DroidDucky - Can an Android quack like a duck?

Intro

In this article, I’m going to present a way to perform Keystroke Injection attacks from a plain Android device. A keyboard is the main way of communicating between the user and the computer. Because of this special connection, computers always trust keyboards. Keystroke Injection takes advantage of this inherent trust. In short, whenever you connect a device claiming to be a keyboard, a computer will automatically recognize it and accept, without a doubt. How can a device claim to be a keyboard? Simple, using a universal specification called HID (Human Interface Device). It just has to enumerate itself as a Keyboard HID, and that’s it.

Have you ever heard of USB Rubber Ducky? It’s a quite simple and lovely piece of hardware that does just what I’ve described in the paragraph above. It quacks like a keyboard, so it must be a keyboard. You can check it out (or even purchase it) here.
Why is USB Rubber Ducky interesting for the sake of this article? It has a nice and simple scripting language (duckyscript), a big community, and lots of already written payloads.

In this article, I’ll explain how Android device can act as a keyboard, how to install the required driver, and how to use DroidDucky to execute duckyscript payloads. DroidDucky is a duckyscript interpreter written in Bash which brings all of ducky scripting goodness to Android. Also, I’ll provide some details of DroidDucky implementation.

Android device as a HID Keyboard?

Turning an Android device into a HID keyboard (or a mouse, or even a joystick) is possible because of the great developer(s) of an open-source driver called android-keyboard-gadget. The driver adds two new devices called /dev/hidg0 (keyboard) and /dev/hidg1 (mouse) which accept raw keyboard/mouse events and can be easily used with standard system calls. The nicest thing, of course, is that it emulates a HID so neither drivers nor installations are necessary on the computer. It can be used even in BIOS and bootloader mode. It’s truly plug and play. Since it’s a custom driver, it has to be embedded in the kernel, and, unfortunately, not all Android devices are supported out-of-the-box yet. Guides on compiling, embedding and using a custom kernel are available on the project page as well, and so is a list of currently supported devices. Just a thing to note, installing a custom kernel usually requires unlocking your device’s bootloader and rooting, so it’ll probably void your warranty.

Using the driver

The basic idea would be to send raw keyboard/mouse events to newly created devices using write() system call. Fortunately, android-keyboard-gadget project also provides a lovely little utility called hid-gadget-test that supports scripting and makes the usage a whole lot easier. The DroidDucky duckyscript interpreter I’m using is a wrapper around this utility.

The interpreter

Implementation

DroidDucky is just a simple Bash script. The syntax is based on duckyscript’s documentation and it should be fully compatible with duckyscript codes, even with some undocumented features. I’ve personally tried a couple of payloads available online and it worked without an issue. The list of supported commands and a basic usage tutorial can be found here. (courtesy of hak5darren)

Developing a full Android application based on DroidDucky to simplify the whole process is a possibility I’m currently working on.

Payload files

A file that contains payload code must have Unix line endings, otherwise the script can get buggy. In fact, if it is buggy, this is the first thing to check. Extension of the payload files is not important.

Usage

In order to use DroidDucky you have to have some kind of Android terminal emulator application. Lots of them can be found on the Play Store (both free and paid). I’m currently using JuiceSSH, and I can recommend it.

Syntax is quite simple. Just run droidducky.sh with payload file name as the first argument. Make sure that droidducky.sh has execution permission.

Example:

bash droidducky.sh payload.dd

Code

DroidDucky is, of course, an open-source project. The whole code can be accessed at my github repository.

Demonstration

Payload code:

REM Loading payload code.
GUI r
STRING cmd
REM Opening command prompt.
ENTER
DELAY 100
REM Sending the message.
STRING Hello World! I'm in guys.


Running the payload

Command prompt open

Edit: Video demonstration

Possibilities

How many times have you seen a computer with a user logged in with no one around? I’m guessing a lot. The possibilities are just endless. Whether is it just playing a prank on your friends like changing their background or rebooting their PC, to running reverse shells or meterpreter. It’s really up to you. Plug in the USB, start the payload and, with typing speed only limited by USB cable’s bandwidth (more than 1000 words per minute), you’ll be done in no time. You can find lots of payloads here. Other resources are available online.

Outro

Please note that this article does not, in any way, support illegal activities while using DroidDucky.