Do NOT Plug This USB In! - Hak5 Rubber Ducky

  • Published on 25 Jan 2025

Comments

  • @dogbog99
    @dogbog99 2 years ago +4852

    These things have been available for over a decade, I’m surprised Linus has only just made a video on this cool device.

    • @RedneckIrishman
      @RedneckIrishman 2 years ago +65

      I was just gonna type the exact same thing :D

    • @Kitteh0teh0cat
      @Kitteh0teh0cat 2 years ago +274

      He says it's been a thing for a decade but a new version was released this year.

    • @namonaite
      @namonaite 2 years ago +62

      I mean he got them for the lab, might as well make a video while at it.

    • @MaxwellVador
      @MaxwellVador 2 years ago +89

      He’s been making videos on these types of malicious USB drives for the better part of a decade.

    • @namonaite
      @namonaite 2 years ago +25

      @f3rny_66 Also maybe they believed they could make a better video now, with a more experienced team of writers and editors, and just used the excuse that they got a bunch of them for the lab to also make a video on them.

  • @Jahus
    @Jahus 2 years ago +1049

    7:25 It's because the system can set (from inside) the CAPS lock and NUM lock state of keyboards. The keyboard is aware of change. So if the Ducky can be a keyboard, it also can be aware of such changes. If the script uses these state changes to transmit a message, the keyboard (here the Ducky) can read them and store the data into a file. It's genius.

    • @Clumrat
      @Clumrat 2 years ago +46

      Yeah that part blew my mind. Also 7:27 wysi

    • @thyros_
      @thyros_ 2 years ago +3

      yea that’s really smart

    • @vinylSummer
      @vinylSummer 2 years ago +3

      @Clumrat wysi

    • @BrendonKing
      @BrendonKing 2 years ago +62

      @sven957Sven subvert filesystem locks. Many enterprise systems don't allow for external storage to be connected, but keyboards are fair game. The script will just buffer the state changes to memory which in essence does the same thing.

    • @armata143
      @armata143 2 years ago +34

      @sven957 Systems can detect when a script/executable is launched and block it.
      Using the keyboard to type a script though, different story.

  • @Skreamies
    @Skreamies 2 years ago +652

    Finally a video on these, they've been a thing for ages!
    Never plug in a random flash drive you've found or been given a lot of the times.

    • @Turboy65
      @Turboy65 2 years ago +26

      It's pretty much the equivalent of going rawdog at a lights-out group grope. (orgy)

    • @corvettec-dt1eq
      @corvettec-dt1eq 2 years ago +6

      I have a computer that only has an Ethernet port for network connectivity, no wi-fi or bluetooth interfaces that I use for this purpose. It has no data on it except for the OS, and the Ethernet port remains unplugged always

    • @TheLongDon
      @TheLongDon 2 years ago +4

      @Turboy65 Lol where do you find these things

    • @Turboy65
      @Turboy65 2 years ago +1

      @TheLongDon Make lots of kinky friends, wait for the flash mob....LOL....

    • @MeAMoose
      @MeAMoose 2 years ago +5

      @Akkbar21 Not really; having an experimental sandbox computer can be really useful, if not for avoiding physical hacking attempts from USB devices then installing suspicious applications to test them first before installing them on your main machine.

  • @dylanjones5420
    @dylanjones5420 2 years ago +746

    Hak5: it was made to automate mundane office tasks
    Also Hak5: "Attack mode"

    • @traorelala
      @traorelala 2 years ago

      thanks

    • @ivyivyyiivvvyyyyvy
      @ivyivyyiivvvyyyyvy 2 years ago +27

      Yeah, among other things, if they wanted it to not be used for malicious purposes, they wouldn't have made it look so mundane. Clear irresponsibility on the part of the creators.

    • @wadewilson5446
      @wadewilson5446 2 years ago +42

      He ptorek
      He attak
      but more importantly,
      he automate mundane office task

    • @notbalisongflipping
      @notbalisongflipping 2 years ago +2

      Take you for explaining now I can understand it clearly

    • @laplongejunior
      @laplongejunior 1 year ago +6

      @ivyivyyiivvvyyyyvy
      "if they wanted it to not be used for malicious purposes, they wouldn't have made it look so mundane"
      I think the implication is that your boss wouldn't know you're automating the mundane office tasks you are paid for.

  • @S4sch4_97
    @S4sch4_97 2 years ago +60

    As an IT guy you could test your clients IT Security Awareness with these and load a script onto them, that automatically books the person into the next Security Seminar, so they can learn what to do the next time they find a random USB Stick

    • @freedustin
      @freedustin 2 years ago +2

      What about the OMG cable?
      How you gonna teach people to avoid a normal ass lookin cable?

    • @KJ4EZJ
      @KJ4EZJ 2 years ago +3

      My previous employer did the phishing email version of this. You click the link, you get (polite, short) training. I always thought they were super obvious. There were only ever two emails in four years that made me wonder.
      Doing the same with USBs would be cool.

    • @darin7553
      @darin7553 2 years ago

      I like your idea

    • @KJ4EZJ
      @KJ4EZJ 2 years ago +15

      @Ian Visser Lol! No. Companies pen test themselves and run "simulated phishing" campaigns against their own employees all the time. Any company serious about cybersecurity should be doing stuff like this. I wouldn't do it unilaterally unless you are the head of IT or cybersecurity and have already built credibility, but you really want to tell as few employees as possible these types of exercises are going on until they are over.

    • @RobbeSeolh
      @RobbeSeolh 2 years ago

      LMAO

  • @Mantris100
    @Mantris100 2 years ago +1165

    For additional info, Rubber Duckies are INSANELY easy to access and learn.
    I built my own out of an Arduino - it’s pretty much identical in functionality to a Rubber Ducky 1.0 and it cost me maybe 6 Canadian Dollars. Granted, I use it to automate basic batch scripts to quickly troubleshoot Windows PCs for myself and some friends but anyone willing enough could definitely do some damage with it if they were so inclined.

