TekThing 145 – 3 Photo Apps For Better Phone Photos! Shure SE215 Earphone Review, Best Wire Cutter For Makers!

Awesome Android Photography Apps! Shure SE215 Sound Isolating Earphone Review, Best Wire Cutter For Makers Costs $5!
01:42 Android Photography
Anthony asks “could you give some advice on the best settings or android apps to use for smartphone photography?” Sure! Shannon’s got a ton of tips that’ll work with iOS, too… we talk VSCO, Snapseed, and Adobe’s Lightroom photo apps, and gadgets like lenses in the video!
https://play.google.com/store/apps/details?id=com.vsco.cam&referrer=utm_source%3Dcorporate%26utm_medium%3Dcorpweb v

14:26 Shure SE215 Review
Can Shure’s entry level in ear monitor, the SE215 Sound Isolating Earphones, replace 1MORE’s Triple Driver as our favorite earbud under $100? Watch the video to find out… especially if you need in ear monitors that block background noise, or constantly trash headphone cables!!! (Earbuds around $25? Check The Wirecutter!)

The Best Earbuds Under $50

22:51 Wire Cutters for Electronic Makers!
JayLuigi tweets, “@patricknorton I can’t remember the wire snippers you recommended heeeelp??” For most things? Channellock! But you probably saw us using Haako’s CHP-170 Micro Soft Wire Cutter!

25:21 Blocking Facebook Photos You Don’t Want To See
Lance asks, “how can we hide someone’s FaceBook photos from our eyes without stopping people who what to see them.” We discuss your options, and Facebook Notification Settings, in the video.

29:16 Search for Books and eBooks In Your Local Library!
From the we had no idea department, You can now check for ebooks at your local libraries on Google Search! We demo how it works (and where you look for ’em) in the video!

30:38 Do Something Analog
Like Mark, who tells us about the Mayowood Mansion, picking apples, and “over 300 bushels (600 5-gallon pails) of black walnuts with our 4H club” in the video! Awesome!
Thank You Patrons! Without your support via patreon.com/tekthing, we wouldn’t be able to make the show for you every week!
Amazon Associates: http://amzn.to/2gm9Egf
Subscribe: https://www.youtube.com/c/tekthing
Website: http://www.tekthing.com
RSS: http://feeds.feedburner.com/tekthing
HakShop: https://hakshop.myshopify.com/
Twitter: https://twitter.com/tekthing
Facebook: https://www.facebook.com/TekThing
Reddit: https://www.reddit.com/r/tekthingers

Source: Security news

Source: Zologic

Private, Public, or Hybrid? Finding the Right Fit in a Bug Bounty Program

How can a bug bounty not be a bug bounty? There are several reasons. Here’s why you need to understand the differences.
Source: Vulnerabilitys & Threats

Hak5 2304 – Operating System Detection with the Bash Bunny and A Heartfelt Goodbye

Please join us in saying goodbye to our favorite feline, Kerby Kitchen, who was with us since September 2001. We miss her dearly.

Please consider donating to The Humane Society or your favorite animal charity in honor of Kerby. http://www.humanesociety.org Thank you, and thank you for your support. We love you all

Shop: http://www.hakshop.com
Support: http://www.patreon.com/threatwire
Subscribe: http://www.youtube.com/hak5
Our Site: http://www.hak5.org
Contact Us: http://www.twitter.com/hak5
Threat Wire RSS: https://shannonmorse.podbean.com/feed/
Threat Wire iTunes: https://itunes.apple.com/us/podcast/threat-wire/id1197048999
Help us with Translations! http://www.youtube.com/timedtext_cs_panel?tab=2&c=UC3s0BtrBJpwNDaflRSoiieQ

Source: Security news

Source: Zologic

Hacker Tactics – Part 3: Adversarial Machine Learning

Adversaries are constantly changing and improving how they attack us. In this six-part series we’ll explore new or advanced tactics used by threat actors to circumvent even the most cutting-edge defenses.

The overwhelming trend right now is to take problems old, new, and of large scale and apply machine learning or artificial intelligence to them. It’s so ubiquitous that many of the consumers of machine learning results are unaware. This increased trust and reliance on machine learning results brings new threats and requires new thinking around security of it.

What is adversarial machine learning? (And what’s machine learning?)

Machine learning is the method of allowing a system to learn a complex model based on data that is labeled and trained by people. The system can then compare future unlabeled data to that model to determine how closely it fits in the form of a score or category. Any score or category that is applied to more data than consumer interactions or employees behind that data is likely machine learning based. Mature machine learning systems have automation built around the labeling and collection of data to keep the models up to date and relevant. This makes a big difference in accuracy but is the first area of concern.

Results are usually accurate when training data is hand-selected and the results are closely examined. The rest of the time the process of tuning a model is much more automated to keep up. The system will regularly take labeled data from various sources to update the model. It makes the assumption that this data is accurate and should be used to improve the model. If the data submitted is off or intentionally wrong, the model is then thrown off.

