In this case, the correct syntax for stealing a file called secrets.txt from a folder on the Desktop called TARGET to the USB Rubber Ducky (named SAD) would be:

    cp -av ~/Desktop/TARGET/secrets.txt /Volumes/SAD/

The man page for cp displaying various options.

When considering how to exfiltrate data, there were a number of tools I weighed, but for this proof of concept I focused on cp as it's very simple and easy to use. Often the hardest part of using USB mass storage is finding the drive, but macOS makes this nice and simple for us with the syntax in the cp command. macOS is particularly vulnerable to file grabbing because files are stored in predictable places, and it's easy to name your Rubber Ducky whatever you need to make your script work.

Robot, Angela uses a USB Rubber Ducky paired with Mimikatz to steal passwords from memory in Windows, writing the results back to the Ducky's USB Mass Storage.

Step 1: Using CP on macOS

The Twin Duck is one of the more popular firmware variants available, and a number of big-screen representations of the Rubber Ducky are actually running the Twin Duck firmware.
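
A defender's view of the cp command described above, as an added example that is not part of the original article: it scans process-execution records for cp invocations whose target is a mounted volume under /Volumes/ and whose source lies outside any mounted volume. The log format, the sample events, and the names find_copies_to_volumes, volume_of and BOOT_VOLUME are constructed assumptions.

```python
import shlex
from pathlib import PurePosixPath

# Constructed sample events, format "<time> <user> <command line>" (assumed).
SAMPLE_EVENTS = """\
2024-05-01T10:02:11 alice cp -av /Users/alice/Desktop/TARGET/secrets.txt /Volumes/SAD/
2024-05-01T10:03:40 alice cp notes.txt notes.bak
2024-05-01T10:05:02 bob cp -R "/Users/bob/Documents/tax 2023" /Volumes/BACKUP
2024-05-01T10:06:30 bob cp /Volumes/BACKUP/readme.txt /Users/bob/Desktop/
2024-05-01T10:07:15 carol cp -p /Users/carol/report.pdf "/Volumes/Macintosh HD/tmp/"
"""

BOOT_VOLUME = "Macintosh HD"  # assumption: default name of the boot volume


def volume_of(path):
    """Return <name> when path lies under /Volumes/<name>, else None."""
    parts = PurePosixPath(path).parts
    if len(parts) >= 3 and parts[:2] == ("/", "Volumes"):
        return parts[2]
    return None


def find_copies_to_volumes(log_text):
    """Return (time, user, volume, sources) for each cp onto a mounted volume."""
    hits = []
    for line in log_text.splitlines():
        try:
            fields = shlex.split(line)  # honours quoted paths with spaces
        except ValueError:
            continue  # unbalanced quotes: skip the malformed line
        if len(fields) < 3 or PurePosixPath(fields[2]).name != "cp":
            continue
        operands, options_done = [], False
        for arg in fields[3:]:
            if arg == "--" and not options_done:
                options_done = True  # everything after "--" is an operand
            elif arg.startswith("-") and not options_done:
                continue  # option such as -av or -R
            else:
                operands.append(arg)
        if len(operands) < 2:
            continue
        volume = volume_of(operands[-1])  # cp's last operand is the target
        sources = [s for s in operands[:-1] if volume_of(s) is None]
        if volume and volume != BOOT_VOLUME and sources:
            hits.append((fields[0], fields[1], volume, sources))
    return hits
```

Correlating each hit's volume name with the time a new USB device was attached narrows the results to copies made shortly after a drive appeared.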