    • @amil-d
      @amil-d 2 years ago +4

      How did you use your arduino

    • @naxusv7232
      @naxusv7232 2 years ago +22

      raspberry pi pico works as well

    • @meme-hj5rs
      @meme-hj5rs 2 years ago +23

      Github link of your code or it didn't happen

    • @ArsenGaming
      @ArsenGaming 2 years ago +32

      @meme-hj5rs Do you realize how simple these devices are? The code would be maybe 100 lines long for a basic version. A more complicated one would maybe reach 500 or so. Anyway, these are really really simple devices.

    • @jantube358
      @jantube358 2 years ago +1

      This makes a bit more sense to me. I wouldn't pay $100 just to Rick Roll a friend. But there is no Arduino with USB A so how did you do it?

  • @chicken-fried
    @chicken-fried 2 years ago +401

    I did a project on this in college in 2014 and nearly got a failing grade because my prof said it was unrealistic. I've seen so many things that work like rubber duckies since and it just grinds my gears every time! These things are neat but dang can they do some harm.

    • @roeulogy
      @roeulogy 2 years ago +38

      In a white hat sense, I've been doing this since about 2000(ish). Kinda made ninite, but before ninite was a thing (i think). I just wasn't playing as a HID device because I had everything I did scripted at the time. That prof, I really hope he now gets "defcon" famous.

    • @RobotnikPlays
      @RobotnikPlays 2 years ago +115

      Should've left a ducky stick next to the professor's car door or office door with a payload that just launched notepad and typed "I told you so"

    • @PrograError
      @PrograError 2 years ago +14

      could you apply for a revision then... obviously a revision of HS grade could happen... after you already finished uni...

    • @antoniolim762
      @antoniolim762 2 years ago

      "my prof said it was unrealistic"...are the words highly SUS tech people use to deflect from what they "actually" do...hidden in plain sight...faking ignorance to avoid getting known for actual know-how (:D)

    • @dothedewinme
      @dothedewinme 3 months ago

      @RobotnikPlays dude. You still can lol

  • @willwunsche6940
    @willwunsche6940 2 years ago +530

    I remember learning about these many years ago in some certification classes I took when I was 14 & 16. A lot of server places will actually have their USB ports flat out disabled to prevent physical malware attacks and cables locked away behind metal from where they can be physically tampered with to prevent wire tapping even if they are already in locked facilities.

    • @gamingmarcus
      @gamingmarcus 2 years ago +28

      That's actually another good reason to have these onboard USB ports on server boards. Besides having physical access you'd have to take apart the server in order to install the USB device.

    • @roberttalada5196
      @roberttalada5196 2 years ago +28

      Or just keep people out of the server room with proper physical security controls. As a server admin, I need USB sometimes

    • @seshpenguin
      @seshpenguin 2 years ago +27

      @roberttalada5196 Yep, if an adversary has physical access to a server, it's basically game over anyway.

    • @pieterrossouw8596
      @pieterrossouw8596 2 years ago +11

      Saw a server in our university lab that had its front facing USB ports epoxied closed.
      In a space where students both need to have access to servers to learn and eventually will try stuff like this, I guess it made some sense.

    • @bobblueton
      @bobblueton 2 years ago +20

      I knew a guy who worked at a place who super glued all their USB ports and installed tamper alarms (Visual and audio) to their terminals. It was a medical office who got hit with some type of ransomware after a disgruntled patient didn't get their refill.

  • @LinusTechTips
    @LinusTechTips 2 years ago +132

    We need to properly thank I-Am-Jakoby for their various contributions to the Rubber Ducky community! Their work made a lot of this possible. Check out their github for some really useful Rubber Ducky resources: github.com/I-Am-Jakoby

    • @timunwerner990
      @timunwerner990 2 years ago +1

      Disappointed that Linus did not drop the Rubber Ducky

    • @IamJakoby
      @IamJakoby 2 years ago +9

      Thank you sooo much!
      It was an honor alone just to be in a video!

    • @PlanetXtreme
      @PlanetXtreme 2 years ago +2

      @IamJakoby Epic, you're the legit channel too and not a fake advertiser

    • @IamJakoby
      @IamJakoby 2 years ago +1

      @PlanetXtreme I appreciate you! I've put a lot of effort into trying to make something legitimate to offer 😀

    • @pimpstick2
      @pimpstick2 2 years ago +2

      Don't mind me riding Jakoby's coat tails here 😉 Funny to see my 32 wants the D payload referenced. People can feel free to check out my repo as well.

  • @BartDerudder
    @BartDerudder 2 years ago +167

    For testing: use vm snapshots to return to a previous state. To get the rubber ducky to work in a vm, pass through a usb hub or pci card directly to the vm. (not the ducky device itself, that's going to cause issues)

    • @OrlandoTiquim
      @OrlandoTiquim 10 months ago

      I once heard you still have risks even when using VM for testing bc it could infect your network between it and your "main pc environment"

    • @crispyybaconx
      @crispyybaconx 4 months ago

      @OrlandoTiquim well yeah you could... if you program it to

  • @BrodieFairhall
    @BrodieFairhall 2 years ago +293

    I still use my original rubber ducky to automate all kinds of things and to demo why you don't plug in random flash drives.
    Such an amazing piece of kit and the rubber ducky 2.0 is even more amazing!

    • @JonLinde
      @JonLinde 2 years ago +9

      So it isn't just me... Never figured out why nobody else put them to good and practical use.

