Low-cost USB Rubber Ducky pen-test tool for $3 using Digispark and Duck2Spark

Written by tomac | Published 2018/09/13
Tech Story Tags: arduino | pentesting | hacker | rubber-ducky-pen-test | digispark-duck2spark


It’s a story as old as time: some hacker sees a nice hardware pen-testing tool, hacker recoils in horror at the price of said tool, hacker builds their own version for a fraction of the price.

An example of this is the Rubber Ducky, an excellent Hak5 hacking tool that, thanks to the work of several developers, we can emulate using a small and cheap Digispark. An advantage of cheap hardware built from generic off-the-shelf parts is that it is disposable and almost impossible to trace.

The USB Rubber Ducky is a keystroke injection tool disguised as a generic flash drive. Computers recognize it as a regular keyboard and automatically accept its pre-programmed keystroke payloads at over 1000 words per minute. Seconds of physical access are all it takes to deploy some of the most advanced pen-test attacks or IT automation tasks. The Rubber Ducky can also be used for practical jokes, for example with a script that quickly changes the wallpaper of a co-worker's workstation.
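From the defender's side, the typing speed quoted above is itself a detection signal. The following added example (not part of the original article; the 250 WPM human ceiling, the 5-characters-per-word convention and the sample timestamps are assumptions constructed for illustration) flags runs of key presses from one keyboard that arrive faster than a person can type:

```python
from statistics import median

CHARS_PER_WORD = 5    # assumption: usual typing-speed convention
HUMAN_MAX_WPM = 250   # assumption: ceiling for a very fast human typist
MIN_BURST_KEYS = 8    # ignore short rolls such as a fast double tap


def wpm_from_gap(seconds_per_key):
    """Convert the gap between two key presses into words per minute."""
    return 60.0 / (seconds_per_key * CHARS_PER_WORD)


def find_injection_bursts(timestamps, max_wpm=HUMAN_MAX_WPM,
                          min_keys=MIN_BURST_KEYS):
    """Return (start, end, wpm) for each run of keys typed above max_wpm.

    timestamps: sorted key-down times in seconds from a single keyboard.
    """
    limit = 60.0 / (max_wpm * CHARS_PER_WORD)  # gaps below this are too fast
    bursts, run_start = [], 0
    for i in range(1, len(timestamps) + 1):
        if i < len(timestamps) and timestamps[i] - timestamps[i - 1] < limit:
            continue  # still inside a fast run
        run = timestamps[run_start:i]  # the run ends at key i - 1
        if len(run) >= max(min_keys, 2):
            gaps = [b - a for a, b in zip(run, run[1:])]
            bursts.append((run[0], run[-1], round(wpm_from_gap(median(gaps)))))
        run_start = i
    return bursts


def constructed_sample():
    """Constructed timeline: human typing, a 40-key fast burst, human again."""
    human_before = [i * 0.18 for i in range(10)]       # about 67 WPM
    burst = [3.0 + i * 0.01 for i in range(40)]        # 1200 WPM
    human_after = [5.0 + i * 0.20 for i in range(10)]  # 60 WPM
    return human_before + burst + human_after


if __name__ == "__main__":
    for start, end, wpm in find_injection_bursts(constructed_sample()):
        print(f"{start:.2f}s-{end:.2f}s: ~{wpm} WPM, faster than a human")
```

On a real endpoint the timestamps would come from per-device input-event telemetry; a hit from a keyboard that enumerated only seconds earlier is a much stronger signal than speed alone.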

But at $45 plus shipping, the Rubber Ducky is not exactly a cheap tool. Fortunately, we can DIY a clone for only $3 with a Digispark development board and some free software. The Digispark is an ATtiny85-based microcontroller development board similar to the Arduino Uno, only cheaper and smaller.

Digispark boards

Step 1: Setup Digispark Development Environment

Before starting to work with our board, we must install the Arduino IDE. After this, we must download the compatibility package for this board, a fairly simple operation.

Arduino - Software (www.arduino.cc)

After installation, open the Arduino IDE application and go to File -> Preferences. In the input field named “Additional Boards Manager URLs” enter the following URL.

http://digistump.com/package_digistump_index.json

Go to Tools -> Board -> Boards Manager. From the drop-down menu select “Contributed”, select the Digistump AVR Boards package and install it.

Now we need to install the Digispark bootloader driver. You only need the driver to program the board with the Arduino IDE. Once programmed, it works like a Rubber Ducky (a generic USB keyboard) on any device you plug it into, without any driver.

https://github.com/digistump/DigistumpArduino/releases/download/1.6.7/Digistump.Drivers.zip

Usually there will be some issues with the driver installation process. So please make sure to install the drivers properly.

Finally, go to Tools -> Board, and select Digispark (Default — 16.5mhz) and set it as default.

Step 2: Turning Digispark into a Rubber Ducky Clone

The Rubber Ducky uses a simple scripting language to create payloads. For the Digispark, things are not that simple: we need to program our own payloads using DigiKeyboard.h and the Arduino IDE. There are some scripts available for the Digispark ATtiny85 on the internet, but thanks to the work of MaMe82 (Marcus Mengs) you can translate Rubber Ducky scripts to Digispark with the duck2spark project.

mame82/duck2spark: Converter for raw RubberDucky payloads to Digispark Arduino IDE Sketch source (github.com)

A great feature of duck2spark is its keyboard layout support: available solutions and tutorials for emulating a Rubber Ducky on a Digispark suffer from poor support for non-US keyboard layouts. duck2spark solves this by “outsourcing” the problem to DuckEncoder, which supports multiple keyboard layouts.

Using duck2spark is really easy. Let’s see an example from the duck2spark documentation, a classic hello world:

Generate a DuckyScript test.duck you want to use as output:

echo "STRING Hello World" > test.duck

Compile the script using DuckEncoder with your keyboard layout (de in example) or use my python port:

java -jar encoder.jar -i test.duck -o raw.bin -l de

Use duck2spark.py to convert into Arduino Sketch (options for single run, 2 seconds startup delay):

duck2spark.py -i raw.bin -l 1 -f 2000 -o sketch.ino

After setting up the Arduino IDE, load the example "DigisparkKeyboard" and replace the sketch source with the one saved to sketch.ino.

Click Sketch -> Upload or click Upload button on the top left. Open a notepad or any software. Plug in the Digispark USB again and magically “Hello World” will be typed.

Rubber Ducky payloads can be anything; they change according to our goals and intentions! We can create a wireless network association, download and execute payloads, reverse shells, etc. For pen-testing engagements we can even use Meterpreter, Empire, Unicorn, or any other PowerShell payloads.

hak5darren/USB-Rubber-Ducky (github.com)

Troubleshooting

If you are able to program your Digispark and the code runs, but the sketches do not run after the Digispark is unplugged and plugged in again: You will need to update the bootloader. The bootloader has a built in updating mechanism. To flash the bootloader use the guide here and the Digispark will work and run the sketches after unplugging and plugging back in.

Keep in mind that Digispark is OSHW (Open Source HardWare), there are no original Digispark or clone Digispark, they are all the same! The only difference is that some manufacturers flash old versions of the bootloader.

Tips

Digispark uses do not end here: as an Arduino-compatible development system, it can be used for any Arduino-based attack with minimal modifications. Running duck2spark is not even essential for HID attacks; if you want to work with USB HID at a low level, Digispark has a built-in keyboard library called DigiKeyboard.

A final tip for your Rubber Ducky clone: use some heat shrink tubing to provide electrical insulation, mechanical protection, sealing, and some stealth to your new Digispark-Ducky. A device that’s cheap enough that you don’t mind leaving it at the scene if you’ve got to pull on your ninja outfit and make a break for it.


Published by HackerNoon on 2018/09/13