• Jess Bishop

Project Title: OH NO! Covert Lipstick Pico-Ducky

This writeup is intended for educational purposes only.



Introduction:

Several people in the security industry have heard of the Hak5 Rubber Ducky. For those who haven’t, or who aren't in the industry, it’s a bad USB that can be purchased from Hak5 and can be loaded with scripts of your choosing. The target computer will recognize it as a keyboard instead of a USB device and is more likely to trust it than a USB. It can be used for a huge variety of projects from harmless pranks to much more malicious password and credential stealing, malware, virus, worms, and the works.

While this device can be used maliciously, it can also be used for offensive security purposes such as physical penetration tests and compromises. It is a very cool product. Unfortunately, experimentation with this product can be expensive.

In looking for more videos on the Rubber Ducky, I stumbled upon Network Chuck’s video titled, “bad USBs are SCARY!! (build one with a Raspberry Pi Pico for $8.)” I decided this project was in the right price range for me!

Following the tutorial by both Network Chuck and dbisu’s GitHub repository and modifying script from Hak5’s Rubber Ducky page, I made this project.


 

Part 1 - The Pico-Ducky

Supplies needed:

· Raspberry Pi Pico

· USB 2.0 A-Male to Micro USB B adapter

Since Network Chuck made his video in August of 2021, dbisu has updated the pico-ducky instructions. I first watched Chuck’s video a few times, then followed the instructions on the GitHub. Here are the links to those resources:

Network Chuck: https://www.youtube.com/watch?v=e_f9p-_JWZw

dbisu’s GitHub: https://github.com/dbisu/pico-ducky

The following instructions from dbisu’s GitHub were followed. In dbisu’s instructions, the setup mode warning was originally the last step. I move it to step seven and moved the payload script to step 8.

1. Download CircuitPython for the Raspberry Pi Pico. *Updated to 7.0.0

2. Plug the device into a USB port while holding the boot button. It will show up as a removable media device named RPI-RP2.

3. Copy the downloaded .uf2 file to the root of the Pico (RPI-RP2). The device will reboot and after a second or so, it will reconnect as CIRCUITPY.

4. Download adafruit-circuitpython-bundle-7.x-mpy-YYYYMMDD.zip here and extract it outside the device.

5. Navigate to lib in the recently extracted folder and copy adafruit_hid to the lib folder in your Raspberry Pi Pico.

6. Click here, press CTRL + S and save the file as code.py in the root of the Raspberry Pi Pico, overwriting the previous file.

7. Put the pico-ducky in setup mode, the device will reboot and after half a second, the script will run. Follow instructions below step 8 or go to link to go to setup mode.

8. Find a script here or create your own one using Ducky Script and save it as payload.dd in the Pico.

Note: If you notice that your text file is still being read as a text file even after changing it in “save as”, recheck your file. When I did this initially, it still saved as a text file. Make sure you change the “.txt” extension to “.dd” and don’t accidentally click on the old file name.



Screenshot of saving the file correctly

Putting the pico-ducky in setup mode

As dbisu pointed out, the device will reboot and the script will run on your computer. You can stop this from happening by putting the pico-ducky into setup mode.

To do this, I connected pin1 (GP0) to pin 3 (GND). This mode will also allow you to edit what’s on your pico-ducky.



These are the correct pins

Payload I Chose

In Network Chuck’s video, he chose the RickRoll script for his project. This script is cool. It simultaneously plays the RickRoll on the target computer and turns the volume up to full blast, ignoring a user’s attempt to turn it down.

I am going to work at modifying the RickRoll script to play a different song. For now, YouTube is the simplest way to play what I wanted. For that, I chose the YouTube Roll. The original script is as follows:



Screenshot of Payload youtube roll on Hak5’s GitHub page

I tested the above script, and although the video played on YouTube, it did not go full screen. I realized I was not accounting for my slow computer. I increased the delay to 10000 to overcome this.

Instead of playing the above video, I wanted the computer to play Capone’s version of “Oh No” on a long loop. I also wanted the YouTube player to turn the volume up. To accomplish this, I changed the string in the original script to match the URL of the video I wanted. I also tested how times I needed to press the “UP” arrow key to get the player to maximum volume. It is 20.

NOTE: If YouTube is set to “mute” the volume portion of the script will not work.

This is my modified script:



My script modified from Hak5’s YouTube Roll

One thing I do not care for with the YouTube roll is all the ads that YouTube now includes with videos. While it would still be annoying to have loud ads play, some of the ads can be 30 minutes long. Additionally, some of the ads have long silence at the end prior to playing another ad or going to the video.

There is a way to get YouTube to play without ads. To do this, you modify the URL to include a dash after the t. Like so: https://www.yout-ube.com/watch?v=kCVYHm4346c&t=69s.

However, doing this does not allow for auto play of the video.


Additional Experiments:

I modified the script by copying and pasting the script an additional 5 times because I wanted to see how annoying it would be to have multiple tabs pop up playing the same video. As I guessed, it was super annoying. Although I didn’t go as far to test this as a loop, I believe that looping it nonstop would cause the computer to crash or freeze.


Additional Future Projects:

Dbisu’s page gives instructions on how to make the pico-ducky not appear as a storage device on a computer. I didn’t follow it for this project, but will do so for future projects.

There are a huge number of projects to choose from on Hak5’s page: https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads


 

Part Two - Creating the Case



Original Lipstick prior to turning into a Pico case

The most difficult part of this project was creating the case for the Pico. It would have taken much less time to just buy a case, but where’s the fun in that?