    • @BrodieFairhall
      @BrodieFairhall 2 years ago +6

      @JonLinde I know right!?
      It has been an absolute life saver for multi hour system setups etc

    • @treeskers
      @treeskers 2 years ago +2

      @BrodieFairhall can you elaborate on your usage? like what kind of things are you automating with this

    • @BrodieFairhall
      @BrodieFairhall 2 years ago +9

      @treeskers one good example from years ago was setting up some HMI PC's for a scada system. They were all the same except for some customer names etc.
      It involved imaging the OS, mapping a network drive to a file server, then installing various software that required the customer name or specific files to be linked on setup (which is why we couldn't just image everything). Then all the manual files were copied over, registry edits made etc.
      We would just change the customer name and a couple of details in the ducky script, put the DVD with the OS image in the machine, plug in the rubber ducky and turn it on.

    • @blablabla1000able
      @blablabla1000able 2 years ago +1

      I don't get why you can't do all that with a regular usb drive and just run some executable file manually that does all you want it to do?

  • @awakenedcrowl
    @awakenedcrowl 2 years ago +1209

    I always laughed at people for "acting like just plugging in a single USB stick could cause THAT much harm". I guess, I was the fool.

    • @vgamesx1
      @vgamesx1 2 years ago +241

      Guess you also haven't seen those USB killers everyone was talking about like ~5 years ago, it's possible to destroy an entire computer by simply plugging in a USB stick.

    • @FlameMage2
      @FlameMage2 2 years ago +28

      Have you seen the USB Killer too?

    • @awakenedcrowl
      @awakenedcrowl 2 years ago +15

      @FlameMage2 I had seen that (USB Killer), but also only recently

    • @awex7
      @awex7 2 years ago +8

      it doesn’t have to be a use lol you could make your own homemade one that can fit into any type of plug output

    • @SpaceRanger187
      @SpaceRanger187 2 years ago +10

      You can even take over ATMs...so I've heard

  • @SignalBoost
    @SignalBoost 2 years ago +177

    Hak5 brings back so many memories. I'm glad the LTT labs people found a use for their duckies, but I'm not sure I learned all that much.

    • @daysiewaysie
      @daysiewaysie 2 years ago +1

      ahh yes, those fond memories of when Matt Lestock and Paul The Camera Guy were on the team. i stopped watching when Matt left.

    • @supercheetah0
      @supercheetah0 2 years ago +1

      This video isn't really for anyone who already knows about Hak5 though. It's for everyone else that doesn't.

  • @RedHeadWolf117
    @RedHeadWolf117 2 years ago +50

    Security analyst here, I've only seen one on a network once, they're pretty interesting! I hope you guys cover more cybersecurity topics

    • @the_undead
      @the_undead 1 year ago

      I love the people in this comment section who are talking about how much of a threat these are or similar comments, these are a pretty risky attack from a risk reward perspective because you need to make damn sure that your fingerprints are not on the device, so your average person shouldn't be too concerned about these. Just know they exist and leave it at that

  • @carloaarnink
    @carloaarnink 1 year ago +22

    6:00 4 months later and this has suddenly become a real story XD

  • @carlj238
    @carlj238 2 years ago +354

    I would love for LTT to do more videos on Cyber Security

    • @e.l.6562
      @e.l.6562 2 years ago +14

      After seeing what their "server room" looks like, I'm not sure that I would trust them

    • @x_____________
      @x_____________ 2 years ago +25

      I wouldn't unless they have someone who actually has some Cybersecurity accreditation or experience.

    • @trajectoryunown
      @trajectoryunown 2 years ago +5

      @e.l.6562 I wouldn't use personal practice as a gauge for someone's aptitude. Just think of how many peak athletes are coached by people who would never have even dared to strive to compete on the level of the people they train. As long as someone knows what they're talking about that's enough to be taken seriously. Given that I'm effectively clueless in this field, I'd rely on comments from people in the cyber security field and other sources to determine the value of any information put forth anyway.
      With LMG's core audience, you've got to be mindful that little of what they do will actually be comprehensive or even entirely accurate. Even so, they are in a prime position to spark someone's interest in something they'd never considered thinking of before. In that regard, I think even partially inaccurate advice is better than nothing. It would at least give newbies a starting point to research even if it's nothing more than a few key words or phrases they're unfamiliar with.

    • @Zurfy
      @Zurfy 2 years ago

      @CGG_GSS Then why are they doing a video about cybersecurity?

    • @FightingSportsMedia
      @FightingSportsMedia 2 years ago

      But he should stay away from talking about the programming. A lot of what he said was not correct or the fault of the device.

  • @nemtudom5074
    @nemtudom5074 1 year ago +12

    6:11 4 months later that has never been more ironic, LMAO

  • @thegift6749
    @thegift6749 1 year ago +6

    Colton crying after opening the company to a cyber threat is very foreshadowing xD

  • @paytyler
    @paytyler 2 years ago +49

    This sounds like a dream come true for every of Linus's viewers who have grandparents.

    • @ducksongfans
      @ducksongfans 2 years ago +1

      they don't even know that they have usb ports or what usb is

    • @CHURCHISAWESUM
      @CHURCHISAWESUM 11 months ago

      @ducksongfans that moment when being illiterate is the best defense 😂

  • @hardrivethrutown
    @hardrivethrutown 2 years ago +32

    Just now do I realize that I actually want one of these, being able to plug in a drive and have it automate a couple commands looks useful as hell

    • @goldenhate6649
      @goldenhate6649 2 years ago +5

      I saw this and my first thought was automating installing emulator games via USB

  • @r3d53v3n
    @r3d53v3n 2 years ago +24

    Glad that you're highlighting security tools, tricks, and remediation. Keep doing videos like this. As a security professional I think tech YouTubers can play an important role in educating users

  • @beanjeangreen
    @beanjeangreen 2 years ago +48

    Would absolutely LOVE an LTT deep dive on Hak5 tools

  • @BCProgramming
    @BCProgramming 2 years ago +21

    Before USB there were versions of this for PS/2. They were largely used for some of the same legitimate tasks, usually some form of automation, or, in some cases they could act as a converter between RS-232 and PS/2 for some serial devices. The tricky part of these USB HID "attacks" is that unlike the old route of a malicious autorun, you can't avoid it by holding shift, and of course once it's plugged in, it gets activated and can start "typing". Some AV software has started adding "keyboard authorization" features to try to combat these types of devices. One interesting approach of dealing with a suspicious "drive" is to plug it in while in a VM (with shortcuts to 'escape' the VM disabled). Even though it will connect to the host machine, if it is a device like this, then keystrokes it tries to send will go to the VM. Heck a MS-DOS VM running a tiny DOS program that just logs key scancodes to a text file could even provide insight on what exactly it is trying to do.

