DuckyScript for the WiFi Pineapple Pager
Payloads are scripts integrated with DuckyScript commands which leverage the power of the WiFi Pineapple system.
DuckyScript is the payload language of Hak5 gear.
Originating on the Hak5 USB Rubber Ducky as a standalone language, the Packet Squirrel uses DuckyScript commands to bring the ethos of easy-to-use actions to the payload language.
DuckyScript commands are always in all capital letters to distinguish them from other system or script language commands. Typically, they take a small number of options (or sometimes no options at all).
Payloads can be constructed of DuckyScript commands alone, or combined with the power of bash scripting and system commands to create fully custom, advanced actions.
DuckyScript commands themselves are often written in bash as well, though some commands are provided as binaries to increase performance.
Pager-specific DuckyScript commands
Pager DuckyScript commands interact with the pager UI: Use these to prompt the user to confirm actions, enter text, data, and addresses, make other selections, or just keep the user informed.
The majority of these commands must be run from inside a user or recon payload, since they take over the screen!
| DuckyScript command | Use | Details |
|---|---|---|
| ALERT | Raise a full-screen alert | Documentation |
| BATTERY_CHARGING | Return battery charging state | – |
| BATTERY_PERCENT | Return battery charging percentage | – |
| CONFIGURATION | Persistent configuration commands | Documentation |
| CONFIRMATION_DIALOG | Prompt the user with a yes or no confirmation | Documentation |
| DISABLE_DISPLAY | Turn off the Pager display | – |
| DPADLED_CONFIG | Configure the default DPAD LED color | – |
| ENABLE_DISPLAY | Turn the Pager display on | – |
| ERROR_DIALOG | Show the user error information | Documentation |
| IP_PICKER | Prompt the user to enter an IPv4 address | Documentation |
| LOG | Send text to the payload log | Documentation |
| MAC_PICKER | Prompt the user to enter a MAC address | Documentation |
| NUMBER_PICKER | Prompt the user to enter a numerical value | Documentation |
| PROMPT | Raise a modal alert and wait for the user to continue | Documentation |
| RINGTONE | Play a ringtone or ringtone file, with optional vibration | Documentation |
| START_SPINNER | Start an indefinite progress spinner | Documentation |
| STOP_SPINNER | Stop an indefinite progress spinner | Documentation |
| TEXT_PICKER | Prompt the user to enter free-form text | Documentation |
| VIBRATE | Activate the haptic vibration motor in sync with a ringtone file | Documentation |
| WAIT_FOR_BUTTON_PRESS | Wait for the user to press a physical button | Documentation |
| WAIT_FOR_INPUT | Wait for the user to press any physical button | Documentation |
Pineapple-specific DuckyScript commands
Pineapple DuckyScript commands interact with the WiFi Pineapple access point and recon functions: Use these to control Pineapple-specific configuration and functions.
