Specific Ducky

Difficulty: Medium | Category: Digital Forensics

Overview

An employee found a USB drive in the parking lot and plugged it into his work PC. The drive ran some unusual code, but for some reason it didn't accomplish much. Can you find the domain that it tried to contact? Flag format: flag{*****************.******.**}

Lab Details

Prerequisites & Requirements

  • Protocol Analysis: Proficiency with Wireshark, specifically filtering URB (USB Request Block) traffic and HID report descriptors.
  • USB HID Specifications: Fundamental understanding of usage pages and how keyboard scan codes are mapped to characters.
  • PowerShell Analysis: Ability to deobfuscate and refactor scripts that use the -bxor operator and system-level environment variables.
  • Environmental Keying: Understanding how malware uses system metadata (like Keyboard Layout IDs) as cryptographic seeds to evade sandboxes.

What will you learn?

  • HID Forensics: Programmatically extracting and parsing raw USB interrupt data to reconstruct attacker keystrokes.
  • Keystroke Injection Analysis: Identifying "Rubber Ducky" style attacks and recovering the automated payloads they inject.
  • Cryptographic Recovery: Identifying logical errors in PowerShell scripts and performing a dictionary-based brute-force attack against LCIDs (Locale IDs).
  • C2 Discovery: Recovering hidden Command and Control (C2) domains from encrypted stage-1 payloads.

Tools

  • Forensics: Wireshark (USBPcap)
  • Automation: Python (with pyshark for automated packet parsing)
  • Reference: Microsoft MSDN (Keyboard Layout and HID Usage tables)
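As an added worked example (not part of the lab's files or the author's solution), the Python script below strings together the two recovery steps listed under "What will you learn?": decoding boot-protocol USB HID keyboard reports back into keystrokes, then trying a short dictionary of Locale IDs as the -bxor key of an encrypted stage-1 string. The sample reports, the candidate LCID list, the key derivation (the LCID as a decimal string) and the URL check are all assumptions made for this example; the lab's real script may derive its key differently, so adjust `lcid_key` to match what you read out of the deobfuscated PowerShell.

```python
"""Added example: rebuild keystrokes from USB HID keyboard reports, then
recover an LCID-keyed XOR payload by trying known Locale IDs.
All sample data here is constructed for the example; the key derivation
(LCID as a decimal string) is an assumption, not the lab's real script."""
import re
import string

# USB HID usage IDs (keyboard/keypad page 0x07) -> (unshifted, shifted).
# Letters are 0x04-0x1d (a-z); digits are 0x1e-0x27 (1-9, then 0).
_LETTERS = {0x04 + i: (c, c.upper()) for i, c in enumerate(string.ascii_lowercase)}
_DIGITS = dict(zip(range(0x1E, 0x28), zip("1234567890", "!@#$%^&*()")))
_OTHER = {
    0x28: ("\n", "\n"), 0x2B: ("\t", "\t"), 0x2C: (" ", " "),
    0x2D: ("-", "_"), 0x2E: ("=", "+"), 0x2F: ("[", "{"), 0x30: ("]", "}"),
    0x31: ("\\", "|"), 0x33: (";", ":"), 0x34: ("'", '"'), 0x36: (",", "<"),
    0x37: (".", ">"), 0x38: ("/", "?"),
}
HID_KEYMAP = {**_LETTERS, **_DIGITS, **_OTHER}
MOD_SHIFT = 0x02 | 0x20  # left/right Shift bits of the modifier byte
MOD_GUI = 0x08 | 0x80    # left/right GUI (Windows) key bits


def capdata_to_bytes(capdata: str) -> bytes:
    """Parse the colon-separated hex Wireshark shows as usb.capdata (in pyshark,
    pkt.usb.capdata on URB_INTERRUPT in packets coming from the device)."""
    return bytes.fromhex(capdata.replace(":", ""))


def decode_reports(reports) -> str:
    """Reconstruct typed text from 8-byte boot-protocol keyboard reports.

    Byte 0 is the modifier bitmap, byte 1 is reserved, bytes 2-7 hold up to
    six pressed usage IDs. A key is emitted only when it first appears, so a
    key that stays down across consecutive reports is not duplicated; an
    all-zero report is the release that resets the state.
    """
    out, previously_down = [], set()
    for report in reports:
        if len(report) != 8:
            continue  # not a boot keyboard input report (e.g. an LED output report)
        modifiers = report[0]
        down = {k for k in report[2:8] if k}
        for key in sorted(down - previously_down):
            if key not in HID_KEYMAP:
                out.append(f"<0x{key:02x}>")  # unmapped key: keep it visible
                continue
            plain, shifted = HID_KEYMAP[key]
            if modifiers & MOD_GUI:
                out.append(f"<GUI+{plain}>")  # e.g. GUI+r, the Run-dialog shortcut
            else:
                out.append(shifted if modifiers & MOD_SHIFT else plain)
        previously_down = down
    return "".join(out)


def decode_capture(capdata_lines) -> str:
    return decode_reports(capdata_to_bytes(line) for line in capdata_lines)


# Constructed sample reports in usb.capdata form; they type "<GUI+r>Hi!" + Enter.
SAMPLE_CAPDATA = [
    "08:00:15:00:00:00:00:00",  # GUI + r
    "00:00:00:00:00:00:00:00",  # release
    "02:00:0b:00:00:00:00:00",  # Shift + h -> 'H'
    "02:00:0b:00:00:00:00:00",  # same key still held: must not repeat 'H'
    "00:00:00:00:00:00:00:00",
    "00:00:0c:00:00:00:00:00",  # i
    "00:00:00:00:00:00:00:00",
    "02:00:1e:00:00:00:00:00",  # Shift + 1 -> '!'
    "00:00:00:00:00:00:00:00",
    "00:00:28:00:00:00:00:00",  # Enter
    "00:00:00:00:00:00:00:00",
]

# Small dictionary of Windows LCIDs to try:
# en-US, en-GB, de-DE, fr-FR, es-ES, ja-JP, ru-RU, es-MX.
CANDIDATE_LCIDS = [1033, 2057, 1031, 1036, 3082, 1041, 1049, 2058]
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?:/\S*)?")


def lcid_key(lcid: int) -> bytes:
    """Assumed derivation: the LCID's decimal string, as a script that feeds
    (Get-Culture).KeyboardLayoutId into -bxor might use it."""
    return str(lcid).encode()


def xor_with_key(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_c2(ciphertext: bytes, candidates=CANDIDATE_LCIDS):
    """Try each LCID as the XOR key; accept the first result that is a
    well-formed URL. A bare 'is it printable?' check is not enough: LCID
    strings differ in only a few low bits, so wrong keys yield printable junk."""
    for lcid in candidates:
        guess = xor_with_key(ciphertext, lcid_key(lcid))
        try:
            text = guess.decode("ascii")
        except UnicodeDecodeError:
            continue
        if URL_RE.fullmatch(text):
            return lcid, text
    return None


# Constructed ciphertext: a placeholder stage-1 string XORed with the de-DE
# LCID (1031), deliberately not the first candidate in the list.
SAMPLE_CIPHERTEXT = xor_with_key(b"http://stage1.example.invalid", lcid_key(1031))

if __name__ == "__main__":
    print(repr(decode_capture(SAMPLE_CAPDATA)))
    print(recover_c2(SAMPLE_CIPHERTEXT))
```

On a real capture, filter in Wireshark on interrupt transfers from the keyboard's endpoint and feed each packet's usb.capdata string to `decode_capture`; the unmapped-key and GUI tokens stay visible in the output so that non-printing keys in the injected script are not silently lost. For the second step, the acceptance test is the part to get right: the lab's logic flaw makes the key space small, but the shared decimal digits in LCID strings mean most wrong keys still produce printable text, so validate against what the plaintext must look like (a URL or domain) rather than against printability alone.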

Job Positions

Digital Forensics Analyst

Tags

Wireshark, Packet Capture, Network Forensics, USB Device History, OS Artifacts