    • @petelee2477
      @petelee2477 2 years ago

      Can it access the host machine even if the operating system was different from the virtual machine

    • @aravindpallippara1577
      @aravindpallippara1577 2 years ago

      @petelee2477 it's an automatically typing keyboard - it requires exactly right context (usually empty desktop) to start working properly

    • @KJ4EZJ
      @KJ4EZJ 2 years ago

      @petelee2477 Don't rule it out. Malware can escape virtual machines. With this tool in particular, unlikely.

  • @michelyannakis535
    @michelyannakis535 2 years ago +125

    Wow this is scary. I am sure someone could modify a keyboard using a hub and a built-in rubber ducky to make it look even less harmful. If someone receives a USB keyboard by mail, if it looks better than their current keyboard, I am sure many wouldn't hesitate to plug it in their computer to try it.

    • @AudreyAdz
      @AudreyAdz 2 years ago +29

      That is a shockingly terrifying and also very clever idea tbh

    • @minarchisttrucker2775
      @minarchisttrucker2775 2 years ago +28

      There's a ducky hidden inside a charging cable that has a wifi connection to control remotely. You can't tell a difference between it and a normal charging cable

    • @frosty129
      @frosty129 2 years ago +7

      Or ANY usb device for that matter. Webcam, mouse, printer, once the USB gets plugged in, it's game over.

    • @suzierottencrotch7893
      @suzierottencrotch7893 2 years ago +2

      There's already something called duckhunt which detects ultra speed typing.

    • @minarchisttrucker2775
      @minarchisttrucker2775 2 years ago +3

      @suzierottencrotch7893 you just slow the typing speed down to a human level and while slower is still automated

  • @DavidStringham
    @DavidStringham 2 years ago +29

    I was wondering if LTT would do more security-related videos like the Rubber Ducky. I was pretty excited for this.

  • @Thermalions
    @Thermalions 2 years ago +15

    10:35 Thanks Linus. Now I know what a rubber ducky looks like. I can safely plug in that USB I found this morning on the sidewalk - it doesn't have that folding silver shield on it, so can't be a rubber ducky.

    • @adoatero5129
      @adoatero5129 2 years ago

      That's what I thought it was first too. I think Linus didn't think that part of the otherwise good presentation through. I also would have liked to see some practical advice on how to avoid being hurt by this in real life (other than the obvious "don't attach a USB drive that you find on a street to your computer"). Anyway, I think this was a very interesting and generally very well made presentation.

  • @m0x34riou
    @m0x34riou 2 years ago +25

    At a University near where I live they scattered 50 of these around with a simple script to ping a specific IP so that they could record how many People plugged it in. They recorded 80 different IP Addresses.

    • @QuackZack
      @QuackZack 2 years ago +1

      So in other words, it'd be stupid easily to hack people if you had malicious intent? And people let their curiosity get the best of them rather than their common sense?

    • @freedustin
      @freedustin 2 years ago +1

      @QuackZack at random yeah, good luck nailing a specific target tho.

    • @KJ4EZJ
      @KJ4EZJ 2 years ago

      @freedustin With a little social engineering, no problem. Send a "free" flash drive in the mail as a fake promotional. Give it to them in a swag bag. Become their friend and tell them the photos from the other night are on there. Convince them to print or scan a specific type of item at their local print shop that requires a flash drive and make sure, when they go looking for one (because who has those laying around anymore besides tech people thanks to the cloud), the malicious one is the first one they find. There are a million ways you could social engineer a specific target into plugging a USB into one of their computers. That's just what I came up with in one minute...get creative.

  • @novamaster0
    @novamaster0 2 years ago +2

    I've been watching Hak5 since 2006, LTT since about 2015..... I was SUPER excited to see this video pop up. I really really hope there's more!
    Commenting for the algorithm to show this is a great video!

  • @drk_blood
    @drk_blood 2 years ago +7

    That recreation of the Mr.Robot's scene with the usb thumb drive taken and plugged in by the cop was funny AF with Colton being the victim 😂

  • @mhammadalloush5104
    @mhammadalloush5104 2 years ago +30

    Those are old news, but it's good that someone from the mainstream is actually covering this attack venue, and yet another lesson on why not to plug random USB accessories willy nilly

    • @ChrisPBacon-fx3ut
      @ChrisPBacon-fx3ut 2 years ago

      I guess so, even their wifi and ethernet taps are old stuff too

    • @ChrisPBacon-fx3ut
      @ChrisPBacon-fx3ut 2 years ago +2

      @username8644 i get the sentiment, but bro i just had a stroke

  • @TehStoni
    @TehStoni 2 years ago +77

    as a cyber security professional i would love to see LMG pick up more cyber content. LinusSecTips????

    • @osharpey7293
      @osharpey7293 2 years ago +3

      LTT x John Hammond collab is what i wanna see

    • @theBabyDead
      @theBabyDead 2 years ago +3

      That name will 100% get abused.

