USB Rubber Ducky – Part 2: Attack of the HID
The USB Rubber Ducky was introduced in our previous post, “The Return of USB Auto-Run Attacks”. This is the first of many follow-ups that introduce new attack scenarios and the added functionality that has won this tiny device a big place in the hearts of penetration testers.
Use the Force Ducky
As documented in the Definitive Ducky Guide (Draft):
- http://ducky-decode.googlecode.com/files/The USB Rubber Ducky Draft.doc
Darren Kitchen has created a brute-force script that can potentially defeat the Android PIN lock. The script is written in a high-level language called “Ducky Script”, which means it is easy for noobs and people with limited programming experience to quickly modify and improve the script to their own ends.
Initially confirmed to work on the following devices:
- Galaxy Nexus running Android 4.2.1
- Galaxy Note 2 running Android 4.2.1
(Images Sourced From Hak5.org)
As of 16th June 2013, according to the Hak5 forums, a similar attack can now be launched against iOS devices.
Now the Ducky has to cope with account policies such as possible login delays and possible lock-outs. It may not be the best solution in the world, but you could definitely script an attack using the top 10 – 20 PIN combinations. The Ducky is much more elegant at typing (firing off HID codes), so it may be a simple case of plug ‘n pwn (provided the device user has a weak password).
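To put numbers on the login delays and lock-outs mentioned above, here is an added example (not from the original post or from Hak5) that models how long a run of wrong PIN guesses takes under a retry-throttling policy. The policy values (5 free attempts, a 30-second delay, wipe after 10 failures) and the one-guess-per-second typing rate are assumptions chosen for illustration, not measurements of any device.

```python
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple


@dataclass
class LockPolicy:
    free_attempts: int                 # wrong guesses allowed before each delay
    base_delay_s: float                # first delay, in seconds
    backoff: float = 1.0               # delay multiplier after each lock-out
    max_delay_s: float = 3600.0        # cap on the escalating delay
    wipe_after: Optional[int] = None   # wrong guesses before wipe / hard lock


def guess_timeline(policy: LockPolicy, seconds_per_guess: float = 1.0,
                   space: int = 10_000) -> Iterator[Tuple[int, float]]:
    """Yield (guess_number, elapsed_seconds) for consecutive wrong guesses."""
    elapsed, delay = 0.0, policy.base_delay_s
    for n in range(1, space + 1):
        elapsed += seconds_per_guess
        yield n, elapsed
        if policy.wipe_after is not None and n >= policy.wipe_after:
            return  # device wiped or hard-locked: no further guesses
        if n % policy.free_attempts == 0:
            elapsed += delay
            delay = min(delay * policy.backoff, policy.max_delay_s)


def guesses_within(policy: LockPolicy, budget_s: float, **kw) -> int:
    """How many PINs fit into budget_s seconds of unattended physical access."""
    count = 0
    for n, t in guess_timeline(policy, **kw):
        if t > budget_s:
            break
        count = n
    return count


def time_for(policy: LockPolicy, guesses: int, **kw) -> Optional[float]:
    """Seconds until `guesses` PINs are entered, or None if the policy stops it."""
    for n, t in guess_timeline(policy, **kw):
        if n == guesses:
            return t
    return None


if __name__ == "__main__":
    # Constructed policies for comparison (assumed values, see lead-in).
    for name, p in [("fixed 30 s delay", LockPolicy(5, 30.0)),
                    ("doubling delay", LockPolicy(5, 30.0, backoff=2.0)),
                    ("wipe after 10", LockPolicy(5, 30.0, wipe_after=10))]:
        print(f"{name}: top-20 list takes {time_for(p, 20)} s, "
              f"{guesses_within(p, 600)} guesses fit in 10 min")
```

Under these assumed numbers a fixed delay barely slows a top-20 list, while an escalating delay or a low wipe threshold is what actually caps the number of guesses.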
The Ducky can even brute-force the EFI Pin on Apple Mac Laptop/Desktop Computers.
This is a great mechanism to show off to clients, especially if they have a pin/password that is in the top 10 (or 20) common pin / password combinations. 🙂