You’ve likely experienced this first hand. For example, if someone has logged into your Amazon or Netflix accounts as you, all account activity is falsely assumed to be yours. The following recommendations are subsequently different because of the selections they made. This is a pretty benign (if not annoying) scenario, but the same concept can be applied to security and business decisions.

Malicious actors engage in adversarial machine learning when they deliberately manipulate the input data. Exploiting vulnerabilities of the learning algorithm in this way can compromise the security of the entire system.

Examples of adversarial machine learning include:

Biometric recognition
Attackers may target biometric recognition, where they can then:

  • Impersonate a legitimate user via fake biometric traits (biometric spoofing)
  • Compromise users’ template galleries that are adaptively updated over time

Computer Security
Malicious actors can exploit machine learning in computer security by:

  • Misleading signature detection
  • Poisoning the training set
  • Replacing the model elasticity

Spam filtering
Attackers may obfuscate spam messages by misspelling bad words or inserting good words.

Why is it used?

We rarely question results, ask where they come from, or how they might change. It’s relatively new, and being defensive with it always lags behind. The technology’s ability to adapt is the core reason it’s used and also makes it easier to exploit.

How is it advanced?

Adversarial machine learning is advanced largely due to the complexity of machine learning itself. Malicious actors would need a thorough understanding of how machine learning works.

No matter how confident someone may be of the accuracy of their training set, an attacker can manage to replace the model directly if it is not protected. This doesn’t require anything specific to machine learning as a practice, it’s just not often listed as a critical asset.

Machine learning security products can also be exploited by adversaries to an extent. They are tuned to avoid false positives as much as possible. If your model is supposed to find something bad and you are mimicking something good according to the model it will think it’s good. This will also not throw any alarms. Detection evasion is therefore one of the oldest and most commonly used malicious activities.


In this now famous and simple example (https://arxiv.org/abs/1412.6572), once the random snow is added to the training set the model is much more confident that the picture is a random snow than it ever was sure it was a panda.

In order to prevent the pandas from being classified as random pixels you need some sort of checks on the data before it is used in the training set. This can be difficult to get right because if you overly define it, it will limit the flexibility of the model to find unintuitive relationships.

There’s a more detailed exploration of techniques here: https://blog.openai.com/adversarial-example-research/. This needs to be translated to other contexts as well.

How do you defend against adversarial machine learning?

1) Add security measures to automated training of machine learning

2) Protect access to machine learning models

3) Make creation of results transparent

4) Notify when when something is outside the model

Something that is rarely mentioned is how machine learning results are presented. They are usually very opaque. Going back to Netflix as an example, when you see a recommendation that has you questioning your taste in media you can see a brief “recommended because: … ” and you can then point to the family member that poisoned your training set or recognize you have some outliers in your taste.

This is rarely done in other products, especially in security solutions. This is a critical component in catching issues in the process. If you see an IP address and a risk score, you probably don’t have any more information than what was used to create the score so you have to trust it or know how it used that information to create that score. Due to the nature of machine learning, it’s not as easy as showing an arithmetic equation. However there are some things that would help and machine learning can provide.

1. Machine Learning Model: This lets you know the approximate technique used

2. Key training samples: What are the top matches?

3. Top factors with weight: There are hundreds or more data points that are used in these models. In each result there are top data points that made an impact in that result.

With this information available you could identify a number of things that need to be adjusted or have more trust in the result.

One of the scarier realities about machine learning attacks is that they are not isolated to security products. They are everywhere and integrated into our lives. The more we trust them without being able to verify the more vulnerable we become.

Click here to check out the second part of this series, Supply Chain Attacks. Up next in the series: Exploiting Vulnerabilities through Malicious Office Documents.

Source: Honeypot Tech

WTB: Flawed Apple Mac Firmware Updates May Leave Them Vulnerable to Attack

The intelligence in this week’s iteration discuss the following threats: Data breach, Data theft, Malspam, Phishing, Targeted attacks, and Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

Flawed Apple Mac Firmware Updates May Leave Them Vulnerable to Attack (September 29, 2017)
Duo Labs researchers have discovered that some Mac systems’ Extensible Firmware Interface (EFI) are vulnerable to sophisticated attacks. While Apple has addressed this vulnerability in a security update, researchers identified that some instances of Mac EFI’s were not updated along with the security update. This led to researchers finding of approximately 73,000 machines that are affected by firmware vulnerabilities.
Recommendation: Mac users should update to the most recent version of Mac OS version 10.12.6 as soon as possible, if it has not been applied already. This update provides the latest EFI firmware and provides features that address known vulnerabilities.
Tags: Vulnerability, Mac firmware

Whole Food Investigates Payment Card Breach (September 29, 2017)
The U.S.-based supermarket chain “Whole Foods” has acknowledged that its Point of Sale (POS) systems at some locations were compromised by unknown actors. Whole Foods states that its primary store checkout systems were not infected, but instead the POS systems location in taprooms and full table-service restaurants located within some stores. As of this writing, it is unknown how many locations were compromised and how many individuals may be affected via stolen credit card information.
Recommendation: Customer facing companies that store credit card data must actively defend against Point-of-Sale (POS) threats and stay on top of industry compliance requirements and regulations. All POS networks should be aggressively monitored for these type of threats. In the case of FastPoS infection, the affected networks should be repopulated, and customers should be notified and potentially offered fraud protection to avoid negative media coverage and reputation.
Tags: Breach, Data theft, POS

