What is it?
It's a device that can be connected to a PC and pretend to be a keyboard and mouse, allowing the user to trigger specific actions from a smartphone over Wi-Fi or Bluetooth.
What can you do with it?
Plug it into your friend's PC and, by pressing a button on your smartphone:
- :satellite: access a website
- :tv: play a YouTube video
- :capital_abcd: type pre-defined text of your choice
- :open_file_folder: download and execute a file
- :squirrel: exfiltrate files to Dropbox and Gmail
- :diamond_shape_with_a_dot_inside: move the mouse cursor
- :duck: run a ducky script
- and much more
Notable features
- Automatic OS detection, allowing it to work on Windows, Linux, and macOS.
- Built-in presets with funny/weird videos and images.
- Preview feature that shows which YouTube video, wallpaper or website will be launched on the target PC.
- Option to use alt+numpad combinations on Windows (to type correct characters regardless of system language)
- Language switching to match the language setting on the target machine without the need to reprogram the device. Supported settings are: Belgian, Brazilian, Canadian, Switzerland, Czech, German, Danish, Spanish, Finnish, French, UK, Croatian, Italian, Norwegian, Portuguese, Slovenian, El Salvador, US.
You can see how reliable some of these settings are here
- "Live text execution" checkbox <img src="https://raw.githubusercontent.com/michalmonday/files/master/supremeDuck/resources/repository%20stuff/readme_images/live_text.png" height="100">
Video
Review and presentation video thanks to:
Edit: Unfortunately Jack's YouTube channel got closed (because it had educational hacking videos).
Is it going to work on any PC and work instantly?
It was tested and worked well with Windows 10 :heavy_check_mark:, Windows 8 :heavy_check_mark:, Lubuntu 18.10 :heavy_check_mark: and Ubuntu 18.04 :heavy_check_mark: straight after plugging in. On macOS 10.12 :zap: it prompted the user to set up the keyboard; after that it worked well, see macOS setup for details. It is problematic on Windows 7 :zap: (the driver installation popup takes a long time and sometimes requires replugging the device; after that it usually works).
Implementation details
The smartphone application was made using "MIT App Inventor 2" and is open source. Initially the device was built with an Arduino Pro Micro and an HC-06 Bluetooth module. Currently it can also be built and used with an Esp8266 Wi-Fi module instead of the HC-06, using the same hardware setup spacehuhn used in wifi_ducky; see the guide for more details. It can also be built with JDY-10 and JDY-08 (BLE) modules (more details below).
Resources
- Application
- DIY guide - bluetooth version
- DIY guide - wifi version
- Documentation of Esp-12F (Wifi) based board
- Documentation of JDY-08 (BLE) based board
- Documentation of JDY-10 (BLE) based board
- Device types comparison (advantages and disadvantages of using Wifi/BLE/Bluetooth versions)
- OS specific functionality details
- List of updates
- :moneybag:Devices for sale:moneybag:
Future
According to the MIT App Inventor Team, it will soon be possible to run applications made using App Inventor on iOS, which means that the supremeDuck application will not be limited to Android only.
As of March 2021, it seems that the MIT App Inventor application is available for iOS (as mentioned in this article); however, there is no way to compile apps for iOS yet. As mentioned in this post, it will be possible when MIT finishes testing the iOS compiler.
Credits / thanks to / kudos
:star: HAK5 and :star: mame82 - the encoding for different languages used in this project is 99% based on their work. This project was created thanks to the long chain of people building on top of other people's ideas. If HAK5 had not popularized HID attacks with the Rubber Ducky, most projects like this would not exist. Thanks to the :star: authors of ducky scripts posted on HAK5Darren's page with payloads, this project is richer in features. Thanks to :star: Darren Kitchen for Dropbox Exfiltration and similar videos that all contributed in one way or another to this project.
:star: Seytonic - presented, in a series of YouTube tutorials, how to use a cheap Arduino Pro Micro as a "Rubber Ducky". It's worth mentioning that :star: Samy Kamkar also presented this kind of functionality with a Teensy in 2014.
:star: Dejan from howtomechatronics.com - thanks for the tutorials about using Arduino with bluetooth module and App inventor.
:star: Mr Jesse Vincent, who created FingerprintUSBHost, which makes it possible to recognize the operating system of the target machine. It is noteworthy that :star: gloglas used it in WifiDuckV2 (giving me the idea to use it too), which is a rewrite of :star: spacehuhn's wifi_ducky.
:star: JackkTutorials - thanks for presenting this project in a video.
:star: Taifun - thanks for the great App Inventor resources and extensions; this project uses a few of them.
:star: Mr Martyn Currey for the excellent BLE tutorial and resources.
Similar projects
Offensive MG Cables (O.MG) - the smallest of all publicly available wireless HID devices (based on espusb); resembles NSA tools in its compactness.
wifi_ducky - a very similar project to this one, but using a browser instead of an application.
WiFiDuck - the improved successor of wifi_ducky
Modified wifi_ducky versions - 4 different implementations.
ESPloitV2 - similar to wifi_ducky but has built-in exfiltration/phishing methods (browser based).
WiDucky - similar to wifi_ducky but has various ways of controlling it (Python, Windows program, Android app).
WHID - cheap board that can be used with various projects (e.g. wifi_ducky, ESPloitV2, supremeDuck).
WHID_elite - SMS based HID with neat exfiltration method, mousejacking and other features.
Bluetooth Rubber Duck - Digispark + HC-06 + application wireless HID.
The Darkwing Duck - Pro Micro + HC-06 + App inventor application wireless HID.
badusb.pw - I can't understand much but there are some relevant designs (of a board like WHID).