Ducky Script Volume 18 — Cheatsheet — Ducky Script · Hacking

The whole manual compressed — the language, the four devices, the deploy steps, the patterns, the decision tree, and the posture checklist

Section	Topic
1	About this volume
2	Ducky Script 1.0 — the core
3	Ducky Script 3.0 — the structured language
4	Smart-payload + exfil quick reference
5	Key names and modifiers
6	The four devices — quick reference
7	Deploy — quick reference per device
8	The payload patterns
9	The device decision tree
10	The posture checklist
11	Volume index

1. About this volume

Vol 18 is the cheatsheet — the whole 18-volume manual compressed to laminate-ready reference. Nothing new; pure synthesis. Every entry points back to the volume with the full treatment. This is the page you keep open while you work.

2. Ducky Script 1.0 — the core

(Vol 3 — runs on every device)

Command	Does
`REM <text>`	comment (inject nothing). Header every payload; include an authorization ref.
`STRING <text>`	type the text (auto-shifts for uppercase/symbols)
`STRINGLN <text>`	`STRING` + `ENTER`
`DELAY <ms>`	pause (min ~20 ms). The blind payload’s only sync tool.
named keys	`ENTER` `TAB` `SPACE` `ESCAPE` `DELETE` `BACKSPACE` `UP`/`DOWN`/`LEFT`/`RIGHT` `F1`-`F12` `HOME` `END` `PAGEUP`/`PAGEDOWN` … (layout-independent)
modifiers	`SHIFT` `ALT` `CONTROL`/`CTRL` `COMMAND` `WINDOWS`/`GUI` — combine on one line: `GUI r`, `CTRL c`, `ALT F4`

Rules: one command per line · command words UPPERCASE · STRING’s argument is literal to end-of-line · payload runs top-to-bottom, once · a 1.0 payload types blind (Vol 3 §9).

3. Ducky Script 3.0 — the structured language

(Vol 4 — Mark II Ducky + dialects on Bunny/Croc/O.MG)

VAR $x = 0              # variable: unsigned int 0-65535, global scope, $ sigil
$x = ($x + 1)           # reassign (no += ; parentheses for grouping)
DEFINE #NAME value      # compile-time constant, # sigil, find-and-replace

IF ( $x > 0 ) THEN      # conditional
    ...
ELSE                    # optional
    ...
END_IF                  # mandatory close

WHILE ( $x < 10 )       # loop (no FOR — counter + WHILE)
    ...
END_WHILE

FUNCTION name()         # reusable block
    ...
    RETURN <int/bool>   # optional early return / value
END_FUNCTION
name()                  # call

REM_BLOCK ... END_REM           # multi-line comment
STRING ... END_STRING           # multi-line type (strips leading ws)
STRINGLN ... END_STRINGLN       # multi-line type (preserves formatting)
RESTART_PAYLOAD / STOP_PAYLOAD / RESET   # payload control

Operators: + - * / % ^ · == != > < >= <= · && || · & | >> << · parentheses required for grouping.

4. Smart-payload + exfil quick reference

(Vols 5-6)

Feature	Key syntax
OS detection	`IF ($_OS == WINDOWS)` / `MAC` / …
Lock-key state	`$_CAPSLOCK_ON` `$_NUMLOCK_ON` `$_SCROLLLOCK_ON`
Wait on host signal	`WAIT_FOR_CAPS_ON/OFF/CHANGE` (+ `NUM`, `SCROLL`)
Save/restore lock state	`SAVE_HOST_KEYBOARD_LOCK_STATE` / `RESTORE_…`
Button	`WAIT_FOR_BUTTON_PRESS` · `BUTTON_DEF…END_BUTTON` · `DISABLE/ENABLE_BUTTON`
Jitter	`$_JITTER_ENABLED = TRUE` · `$_JITTER_MAX = <ms>`
Randomization	`RANDOM_LETTER` `RANDOM_NUMBER` `RANDOM_SPECIAL` `RANDOM_CHAR` … · `$_RANDOM_INT` (`$_RANDOM_MIN`/`MAX`)
Attack mode	`ATTACKMODE HID` / `STORAGE` / `HID STORAGE` / `OFF`
Identity spoof	`ATTACKMODE HID VID_xxxx PID_xxxx MAN_… PROD_… SERIAL_…` (+ `_RANDOM` variants)
Save/restore mode	`SAVE_ATTACKMODE` / `RESTORE_ATTACKMODE`
Exfil (Keystroke Reflection)	`$_EXFIL_MODE_ENABLED = TRUE` · `EXFIL $var` → `loot.bin`
Hide payload files	`HIDE_PAYLOAD` / `RESTORE_PAYLOAD` (needs `ATTACKMODE OFF` or `HID`)
LED	`LED_OFF` `LED_R` `LED_G`

Timing-reliability hierarchy (best→worst): operator-gated (WAIT_FOR_BUTTON_PRESS) → host-confirmed (WAIT_FOR_CAPS_CHANGE) → OS-branched (IF $_OS) → blind DELAY. Climb it as far as the job allows.

