GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → mikeryan → uberducky

mikeryan / uberducky

Licence: GPL-2.0 license
Wireless USB Rubber Ducky triggered via BLE (make your Ubertooth quack!)

Programming Languages

c
50402 projects - #5 most used programming language
Makefile
30231 projects
python
139335 projects - #7 most used programming language

Labels

bluetoothusb-rubber-duckybluetooth-lehacking-toolredteamubertoothredteam-hardware-tool

Projects that are alternatives of or similar to uberducky

Extendable
Blocks Based Bluetooth LE Connectivity framework for iOS/watchOS/tvOS/OSX. Quickly configure centrals & peripherals, perform read/write operations, and respond characteristic updates.
Stars: ✭ 88 (+10%)
Mutual labels:  bluetooth, bluetooth-le
Ble
Connect to and interact with Bluetooth LE peripherals.
Stars: ✭ 156 (+95%)
Mutual labels:  bluetooth, bluetooth-le
Nimble Arduino
A fork of the NimBLE library structured for compilation with Ardruino, designed for use with ESP32.
Stars: ✭ 108 (+35%)
Mutual labels:  bluetooth, bluetooth-le
Bleu
BLE (Bluetooth LE) for U🎁 Bleu is the best in the Bluetooth library.
Stars: ✭ 481 (+501.25%)
Mutual labels:  bluetooth, bluetooth-le
py-bluetooth-utils
Python module containing bluetooth utility functions, in particular for easy BLE scanning and advertising
Stars: ✭ 60 (-25%)
Mutual labels:  bluetooth, bluetooth-le
Esp32 Ble Keyboard
Bluetooth LE Keyboard library for the ESP32 (Arduino IDE compatible)
Stars: ✭ 533 (+566.25%)
Mutual labels:  bluetooth, bluetooth-le
Easyble
Android BLE framework
Stars: ✭ 155 (+93.75%)
Mutual labels:  bluetooth, bluetooth-le
pirowflo
All-in-one data interface for your Waterrower S4 Monitor or Smartrow
Stars: ✭ 73 (-8.75%)
Mutual labels:  bluetooth, bluetooth-le
Esp32 Ble Mouse
Bluetooth LE Mouse library for the ESP32 (Arduino IDE compatible)
Stars: ✭ 180 (+125%)
Mutual labels:  bluetooth, bluetooth-le
Angular Web Bluetooth
The missing Web Bluetooth module for Angular
Stars: ✭ 164 (+105%)
Mutual labels:  bluetooth, bluetooth-le
Super Simple Raspberry Pi Audio Receiver Install
Super Easy installation to make your Raspberry Pi an Audio Receiver
Stars: ✭ 448 (+460%)
Mutual labels:  bluetooth, bluetooth-le
Radareeye
A tool made for specially scanning nearby devices[BLE, Bluetooth & Wifi] and execute our given command on our system when the target device comes in-between range.
Stars: ✭ 218 (+172.5%)
Mutual labels:  bluetooth, hacking-tool
Ios Pods Dfu Library
OTA DFU Library for Mac and iOS, compatible with nRF5x SoCs
Stars: ✭ 349 (+336.25%)
Mutual labels:  bluetooth, bluetooth-le
Ha Bt Proximity
Distributed Bluetooth Room Presence Sensor for Home Assistant
Stars: ✭ 77 (-3.75%)
Mutual labels:  bluetooth, bluetooth-le
IOS-DFU-Library
OTA DFU Library for Mac and iOS, compatible with nRF5x SoCs
Stars: ✭ 400 (+400%)
Mutual labels:  bluetooth, bluetooth-le
Ble.net
Cross-platform Bluetooth Low Energy (BLE) library for Android, iOS, and UWP
Stars: ✭ 137 (+71.25%)
Mutual labels:  bluetooth, bluetooth-le
BleLab
Bluetooth LE Lab - UWP application for interaction with BLE GATT devices
Stars: ✭ 68 (-15%)
Mutual labels:  bluetooth, bluetooth-le
ruuvitag-demo
Demo of reading Bluetooth Low Energy sensor measurements of RuuviTag environmental sensors and feeding them to MQTT, a database and dashboards
Stars: ✭ 14 (-82.5%)
Mutual labels:  bluetooth, bluetooth-le
Node Ble
Bluetooth Low Energy (BLE) library written with pure Node.js (no bindings) - baked by Bluez via DBus
Stars: ✭ 159 (+98.75%)
Mutual labels:  bluetooth, bluetooth-le
Bluescan
A powerful Bluetooth scanner
Stars: ✭ 206 (+157.5%)
Mutual labels:  bluetooth, hacking-tool
View All Similar Projects ➔

Uberducky - Wireless USB Rubber Ducky built on Ubertooth

Uberducky is a tool for injecting keystrokes into a target computer that can be triggered wirelessly via BLE. It is inspired by Hak5's USB Rubber Ducky, and like that tool it impersonates a USB keyboard and can inject malicious payloads such as reverse shells and RATs.

