ATTACKMODE
ATTACKMODE is a DuckyScript command which specifies which devices to emulate. The ATTACKMODE command may be issued multiple times within a given payload. For example, a payload may begin by emulating Ethernet, then switch to emulating a keyboard and serial later based on a number of conditions.
| ATTACKMODE | Description |
|---|---|
| ACM – Abstract Control Model Serial Console |
| ECM – Ethernet Control Model Linux/Mac/Android Ethernet Adapter |
| RNDIS – Remote Network Driver Interface Specification Windows (and some Linux) Ethernet Adapter |
| Automatic Ethernet. This attack mode will first attempt to bring up ECM_ETHERNET. If after the default timeout of 20 seconds no connection is established, RNDIS_ETHERNET will be attempted. The timeout may be changed by adding ETHERNET_TIMEOUT_XX where XX is the number of seconds, e.g. ETHERNET_TIMEOUT_60 for one minute. Requires firmware version 1.5+ |
| UMS – USB Mass Storage Flash Drive |
| HID – Human Interface Device Keyboard – Keystroke Injection via Ducky Script |
Many combinations of attack modes are possible, however some are not. For example, ATTACKMODE HID STORAGE ECM_ETHERNET is valid while ATTACKMODE RNDIS_ETHERNET ECM_ETHERNET STORAGE SERIAL is not. Each attack mode combination registers using a different USB VID/PID (Vendor ID/Product ID) by default. VID and PID can be spoofed using the VID and PID commands.
| ATTACKMODE COMBINATION | VID / PID |
|---|---|
SERIAL STORAGE | 0xF000/0xFFF0 |
HID | 0xF000/0xFF01 |
STORAGE | 0xF000/0xFF10 |
SERIAL | 0xF000/0xFF11 |
RNDIS_ETHERNET | 0xF000/0xFF12 |
ECM_ETHERNET | 0xF000/0xFF13 |
HID SERIAL | 0xF000/0xFF14 |
HID STORAGE | 0xF000/0xFF02 |
HID RNDIS_ETHERNET | 0xF000/0xFF03 |
HID ECM_ETHERNET | 0xF000/0xFF04 |
HID STORAGE RNDIS_ETHERNET | 0xF000/0xFF05 |
HID STORAGE ECM_ETHERNET | 0xF000/0xFF06 |
SERIAL RNDIS_ETHERNET | 0xF000/0xFF07 |
SERIAL ECM_ETHERNET | 0xF000/0xFF08 |
STORAGE RNDIS_ETHERNET | 0xF000/0xFF20 |
STORAGE ECM_ETHERNET | 0xF000/0xFF21 |
Last updated