The case was made from a lipstick tube, 2 pieces broken off of hair clips, and 2 magnets.

Tools used for project include:


  • safety goggles

  • box cutter

  • hack saw

  • pliers

  • dish soap

  • small toothbrush

  • cotton swabs

  • Dremel,

  • 1/8” Carbine Grout removal bit for Dremel

  • file (not the computer type. The tool type for filing down rough edges)

  • canned air

  • spray paint

  • paint brush

  • small dish or paint palette

  • E6000 Industrial Strength Adhesive

  • 2 additional magnets besides the 2 used for the actual case

  • lots of patience


First Part – Getting the Top Off

I initially thought that getting the top part of the lipstick tube off would be as simple as taking a heavy-duty pair of pliers and brute-forcing it. This did not work. I came to the realization that there was a good chance that the tube was a single piece. I wanted to get the top off as clean as possible. I did this using a box-cutter to create a small ridge around the top of the tube and using a hack saw to gently saw the top off.



After the top was loosened enough, I used a pair of pliers to pull the top portion of the tube off.



When the top was off, I cleaned out the inside of the lipstick tube with dish soap and water and scrubbed it with a small toothbrush and some cotton swabs.

I was disappointed to find, after cleaning it out, that the tube was painted the same color as the lipstick, making it appear as though the tube was full of lipstick. This makes me wonder how much is really included in a full tube of lipstick.

Not pictured is how I modified the lid. I used a pair of needle nose pliers to remove all parts from the interior of the lid.


Modifying the Tube to Allow for Fit

As you can see, the Pico was too large for the tube.



To modify the tube so the Pico would fit, I used a Dremel with a 1/8” Carbine Grout removal bit.

The plastic in this lipstick tube was amazingly strong and difficult to file down. I made sure I wore safety goggles for this part. The plastic also got very hot, so I had to make sure I used the Dremel at an extremely low speed to keep the plastic from both melting and burning me.



Every now and again I had to stop and use the canned air to blow all the particles out of the tube and see if it was filed down small enough to fit the Pico and the USB Adapter.



When done, the Pico fit very nicely inside the tube. The downside was that it was very obvious that there was something besides lipstick in the tube.



Disguising Dremel Damage:

To disguise the damage done by the Dremel, I decided to paint match the best I could. I decided to use spray paint because of its durability. To match this color, I used a mixture of Rusto-Oleum’s Painter’s Touch 2x Ultracover in Satin Sweet Pea and Krylon’s Colormaxx Satin Burgundy.



Initially the paint didn’t appear to be a close match. I allowed it to dry for a few hours and checked it again. At this point, it was close enough of a match to work for the project.


Stripping the USB Adapter

I knew I would use a USB adapter so that the Pico-Ducky would be able to plug into a computer. Although it may have been easier just to include an additional cable in a purse or bag to use, I wanted everything to be in one spot. I settled on a mini-USB to USB 2.0 adapter.



Unfortunately, the adapter would not fit as is. I decided to try and modify it.

To modify it, I used the box knife to cut the black rubber material from the outside of the adapter. I wasn’t sure what I would find inside.



Unfortunately once stripped, I found the wires for the adapter enclosed in a hard plastic. I would not be able to remove the plastic without damaging the adapter.



I connected it to the Pico. It would not fit into the cap of the lipstick tube though. Luckily, there is enough room inside of the lipstick tube to fit both the Pico and the adapter perfectly.


Attaching the Lid to the Modified Tube

The part of the project that took me longer than all the rest of the project combined was finding a way to make the lid attach back to the tube itself.

The plastic on this lipstick tube is incredibly difficult to work with. It’s extremely hard. The top of off, after modifying it, it was too thin to create slits in to attach anything. I tried hinges, I tried various hardware metals. Nothing was solid yet flexible enough. The Industrial Adhesive was just not bonding to the two different surfaces either.

Eventually I decided to try pieces of metal from hair clips in the tube and used magnets in the lid.



This brings up a point I had to research. I wasn’t sure if the magnets would damage anything I was working with. Through multiple forums and websites, it appeared as though magnets would have no effect on the Pico.

For the tube, I used the E6000 Industrial Adhesive and made sure to get enough in there that it would encase the metal from the hair clips but wouldn’t take up any extra space.



Lipstick tube with hair clip pieces glued in. Lid awaiting magnets.

For the lid, I needed to use 4 magnets total. Two were glued inside the lid. I discovered through trial and error that two needed to be used on the outside of the lid to keep the magnets on the inside from flying out of the adhesive and sticking to one another.


Finished Product

After cleaning up the glue, the Pico-Ducky was finally finished! While it isn’t as pretty as I would like it, were I to use it in real-life I would go back and touch up the paint and add some detail to the lid so that it would look more convincing. On the other hand, if someone were to look inside a purse or makeup bag, it looks convincing enough to look like a well-used tube of lipstick and nobody would want to do anything with it.

It is also fairly sturdy. With enough shaking the lid would come off. But from initial testing, the lid stayed on while I held the tube upside down and shook it vigorously.







Conclusion:

This project was very fun to make and experiment with. I look forward to experimenting more with Ducky Script


Reference Links:

Network Chuck: https://www.youtube.com/watch?v=e_f9p-_JWZw

dbisu pico-ducky GitHub page: https://github.com/dbisu/pico-ducky

Hak5 Rubber Ducky: https://shop.hak5.org/products/usb-rubber-ducky-deluxe

Hak5 Ducky Script Overview: https://docs.hak5.org/usb-rubber-ducky-1/the-ducky-script-language/ducky-script-quick-reference

Hak5 Payload Page: https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads