The “Rubber Ducky” by Hak5 is a very powerful tool that lets the user perform rapid keystroke injection attacks, which is basically a fancy way of saying the device can type fast. Capable of entering text at over 1000 WPM, Mavis Beacon’s got nothing on this $45 gadget. Within just a few seconds of plugging it in, a properly programmed script can do all sorts of damage. Just think of all the havoc that can be caused by an attacker typing in commands on the local machine, and now imagine they are also the Flash.
But unless you’re a professional pentester, $45 might be a bit more than you’re looking to spend. Luckily for the budget-conscious hackers out there, [Tomas C] has posted a guide on using open source software to create a DIY version of Hak5’s tool for $3 a pop. At that cost, you don’t even have to bother recovering the things when you deploy them; just hold on tight to your balaclava and make a run for it.
The hardware side of this hack is the Attiny85-based Digispark, clones of which can be had for as low as $1.50 USD depending on how long you’re willing to wait on the shipping from China. Even the official ones are only $8, though as of the time of this writing they are not currently available. Encapsulating the thing in black shrink tubing prevents it from shorting out, and as an added bonus, gives it that legit hacker look. Of course, it wouldn’t be much of a hack if you could just buy one of these little guys and install the Rubber Ducky firmware on it.
In an effort to make it easier to use, the official Rubber Ducky runs scripts written in a BASIC-like scripting language. [Tomas C] used a tool called duck2spark by [Marcus Mengs], which lets you take Rubber Ducky scripts (which have been released by Hak5 as open source) and compile them into a binary for flashing to the Digispark.
Not quite as convenient as just copying the script to the original Ducky’s microSD card, but what do you want for less than 1/10th the original’s price? Like we’ve seen in previous DIY builds inspired by Hak5 products, the trade-off is often cost for ease of use.
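The 1000 WPM figure is also what gives these devices away on the host side, since no person sustains that typing rate. As an added example (not code from the article, Hak5, duck2spark or the Digispark project), the following flags runs of key-down events that are too fast to be human; the thresholds, the timestamp-list input and the sample timeline are assumptions constructed for illustration.

```python
"""Added example: flag keystroke runs too fast to be human typing.
Thresholds and the event format are assumptions, not from the article."""
from statistics import mean, pstdev

CHARS_PER_WORD = 5        # standard WPM convention
MAX_HUMAN_WPM = 300       # assumed ceiling; injectors are quoted at 1000+ WPM
MIN_RUN = 10              # consecutive fast gaps before alerting (assumed)
MIN_GAP = 60.0 / (MAX_HUMAN_WPM * CHARS_PER_WORD)   # 0.04 s between keys

def find_injection_bursts(ts, min_run=MIN_RUN, min_gap=MIN_GAP):
    """ts: sorted key-down times in seconds. Returns one dict per suspect run."""
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    bursts, start = [], None
    for i, gap in enumerate(gaps + [float("inf")]):   # sentinel closes last run
        if gap < min_gap:
            if start is None:
                start = i                             # a fast run begins here
            continue
        if start is not None and i - start >= min_run:
            run = gaps[start:i]
            avg = mean(run)
            bursts.append({
                "first_key": start,                   # index into ts
                "last_key": i,
                "wpm": round(60.0 / (avg * CHARS_PER_WORD)) if avg > 0 else float("inf"),
                # Machine-generated input shows near-zero timing variation.
                "jitter": round(pstdev(run) / avg, 3) if avg > 0 else 0.0,
            })
        start = None                                  # slow gap ends any run
    return bursts

def build_sample():
    """Constructed timeline: human typing, a 3-key rollover, then a 1000 WPM burst."""
    human = [0.14, 0.11, 0.19, 0.09, 0.16, 0.12, 0.21, 0.10]
    gaps = human * 2 + [0.03] * 3 + human + [0.012] * 40 + human * 2
    ts = [0.0]
    for g in gaps:
        ts.append(round(ts[-1] + g, 6))
    return ts

if __name__ == "__main__":
    for burst in find_injection_bursts(build_sample()):
        print(burst)
```

Timing is a heuristic rather than a control; it complements restricting which USB HID devices a host will accept.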
[Thanks to Javier for the tip.]
26 thoughts on “DIY Rubber Ducky Is As Cheap As Its Namesake”
The after image of the flash is burning my eyes.
Those Attiny sticks with software USB aren’t very reliable. They’re often not detected by the PC, or lose characters.
I prefer ATMega32U4 based sticks. They’re more expensive (but not much), available also in the housing of an unsuspicious USB flash stick, and very reliable, because the chip has native USB.
If you want to know how to use such a chip as a simple password safe, look here:
Alternatively, be a real badass, find out what’s in your real USB memory stick, download the datasheet for the chip and then write your own firmware. They are almost all 8051 chips with FW written in assembly so dumping, disassembling and modifying the existing FW shouldn’t be too hard.
That’s how badUSB started.
But why would I use a barely documented 8051, when I can have an ATMega or ARM board, with really great libraries, for a fraction of the price?
I once tested this with an ATMega32U4; as it can also control the mouse, it can as well be a prank tool, e.g. in the office at work. I made the cursor move in a circle.
Better to just press caps lock randomly every few minutes or so. Not so often that it’ll be noticed but enough to be annoying.
I did that once, using an LPC11U24 – My boss was NOT happy. His mails stated that he was having PC troubles. Went on for 5 days, he didn’t notice the PCB with red LEDs sticking out of his desktop. Somehow the random script got random, and CAPSlocked every few hundred milliseconds. Bad programming I guess :D
Those STM32 blue pills also got native USB, for the same price as a DigiSpark clone
Should have done this with 555
No; just build a Raspberry Pi 3B+ POE version, Oh, wait…that won’t have true Gigabit Ethernet, and the POE won’t work, either. Yeah, the 555 will substitute nicely for the RPi…
Actually, given the fact that a RasPi Zero costs less than 10 bucks, its also a funny platform to build pentest sticks.
They’re fun, I have one, but the keyboard programmed into it is based on a US keyboard layout, so if you want to emulate a keyboard in a non-US country (for example to use symbols like [ ] ” / \ …) you’ll have to change the keyboard settings on your computer or change the key array in the code, which is not easy since there’s a lot of trial and error.
Previously available solutions and tutorials emulating a RubberDucky on a DigiSpark suffer from poor keyboard layout support for non-US languages. This is solved on duck2spark by “outsourcing” the problem to DuckEncoder which supports multiple keyboard layouts.
I have still had problems with many keystrikes especially ones like ctrl and alt.
how long your willing to wait
how long you’re willing to wait
But how long is your willing to wait?
I bought two pieces and it appeared to be a good idea because one of them won’t work for most of the time.
The second thing is that I was not able to upload the Arduino sketch in a Windows environment, it worked only on Mac OS (the uploaded script is executing properly on Windows).
Anyways, looking at my pranked co-worker was worth paying 1$ (I plugged it into the USB port on the back of his monitor :) )
better ones available than this
Bluetooth variety, with an app and write and upload on the fly:
Wifi variety, use via webpage and write and upload on the fly:
Also there are builds using an HC05 and the digispark that work with an already written app, so you have that bluetooth capability to write on the fly or use already stored scripts and upload em on demand..
Regarding the password typer on atmega 32u4 we’ve got a user friendly commercial version here: http://www.anykey.shop. You get a similar device in a nicer casing and even easier to use interface: just type any string click save and presto you have your password or script typing keyboard device instantly configured.
There’s a “better” alternative using this:
Higher speed, more memory and you can even attach other peripherals.
Cons about this and the hak5 attiny85 versions: The usb data traces D+,D- are too short (where it says cjmcu on the pcb). http://anykey.shop gives an alternative to the rubberducky, (half the price of a ducky, a bit more expensive than above links but less dodgy as a bare pcb with too short usb traces) it has a sturdy metal case to carry and make it look like any other usb stick. It’s used for keeping your master unlock password for 1-pass, your mac login or anything you want (bitcoin wallet for instance). Of course you can still abuse/hack with it if you type a short shell/wget execute script…
just use a Cactus WHID if you want something already almost finished.. only $14.
Anyone have familiarity with anything like these that will work on a Mac in single user mode? In the little experimenting I’ve done, I’ve found nothing that’ll work. Single user mode is pretty picky about what keyboard it’ll accept, even those made by Apple itself depending on the vintage of the computer and the keyboard it’s mated to.
These are an even better alternative.. not so much DIY, but they just mainstreamed it.
I don’t get the “basic like scripting language” of it. Use micropython for God’s sake if not a full blown SOC that can run an actual python interpreter. Sure it might not be “elegant” but nothing beats access to regex and list comprehensions.
And if you want elegance do something like streaming pre-computed tables using dma.