We’ve seen several Security-based hardware projects from Koko (@justcallmekoko) in the past, including the Masterkey keylogger which we explored a few days back. Looking through his projects on GitHub today, I stumbled on another security-based project called the Tinyduck.
A cheap alternative to the popular Rubber Ducky, the Tiny Duck is an Attiny85 microcontroller-based pentest tool that comes in the form factor of a thumb drive, poses as a keyboard to the host computer, and allows the user inject keystrokes at high speeds.
Like the Rubber Ducky and its application in the Mr. Robot series, the tiny duck can be used to execute keystrokes to install backdoors, exfiltrate documents, or capture credentials. It will execute a prewritten script of keystrokes on a target computer as though it were a keyboard so whatever you can do with a keyboard, you can do it faster with the tiny duck and some imagination.
While a lot of similar projects exist on the internet, the goal behind Koko’s project was to make the device as small as possible, and the results speak for itself, as the tiny duck is just about the size of what one could call an overgrown fingernail.
The Tinyduck device works the same way as the Digispark Attiny85 board, right down to the bootloader. So for users who already have the Arduino IDE Set up to work with the Digispark board, the firmware upload process should be quite straightforward. However, the Github page contains guides to set the device up on Arduino IDE, for those who need it.
Like the Rubber Ducky itself, the Tinyduck’s firmware is developed using Ducky Script, which is a straight forward scripting language used to create keystroke injection binaries to be run on the original USB Rubber Ducky. However since the Tinyduck requires the Arduino IDE for firmware upload and Ducky Script is not represented by the IDE, users will have to use one of the several community-developed tools like digiQuack which helps translate Ducky Script into Arduino Code with Digispark specific libraries. Instructions for the conversion process is also available on the Github page.
Speaking on the device’s usage, Koko wrote:
“Tinyduck is intended to be a fire and forget device. Once inserted into a computer, Tinyduck will execute its preprogrammed functions without any needed user intervention. Because of the required USB support, Tinyduck will take 5 seconds to run through the micronucleus bootloader before proceeding to its main code execution”.
More information on the device and guides to building your own version of it can be found on the project’s Github page here.