DuckyScript™ officially licensed and supported devices are backwards compatible with previous versions, excluding any device specific functionality.
E.g. DuckyScript™ 1.0 payloads written for the USB Rubber Ducky are valid DuckyScript™ 3.0 and will function on the New USB Rubber Ducky without modification
DuckyScript™ includes commands/syntax which only work on some devices. For example, MATCH and SAVEKEYS are DuckyScript™ commands which are only for Key Croc payloads and will not work on other devices.
Hak5 does NOT guarantee payload functionality for unlicensed device's, or payloads NOT compiled usingHak5 PayloadStudio
The REM command does not perform any keystroke injection functions. REM gets its name from the word remark. While REM may be used to add vertical spacing within a payload, blank lines are also acceptable and will not be processed by the compiler.
Defining a comment block is simple! Start the comment with REM_BLOCK and end the comment with END_REM; everything in between will be considered a comment without the need to prepend every new line with REM. Comment blocks can be especially useful when you have multiple lines to be included in a single comment or want to retain formatting.
REM_BLOCK DOCUMENTATION
USAGE:
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
The STRING command keystroke injects (types) a series of keystrokes. STRING will automatically interpret uppercase letters by holding the SHIFT modifier key where necessary. The STRING command will also automatically press the SPACE cursor key, however trailing spaces will be omitted.
STRING The quick brown fox jumps over the lazy dog
System keys are primarily used by the operating system for special functions and may be used to interact with both text areas and navigating the user interface.
Modifier keys held in combination with another key to perform a special function. Common keyboard combinations for the PC include the familiar CTRL c for copy, CTRL x for cut, and CTRL v for paste.
SHIFT
ALT
CONTROL or CTRL
COMMAND
WINDOWS or GUI
REM Windows Modifier Key Example
REM Open the RUN Dialog
GUI r
REM Close the window
ALT F4
Injecting a modifier key alone without another key — such as pressing the WINDOWS key — may be achieved by prepending the modifier key with the INJECT_MOD command.
REM Example pressing Windows key alone
INJECT_MOD WINDOWS
Lock keys toggle the lock state (on or off) and typically change the interpretation of subsequent keypresses. For example, caps lock generally makes all subsequent letter keys appear in uppercase.
The DELAY command instructs the USB Rubber Ducky to momentarily pause execution of the payload. This is useful when deploying a payload which must "wait" for an element — such as a window — to load. The DELAY command accepts the time parameter in milliseconds.
DELAY for 100 milliseconds (one tenth of a second)
DELAY 100
The minimum delay value is 20.
The DELAY command may also accept an integer variable.
VAR $WAIT = 500
DELAY $WAIT
DELAY timings might differ slightly depending on the ATTACKMODE the USB Rubber Ducky is in when executing the DELAY and depending on the target host.
By default, if no other button command is currently in use, pressing the button during payload execution will make the USB Rubber Ducky stop any further keystroke injection. It will then become an ordinary USB flash drive, commonly referred to as "arming mode".
The BUTTON_DEF command defines a function which will execute when the button is pressed anytime within the payload so long as the button control is not already in use by the WAIT_FOR_BUTTON_PRESS command or other such function.
BUTTON_DEF
STRINGLN The button was pressed.
END_BUTTON
STRINGLN Press the button with the next 10 seconds
DELAY 10000
An attack mode is the device type that a USB Rubber Ducky, is functioning as or emulating. If no ATTACKMODE command is specified as the first command (excluding REM), the HID attack mode will execute, allowing the device to function as a keyboard. The ATTACKMODE command may be run multiple times within a payload, which may cause the device to be re-enumerated by the target if the attack mode changes.
Required Parameters
ATTACKMODE Parameter
Description
HID
Functions as a Human Interface Device, or Keyboard, for keystroke injection.
STORAGE
Functions as USB Mass Storage, or a Flash Drive, for copying files to/from the target.