| DuckyScript command | Use | Details |
|---|---|---|
| FIND_CLIENT_IP | Find the IP address of a client connected to a WiFi Pineapple access point | Documentation |
| GPS_CONFIGURE | Configure the serial port and speed of a USB GPS device | – |
| GPS_GET | Get the current GPS coordinates, if known | – |
| GPS_LIST | List available GPS serial ports | – |
| INSTALL_FIRMWARE | Validate and install an uploaded firmware | – |
| PINEAPPLE_DEAUTH_CLIENT | Deauthenticate a client from a Wi-Fi network | Documentation |
| PINEAPPLE_EXAMINE_BSSID | Stop channel hopping and lock to the channel used by a known access point | Documentation |
| PINEAPPLE_EXAMINE_CHANNEL | Stop channel hopping and lock to a channel | Documentation |
| PINEAPPLE_EXAMINE_RESET | Resume normal channel hopping | Documentation |
| PINEAPPLE_DEVICE_FILTER_ADD | Add a MAC address to the Pineapple AP device filters | Documentation |
| PINEAPPLE_DEVICE_FILTER_ADD_FILE | Add a list of MAC addresses in a file to the Pineapple AP device filters | Documentation |
| PINEAPPLE_DEVICE_FILTER_CLEAR | Delete all MAC addresses from the Pineapple AP device filters | Documentation |
| PINEAPPLE_DEVICE_FILTER_DEL | Delete a MAC address from the Pineapple AP device filters | Documentation |
| PINEAPPLE_DEVICE_FILTER_LIST | List MAC addresses in the Pineapple AP device filters | Documentation |
| PINEAPPLE_DEVICE_FILTER_MODE | Control Pineapple AP device filter mode | Documentation |
| PINEAPPLE_HOPPING_START | Resume recon channel hopping | – |
| PINEAPPLE_HOPPING_STOP | Stop recon channel hopping | – |
| PINEAPPLE_LOOT_ARCHIVE | Archive current loot (handshakes, pcap, wigle, and other loot) in a timestamped directory | – |
| PINEAPPLE_MIMIC_DISABLE | Disable open AP mimic mode | Documentation |
| PINEAPPLE_MIMIC_ENABLE | Enable open AP mimic mode | Documentation |
| PINEAPPLE_NETWORK_FILTER_ADD | Add an SSID to the Pineapple AP network filters | Documentation |
| PINEAPPLE_NETWORK_FILTER_ADD_FILE | Add a list of SSIDs in a file to the Pineapple AP network filters | Documentation |
| PINEAPPLE_NETWORK_FILTER_CLEAR | Delete all SSIDs from the Pineapple AP network filters | Documentation |
| PINEAPPLE_NETWORK_FILTER_DEL | Delete an SSID from the Pineapple AP network filters | Documentation |
| PINEAPPLE_NETWORK_FILTER_LIST | List SSIDs in the Pineapple AP network filters | Documentation |
| PINEAPPLE_NETWORK_FILTER_MODE | Control Pineapple AP network filter mode | Documentation |
| PINEAPPLE_RECON_NEW | Start a new recon session | Documentation |
| PINEAPPLE_SET_BANDS | Configure the Wi-Fi bands monitored by recon | Documentation |
| PINEAPPLE_SSID_POOL_ADD | Add an SSID to the Pineapple SSID impersonation pool | Documentation |
| PINEAPPLE_SSID_POOL_ADD_FILE | Add a list of SSIDs in a file to the Pineapple SSID impersonation pool | Documentation |
| PINEAPPLE_SSID_POOL_CLEAR | Clear the Pineapple SSID impersonation pool | Documentation |
| PINEAPPLE_SSID_POOL_COLLECT_START | Start automatic collection of probe requests in the Pineapple SSID impersonation pool | Documentation |
| PINEAPPLE_SSID_POOL_COLLECT_STOP | Stop automatic collection of the Pineapple SSID impersonation pool | Documentation |
| PINEAPPLE_SSID_POOL_DELETE | Delete an SSID from the Pineapple SSID impersonation pool | Documentation |
| PINEAPPLE_SSID_POOL_LIST | List the contents of the Pineapple SSID impersonation pool | Documentation |
| PINEAPPLE_SSID_POOL_START | Start advertising networks in the Pineapple SSID impersonation pool | Documentation |
| PINEAPPLE_SSID_POOL_STOP | Stop advertising networks in the Pineapple SSID impersonation pool | Documentation |
| WIFI_OPEN_AP | Configure the open access point | – |
| WIFI_OPEN_AP_CLEAR | Clear the open access point configuration | – |
| WIFI_OPEN_AP_DISABLE | Disable the open access point | – |
| WIFI_OPEN_AP_HIDE | Set the open access point to hidden | – |
| WIFI_PCAP_START | Start an optimized packet capture | Documentation |
| WIFI_PCAP_STOP | Stop packet capture | Documentation |
| WIFI_WPA_AP | Configure the WPA access point | – |
| WIFI_WPA_AP_CLEAR | Clear the WPA access point configuration | – |
| WIFI_WPA_AP_DISABLE | Disable the WPA access point | – |
| WIFI_WPA_AP_HIDE | Set the WPA access point to hidden | – |
| WIGLE_LOGIN | Fetch a WiGLE login token | Documentation |
| WIGLE_LOGOUT | Remove WiGLE API tokens | Documentation |
| WIGLE_START | Start a WiGLE log | Documentation |
| WIGLE_STOP | Stop a WiGLE log | Documentation |
| WIGLE_UPLOAD | Upload a WiGLE log to the service | Documentation |
Payload configuration commands
Payload configuration DuckyScript commands store configuration values in the standard UCI-based configuration system.