    • @14b3am
      @14b3am 2 years ago +3

      @theBabyDead that's the point

    • @TehStoni
      @TehStoni 2 years ago

      @theBabyDead perfect

    • @jamerperson
      @jamerperson 2 years ago +1

      Just go watch Hak5 or Seytonic. Those guys already do a great job at it.

  • @Tiger21820
    @Tiger21820 1 year ago +3

    This could be very useful for destroying scam call centers, because you know how much of a plague those scammers are! Create a script that completely wipes the servers and BOOM! No more call centers!

  • @fish_bacon
    @fish_bacon 1 year ago +6

    Colton running malicious software did not age well in hindsight did it? :P

  • @joegon6278
    @joegon6278 2 years ago +20

    I always wondered if they were going to ever release a newer version of the Duckie, I've had mine for years and it is a super useful tool, especially if you work in I.T. and have to do mundane task, I use mine to install software we use at work after a reimage

    • @esimp754
      @esimp754 2 years ago

      I moved away from theirs to Michal monday on github he has a supreme ducky albeit a bit out of date now but found it loads better than hak5s not looked into their 2nd version.

  • @taronzgaming7739
    @taronzgaming7739 2 years ago +6

    The main infosec advice I give to people is simple "Unless you know what it is, don't put it in". Works decently for other bad decisions you make sometimes too.

  • @liaminwales
    @liaminwales 2 years ago +15

    LTT needs to do a video on installing windows and user V admin accounts and how to set them up to be secure, topics like login options for users and how they matter.

  • @storm4045
    @storm4045 2 years ago +1

    Hey linus i doubt this will ever be seen but ive got an idea for a video for you, i recently bought a gaming laptop with an i7 and 3060 and it gave me the inspiration for the idea. The challenge is get every big computer youtuber you can think to chip in a single completely random spec component of a custom gaming pc (good or bad) preferably intel and give it away to a random fan once the build is complete

  • @Seytonic
    @Seytonic 2 years ago +85

    You know wireless BadUSBs exist, they're open source too : ) search for them on YouTube

    • @raresandrei7205
      @raresandrei7205 2 years ago +2

      Oh Seytonic, glad to see you here

    • @Jbryan09
      @Jbryan09 2 years ago +1

      “There safe trust me”

    • @Adam-kl9uf
      @Adam-kl9uf 1 year ago

      Yo it’s seytonic love the videos dude

  • @Yeoffrey
    @Yeoffrey 2 years ago +1

    I've been using a ducky for 5 years to automate changing settings in windows and install software for machines we sell to customers to ensure that they are ready to use out of the box.

  • @spacehuhn
    @spacehuhn 2 years ago +39

    Great video! Thanks for educating about this kind of attack 😃
    Been working on a couple of Open-Source BadUSB projects myself recently.

  • @slhuck
    @slhuck 2 years ago +163

    Can you build a 5 minute version of this? I would love to share this with my non-technical staff, just so they can know the danger. Heck, that would be a fantastic new channel--security issues for non security people.

    • @KJMcLaws
      @KJMcLaws 2 years ago +2

      That would be amazing. I want to send this to my family too.

    • @esatd34
      @esatd34 2 years ago

      Im into that

    • @madness1931
      @madness1931 2 years ago +25

      Isn't that just Techquickie? Dumbed down tech info, for the average Joe.

    • @slhuck
      @slhuck 2 years ago +7

      @madness1931 I’m thinking more like Security in Brief. Most security information geared to the regular user is full of stock photography and over explained by experts. The section on USB sticks and how they pose a security threat was the simplest I’ve seen. That could be done for phishing, passwords, etc. Maybe sans the condom, as that wouldn’t fly in my environment. But the security content was perfect for my users.

    • @PrograError
      @PrograError 2 years ago +3

      @slhuck and hosted by jake or anthony.

  • @rickseiden1
    @rickseiden1 2 years ago +9

    I remember in the late 80s/early 90s we had to write software on public computers and the only way to save our code was with floppies. We were constantly running into issues where our own floppies that we bought and formatted on our machines, got infected.

    • @3polygons
      @3polygons 2 years ago

      Yep, I remember that. First the 5.25 inches, then the 3.5 ones. And those utilities allowing to use extra capacity (2mb total, I think) beyond 1.45 mb. Or the ones which could be used to fake a ram disk to allow certain installations. I remember always knowing even which floppy disks I had as infected. You could recover from that, but was not easy.

  • @MaxxDJ29
    @MaxxDJ29 2 years ago +1

    I bought one of these to automate iPad and Mac deployments when we aren’t using DEP. Saves SO MUCH TIME, it just needs to be updated occasionally

  • @whyzzzcat
    @whyzzzcat 2 years ago

    That Jacket is Wild. Straight outta the 90s. Love it.

  • @cherrypepsi2815
    @cherrypepsi2815 2 years ago +25

    I'm surprised he hasn't reviewed one of these sooner. I've used these for years, amazing tools, but also pretty deadly if you wanted to use it as such

  • @laneh7449
    @laneh7449 2 years ago +15

    Love seeing this, I would love more security integration from LTT in videos ❤

  • @IngwiePhoenix_nb
    @IngwiePhoenix_nb 2 years ago +8

    Using this as a means to automate bench setup is pretty ingenious.
    Been subbed to the Hak5 channel for a while and totally love what they did there! It's a research tool in one hand, or a weapon in another. Great video!

  • @akomplissgaming
    @akomplissgaming 1 year ago

    This is probably the best advertisement they could have asked for. I'd bet tens of thousands of people bought it after watching your great promotion.

  • @Streichholztasche
    @Streichholztasche 2 years ago

    Fun facts:
    The clip in the beginning ( 0:09 - 0:18 ) was a TV-Ad that was actually shown in the early 2000s in germany. The conclusion „So wach warst du noch nie“ at the end means something like „You have never been more awake than now“ and advertised a coffee drink with high caffeine content.
    There were many complaints due to horrified children and dropouts of pacemakers because of these ads.