Money-Making Machine: Monero-Mining Malware (September 28, 2017)
ESET researchers have discovered a malware campaign that has been ongoing since at least May 2017. Actors are targeting unpatched Windows webservers with a malicious “Monero” cryptocurrency mining malware. The malware is a modified version of the open source Monero mining software “xmrig” that exploits the known vulnerability “CVE-2017-7296” located in unpatched “Microsoft ISS 6.0” servers. As of this writing, researchers state that the actors behind this campaign have created a botnet that has mined Monero worth approximately $63,000 USD.
Recommendation: It is crucial that your company ensure that servers are always running the most current software version. In addition, your company should have policies in place in regards to the proper configurations needed for your servers in order to conduct your business needs safely. Furthermore, always practice Defense in Depth (do not rely on single security mechanisms – security measures should be layered, redundant, and failsafe).
Tags: Vulnerability, Unpatched webserver, Malicious cryptocurrency miner, Monero

Banking Trojan Attempts to Steal Brazillion$ (September 28, 2017)
Cisco Talos researchers have identified a new banking trojan campaign that is targeting South American banks, primarily those located in Brazil. The malware is being distributed via malspam. The emails purport that the recipient has received an invoice and to open the .html attachment to view. The attachment contains a link that will direct the recipient to a goo[.]gl URL shortener that will then redirect another location that will download the archived malware (RAR). If the file is decompressed and the JAR file (which masquerades as an invoice) is clicked on, the installation process of the banking Trojan will begin. The malware will use web injections to steal banking credentials.
Recommendation: Always be on high alert while reading email, in particular when it has attachments, attempts to redirect to a URL, comes with an urgent label, or uses poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders.
Tags: Malspam, Banking trojan

Tech Support Scammer Abuse Native Ad and Content Provider Taboola to Serve Malware (September 28, 2017)
Threat actors are taking advantage of native advertising to engage in malvertisement campaigns, according to Malwarebytes researchers. Rogue advertisement companies are displaying legitimate advertisements to increase their reputation, and then switch to displaying malvertisements at a later point in time. Researchers discovered this tactic has affected websites that use the services of the popular native advertising and content provider “Taboola”. Taboola’s content appears on websites that receive significant traffic such as msn[.]com. If the malvertisements are clicked, users will be redirected a tech support scam page. The warning on the website claims that the user’s computer has crashed and requests that a provided number be called to receive assistance.
Recommendation: Users should be cautious when clicking on advertisements because as this story portrays, malicious advertisements can sometimes appear on legitimate online locations. If the advertised product is appealing, it would be safer to search for the product on the authentic website of the company who is selling the product, or other trusted online shopping locations. The same logic can be applied to advertised news stories, it would be safer to search for the story or headline on trusted media sources instead of following advertisements.
Tags: Malvertising, Tech support scam

Phish For The Future (September 27, 2017)
An advanced persistent spear phishing campaign has been found to have occurred between July 7 and August 8, 2017, according to the Electronic Frontier Foundation. The spear phishing campaign targeting employees of “Non-Governmental Organization (NGO) for the Future and Free Press.” The actors’ objective in the campaign is to steal credentials for business-related services such as Dropbox, Google, and LinkedIn. The actors used tabloid-style headlines, as well as scare tactics such as a notification for a work-related email that had subscribed to an adult content website. A recipient may then follow the link to a fake Google login page and enter their credentials to unsubscribe.
Recommendation: Spear phishing emails represent a significant security risk because the sending email will often appear legitimate to the target; sometimes a target company email is compromised and used for such emails. Education is the best defense, inform your employees on what to expect for information requests from their managers and colleagues. Employees should also be aware of whom to contact when they suspect they are the target of a possible spear phishing attack.
Tags: Spear phshing, Credential theft

Stored Cross-Site Scripting Vulnerability in WordPress 4.8.1 (September 26, 2017)
Sucuri researchers have found a Cross-Site Scripting (XSS) vulnerability that affects the open source content management system “WordPress,” specifically, version 4.8.1. Researchers state that the vulnerability requires access to a “Contributor” account on the targeted site, or any account in a WordPress installation with the “bbPress” plugin that has posting abilities. The vulnerability can allow an actor to send a post or topic with a crafted XSS payload, which will execute when an administrator comes to review the post and clicks “Save” or “Preview.” This can result in malicious actors remotely executing arbitrary code to send an authenticated request that can edit the website’s PHP code that can lead to taking full control of the website.
Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
Tags: Vulnerability, WordPress

