Ninja Ducky Toolkit – cheap and secure data exfiltration via USB implants

The Ninja Ducky Toolkit is a set of basic scripts for setting up a means to exfiltrate data via USB keyboard implant devices (like the awesome and original Rubber Ducky from Hak5).

You can retrieve the current toolkit from the GitHub repository here: https://github.com/p0ep0e/ninja-ducky-toolkit. The rest of this article is dedicated to explaining the how and the why.

The aim of the scripts is to address a couple of challenges I had:

  • I wanted to use cheap and disposable USB implants because using them is generally opportunistic – I want to be able to plug one into an unlocked computer and walk away.
  • Most payloads (scripts) out there for exfiltrating data to a remote location rely on either SMTP or, worse, FTP, meaning that you expose login credentials not only on-screen; they can also be retrieved by decompiling the device.
  • Attiny85 USB devices don’t handle long, sophisticated payloads due to memory constraints.
  • Sending by email isn’t always secure and can often expose the data en route to the destination mailbox.

How does it work

Data exfiltration, encryption and storage/sending

The process for data exfiltration is pretty simple:

  • You find an unlocked PC
  • Insert your Ninja Ducky Attiny85 device
  • The device uses PowerShell and the built-in Windows gatherNetworkInfo.vbs script to prepare a lot of data, then it gathers the saved Wi-Fi passwords.
  • The PowerShell script then submits the data to a file (NinjaDuckyReceiver.php) hosted on our website via HTTPS.
  • The NinjaDuckyReceiver.php receiver accepts the data (if the security token is valid) and can send the data by email, store it on the web server, or both, encrypting the data if we like.
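
For defenders, the process above leaves a recognisable pattern: a new USB keyboard appears and, within seconds, PowerShell touches gatherNetworkInfo.vbs. The sketch below is an added example, not part of the Ninja Ducky Toolkit; the event schema, host names, sample events and 60-second window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical schema (not a real
# log format): "device" = new USB keyboard enumerated, "process" = process start.
EVENTS = [
    {"ts": "2024-01-10T09:14:02", "host": "WS-01", "type": "device",
     "detail": "USB HID keyboard connected"},
    {"ts": "2024-01-10T09:14:06", "host": "WS-01", "type": "process",
     "image": "powershell.exe",
     "cmdline": r"powershell.exe cscript.exe C:\Windows\System32\gatherNetworkInfo.vbs"},
    {"ts": "2024-01-10T11:30:00", "host": "WS-02", "type": "process",
     "image": "powershell.exe", "cmdline": r"powershell.exe Get-ChildItem C:\Temp"},
    {"ts": "2024-01-10T13:00:00", "host": "WS-03", "type": "device",
     "detail": "USB HID keyboard connected"},
    {"ts": "2024-01-10T13:45:00", "host": "WS-03", "type": "process",
     "image": "cscript.exe", "cmdline": "cscript.exe gatherNetworkInfo.vbs"},
]

MARKER = "gathernetworkinfo.vbs"   # script named in the article
WINDOW = timedelta(seconds=60)     # assumed correlation window; tune per site


def find_suspect_injections(events, window=WINDOW):
    """Flag process starts that reference the marker script; rate them "high"
    when a keyboard appeared on the same host within `window` beforehand."""
    last_keyboard = {}  # host -> time of most recent keyboard arrival
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "device":
            last_keyboard[ev["host"]] = ts
        elif ev["type"] == "process" and MARKER in ev["cmdline"].lower():
            seen = last_keyboard.get(ev["host"])
            correlated = seen is not None and ts - seen <= window
            alerts.append({"host": ev["host"], "ts": ev["ts"],
                           "image": ev["image"],
                           "severity": "high" if correlated else "review"})
    return alerts


if __name__ == "__main__":
    for alert in find_suspect_injections(EVENTS):
        print(alert)
```

The "review" tier covers the script being run long after any keyboard was attached, which is more likely to be an administrator collecting diagnostics by hand.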

Decryption

Once the security researcher receives an email with encrypted data in it, they can paste it into the decrypter form to decrypt the data (again, over HTTPS or done locally to keep the data confidential).

Attiny85 Boards

In order to have disposable USB implants, they needed to be low cost, and the general consensus online is that DigiSpark Attiny85 boards are the way to go. They definitely bring some challenges and simply don’t work at all with a small percentage of machines but, in general, are a worthwhile tool.

One of the first challenges is the limited memory of the boards. This required a creative solution for scripting the keystrokes necessary to exfiltrate data; kudos to PeterF, who on this thread provided a way of saving memory by retrieving strings as needed, keeping them in storage until then.

How to make a Ninja Ducky

Firstly, you need to buy some DigiSpark Attiny85 board clones. I recommend going for a pack of 10 of them so you can have some serious and some just doing fun things (more on that later).

To compile the scripts and load them, you need to download and install the free Arduino IDE, available here: https://www.arduino.cc/en/software.

You’ll also need to download and install the drivers for the Attiny85 boards: https://github.com/digistump/DigistumpArduino/tree/master/tools

Open the Arduino IDE and go to File > Preferences and in the Additional Boards Manager URLs add the following:

http://digistump.com/package_digistump_index.json

It should look like this:

Click Ok

Next go to Tools > Board > Digistump AVR Boards

Select Digispark (Default – 16.5mhz), like this:

Create a new project by going to File > New and paste the contents of the NinjaDuckyV1.0.ino file into it.

Click the Upload button in the Arduino IDE:

When the Arduino IDE says Plug in device now, insert your Attiny85 into a USB port (NOT before). If you have problems with it being recognised, I found a USB hub, splitter or docking station worked better sometimes.

When the device is ready, it will say:

Now be careful!!  Within a couple of seconds, the computer will detect the Attiny85  as a keyboard and start running the script!!  🙂

Finally, you’ll need to host your NinjaDuckyReceiver.php file somewhere publicly accessible and configure the options in it (comments are in the script).

Bob McKay

About Bob McKay

Bob is a Founder of Seguro Ltd, a full time father and husband, part-time tinkerer-with-wires, coder, Muay Thai practitioner, builder and cook. Big fan of equality, tolerance and co-existence.
