This meeting was of NKCyber's Red Team Division in its third week back from hiatus. The meeting was intended to take place in GH 240 at 7:00p but was moved to GH 250 due to a scheduling conflict with Chase Law's "Chase - Midterm exam - Mergers and Acquisitions" on the date of February 28, 2024. As a part of the meeting, which followed the structure of TryHackMe's Weaponization room, I, Red Team Leader and Outreach Officer Patrick Hirsch, demoed a Rubber Ducky configured with a non-malicious payload.
On Monday, February 26, at about 1:50p, a USB Rubber Ducky was loaned by NKCyber RnD Head Ben Molloy to Patrick Hirsch to be demoed at the week's Red Team Meeting. The device was passed off in MP 325 at the end of MAT/CSC 483-001.
Patrick Hirsch took the Rubber Ducky to the Lobby of Griffin Hall where he researched the DuckyScript language and, on his own laptop, wrote, compiled, and tested a payload designed to use PowerShell via Run to simply create a directory (~\Duckies), download an mp3 file from https://www.nyan.cat/music/original.mp3 as ~\Duckies\maliciousFile.mp3, and use VLC to play the file while hidden and minimized.
Upon creation of a successful payload, Patrick took the Rubber Ducky to the then-empty GH 240 and tested the payload on the podium computer to ensure the demo would work on the device to be used for the demo in-meeting. The device was plugged in once and confirmed to work as intended. No witnesses were present to observe this test being performed.
The following day, Tuesday, February 27, Patrick Hirsch showed the Rubber Ducky to a few peers including NKCyber's President Angel Munoz, Vice-President Carson Rolph, and Treasurer Dexter Walters. All demos done on this day were on personal devices.
On the day of the meeting, Wednesday, February 28, Patrick Hirsch, also General Manager of Norse Code Radio (NCR), learned during NCR's Mid-Semester Party of a previously unknown room reservation by Chase Law for GH 240 spanning between the party and Red Team's Meeting. In response, both events were moved next door to GH 250.
Shortly before the Red Team meeting's start time of 7:00p, Patrick set up by logging into the podium computer and testing the payload by plugging in the Rubber Ducky to the device. This was, however, unsuccessful since VLC was not installed on the GH 250 computer.
The meeting went as planned with 2 out of the 3 consistently attending Red Team members present. Following along with the Weaponization room on TryHackMe's Red Team Learning Path, a demo was performed by Patrick on Windows Scripting Host (WSH) using the TryHackMe Virtual Machine connected to via the web client remote desktop from the podium computer. Next, members were asked to pick a subsequent task in the room and complete it by developing and delivering the payload described on their own TryHackMe VMs connected to from their own laptops before reconvening to share observations on the methods they explored.
Next, following along with the "Delivery Techniques" task's mention of the Rubber Ducky as a form of USB Delivery, the Rubber Ducky was demoed by Patrick Hirsch on his personal laptop connected via HDMI to the GH 250 projectors for the 2 members present to see. Next, the Rubber Ducky was disassembled, the workings of it explained, and a "Hello World" program was written, compiled, and loaded onto the Rubber Ducky. This compilation was done on my personal laptop due to its having a microSD port; the payload's execution was then demoed on a willing member's personal laptop. I do not recall whether this Hello World script was plugged into the podium computer.
Cleaning up after the NCR party and NKCyber meeting, Patrick ran into another NKCyber member and reconfigured the Rubber Ducky to run the Nyan Cat script and demoed the device once again on his personal laptop.
The following day, Thursday, February 29th, Patrick Hirsch, also Web Editor for The Northerner, got to his desk in The Northerner's Newsroom (GH 125) around 12:15p to observe the desktop computer had been removed. This was escalated to The Northerner's Editor-in-Chief, Managing Editor, and Faculty Advisor. At 1:45p The Northerner's Faculty Advisor escalated the question to Derek Armstrong and Stephen Yungbluth. Derek wrote back within a minute saying that "This computer was removed for security reasons."
Around 3p, Patrick noticed he had been locked out of his NKU account and went to Derek Armstrong's office to inquire further. Derek described the reported observation of a "Hacking Device" being plugged into the computer in GH 240 on Monday and again in GH 250 on Wednesday with Patrick's user account being the associated user. These events were recognized by Patrick, who explained the use of the Rubber Ducky for a demo in an NKCyber meeting and further explained the function of the payload that was run.
Patrick and Derek went down to GH 125 where Patrick showed on his device the Rubber Ducky in action and the working of the script it had run. The Rubber Ducky, stated by Patrick to be the property of Ben Molloy loaned for this demo, was taken by Derek pending further investigation.
Patrick's account was promptly unlocked following this meeting and Ben's Rubber Ducky was stated to be returned in a week if Derek did not hear back from Dave. Similarly, The Northerner's desktop computer was said to be returned shortly following further investigation.
During the 4-day period described above, the only campus devices the Rubber Ducky had been used on were those in GH 240 and GH 250. The computer in the Northerner's Newsroom was not involved in any of these activities but was taken into account merely due to the user, HirschP2, being most frequently logged into that device.