Over Employed Rubber Ducky

go back / p4p1


Created on Fri. 25 aug 2022



Consider this post as a big joke I don't condone being lazy at work :). I had a reputation in my old company to have automated a lot of their processes and was able to mess around for most of my days doing pentesting instead of actual SOC work with the use of selenium. One day I will do a blog post about selenium and using it for profit but this one is going to be different.

After receiving a meme from a friend of mine about your boss catching you away on MS teams while working from home and then installing a mouse randomiser on your computer to randomly move your mouse around to "fake" work. I had the brilliant of using the USB rubber ducky to spit out a bunch of Lorem Ipsum so that the computer never turns off.

Planning

When I start working on this kind of project I will always start by google-ing stuff randomly up until I have a point of entry. I do know about the rubber ducky I did actually build a library for arduino uno as a young hacker does when he is broke and cant buy a rubber ducky. I just never worked with an actual rubber ducky before this project. Here is a video of me showcasing my library :) FYI: I did enable privacy enhanced mode so that the only way google is legally allowed to store your information from this page is if you click play

I did decide to buy one for last Christmas but never thought on how to use it other than for a red team engagement.

So after looking through the internet about the rubber ducky most of the information I could find was about the new USB rubber ducky it is a bit of a shame because I have the old model and not the new one. This did make 1 hour of my research useless, but you know you live you learn. After reading through some documentation I learned about ducky script again 2 simple commands that can be used for this to work.

Ducky Script

The main two commands that I found useful for this engagement where the following:

STRING

The string command is used to type a specified string with the ducky:

          
            STRING Lorem ipsum dolor
          
        
DELAY

The delay command is used to way a certain amount of time in milliseconds:

          
            DELAY 1000
          
        

Programming

Using this knowledge I can write a simple routine that will last 15min to type in some lorem ipsum and basically keep the session on the computer online:

Now because this routine lasts around 58 minutes with all of the delays you would need 7 of them to represent a full day of work. The full script if uploaded to a github gist and can be found below:

Compiling

To save this script to the rubber ducky I then needed to compile it using the duckencoder java program because the new web portal does not function properly with my old rubber ducky.

Here is the command I used so that it can be copy pasted:

          
            $ java -jar duckencoder.jar -i ./payload.txt -o inject.bin
          
        

Using that bin file you can now transfer it to the USB rubber ducky sd-card and have fun :)


I hope you enjoyed this little post it is currently 2 am and I am exhausted even though I'll mess around making "fake" work programs I do have a job that just nuked my brain today :). This entire project did remind me of this website I found a while ago called overemployed.com I found the concept hilarious of using tricks like that to work 2 full time jobs at the same time I probably could have with my last job seeing I managed to automate everything :).