Awareness with a USB Rubber Ducky
Media dropping is a social engineering method in which a prepared USB stick is left where it looks as if it had been randomly lost.

What Is a USB Rubber Ducky?
A USB Rubber Ducky looks just like an ordinary USB flash drive, but it is actually a programmable microcomputer. The moment it is plugged into a machine, it presents itself as a keyboard and types a pre-programmed sequence of keystrokes within seconds -- all without any user interaction.
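A defender's view of the behaviour described above, as an added example that is not part of the original article: a keyboard that appears and immediately types faster than a person can is detectable from input-event timing. The event tuples, device names and thresholds below are constructed assumptions, not values from a real product or log format.

```python
from collections import defaultdict
from statistics import median

# Assumed thresholds for this example; tune them against real input telemetry.
WINDOW_S = 10.0           # only judge keystrokes in the first 10 s after attach
MIN_KEYS = 20             # need a burst at least this long before deciding
MAX_MEDIAN_GAP_S = 0.02   # a median gap under 20 ms is treated as non-human

def build_sample():
    """Constructed events: (time_s, device_id, kind), kind is 'attach' or 'key'."""
    events = [(0.0, "kbd-builtin", "attach")]
    # A person typing on the built-in keyboard, roughly 150 ms per key.
    events += [(5.0 + i * 0.15, "kbd-builtin", "key") for i in range(40)]
    # A new keyboard enumerates at t=30 s and types 60 keys at 5 ms spacing.
    events.append((30.0, "kbd-new", "attach"))
    events += [(31.0 + i * 0.005, "kbd-new", "key") for i in range(60)]
    return sorted(events)

def flag_injection(events):
    """Return {device_id: median_gap_ms} for keyboards that type too fast after attach."""
    attach, keys = {}, defaultdict(list)
    for t, dev, kind in events:
        if kind == "attach":
            attach[dev] = t
            keys.pop(dev, None)          # a re-attach starts a fresh window
        elif kind == "key" and dev in attach and t - attach[dev] <= WINDOW_S:
            keys[dev].append(t)
    flagged = {}
    for dev, ts in keys.items():
        if len(ts) < MIN_KEYS:
            continue                     # too few keystrokes to judge
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        m = median(gaps)
        if m <= MAX_MEDIAN_GAP_S:
            flagged[dev] = round(m * 1000, 1)
    return flagged

if __name__ == "__main__":
    print(flag_injection(build_sample()))
```

A payload that waits longer than the window or types at human speed would not be caught by this timing check alone, so it complements device allow-listing rather than replacing it.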
What Is It Used For?
USB Rubber Duckies are primarily used in penetration testing and social engineering attacks. They can exfiltrate confidential data, install malware on a target machine, or gain access to systems that are not directly reachable over the network.
Features
A Rubber Ducky incorporates several technical components: a microcontroller, a USB interface, a memory chip, and various input/output connectors. Some models offer additional capabilities such as a built-in text editor, a data logger, or an automatic programming function.
Here is an overview of the key components:
- microSD card -- Stores the payload script, which is the sequence of commands that runs automatically when the device is plugged into a target machine.
- Keyboard adapter -- Uses the microSD card to send the stored commands as keystrokes to the computer.
- microSD-to-USB adapter -- A simple plastic dongle that makes it easy to write payload scripts to the microSD card from any computer.
- Mini keyboard adapter -- The core of the Rubber Ducky: a silicon chip with a microSD card slot that transmits the keystrokes to the target machine.
Use Cases -- Media Dropping
Media dropping is an established social engineering technique that bridges the gap between the physical and digital worlds. Attackers plant malware-infected USB sticks in locations where employees are likely to find them -- a lobby, a cafeteria, or a company parking lot. The malware is typically spyware. These devices are often placed during tailgating operations, in which an attacker gains physical access to company premises. When a curious employee picks up the seemingly lost USB stick and plugs it into their workstation, the malicious payload executes silently. If the stick also carries an enticing label -- such as "Salary Overview 2024" or "Financial Records" -- the technique is known as baiting.
Conclusion
USB Rubber Duckies are a powerful tool in security awareness training: they vividly demonstrate how easily confidential data can be exfiltrated or malware installed on a workstation. Combined with social engineering techniques like media dropping -- where rigged USB sticks are strategically placed on company premises -- they underscore the critical importance of fostering a strong security mindset across the organization.