Nine times out of ten, my goal when using a Rubber Ducky on pentests is to launch an Empire or Meterpreter session. However, having the Ducky type out an entire stager often takes too much time to be practical for most real-world USB attacks. This article outlines three techniques to optimize the speed and minimize user detection of the Rubber Ducky.

Rubber Ducky Attack Vectors

The Sneak

Find a solid distraction for the user and, when they're not looking, insert the Ducky into an accessible USB port.

Pros: Payload delivery is guaranteed; the user never examines the Ducky.

Cons: It sucks getting caught; you usually have very little time, depending on the misdirection and ease of access to USB ports.

The Drop

Leave a Ducky around the office: reception, parking lots and bathrooms are usually easy to access and quite successful. Going the extra step to physically label the drive something juicy is well worth it. The Drop also includes sending the Ducky via Priority FedEx, which is a wildly effective vector with the right pretext.

Pros: You don't get caught; people tend to quickly become voyeurs when they see a USB key marked "2016 Vacation Photos".

Cons: Users are staring at their screens during injection and are much more likely to notice unusual behavior.

The Watergate

Slip into an unattended office, usually at night, bypassing physical security controls. The Watergate often uses the Ducky as a physical clipboard to paste stager text into the victim machine.

Pros: All the time in the world.

Cons: Not nearly as commonly in scope in pentests; and, as always, it sucks to get caught.

The two most commonly used methodologies, The Sneak and The Drop, need two things to be successful: speed and believability. So, let's first get a baseline and then optimize the delivery of an Empire stager to minimize execution time and keep the user as unaware as possible.