HID STORAGE
Functions as both USB Mass Storage and Human Interface Device
OFF
Will not function as any device. May be used to disconnect the device from the target.
ATTACKMODE HID STORAGE
REM The USB Rubber Ducky will act as both a flash drive and keyboard
Optional Parameters
When using these optional parameters, VID and PID must be used as a set. Further, MAN, PROD and SERIAL must also be used as a set.
ATTACKMODE Parameter
Description
VID_
Vendor ID (16-bit HEX)
PID_
Product ID (16-bit HEX)
MAN_
Manufacturer (32 alphanumeric characters)
PROD_
Product (32 alphanumeric characters)
SERIAL_
Serial (12 digits)
ATTACKMODE HID VID_046D PID_C31C MAN_HAK5 PROD_DUCKY SERIAL_1337
REM Emulated a Keyboard with the following values:
REM - Vendor ID: 046D
REM - Product ID: C31C
REM - Manufacturer: HAK5
REM - Product: DUCKY
REM - Serial: 1337
The SAVE_ATTACKMODE command will save the currently running ATTACKMODE state (including any specified VID, PID, MAN, PROD and SERIAL parameters) such that it may be later restored.
The VAR command will initiate a variable. Unlike constants, variables begin with a dollar sign ("$"). Variables contain unsigned integers with values from 0 to 65535. Booleans may be represented as well, either by TRUE/FALE or any non-zero number and 0 respectively.
Bitwise AND. If the corresponding bits of the two operands is 1, will result in 1. Otherwise if either bit of an operand is 0, the result of the corresponding bit is evaluated as 0.
|
Bitwise OR. If at least one corresponding bit of the two operands is 1, will result in 1.
>>
Right Shift. Accepts two numbers. Right shifts the bits of the first operand. The second operand determines the number of places to shift.
<<
Left Shift. Accepts two numbers. Left shifts the bits of the first operand. The second operand decides the number of places to shift.
ATTACKMODE HID STORAGE VID_05AC PID_021E
VAR $FOO = $_CURRENT_VID
REM Because VID and PID parameters are little endian,
$FOO = ((($FOO >> 8) & 0x00FF) | (($FOO << 8) & 0xFF00))
REM $FOO will now equal 0xAC05
The flow control statement IF will determine whether or not to execute its block of code based on the evaluation of an expression. One way to interpret an IF statement is to read it as "IF this condition is true, THEN do this".
$FOO = 42
$BAR = 1337
IF ( $FOO < $BAR ) THEN
STRING 42 is less than 1337
END_IF
The block of code within the WHILE statement will continue to repeatedly execute for a number of times (called iterations) for as long as the condition of the WHILE statement is TRUE.
VAR $FOO = 42
WHILE ( $FOO > 0 )
STRINGLN This message will repeat 42 times.
$FOO = ( $FOO - 1 )
END_WHILE
WHILE TRUE
SRINGLN This is an infinite loop. This message repeats forever.
END_WHILE
Functions are blocks of organized single-task code that let you more efficiently run the same code multiple times without the need to copy and paste large blocks of code over and over again.
A function may return a integer or boolean value which may also be evaluated.
FUNCITON TEST_CAPS_AND_NUM()
IF (($_CAPSLOCK_ON == TRUE) && ($_NUMLOCK_ON == TRUE)) THEN
RETURN TRUE
ELSE
RETURN FALSE
END_IF
END_FUNCTION
IF (TEST_CAPS_AND_NUM() == TRUE) THEN
STRINGLN Caps lock and num lock are on.
END_IF
The pseudorandom number generator provides randomization for keystroke injection, variables and attackmode parameters. The first time a randomization feature is used, a seed.bin will be generated on the root of the MicroSD card. One may also be generated from the Hak5 IDE.
The internal variable $_RANDOM_INT assigns a random integer between the specified $_RANDOM_MIN and $_RANDOM_MAX values. May be 0-65535. The default values are 0-9.