Apple Releases Security Update for iOS (September 26, 2017)
The U.S. Computer Emergency Response Team (CERT) has issued an alert regarding Apple’s latest security update in iOS 11.0.1. The update addresses vulnerabilities that a threat actor could exploit remotely. A successful exploitation could allow an actor to take full control of an affected device.
Recommendation: The U.S. CERT advises Apple customer to review the Apple security page located at “https://support.apple.com/en-us/HT208143” and apply the necessary update.
Tags: Vulnerability, iOS, Alert

Breach at Sonic Drive-In May Have Impacted Millions of Credit, Debit Cards (September 26, 2017)
The U.S. restaurant chain “Sonic Drive-In” has confirmed that it was the subject of a data breach that affects an unknown number of restaurant payment systems, according to KrebsOnSecurity. Researchers believe that ongoing breach has potentially resulted in in actors selling millions of stolen credit and debit card account on underground markets.
Recommendation: Bank accounts and credit card numbers should be protected with the utmost care, and only used with vendors that you trust to keep your information in compliance with the relevant standards. Regular monitoring of financial accounts in addition to identity protection and fraud prevention services can assist in identifying potential theft of data.
Tags: Breach, Data theft, Sonic, Credit and debit cards

Proof-of-Concept Exploit Code Published for Remote iPhone 7 Hack (September 26, 2017)
The Google Project Zero team has published proof-of-concept code for a vulnerability that affects iPhone 7 handsets. The researchers state that if the exploit is executed successfully, a threat actor could implant a backdoor into the firmware. This would allow a remote actor to be able to read and write commands “to be issued to the firmware via crafted action frames, thus allowing easy remote control over the Wi-Fi chip.” Additionally, this exploit can be executed without the need of any user interaction. Apple has issued a security update to fix this vulnerability. This vulnerability is not limited to iPhone 7 but affects any device that Broadcom WiFi chips running the firmware version BCM4355C0.
Recommendation: This story portrays the potential risk that exists if security updates for devices are applied. Employees should be informed on the dangers of not applying security updates to personal and professional devices. Policies should be in place to apply security updates as soon as possible. Apple has released a security update for both iPhone’s iOS and Apple TV’S tvOS. Google has also patched the vulnerability for Android. To check if your Android phone is updated, go to “Settings” -> “About Device” -> “Software info” and check to see if the “Android security patch level” is at least “2017-09-05.”
Tags: Vulnerability, iPhone 7, Wi-Fi

XPCTRA Malware Stealing Banking and Digital Wallet User’s Credentials (September 25, 2017)
Incident handler, Renato Marinho, has published his findings a new trojan dubbed, “XPCTRA” that is being distributed via a malspam campaign. The emails claim that the link in the body of the email leads to PDF form invoice, but will lead the recipient to download an executable file. The executable file (dropper) will download a zip file, which is subsequently unzipped and executes the malware payload. The malware is capable of multiple forms of malicious activity. It can monitor and intercept traffic to financial institution websites, as well as stealing banking and email credentials.
Recommendation: All employees should be educated on the risks of malspam, specifically, how to identify such attempts and whom to contact if a phishing attack is identified. Emails that request that the recipient follow a link that then asks for credentials to be entered is often an indicator of a phishing attack.
Tags: Malware, Banking, XPCTRA

Deloitte Hit by Cyber-Attack Revealing Clients’ Secret Emails (September 25, 2017)
The London registered and U.S.-based accounting firm “Deloitte” has confirmed that it was the target of a sophisticated attack that resulted in confidential information being stolen. The compromised resulted in sensitive information such as confidential emails, and plans of some of their blue-chip clients. Additionally, the unknown threat actors also had the potential to access to architectural diagrams for business and health information, IP addresses, usernames, and passwords. Deloitte discovered the breach in March 2017, however, it appears that the actors had access to Deloitte global email server since October or November 2016.
Recommendation: Ensure that your server is always running the most current software version. Additionally, maintaining secure passwords for RDP and other remote access systems is paramount, and passwords should be changed on a frequent basis. Intrusion detection systems and intrusion prevention systems can also assist in identifying and preventing attacks against your company’s network. Furthermore, always practice Defense in Depth (do not rely on single security mechanisms – security measures should be layered, redundant, and failsafe).
Tags: Breach, Data theft

Source: Honeypot Tech

The State of Ransomware

Ransomware has become one of the most prevalent new cybersecurity threats faced by today’s enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization’s ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Source: Vulnerabilitys & Threats

Ducky Script – USB Rubber Ducky 101

Ducky Script is the language of the USB Rubber Ducky. Writing scripts for can be done from any common ascii text editor such as Notepad, vi, emacs, nano, gedit, kedit, TextEdit, etc.


Ducky Script syntax is simple. Each command resides on a new line and may have options follow. Commands are written in ALL CAPS, because ducks are loud and like to quack with pride. Most commands invoke keystrokes, key-combos or strings of text, while some offer delays or pauses. Below is a list of commands and their function, followed by some example usage.


