Introduction to USB Wifi Attacks

The Wifi Ducky or Wifi Duck is a small stealthy device that hackers can use as an entry point into your network. These pentest devices work exceptionally well because they abuse the inherent trust computers place in USB devices, which can be plugged in without authentication. This vulnerability allows hackers to install backdoors, exfiltrate documents, and capture credentials.

Wifi Ducky Pentest Tool

The Wifi Duck, Hak5’s Rubber Ducky, and BadUSB attacks all work because they exploit a vulnerability that allows USB devices to operate as a human interface device (HID). Computers trust these devices because they mimic keyboards or mice. Once connected, this virtual keyboard can inject keystrokes into the unsuspecting user’s computer and discreetly execute harmful commands or inject malicious payloads.

Think of the Wifi Ducky as a Wifi-enabled version of a Rubber Ducky or BadUSB. Once the USB device is plugged into a target computer, the attacker connects to its Wifi from an attacking computer to deploy malicious payloads or launch an attack. This Wifi-enabled tool can infiltrate machines behind your firewall and network defenses. Keep in mind that the attacker can be in the same room, the office next door, or the parking lot.

Conditions

This type of attack does have several limitations:

  • Unlocked computer
  • Opportunity to connect Wifi Duck unseen
  • Well-written scripts
  • Knowledge of the operating system and tools available
  • Close proximity to connect to Wifi Ducky access point

Launching an Attack

Establishing a foothold into a victim’s computer is as simple as plugging in the USB device. The attack begins by plugging the Wifi Duck into an open USB port on a victim’s computer.

Allow a couple of minutes for the P4wnP1 to boot up and then connect to the Wifi Ducky access point from your attacking machine. For this example, we are using Kali Linux.

The default password is: quackquack.

Once connected, point your web browser to the Wifi Ducky’s main configuration screen at http://192.168.244.1/.

Wifi Ducky script repositories are available with a simple Google search. Most of these are ported from Rubber Ducky scripts because the configuration scripts are written in the Ducky Script language.

For example, the following code snippet opens PowerShell on the victim’s computer:

DELAY 100
GUI r
DELAY 100
STRING powershell
DELAY 100

All that is needed is a little bit of creativity to continue an attack.

Clicking on the Scripts tab loads available scripts and a place to upload your own scripts.

After spending a few minutes reading up on Ducky Script, we wrote this simple script to send a message to the screen of our Windows 10 victim machine.

When you are ready to deploy your script, click the Run button.

Over on the victim’s Windows 10 screen, the script launches Notepad and types in the following text.

This example uses a simple, harmless exploit that shows the open USB vulnerability. This tool can also launch and execute PowerShell commands, disable Windows Defender, encrypt your data, and serve as a foothold into your network.

How to Protect Against Wifi Ducky Attacks

This is a simple attack that ordinary good security policies can prevent. Along with common sense, consider these preventative measures:

  • Don’t allow anybody to plug a USB device into your computer
  • Educate users on USB devices
  • Use USB blocking software
  • Use Duckhunter, which watches for this type of attack by monitoring for keystrokes that are typed at superhuman speeds
  • Apply policies on least privilege to limit the scope of the attack
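
The keystroke-speed monitoring mentioned in the Duckhunter item above can be sketched as follows. This is an added example, not Duckhunter's code and not code from the original article; the class and function names, the 30 ms threshold, the 8-gap window, and the sample timestamps are all assumptions made for illustration.

```python
from collections import deque

# Assumed tuning values for this sketch, not taken from Duckhunter.
THRESHOLD_MS = 30   # a mean gap below this is treated as faster than human typing
WINDOW = 8          # number of recent inter-key gaps to average


class KeystrokeSpeedMonitor:
    """Flags bursts of keystrokes whose average spacing is implausibly short."""

    def __init__(self, threshold_ms=THRESHOLD_MS, window=WINDOW):
        self.threshold_ms = threshold_ms
        self.gaps = deque(maxlen=window)
        self.last_ts = None

    def observe(self, ts_ms):
        """Feed one key-down timestamp (ms); return True if injection is suspected."""
        if self.last_ts is not None:
            gap = ts_ms - self.last_ts
            if gap < 0:
                self.gaps.clear()  # clock went backwards: discard history
            else:
                self.gaps.append(gap)
        self.last_ts = ts_ms
        # Only judge once the window is full, so one fast key pair
        # (for example rollover typing) does not raise an alert.
        if len(self.gaps) < self.gaps.maxlen:
            return False
        return sum(self.gaps) / len(self.gaps) < self.threshold_ms


def first_alert(timestamps_ms, **kwargs):
    """Return the index of the first keystroke that triggers an alert, or None."""
    monitor = KeystrokeSpeedMonitor(**kwargs)
    for i, ts in enumerate(timestamps_ms):
        if monitor.observe(ts):
            return i
    return None


# Constructed sample data (not captured from a real device).
HUMAN = [0, 180, 310, 520, 640, 790, 1010, 1130, 1300, 1480, 1600]
# The same human typing, an idle pause, then 12 keys arriving 5 ms apart.
INJECTED = HUMAN + [4000 + 5 * i for i in range(12)]
```

In a real deployment the timestamps would come from an operating-system keyboard hook, and an alert would typically block further input or lock the session rather than only report.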