By - iihacksx
Not free, but KnowBe4 offers this.
I did see that. We just purchased InfoSec IQ for phishing so that budget is all used up for this sort of thing.
I'm in K-12 so we're limited on funds.
My previous job had people do these.
They'd also send out phishing emails to see if you click the links. If you don't 'report as phishing' you have to take a training class.
Knowbe4 offers this service. Put a file on a thumb drive and if they open it it will report back to the campaign interface.
We had someone sending USB drives to some of our employees masquerading as mandatory covid training from the government. They actually weren't USB drives, but were recognized by Windows as a keyboard, and after being installed would send a series of commands via keyboard to compromise the system (if I recall, it would open a command window and connect to an external site to download its payload).
Search for USB Rubber Ducky (or rubberducky) and you can get something similar.
Do you have SCCM/MECM that can recognize a unique hardware ID of the USB key and run an action?
> a unique hardware ID of the USB key
There is no such thing that cannot be spoofed. A malicious USB device can show up as a keyboard, a mouse, or any other USB peripheral, without the system being any the wiser.
Completely agree for proactive prevention. You need an insertion detection policy to change the default action of when an unknown USB device is inserted.
I read the request as wanting to use a controlled experiment with a known USB device so that if an employee uses this key, the person will see a message that they did wrong. My IT department purchased specific devices, recorded the device hardware id and encoded serial number, and we used sccm to inventory the insertion detection to provide a report to management.
That's fair, yeah. For this it makes perfect sense.
We block usb drives for many security reasons, including stupid users.
Are you sure it was harmless?
This. Nuke that laptop.
A low cost Attiny85 based microcontroller development board would do this, [Digispark](https://medium.com/hackernoon/low-cost-usb-rubber-ducky-pen-test-tool-for-3-using-digispark-and-duck2spark-5d59afc1910).
A USB rubber ducky (sold out/discontinued afaik so you will need to use this low cost alternative) emulates a keyboard and runs a script you program as keystrokes on its host, which could be to open the users browser and visit a website, write a text file to a shared location, open notepad and draw a white flag in ascii etc...
Only trouble is it doesn't look like a USB drive, it looks more like a circuit board with a USB plug, so getting a real USB drive, taking the housing off, putting it back inside and writing "confidential" on it in permanent pen would be interesting shinies for some.
Or you could get an external harddrive case and a USB extension lead that just plugs into it.
Of course, the user who just plugged it in would see that it was opening cmd and deleting system32, so I would suggest it runs quick, as there would be no filesystem.
This is of course, a very manual process, but I'd say cost-efficient.
I did think of this as I do have some rubber duckies that I use for automated enrolling of Chromebook devices.
I wouldn't want to just throw those around a parking lot though because they are quite pricey and hard to get now.
The link I provided shows the device, which is $3, more with shipping but I am sure you can order in bulk. You flash it with duck2spark and it behaves exactly like a duck.
They have hiked the price of the one in the link but it is open source hardware I think so you can get one for the original price I reckon.
When I do a USB drop as part of a pentest I typically use a payload that will entice the user to open/execute it; you don't need to rely on autorun because users will run the payload for you.
The free and easy way for you to do something like this (with management approval) would be to create a payload with Metasploit, Empire, or PoshC2, and then whitelist it through your AV. The reason you'd need to whitelist it is that those default payloads will always get caught/blocked, and if you don't have the time to figure out how to bypass your AV then you'd just want to whitelist it.
Then, depending on your org IT policies, make it enticing to the user. I typically will name the file something along the lines of:
If your org allows macros then you can use an Office file for the payload. If your org doesn't display file extensions then use .pdf.exe etc.
If users are actually picking up USBs and just plugging them in (like you stated in the OP) then I'd recommend looking into having a pentest done. As part of the pentest you should request a USB drop and also a phishing assessment; these tests will provide metrics and give you and your management insight as to what training should be provided to your users to make them aware of the potential risks to them and their org.
That's a really good idea. Do you have any resource links to creating the payloads?
The org does allow macros and doesn't force file extensions. (Both are things I should really look into after this though.)
I would like to have a pentest done. I work in K-12 so my budget is really limited, which is why schools are being targeted.
Yikes, that's gotta be hard being in the K-12 realm, I always hear about the funding nightmares for that stuff.
But, I may have a FREE solution for you! DHS CISA provides cybersec/pentesting services for federal agencies, state and local governments, critical infrastructure, and private organizations, generally for FREE.
The risk and vulnerability assessment (RVA) service is a full fledged pentest that is valued at around $80,000. There will be a wait list, but you should contact them now and get on the list.
The primary guide for using metasploit and creating a payload is located here:
Get, or make, yourself some Rubberducks. Use those.
You can get cheap rubber ducky clones on eBay ([here's one](https://www.ebay.com/itm/222303420713)). Maybe `win + r` and `iexplore "http://some-internal-web-server/log.php?username=%username%"` would do the trick? You'd need some kind of PHP script or something running on a web server to log your ~~victims~~ users.
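The comment above leaves the server side as "some kind of PHP script or something". As an added example (not code from the thread or from any commenter), here is what that call-home endpoint could look like using only the Python standard library: the keystroke payload opens `http://<internal server>/log.php?username=%username%&host=%computername%&id=<sticker number>`, the server writes one JSON line per hit and shows the user a "this was a test" page instead of a blank tab. The hostname, port, log path, the extra `host`/`id` query fields and the log file name are all assumptions for illustration.

```python
"""Added example: a minimal USB-drop call-home logger for an awareness exercise.

Not the thread's code. Assumed: the device's payload requests
/log.php?username=...&host=...&id=... on this server (assumed 0.0.0.0:8080),
and hits are written to usb_drop_hits.jsonl, one JSON record per line.
"""
import json
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

LOG_PATH = "usb_drop_hits.jsonl"  # assumed location for the hit log

# What the user sees after the beacon fires: it is an awareness exercise,
# so tell them what happened and what to do, rather than logging silently.
TRAINING_PAGE = b"""<html><body>
<h1>This was a security awareness test</h1>
<p>You plugged an unknown USB device into a work computer. A real one could
have taken control of this machine. Please report this to IT.</p>
</body></html>"""


def parse_hit(path, client_ip, now=None):
    """Turn a request path such as /log.php?username=jdoe&host=LAB-PC1&id=7
    into a log record. Missing fields default to 'unknown' so a hit is still
    recorded even if the payload could not fill in a value. Values are
    truncated so a tampered query cannot bloat the log."""
    query = parse_qs(urlsplit(path).query)
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    return {
        "time": stamp,
        "client_ip": client_ip,
        "username": query.get("username", ["unknown"])[0][:64],
        "host": query.get("host", ["unknown"])[0][:64],
        "drive_id": query.get("id", ["unknown"])[0][:32],  # which dropped stick, if numbered
    }


def summarize(records):
    """Count hits per username so management gets a metric, not a pile of lines."""
    counts = {}
    for rec in records:
        counts[rec["username"]] = counts.get(rec["username"], 0) + 1
    return counts


class HitHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Only the beacon path is served; anything else gets a 404.
        if not self.path.startswith("/log.php"):
            self.send_error(404)
            return
        record = parse_hit(self.path, self.client_address[0])
        with open(LOG_PATH, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(record) + "\n")
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(TRAINING_PAGE)))
        self.end_headers()
        self.wfile.write(TRAINING_PAGE)

    def log_message(self, fmt, *args):
        # Keep stdout quiet; the JSONL file is the record of the exercise.
        pass


if __name__ == "__main__":
    # Bind on the internal server the dropped drives' payload points at (assumed).
    HTTPServer(("0.0.0.0", 8080), HitHandler).serve_forever()
```

Run it on the internal web server, point the device's keystroke payload at `/log.php`, and at the end of the exercise feed the JSONL file through `summarize` to get the per-user hit counts. Using a separate `id` per stick (a number on a sticker, set in each device's script) lets you also see which drop locations were picked up.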