Similar to the REM command in Basic and other languages, lines beginning with REM will not be processed. REM is a comment.
REM The next three lines execute a command prompt in Windows


DEFAULT_DELAY or DEFAULTDELAY is used to define how long (in milliseconds * 10) to wait between each subsequent command. DEFAULT_DELAY must be issued at the beginning of the ducky script and is optional. Not specifying the DEFAULT_DELAY will result in faster execution of ducky scripts. This command is mostly useful when debugging.
REM delays 100ms between each subsequent command sequence


DELAY creates a momentary pause in the ducky script. It is quite handy for creating a moment of pause between sequential commands that may take the target computer some time to process. DELAY time is specified in milliseconds from 1 to 10000. Multiple DELAY commands can be used to create longer delays.
REM will wait 500ms before continuing to the next command.


STRING processes the text following taking special care to auto-shift. STRING can accept a single or multiple characters.
STRING | a…z A…Z 0…9 !…) `~+=_-“‘;:<,>.?[{]}/|!@#$%^&*()
STRING notepad.exe
STRING Hello World!


Emulates the Windows-Key, sometimes referred to as the Super-key.
REM will hold the Windows-key and press r, on windows systems resulting in the Run menu.


Emulates the App key, sometimes referred to as the menu key or context menu key. On Windows systems this is similar to the SHIFT F10 key combo, producing the menu similar to a right-click.
REM Switch to desktop, pull up context menu and choose actions v, then d toggles displaying Windows desktop icons


Unlike CAPSLOCK, cruise control for cool, the SHIFT command can be used when navigating fields to select text, among other functions.
REM this is paste for most operating systems


Found to the left of the space key on most keyboards, the ALT key is instrumental in many automation operations. ALT is envious of CONTROL
ALT |END, ESC, ESCAPE, F1…F12, Single Char, SPACE, TAB
STRING notepad.exe
STRING Hello World
REM alt-f pulls up the File menu and s saves. This two keystroke combo is why ALT is jealous of CONTROL's leetness and CTRL+S


The king of key-combos, CONTROL is all mighty.
CONTROL | BREAK, PAUSE, F1…F12, ESCAPE, ESC, Single Char | | CTRL | BREAK, PAUSE, F1…F12, ESCAPE, ESC, Single Char
REM this is equivalent to the GUI key in Windows

Arrow Keys


Extended Commands

These extended keys are useful for various shortcuts and operating system specific functions and include:

Source: Security news

Source: Zologic

Optimizing and Obfuscating Payloads – USB Rubber Ducky 101

Obfuscation and Optimization

While this post isn’t intended to be a comprehensive list of obfuscation and optimization techniques, these three simple examples effectively illustrate the concept.


So what is obfuscation? Obfuscation is all about reducing the visibility of the payload, or simply put – making it stealthier. This is crucial in a social engineering deployment scenario. If a payload is too long, or too “noisy” it’s more likely to be noticed and thwarted. With that in mind, let’s look at two simple examples of obfuscating the Windows command prompt.

Our ducky script begins with a common combination of keystrokes which opens the Windows command prompt.

DELAY 1000

From here we typically have a large black and white terminal window open – which to laymen may look intimidating. Let’s reduce that visibility.

STRING mode con:cols=18 lines=1

The first command, “color FE“, sets the command prompt color scheme to yellow text on a white background. Unfortunately the same color cannot be set as both background and foreground, however a yellow on white command prompt is very difficult to read and will obscure our payload. For a complete list of color combinations, issue “color *” in a terminal. Bonus: For 1337 mode, issue “color a

The next command, “mode con:cols=18 lines=1” reduces the command prompt window size to 18 columns by 1 line. This, in combination with the above color command, creates a very small and extremely difficult to read command prompt. Best of all, while this makes reading the payload difficult by any observer, it does not impact the function of the payload in any way. The computer simply doesn’t care that the command prompt is illegible.

Finally we’ll execute our command. Let’s pick something silly that’ll take some time to run, just for fun. In that case we’d add to our obfuscated payload the following:

STRING tree c: /F /A
DELAY 20000

The above tree command will map the file and directory structure of the C drive in ASCII. Even with the fast solid state drive in my development computer, this task takes about 20 seconds to complete. Afterwards, when our nefarious tree command finishes, we’ll want to close the command prompt in order to prevent our target user from noticing our devilish deeds. So for that we’ll need to add a 20 second delay, followed by the exit command to close the command prompt. While we may be able to issue the “exit” and ENTER keystrokes while the tree command is executing, depending on the complexity of the running process there is no guarantee it will issue.

By adding up the delays and keystrokes of this ducky script, we can approximate this payload to require around 23 seconds to execute.


What about optimization? If obfuscation is all about making a payload stealthier, optimization is all about making it faster. Short of injecting keystrokes faster, often times a little finesse can go a long way in reducing unnecessary delays. Let’s take a crack at optimizing the above “tree” attack payload while maintaining its obfuscation.

DELAY 1000
STRING cmd /C color FE&mode con:cols=18 lines=1&tree c: /F /A

These 5 lines of ducky script executes the exact same payload as the previous 15-line version, and executes in less than 3 seconds instead of 23! Now, the command prompt is still open for around 20 seconds while the tree command completes, but no further action from the USB Rubber Ducky is needed once the single command is run. Meaning, seconds after plugging in the USB Rubber Ducky, it can be safely removed while the tree command continues to run. Let’s take a look at how.

