Vault Exfiltrator – USB Rubber Ducky Physical Exfiltration Payload

Vault Exfiltrator is a payload designed for the USB Rubber Ducky that physically extracts password manager database files from a target Windows system. Unlike remote exfiltration payloads, it copies the files directly to the Rubber Ducky’s own USB storage, demonstrating data exposure risks in environments with physical access.

The payload is included in the official Hak5 repository and was published in January 2026 after review and acceptance.

How It Works

When inserted into an unlocked Windows computer, the USB Rubber Ducky executes a DuckyScript that:

  • Opens a hidden terminal using WINDOWS + R and launches PowerShell in invisible mode.
  • Runs an in‑memory script that scans standard locations of more than eight common password managers, including KeePass, Bitwarden, 1Password, LastPass, Dashlane, RoboForm, Keeper, Password Safe, and others.
  • For each discovered database file, copies its content to the Rubber Ducky USB drive (by default into a folder named Exfiltrated_Vaults).
  • Ends execution without leaving traces on the system: the PowerShell session closes automatically and no interactive logs are generated.

The payload uses the USB drive’s volume label to locate itself. By default it expects the drive to be named "DUCKY", although this parameter can be modified in the script.

Payload Preparation

  1. Download the original payload: Go to the official Hak5 repository and obtain the payload.txt file.
  2. Configure your USB Rubber Ducky drive name: The script contains the line:
    STRING $drive = "DUCKY"
    If your drive has a different label (e.g., RUBBERDUCKY or USB), modify this line accordingly. Alternatively, rename the USB drive itself from the operating system.
  3. Optional: change the destination folder. By default files are saved in Exfiltrated_Vaults\ on the USB drive. Edit the $outputFolder variable to change the path.
  4. Encode the payload: Use PayloadStudio (available on the Hak5 website) to convert payload.txt into inject.bin. You can also use the command‑line duckencoder if preferred.
  5. Load the payload onto the Rubber Ducky: Copy the generated inject.bin file to the root of the Rubber Ducky USB drive.

Deployment

  • Insert the USB Rubber Ducky into the target computer (must be unlocked).
  • The payload executes automatically in less than 5 seconds, without user interaction.
  • Password manager database files are copied to the Exfiltrated_Vaults folder on the Rubber Ducky itself.
  • Once finished, you can remove the device. No processes remain running, and no PowerShell activity is logged.

Why Physical Exfiltration Is Effective

Physical exfiltration using a USB Rubber Ducky has several advantages over network‑based exfiltration:

  • No outbound connection required: Works in air‑gapped networks or environments with strict firewall controls.
  • Generates no suspicious network traffic: Copying is done directly to the USB device.
  • Bypasses network‑based DLP solutions: Since the transfer is local, no network exfiltration alerts are triggered.
  • Fast and silent: The entire process takes only seconds and leaves no system logs.
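
The points above concern network controls. On hosts where process-creation auditing with command lines (Event ID 4688), PowerShell Script Block Logging (Event ID 4104) and Sysmon file-creation events (Event ID 11) are enabled, the steps in How It Works can be correlated on the endpoint. The following is an added detection example, not code from the payload or the Hak5 repository; the normalized field names, host names and sample events are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Password manager names listed on this page; a script block naming several is unusual.
MANAGERS = ("keepass", "bitwarden", "1password", "lastpass",
            "dashlane", "roboform", "keeper", "password safe")
# Common spellings of the hidden-window switch (-w hidden, -WindowStyle Hidden, -w 1).
HIDDEN_PS = re.compile(r"powershell(\.exe)?\b.*\s-w[a-z]*\s+(hidden|1)\b", re.I)

def signal(ev):
    """Map one normalized event (assumed schema) to a signal name, or None."""
    if ev["id"] == 4688:    # process creation; Run dialog launches have explorer.exe as parent
        if ev["parent"].lower().endswith("explorer.exe") and HIDDEN_PS.search(ev["cmd"]):
            return "hidden_ps"
    elif ev["id"] == 4104:  # PowerShell script block logging
        text = ev["script"].lower()
        if sum(m in text for m in MANAGERS) >= 3:
            return "vault_enum"
    elif ev["id"] == 11:    # Sysmon FileCreate
        path = ev["target"].lower()
        off_system = not path.startswith("c:\\")
        if off_system and ("exfiltrated_vaults" in path or path.endswith(".kdbx")):
            return "usb_copy"
    return None

def correlate(events, window=timedelta(seconds=60)):
    """Alert when hidden PowerShell is followed by another signal on the same host."""
    tagged = [(datetime.fromisoformat(e["time"]), e["host"], signal(e)) for e in events]
    tagged = sorted((t for t in tagged if t[2]), key=lambda t: t[0])
    alerts = []
    for ts, host, sig in tagged:
        if sig != "hidden_ps":
            continue
        seen = {s for t2, h2, s in tagged if h2 == host and ts <= t2 <= ts + window}
        if len(seen) >= 2:  # hidden_ps plus at least one corroborating signal
            alerts.append((host, ts.isoformat(), sorted(seen)))
    return alerts

# Constructed sample events (not real telemetry): one suspicious host, one benign task.
SAMPLE = [
    {"id": 4688, "time": "2026-01-15T10:00:01", "host": "WS-01",
     "parent": r"C:\Windows\explorer.exe", "cmd": "powershell -w hidden"},
    {"id": 4104, "time": "2026-01-15T10:00:02", "host": "WS-01",
     "script": "# constructed: lookups for KeePass, Bitwarden, LastPass"},
    {"id": 11, "time": "2026-01-15T10:00:04", "host": "WS-01",
     "target": r"E:\Exfiltrated_Vaults\Database.kdbx"},
    {"id": 4688, "time": "2026-01-15T11:00:00", "host": "WS-02",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmd": r"powershell.exe -WindowStyle Hidden -File C:\IT\inventory.ps1"},
]
```

Because the drive label and output folder are configurable, the folder-name match is only a weak indicator; the correlation of a Run-dialog hidden PowerShell with vault enumeration or a vault file written off the system drive carries the alert.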

Ethical Notice

FOR AUTHORIZED PENETRATION TESTING AND EDUCATIONAL PURPOSES ONLY
This payload is designed exclusively for authorized penetration testing and educational purposes. It must only be used on systems you own or with explicit written permission from the system owner. Unauthorised use may constitute a computer crime.

Official Repository

Vault Exfiltrator is an official payload included in the Hak5 usbrubberducky-payloads repository. You can review the source code, full documentation, and installation instructions at:

https://github.com/ex-cal1bur/usbrubberducky-payloads/tree/master/payloads/library/exfiltration/Vault_Exfiltrator


Copyright © 2026 – Daniel Miranda Barcelona | Excal1bur. Technical description for educational purposes.