DuckyScript™ Syntax Guide
DuckyScript™ syntax is simple. Each command resides on its own line and may be followed by options. Commands are written in ALL CAPS. Most commands invoke keystrokes, key combos or strings of text, while some insert delays or pauses, and some control actions of the OMG device itself. Below is a list of commands and their function, followed by example usage. The full list of available keys is at the end of this page.
Similar to the REM command in BASIC and other languages, lines beginning with REM are not processed: REM marks a comment.
REM The next three lines execute a command prompt in Windows
GUI r
STRING cmd
ENTER
REM_BLOCK is also a comment, but in block form: everything between REM_BLOCK and END_REM is removed by the compiler.
REM_BLOCK Hello,
World!
END_REM
Specify the language keymap used during payload execution so that it matches the target host's keymap. When defined inside a payload, it overrides the system-wide default configured in the OMG device settings. The keymap only governs how the device translates characters into HID keycodes; if the host's active layout differs from the one you set, punctuation and shifted characters typed by STRING will come out wrong, so verify the target's layout before deployment.
OMG devices support 191 keymaps. This represents every keymap supported by Windows, macOS and Linux combined.
Where a two-character ISO 3166 alpha-2 code exists, that code is used. Many keyboards are not represented by that standard; those are identified by a longer code containing an underscore. See the full list below:
DUCKY_LANG US
REM setting the language to US English
DUCKY_LANG FR
REM setting the language to French
REM all 191 keymaps available:
AR_101, AR_102, AR_FR, AR_SY_P, AR_SY_S, AR_US, AS, AZ, AZ_C, AZ_L, BA, BE, BG, BG_P, BG_PT, BG_T, BN, BN_I, BN_IL, BO, BO_U, BR, BS, BUG, BY, CA, CA_FR, CA_N, CHR, CS, CS_101, CS_P, DA, DE, DE_CH, DV_P, DV_T, DVORAK, DVORAK_L, DVORAK_R, DZ, EL, EL_220, EL_220L, EL_319, EL_319L, EL_L, EL_P, ES, ES_A, ET, FA, FA_S, FI, FI_S, FO, FR, FR_CH, FTHRK, GD, GL, GN, GOTHIC, GU, HAWAII, HE, HE_S, HI, HR, HU, HU_101, HY, HY_P, HY_T, HY_W, IE, IN_EN, IN_SD, IR, IS, IT, IT_142, JP, JP_101, JP_102, JP_106, JP_AX2, JV, KA, KA_E, KA_MES, KA_O, KA_Q, KH, KK, KM, KN, KO, KO_103, KY, LA, LISU, LISU_B, LK411_AJ, LK411_JJ, LO, LT, LT_S, LT_T, LV, LV_Q, LV_S, MAORI, MK, MK_S, ML, MM, MN, MN_M, MN_S, MR, MT_47, MT_48, NE, NG, NI, NKO, NL, NO, NO_S, NO_SE, NSO, NTL, OGHAM, OLCHIKI, OR, PA, PHAGS, PL, PL_P, PS, PT, RO, RO_P, RO_S, RU, RU_M, RU_SAKHA, RU_T, SB, SB_E, SB_L, SI, SK, SK_Q, SORA, SQ, SR_C, SR_L, SV_FI, SV_SE, TA, TA_99, TAILE, TE, TFNG_B, TFNG_E, TG, TH_K, TH_KN, TH_P, TH_PN, TK, TR_F, TR_Q, TT, TT_102, TZM, UG, UG_L, UK, UK_E, UKR, UKR_E, UR, US, US_M, UZ, VI, WOLOF, YO
DELAY creates a momentary pause in the script. It is handy for giving the target computer time to process sequential commands, for example waiting for a window to open before typing into it. The DELAY time is specified in milliseconds.
DELAY 500
REM will wait 500ms before continuing to the next command.
The DEFINE command defines a constant. A DEFINE within a payload behaves like a find-and-replace.
DEFINE #DELAY 2000
DEFINE #DEVICE OMG
DELAY #DELAY
STRING #DEVICE
STRING types the text that follows it, automatically applying SHIFT where a character requires it. STRING accepts a single character or many. Accepted characters: a…z A…Z 0…9 and the symbols !)`~+=_-"';:<,>.?[{]}/|!@#$%^&*()
GUI r
DELAY 50
STRING notepad.exe
ENTER
DELAY 100
STRING Hello World!
STRINGLN types a sequence of characters, like STRING, followed by an automatic ENTER.
GUI r
DELAY 50
STRINGLN notepad.exe
DELAY 100
STRING Hello World!
STRINGLN_BLOCK types a block of text, one STRINGLN per line, until END_STRINGLN.
STRINGLN_BLOCK
Hello World!
This is a test!
END_STRINGLN
GUI emulates the Meta key, also known as the Super key, Windows key or Command key.
GUI r
REM holds the Windows key and presses r; on Windows this opens the Run dialog.
Use the ENTER key.
ENTER
Sometimes it is necessary to press multiple keys at once. This is achieved by writing the keys on the same line.
ALT y
REM a shortcut to press YES when UAC prompts appear (English layout)
CTRL SHIFT ENTER
REM key combo for pressing ENTER as administrator
MOUSE emulates a mouse via DuckyScript. MOUSE MOVE takes X and Y offsets relative to the current pointer position. By default the buttons are: 1 = Left Click, 2 = Middle, 3 = Right, 4 = Scroll Up, 5 = Scroll Down, 6 = Back, 7 = Forward.
MOUSE MOVE [X: +/- INTEGER] [Y: +/- INTEGER]
MOUSE CLICK [MOUSE BUTTON NUMBER 1-15]
REM examples
MOUSE MOVE -10000 -10000
REM a large negative relative move pins the pointer at the top-left corner, i.e. the probable 0,0 coordinate
MOUSE CLICK 1
REM click the left mouse button
USB turns USB on or off (enumerates the implant as a USB device to the host). This happens automatically when you run a payload, but for debugging you may want to enumerate the implant to the USB host without sending any keystrokes.
USB ON
USB OFF
HIDX turns the HIDX TCP service on or off.
HIDX ON
HIDX OFF
JIGGLER turns the mouse jiggler on or off. It moves the mouse one pixel, randomly left or right, every 25 seconds to keep the OS screen lock from engaging.
JIGGLER ON
JIGGLER OFF
CAPSLOCK_DISABLE checks whether CAPS LOCK is on and, if so, toggles it off for the duration of the payload, restoring the previous state on completion. Without it, a host with CAPS LOCK on would receive STRING text with its case inverted.
CAPSLOCK_DISABLE
REBOOT reboots the cable's backend firmware. Note: if you have a boot slot payload enabled, it will run again after the reboot.
REBOOT
DEFAULT_DELAY adds an automatic DELAY of the given number of milliseconds before each command.
DEFAULT_DELAY 500
DEFAULT_DELAY_JITTER picks a random number between 0 and the specified value (in milliseconds) and adds it to the DEFAULT_DELAY before each command, so that the timing between commands varies from run to run.
DEFAULT_DELAY_JITTER 500
DEFAULT_CHAR_DELAY adds an automatic DELAY of the given number of milliseconds between each STRING character.
DEFAULT_CHAR_DELAY 500
DEFAULT_CHAR_DELAY_JITTER picks a random number between 0 and the specified value (in milliseconds) and adds it to the DEFAULT_CHAR_DELAY for each character.
DEFAULT_CHAR_DELAY_JITTER 500
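As an added example (not part of the O.MG documentation or firmware), the following Python helper estimates how long a flat payload will take to inject under the DEFAULT_DELAY, DEFAULT_DELAY_JITTER, DEFAULT_CHAR_DELAY and DEFAULT_CHAR_DELAY_JITTER settings described above. The function name is mine, the sample payload is constructed, and the model assumes that the automatic delay is paid once per command, the character delay once per typed character, and that REM lines and the DEFAULT_* directives themselves cost no time.

```python
import random


def injection_time_ms(lines, seed=None):
    """Estimate injection time of a flat payload (no DEFINE/REPEAT/blocks).

    Returns (minimum_ms, maximum_ms, one_sampled_run_ms). Model (assumption of
    this example, based on the guide's wording): DEFAULT_DELAY runs before every
    command, DEFAULT_DELAY_JITTER adds a uniform random 0..J ms on top of it, and
    DEFAULT_CHAR_DELAY plus its jitter is paid for every character typed by
    STRING or STRINGLN. REM lines and the DEFAULT_* directives cost nothing.
    """
    rng = random.Random(seed)
    default_delay = delay_jitter = char_delay = char_jitter = 0
    lo = hi = sampled = 0
    for raw in lines:
        line = raw.strip()
        if not line or line == "REM" or line.startswith("REM "):
            continue
        cmd, _, arg = line.partition(" ")
        if cmd == "DEFAULT_DELAY":
            default_delay = int(arg)
            continue
        if cmd == "DEFAULT_DELAY_JITTER":
            delay_jitter = int(arg)
            continue
        if cmd == "DEFAULT_CHAR_DELAY":
            char_delay = int(arg)
            continue
        if cmd == "DEFAULT_CHAR_DELAY_JITTER":
            char_jitter = int(arg)
            continue
        # automatic delay (plus jitter) preceding this command
        lo += default_delay
        hi += default_delay + delay_jitter
        sampled += default_delay + rng.randint(0, delay_jitter)
        if cmd == "DELAY":
            d = int(arg)
            lo += d
            hi += d
            sampled += d
        elif cmd in ("STRING", "STRINGLN"):
            n = len(arg)  # the automatic ENTER of STRINGLN is treated as free
            lo += n * char_delay
            hi += n * (char_delay + char_jitter)
            sampled += sum(char_delay + rng.randint(0, char_jitter) for _ in range(n))
    return lo, hi, sampled


# Constructed sample payload for this example.
SAMPLE = """DEFAULT_DELAY 100
DEFAULT_DELAY_JITTER 50
DEFAULT_CHAR_DELAY 10
DEFAULT_CHAR_DELAY_JITTER 5
GUI r
DELAY 500
STRING cmd
ENTER""".splitlines()

if __name__ == "__main__":
    lo, hi, one = injection_time_ms(SAMPLE, seed=1)
    print(f"min {lo} ms, max {hi} ms, sampled run {one} ms")
```

The minimum and maximum bound the window an operator has to keep the target's foreground window stable; the sampled run shows what one execution with jitter looks like. Because the jitter is uniform, the expected run time sits halfway between the two bounds.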
REPEAT repeats the command that follows the count the given number of times.
REM Injects the string "Hello World!" 50 times.
REPEAT 50 STRING Hello World!
Set the USB Vendor ID (VID) and Product ID (PID) that the implant presents when it enumerates; each is a 16-bit value written as 4 hex digits.
VID 1234
PID ABCD
Set the iManufacturer, iProduct and iSerial string descriptors (max. length 40 characters each).
MAN O.MG
PRO O.MG-CABLE
SER 0123456789
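Added example, not the O.MG compiler's code: a small Python preprocessor that applies the compile-time transforms this guide describes for REM and REM_BLOCK, DEFINE, STRINGLN_BLOCK and REPEAT, and checks the VID/PID and MAN/PRO/SER directives against the limits stated above (4 hex digits; 40 characters). Running a payload through it before flashing shows exactly what the device will inject and catches descriptor mistakes early. The hex-digit check is an assumption based on USB VID/PID being 16-bit values, the function and constant names are mine, and the sample payload is constructed from the guide's own snippets.

```python
import re

MAX_DESCRIPTOR_LEN = 40                 # MAN/PRO/SER limit stated in the guide
HEX4 = re.compile(r"^[0-9A-Fa-f]{4}$")  # assumption: VID/PID as 4 hex digits


def preprocess(source):
    """Expand a payload as the guide describes and validate descriptor directives.

    Returns (lines, problems). `lines` holds only what the device will inject:
    REM/REM_BLOCK removed, DEFINE constants substituted, STRINGLN_BLOCK turned
    into STRINGLN lines and inline REPEAT unrolled. `problems` lists mistakes.
    """
    src = source.splitlines()
    out, problems, defines = [], [], {}

    def substitute(text):
        # Find-and-replace of DEFINE constants, longest names first so that
        # "#DELAY" cannot clobber a constant named "#DELAY_LONG".
        for name in sorted(defines, key=len, reverse=True):
            text = text.replace(name, defines[name])
        return text

    i = 0
    while i < len(src):
        line = src[i].strip()
        i += 1
        if not line or line == "REM" or line.startswith("REM "):
            continue                                   # single-line comment
        if line.startswith("REM_BLOCK"):
            while i < len(src) and src[i].strip() != "END_REM":
                i += 1                                 # discard the block body
            i += 1                                     # skip END_REM
            continue
        if line == "STRINGLN_BLOCK":
            while i < len(src) and src[i].strip() != "END_STRINGLN":
                out.append("STRINGLN " + substitute(src[i]))
                i += 1
            i += 1                                     # skip END_STRINGLN
            continue
        if line.startswith("DEFINE "):
            parts = line.split(" ", 2)
            if len(parts) == 3:
                defines[parts[1]] = parts[2]
            else:
                problems.append(f"DEFINE without a value: {line!r}")
            continue
        line = substitute(line)
        if line.startswith("REPEAT "):
            _, count, command = line.split(" ", 2)
            out.extend([command] * int(count))
            continue
        cmd, _, arg = line.partition(" ")
        if cmd in ("VID", "PID") and not HEX4.match(arg):
            problems.append(f"{cmd} must be 4 hex digits, got {arg!r}")
        elif cmd in ("MAN", "PRO", "SER") and len(arg) > MAX_DESCRIPTOR_LEN:
            problems.append(
                f"{cmd} descriptor is {len(arg)} chars, limit is {MAX_DESCRIPTOR_LEN}")
        out.append(line)
    return out, problems


# Constructed sample payload assembled from the guide's snippets.
SAMPLE = """REM constructed sample payload for this example
DEFINE #DELAY 2000
DEFINE #DEVICE OMG
REM_BLOCK Hello,
World!
END_REM
DELAY #DELAY
STRING #DEVICE
STRINGLN_BLOCK
Hello World!
This is a test!
END_STRINGLN
REPEAT 3 STRING Hello World!
VID 1234
PID ABCD
MAN O.MG
SER 0123456789
"""

if __name__ == "__main__":
    expanded, issues = preprocess(SAMPLE)
    print("\n".join(expanded))
    for issue in issues:
        print("PROBLEM:", issue)
```

The expanded output is what the keystroke injection actually consists of, which is also what a defender reviewing a captured payload wants to see: comments and DEFINE indirection hide nothing once the substitution is applied.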
OMG's version of DuckyScript includes randomization features for random keystroke injection. This enables everything from payload obfuscation to unique values for mass device enrollment, and even games.
Command | Character Set |
---|---|
RANDOM_LOWERCASE_LETTER | abcdefghijklmnopqrstuvwxyz |
RANDOM_UPPERCASE_LETTER | ABCDEFGHIJKLMNOPQRSTUVWXYZ |
RANDOM_LETTER | abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ |
RANDOM_NUMBER | 0123456789 |
RANDOM_SPECIAL | !@#$%^&*() |
RANDOM_CHAR | abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789 !@#$%^&*() |
REM This will type out "RANDOM LOWERCASE LETTER:" and attach a random lower case letter at the end
DELAY 1000
STRING RANDOM LOWERCASE LETTER:
RANDOM_LOWERCASE_LETTER
KEYLOGGER turns the keylogger on or off. The default keylogging mode is keystrokes, but you may want HID mode to get the raw HID values of the intercepted keystrokes.
KEYLOGGER ON
REM turn on keylogging
KEYLOGGER ON KEY
REM turn on keylogging for keystrokes specifically
KEYLOGGER ON HID
REM turn on keylogging for raw HID values
KEYLOGGER OFF
REM turn off keylogging
With the geofencing features you can prevent payload execution when the OMG device leaves your scope: the O.MG Cable behaves like a normal cable until it walks in the front door of your target scope, and you can use self-destruct to clear your payloads and loot.
IF_PRESENT runs the payload if a 2.4GHz SSID/BSSID is seen. It scans only once. Optionally, specify SIGNAL for a minimum signal strength, measured as RSSI, with a range from 00 (strongest) to 99 (weakest). SSIDs are trivial to spoof and BSSIDs only slightly less so, so treat these gates as an operational convenience rather than a hard control.
IF_PRESENT SSID="SSIDNAME"
IF_PRESENT BSSID="AA:BB:CC:DD:EE:FF"
IF_NOTPRESENT runs the payload if a 2.4GHz SSID/BSSID is NOT seen. It scans only once. Optionally, specify SIGNAL for a minimum signal strength, measured as RSSI, with a range from 00 (strongest) to 99 (weakest).
IF_NOTPRESENT SSID="SSIDNAME"
IF_NOTPRESENT BSSID="AA:BB:CC:DD:EE:FF"
WAIT_FOR_PRESENT waits for a 2.4GHz SSID/BSSID to be present before continuing with the rest of the payload. Specify MINUTES for a timeout, otherwise it waits forever. Specify INTERVAL in seconds for how often the scan happens. An INTERVAL under 60 seconds tends to make it hard for most clients to keep a connection to the Web UI.
⚠️ In some use-cases, an infinite timeout can prevent you from accessing the wifi interface until the payload triggers. You can simply reflash the firmware if you lock yourself out.
WAIT_FOR_PRESENT SSID="MySSID"
WAIT_FOR_PRESENT BSSID="AA:BB:CC:DD:EE:FF"
WAIT_FOR_PRESENT SSID="MySSID" MINUTES="2" INTERVAL="90"
WAIT_FOR_PRESENT BSSID="AA:BB:CC:DD:EE:FF" MINUTES="2" INTERVAL="90"
WAIT_FOR_NOTPRESENT waits for a 2.4GHz SSID/BSSID to NOT be present before continuing with the rest of the payload. Specify MINUTES for a timeout, otherwise it waits forever. Specify INTERVAL in seconds for how often the scan happens. An INTERVAL under 60 seconds tends to make it hard for most clients to keep a connection to the Web UI.
⚠️ In some use-cases, an infinite timeout can prevent you from accessing the wifi interface until the payload triggers. You can simply reflash the firmware if you lock yourself out.
WAIT_FOR_NOTPRESENT SSID="MySSID"
WAIT_FOR_NOTPRESENT BSSID="AA:BB:CC:DD:EE:FF"
WAIT_FOR_NOTPRESENT SSID="MySSID" MINUTES="2" INTERVAL="90"
WAIT_FOR_NOTPRESENT BSSID="AA:BB:CC:DD:EE:FF" MINUTES="2" INTERVAL="90"
OMG devices that support self-destruct can neutralize themselves until you reflash the firmware. This removes payloads, keylogs/loot and the active firmware.
Self-Destruct lets you disarm the cable and erase sensitive data. Full functionality can only be restored once the cable is physically reclaimed and the firmware is re-flashed; until then, the cable stays neutralized. You also have the option to disconnect the cable's data lines so it appears "broken", which encourages the target to dispose of it.
SELF-DESTRUCT 1 completely erases all data and disconnects the data lines so the cable behaves as if its data lines were broken. You will need to reflash the firmware to recover.
⚠️ ALL SAVED CONFIGURATIONS AND PAYLOADS WILL BE ERASED!
SELF-DESTRUCT 1
SELF-DESTRUCT 2 erases all data but leaves the data lines connected, so the cable keeps working as a normal cable. You will need to reflash the firmware to recover.
⚠️ ALL SAVED CONFIGURATIONS AND PAYLOADS WILL BE ERASED!
SELF-DESTRUCT 2
A small example payload which opens notepad.exe, types "Watch me self destruct!" and executes the first form of self-destruct, which completely erases all data and disconnects the data lines so the cable behaves as if broken:
DELAY 2000
GUI r
DELAY 250
STRING notepad.exe
ENTER
DELAY 250
STRING Watch me self destruct!
DELAY 1500
REM I will now destroy myself!
SELF-DESTRUCT 1
The OMG version of DuckyScript™ supports a wide variety of keys, all listed below. A key is pressed by writing its name on its own line, spelled exactly as listed; several key names on one line are pressed together as a combo.
Basic keys: NOKEY (sends a NULL value, i.e. no key), ENTER, ESC, BACKSPACE, TAB, SPACE, CAPSLOCK.
Function keys F1 through F24, whichever you choose:
F1
REM press the F1 key
F23
REM press the F23 key
System and navigation keys: PRINTSCREEN, SCROLLLOCK, PAUSE, INSERT, HOME, PAGEUP, DELETE, END, PAGEDOWN.
Arrow keys: RGHTARROW, LEFTARROW, DOWNARROW, UPARROW.
RGHTARROW
REM use the right arrow key
LEFTARROW
REM use the left arrow key
DOWNARROW
REM use the down arrow key
UPARROW
REM use the up arrow key
Keypad keys: NUMLOCK, KPAD_SLASH, KPAD_ASTERISK, KPAD_MINUS, KPAD_PLUS, KPAD_ENTER, the keypad number keys (KPAD_9, KPAD_5 and so on), KPAD_DOT.
KPAD_9
REM use the KPAD_9 key
KPAD_5
REM use the KPAD_5 key
Additional keys: 102ND, COMPOSE, POWER, KPEQUAL, OPEN, HELP, PROPS, FRONT, STOP, AGAIN, UNDO, CUT, COPY, PASTE, FIND, MUTE, VOLUMEUP, VOLUMEDOWN, LOCKING_CAPSLOCK, LOCKING_NUMLOCK, LOCKING_SCROLLLOCK, KPAD_COMMA, KPAD_EQUAL.
Japanese and Korean keys: RO, KATAKANAHIRAGANA, YEN, HENKAN, MUHENKAN, KPJPCOMMA, INT7, INT8, INT9, HANGEUL, HANJA, KATAKANA, HIRAGANA, ZENKAKUHANKAKU, and the LANG keys, for example LANG6 or LANG8:
LANG6
REM press the LANG6 key
LANG8
REM press the LANG8 key
Further HID keys: ALTERASE, SYSREQ, CANCEL, CLEAR, PRIOR, RETURN, SEPARATOR, OUT, OPER, CRSEL, EXSEL.
Extended keypad keys: KPAD_00, KPAD_000, KPAD_THOUSANDSSEPARATOR, KPAD_DECIMALSEPARATOR, KPAD_CURRENCYUNIT, KPAD_CURRENCYSUBUNIT, KPAD_LEFTPAREN, KPAD_RIGHTPAREN, KPAD_{, KPAD_}, KPAD_Tab, KPAD_Backspace, KPAD_A, KPAD_B, KPAD_C, KPAD_D, KPAD_E, KPAD_F, KPAD_XOR, KPAD_^, KPAD_%, KPAD_<, KPAD_>, KPAD_&, KPAD_&&, KPAD_|, KPAD_||, KPAD_:, KPAD_#, KPAD_Space, KPAD_@, KPAD_!, KPAD_MEMSTORE, KPAD_MEMRECALL, KPAD_MEMCLEAR, KPAD_MEMADD, KPAD_MEMSUB, KPAD_MEMMULT, KPAD_MEMDIV, KPAD_PLUSMINUS, KPAD_CLEAR, KPAD_CLEARENTRY, KPAD_BINARY, KPAD_OCTAL, KPAD_DECIMAL, KPAD_HEXADECIMAL.
Modifier keys: LEFTCTRL, LEFTSHIFT, LEFTALT, LEFTMETA (also known as the Windows or Command key), RIGHTCTRL, RIGHTSHIFT, RIGHTALT, RIGHTMETA (also known as the Windows or Command key).
Media keys: MEDIA_PLAYPAUSE, MEDIA_STOPCD, MEDIA_PREVIOUSSONG, MEDIA_NEXTSONG, MEDIA_EJECTCD, MEDIA_VOLUMEUP, MEDIA_VOLUMEDOWN, MEDIA_MUTE, MEDIA_WWW (depending on the target device, opens the default browser), MEDIA_BACK, MEDIA_FORWARD, MEDIA_STOP, MEDIA_FIND, MEDIA_SCROLLUP, MEDIA_SCROLLDOWN, MEDIA_EDIT, MEDIA_SLEEP, MEDIA_COFFEE (used on a few devices; it got its start with the Confidential Coffee Maker), MEDIA_REFRESH, POP_CALC (depending on the target device, opens the calculator).