How to Build a WiFi Rubber Ducky for Cybersecurity with Open Source Tools

SUWAAAAAAAAsSUWAAAAAAAAs
6 min read

Table of contents

GitHub

Introduction

The Rubber Ducky is a specialized USB gadget that functions as a keyboard and can quickly and automatically type commands on a target computer. Hak5 was the original creator of this popular penetration testing tool, which shows how easy a machine can be hacked if physical access is obtained.

Commercial instruments like the Hak5 Rubber Ducky are difficult and expensive to purchase in Nepal. So, I made the decision to use the open-source WiFi Duck project to construct my own. In addition to being wireless, it's also affordable, adaptable, and an excellent method to learn cybersecurity and hardware hacking.

What Is a Rubber Ducky?

A Rubber Ducky works like this:

  • Plug it into a USB port.

  • It emulates a keyboard (HID device).

  • It types commands at lightning speed.

  • The victim’s computer thinks it’s just a human typing.

This method can be applied to security awareness training, red teaming, or approved penetration testing. Imagine being able to open your browser, download a file, or start the terminal by simply plugging in a USB without using your keyboard. That's what HID attacks are capable of and many more.

Why Go DIY?

Commercial devices such as the Hak5 Rubber Ducky are not readily available in Nepal, where I reside. Shipping and customs make it costly and unfeasible, even when shopping online. However, I discovered that I could construct a fully functional wireless Rubber Ducky with a few rupees worth of components owing to open-source initiatives like WiFi Duck. It demonstrates that creativity is feasible and enjoyable even in settings with minimal resources.

Hardware We Used

Here’s my simple, low-cost shopping list:

ComponentPurposeApprox. Cost
D1 Mini V2 NodeMcu(ESP8266)Acts as a wifi access point, also saves your DuckyscriptRs. 550
Pro Micro Board(Atmega32U4)Acts as a USB keyboardRs. 1,350
USB Type C Data CableTo plug into the victim’s computer and for flashing the firmware on Pro MicroRs. 200
Jumper WiresConnect componentsRs. 80
Micro USB data cableFor flashing the firmware on D1 MiniRs. 300
BreadboardFor prototypingRs. 120

I’ve included photos of my build below—scroll through to see the raw components, wired connections, and final assembly.

D1 Mini V2 NodeMcu(ESP8266)

Assembling the Device

I decided to put the WiFi Rubber Ducky together using a breadboard. It's ideal for solderless prototyping, non-permanent, and simple to debug. This is a work in progress, and i will eventually make it look just like a USB stick.

Here’s how i set it up

Step 1: Mount the ESP8266 (D1 Mini) and Pro Micro Board(Atmega32U4)

Place the ESP8266 and Atmega32U4 board onto the breadboard, making sure it sits firmly and that each row remains isolated from the next.

Step 2: Wiring with Jumper Cables

Using jumper wires, I connected the ESP8266 and the Atmega32U4 according to the diagram below:

Atmega32u4ESP8266
3 aka. SCLD1 aka. GPIO 5
2 aka. SDAD2 aka. GPIO 4
GNDGND

⚠️ Note: Make sure your connections are solid before flashing firmware. A loose wire can cost you hours of debugging! WHICH TOTALLY DIDN’T HAPPEN TO ME .

Flashing the WiFi Duck Firmware

I used the official WiFi Duck GitHub repo by Spacehuhn.

Flashing the ATmega

Before the device could act as a USB keyboard, I needed to flash the ATmega chip with the custom firmware provided by the WiFi Duck project. I connected the ATmega chip to my computer using a USB Type-C data cable and flashed the HID (Human Interface Device) firmware using the Arduino IDE. I made sure to install the required board definitions and selected the right port and board type.

Once uploaded, the ATmega was ready to act like a Rubber Ducky—it could emulate a keyboard and type commands automatically.

Flashing the ESP8266 (D1 Mini)

Next, I flashed the D1 Mini. Using a Micro-USB cable, I connected the board to my PC and opened the WiFi Duck firmware in Arduino IDE. After selecting the correct board (LOLIN/Wemos D1 Mini), I uploaded the code.

This firmware turns the D1 Mini into a WiFi access point that hosts a web interface. From there, I could write, manage, and execute payloads wirelessly.

⚠️ Note: Make sure your Micro-USB cable has data sharing capability.

Powering and Running the Device

Once both boards were flashed, I powered the entire device via the ATmega board using a Type C charger cable. D1 Mini chip is powered through the jumper connection from the ATmega.

When plugged into a target system:

  • The ATmega acts as a USB keyboard, ready to inject keystrokes.

  • The D1 Mini broadcasts a WiFi network (e.g., duck_wifi).

  • I can connect to it from my phone or laptop, access 192.168.4.1, and upload payloads using the web interface.

Writing Payloads

The WiFi Duck defines what keystrokes should be "typed" when the device is triggered using a programming language known as Ducky Script. The original USB Rubber Ducky's developers, Hak5, created Ducky Script, which is now extensively utilized in the ethical hacking and cybersecurity communities.

You can know more about the DUCKY SCRIPT from this website:

https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-tm-quick-reference

But for those of you who don’t want to go to the website and LEARN this simple scripting language here’s a basic example:

DELAY 1000
GUI r
DELAY 200
STRING notepad
ENTER
DELAY 500
STRING Are you not entertained?

WHAT DOES THIS DO? just go to the damn website and LEARN!!!!!!!! ( i am just kidding or am i ?)

Waits 1 second after the device is plugged in.

Presses Win + R to open the Run dialog.

Types "notepad" and hits Enter.

Waits half a second for Notepad to open.

Types the string message into Notepad.

The target computer doesn't need to trust the device because it functions as a USB keyboard.The operating system recognizes it as a standard input device and there is no software to install. Keystroke injection is extremely potent because of this (and could be harmful if used improperly).

DEMO TIME!!!!

( VIDEO REMOVED FOR SECURITY PURPOSE but dont worry i’ll add it again)

Yes! I recorded a full attack demo video

⚠️ Note: DONOT do this without permission. It’s actually kinda ILLEGAL.

  • Plugged the device into a victim’s Windows laptop

  • Connected to the Duck’s WiFi from attackers laptop.

  • Selected the payload

  • Watched it type commands instantly on the victim machine

⚠️ Disclaimer

This project is for educational and ethical use only.
Never use this device on machines you don’t own or have permission to test. Doing this without permission is ILLEGAL.

What’s Next?

Test the Duck with a long-range directional antenna( YAGI-UDA antenna).

See if modern antivirus solutions detect the keystroke injections.

Final Thoughts

I learned from this study that investigating cybersecurity doesn't require a large lab or expensive supplies. Even in a place like Nepal where access to such equipment is limited, you may get started with ethical hacking, scripting, and microcontroller-based projects with just a few parts and a little bit of curiosity.

Innovation doesn’t need a lot of money— just passion, music and a lot of DAL BHAT POWER 24 HOUR.

0
Subscribe to my newsletter

Read articles from SUWAAAAAAAAs directly inside your inbox. Subscribe to the newsletter, and don't miss out.

DIYrubber duckyEthical Hackingethicalhackingethical hacking training#cybersecurityiotiot projectIoT securityESP8266

Written by

SUWAAAAAAAAs
SUWAAAAAAAAs

rm -rf bullshit