Ever wondered how to make your own Rubber Ducky? I don’t want to compete with the Hakshop. First of all, if you can, purchase the original USB Rubber Ducky from them, because it is purpose-built for the job. It is better and faster for writing and executing payloads.

But what if you want to make your own USB Rubber Ducky? You will need:

  • Windows (Operating System)
  • USB 3.0 Flash Drive

Supported Flash Drives:

  • Patriot 8GB Supersonic Xpress* (almost all are now 2307 on Amazon [bought 9 from all 9 sellers])
  • Kingston DataTraveler 3.0 T111 8GB
  • Silicon Power Marvel M60 64GB
  • Patriot Stellar 64GB Phison
  • Toshiba TransMemory-MX USB 3.0 16GB (May ship with 2307)
  • Toshiba TransMemory-MX USB 3.0 8GB (May ship with 2307)
  • Kingston DataTraveler G4 64 GB
  • Patriot PSF16GXPUSB Supersonic Xpress 16GB
  • Silicon Power 32GB Blaze B30 (SP032GBUF3B30V1K)
  • Kingston Digital 8GB USB 3.0 DataTraveler (DT100G3/8GB)* – Using PS2251-03 (By the way, DriveCom.exe does not work for it; you need to use Phison MPALL Tools to burn the firmware.)
  • Verbatim STORE N GO 32GB USB 3.0
  • Verbatim STORE N GO V3 8GB USB 3.0 (May ship with 2307)

Make Your Own USB Rubber Ducky

Determining the Microcontroller of Our USB Flash Drive:

Before beginning, we need to make sure our USB drive uses a supported controller. We can use a program called Flash Drive Information Extractor to gather the required information about our USB drive.

Simply open the tool and hit the “Get USB Flash Drive Information” button while your USB drive is plugged into your PC. If your drive uses the Phison 2303 (2251-03) controller, the output should look similar to this:

However, if your USB device has a different controller, you most likely cannot reprogram it into a HID device with this exploit. Make sure to check the list of known supported devices in order to get one that will work.

In order to modify our supported USB drive, we have to build the tools which communicate with it. The source code is published on GitHub by Adam Caudill. Conveniently, Visual Studio comes with a neat feature that lets us clone the whole repository. You can even connect to VS from the GitHub website:

After cloning and opening the repository, you will most likely see three solutions:

  • DriveCom
  • EmbedPayload
  • Injector

We will need only DriveCom and EmbedPayload. Once a solution is open, you can compile it with Ctrl + Shift + B or from the menu bar: Build – Build Solution.

If you cannot clone the repository through Visual Studio, download the .zip file from GitHub and open the .sln files in each folder of the solutions. DriveCom and EmbedPayload should be in the …\Psychson\tools directory now: E:\Documents\Bad_USB\Psychson\tools.

Burner Image

A “burner image” is required for dumping and flashing firmware on your drive. These are typically named using the convention “BNxxVyyyz.BIN”. Burner images for Phison controllers can be found here. Even though the site is only available in Russian, you will find the download link if you search the page for “BN03.” BN stands for burner image, and 03 corresponds to PS2251-03. I extracted the files to E:\Documents\Bad_USB\Burner_Image\.

Any burner image should do the job, but you can use the newest version, which is indicated by the “Vyyy” part of the name.

Download Duck Encoder

The “Duck Encoder” is a Java-based cross-platform tool which converts scripts into HID payloads. It is based upon the Bad-USB called “Rubber Ducky” by Hak5. You can download it here. (Do not forget to install Java.) I saved it at E:\Documents\Bad_USB\DuckEncoder\.

Creating Custom Firmware

At this point, all our preparations are done and we can continue using the tools. In this step, we simply have to go to our …\Psychson\firmware\ directory and run build.bat. If everything goes right, you will see a new folder with many different files inside.

The fw.bin file is the file we will use in the following payload.

Writing a Script

You may ask yourself in which language we are going to write our script. Since the Duck Encoder is based upon “Rubber Ducky,” we will use “Duckyscript” as the language. The syntax is rather easy. More detailed instructions can be found here.

We will go ahead and create a .txt file in our preferred directory (E:\Documents\Bad_USB\DuckEncoder\script.txt). I thought of showing you something more interesting than a “Hello World” script, so I made this one:

As you may have guessed, with this script the Bad USB will “press” Windows + R and cause Windows to shut down immediately. In addition, you can clearly see that I wrote “/” instead of “-”. That’s because our “keyboard” (Bad USB) has a U.S. layout and Windows is set to DEU in my country. Keep in mind that we have to change the Windows layout to U.S. and write the script the way we usually would, or write it the way your victim’s PC would type it. Don’t be confused by the input.

You can even use custom scripts and do some reverse engineering here.

Converting It into an HID Payload

It is time to start using the Windows terminal – cmd.

java -jar "PATH to \duckencode.jar" -i "PATH to \script.txt" -o "PATH to \payload.bin"

Example:

java -jar E:\Documents\Bad_USB\DuckEncoder\duckencode.jar -i E:\Documents\Bad_USB\DuckEncoder\script.txt -o E:\Documents\Bad_USB\DuckEncoder\inject.bin

We won’t get any output, but inject.bin should be created, in my case in E:\Documents\Bad_USB\DuckEncoder\.

Embed the Payload in the Firmware

Now we need to use the tools we built with Visual Studio. As its name suggests, EmbedPayload embeds payloads. We simply have to execute it in cmd:

"PATH to EmbedPayload.exe" "PATH to payload" "PATH to the firmware we built"

For me, it is:

E:\Documents\Bad_USB\Psychson\tools\EmbedPayload.exe E:\Documents\Bad_USB\DuckEncoder\inject.bin E:\Documents\Bad_USB\Psychson\firmware\bin\fw.bin

Note that fw.bin includes the payload now. You can also overwrite the firmware by executing build.bat again.

Dumping the Current Firmware of the USB Flash Drive

I strongly advise you to make a copy of the current firmware on your USB flash drive in case you want to restore it. For any action we want to take on our USB, we have to use DriveCom, which is in our “tools” folder.

"PATH to DriveCom.exe" /drive="Drive Letter of our USB" /action=DumpFirmware /burner="PATH to our burner image" /firmware="PATH of the output.bin"

In my case:

E:\Documents\Bad_USB\Psychson-master\tools\DriveCom.exe /drive=F /action=DumpFirmware /burner=E:\Documents\Bad_USB\Firmware\BN03V117M.BIN /firmware=E:\Documents\Bad_USB\originalfw.bin

Flashing Firmware

Finally, we can hand over the very malicious shut-down payload embedded into the firmware to our USB flash drive:

"PATH to DriveCom.exe" /drive="Drive Letter" /action=SendFirmware /burner="PATH to our burner image" /firmware="PATH to the firmware"

In my case:

E:\Documents\Bad_USB\Psychson\tools\DriveCom.exe /drive=F /action=SendFirmware /burner=E:\Documents\Bad_USB\Firmware\BN03V117M.BIN /firmware=E:\Documents\Bad_USB\Psychson\firmware\bin\fw.bin

A successful output should look like this:

Notice that DriveCom switches our USB drive into boot mode automatically in order to flash the firmware. Now that our USB flash drive has become a keyboard, we can no longer switch modes with our tools, nor access the memory, but that is a minor problem. In the next section, I will focus on how to resolve this issue.

Setting Our Device into “Boot Mode” Manually

If you want to take further actions on your Bad USB, you will notice that neither DriveCom nor Windows nor any other operating system can access it, because it is a keyboard after all. We need to open the case of our USB drive and connect two pins of the microcontroller while plugging the drive into our PC. Since the circle is in the top left corner of my controller (from this perspective), I have to connect the two pins on the bottom left side:

You may need to open the picture in a new tab and zoom in.

I usually use the edge of a USB connector to connect these two pins. In addition, a USB extension cable can be very useful in this scenario. It seems to be difficult, but you will get used to this. Use whatever you feel most comfortable with, without damaging your USB flash drive. If you do it correctly, the drive will show up in Windows again:

Now we can modify our drive or flash the original firmware again. If not, your PC will shut down; try harder next time.

Make Your Own USB Rubber Ducky: Notes

The Bad USB may not work on every Windows PC, including mine, since it might be incapable of loading the drivers.

Keep in mind that you won’t be able to access the memory while your USB drive is faking a HID device.

Last Thoughts

The Bad USB is a powerful tool if you have access to your victim’s PC, even though Windows can be crap at loading the USB drivers. Moreover, it avoids AV detection since it is a keyboard rather than a virus.
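
File-scanning AV never sees the reflashed drive, but the host still records what each USB device claims to be when it enumerates, and that is where a defender can check. The following Python example is added here and is not part of the original post; the record format, host names, VID/PID values, serial numbers and allowlist are all constructed, and it assumes endpoint telemetry that captures the USB interface class and protocol of every device that is plugged in.

```python
from collections import defaultdict

MASS_STORAGE, HID = 0x08, 0x03   # USB interface class codes
KEYBOARD_PROTOCOL = 0x01         # HID boot-interface protocol: keyboard

# Constructed enumeration records (not a real log format):
# (time, host, vid, pid, serial, interface_class, interface_protocol)
SAMPLE_EVENTS = [
    ("09:00:01", "ws-17", 0x1111, 0x0001, "KB-A1", HID, KEYBOARD_PROTOCOL),
    ("09:12:40", "ws-17", 0x2222, 0x0300, "FD-77", MASS_STORAGE, 0x50),
    ("14:03:09", "ws-17", 0x2222, 0x0300, "FD-77", HID, KEYBOARD_PROTOCOL),
    ("14:20:55", "ws-22", 0x3333, 0x0042, "",      HID, KEYBOARD_PROTOCOL),
    ("14:21:30", "ws-22", 0x1111, 0x0001, "KB-B2", HID, KEYBOARD_PROTOCOL),
]

# Keyboards the asset inventory expects on each host (constructed).
APPROVED_KEYBOARDS = {"ws-17": {(0x1111, 0x0001)}, "ws-22": {(0x1111, 0x0001)}}


def find_suspicious(events, approved):
    """Return (time, host, device_id, reason) for keyboards worth a look."""
    seen_classes = defaultdict(set)   # device identity -> classes seen so far
    alerts = []
    for time, host, vid, pid, serial, cls, proto in events:
        ident = (vid, pid, serial)
        is_keyboard = cls == HID and proto == KEYBOARD_PROTOCOL
        if is_keyboard and MASS_STORAGE in seen_classes[ident]:
            # Same identity was a flash drive earlier and is a keyboard now.
            alerts.append((time, host, ident,
                           "storage device re-enumerated as keyboard"))
        elif is_keyboard and (vid, pid) not in approved.get(host, set()):
            # Independent of history: unknown keyboard model on this host.
            alerts.append((time, host, ident, "keyboard not in host allowlist"))
        seen_classes[ident].add(cls)
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_EVENTS, APPROVED_KEYBOARDS):
        print(alert)
```

The first rule only fires when the reflashed drive keeps the identity it had as storage; the allowlist rule does not depend on that.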

If you are thinking about simply showing up to insert our USB into a PC at an organization of your choice, please remember to carry a genuine USB flash drive in case you get caught, so you can escape easily.

Besides, I would like to mention that I really appreciate constructive feedback from you all. So don’t hesitate to PM me if you find any mistake or want me to improve something!

Regards, MY_OUZO