Attack Mode
ATTACKMODE is a DuckyScript command which specifies which devices to emulate. The ATTACKMODE command may be issued multiple times within a given payload. For example, a payload may begin by emulating Ethernet, then switch to emulating a keyboard and serial later based on a number of conditions.
| ATTACKMODE | Description |
|---|---|
SERIAL |
ACM – Abstract Control Model |
ECM_ETHERNET |
ECM – Ethernet Control Model |
RNDIS_ETHERNET |
RNDIS – Remote Network Driver Interface Specification |
AUTO_ETHERNET |
Automatic Ethernet. This attack mode will first attempt to bring up ECM_ETHERNET. If after the default timeout of 20 seconds no connection is established, RNDIS_ETHERNET will be attempted. The timeout may be changed by adding ETHERNET_TIMEOUT_XX where XX is the number of seconds, e.g. ETHERNET_TIMEOUT_60 for one minute. Requires firmware version 1.5+ |
STORAGE |
UMS – USB Mass Storage |
HID |
HID – Human Interface Device |
Many combinations of attack modes are possible, however some are not. For example, ATTACKMODE HID STORAGE ECM_ETHERNET is valid while ATTACKMODE RNDIS_ETHERNET ECM_ETHERNET STORAGE SERIAL is not. Each attack mode combination registers using a different USB VID/PID (Vendor ID/Product ID) by default. VID and PID can be spoofed using the VID and PID commands.
| ATTACKMODE COMBINATION | VID / PID |
|---|---|
| SERIAL STORAGE | 0xF000/0xFFF0 |
| HID | 0xF000/0xFF01 |
| STORAGE | 0xF000/0xFF10 |
| SERIAL | 0xF000/0xFF11 |
| RNDIS_ETHERNET | 0xF000/0xFF12 |
| ECM_ETHERNET | 0xF000/0xFF13 |
| HID SERIAL | 0xF000/0xFF14 |
| HID STORAGE | 0xF000/0xFF02 |
| HID RNDIS_ETHERNET | 0xF000/0xFF03 |
| HID ECM_ETHERNET | 0xF000/0xFF04 |
| HID STORAGE RNDIS_ETHERNET | 0xF000/0xFF05 |
| HID STORAGE ECM_ETHERNET | 0xF000/0xFF06 |
| SERIAL RNDIS_ETHERNET | 0xF000/0xFF07 |
| SERIAL ECM_ETHERNET | 0xF000/0xFF08 |
| STORAGE RNDIS_ETHERNET | 0xF000/0xFF20 |
| STORAGE ECM_ETHERNET | 0xF000/0xFF21 |