
Real-World Rubber Ducky Attacks with Empire Stagers - sc0tfree
https://www.sc0tfree.com/sc0tfree-blog/optimizing-rubber-ducky-attacks-with-empire-stagers
======
vuln
If you're going to get close enough to the machine to interface with it, I
would rather use PoisonTap[1], which tricks the machine into routing everything
through the PoisonTap and adds semi-persistence with the use of cached
backdoors.

Some will say, 'Well, what if the corporation uses a web proxy like Blue Coat?'
There is a simple workaround: you go buy a domain that is already categorized
as something like 'Business/Economy', which most corporations allow.

[1][https://samy.pl/poisontap/](https://samy.pl/poisontap/)

~~~
616c
This combined with cloud fronting is all the rage in pentest write-ups now.

[https://www.mdsec.co.uk/2017/07/categorisation-is-not-a-security-boundary/](https://www.mdsec.co.uk/2017/07/categorisation-is-not-a-security-boundary/)

------
pavel_lishin
These all rely on a user being logged in, right? So the Watergate approach
doesn't seem as useful, unless the machines are unlocked by default.

~~~
dmurray
There's a delay command, so you can plug it in, ideally to a USB port that is
out of sight, and have the attack execute itself the next day.

~~~
LeifCarrotson
More precisely, it's using the Windows schtasks (1) tool. You can unplug the
USB device, and it will still run not only the next day, but every day.

(1) [https://msdn.microsoft.com/en-us/library/windows/desktop/bb736357(v=vs.85).aspx](https://msdn.microsoft.com/en-us/library/windows/desktop/bb736357\(v=vs.85\).aspx)

~~~
dmurray
You can trigger that from the keyboard while the computer is locked?