| DuckyScript command | Use | Details |
|---|---|---|
| PAYLOAD_DEL_CONFIG | Delete a payload configuration value | – |
| PAYLOAD_GET_CONFIG | Get a payload configuration value | – |
| PAYLOAD_SET_CONFIG | Set a payload configuration value | – |
Wi-Fi configuration commands
Configure Wi-Fi client mode and the management access point.
| DuckyScript command | Use | Details |
|---|---|---|
| WIFI_CLEAR | Clear client Wi-Fi mode configuration | – |
| WIFI_CONNECT | Connect to a Wi-Fi network as a client | – |
| WIFI_DISCONNECT | Disconnect from client mode Wi-Fi | – |
| WIFI_MGMT_AP | Configure the management access point | – |
| WIFI_MGMT_AP_CLEAR | Clear the management access point configuration | – |
| WIFI_MGMT_AP_DISABLE | Disable the management access point | – |
| WIFI_MGMT_AP_HIDE | Set the management access point to hidden | – |
| WIFI_WAIT | Wait for the client-mode Wi-Fi to connect | – |
VPN configuration commands
The WiFi Pineapple Pager supports the OpenVPN and WireGuard VPN protocols out of the box.
| DuckyScript command | Use | Details |
|---|---|---|
| OPENVPN_CONFIGURE | Provision an OpenVPN configuration | – |
| OPENVPN_DISABLE | Disable OpenVPN | – |
| OPENVPN_ENABLE | Enable OpenVPN | – |
| WIREGUARD_CONFIGURE | Configure the WireGuard VPN | – |
| WIREGUARD_DISABLE | Disable the WireGuard VPN | – |
| WIREGUARD_ENABLE | Enable the WireGuard VPN | – |
AutoSSH commands
AutoSSH maintains a standard SSH connection (with port forwarding).
| DuckyScript command | Use | Details |
|---|---|---|
| AUTOSSH_ADD_PORT | Add a port forward to AutoSSH | – |
| AUTOSSH_CLEAR | Clear AutoSSH configuration | – |
| AUTOSSH_CONFIGURE | Configure AutoSSH | – |
| AUTOSSH_DISABLE | Disable AutoSSH | – |
| AUTOSSH_ENABLE | Enable AutoSSH | – |
| SSH_ADD_KNOWN_HOST | Add a known SSH host | – |
DNS Spoof commands
Manipulate the local DNS server provided to clients of the Pineapple access points.
| DuckyScript command | Use | Details |
|---|---|---|
| DNSSPOOF_ADD_HOST | Add a host to DNS spoofing | – |
| DNSSPOOF_CLEAR | Clear DNS spoofing configuration | – |
| DNSSPOOF_DEL_HOST | Delete a host from DNS spoofing | – |
| DNSSPOOF_DISABLE | Disable DNS spoofing engine | – |
| DNSSPOOF_ENABLE | Enable DNS spoofing engine | – |
Miscellaneous commands
| DuckyScript command | Use | Details |
|---|---|---|
| LED | Change the LED | – |
| SYSTEM_DNS | Override the system DNS | – |