Red Team Week 3 picked back up the planned coverage of TryHackMe's Weaponization room (from the "Initial Access" section of TryHackMe's Red Team Route) and added a demo of a Rubber Ducky as a delivery technique.
On the day of the meeting, we learned during NCR's Mid-Semester Party of a previously unknown room reservation by Chase Law for GH 240 that ran through the start of Red Team's meeting, so we moved next door to GH 250.
NOTE: The Rubber Ducky demo at this meeting, together with a test earlier in the week, triggered a security alert that prompted an investigation by NKU IT. An incident report was written outlining this in full.
Starting with the Weaponization room, we gave a live demo of the rather simple first hands-on task, Windows Scripting Host (WSH), showing the script being created and then executed.
After Task 2, Windows Scripting Host, members in attendance were asked to pick one of the next three tasks (HTML Application (HTA), Visual Basic for Applications (VBA), or PowerShell (PSH)) to complete independently and then share their findings and observations on the technique they explored. About 30 minutes were allotted to this portion.
Task 8 of THM's Weaponization room, Delivery Techniques, covers several ways of getting a payload onto a target system, including USB delivery. A Rubber Ducky was demoed as one form of USB delivery.
The below payload was demoed and analyzed:
REM TITLE Nyanify Rubber Ducky Sample
REM AUTHOR Patrick Hirsch <HirschP2@nku.edu>
REM DESCRIPTION Rubber Ducky demo script to download and play the Nyan Cat music on a target device assuming internet-connected Windows with VLC installed
REM Give the host a moment to enumerate the Ducky as a keyboard before typing anything
DELAY 1000
REM Open the Run dialog (Win+R); if the dialog is slow to appear on a target, a short DELAY here makes the payload more reliable
WINDOWS r
REM Everything on this line is typed as keystrokes: make the working folder, fetch the mp3, play it minimised, then close the shell
STRING powershell "mkdir ~\Duckies;cd ~\Duckies;Invoke-RestMethod -Uri https://www.nyan.cat/music/original.mp3 -OutFile maliciousFile.mp3;& 'C:\Program Files\VideoLAN\VLC\vlc.exe' --qt-start-minimized --play-and-exit --qt-notification=0 'maliciousFile.mp3';exit"
ENTER
Next we looked at the syntax of DuckyScript and compiled the default Hello World program from Hak5's PayloadStudio onto the Ducky to demo how to write and arm a Rubber Ducky payload.
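To make that syntax concrete, here is an added example that is not Hak5's compiler, not PayloadStudio and not anything shown at the meeting: a small Python interpreter for the DuckyScript 1.0 subset used in the payload above (REM, DELAY, DEFAULT_DELAY, STRING, REPEAT, modifier chords such as WINDOWS r, and named keys such as ENTER). It turns a script into the sequence of keystroke events the Ducky replays as a USB keyboard, which is why the payload above works on any machine that trusts its keyboard. The 10 ms per keystroke figure is an assumption used only to estimate how long a payload keeps the keyboard busy.

```python
"""Interpret a DuckyScript 1.0 payload into the keystroke events a Rubber
Ducky would replay as a USB keyboard. Added example for illustration; it is
not Hak5's compiler/PayloadStudio and was not part of the meeting."""
from dataclasses import dataclass
from typing import List, Tuple

# Modifier words DuckyScript accepts, normalised to one name each.
MODIFIERS = {"WINDOWS": "GUI", "GUI": "GUI", "COMMAND": "GUI", "CTRL": "CTRL",
             "CONTROL": "CTRL", "ALT": "ALT", "SHIFT": "SHIFT"}
# Named non-printing keys (a subset of the DuckyScript 1.0 key list).
SPECIAL_KEYS = {"ENTER", "ESCAPE", "ESC", "TAB", "SPACE", "DELETE", "BACKSPACE",
                "UP", "DOWN", "LEFT", "RIGHT", "UPARROW", "DOWNARROW", "LEFTARROW",
                "RIGHTARROW", "HOME", "END", "PAGEUP", "PAGEDOWN", "CAPSLOCK",
                "PRINTSCREEN", "MENU", "APP"} | {f"F{i}" for i in range(1, 13)}


@dataclass(frozen=True)
class Event:
    kind: str                    # "delay" or "key"
    key: str = ""                # key name (ENTER, GUI, ...) or one typed character
    mods: Tuple[str, ...] = ()   # modifiers held while the key is pressed
    ms: int = 0                  # wall-clock time the event consumes


def _command_events(cmd: str, arg: str, ms_per_key: int) -> List[Event]:
    """Events for one DuckyScript line; REPEAT/DEFAULT_DELAY are handled by the caller."""
    if cmd == "DELAY":
        return [Event("delay", ms=int(arg))]
    if cmd == "STRING":
        # One HID report per character; the Ducky's keymap adds SHIFT for
        # capitals and symbols, so the literal character is kept here.
        return [Event("key", key=c, ms=ms_per_key) for c in arg]
    tokens = [cmd] + arg.split()
    mods: List[str] = []
    while tokens and tokens[0].upper() in MODIFIERS:
        mods.append(MODIFIERS[tokens.pop(0).upper()])
    if not tokens:                         # bare "GUI": tap the modifier itself
        return [Event("key", key=mods[-1], mods=tuple(mods[:-1]), ms=ms_per_key)]
    if len(tokens) != 1:
        raise ValueError(f"unrecognised command: {cmd} {arg}".strip())
    key = tokens[0].upper() if tokens[0].upper() in SPECIAL_KEYS else tokens[0]
    if key not in SPECIAL_KEYS and len(key) != 1:
        raise ValueError(f"unrecognised key: {key}")
    return [Event("key", key=key, mods=tuple(mods), ms=ms_per_key)]


def parse_duckyscript(script: str, ms_per_key: int = 10) -> List[Event]:
    """ms_per_key is an assumed typing rate, used only for the time estimate."""
    events: List[Event] = []
    default_delay = 0
    last: List[Event] = []                 # events of the previous command, for REPEAT
    for raw in script.splitlines():
        cmd, _, arg = raw.strip().partition(" ")
        cmd = cmd.upper()
        if not cmd or cmd == "REM":
            continue
        if cmd in ("DEFAULT_DELAY", "DEFAULTDELAY"):
            default_delay = int(arg)
            continue
        if default_delay:                  # applies before every later command
            events.append(Event("delay", ms=default_delay))
        if cmd == "REPEAT":
            events.extend(last * int(arg))
            continue
        last = _command_events(cmd, arg, ms_per_key)
        events.extend(last)
    return events


def keystroke_count(events: List[Event]) -> int:
    return sum(1 for e in events if e.kind == "key")


def runtime_ms(events: List[Event]) -> int:
    return sum(e.ms for e in events)


# The payload demoed at the meeting, copied from the notes above.
PAYLOAD = r'''REM TITLE Nyanify Rubber Ducky Sample
DELAY 1000
WINDOWS r
STRING powershell "mkdir ~\Duckies;cd ~\Duckies;Invoke-RestMethod -Uri https://www.nyan.cat/music/original.mp3 -OutFile maliciousFile.mp3;& 'C:\Program Files\VideoLAN\VLC\vlc.exe' --qt-start-minimized --play-and-exit --qt-notification=0 'maliciousFile.mp3';exit"
ENTER'''

if __name__ == "__main__":
    evs = parse_duckyscript(PAYLOAD)
    for e in evs:
        print(e)
    print(f"{keystroke_count(evs)} keystrokes, about {runtime_ms(evs)} ms on the keyboard")
```

Run on the Nyan Cat payload it yields one delay, a GUI+r chord, one key event per character of the PowerShell command, and a final ENTER. Nothing in that sequence is distinguishable at the HID level from a person typing very quickly, which is why HID-attack detection tends to key on device identity and typing speed rather than on what was typed.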
To close out the meeting, members were promised links to DuckyScript resources and encouraged to write a non-malicious payload to test at the next meeting.
The following Friday, Red Team members were sent the following:
From: Patrick Hirsch hirschp2@mymail.nku.edu
Sent: Friday, March 1, 2024 6:40 PM
To: NKCyber nkcyber@nku.edu
Subject: NKCyber | Red Team - Regarding the Rubber Ducky Demo
So, as it turns out, Rubber Duckies are not undetectable.
Yesterday, I learned that between testing the "Nyan Cat" payload on Monday and the meeting on Wednesday I had inadvertently triggered a security alert that had been picked up by NKU's IT department. While I don't have specifics, to my understanding some monitoring system exists on NKU campus devices that recognized the device plugged in by some form of fingerprint or serial number, matched against a database of suspicious devices, and alerted IT of the event and the associated user account, prompting an investigation into the pair of similar events.
To be clear, while this investigation is, to my knowledge, still open, both Angle and I have explained what happened, and I have shown what the Rubber Ducky was configured to do when it was plugged in. My account was unlocked following this meeting, and we do not believe anything major will come of this. At worst, it could be seen as poor judgement on our part, but I believe it is fair to say that there was no wrongdoing; I simply demoed a device relevant to our club's purpose and function in a non-destructive, non-malicious manner that did not directly violate any campus policies that I know of. Basic moral of the story: do not knowingly plug a Rubber Ducky into any university devices for any reason, and, as always, never attack any device you are not authorized to.
If interested in Rubber Ducky or other HID attack detections, this blog post by user Koufax explores some of the ideas that go into it on Linux, using a tool called usbrip to parse its logs of connected USB devices, as well as a 7-year-old abandoned project that aimed to actively stop such attacks.
For next meeting, I still want to try out some DuckyScripts you write if we get the Ducky back by then, but with the following change and emphasis: I will bring a Raspberry Pi running Raspbian; you can write a script to run on there, or on your own device. Please have the readable, non-compiled script with you; we'll compile it there before loading it onto the device.
All that being said: Here is the link to the Hak5 DuckyScript documentation, references, and example scripts. Hak5's Payload Studio Community Edition is the web-based IDE designed for writing and compiling DuckyScript.
Patrick Hirsch
Cybersecurity Major, Spring 2025
General Manager, Norse Code Radio
Outreach, NKCyber
Web Editor, The Northerner
Student Employee, FUEL NKU
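As an added illustration of the log-based HID detection the e-mail points to (this is not usbrip, not NKU IT's monitoring, and not the club's code), the Python below parses the kernel messages Linux prints when a USB device attaches and registers as a keyboard, and raises findings on three signals: a vendor/product ID or serial number on a watchlist, a keyboard whose IDs are not on the organisation's allowlist, and a second keyboard appearing while one is already attached. Every vendor/product ID, serial number, policy table and log line in it is constructed for the example.

```python
"""Flag suspicious USB HID devices from Linux kernel USB log lines, in the
spirit of the usbrip-style log parsing mentioned in the e-mail. Added example
for illustration only: it is not usbrip, not NKU IT's monitoring, and every
device ID, serial number and log line below is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Message shapes printed by the usb core and the hid-generic driver; whatever
# timestamp prefix dmesg or the journal adds is ignored by re.search().
NEW_DEV = re.compile(r"usb (?P<port>[\d.-]+): New USB device found, "
                     r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
ATTR = re.compile(r"usb (?P<port>[\d.-]+): (?P<name>Product|Manufacturer|SerialNumber): (?P<value>.+)")
HID = re.compile(r"hid-generic \d{4}:(?P<vid>[0-9A-F]{4}):(?P<pid>[0-9A-F]{4})\.\d+: "
                 r".*USB HID v[\d.]+ (?P<type>Keyboard|Mouse|Device)")
DISCONNECT = re.compile(r"usb (?P<port>[\d.-]+): USB disconnect")

# Hypothetical policy tables: the organisation's issued keyboards, and the
# vid:pid pairs / serials an IT team might keep as known HID-attack hardware.
ALLOWED_KEYBOARDS: Set[Tuple[str, str]] = {("1111", "aaaa")}
WATCHLIST_IDS: Set[Tuple[str, str]] = {("2222", "bbbb")}
WATCHLIST_SERIALS: Set[str] = {"DUCK000001"}


@dataclass
class Device:
    port: str
    vid: str
    pid: str
    serial: str = ""
    keyboard: bool = False


@dataclass(frozen=True)
class Finding:
    port: str
    ids: str      # "vid:pid"
    reason: str


def _by_ids(devices: Dict[str, Device], vid: str, pid: str) -> Optional[Device]:
    """Most recently attached device with these IDs (hid-generic lines carry no port)."""
    for d in reversed(list(devices.values())):
        if (d.vid, d.pid) == (vid, pid):
            return d
    return None


def analyze(log_text: str) -> List[Finding]:
    """Single pass over the log, raising a finding at the moment each fact appears."""
    devices: Dict[str, Device] = {}          # currently connected, keyed by port
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if m := NEW_DEV.search(line):
            d = devices[m["port"]] = Device(m["port"], m["vid"], m["pid"])
            if (d.vid, d.pid) in WATCHLIST_IDS:
                findings.append(Finding(d.port, f"{d.vid}:{d.pid}", "vid:pid on watchlist"))
        elif m := ATTR.search(line):
            d = devices.get(m["port"])
            if d and m["name"] == "SerialNumber":
                d.serial = m["value"].strip()
                if d.serial in WATCHLIST_SERIALS:
                    findings.append(Finding(d.port, f"{d.vid}:{d.pid}", "serial on watchlist"))
        elif m := HID.search(line):
            d = _by_ids(devices, m["vid"].lower(), m["pid"].lower())
            if d is None or m["type"] != "Keyboard":
                continue
            already = sum(1 for x in devices.values() if x.keyboard)
            d.keyboard = True
            if (d.vid, d.pid) not in ALLOWED_KEYBOARDS:
                findings.append(Finding(d.port, f"{d.vid}:{d.pid}", "keyboard not on allowlist"))
            if already:   # a second keyboard appearing mid-session is the classic Ducky tell
                findings.append(Finding(d.port, f"{d.vid}:{d.pid}",
                                        f"additional keyboard while {already} attached"))
        elif m := DISCONNECT.search(line):
            devices.pop(m["port"], None)
    return findings


# Constructed sample: an issued keyboard, then a look-alike keyboard with a
# watchlisted serial, then a flash drive, then the look-alike unplugged.
SAMPLE_LOG = """\
[  101.200000] usb 1-1: New USB device found, idVendor=1111, idProduct=aaaa, bcdDevice= 1.00
[  101.200000] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[  101.200000] usb 1-1: Product: Corporate Keyboard
[  101.200000] usb 1-1: Manufacturer: ExampleCorp
[  101.300000] hid-generic 0003:1111:AAAA.0001: input,hidraw0: USB HID v1.11 Keyboard [ExampleCorp Corporate Keyboard] on usb-0000:00:14.0-1/input0
[  402.500000] usb 1-2: New USB device found, idVendor=2222, idProduct=bbbb, bcdDevice= 1.00
[  402.500000] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  402.500000] usb 1-2: Product: Keyboard
[  402.500000] usb 1-2: Manufacturer: Generic
[  402.500000] usb 1-2: SerialNumber: DUCK000001
[  402.600000] hid-generic 0003:2222:BBBB.0002: input,hidraw1: USB HID v1.11 Keyboard [Generic Keyboard] on usb-0000:00:14.0-2/input0
[  540.000000] usb 1-3: New USB device found, idVendor=3333, idProduct=cccc, bcdDevice= 2.00
[  540.000000] usb 1-3: Product: Flash Drive
[  540.100000] usb-storage 1-3:1.0: USB Mass Storage device detected
[  611.000000] usb 1-2: USB disconnect, device number 4
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.port} {f.ids}: {f.reason}")
```

On a real host the same lines come from dmesg or journalctl -k. The watchlist plays the role of the "database of suspicious devices" the e-mail describes, and the allowlist is what lets an issued keyboard pass. A Ducky that spoofs the VID:PID of an issued keyboard would still trip the second-keyboard rule, while a Ducky plugged into a laptop whose built-in keyboard is not on USB would not, so in practice these device-identity rules are combined with typing-speed heuristics.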