The USB Rubber Ducky
Edit: This tool was featured on a Hak5 episode (http://hak5.org/episodes/hak5-1716). To the Hak5 guys, thanks for the kind words!Â
Guys, gals, and inbetweeners, please feel free to jump in and fork the project or contribute by sending in some pull requests. Authentication, and some other security features for safer external access would be awesome and I just don't have the time to extend this at the moment.Â
---
I finally purchased a USB Rubber Ducky from Hak5. The USB Rubber Ducky is a Human Interface Device (HID) attack tool, which essentially emulates a user sitting at a keyboard. All in all, the tool is easy to set up and use. It seems to sometimes skip keys on my virtual machine running Windows but that issue seems to be due to the performance of the guest in general. I haven't encountered any issues on machines with decent specs.
One gripe I had was that the encoder is built on Java. My Android device, like many (or all?) Android devices, does not use a full fledged version of Java which means I can't encode my scripts in the middle of an engagement to 're-flash' the duck unless I had my PC with me. After some googling I found an online encoder, however, I was uncomfortable with using a bin file generated by a third party on my clients' machines and I was also uncomfortable with the idea of posting my mail and ftp credentials on a third party site if they were a part of my scripts - after all, what kind of security professional would I be if I just *gave away* my own passwords?!
I decided that the best thing to do would be to roll my own online encoder (pictured below).
It is essentially a web app based wrapper for the hak5 encoder which lives on a computer at home. It gives you the ability to upload a script and download a replacement inject.bin file based on that script. After spending a few minutes configuring my router to forward a dyndns address to this server I could access this tool to encode my ducky scripts from my Android phone and tablet anywhere in the world without sacrificing my privacy or risking third party compromise of my clients' systems.
It is easy to set up, and I welcome any and all to install a local instance of this app for their own use.
You can find it here:Â https://github.com/tresacton/DuckEncoder
Enjoy :)