When it comes to keystroke injection tools, the most popular option is the USB Rubber Ducky. Developed by Hak5, the device looks like an ordinary USB stick but is actually recognized as a generic keyboard. This allows the Rubber Ducky to perform keystroke injection attacks using preset keystroke payloads. The device is so popular; it was even featured on Mr. Robot. It’s a compact unit, but creator Just Call Me Koko wanted to see just how small it can get.
They developed their own version called Tinyduck, an ATtiny85-powered USB Rubber Ducky in the smallest form factor possible. Similar to the original, it executes keystroke injection attacks preprogrammed using the Arduino IDE. You can even create your own Ducky Script, which can be leveraged to create keystroke injection binaries that can run on the original Rubber Ducky. The keystroke injection scripts can be converted to Arduino-compatible code for the DigiSpark using the digiQuack convertor. It’s just like your standard Rubber Ducky but stripped down to the bare essentials.
The Tinyduck requires little user intervention. You just insert it into a computer, and the device will launch its preprogrammed functions without your input. It’ll only take about five seconds to run through the micronucleus bootloader before loading its main code execution.
Now available on Tindie, you can pick a Tinyduck up for $12. More details can be found on GitHub.