Similar to the first version, we open the Windows Run dialog and enter the “cmd” command in order to open a command prompt, but rather than just open the prompt we’ll pass it a few parameters and commands. The first is “/C“, which tells the command prompt to close once the command completes. Alternatively if we were to issue “/K” for “keep“, the command prompt would stay visible even after the tree command completes.

The rest of the payload is to string together all of the commands. By placing an ampersand symbol (&) in between our commands, we can string them together on one line. in our case this is “color“, “mode“, and “tree“. This is what we would call a one-liner payload since it utilizes just a single STRING command.

Aside from being able to unplug the USB Rubber Ducky as soon as the Run dialog completes, this payload is also more reliable. The biggest issue with the first version was the 500 ms delay between issuing “cmd” and beginning to type the commands.

Any time a payload must wait on a GUI element, a reliability issue can occur. If the target computer were running slowly, and more than a half-second were required in order to open the command prompt, the payload would have failed.

Optimizing the Optimized

Our obfuscated and optimized tree attack ducky script is great, but like all ducky scripts there’s always room for even more improvement.

DELAY 1000
STRING cmd /C "start /MIN cmd /C tree c: /F /A"

Like CMD inception, the above ducky script is even more optimized. Notice the “color” and “mode” commands have been removed, and instead the “cmd /C tree c: /F /A” command has been wrapped inside another “cmd /C” command.

The first “cmd” issues the second with the leading “start /MIN” command. The “start” command executes everything following with the parameter “/MIN“. The “/MIN” parameter opens the second “cmd” window in a minimized state.

Since the first “cmd” running the “start” command completes in an instant, the command prompt is only visible for a split second. The second “cmd“, which is actually executing our “tree c: /F /A” command, is left minimized in the background mapping the file and directory structure of the C drive.

The result is a script which executes even faster than before, having typed only 42 characters instead of 56. This new version is actually even more obfuscated than the previous one with the tiny yellow on white command prompt, because it’s command prompt is minimized the entire time the tree command is running.

This is just one benign example of an optimized and obfuscated USB Rubber Ducky payload, though it illustrates greatly the importance of taking the time to finesse any ducky script.

Source: Security news

Source: Zologic

Writing your first USB Rubber Ducky Payload

Your First Payload

Writing a successful payload is a process of continuously researching, writing, encoding, testing and optimizing. Often times a payload involves re-writing the ducky script, encoding the inject.bin and deploying the payload on a test machine several times until the desired result is achieved. For this reason it’s important to become familiar with the payload development process and and encoding tools.

Let’s begin by defining our objective. In this example, we’ll assume that steps 0-2 (pre-engagement interactions, reconnaissance and targeting) have resulted in an objective of: Type the historic “Hello World” words into the Windows notepad program. How devious!


If our payload is to type “Hello World” into Windows notepad, we must first figure out the best way to open that program using just the keyboard. On Windows there are a variety of ways to open notepad. On modern versions one may press the GUI or Windows key and begin typing “notepad” and pressing enter.

While this may suffice, our objective hasn’t specified the version we’re targeting – so we’ll want to use a technique with the widest possible support. Older versions of Windows don’t include the ability to search programs from the start menu just by typing. All versions since Windows 95 however include the keyboard combination Win+R. This powerful shortcut opens the Windows Run dialog, which states “Type the name of a program, folder, document or Internet resource, and Windows will open it for you.”

Since notepad.exe resides in c:windows by default, we could simple type “c:windowsnotepad.exe” then press enter and notepad would open. On most machines it only takes a brief moment for the small program to open, and when it does it will be the active window. Keep this in mind, because we will always be typing into the active window, and anytime we change a GUI element we must wait for the computer to respond. It may seem like notepad opens instantly to us humans, but to a computerized keyboard that types over 9000 characters per minute, that millisecond counts.

Finally, with notepad open we should be able to simple type the words “Hello World”.

From our target test machine, be it a Windows Virtual Machine or bare metal, test this theory by manually entering in what we’ll later instruct the USB Rubber Ducky payload to type. Does it work? Great! Let’s move on to writing the ducky script.


Since ducky script can be written in any standard ASCII text editor, open your favorite – be it gedit, nano, vi, emacs, or even notepad (how ironic in this case?). Don’t worry – I won’t judge you for using vim.

We’ll begin our payload with a remark, a comment stating what the payload does, it’s intended target and the author. This won’t be processed by our duck encoder later on, but it will be helpful if we ever share this payload with the community.

REM Type Hello World into Windows notepad. 
Target: Windows 95 and beyond. Author: Darren

Our next line should delay for at least one full second. The purpose of this delay is to allow the target computer to enumerate the USB Rubber Ducky as a keyboard and load the generic HID keyboard drivers. On much older machines, consider a slightly longer delay. In my experience no more than three seconds are necessary. This delay is important since the USB Rubber Ducky has the capability of injecting keystrokes as soon as it receives power from the bus, and while USB is capable of receiving the keystroke frames, the operating system may not be ready to process them. Try plugging in a USB keyboard into any computer while jamming on the keys and you’ll notice a moment is necessary before any interaction begins.