$_RANDOM_MIN = 42
$_RANDOM_MAX = 1337
VAR $FOO = $_RANDOM_INT
REM The variable $FOO will be between 42 and 1337
A key may be held, rather than pressed, by specifying a HOLD and RELEASE command with a DELAY in between the two. Both HOLD and RELEASE must specify a key. Multiple simultaneous keys may be held.
HOLD a
DELAY 2000
RELEASE a
REM May produce any mumber of "aaaaa" keys, depending on the repeat rate of
REM the target OS. On macOS may open the accent menu.
INJECT_MOD
HOLD WINDOWS
DELAY 4000
RELEASE WINDOWS
REM Will hold the Windows key for 4 seconds. Note the use of INJECT_MOD
REM when using a modifier key without a key combination.
The inject.bin and seed.bin file may be hidden from the MicroSD card before implementing ATTACKMODE STORAGE. The HIDE_PAYLOAD and RESTORE_PAYLOAD commands must be run while using ATTACKMODE OFF or ATTACKMODE HID.
USB HID devices contain both IN endpoints for data (keystrokes) from the keyboard to computer, and OUT endpoints for data (LED states) from the computer to the keyboard. In many cases the LED state control codes sent from the computer to the attached keyboard are sent to all attached "keyboards". Versions of macOS behave differently.
The currently reported lock key states may be saved and later recalled using the SAVE_HOST_KEYBOARD_LOCK_STATE and RESTORE_HOST_KEYBOARD_LOCK_STATE commands.
REM Save the LED states of the primary keyboard
SAVE_HOST_KEYBOARD_LOCK_STATE
REM Change the lock states
CAPSLOCK
NUMLOCK
REM Restore the original lock states
RESTORE_HOST_KEYBOARD_LOCK_STATE
Exfiltration is the unauthorized transfer of information from a system. Typically performed over a physical medium (copying to a USB flash disk such as the USB Rubber Ducky while using ATTACKMODE STORAGE) or a network medium such as email, ftp, smb, http, etc.
By taking advantage of the HID OUT endpoint as described in the lock keys section, binary data may be exfiltrated "out of band" using the Keystroke Reflection side-channel attack. This is done by using the $_EXFIL_MODE_ENABLED internal variable. The reflected lock keystrokes are saved to loot.bin on the root of the MicroSD card. For a detailed example, see the section on Keystroke Reflection.
Similarly, arbitrary variable data may be saved to the loot.bin file using the EXFIL command.
VAR $FOO = 1337
EXFIL $FOO
Internal Variables
Internal Variable
Description
BUTTON
$_BUTTON_ENABLED
Returns TRUE if the button is enabled or FALSE if the button is disabled.
$_BUTTON_USER_DEFINED
Returns TRUE if a BUTTON_DEF has been implemented in the payload or FALSE if it hasn't been implemented.
$_BUTTON_PUSH_RECEIVED
Returns TRUE if the button has ever been pressed. May be retrieved or set.
$_BUTTON_TIMEOUT
The button debounce, or cooldown time before counting the next button press, in milliseconds. The default value is 1000.
LED
$_SYSTEM_LEDS_ENABLED
Default set TRUE. May be retrieved or set. Boot and ATTACKMODE change LED.
$_STORAGE_LEDS_ENABLED
Default set TRUE. May be retrieved or set.
Blinks the LED red/green on storage read/write in ATTACKMODE STORAGE.
$_LED_CONTINUOUS_SHOW_STORAGE_ACTIVITY
Default set TRUE. May be retrieved or set.
The LED will light solid green when the storage has been inactive for longer than $_STORAGE_ACTIVITY_TIMEOUT (default 1000 ms). Otherwise, the LED will light red when active.
$_INJECTING_LEDS_ENABLED
Default set TRUE. May be retrieved or set. When TRUE the LED will blink green on payload execution.
