bad USBs are SCARY!! (build one with a Raspberry Pi Pico for $8)

Question for you: what does this look like to you? It's a USB flash drive, right? That's what most people think when they see something like this, and honestly, they're usually right. But that is what makes this thing one of the most dangerous devices in hacking, because this is not a USB flash drive. This is what's called a bad USB. It's designed by hackers to hack the computer it's plugged into. This thing's crazy, man. It's incredibly dangerous, it's shockingly effective. Like, you want to see it real quick? Watch this. Got my craptop here. I'm gonna hack my craptop. This is crazy, watch this. I'm just going to plug the USB in and then hands off, I'm not doing anything. Watch, look. [Music] What's that? Oh, it's disabling Windows Defender. Okay, boom. Okay, disable Windows Defender. That's crazy. Again, no hands. Look ma, no hands! [Music] So, switch my other screen here: I got a reverse shell into this computer, all from just plugging in a USB. How crazy is that?

Now, this is more of a prank than a hack, but it's pretty bad. Watch this. This is crazy. And what's bad is you can't change the volume, you can't lower it, can't mute it, and there's nothing open to, like, stop playing it. Unplug it, it's still going. So you can do a seriously mean rickroll to someone at the office. That's pretty awesome. Now, if you saw that and didn't want to try it, you're crazy, leave the video now. But if you do want to try it, good, I'm going to show you how to do this right now. And shout out to Dashlane for sponsoring this video. They are what I use in my business to organize my passwords, keep things safe and secure. We'll talk more about them here later.

Now, to do this you will need a bad USB. The one I'm using is the USB Rubber Ducky from Hak5. This is what I recommend, but they do run about 45 dollars, which is kind of pricey. So you know what you can use? I almost dropped it, so small. You can use this. This super tiny computing device is the Raspberry Pi Pico. This sucker will run you about five dollars, which is awesome, and I'll show you how
to set this up to be a bad USB. So if you want to get one of these, check the link below. It's only five bucks. And then, of course, for anything hacking or IT, you're gonna need some coffee, so get you some. [Music] Oh yeah, I almost forgot: I'm gonna give away two of these USB Rubber Duckies. Link below for that contest.

Now, before I show you how to use this insanely dangerous device (and it's super easy, by the way), I want to talk about how it actually works, why is it so effective and why is it so dangerous. And also, later in this video, I do want to show you how to defend against this. Most computers have a USB port, which means most computers are not immune to this attack, so I'll show you a few ways to defend you, your family and your company from attacks like this.

Now, how this bad USB works is actually crazy simple. All it does is pretend to be a keyboard. That's it, that's all it does. Now, typically, when you plug in a USB flash drive like this into a computer, the computer's like, "Oh, that's a mass storage device, that's where you store pictures and files and stuff." But not the bad USB. The bad USB, when you plug it in, it's recognized as an HID device, which stands for human interface device. So when I plug in a normal flash drive like this, it's recognized as a USB mass storage device and it shows up in your Finder, so you can do stuff, throw stuff on it. But when I plug in my USB Rubber Ducky here, my bad USB, that's gonna be a human interface device. There it is, right there. I'm not gonna let it finish. An HID device is stuff like this: your keyboard, your mouse, things that a human will use to interact with a computer. And inherently, by default, the computer will trust a human. It's going to trust when you plug in a USB keyboard, a USB mouse. Can you see why that's insanely dangerous? Because the computer thinks that this is a human, and by default will trust it. It's crazy.

Now, even crazier, check this out. The other reason why this is scary, scary effective is because it can type a lot faster than
a human. For example, I can type about 50 to 75 words per minute on a good day, I think. I haven't tested in a while. This sucker can do 1,000 words per minute, which means that when you plug the sucker in, it does its dirty work before you even realize what's happening, because it's typing so fast. Like, think about that: if you left your computer open, right, and you walked away, a hacker could come in, sit down and start typing away, but that would be significantly slower than just someone plugging this into your computer. Bam, that's an extremely fast typing hacker, and you're done.

Now, also why this is dangerous is that it doesn't have to be a hacker plugging this in, right? All you have to do is leave a USB flash drive laying around in the parking lot or on someone's desk, and you know, people are curious. They're gonna go, "Huh, a USB flash drive. I wonder what's on here. Let's find out, let's plug the sucker in." And it's too late. Like, once it's plugged in, you're, you're done. It does it so quickly, you buy and most of the time you don't notice, unless you're pranking them with a rickroll, which they're freaking gonna notice, and they can't stop it. Yeah, unless they're an IT person, they will not know how to stop that.

Okay, enough theory, let's start playing with our bad USBs. Now, I am going to cover how to do the USB Rubber Ducky, but first I want to show you how to set up the Raspberry Pi Pico as a bad USB. It's super simple, don't worry. And by the way, this thing, again, is freaking amazing. It can do so much more than what we're about to do with it, but this is such a cool use case, seriously. Okay, anyways, here we go. I've got links below in the description. We're gonna navigate to this GitHub page right here. It's a project by dbisu, which, they're awesome. They did this amazing project called pico-ducky to turn this into a USB Rubber Ducky. In fact, it will work the exact same way, using the exact same scripting. We'll show you how to do that here in a moment. But here is all we have to do. But right here, where
it says "Download CircuitPython for the Pico board", so go ahead and click on this link. I'll do that right now. And then click on "Download .UF2" right there. With CircuitPython downloaded, now we're going to plug in our Raspberry Pi Pico with a USB cable. Just plug that guy in, he'll come up, it'll say like RPI-RP2. He'll show up as a mass storage device right here. We'll jump in there, and then we'll take that CircuitPython file and just drag him over there. Boom. It's going to actually copy over and then disconnect the Raspberry Pi Pico, and it'll reconnect as CircuitPython. Really simple. Bam, he's now CircuitPython. So cool. So now when you go back to your Finder, you'll see CircuitPython right here.

Now for step two, let's get back to our GitHub page. In order for our Raspberry Pi Pico to pretend to be a keyboard or a mouse, an HID device, we got to download the HID library for him. Very simple. Here on the GitHub page we got this link right here. Go ahead and click on that, and we'll scroll down to where we see the Adafruit CircuitPython bundle 6.x right here. Go ahead and download that. It's fairly small. So once you have that downloaded, we're going to open that sucker up. And we don't have much waiting here, everything's so quick, so I went to coffee break right now. You can do it with me if you want. Boom, ready to go. More hacking fuel, let's go. And, uh, unzip, extract that folder. This will take a while. Hey, coffee break! I'm okay for another coffee break. Here we go. By the way, if you love Raspberry Pis like I do, check out this mug. You can pick the sucker up at networkchuck.com, as well as this shirt. Anyways, it's still going. Come on, man. It is done.

All right, so I'm going to jump into that extracted folder, and then I'm going to jump into the lib directory right there. Go ahead and jump in there. A lot of stuff going on here. We're gonna take one folder from this directory right here. It'll say adafruit_hid. HID, to make it a keyboard, make it a hacking device. So I'm gonna select that folder, copy
it, go to my Finder and jump into my CircuitPython, jump into his lib folder and paste it right there. So now he has the HID library.

Now, real quick, how this Raspberry Pi Pico works with CircuitPython is: when it's first plugged in, it'll actually run this Python code right here, code.py. So whatever you've coded there, it's going to run that script. Now, the script we want to run is a special USB Rubber Ducky script from our good old buddy dbisu here. So I'm going to scroll up a bit here, and there's the script, duckyinpython.py. Go ahead and click on that, and here's the script. It's very, very impressive. It basically converts DuckyScript to be able to be used in Python. We'll explain DuckyScript when we talk about this here in a moment. But anyways, we can just go back once more, and at the top here where it says "Code", click on that and say "Download ZIP". We're going to download everything he's got here. Go and open that zip file, extract it, extract all, open that bad boy, and inside there we'll have our duckyinpython.py. All we're going to do here is copy that Python script and paste it to our CircuitPython, just the root directory right here. Paste. Now, one crucial step here: what we're going to do is delete that code.py and then rename our duckyinpython.py to code.py. Bam.

Now, at this point the Raspberry Pi Pico is a bad USB. All we have to do now is upload our custom Ducky scripts to make it do some bad stuff, like, I don't know, rickrolling someone, or doing a reverse shell, or even stealing passwords like we saw on Mr. Robot. Yeah, the Rubber Ducky is actually featured on an episode of Mr. Robot, which makes it even cooler, right? Now, did I mention that this USB Rubber Ducky is really good at stealing passwords? Yeah, yeah, it's stinking hiss. Which brings me to the sponsor of this video, Dashlane, a fantastic password manager that I actually use for my business. I require all my employees and myself to use Dashlane to manage our passwords. Why? Well, because we can create a different
password for every account and easily manage it in one interface. It also makes sure that we change our password on a regular basis, and it will scan the dark web to make sure that our passwords aren't on some marketplace where they're being sold, which does happen, guys. Happens all the stinkin' time. I also love how Dashlane handles two-factor authentication, which, again, another security thing you absolutely want to have. Everything you can get two-factor authentication on, get it, and Dashlane's a fantastic way to do that. I can easily link my two-factor authentication codes right to my passwords for my websites and whatever else I want to log into. Super safe and secure and awesome. And I use it on every device, from my Windows PC to my Mac to my phone to my browser, just to everything. So nowadays this is a bare minimum to protect yourself. You've got to use something like a password manager, and Dashlane is the one I recommend. I also use Dashlane to help me buy stuff. I store my credit cards safely and securely inside Dashlane, and when I go to checkout at different sites, bam, the information is right there. Just click it and go. Two-step checkout. I can't tell you how much I actually use that feature. So if you find this as helpful as I do, you can try out Dashlane for free on your first device over at dashlane.com/networkchuck, and if you do want to upgrade to premium, you can use my code networkchuck and get 50 off. So yeah, give it a try.

So at this point in our tutorial we can kind of start working on these at the same time, because this guy, the USB Rubber Ducky, he already has all this code built in. He's already set. So right now they're on the same level. Now, what I'm going to walk you through real quick is how to set up the rickroll bad USB attack, which is super fun. You got to do it to somebody. So here we go. There's a handy place out on the internet that has a ton of Rubber Ducky scripts. It's out here on GitHub, and look at this, this is amazing. Just a ton of scripts you
can try out. And let me find a simple one to talk about how it works. Like this one, how to disable Windows Defender. It's crazy simple what it does. Darren Kitchen from Hak5 is the one who designed DuckyScript, and all it is is commands that help you simulate a keyboard. So for example, we've got DELAY, that'll just delay, wait. Then we have the control key, escape. We can enter STRING, so it'll say STRING and actually type in this word like you're typing in on the keyboard, or this sentence. The ENTER key. You can TAB. So as we saw from our example earlier, that's all that was happening: we had a script that was just simulating keystrokes, movements through the GUI. We knew how to get there, we just had to program it in this DuckyScript. How cool is that? And that's where it becomes really fun, because really, you can do anything. It's up to your imagination. It can also get pretty dang complicated, like the rickroll thing. That's actually pretty complex. If I go back to that real quick, actually, or if I go to... I haven't shown it to you yet. Here it is, rickroll. This thing's doing a lot. It's actually setting up a VBS script and running hidden so you can't find it.

So now, how do we do this? So let's talk about the USB Rubber Ducky first. So this guy, I'm gonna undo him real quick, take off his armor, his disguise, and here inside of it we have a micro SD card. Just take that sucker out. This is where we're going to store our script, our Ducky script. And the Rubber Ducky will come with a handy micro SD card reader USB. Just plug that sucker into your computer and it should come up as a mass storage device. Go ahead and open that sucker, and there'll be one file in there. Similar to the Raspberry Pi Pico, when you plug this sucker in, it's going to launch this inject.bin file, which is the Rubber Ducky script you're going to load up there. But first we have to prep the script. I've got a link below to a GUI tool that you can use to encode. It's just going to be an HTML file. I'll open that right here,
and all you'll do is paste in the script in this script editor. So for example, our rickroll right here: we're going to copy all that code, all that script, paste it right here, and then, to get it ready to put it on the USB Rubber Ducky, we're going to click on "Generate Payload" right here. So, generate payload. It gives you a "whoo". And then we'll scroll down and download the payload. Click on download. You'll see that it does download as inject.bin, and all we'll simply do is copy that, go to our USB Rubber Ducky and paste that in there, saying yeah, we want to replace that file. That's simple. To keep in mind: with the USB Rubber Ducky you do have to encode it using this really simple Ducky encoder. So put your script in here, generate the payload, and you're solid. Then you just take the flash drive out, slide that micro SD card back into your naked duck here (that's weird, naked duck), and it's all set. I can do is plug it in now. That's simple.

For the Raspberry Pi Pico, you actually don't have to encode anything, which is kind of cool. For the Pico, all we're going to do is copy the script, open up Notepad or something, any kind of text editor, paste all the junk in there, and we're going to do a File, Save As, change it to "All Files". I'll name it payload.dd. And then, just like the USB Rubber Ducky, we'll take that payload.dd, copy that, go to our CircuitPython drive here and then just paste it here. Now be careful, because, um, this will run the second you put it on there. So I'm gonna go ahead and do it. Just gonna paste that sucker on there, and then I'm gonna unplug it so it doesn't have a chance to run. So when you plug this Raspberry Pi Pico in, it's going to execute that Python script and immediately launch your Ducky script and start working. Let's try it out. So here we go. I'm going to take my USB cord here. And by the way, this is one downside of the Raspberry Pi Pico: it's not as covert or flash-drivey as the USB Rubber Ducky. Now, I'm sure you could custom print something and do some soldering to make
it look better, but you can still have the same look and feel. Just have a cord, no big deal. So as I plug the sucker in, this should do the rickroll. The other downside is it does show up as a mass storage device as well as an HID device. But notice, it's doing the same thing. Super freaking cool, and it's only five bucks. I mean, this is such an amazing... I love Raspberry Pi stuff, man. Yes.

Now, yeah, another downside to going with the Pico instead of going with the USB Rubber Ducky: um, it's kind of hard to edit your script when you already have one on there, because, like I said, when you plug the sucker into your computer, even just to edit the script, it's still going to launch that Python script and start to play, to do whatever attack you have, and you may not want to attack yourself. But there is a workaround. It's not as simple, but it still works. What this basically involves is factory resetting your Raspberry Pi Pico and reloading everything again like we already did in our steps. All we're going to do is, um, on the Raspberry Pi Pico there's a button that says BOOTSEL, or boot select. You're going to hold that down as you plug in your USB. When you do that, it'll load up like it did when we first plugged it in. It says RPI-RP2. Here we can actually obliterate it with a script called nuke unless that script is firmware. I'll have that in the link below. This is called flash_nuke. I'm just going to copy that, paste it on the RPI-RP2, and once you paste it on there, it'll do the same thing as CircuitPython: it's just going to erase everything and bring it back up, and now it has nothing on it. So if I were to unplug it, plug it back in, it no longer has CircuitPython on it. You'll have to go through the steps of setting it up again, which isn't that bad. Like, it took like three seconds, right? Maybe five.

So yeah, two very dangerous and extremely effective devices: a USB Rubber Ducky and a Raspberry Pi Pico. You can look at the scripts here and do some pretty insane stuff, and it's not just Windows, man. OS
X, you can do stuff on Linux. Really, again, it's an HID device. You can mimic keyboard input, mouse input, and you can do whatever you stinkin' want. Really, if you can do it on a keyboard, you can do it with this.

Now, time for the big question: how do you protect yourself against a device like this? Because what hackers will do with these bad USBs is they will leave them in parking lots, leave them just around, hoping that someone will pick it up and plug it into their computer, which people do. I mean, again, people are just curious. So the best thing you can do is to encourage your people: hey, don't plug in USB flash drives that you don't know what they are. If you found one, don't plug that sucker in. Don't plug in random USB crap into your computer, because it could hack you in seconds. And sure, it might be a harmless rickroll, or it could be, I don't know, stealing and exfiltrating all of your data on your computer. That can happen. It could download malware. It can do anything, literally anything, because it's pretending to be you, and it's faster and smarter than you, so you're screwed. So just don't plug crap into your computer.

Also, hey, when you leave your computer, lock that sucker. Never leave your computer just open, because, first of all, you'll leave yourself open to pranks from your co-workers, but also, if your computer is open, then this is where a USB Rubber Ducky shines, because, again, it can just mimic all of your actions on that computer. But if your computer is locked and requires a password to log in, most likely this guy doesn't know your password, so when it plugs in, it's going to be, "I'm screwed, I can't log in." So right there, it's defeated. So don't plug crap into your computer, and always lock your computer when you walk away. Always. Windows key + L, let's do it.

Now, those methods I just mentioned require the user to be educated and to protect themselves all the time, which, we know human error is going to be a factor in that all the time. So another way you can protect your company, yourself and
your friends, your family from something like this is to enable password authentication for administrative access. What does that mean? All it means, and you saw in the script, and I'll go and play the video right here, but most the time when it's trying to run something, it has to run it as an administrator, which requires a pop-up saying, "Hey, do you want to run this as an administrator?" and you have to say yes. Now, by default it's just a simple click "Yes" for most people. What you can do is change that to where it requires a password whenever you do that. If you're a system admin for a company, this will be best done through Group Policy, making registry changes across all your devices. I've got that on my daughter's computer right now. But you can also edit your registry on your computer. Now, be very careful: editing the registry is a dangerous thing. You never want to do that without knowing what you're doing. Now, doing this, you're going to kind of know what you're doing, because I'm walking you through it.

To access the registry, we'll type in Windows key + S (which, again, the hacker could do with USB anyways), you'll type in regedit. It's going to open up your Registry Editor. From here we're going to go to HKEY_LOCAL_MACHINE, SOFTWARE, Microsoft. And if you're wondering what the chunk this is, this is where a lot of your settings are held and configured and made in the registry. You're kind of looking at the behind the scenes, behind the curtain of how your Windows computer works. Then you go to Windows (and I'll have this link below, and I'll throw it up on the screen right now), then CurrentVersion, Policies (I know it's a lot), and then finally System. And here's a bunch of registry entries. What I want to change right here is the ConsentPromptBehaviorAdmin. Go ahead and open that. Right now the data value is five. You want to change that to one, which will enable that prompt and require you to put a password in instead of just having a yes or no toggle. Then you'll click OK to save that. I'm not gonna save mine, I
don't care about that right now. Again, as an admin you can make that change across the board through Group Policy in your company, and you should do stuff like that. Also, not giving your users administrative access on their own machines is another way you can prevent this, because a lot of the attacks this USB Rubber Ducky does require administrative access on the computer. If the user doesn't have administrative access, then this guy is rendered useless. So using a lot of best practices like the principle of least privilege is essential.

Now, there are some other fun ways. Like, you can actually do a physical protection against USB devices. You can actually use this little device that'll lock USB ports. You could also go as far as disabling USB ports altogether through some policies. You can use software that does this. But that does make your computer very, very inconvenient to use, because we often use our USB ports for everything, from plugging in keyboards, mice and USB flash drives. Again, a huge reason why this is so insanely effective, because we use this for things all the time, every day. Crazy how this can just mess you up.

So yeah, bad USBs are pretty stinking bad, but they're also incredibly fun, so I encourage you to get one and play with it. So yeah, USB Rubber Ducky, again, I'm giving away two, so if you want to snag one of these, contest link below in the description. Or just get one, 45 bucks. Or get a Raspberry Pi Pico, five dollars. Not as cool as this, but it does do the job, and for five bucks, why not? You can also do other stuff with these things. So again, link below if you want to pick one of these up. Yeah, that's about it. Let me know what you think of the video in the comments below. Let me know if you have done some cool stuff with USB Rubber Duckies. And don't forget to hack that YouTube algorithm: like, comment, notification bell, subscribe. Is that everything? Yeah, that's everything. Yeah, that's about it. I'll catch you guys next time. [Music]
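
The registry change described near the end of the transcript (ConsentPromptBehaviorAdmin from 5 to 1 under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System), as an added PowerShell audit script that is not part of the video or its transcript. The `-Fix` switch, the `Get-UacReport` helper and the inclusion of `EnableLUA` and `PromptOnSecureDesktop` in the baseline are this example's own assumptions; only the ConsentPromptBehaviorAdmin value comes from the video.

```powershell
# Added example (not from the video): audit the UAC elevation-prompt settings.
# Read-only unless -Fix is given; -Fix must be run from an elevated session.
[CmdletBinding()]
param([switch]$Fix)   # -Fix is this script's own switch (assumption of the example)

$path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meaning of each ConsentPromptBehaviorAdmin value.
$adminPrompt = @{
    0 = 'elevate without prompting'
    1 = 'prompt for credentials on the secure desktop'
    2 = 'prompt for consent on the secure desktop'
    3 = 'prompt for credentials'
    4 = 'prompt for consent'
    5 = 'prompt for consent for non-Windows binaries (Windows default)'
}

# Baseline assumed by this example. The video only changes
# ConsentPromptBehaviorAdmin (5 -> 1); the other two values are added here
# because the credential prompt depends on UAC being on and is harder for
# injected keystrokes to reach when shown on the secure desktop.
$baseline = [ordered]@{
    EnableLUA                  = 1
    ConsentPromptBehaviorAdmin = 1
    PromptOnSecureDesktop      = 1
}

function Get-UacReport {
    # Compare each baseline value with what is in the registry right now.
    $current = Get-ItemProperty -Path $path
    foreach ($name in $baseline.Keys) {
        $value = $current.$name          # $null when the value is not set
        [pscustomobject]@{
            Setting  = $name
            Current  = $value
            Expected = $baseline[$name]
            Ok       = ($value -eq $baseline[$name])
        }
    }
}

$report = @(Get-UacReport)
$report | Format-Table -AutoSize

$admin = ($report | Where-Object Setting -eq 'ConsentPromptBehaviorAdmin').Current
if ($null -ne $admin) {
    "Admin elevation prompt: $($adminPrompt[[int]$admin])"
}

# Least privilege: S-1-5-32-544 is the built-in Administrators group. It is
# listed by whoami even when the current token is not elevated.
$inAdmins = [bool]((whoami.exe /groups) -match 'S-1-5-32-544')
"Current user is a member of local Administrators: $inAdmins"

if ($Fix) {
    foreach ($row in ($report | Where-Object { -not $_.Ok })) {
        Set-ItemProperty -Path $path -Name $row.Setting -Value $row.Expected -Type DWord
        "Set $($row.Setting) to $($row.Expected)"
    }
    # A change to EnableLUA only takes effect after a restart, and on
    # domain-joined machines Group Policy overwrites local edits.
    Get-UacReport | Format-Table -AutoSize
}
```
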
Info
Channel: NetworkChuck
Views: 632,111
Keywords: usb rubber ducky, bad usb, badusb, raspberry pi pico, raspberry pi, hacker usb, hacking usb, bad usb flash drive
Id: e_f9p-_JWZw
Length: 21min 2sec (1262 seconds)
Published: Fri Aug 20 2021