WEBVTT

00:00:00.060 --> 00:00:08.180
while this may look like a perfectly ordinary USB drive it is actually a tool

00:00:05.520 --> 00:00:08.180
of chaos

00:00:12.059 --> 00:00:14.540
right

00:00:17.940 --> 00:00:26.220
it's known as the Hak5 Rubber Ducky and while it can be used to perform

00:00:23.460 --> 00:00:31.320
silly pranks or to automate mundane office work it can also be used for

00:00:28.800 --> 00:00:35.640
highly illegal cyber crime this ingenious little device here

00:00:33.300 --> 00:00:41.100
contains hardware that can be used to grab passwords open back doors for

00:00:38.340 --> 00:00:46.440
ransomware or even delete entire file systems in a matter of seconds

00:00:43.800 --> 00:00:50.760
but rather than ignore it hoping that aspiring ne'er-do-wells will remain

00:00:48.360 --> 00:00:55.800
ignorant of its existence we are going to show all of you how it works

00:00:52.860 --> 00:00:59.640
demonstrate some of what it can do and give you the knowledge that you need to

00:00:57.420 --> 00:01:03.780
protect yourself from USB bandits looking to compromise your precious data

00:01:01.860 --> 00:01:08.580
you know what else we're gonna do tell you about our sponsor Build Redux Build

00:01:06.540 --> 00:01:11.820
Redux makes it easy to configure your new build with support guides to help

00:01:10.260 --> 00:01:15.060
along the way they also offer competitive pricing as compared to

00:01:13.380 --> 00:01:20.840
building a PC yourself head to build redux.com Linus and start your new build

00:01:18.000 --> 00:01:20.840
today

00:01:28.380 --> 00:01:35.040
the Rubber Ducky has existed for over a decade becoming a favorite tool of both

00:01:32.460 --> 00:01:40.560
real world hackers and IT professionals alike and it's been featured on TV shows

00:01:37.439 --> 00:01:41.880
like Mr. Robot and Sesame Street are you

00:01:40.560 --> 00:01:47.280
sure about that last one well it's definitely Mr. Robot at least I'm doing a

00:01:43.979 --> 00:01:49.860
hacking with my rubber ducky USB

00:01:47.280 --> 00:01:56.100
and what makes the Rubber Ducky so insidious is that compared to media

00:01:52.439 --> 00:01:58.200
portrayals of hacking devices as full-on

00:01:56.100 --> 00:02:03.000
computer systems that can wreak havoc when connected to your network or

00:01:59.759 --> 00:02:06.960
gadgety looking keys that override

00:02:03.000 --> 00:02:11.340
decryption or authentication it looks

00:02:06.960 --> 00:02:13.620
perfectly mundane USB-A on one side USB-C

00:02:11.340 --> 00:02:17.520
with a little cap on the other it's the kind of thing that you might plug into

00:02:15.480 --> 00:02:21.660
your machine just to find out what it does

00:02:18.660 --> 00:02:24.840
second you do that it springs into

00:02:21.660 --> 00:02:27.239
action executing its payload and it

00:02:24.840 --> 00:02:33.660
bypasses many malware scanners by disguising itself to your PC or Mac or

00:02:31.080 --> 00:02:39.120
even your phone as a human interface device or keyboard I mean what virus

00:02:37.020 --> 00:02:43.739
scanner or firewall would think to check for a nefarious keyboard

00:02:41.400 --> 00:02:48.000
not all but actually more than you'd think it turns out Rubber Duckies do get

00:02:46.440 --> 00:02:54.180
detected by some of the higher end systems that know how to look for them

00:02:49.860 --> 00:02:56.519
or rather they did get detected earlier

00:02:54.180 --> 00:03:01.019
this year Hak5 released the Rubber Ducky 2.0 which included several

00:02:58.980 --> 00:03:04.620
features that make detection attempts now flow off it like water off a duck's

00:03:03.900 --> 00:03:09.239
back previously Rubber Ducky payloads or

00:03:07.379 --> 00:03:14.220
programs if you want to call them that had to be tailored to their specific

00:03:11.340 --> 00:03:18.599
target for example a payload meant to run on Windows 7 might not work on

00:03:16.620 --> 00:03:25.019
Windows 11 and certainly wouldn't work on macOS but this latest iteration can

00:03:22.260 --> 00:03:29.940
detect the operating system detect when the device is set up and can even copy

00:03:27.900 --> 00:03:34.620
hardware information from an already attached keyboard and spoof it to

00:03:32.760 --> 00:03:39.780
confuse any would-be security measures it can't even be detected by its input

00:03:37.379 --> 00:03:44.819
rate because it's limited by default to the speed of an extremely fast yet still

00:03:42.299 --> 00:03:49.459
believable human meaning it has the same level of system privilege as the logged

00:03:47.519 --> 00:03:53.340
in user terrifying and while a bit of

00:03:51.659 --> 00:03:57.239
programming skill is beneficial to make the most of the Rubber Ducky I suspect

00:03:55.319 --> 00:04:02.340
the average enthusiast could pick it up pretty quickly the manual is just 32

