, grab an example script from here (the reverse shells are particularly fun to play with). Now we need to use the Rubber Ducky toolchain to encode this into binary:
$ java -jar Encoder/encoder.jar -i test.duck -o test.bin -l us
This encodes the script using an US English keyboard layout.
Since we don't have an actual rubber ducky, we use a Python tool to translate between rubber ducky binary files to Aruduino IDE source:
$ cd ..
$ git clone https://github.com/mame82/duck2spark
$ cd duck2spark
$ ./duck2spark.py -i ../USB-Rubber-Ducky/test.bin -l 1 -f 2000 -o sketch.ino
This gives us an Arduino sketch which we can paste directly into the Arduino IDE, and program the device just like we did before.
Go explore some existing payloads and see what you can get the thing to do!.
No handin for this lab.
This work is licensed under a Creative Commons Attribution-NonCommercialShareAlike 4.0 International License. A human-readable summary of (and not a substitute for) the license is the following: You are free to copy and redistribute the material in any medium or format. You must give appropriate credit. If you remix, transform, or build upon the material, you must distribute your contributions under the same license as the original. You may not use the material for commercial purposes.
Website Copyright © 2020 Kyle C. Hale, Illinois Institute of Technology.