  • @fermitupoupon1754
    @fermitupoupon1754 2 years ago +35

    Ah yes, the old USB port as an attack vector. Funny you should mention DSM, because one of their SysOps gave a talk at a local small time Defcon type of convention and he mentioned the use of hot melt glue to stop USB port based attacks.
    Still I always figured that given what we did as kids in high school during the 90s these kinds of attacks would be obvious by now.
    All of the computers in HS ran NT4, so their drives were NTFS. Except for the computers in the computer lab, because due to curriculum requirements those were W95 machines. Now IT had considered that diskettes would be an attack vector, so they passworded the BIOS and made the A and B drives non-bootable.
    Except they messed up. All the BIOSes had the same password. Windows 95 is basically a glorified DOS shell, so any user would have low-level access to the hardware. So use W95 to make a dump of the BIOS, take it home, grep the password from the dump.
    Prep a muLinux diskette with the NTFS read kernel driver, use BIOS password on NT4 box to enable booting from diskette. Boot up muLinux, grab the SAM files, take em home and run L0pht at your leisure.
    It left no trace on the school computers and meanwhile we had Domain Admin level access.

    • @ItsDank
      @ItsDank 2 years ago +3

      man you old

  • @silentfox8
    @silentfox8 2 years ago +13

    These are VERY useful tools, different versions too!

  • @iamJDC
    @iamJDC 1 year ago +3

    5:56 the irony here is palpable - this scene didn't age very well for LMG.

  • @JOEBR0NI
    @JOEBR0NI 2 years ago +1

    Been watching since the earliest of the NCIX days. Great video to let people know about the dangers of things like this. Can't describe how happy I am to see the LTT intro and song making their way back into all the videos. Don't know why, just am!

  • @the_dev_d
    @the_dev_d 2 years ago +2

    Very excited and happy to see Linus mentioning Darren Kitchen, two of my first and most favourite youtubers.
    There are a ton of other hardware based hacking devices from Hak5, we would really like to see those to be featured in LTT as well.

  • @TheJCEguy
    @TheJCEguy 2 years ago +6

    Colton's reaction was F***ing priceless even if it was staged XD 🤣

  • @Camouflagedcamo
    @Camouflagedcamo 2 years ago +8

    So cool to see Linus tackling some cybersecurity now. Everyone could use some extra awareness.

  • @twertygo
    @twertygo 2 years ago +4

    Great video! Though you should have shown the Ducky as several different looking USB sticks. A novice might only watch out for a stick that looks like the one you are showing. And it seems to me like you are trying to communicate to novices too. Otherwise I have nothing to complain about and found the video very well written and informative.

  • @dreamonline1996
    @dreamonline1996 2 years ago

    I worked for DSM at a local industrial site before our buy out and when I tell you that our classes RAMPED up and they locked our machines. We weren’t allowed to use anything in the machines unless it was provided by our IT team.

  • @RIPOSTgaming
    @RIPOSTgaming 2 years ago

    I made one of these with a cheap Raspberry Pi Pico and it works amazingly, and it is extremely easy to use. They are really helpful when trying to code or set up something on multiple computers because it automates it.

  • @kevoqq
    @kevoqq 2 years ago +9

    You really emphasized "Being safe" at the end there🤣

  • @Neoxon619
    @Neoxon619 2 years ago +8

    Damn, there’s even a USB-C version. Nobody is safe.

  • @bitB3AR
    @bitB3AR 1 year ago +7

    6:00 This did not age well post session cookie hack.

  • @bwabbel
    @bwabbel 2 years ago +1

    I hope the dude taking the USB stick to IT security got a bonus. Hardly anyone does that. Even many IT people would just carelessly plug it in. And that's why social engineering is even a thing. If technical security measurements get better and better, the only weakness that's basically impossible to reliably patch is the user. Humans will always make mistakes. That's why it's more important than ever before to make people aware of those threats and educate them.
    I think that devices like this should be legal. The main reasons are
    1. Someone will do it anyway, no matter if it's legal or not
    2. If it's done anyway it's better to make it public to show that devices like that exist and what they can do

  • @JCR4990
    @JCR4990 2 years ago +1

    Most people have absolutely no idea how scary these things are lol. I ordered one a few years ago to play around with. I don't use it much but I still carry it around with me in my laptop bag. The first day I had it I managed to build a payload that when plugged in within a few seconds would grab every single one of my saved Google chrome passwords and email it to myself. My jaw hit the floor when that email came in with my entire password list in it lol. From that point forward I pretty much NEVER walk away from my laptop at work without locking it. It's insane how much damage someone can do with one of these and a little know-how and 5 seconds of access to a USB slot on your device.

    • @JCR4990
      @JCR4990 2 years ago +1

      Not to mention something like sudo rm -rf /* lol. See ya later data. Hope u had backups.

  • @pb4610
    @pb4610 2 years ago +5

    It would be interesting if LTT did an interview with Darren Kitchen or Shannon Morse on their products.

  • @jeremyellmer3925
    @jeremyellmer3925 2 years ago +10

    I almost bought one of these a long time ago.
    Then I realized you can do the exact same thing with a $5 Arduino board. The script language is a little more complex but gives you wayyyyy more features, plus you can add other devices to the Arduino like Wi-Fi, Bluetooth, even capacitors to make your own badUSB.
    You can go even further and buy "fake" Arduinos for even cheaper ($2 in bulk) that do the same thing, 3D print a bunch of harmless looking USB shells and then drop them around the city.
    Not that I've ever done that.....

    • @vashumashu4359
      @vashumashu4359 2 years ago

      Right, all of this information is clear, the Rubber Ducky was meant for ease-of-use. The Hak5 gang has always been script kiddy friendly. The more we arm the masses, the better awareness we all share.