00:03:59.940 --> 00:04:06.180
pages and fits into the average pen or shirt pocket kind of like the kind you'd

00:04:04.200 --> 00:04:11.700
find on our excellent Workshop jacket available at lttstore.com ducky code is

00:04:09.420 --> 00:04:17.400
written in DuckyScript a proprietary language from Hak5 and simple commands

00:04:14.519 --> 00:04:23.160
are simple to write Attack Mode lets you set the device into HID and or storage

00:04:20.280 --> 00:04:27.419
mode string is used to type out letters delay is used to make the device wait

00:04:25.380 --> 00:04:32.340
for a number of milliseconds perhaps for a program to launch and most other key

00:04:30.479 --> 00:04:36.840
presses or combinations are achieved by simply putting the name of the key onto

00:04:34.380 --> 00:04:40.380
a line so here's the Konami Code written in DuckyScript once you're done

00:04:38.820 --> 00:04:44.759
building your instructions they can be compiled into a ready-to-use payload

00:04:42.419 --> 00:04:48.780
using Payload Studio it will highlight syntax mark potential errors and give

00:04:47.160 --> 00:04:52.740
you suggestions for auto completion while you're typing

00:04:50.280 --> 00:04:57.120
automating simple keyboard inputs is only so useful though the command line

00:04:54.840 --> 00:05:03.780
is what really turns the target system into one big ducky puddle playground

00:04:59.840 --> 00:05:05.940
there it can write and run code to turn

00:05:03.780 --> 00:05:10.380
the volume all the way up open 20 new Chrome windows with the same YouTube

00:05:07.440 --> 00:05:15.900
video over and over and over again or put a little dancing duck on the screen

00:05:13.080 --> 00:05:20.220
truly groundbreaking stuff to show you a real world use case we wrote a payload

00:05:17.820 --> 00:05:25.860
to set up a new PC for benchmarking it installs Chrome 7-Zip and Steam pauses

00:05:23.520 --> 00:05:29.940
to allow for login and then proceeds to install many of the games we typically

00:05:27.600 --> 00:05:34.620
run with markbench and this use case is notable because it's actually the reason

00:05:32.100 --> 00:05:39.360
that Hak5 founder Darren Kitchen built the Ducky in the first place to make

00:05:36.539 --> 00:05:45.120
repetitive tasks like fixing printers or network shares faster and easier

00:05:42.539 --> 00:05:49.560
but enough about its intended purpose let's talk about how it can be used to

00:05:47.580 --> 00:05:53.360
get around doors and locks that were meant to stay closed

00:06:01.380 --> 00:06:06.600
all it takes is one user performing one

00:06:04.800 --> 00:06:11.940
careless action to compromise the system and it only takes one compromised system

00:06:09.120 --> 00:06:16.380
to compromise an entire network common practice for troublemakers

00:06:13.740 --> 00:06:21.900
looking to access a specific network is to invest in a small flock of duckies or

00:06:19.199 --> 00:06:27.600
similar devices those waterfowl get configured with a malicious payload then

00:06:24.180 --> 00:06:30.600
they get taken out to sea to go whaling

00:06:27.600 --> 00:06:32.819
whaling is a type of phishing attack that

00:06:30.600 --> 00:06:37.800
specifically targets a wealthy or a powerful person a whale and any city's

00:06:36.060 --> 00:06:43.139
business district is full of such aquatic mammals like executives

00:06:40.400 --> 00:06:48.300
politicians or celebrities who have predictable daily routines and might not

00:06:45.840 --> 00:06:53.340
know very much about computer security a few armed duckies then dropped into a

00:06:51.000 --> 00:06:57.780
parking lot or in the stairwell of an office building can be an extremely

00:06:55.319 --> 00:07:02.639
dangerous thing its capabilities are limited only by the creativity of the

00:06:59.699 --> 00:07:08.160
programmer and as you know there is no such thing as a perfect lock let's say

00:07:05.759 --> 00:07:13.860
for example a bad actor wanted to download data from a target system to a

00:07:10.740 --> 00:07:16.199
ducky device well many well-protected

00:07:13.860 --> 00:07:21.900
systems completely block external storage devices but there's a solution

00:07:18.960 --> 00:07:27.960
for that using a script that reads a target file then flashes the caps lock

00:07:25.080 --> 00:07:33.060
and number lock keys the duck can read those flashes as binary bits and then

00:07:30.720 --> 00:07:37.940
quack that loot directly onto its internal micro SD card

00:07:35.099 --> 00:07:43.080
the Ducky 2.0 isn't all powerful though seasoned programmers may find that DuckyScript

00:07:40.380 --> 00:07:47.639
3.0 lacks the same quality of life tools of typical languages among

00:07:45.840 --> 00:07:53.280
other common issues it's difficult to perform string concatenation for example

00:07:50.000 --> 00:07:55.560
and the ecosystem leaves a lot of room

00:07:53.280 --> 00:08:00.360
for improvement while lots of completed payloads can be found online and simply