DELAY 1000

Next we’ll issue our favorite keyboard combination, Windows key + R to bring up the Run dialog.


Typically the Run dialog appears near instantly to us humans, however to a USB Rubber Ducky with a clock speed of 60,000 cycles per second, that instant is an eternity. For this reason we’ll need to issue a short delay – perhaps just one tenth of a second.


Now with the Run dialog as the active window we’re ready to type our notepad command.

STRING c:windowsnotepad.exe

The STRING command processes the following characters case sensitive. Meaning STRING C will type a capital letter C. Obviously our keyboards don’t have separate keys for lowercase and capital letters, so our payload actually interprets this as a combination of both the SHIFT key and the letter c – just as you, the human, type. It’s nice to know that the STRING command handles this for you. It does not however end each line of text with a carriage return or enter key, so for that we’ll need to explicitly specify the key.


As before whenever a GUI element changes we’ll need to wait, albeit briefly, for the window to appear and take focus as the active window. Depending on the speed of the computer and the complexity of the program we’ll want to adjust the delay accordingly. In this example we’ll be extremely conservative and wait for a full second before typing.

DELAY 1000

Finally with notepad open and set as our active window we can finish off our ducky script with the historic words.

STRING Hello World

At this point our text file should look like the following:

REM Type Hello World into Windows notepad. Target: Windows 95 and beyond. Author: Darren
DELAY 1000
STRING c:windowsnotepad.exe
DELAY 1000
STRING Hello World

Save this text file as helloworld.txt in the same directory as the duck encoder.


While ducky script is a simple, human readable format easily modified and shared, it isn’t actually processed by the USB Rubber Ducky. Rather, the inject.bin is derived from it using an encoder. Being an open source project, there are many encoders available on most platform from a range of programming languages. There are even online encoders which will convert your ducky script to an inject.bin without installing any software. This post will cover the basics of encoding a ducky script into an inject.bin file ready for deployment on the USB Rubber Ducky.

Java Based Command Line Encoder

The standard encoder is a cross-platform java command line tool. It has been greatly enhanced by the community, with many contributions from user midnitesnake. Download it from the resources section of usbrubberducky.com and save it in a convenient directory along with your helloworld.txt ducky script from the previous step. The Java runtime environment is required in order to run the duckencoder.jar file. If Java isn’t already installed, it can be found for most operating systems from java.com/download.

From a command prompt, navigate to this directory and run the jar file with java.

java -jar duckencoder.jar

The usage, arguments and script commands will display. The standard usage is to specify an input file, and output file and optionally a language. Encode the helloworld.txt into an inject.bin with the following:

java -jar duckencoder.jar -i helloworld.txt -o inject.bin

Java Based Graphical Encoder

As an alternative to the standard command line encoder, a java-based encoder and editor with syntax highlighting is available from usbrubberducky.com courtesy of community member Moritz. The source is available from his git repo at https://github.com/moritzgloeckl/duckygui

Start the Ducky_Encoder_GUI.jar either by double clicking the file from your operating system’s file browser, or issuing the command:

java -jar Ducky_Encoder_GUI.jar

From the GUI, select helloworld.txt as the the input file (or paste the contents into the editor), specify a layout language and an output directory and filename inject.bin, then click Export bin.

Online Encoder

Community member James Hall has developed a very convenient online encoder at


This site is also home to a payload generator and links to DuckTools, a Python-based encoder and library. Using the online encoder, you’re able to paste the ducky script into the editor, select the language and click Generate Script.

You’ll be given links to download the corresponding ducky script text file as well as the encoded inject.bin file.


With the ducky script encoded into an inject.bin file, we’re ready to test the payload. Copy the inject.bin file to the root of the Micro SD card. Insert the Micro SD card into the USB Rubber Ducky. Now sneak up to the target test machine and plug in the USB Rubber Ducky.

The first time you ever plug the USB Rubber Ducky into a computer it will take a moment, typically just a second, to enumerate it as a HID keyboard and load the generic drivers. For this reason we’ve added a one second delay to the beginning of our payload. If the test is not successful on the first attempt, it may be because the target test machine has not yet successfully loaded the generic keyboard drivers. To replay the payload, press the button or unplug and replug the USB Rubber Ducky. This test payload should be successful against all recent version of Windows.

If the test were unsuccessful, note where things went awry and tweak the ducky script accordingly. Re-encode the inject.bin file, copy it to the Micro SD card (replacing the current file) and re-test.

Lather, rinse, repeat as necessary.


With our Hello World payload successfully running against our target test machine, we’re ready to optimize, and optionally obfuscate. This process is covered in greater detail later. Suffice it to say, in this example we can speed up the payload by reducing the number of keystrokes quite easily. Since notepad is an executable we may omit the .exe part of the STRING command. Likewise, since notepad by default resides in a path directory (c:windows) we can also omit this part of the STRING command as well. Our new STRING command should be the following:

STRING notepad

At this point we’ve successfully researched, written, encoded, tested and optimized our simple “Hello World” payload. It’s now ready for deployment! Go forth and duck ‘em!

