ATTACKMODE is a DuckyScript command which specifies which devices to emulate. The ATTACKMODE command may be issued multiple times within a given payload. For example, a payload may begin by emulating Ethernet, then switch to emulating a keyboard and serial later based on a number of conditions.

ATTACKMODE Description
SERIAL

ACM – Abstract Control Model
Serial Console

ECM_ETHERNET

ECM – Ethernet Control Model
Linux/Mac/Android Ethernet Adapter

RNDIS_ETHERNET

RNDIS – Remote Network Driver Interface Specification
Windows (and some Linux) Ethernet Adapter

AUTO_ETHERNET

Automatic Ethernet. This attack mode will first attempt to bring up ECM_ETHERNET. If after the default timeout of 20 seconds no connection is established, RNDIS_ETHERNET will be attempted. The timeout may be changed by adding ETHERNET_TIMEOUT_XX where XX is the number of seconds, e.g. ETHERNET_TIMEOUT_60 for one minute.

Requires firmware version 1.5+

STORAGE

UMS – USB Mass Storage
Flash Drive

HID

HID – Human Interface Device
Keyboard – Keystroke Injection via Ducky Script

Many combinations of attack modes are possible, however some are not. For example, ATTACKMODE HID STORAGE ECM_ETHERNET is valid while ATTACKMODE RNDIS_ETHERNET ECM_ETHERNET STORAGE SERIAL is not. Each attack mode combination registers using a different USB VID/PID (Vendor ID/Product ID) by default. VID and PID can be spoofed using the VID and PID commands.

ATTACKMODE COMBINATION VID / PID
SERIAL STORAGE 0xF000/0xFFF0
HID 0xF000/0xFF01
STORAGE 0xF000/0xFF10
SERIAL 0xF000/0xFF11
RNDIS_ETHERNET 0xF000/0xFF12
ECM_ETHERNET 0xF000/0xFF13
HID SERIAL 0xF000/0xFF14
HID STORAGE 0xF000/0xFF02
HID RNDIS_ETHERNET 0xF000/0xFF03
HID ECM_ETHERNET 0xF000/0xFF04
HID STORAGE RNDIS_ETHERNET 0xF000/0xFF05
HID STORAGE ECM_ETHERNET 0xF000/0xFF06
SERIAL RNDIS_ETHERNET 0xF000/0xFF07
SERIAL ECM_ETHERNET 0xF000/0xFF08
STORAGE RNDIS_ETHERNET 0xF000/0xFF20
STORAGE ECM_ETHERNET 0xF000/0xFF21