00:07:57.780 --> 00:08:04.919
copied to your Rubber Ducky many of them require modifying the code yourself and

00:08:03.120 --> 00:08:09.479
lack the documentation that a novice user might need so if you didn't already

00:08:07.440 --> 00:08:13.319
understand most of the DuckyScript complaints that we scrolled through you

00:08:11.580 --> 00:08:18.720
could find yourself having issues early on the biggest issue though is running

00:08:16.020 --> 00:08:22.440
your code there's a light to indicate the status of any code that's running

00:08:20.220 --> 00:08:27.840
and there's a button that allows you to stop it midstream but there's not really

00:08:24.840 --> 00:08:29.400
a great way to test your payloads unless

00:08:27.840 --> 00:08:35.880
you have an extra machine that you don't mind doing whatever it is you're doing to and even

00:08:34.020 --> 00:08:40.560
if you're okay with that there's no guarantee that other systems will

00:08:37.620 --> 00:08:44.219
function exactly the same as yours it could even be something as simple as

00:08:41.940 --> 00:08:49.140
whatever delay you've programmed for a Chrome window to launch might be longer

00:08:46.440 --> 00:08:52.800
on a target system additionally if you've already run a payload on a

00:08:50.700 --> 00:08:57.300
machine once some of the changes that payload made might persist making it

00:08:55.260 --> 00:09:01.560
difficult to track how your code changes are affecting your payload's function if

00:08:59.640 --> 00:09:04.740
there was an included way for example to run it on a virtual machine that could

00:09:03.240 --> 00:09:10.080
be restored with a single button press that would be a lot more user friendly

00:09:07.620 --> 00:09:12.959
if you do have machines to test on and the patience to learn your way around

00:09:11.339 --> 00:09:18.240
the small issues of the DuckyScript language you too though could be doing

00:09:15.060 --> 00:09:20.160
Mr. Robot level infosec exfiltration data

00:09:18.240 --> 00:09:23.820
busting door crashing and output inputting but that brings us to an

00:09:22.560 --> 00:09:29.940
important question should you be able to as I said earlier

00:09:27.180 --> 00:09:34.800
a small flock of unattended armed duckies can be a very dangerous thing as

00:09:32.700 --> 00:09:40.019
it only takes one to expose an entire network that's what almost happened to

00:09:37.380 --> 00:09:44.880
the multinational chemical firm DSM back in 2012. thankfully for them instead of

00:09:43.019 --> 00:09:49.980
checking the contents themselves the person that found the mystery USB stick

00:09:47.100 --> 00:09:54.959
took it directly to IT people following protocol is truly the only way to keep a

00:09:52.500 --> 00:10:00.240
network secure and even though many people are not aware of how dangerous

00:09:57.660 --> 00:10:06.899
physical media can be attacking with it is not a new concept the Brain computer

00:10:02.940 --> 00:10:09.500
virus from 1986 used floppy disks to

00:10:06.899 --> 00:10:14.459
travel between machines and in 2010 Stuxnet famously cloned itself and

00:10:12.060 --> 00:10:18.540
traveled by any means possible to hit a single offline target in Iran

00:10:17.339 --> 00:10:23.820
however in any given year society is robbed of

00:10:21.180 --> 00:10:28.740
far more using crowbars and bolt cutters and yet they still sell those at every

00:10:26.100 --> 00:10:33.660
hardware store so the mere fact that a tool like the Rubber Ducky can be used

00:10:31.200 --> 00:10:38.760
by evildoers shouldn't be a cause for banning it just make sure that you and

00:10:36.779 --> 00:10:44.640
your loved ones can recognize it for what it is and always practice safe

00:10:41.880 --> 00:10:48.899
computer use just like I always safely segue to our sponsor Squarespace if

00:10:47.640 --> 00:10:53.459
you're building your brand online in 2022 you need a website and if you need

00:10:51.660 --> 00:10:57.480
a tool to help build that brand look no further than Squarespace Squarespace is

00:10:55.500 --> 00:11:01.800
the all-in-one platform to help expand your brand online make a beautiful

00:10:59.880 --> 00:11:05.519
website engage with your audience and sell anything and everything from

00:11:03.120 --> 00:11:10.140
products to content we love Squarespace so much we use it here at LMG its

00:11:08.220 --> 00:11:13.680
custom templates make it easy to stand out with a beautiful website that fits

00:11:12.120 --> 00:11:16.800
your needs you can maximize your visibility thanks to a suite of

00:11:15.180 --> 00:11:20.160
integrated SEO features and their analytic insights help you optimize for

00:11:18.540 --> 00:11:23.279
performance so you can see what's going well and what needs a little work so get

00:11:22.380 --> 00:11:28.980
started today and head to squarespace.com forward slash LTT to get

00:11:25.680 --> 00:11:30.720
10 off your first purchase if you guys

00:11:28.980 --> 00:11:35.160
enjoyed this video you might also enjoy our video on the password reset key too

00:11:33.060 --> 00:11:38.300
socks and sandals really go well with the ninja mask it turns out