$_EXFIL_LEDS_ENABLED
Default set TRUE. May be retrieved or set. When TRUE the LED will blink green during Keystroke Reflection.
$_LED_SHOW_CAPS
Default set FALSE. May be retrieved or set. When TRUE will bind the GREEN LED state to the CAPSLOCK state.
$_LED_SHOW_NUM
Default set FALSE. May be retrieved or set. When TRUE will bind the RED LED state to the NUMLOCK state.
$_LED_SHOW_SCROLL
Default set FALSE. May be retrieved or set. When TRUE will bind the GREEN LED state to the SCROLLLOCK state.
ATTACKMODE
$_CURRENT_VID
Returns the currently operating Vendor ID with endian swapped. May only be retrieved. Cannot be set.
$_CURRENT_PID
Returns the currently operating Product ID with endian swapped. May only be retrieved. Cannot be set.
$_CURRENT_ATTACKMODE
Returns the currently operating ATTACKMODE represented as 0 for OFF, 1 for HID, 2 for STORAGE and 3 for both HID and STORAGE
RANDOM
$_RANDOM_INT
Random integer within set range.
$_RANDOM_MIN
Random integer minimum range (unsigned, 0-65535)
$_RANDOM_MAX
Random integer maximum range (unsigned, 0-65535)
$_RANDOM_SEED
Random seed from seed.bin
$_RANDOM_LOWER_LETTER_KEYCODE
Returns random lower letter scancode (a-z)
$_RANDOM_UPPER_LETTER_KEYCODE
Returns random upper letter scancode (A-Z)
$_RANDOM_LETTER_KEYCODE
Returns random letter scancode (a-zA-Z)
$_RANDOM_NUMBER_KEYCODE
Returns random number scancode (0-9)
$_RANDOM_SPECIAL_KEYCODE
Returns random special char scancode (shift+0-9)
$_RANDOM_CHAR_KEYCODE
Returns random letter number or special scancode
JITTER
$_JITTER_ENABLED
Set TRUE to enable jitter. Default FALSE.
$_JITTER_MAX
Sets the maximum time between key presses in milliseconds. The default maximum is 20 ms.
LOCK KEYS
$_CAPSLOCK_ON
TRUE if on, FALSE if off.
$_NUMLOCK_ON
TRUE if on, FALSE if off.
$_SCROLLLOCK_ON
TRUE if on, FALSE if off.
$_SAVED_CAPSLOCK_ON
On USB attach or SAVE_HOST_KEYBOARD_LOCK_STATE, sets TRUE or FALSE depending on the reported OS condition.
$_SAVED_NUMLOCK_ON
On USB attach or SAVE_HOST_KEYBOARD_LOCK_STATE, sets TRUE or FALSE depending on the reported OS condition.
$_SAVED_SCROLLLOCK_ON
On USB attach or SAVE_HOST_KEYBOARD_LOCK_STATE, sets TRUE or FALSE depending on the reported OS condition.
$_RECEIVED_HOST_LOCK_LED_REPLY
On receipt of any lock state LED control code, sets TRUE. This flag is helpful for fingerprinting certain operating systems (e.g. macOS) or systems which do not reflect lock keys.
STORAGE
$_STORAGE_ACTIVITY_TIMEOUT
As payload is running, this value decrements if storage activity is not detected. Default value is 1000.
EXFILTRATION
$_EXFIL_MODE_ENABLED
Default FALSE. Set TRUE to enable Keystroke Reflection. Will listen for CAPSLOCK and NUMLOCK changes, writing binary values to loot.bin. num=1, caps=0.
OS_DETECT
$_HOST_CONFIGURATION_REQUEST_COUNT
Used by OS_DETECTEXTENSION to detect device enumeration count.
$_OS
Used by OS_DETECTEXTENSION to return value of fingerprinted operating system. May return WINDOWS, MACOS, LINUX, CHROMEOS, ANDROID, IOS. These names are reserved and should not be used in user variables.