A normal USB Rubber Ducky has one major shortcoming: it is only useful when the target machine is left unlocked. An Uberducky can be hidden in a forgotten USB port, such as behind a tower under a desk or attached to a monitor. As soon as the operator of the target system drops their guard (or you distract them), Uberducky can be triggered to drop a malicious payload.

If you're interested you can read the story behind Uberducky and learn more about how it's built.

Getting Started

At the moment, you will need to build the firmware to use the tool and rebuild it any time you want to change the duckyscript payload.

You will need ubertooth-dfu from Project Ubertooth to flash the firmware. You will also need an ARM toolchain. If you are on Debian or Ubuntu, install these with:

apt-get install gcc-arm-none-eabi libnewlib-arm-none-eabi

This repo uses a submodule. If you didn't git clone --recursive, you must pull down the submodule using:

git submodule update --init --recursive

Drop your duckyscript payload into script.txt. You can then build and flash the firmware by running:

make
ubertooth-dfu -r -d uberducky.dfu

Big fat warning: this will replace any existing Ubertooth firmware you have on the device. If you want to re-flash normal Ubertooth firmware, follow the instructions below for how to re-flash.

Triggering Uberducky

Uberducky will wait for a specially-formatted BLE advertising packet. When it receives this packet, it will run the duckyscript. There are two ways of triggering it. If you have a second Ubertooth, you can run the following:

ubertooth-ducky -q

If you do not have a second Ubertooth but you have a system running Linux, you can send the special packet using the following commands:

sudo btmgmt add-adv -D 1 -u fd123ff9-9e30-45b2-af0d-b85b7d2dc80c 1 &&
    sudo btmgmt clr-adv

If neither of these approaches strikes your fancy, you may trigger Uberducky using any mechanism that results in fd123ff9-9e30-45b2-af0d-b85b7d2dc80c being in the first 32 bytes of any BLE advertising packet on channel 38 (2426 MHz) in LE byte order (i.e., 0c c8 2d 7d...). We're simply advertising it in a list of 128-bit UUIDs.

Re-flashing the firmware

Since Uberducky impersonates a keyboard, it does not respond to normal USB commands for reflashing the firmware. There are two mechanisms for forcing it to re-enter DFU mode and allowing the firmware to be re-flashed. The first is to send a specially-formatted BLE packet to reset it into DFU mode using a second Ubertooth:

ubertooth-ducky -b

It can also be done from Linux:

sudo btmgmt add-adv -D 1 -u 344bc7f2-5619-4953-9be8-9888fe29d996 1 &&
    sudo btmgmt clr-adv

Alternatively, you can force the device into DFU mode by using a wire to jumper two pins on the expansion header.

The expansion header is a 2x3 pin header between the two largest chips on the board, about halfway between the USB connector and antenna. It is labeled "EXPAND" on the back side of the board. Holding the board so USB is pointed up, on the front side of the board the expansion header looks like this:

  +-------+
6 + O | O | 3
  +---+---+
5 + O | O | 2
  +---+---+
4 + O | X | 1
  +---+---+

PIN #1, marked X, is square.

With Ubertooth unplugged, use a piece of wire, paperclip, staple, etc to connect pins 1 and 2 together. When it it plugged in, the Ubertooth should enter bootloader mode (LEDs will be turning on and off in sequence).

You must flash the new firmware within 5 seconds, otherwise it will boot into the previously flashed firmware.

Future Work

I would like to implement some mechanism for updating the Duckyscript and changing the UUID without having to recompile. Possible solutions include a USB serial port and a wireless protocol.

It would be useful to have dedicated apps for triggering Uberducky on OS X, Android, and possibly even iOS.

Frequently Asked Questions

Why Wireless?

Sometimes it's not feasible to wait for your target to leave their computer unlocked. If their system has a hidden USB port (such as behind a screen or under a desk) you can plug in Uberducky and lay in wait. When the opportunity arises, distract the victim and launch the attack wirelessly.

Why Ubertooth?

Ubertooth is a great piece of kit, and best of all the design is completely open. The LPC1752 microcontroller has a flexible USB peripheral that can emulate a keyboard, and the CC2400 radio facilitates easy communication over 2.4 GHz ISM. This tool was partly an exercise in seeing how little code it takes to receive BLE advertising packets on Ubertooth (fewer than 100 lines of actual code!).

How do I change the script?

Update script.txt and rerun the make and ubertooth-dfu commands listed above. We're working on better ways of doing this.

I need Duckyscript payloads

USB Rubber Ducky Payloads.

I want regular Ubertooth functionality back

See the above section on "re-flashing firmware".

What do you think of Duckyscript?

No comment (hey there are kids around).

I have an idea on how to make Uberducky even cooler!

Submit a GitHub issue with your feature request, or better yet a pull request :)

About

Uberducky was written by Mike Ryan of ICE9 Consulting. The author disclaims any liability for the illegal use of this tool.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].