Inject keystrokes, set up a reverse shell, or install a payload to dump passwords, all from a distance.
This is a 3D printed Wi-Fi version of the well-known USB Rubber Ducky hacking device (featured in Mr Robot). It is a very powerful PEN test tool that bypasses common security protections since it is planted inside the network (requires some social engineering). I want to raise the awareness of this attack vector and encourage anyone to build it, test it and use it for good to improve security (white hat hacking).
This implementation uses a 3D printed circuit board that provides the following benefits:
- Quick and easy to build. (takes minutes to assemble)
- Using standard components that can be found at your local supplier. (or in your drawer)
- low cost (< $9) allows you to install several expendable units. (spray and pray)
- No need to wait for PCB delivery.
- Integrates the structure of the device.
- Compact since it stacks components in 3D. (44x30x11mm)
Credits to Darren Kitchen @ HAK5 for the original USB Rubber Ducky, and Stefan Kremser/ Spacehuhn for the WiFi version used in this build: “This is a tool. It’s neither good nor bad.
Use it to do good, to study, and to test. Never use it to do harm or create damage!”
- WeMosD1 mini, or clone (ESP8266 – without pin header). ~$3 on ebay
- Arduino pro micro 5V, or clone (ATmega32u4 – without pin header). ~$5 on ebay, $4 on Alibaba
- 3D printed circuit board (7g PLA)
- Micro USB sync cable (not charge cable) ~$1 on ebay
- Strands of copper wire 0.3mm
- 3D printer (FFF/FDM with PLA filament)
- Solder station with a narrow tip
- Basic tools: Needle- and cutting pliers, knife
- Computer to run Arduino IDE and upload firmware (using a Micro USB cable)
I wanted to test the Wi-Fi ducky and realised that I had all the parts needed at home . To keep it compact – I stacked the PCBs on top of each other and created a 3DPCB to separate and guide the connecting wires. The optional WS2812 LED was removed to keep the design as simple as possible.
I extended the unit in length to allow most part of the Wi-Fi antenna to operate freely instead of being dampened by the ground plane of the pro micro (This is the reason why the micro USB port of the WeMosD1 is not near the edge). First version worked great and this became one of those hacks where documentation took longer than the build ;)
Here is a step by step building instruction if you want to replicate the build
1. Print the 3DPCB
Print the core using a fff/fdm 3D printer. I used the following settings:
- 3D printer: I used Prusa i3 MK3S with 0.4mm nozzle
- Material: PLA
- Nozzle temperature: 210deg C
- Layer height: 0.2mm
- Infill: 20%
- Support: Yes
The printing time is just below one hour. While printing you can program the boards:
2. Program the two boards
- Download the Arduino code from: https://github.com/spacehuhn/wifi_ducky. You can also find a more detailed installation instruction there.
- Connect the Arduino pro micro, select board, port, compile and upload the corresponding firmware.
- Connect the WeMosD1, select board, port, compile and upload the corresponding firmware. Install possible missing libraries (I needed to install SimpleCLI)
3. Assemble the Ducky
- Remove 3Dprinted supports.
- Thread four wires through their channels. Start from the smaller pro micro. Each wire goes through three holes. Add some tension to ensure they are tightly routed and don’t protrude any surfaces.
- Thread four wires through the pro micro, put it in place and solder the wires from the backside of the Arduino board. Cut protruding wires.
- Thread four wires through the WeMosD1, add some tension and solder it in place. Cut protruding wires.
- Verify the build, ensure that the boards are firmly secured and that all solder joints look proper. Rework if anything looks funny.
- Connect the cable to the smaller pro micro board and connect it to your computer.
- Connect to the wifiduck WiFi network (password: wifiduck )
- Open a browser and visit http://wifi.duck or IP: 192.168.4.1
- Change SSID and password (optional, but recommended).
- Test this script to run hello world (on windows computers):
DEFAULTDELAY 200 ALT F2 GUI SPACE GUI r LEFT DELETE DELAY 100 STRING www.vonkonow.com ENTER
Visit Spacehuhn for detailed command descriptions and examples.
Note that microcontroller pads are exposed – do not place it on a conductive metal surface (since it might short circuit the device). Once tested you can wrap it with tape, heat shrink tubing or simply put it in the ESD bag that came with one of the microcontrollers.
Needless to say: This is an ethical hacking tool – I strongly disapprove of illegal activity and claim no responsibility nor liability for any use of this device.
Download project files
3D models for this project are available at this GitHub repository: https://github.com/vonkonow/3DPCB-Wi-Fi-Ducky
This project is open source under MIT License
(Attribution is optional, but appreciated /Johan von Konow ;)