
USB Rubber Ducky – Part 2: Attack of the HID

by on July 1, 2013


Background

The USB Rubber Ducky was introduced in our previous post “The Return of USB Auto-Run Attacks”. This is the first of many follow-ups that introduce new attack scenarios and the increased functionality that has earned this tiny device a big place in the hearts of penetration testers.

Brute-force attacks…

Use the Force Ducky

As documented in the Definitive Ducky Guide (Draft):

Darren Kitchen has created a brute-force script that can potentially defeat the Android Pin-Lock. The script is written in a high-level language called “Ducky Script”, which means it is easy for noobs and people with limited programming experience to quickly modify and improve the script to their own ends.

Initially confirmed to work on the following devices:

  • Galaxy Nexus running Android 4.2.1
  • Galaxy Note 2 running Android 4.2.1


(Images Sourced From Hak5.org)

As of 16th June 2013, according to the Hak5 forums (link), a similar attack can now be launched against iOS devices.

Now the Ducky has to cope with account policies such as possible login delays and possible lock-outs. It may not be the best solution in the world, but you could definitely script an attack using the top 10 – 20 PIN combinations. The Ducky is much more elegant at typing (firing off HID codes), so it may be a simple case of plug ‘n pwn (provided the device user has a weak password).

The Ducky can even brute-force the EFI Pin on Apple Mac Laptop/Desktop Computers.

This is a great mechanism to show off to clients, especially if they have a pin/password that is in the top 10 (or 20) common pin / password combinations. 🙂
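Seen from the defender's side, the point about login delays, lock-outs and the top 10 – 20 PINs can be put in numbers. The following is an added example, not code from the original post or from Hak5; the policy values (5 free attempts, a 30-second delay, one second per guess, a one-hour cap) and the short blocklist are assumptions chosen for illustration.

```python
# Added example: defender-side model of a lock-screen delay policy.
# All policy numbers and the short blocklist below are assumptions.

# Constructed sample blocklist; a real policy would use a longer list.
COMMON_PINS = {"1234", "0000", "1111", "1212", "7777",
               "1004", "2000", "4444", "2222", "6969"}


def is_weak_pin(pin: str) -> bool:
    """True if a top-N guessing script would reach this PIN early."""
    if not pin.isdigit():
        raise ValueError("PIN must contain digits only")
    if pin in COMMON_PINS or len(set(pin)) == 1:   # listed, or one repeated digit
        return True
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {9})                     # ascending or descending run


def seconds_to_try(guesses, free_attempts=5, base_delay=30,
                   escalate=False, max_delay=3600, per_guess=1.0):
    """Time for `guesses` wrong attempts: a delay follows every
    `free_attempts` failures, doubling up to `max_delay` if `escalate`."""
    total = guesses * per_guess
    delay = base_delay
    for _ in range((guesses - 1) // free_attempts):
        total += delay
        if escalate:
            delay = min(delay * 2, max_delay)
    return total


if __name__ == "__main__":
    for label, n in (("top-20 list", 20), ("all 4-digit PINs", 10_000)):
        fixed = seconds_to_try(n)
        esc = seconds_to_try(n, escalate=True)
        print(f"{label}: fixed delay {fixed / 60:.0f} min, "
              f"escalating delay {esc / 3600:.1f} h")
    for pin in ("1234", "9876", "5555", "4821"):
        print(pin, "rejected" if is_weak_pin(pin) else "accepted")
```

With these assumed values a 20-entry list is exhausted in under four minutes under either policy, while the full 4-digit space takes about 19 hours with a fixed delay and about 83 days with the escalating one. The delay policy therefore only protects users whose PIN is not on the common list, which is why rejecting weak PINs at enrolment matters.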
