Skip to content

Latest commit

 

History

History
145 lines (87 loc) · 6.46 KB

README.md

File metadata and controls

145 lines (87 loc) · 6.46 KB

Rubber-Nugget

Deploy up to 5 different Duckyscript payloads with an S2 Wi-Fi Nugget

S2 Nugget

GitHub code size in bytes GitHub license GitHub contributors GitHub commit activity GitHub Repo stars

This is a port of the Pico-Ducky project by Dave Bailey (dbisu, @daveisu), converted to run on the S2 Wi-Fi Nugget

You can buy one here: (https://retia.io/products/wi-fi-nugget-s2-nugget-esp32s2).

Major changes:

To hide the USB drive, hold the DOWN button when plugging in the S2 Nugget and release when the menu face appears.

To auto-inject payload.dd, hold the RIGHT button when plugging in the S2 Nugget.

Once the menu face appears, you can run any one of 4 duckyscript payloads:

  • press the UP button to run payload1.dd
  • press the DOWN button to run payload2.dd
  • press the LEFT button to run payload3.dd
  • press and the RIGHT button to run payload4.dd

To add new payloads, replace the payload.dd files on the CircuitPython drive.

Install

Install and have your USB Rubber Nugget working in less than 5 minutes.

  1. Download CircuitPython for the S2 Mini. *Updated to 7.0.0

  2. Plug the device into a USB port while holding the RESET button, click the 0 button, then release the RESET button. It will show up as a removable media device named S2MINIBOOT.

  3. Copy the downloaded .uf2 file to the root of the S2 Mini (S2MINIBOOT). The device will reboot and after a second or so, it will reconnect as CIRCUITPY.

  4. Download and extract the .ZIP file for this project on your computer.

  5. Copy the following files and folders to your Nugget: code.py, boot.py, lib, faces, payload.dd, payload1.dd, payload2.dd, payload3.dd, payload4.dd

  6. Find a script here or create your own one using Ducky Script and save it as payload1.dd in the S2 Nugget. You can add to 4 payloads the same way, adding a number to each payload file name.

  7. If you want device to load in stealth mode, hold the down button when plugging in your Nugget to prevent the USB drive from appearing.

Attack mode

To edit a payload, setup mode is entered automatically when inserted. You can deploy a payload at any time by pressing one of the 4 payload buttons.

If you want to inject a script with maximum speed, hold the RIGHT button down when inserting your S2 Nugget into the target computer.

This will cause payload1.dd to be automatically injected as soon as the S2 Nugget is powered up.

USB enable/disable mode

If you need the S2 Nugget to not show up as a USB mass storage device for stealth, follow these instructions:

Hold the DOWN button when plugging in your S2 Nugget. It should load the menu and inject payloads, but not appear as a USB device.

Reset the board without holding down the button to make the device appear as a USB drive again.

Changing Keyboard Layouts

Copied from Neradoc/Circuitpython_Keyboard_Layouts

How to use one of these layouts with the RubberNugget repository.

Go to the latest release page, look if your language is in the list.

If your language/layout is in the bundle

Download the py zip, named circuitpython-keyboard-layouts-py-XXXXXXXX.zip

NOTE: You can use the mpy version targetting the version of Circuitpython that is on the device, but on the S2 Nugget you don't need it - they only reduce file size and memory use on load, which the S2 Nugget has plenty of.

If your language/layout is not in the bundle

Try the online generator, it should get you a zip file with the bundles for yout language

https://www.neradoc.me/layouts/

Now you have a zip file

Find your language/layout in the lib directory

For a language LANG, copy the following files from the zip's lib folder to the lib directory of the board.
DO NOT modify the adafruit_hid directory. Your files go directly in lib.
DO NOT change the names or extensions of the files. Just pick the right ones.
Replace LANG with the letters for your language of choice.

  • keyboard_layout.py
  • keyboard_layout_win_LANG.py
  • keycode_win_LANG.py

Don't forget to get the adafruit_hid library.

This is what it should look like if your language is French for example.

CIRCUITPY drive screenshot

Modify the RubberNugget code to use your language file:

At the start of the file comment out these lines:

from adafruit_hid.keyboard_layout_us import KeyboardLayoutUS as KeyboardLayout
from adafruit_hid.keycode import Keycode

Uncomment these lines:
Replace LANG with the letters for your language of choice. The name must match the file (without the py or mpy extension).

from keyboard_layout_win_LANG import KeyboardLayout
from keycode_win_LANG import Keycode

Useful links and resources

Docs

CircuitPython

CircuitPython HID

Ducky Script

Video tutorials

pico-ducky tutorial by NetworkChuck

USB Rubber Ducky playlist by Hak5

CircuitPython tutorial on the Raspberry Pi Pico by DroneBot Workshop