Have you ever seen a movie where a hacker plugs a seemingly ordinary USB drive into a computer and instantly steals data? Today, you'll be building a device that does exactly that.
⚠️ Disclaimer: All content in this project is intended for security research purposes only.
- WiFi password stealer
In the summer of 2022, I set out to build a device capable of extracting data from a target computer. But how exactly does one deploy malware and exfiltrate information? In the following sections, I'll walk through the essential steps, underlying concepts, and technical nuances involved in creating a custom keystroke injection tool. While this project specifically targets WiFi credentials, the payload can easily be modified for more advanced or malicious purposes; the only real limits are your creativity and technical expertise.
Over time, the project has grown to include a wide variety of scripts and tools. It was originally created to demonstrate the capabilities of a Rubber Ducky, specifically a cost-effective version using the Raspberry Pi Pico (RPi Pico). Currently, the two main components of the project are:
- Rubber Ducky attack
- Bash Bunny attack
- Physical access to the victim's unlocked computer.
- The computer must have internet access in order to send the stolen data using SMTP (exfiltration over a network medium).
- Knowledge of the victim's computer password, for the Linux exploit.
After creating a pico-ducky, you only need to copy the modified payload (adjusted with your SMTP details for the Windows exploit and/or with the Linux password and the USB drive name for the Linux exploit) to the RPi Pico.
- RPi Pico
- Micro USB to USB Cable
- Jumper Wire (optional)
- pico-ducky: Transformed RPi Pico into a USB Rubber Ducky
- USB flash drive (for the exploit over a physical medium only)
Note
It is possible to build this tool using the Rubber Ducky, but keep in mind that the RPi Pico costs about $4.00 while the Rubber Ducky costs $80.00.
However, while pico-ducky is a good and budget-friendly solution, the Rubber Ducky does offer things like stealthiness and support for the latest DuckyScript version.
In order to use Ducky Script to write the payload on your RPi Pico, you first need to convert it to a pico-ducky. Follow these simple steps in order to create pico-ducky.
A keystroke injection tool, once connected to a host machine, executes malicious commands by running code that mimics keystrokes entered by a user. While it looks like a USB drive, it acts like a keyboard that types in a preprogrammed payload. Tools like Rubber Ducky can type over 1,000 words per minute. Once created, anyone with physical access can deploy this payload with ease.
The payload uses the `STRING` command to process injection keystrokes. It accepts one or more alphanumeric/punctuation characters and types the remainder of the line exactly as-is into the target machine. `ENTER`/`SPACE` simulate a press of those keyboard keys.
We use the `DELAY` command to temporarily pause execution of the payload. This is useful when a payload needs to wait for an element, such as a command line, to load. A delay is especially useful at the very beginning, when the new USB device is connected to the targeted computer: the computer must complete a set of actions before it can begin accepting input commands. For HIDs, this setup time is very short, usually a fraction of a second, because the drivers are built-in. However, a slower PC may take longer to recognize the pico-ducky. The general advice is to adjust the delay time according to your target.
Data exfiltration is the unauthorized transfer of data from a computer or device. Once the data is collected, an adversary can package it, using encryption or compression, to avoid detection while sending it over the network. The two most common ways of exfiltration are:
- Exfiltration over the network medium. This approach was used for the Windows exploit. The whole payload can be seen here.
- Exfiltration over a physical medium. This approach was used for the Linux exploit. The whole payload can be seen here.
In order to use the Windows payload (`payload1.dd`), you don't need to connect any jumper wire between pins. Once passwords have been exported to the `.txt` file, the payload will send the data to the appointed email using Yahoo SMTP. For more detailed instructions, visit the following link. The payload template also needs to be updated with your SMTP information, meaning that you need to update `RECEIVER_EMAIL`, `SENDER_EMAIL`, and your email `PASSWORD`. In addition, you could also update the body and the subject of the email.
Note
After sending the data over email, the `.txt` file is deleted. You can also use SMTP from another email provider, but be mindful of the SMTP server address and port numbers you write in the payload.
Keep in mind that some networks could be blocking the usage of an unknown SMTP server at the firewall.
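On the detection side of the note above (an egress firewall blocking unknown SMTP), here is an added example, not from the original project, that scans connection-log lines for outbound TCP sessions to SMTP ports whose destination is not an approved relay. The `key=value` log format, the documentation-range addresses and the `APPROVED_RELAYS` allowlist are constructed assumptions.

```python
"""Flag outbound SMTP connections that bypass the approved mail relay.

Added example, not part of the original project. The payload above exfiltrates
over SMTP to a public provider, which an egress firewall may block. This is
the matching detection: scan connection-log lines for TCP sessions to SMTP
ports (25, 465, 587) whose destination is not an approved relay. Denied
attempts are reported too, because the attempt itself is the indicator.
The log lines, addresses (RFC 5737 documentation ranges) and the key=value
format are constructed for the demo.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

SMTP_PORTS = {25, 465, 587}
# Assumed allowlist: the organisation's own mail relay(s).
APPROVED_RELAYS: Set[str] = {"10.0.0.25"}

# Assumed log shape: "<ts> src=<ip>:<port> dst=<ip>:<port> proto=<proto> action=<allow|deny>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    action: str


def find_rogue_smtp(lines: Iterable[str], approved: Set[str] = APPROVED_RELAYS) -> List[Alert]:
    """Return one Alert per TCP connection to an SMTP port on a non-approved host."""
    alerts: List[Alert] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["proto"].lower() != "tcp":
            continue  # malformed line or non-TCP traffic: SMTP is TCP only
        dport = int(m["dport"])
        if dport in SMTP_PORTS and m["dst"] not in approved:
            alerts.append(Alert(m["ts"], m["src"], m["dst"], dport, m["action"]))
    return alerts


def by_source(alerts: Iterable[Alert]) -> Dict[str, int]:
    """Count alerts per internal host, the unit an analyst would triage."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.src] = counts.get(a.src, 0) + 1
    return counts


# Constructed sample: one legitimate relay session, one HTTPS session, two
# attempts to an outside SMTPS host (one allowed, one denied), a UDP line
# on the same port that must be ignored, and one malformed line.
SAMPLE_LOG = """\
2024-05-01T09:12:01Z src=10.0.0.5:51234 dst=10.0.0.25:587 proto=tcp action=allow
2024-05-01T09:12:07Z src=10.0.0.5:51240 dst=203.0.113.10:443 proto=tcp action=allow
2024-05-01T09:13:44Z src=10.0.0.17:49822 dst=198.51.100.42:465 proto=tcp action=allow
2024-05-01T09:13:45Z src=10.0.0.17:49823 dst=198.51.100.42:465 proto=tcp action=deny
2024-05-01T09:14:02Z src=10.0.0.17:49830 dst=198.51.100.42:465 proto=udp action=allow
this line is not in the expected format
"""

if __name__ == "__main__":
    found = find_rogue_smtp(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a.ts} {a.src} -> {a.dst}:{a.dport} ({a.action})")
    print(by_source(found))
```

The allowed session to 198.51.100.42:465 is the one that matters for an incident: a workstation that never sends mail directly has just opened an SMTPS session to an outside host, which is exactly the path the Windows payload uses.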
In order to use the Linux payload (`payload2.dd`), you need to connect a jumper wire between `GND` and `GPIO5` to comply with the code in `code.py` on your RPi Pico. For more information about how to set up multiple payloads on your RPi Pico, visit this link.
Fig. 1: Exploit on Linux
Once passwords have been exported from the computer, the data will be saved to the designated USB flash drive. In order for this payload to function properly, it needs to be updated with the correct name of your USB drive, meaning you will need to replace `USBSTICK` with the name of your USB drive in two places. In addition, you will also need to update the Linux `PASSWORD` in the payload in three places. As stated above, for this exploit to succeed you need to know the victim's Linux machine password, which makes this attack less plausible.
In order to run the `wifi_passwords_print.sh` script, you will need to update the script with the correct name of your USB stick, after which you can type the following command in your terminal:

```shell
echo PASSWORD | sudo -S sh wifi_passwords_print.sh USBSTICK
```

where `PASSWORD` is your account's password and `USBSTICK` is the name of your USB device.
NetworkManager is based on the concept of connection profiles, and it uses plugins for reading/writing data. The keyfile plugin uses an `.ini`-style format to store network configuration profiles, and it supports all the connection types and capabilities that NetworkManager has. The files are located in `/etc/NetworkManager/system-connections/`. Based on the keyfile format, the payload uses the `grep` command with a regex to extract the data of interest. For file filtering, a positive lookbehind assertion was used (`(?<=keyword)`). While the positive lookbehind assertion only matches at a certain position in the string, i.e. right after the keyword, without making that text itself part of the match, the regex `(?<=keyword).*` matches any text after the keyword. This allows the payload to match the values after the SSID and psk (pre-shared key) keywords.
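To show the defender's view of the same keyfile format, here is an added example (not part of the original project) that parses keyfiles with Python's `configparser` and audits the protections that make the Linux payload require `sudo` in the first place: root ownership, mode 0600, and whether the psk is stored in the file at all (`psk-flags=1` delegates it to a secret agent). The two keyfiles written by `demo()` are constructed, and the `expect_uid` parameter is an assumption of this script.

```python
"""Audit NetworkManager keyfiles for weak permissions and plaintext PSKs.

Added example, not part of the original project. The Linux exfiltration above
only works because the payload can read /etc/NetworkManager/system-connections/*
as root; NetworkManager keeps those keyfiles root-owned with mode 0600, so a
profile that has drifted from that (a hand-copied file, a backup left behind)
hands the secrets over without sudo. This script parses each keyfile with
configparser (the same ini-style format the grep/lookbehind approach reads)
and reports files that are group/world readable, not owned by the expected
user, or that store the psk in plaintext instead of delegating it to a secret
agent (psk-flags=1). The keyfiles in demo() are constructed; the values are
not real credentials.
"""
import configparser
import os
import stat
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List

# Where NetworkManager's keyfile plugin stores connection profiles.
KEYFILE_DIR = Path("/etc/NetworkManager/system-connections")


@dataclass
class Finding:
    path: str
    ssid: str
    issues: List[str] = field(default_factory=list)


def audit_keyfile(path: Path, expect_uid: int = 0) -> Finding:
    """Check one keyfile's ownership, mode and secret handling."""
    st = path.stat()
    issues: List[str] = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        issues.append(f"mode {oct(mode)} grants group/other access (expected 0o600)")
    if st.st_uid != expect_uid:
        issues.append(f"owned by uid {st.st_uid}, expected uid {expect_uid}")

    # Keyfiles are ini-style: [section] headers and key=value lines.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read(str(path), encoding="utf-8")
    ssid = cp.get("wifi", "ssid", fallback="<no ssid>")
    if cp.has_section("wifi-security"):
        psk = cp.get("wifi-security", "psk", fallback=None)
        # psk-flags=0 (the default) means NetworkManager stores the secret in this file.
        psk_flags = cp.getint("wifi-security", "psk-flags", fallback=0)
        if psk is not None and psk_flags == 0:
            issues.append("psk stored in plaintext; only file permissions protect it")
    return Finding(str(path), ssid, issues)


def audit_directory(directory: Path = KEYFILE_DIR, expect_uid: int = 0) -> List[Finding]:
    """Audit every regular file in the profile directory (reading the real one needs root)."""
    return [audit_keyfile(p, expect_uid) for p in sorted(directory.iterdir()) if p.is_file()]


# Constructed keyfiles for the demo: one that delegates its secret to an agent,
# one that keeps it inline and has been left group/world readable.
GOOD_KEYFILE = """[connection]
id=office
type=wifi

[wifi]
ssid=office-corp
mode=infrastructure

[wifi-security]
key-mgmt=wpa-psk
psk-flags=1
"""

LEAKY_KEYFILE = """[connection]
id=home
type=wifi

[wifi]
ssid=home-net

[wifi-security]
key-mgmt=wpa-psk
psk=example-not-a-real-passphrase
"""


def demo() -> Dict[str, List[str]]:
    """Write the constructed keyfiles to a temp dir and audit them; returns ssid -> issues."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        good = root / "office.nmconnection"
        good.write_text(GOOD_KEYFILE)
        good.chmod(0o600)
        leaky = root / "home.nmconnection"
        leaky.write_text(LEAKY_KEYFILE)
        leaky.chmod(0o644)  # the drift that lets a non-root reader take the psk
        # The temp files belong to whoever runs the demo, so expect that uid here;
        # a real audit of KEYFILE_DIR expects root (uid 0).
        return {f.ssid: f.issues for f in audit_directory(root, expect_uid=os.getuid())}


if __name__ == "__main__":
    for ssid, issues in demo().items():
        print(ssid, "OK" if not issues else "; ".join(issues))
```

Run against the real directory with `audit_directory()` as root; the plaintext-psk finding is informational (it is NetworkManager's default), while a mode or ownership finding means the password-gathering step of the payload no longer needs the victim's password at all.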
For more information about NetworkManager, here are some useful links:
Below is an example of the exfiltrated and formatted data from a victim's machine in a `.txt` file: `WiFi-password-stealer/resources/wifi_pass.txt` (lines 1 to 5 at commit f5b3b11).
One of the advantages of the Rubber Ducky over the RPi Pico is that it doesn't show up as a USB mass storage device once plugged in; the machine sees it only as a USB keyboard. This isn't the default behavior for the RPi Pico. If you want to prevent your RPi Pico from showing up as a USB mass storage device when plugged in, you need to connect a jumper wire between pin 18 (`GND`) and pin 20 (`GPIO15`). For more details visit this link.
💡 Tip:
- Upload your payload to RPi Pico before you connect the pins.
- Don't solder the pins because you will probably want to change/update the payload at some point.
When creating a functioning payload file, you can use the `writer.py` script, or you can manually change the template file. In order to run the script successfully you will need to pass, in addition to the script file name, the name of the OS (windows or linux) and the name of the payload file (e.g. payload1.dd). Below is an example of how to run the writer script when creating a Windows payload:

```shell
python3 writer.py windows payload1.dd
```
With a few minor modifications, the previously used scripts can also be adapted to run on the Bash Bunny. The Bash Bunny works by emulating a trusted USB device [1]. For this project, we'll configure it to emulate a flash storage device using the following command [1, 2]:

```
ATTACKMODE HID STORAGE
```
Using the DuckyScript `ATTACKMODE` command, we can define which type of device the Bash Bunny should emulate [1]. Each attack mode registers with the system using a unique USB Vendor ID (VID) and Product ID (PID) [1]. It's also possible to combine multiple attack modes by chaining them together.
Fig. 2: Bash Bunny Mark I plugged in a PC
The Bash Bunny supports the original DuckyScript commands, which is why I was able to reuse the script from the Rubber Ducky section. To use these commands inline, we need to prefix them with the `QUACK` command [1]. For example, instead of writing `WINDOWS r`, we write `Q WINDOWS r`.
To load payloads onto the Bash Bunny, the device must be set to arming mode (switch position 3, the one closest to the USB plug) [1]. Once connected, copy `payload.txt` and `exfil.txt` to either `payloads\switch1` or `payloads\switch2`. Payloads must be named `payload.txt` [1,2], while any supporting files referenced by the payload can be named freely.
For reference, the Bash Bunny mass storage directory structure is as follows [2]:

```
BashBunny/
├── loot/
│   └── (data exfiltrated from payloads will be saved here)
└── payloads/
    ├── library/
    │   └── (reusable scripts or modules)
    ├── switch1/
    │   ├── payload.txt
    │   └── (optional files, e.g., exfil.txt, scripts, etc.)
    └── switch2/
        ├── payload.txt
        └── (optional files)
```

Fig. 3: Bash Bunny Mass Storage Directory Structure
Once the script has finished executing, the results will be saved in `loot\wifi_pass.txt`. If the target computer has no saved WiFi passwords, the file will be empty.
Note
Since the Bash Bunny attack relies on a PowerShell script (`exfil.txt`), it can only be used on Windows systems. To use a similar approach on Linux, you'll need to modify the payload and replace the PowerShell script with the Bash script referenced in the Linux section above.
- This pico-ducky currently works only on Windows OS.
- This attack requires physical access to an unlocked device in order to be successfully deployed.
- The Linux exploit is far less likely to be successful, because in order to succeed you not only need physical access to an unlocked device, you also need to know the admin's password for the Linux machine.
- The machine's firewall or the network's firewall may prevent stolen data from being sent over the network medium.
- Payload delays could be inadequate due to the varying speeds of the computers on which an attack is deployed.
- The pico-ducky device isn't really stealthy; quite the opposite, it's really bulky, especially if you solder the pins.
- Also, the pico-ducky device is noticeably slower than the Rubber Ducky running the same script.
- If `Caps Lock` is on, some of the payload code will not be executed and the exploit will fail.
- If the computer has a non-English environment set, this exploit won't be successful.
- Currently, pico-ducky doesn't support DuckyScript 3.0; only DuckyScript 1.0 can be used. If you need the 3.0 version, you will have to use the Rubber Ducky. For this exploit, version 3.0 isn't needed!