    • @goodnight4u
      @goodnight4u 2 years ago +1

      I mean I really hope you never did that. Because that would make you look like a real creepy loser if you did. But you didn’t so that’s not a concern right?

    • @jeremyellmer3925
      @jeremyellmer3925 1 year ago

      @@goodnight4u I definitely didn't but if I had it would have just pinged a server I had set up as a part of a paper I may have done on cyber security for a college class.

  • @RuxUnderscore
    @RuxUnderscore 2 years ago

    The Writer, Tanner McCoolman, was excellent for this video. As someone that was trained in CySec and learned how to use a USB Rubber Ducky, it was very well explained on how this attack vector works!

  • @Teshi39
    @Teshi39 2 years ago +1

    0:29 I love how that website is considered cyber crime

  • @NEOREV_MUSIC
    @NEOREV_MUSIC 2 years ago +5

    Mr. Robot is such a great show. One of the few series that stuck the landing. With a name like Mr. Robot, the show is not at all what you think it is.

    • @MRJMXHD
      @MRJMXHD 2 years ago +2

      I found it hard to watch due to its slow pacing. Might just go back.

    • @sfwreaths1
      @sfwreaths1 2 years ago

      What it is?

    • @NEOREV_MUSIC
      @NEOREV_MUSIC 2 years ago +1

      @@MRJMXHD Slow? Really? I loved it. It really takes off season 3 and 4. Stick with it because it all comes together. This show has some of the best directed episodes I've seen on television. The first season is a bit smaller in scope, but becomes a much bigger story as it goes along.

    • @NEOREV_MUSIC
      @NEOREV_MUSIC 2 years ago

      @@MRJMXHD The whole series is on Prime now.

    • @MRJMXHD
      @MRJMXHD 2 years ago

      @@NEOREV_MUSIC thanks I will.

  • @lilv728
    @lilv728 2 years ago +4

    Just realized my passion and finally started pursuing a comp sci degree this semester. And I'm quite proud of myself because I actually understood every single issue you guys listed with the ducky. I love this field haha

  • @collinst.pierre9106
    @collinst.pierre9106 2 years ago +4

    If you don't need the built in storage, I'd recommend a Digispark USB. It just uses Arduino code, and there's programs that translate RD scripts to run on them. Plus they're like 20$ for a 5 pack. I've been using them for automated thin client setup.

    • @ShaddowWolf
      @ShaddowWolf 2 years ago +1

      If you find the right deal on Amazon, for example, you can get them for half of that

  • @TheRealSpaceCommander
    @TheRealSpaceCommander 2 years ago

    Well now I know what to get my friend for his birthday next month. This is gonna be fun.

  • @midnite59
    @midnite59 1 year ago +2

    6:01 Who thinks Linus is projecting about. “That one time” the channel turned into Tesla?

  • @bexhillbob
    @bexhillbob 2 years ago +6

    Hak5's stuff is great. They have some amazing tools.

  • @jamerperson
    @jamerperson 2 years ago +12

    Props to the Hak5 team. Great group of people

  • @tec4303
    @tec4303 2 years ago +8

    Wait, but how do we protect ourselves apart from not plugging in usb drives?

    • @anchorbubba
      @anchorbubba 2 years ago +4

      don't download shady shit lmao, make sure not to download optional packages included with installers

  • @tOSdude
    @tOSdude 2 years ago

    I know of one virus that spread through USB, I forget the exact name of it, but I had it both from a school computer and a mobile radio station computer.
    The way it worked was: if you inserted a USB drive, the computer had a background task running that would hide all your files/folders, and replace them with shortcuts that both opened the file, and opened the virus, spreading it to your machine and anything else you plugged into it.
    Luckily for me, AVG free was able to pick up the virus file on my drive the first time, so I was just stuck with shortcuts for icons (easily fixed with some cmd trickery). The second time I recognized what happened and removed it myself (lucky me I had autorun disabled and the virus couldn't run itself, for some reason).

  • @supercheetah0
    @supercheetah0 2 years ago

    At my workplace, the desktops had just the two USB ports for the keyboard and mouse enabled for just HID, and all others disabled. IT are the only ones that can get files off a flash drive using an isolated, disconnected machine with various malware scanners.

  • @pedraoherminio
    @pedraoherminio 2 years ago +11

    10:40 Remember kids safety first

  • @virgil81188
    @virgil81188 2 years ago +15

    Interesting use for automating your PC setup. Have you also tried UiPath process automation?! It can perform way more complicated stuff and it seems easier to set up than this rubber ducky stuff. Nice shoutout to the Konami cheat code, I'm a game dev :D

    • @henlofren7321
      @henlofren7321 2 years ago +1

      Why would anyone use an external device to run a setup script, especially one that is so limited? If you already have access to the computer, just put the payload on a regular flash drive and run it...

    • @KJ4EZJ
      @KJ4EZJ 2 years ago +1

      Or Ansible. This is a neat tool but, for businesses, there are much better options for imaging computers and setting up software. Most software can be baked into the ISO image.

  • @MaxRovensky
    @MaxRovensky 2 years ago +14

    You can configure any Arduino to act as a HID device, I had this idea some time ago but ofc there's a consumer product for this already 😃

    • @Max_Mustermann
      @Max_Mustermann 2 years ago

      Or a Raspberry Pi Zero.

    • @christopheroliver148
      @christopheroliver148 2 years ago

      @@Max_Mustermann A Pi Zero could also run a real programming language for the scripting. (Think LuaJIT)

    • @Max_Mustermann
      @Max_Mustermann 2 years ago

      @@christopheroliver148 Yes, It works pretty well with Python for example.

  • @BolognaPONYProduction
    @BolognaPONYProduction 2 years ago +2

    00:45 be honest, how long did that shot take?

