Re: DIY Rubber Ducky or HID Input stick

Kempy · ‎11-18-2018

I built a prototype device so I could make very long password entry easier, the device just used bluetooth to a mobile app, but the magic took place in a leonardo chip that spoke HID over usb. This allowed me to replay a sequence of keys to unlock a workstation.

I never went into the rubber ducky use case, but effectively any key sequence you would have to invoke to infect a system can also be replayed.

The article is here REF:http://www.blogsploit.co.uk/2018/01/project-bluepass-easy-password-entry.html

solhuebner · ‎11-18-2018

It seems like a fun project. Thanks for sharing 🙂

Nobody · ‎11-19-2018

Nice project. Thanks for sharing. Did something similar but was a RFID implmenetation instead of BT.

https://gmgolem.wordpress.com/2014/06/11/rfid-password-keeper-adapts-to-usage-scenarios-to-emit-pass...

Cheers,
Dennis

Kempy · ‎11-19-2018

I like it, I have an RFID version 😊 however I chose to keep the secrets on the smartphone.

Nobody · ‎11-20-2018

With you, keeping secrets on phone is neat. Just that personally i do find it more convenient to swipe card to login just as natural to opening the office locked doors 😉

Also agree with you smartphones give better versatility. While attempting to add TOTP feature, the dilemma between giving up the name card holder form factor to add RTC chip and coin cell battery holder, or some unholy powershell script was a hard choice. I ended up succumbed to the easier scripting solution to feed the MCU with a timestamp via serial. With a smartphone talking bluetooth, TOTP should be a piece of cake.