The Key Croc introduces enhancements to the Ducky Script keystroke injection command set – known as Ducky Script 2.0. This version builds on the ubiquitous language for keystroke injection that debuted with the USB Rubber Ducky and was further enhanced with the Bash Bunny.
The following are the basic "QUACK" commands – named in honor of the Rubber Ducky that invented the keystroke injection attack.
In order to use Ducky Script 2.0, or QUACK, in a payload the attack mode must contain the HID option. This is the default attack mode on boot. See the ATTACKMODE section for information on additional attack mode options.
Specified in the config.txt file on the root of the udisk partition (/root/udisk) – the DUCKY_LANG option configures the keyboard layout to be used in keystroke injection attacks. This is important to note as different computers and keyboards use different layouts around the world.
By default DUCKY_LANG is set to the US. Additional keyboard layouts are available from the languages directory on the Key Croc's USB Flash Disk (udisk). Language key maps are specified using the two letter country code.
# For deployments in Germany. Sehr gut!
Q is an alias for QUACK that may be used as shorthand substitution anywhere that QUACK may be used. Q does not have any further meaning and is otherwise not very impressive.
QUACK <Key Name>
There are nearly 2000 compatible keys which may be used directly with the QUACK command. For example, "QUACK y" will type "y", and "QUACK ENTER" will press enter. Likewise, "QUACK CTRL-c" will hold the Control key and press c. Additionally, "QUACK N" will hold Shift and press n – since there is no capital N key on a keyboard.
For a complete list, edit the json file from the languages directory specified by your particular DUCKY_LANG. Any single key or key combination may be specified. Here are a few choice examples:
# Holds the "Windows Key" and presses r, opening the Run dialog on Windows systems.
# Holds the Command key and presses the spacebar, opening the Spotlight Search on a Mac.
# Holds the ALT key and presses F2, opening the "Enter a Command" dialog on many Linux distributions.
# Holds these beloved keys for a three finger salute.
By default, QUACK will use the modifiers on the left side of the keyboard when injecting keystrokes. This behavior may be changed, either by modifying the language file or by using the keycode option with a specific modifier scan code. Both left and right side modifiers are specified in the language file for any given key combination/ The first instance is given priority. For example, CTRL-c can be pressed with the Control key on the left, or on the right side of the keyboard. This will result in either "01,00,06" or "10,00,06" scan code.
STRING processes the text following taking special care to auto-shift. STRING can accept a single or multiple characters. There will be no ENTER or Carriage return key at the end of a STRING – so if one is desired it must be specified with its own QUACK command. STRING will automatically use SHIFT to capitalize a character.
QUACK STRING The Quick Brown Fox Jumped Over The Lazy Dog
QUACK STRING "This string has special characters! Isn't it great?"
See the notes at the end of this section on handling requirements for QUACK STRING as it relates to quotes and escaping special bash characters.
DELAY creates a momentary pause in the ducky script. It is quite handy for creating a moment of pause between sequential commands that may take the target computer some time to process. DELAY time is specified in milliseconds from 1 to 10000. Multiple DELAY commands can be used to create longer delays.
QUACK GUI r
QUACK DELAY 500
QUACK STRING cmd /k tree c:\
# Open command prompt and list all files and folders on the C drive
Note the 500 millisecond delay between the keyboard shortcut "GUI r" and the cmd command? That's because it takes a few milliseconds for the run dialog to appear before we can inject keystrokes. We don't typically think about these nuances as a human, but when you consider the Key Croc is one computer speaking to another, every millisecond counts.
KEYCODE will inject an arbitrary keystroke from a three byte scan code. This may be useful when used in conjunction with HOLD, for language agnostics payloads, or when testing multimedia and other extended key functions not explicitly defined in the language file.
QUACK KEYCODE 00,00,56
# This will type the '-' character from the numpad row
ALTCODE allows the printing of alt-codes on Windows systems only.
QUACK ALTCODE 168
# This will print an upside down questionmark
QUACK ALTCODE 236
# This will print an infinity symbol
QUACK HOLD and RELEASE
HOLD will hold the specified key until QUACK RELEASE is issued. HOLD accepts either a KEYCODE or a STRING.
QUACK STRING G
QUACK HOLD STRING o
QUACK DELAY 1000
QUACK STRING d morning!
# This holds the o key for about 1 second, resulting in "Gooooooooooooooood morning!" (with the number of o's depending on the target's key-repeat setup.
QUACK HOLD KEYCODE 00,00,52
QUACK DELAY 1000
# Holds the up arrow key for about 1 second
Each target interprets held keys differently. When holding the spacebar on your keyboard, the keyboard is not sending a multitude of spacebar scan codes – rather a single hold and release. As you watch your cursor cross the screen, the rate is determined by the operating system.
QUACK LOCK and UNLOCK
LOCK will prevent the attached keyboard from passing through keystrokes to the target. This may be useful in payloads which need to temporarily lock out the user while a sensitive keystroke injection attack is occuring. Keys pressed on the attached keyboard are not buffered while using LOCK and will not be typed once unlocked.
UNLOCK will allow the attached keyboard to pass through keystrokes to the target once more after the QUACK LOCK command is issued.
Special Bash Considerations for QUACK STRING
The QUACK STRING command accepts strings interpreted by bash. Consider these key elements when using QUACK STRING.
QUACK STRING with Quotes
When using special characters, such as the apostrophe in the example below, wrap the string with quotes – otherwise bash will be expecting a second apostrophe to complete the quote, and the interpretation will not be what you expect.
QUACK STRING "Isn't this a cool string"
QUACK STRING and Escaping Special Characters
Alternatively, special characters may be escaped rather than wrapping the string in quotes.
QUACK STRING Isn\'t this a cool string
QUACK STRING with Command Substitution
Since QUACK STRING is interpreted by bash, command substitution may be used. In this example, the Key Croc will inject the keystrokes containing the output of the ifconfig command.
QUACK STRING "$(ifconfig usb0 | grep 'inet addr')"
Compare this to the following, without the $() command substitution directive, which actually injects the keystrokes of the command in question.
QUACK STRING "ifconfig usb0 | grep 'inet addr'"