  • @MrUltimategamer44
    @MrUltimategamer44 2 years ago

    This would be pretty fun to write a harmless script that forces a friend to listen to the entire duration of never gonna give you up before they’re allowed to use their computer again

  • @swytchyglytch
    @swytchyglytch 2 years ago +16

    I would love to see you do some in-depth vids on the rest of the Hak5 line. I've actually taken to using my old Mark V Pineapple as my IoT access system in my DMZ which lets me rain hell down on bot-net sweeps and the occasional budding hacker that war-drives by for crits and giggles lol.

    • @bro918
      @bro918 2 years ago

      can u translate those words

    • @christopherjc54
      @christopherjc54 2 years ago

      @@bro918 he use hacky tools to fight the big bad corporations

  • @Sillimant_
    @Sillimant_ 2 years ago +11

    Unlike other crime, this is the one that you can stop yourself falling for.
    NEVER plug in a USB that isn't yours

  • @MightyElemental
    @MightyElemental 2 years ago +4

    I'm very surprised the ducky doesn't just use an existing language

    • @shalokshalom
      @shalokshalom 2 years ago +2

      Might be because of the way it works. It sends signals, as a keyboard.
      The way you can program this, could be limiting.

    • @MightyElemental
      @MightyElemental 2 years ago

      @@shalokshalom Yeah... But they very easily could make a library for another language that handles all the timings and things. Creating a whole new language seems a bit far.

    • @MightyElemental
      @MightyElemental 2 years ago

      @Ian Visser that's not quite what I meant. I understand what this device does, but I don't see why a new language was required when a different language with a library would have sufficed. Sure it simplifies the scripting I guess, but it still seems like a lot of trouble rather than making a library.

  • @lukasbaumann8800
    @lukasbaumann8800 2 years ago +2

    VMs could totally be an option. I don't know about Windows, but on Linux using qemu you can pass an entire USB controller to a VM, so if you plug the ducky into a specific port it controls the VM

  • @FedericoTrentonGame
    @FedericoTrentonGame 2 years ago

    This USB stick saved my ass on my first job of manually setting up computers in every classroom, I could plug 2-3 PCs at the same time, log in and perform the routine task before lunch break in a single day

  • @Heeby-Jeebies
    @Heeby-Jeebies 2 years ago +5

    These things have SUCH a reputation for abuse, I actually didn't know what the original intended function was.

    • @CommodoreFan64
      @CommodoreFan64 2 years ago +1

      Linus said in the video it was to automate software installs as a system admin, insert the key into a Windows machine, and let it do its thing, while you walk away to work on something else without having to babysit a single machine for say 10 different pieces of software to install.

  • @pixelagent007
    @pixelagent007 2 years ago +8

    This is actually why a lot of businesses will prevent you from plugging in any keyboard except the "certified" ones. I think Active Directory even has a feature for that

    • @eduardobarreto5555
      @eduardobarreto5555 2 years ago

      @@GulfCoastGrit I wonder if there could be wireless PS/2 keyboard transceivers. After all, as far as the computer is concerned wireless USB peripherals are identical to wired ones.

  • @RulzSG
    @RulzSG 2 years ago +4

    10:27 Good good, now do guns.

  • @Felttipfuzzywuzzyflyguy
    @Felttipfuzzywuzzyflyguy 2 years ago +2

    Thank you for covering this! I know this is the newest release which is awesome!

  • @matthewjalovick
    @matthewjalovick 2 years ago +5

    Be right back, pre-ordering my RubberDucky… I mean… uhh for the purpose of setting up my printer… of course 😬

  • @dial-upking
    @dial-upking 2 years ago +6

    One time back in middle school my cousin found a flash drive on the school bus. This was well before I even knew what "computer security" meant. We plugged it into a PC to see what was on it. Luckily it didn't do anything. It was just FULL of prawn. Lots and lots of really hardcore prawn. We erased the drive and I gave it back to him and we never mentioned it to anyone.

  • @Sevent77
    @Sevent77 2 years ago +8

    Generally don't stick random USB devices into your PC, USB killers are a thing and as the name implies they can kill your PC.

  • @MrKevids
    @MrKevids 2 years ago

    My 2 favorite tech channels cross over? Hak5 was my fav in the past with Darren Kitchen and Snubs.... Now Linus is reviewing a Rubber Ducky key? Amazing!

  • @DaRocketGuy
    @DaRocketGuy 2 years ago

    I used a USB Rubber Ducky to automate my old job’s login process and open everything I needed without me sitting there for 10 minutes. I love those things

  • @super9mega
    @super9mega 2 years ago +5

    Never, EVER plug in any flash drive you find on the ground ever. Who knows what might be on it. Or what device it might emulate

    • @ScottCalvinsClause
      @ScottCalvinsClause 2 years ago

      I always do! To be fair, I have an extra shitty computer that is connected to nothing and am not afraid of losing anything on it. I'm not about to let some e-waste go to waste.

    • @ScottCalvinsClause
      @ScottCalvinsClause 2 years ago

      Also I pop them open first to check for caps

    • @Siegefya
      @Siegefya 2 years ago +1

      I had a college teacher do that to a USB stick I left in his class. It was basically empty with just a couple photos on it from when I was in the military I kept it around as a backup, and it fell out of my backpack...dude literally just plugged it into his computer to find out what student left it in his class. He found it and gave it back to me and told me "be careful you wouldn't want to lose one of those with important information on it". This professor was the school's lead as far as like...tech classes. He pretty much ran the IT department..this was at a community college.

    • @squishysam
      @squishysam 2 years ago

      @@ScottCalvinsClause What do you mean by "checking for caps"?

  • @tijl8090
    @tijl8090 2 years ago +3

    Please more Anthony and less everyone else??

  • @Jack-SecITGuy
    @Jack-SecITGuy 2 years ago +4

    PLEASE do the OMG Cable and the Flipper Zero!!!