The Ninja Ducky Toolkit is a set of basic scripts for setting up a means to exfiltrate data via USB keyboard implant devices (like the awesome and original Rubber Ducky from Hak5).
You can retrieve the current toolkit from the GitHub repository here, the rest of this article is dedicated to explaining the how and the why: https://github.com/p0ep0e/ninja-ducky-toolkit
The aim of the scripts is to address a couple of challenges I had:
- I wanted to use cheap and disposable USB implants because using them is generally opportunistic – I want to be able to plug one in to an unlocked computer and walk away.
- Most payloads (scripts) out there for exfiltrating data to a remote location rely on either SMTP or worse, FTP meaning that you expose login credentials not only on-screen but these can also be retrieved by decompiling the device.
- Attiny85 USB devices have don’t handle long sophisticated payloads due to memory constraints.
- Sending by email isn’t always secure and can often expose the data enroute to the destination mailbox
How does it work
Data exfiltration, encryption and storage/sending
The process for data exfiltration is pretty simple:
- You find an unlocked PC
- Insert your Ninja Ducky Attiny85 device
- The device uses PowerShell and the built-in Windows gatherNetworkInfo.vbs script to prepare a lot of data, then it gathers the saved Wifi passwords.
- The PowerShell script then submits the data to a file (NinjaDuckyReceiver.php) hosted on our website via https.
- The NinjaDuckyReceiver.php receiver accepts the data (if the security token is valid) and can send the data by email, store in on the web server or both, encrypting the data if we like.
Once the security research receives an email with encrypted data in it, they can paste it in to the decrypter form to decypt the data (again, over https or done locally to keep the data confidential).
In order to have disposible USB implants, they needed to be low cost and the general concensus online is that DigiSpark Attiny85 boards are the way to go. They definately bring some challenges and simply don’t work at all with a small percentage of machines but in general, are a worthwhile tool.
One of the first challenges is the limited memory of the boards, this required a creative solution for scripting the keystrokes necessary to exfiltrate data, kudos to PeterF who on this thread provided a way of saving memory by retrieving strings as needed, keeping them in storage until then.
How to make a Ninja Ducky
Firstly, you need to buy some DigiSpark Attiny85 board clones, I recommend going for a pack of 10 of them so you can have some serious and some just doing fun things (more on that later).
To compile the scripts and load them, you need to download and install the free Arduino IDE, available here: https://www.arduino.cc/en/software.
You’ll also need to download and install the drivers for the Attiny85 boards: https://github.com/digistump/DigistumpArduino/tree/master/tools
Open the Arduino IDE and go to File > Preferences and in the Additional Boards Manager URLs add the following:
It should look like this:
Next go to Tools > Board > Digistump AVR Boards
Select Digispark (Default – 16.5mhz), like this:
Create a new project by going to File > New and paste the contents of the NinjaDuckyV1.0.ino file in it.
Click the Upload button in the Arduino IDE:
When the Arduino IDE says Plug in device now, insert your Attiny85 in to a USB port (NOT before), if you have problems with it being recognised, I found a USB hub, splitter or docking station worked better some times:
When the device is ready, it will say:
Now be careful!! Within a couple of seconds, the computer will detect the Attiny85 as a keyboard and start running the script!! 🙂
Finally, you’ll need to host your NinjaDuckyReceiver.php file somewhere publically accessible and configure the options in it (comments are in the script).