
Founded in 2005, Hak5's mission is to advance the InfoSec industry. We do this through our award winning podcasts, leading pentest gear, and inclusive community – where all hackers belong.
May 31, 2017 4 min read
A two second HID attack against Windows and Mac that launches the website of your choosing. That's by far the most effective security awareness payload for the USB Rubber Ducky.
Cyber security awareness building is important, and developing an effective security awareness program - or at least raising eyebrows that one is even necessary - doesn't need to be difficult.
Hot off the heels of the bank heist security awareness campaign in Beirut with Jayson Street (see Breakthrough - Cyber Terror on National Geographic), @Snubs and I set off to perform our own security awareness research. We were given the unique opportunity to present the keynote at AusCERT 2017 in the Gold Coast of Australia. Our talk was all about trust, convenience, and how USB and better yet Humans are the universal attack vector. CSO has a great write-up.
Essentially, we wanted to see if the cyber security community practiced what it preached, specifically whether it follows best practices with regard to foreign USB drives. What we found was astounding. Judging from our own informal poll, it seems many of us in the information security world don't even bother with basic anti-virus, so how would we fare as an industry against foreign USB drives?
Now I've spoken before about a 2-second USB Rubber Ducky payload which will grab Windows password hashes via SMB. It's a great payload for internal audits - so red teams take note. But for this engagement the last thing we wanted was any sensitive data.
Unlike Google, who conducted a similar USB drop at a university with the intent of obtaining reverse shells on the target machines, we opted for something completely benign. Our payload only launches a tiny URL, which takes the target to US-CERT Bulletin ST08-001: Using Caution with USB Drives. The US-CERT bulletin, from the National Cyber Awareness System, states:
Do not plug an unknown USB drive into your computer - If you find a USB drive, give it to the appropriate authorities (a location's security personnel, your organization's IT department, etc.). Do not plug it into your computer to view the contents or to try to identify the owner.
Of the 100 USB Rubber Ducky drives we dropped, we noticed 162 executions from 62 unique IP addresses throughout a 65-day period. Mind you, this was at a conference primarily made up of professionals working in the cyber security industry. Now, since we did not uniquely identify each drive's payload, we cannot determine the actual percentage plugged in. However, based on the unique factors we can track, the results do seem in line with Google's findings - that 48% of people do plug in USB drives found in parking lots.
The other data of interest indicated that targets were 68% Windows and 32% Mac. Browsers were 69% Chrome, 24% Safari and shockingly 7% Internet Explorer. The vast majority of executions were within the first week of the conference, however the long tail lasted until mid-April.
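How figures like these fall out of a tracking log, as an added example that is not part of the original post. The tab-separated log layout and the sample lines are constructed assumptions; the post does not show its log format.

```python
from collections import Counter

# Constructed sample (assumed layout: UTC time, peer IP, User-Agent, separated
# by tabs). IPs are documentation ranges; the last line is malformed on purpose.
SAMPLE_LOG = (
    "2017-01-10T01:02:03Z\t203.0.113.7\tMozilla/5.0 (Windows NT 10.0; Win64; x64) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36\n"
    "2017-01-10T01:09:41Z\t203.0.113.7\tMozilla/5.0 (Windows NT 10.0; Win64; x64) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36\n"
    "2017-01-11T22:15:00Z\t198.51.100.20\tMozilla/5.0 (Macintosh; Intel Mac OS X "
    "10_12_5) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.1.1 Safari/603.2.4\n"
    "2017-01-12T04:30:12Z\t198.51.100.21\tMozilla/5.0 (Windows NT 6.1; WOW64; "
    "Trident/7.0; rv:11.0) like Gecko\n"
    "not a log line\n"
)

# Order matters: Chrome's User-Agent also contains "Safari/", and Edge's
# contains both "Chrome/" and "Safari/".
BROWSERS = (("Edge", "Edg"), ("Chrome", "Chrome/"), ("Safari", "Safari/"),
            ("Firefox", "Firefox/"), ("Internet Explorer", "Trident/"),
            ("Internet Explorer", "MSIE "))
SYSTEMS = (("Windows", "Windows NT"), ("Mac", "Macintosh"), ("Linux", "Linux"))


def classify(agent, table):
    """Return the first label whose token appears in the User-Agent."""
    return next((name for name, token in table if token in agent), "Other")


def share(counter):
    """Turn raw counts into whole-number percentages."""
    total = sum(counter.values())
    return {k: round(100 * v / total) for k, v in counter.items()} if total else {}


def summarise(log_text):
    """Count executions, unique IPs and OS/browser shares; skip bad lines."""
    ips, systems, browsers, skipped = Counter(), Counter(), Counter(), 0
    for line in log_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            skipped += 1
            continue
        _, ip, agent = parts
        ips[ip] += 1
        systems[classify(agent, SYSTEMS)] += 1
        browsers[classify(agent, BROWSERS)] += 1
    return {"executions": sum(ips.values()), "unique_ips": len(ips),
            "os": share(systems), "browsers": share(browsers), "skipped": skipped}
```

Unique IPs are only a proxy for people or drives: several machines behind one NAT share an address, and one laptop can appear under several.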
Setting this up for your own security awareness campaign is dead simple. All you need is this payload, a few USB Rubber Duckies, a URL to point the payloads at and a few creative spots to leave the drives.
For the URL you could set up a website to let the user know they've broken corporate policy and to contact IT - or you could do what we did and send 'em to US-CERT. Either way you'll be able to track the executions. This can be done either with your own web server (preferably running PHP), or you can just use Google's goo.gl URL shortener to get the analytics.
Here's the PHP script which will log IP and browser data along with forwarding on the target to your URL of choice. Uncomment the mail command and change the SMS gateway if you want your phone to ding every time someone plugs one in :)
https://www.us-cert.gov/ncas/tips/ST08-001" /> Page Redirection If you are not redirected automatically, follow the https://www.us-cert.gov/ncas/tips/ST08-001">link.
You'll need to touch full-data.txt and summary.txt and chmod them accordingly.
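A tracking redirect of the kind described above, as an added example rather than the Hak5 script: it is a Python WSGI app instead of PHP, and the log layout (a tab-separated line in summary.txt, a JSON line in full-data.txt) and the `make_app` name are assumptions. It replaces control characters in request headers so a crafted User-Agent cannot forge log entries.

```python
import json
import re
from datetime import datetime, timezone

# Assumed layout (the post names the two files but not their format):
# summary.txt gets "time<TAB>ip<TAB>user-agent", full-data.txt one JSON line.
TARGET = "https://www.us-cert.gov/ncas/tips/ST08-001"
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def clean(value, limit=512):
    """Replace control characters so a header cannot forge extra log lines."""
    return CONTROL_CHARS.sub(" ", value)[:limit]


def record(environ, summary_path, full_path):
    """Append one execution to both logs and return the summary line."""
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    # REMOTE_ADDR is the TCP peer. X-Forwarded-For is client-supplied, so it
    # is kept only in the full log and never used as the address of record.
    ip = clean(environ.get("REMOTE_ADDR", "-"), 45)
    agent = clean(environ.get("HTTP_USER_AGENT", "-"))
    headers = {k: clean(v) for k, v in environ.items()
               if k.startswith("HTTP_") and isinstance(v, str)}
    line = f"{stamp}\t{ip}\t{agent}"
    with open(summary_path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    with open(full_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps({"time": stamp, "ip": ip, **headers}) + "\n")
    return line


def make_app(summary_path="summary.txt", full_path="full-data.txt"):
    """Build the WSGI callable; the log paths should sit outside the web root."""
    def application(environ, start_response):
        record(environ, summary_path, full_path)
        start_response("302 Found", [("Location", TARGET),
                                     ("Cache-Control", "no-store"),
                                     ("Content-Length", "0")])
        return [b""]
    return application


application = make_app()  # conventional WSGI entry-point name
```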
This cross-platform USB Rubber Ducky payload works against Windows, Mac and some Linux window managers which support URLs from the ALT+F2 menu (like Ubuntu's Unity).
    DELAY 1000
    ALT F2
    DELAY 50
    GUI SPACE
    DELAY 50
    GUI r
    DELAY 50
    BACKSPACE
    DELAY 100
    STRING http://example.com
    ENTER
Replace example.com with the URL of your choosing.
Finally, load up the ducks, find some enticing places to plant 'em, and watch the logs as humans do what humans do best.
As users and as a society, we expect technology to "just work".
As developers and systems administrators, in order to make things "just work", we typically need to put in hard coded trusts.
As hackers and penetration testers, wherever we find these hard coded trusts, it's simply a matter of telling the right lie. Something we learned to do from childhood.
Hacking is all about trust. As in life - trust is hard to build & easy to break. Hacking is violating the inherent trust in complex systems.
Happy Hacking!

Facts Only

Who: Hak5, cybersecurity company; attendees at AusCERT 2017 conference in Australia
What: USB Rubber Ducky security awareness campaign, using devices to direct users to a US-CERT Bulletin about the risks of unknown USB drives
When: Between the dates of the AusCERT 2017 conference (likely May 2017) and mid-April 2018
Where: Gold Coast, Australia

Executive Summary

In this article, the cybersecurity company Hak5 presents a security awareness campaign they conducted at the AusCERT 2017 conference in Australia. They used USB Rubber Duckies to test the cyber security community's adherence to best practices regarding foreign USB drives. The payload on these devices directed the user to a US-CERT Bulletin about the risks of using unknown USB drives. Out of the 100 USB drives planted, there were 162 executions from 62 unique IP addresses over a 65-day period, indicating that many cyber security professionals do not follow basic anti-virus practices. The data also showed that the majority of executions were Windows systems and that most browsers used were Chrome or Safari.

Full Take

In this analysis, we will first Steelman the narrative by acknowledging the strengths of Hak5's security awareness campaign. The company used a creative and effective method to test the cyber security community's adherence to best practices regarding foreign USB drives. However, we will also use the A.R.C. analytical framework to detect potential manipulation patterns and question assumptions underlying the narrative.
Pattern Scan:
Emotional exploitation: The article uses a sense of surprise and disbelief to emphasize the results of their test, but this is not a manipulative tactic as it is directly related to the findings of the campaign.
Distortion: There is no evidence of distortion or out-of-context framing in the article.
Bad faith: The authors do not engage in sealioning, attacking critics, or flooding with weak arguments.
False framing: The article does not present a false binary choice or use forced equivalence.
Evasion: There is no evidence of evasion or topic changes when cornered.
Authority games: The authors do not appeal to popularity, borrowed credibility, or jargon as a smokescreen.
Systemic: There is no evidence of mission drift from the stated purpose or predatory "liberation" rhetoric in the article.
Root Cause:
The root cause driving this narrative is the need for cyber security awareness and education, particularly among professionals in the field. The authors aim to highlight the importance of following best practices regarding foreign USB drives and raise awareness about the risks associated with them.
Implications:
This campaign highlights a potential gap in the cyber security community's adherence to best practices regarding foreign USB drives. If a significant portion of professionals in the field are not following basic anti-virus practices, it raises concerns about the overall security posture of organizations and the industry as a whole.
Bridge Questions:
What steps can be taken to improve cyber security awareness and education within the cyber security community?
How can organizations ensure that their employees follow best practices regarding foreign USB drives?
What other areas of cybersecurity best practices need more attention from professionals in the field?