Source: Security news

Source: Zologic

The Ducking Workflow – USB Rubber Ducky 101

Whether you’re auditing an ATM, esoteric cash register system, an electronic safe, specialized kiosk or an ordinary Windows PC – the workflow will be similar.


Pre-engagement Interactions

As with any audit, pre-engagement interactions may help determine the hardware, software and network environment of the target. Asking detailed questions about the environment before the engagement begins will save time down the line.



Regardless of what information is provided in the pre-engagement interactions, it’s always good to double check with reconnaissance. Either in person or online, seek to determine the software and hardware being used by the organization before going in. Since the USB Rubber Ducky will only act as a simple pre-programmed keyboard, a payload written for one system may be useless when deployed against another. Utilize the best social engineering and open source intelligence gathering techniques to determine the state of the environment.



Once you’ve performed your recon, you’ll likely be able to pick out a key target. Perhaps it’s an often unattended kiosk or workstation, a computer connected to a segmented part of the network, or a machine with high level access.



With this target in mind, research the operating system of the machine, it’s installed software and network access. If possible, obtain similar hardware or emulate the target in a virtual machine. For instance, if the target is a slow thin client running an old version of Windows as a domain member running specialized banking software, try to match the target as closely as possible with bare metal or virtual machines.



Begin writing your payload by first manually typing into the target test machine, making careful notes of which keystroke combinations and delays succeed at accomplishing your objective. It is only after you can successfully reproduce your desired outcome manually that you should move on to writing the corresponding USB Rubber Ducky payload to automate the task.


Carefully mind any necessary delays in the ducky script, especially when interacting with GUI elements. The target computer’s CPU speed will play an important role in determining how long to delay between input. If you know that your target is a high-end modern machine you may craft a quicker payload with less delays. On the other hand, if the target is an old and slow machine, you’ll need to be much more conservative on your delays.


Remember, the USB Rubber Ducky does not receive interaction back from the computer, such as the active window. If for instance you script a payload to launch a command prompt and begin typing, be sure to delay long enough for the command prompt to appear before injecting your command prompt keystrokes.



Once your human-readable ducky script has been written, it’s ready to be converted into a USB Rubber Ducky compatible inject.bin file. Using one of the many duck encoders, specify the ducky script text file as the input and the inject.bin file as your output. Copy this inject.bin file to the root of the Micro SD card.


Depending on your target’s keyboard layout, you may need to specify a language file. This is because different regions use different keymaps. For instance, a computer with a United States layout will interpret SHIFT+3 as the octothorpe / hash / pound symbol (#). A computer with a United Kingdom layout will interpret the same keyboard combination as the symbol for Great Britain Pound / Pound Sterling (£).



With the Micro SD card loaded with the newly created inject.bin file, it’s time to test the payload. Insert the Micro SD card into the USB Rubber Ducky and connect it to the target test machine. Note where the payload succeeds and where it does not. You may need to write, encode and test several times in order to develop a stable, reliable payload. Using a virtual machine for the target test machine is very handy in this regard, as snapshots can be restored after each payload test. Moreover, virtual machines may be more easily customized in order to match the speed of the actual target.



Once the payload has been successfully tested and provides the auditor with the desired outcome, it’s time to begin optimization. This may be done to shave off a few seconds from the delivery, or to obfuscate the payload in some way. It’s only after a payload has been successfully developed that optimization should be done, and similar to the initial development, testing should be done at every step to ensure reliable deployment.


If it’s speed you’re after in a payload, be careful not to tweak the delays too low. Just because you’re able to reliably reproduce the attack against your target test machine, doesn’t mean the real target will be as receptive – especially if background tasks are eating up CPU resources. Often it’s the reduction of keystrokes and steps necessary to achieve the goal that’s most effective in optimizing a payload, such as reducing it to a single line of powershell or similar.



With the payload written, tested and optimized, you’re finally ready to deploy it against the target. This is where strategies can vary wildly. One scenario may be to social engineer the target machine’s operator into plugging the USB Rubber Ducky in for you. Another may be to obtain unobserved physical access to the target with a partner or other distraction. Get creative!


As with most things in computing, two is one – one is none. Have a backup. It would be a shame to spend valuable resources gaining access to a secure facility only to have the initial payload fail. Having a less optimized, yet more reliable payload ready to go on another USB Rubber Ducky can make all the difference on an engagement.


Finally, consider a decoy, either as part of your social engineering strategy or in case you get caught. For instance, if you’re attempting to deploy an extremely quick one-line powershell reverse shell against a target Windows PC by pleading the user into printing a document from your USB drive for you – it may seem odd if there are no actual files on the “drive”. Having a similar looking real USB flash drive loaded with a benign document will lower suspicion and make your story seem more legitimate.

Source: Security news

Source: Zologic