5. Key names and modifiers

(Vol 3 §6-7 — named keys are LAYOUT-INDEPENDENT; typed characters are NOT — Vol 7)

Navigation : UP DOWN LEFT RIGHT (UPARROW…) PAGEUP PAGEDOWN HOME END
             INSERT DELETE/DEL BACKSPACE TAB SPACE
System     : ENTER ESCAPE PAUSE/BREAK PRINTSCREEN MENU/APP F1-F12
Lock       : CAPSLOCK NUMLOCK SCROLLLOCK
Modifiers  : SHIFT ALT CONTROL/CTRL COMMAND WINDOWS/GUI
Combos     : CTRL SHIFT · ALT SHIFT · COMMAND CTRL · CONTROL ALT DELETE …
Standalone : INJECT_MOD WINDOWS   (taps a modifier alone)
Hold       : HOLD <key> / RELEASE <key>

Cross-OS gotchas: GUI r = Run dialog (Win only) · GUI SPACE = Spotlight (macOS) · branch on $_OS for portability.

6. The four devices — quick reference

(Vols 8-11)

	Rubber Ducky	Bash Bunny	Key Croc	O.MG
Is	microcontroller	Linux box	Linux box	ESP implant
Form	”flash drive”	chunky stick	inline adapter	cable/plug/adapter
Fires on	plug-in	plug-in (~7s boot)	a `MATCH`	remote / geo trigger
Vectors	HID (+storage)	HID/storage/serial/ETH	HID/storage/serial/ETH	HID
Network	none	ETH emulation	Wi-Fi	Wi-Fi
Remote ops	no	no	yes	yes (web UI)
Covert	visual only	no	visible if looked-for	yes — IS the object
Exfil	Keystroke Reflection	SSD / network	keylog + Wi-Fi	over its Wi-Fi
Best at	fast clean injection	multi-vector + tooling	observe-then-act	covert + remote + leave

7. Deploy — quick reference per device

(Vol 12)

Device	Author/encode	Deploy
Rubber Ducky	Payload Studio (official editor+encoder) → `inject.bin`	copy `inject.bin` to the microSD card
Bash Bunny	bunny script (DuckyScript + bash)	arming switch → copy into a slot folder
Key Croc	`MATCH` + action	arming/`udisk` mode → copy payload + set matches + Wi-Fi
O.MG	author in the web UI	web UI over Wi-Fi → slot (remote, re-deployable)

Payload Studio tips: default tool, always-current · set the keyboard layout deliberately every time (Vol 7 — wrong layout = silent garbage) · keep payload.txt in scripts/ under version control · REM-header (what / OS / layout / auth) · DEFINE tuning constants up top · re-encode after every edit (inject.bin is a build artifact) · a successful encode = valid syntax, not correct payload.

Testing gate (Vol 12 §10): owned machine · target layout · target OS (both branches) · watched doing the right thing · re-tested after the last edit · community payloads read line-by-line.

8. The payload patterns

(Vol 13)

Pattern	Shape	Use
Launcher	settle → open a runner → type a command	the 80% case: “execute this”
Staged loader	type a SHORT loader → it pulls/runs the real payload	long/symbol-heavy payloads; minimal typed footprint
OS-adaptive	`IF $_OS` → per-OS body	one payload, multiple targets (3.0)
Exfiltrator	get data off — mechanism differs per device	objective is a credential/token/file
Operator-gated	`WAIT_FOR_BUTTON_PRESS` → body	operator confirms the moment (best timing)
Conditional/triggered	`MATCH` / geo-fence → body	fires on target behaviour or environment

Payload anatomy: HEADER (REM + auth) · CONFIG (DEFINE/ATTACKMODE/VAR) · GATE (optional) · SETTLE (DELAY/RESET) · BODY (the pattern) · CLOSE (restore state, leave clean).

9. The device decision tree

(Vol 17)

WHEN must it fire?
  plug-in + just typing .............. USB RUBBER DUCKY
  plug-in + need network/storage/
    serial/Linux tooling ............. BASH BUNNY
  when the TARGET types a trigger .... KEY CROC
  when I decide / a condition ........ O.MG

OVERRIDES:
  must be genuinely COVERT ........... O.MG (overrides above)
  must CAPTURE what's typed ......... KEY CROC (overrides above)
  needs more than one device ........ COMBINED workflow (Vol 14)

Four axes: timing (when fires — dominant) · access (what physical access) · capability (is typing enough) · detection (stealth requirement).

10. The posture checklist

(Vol 16 — EVERYONE reads Vol 16)

THE CORE FACT: there is NO passive mode. If a Ducky Script
device is doing anything, it is ACTING on a computer system.
THE LINE: owned hardware OR explicit written authorization.
No third lawful category.

PRE-ENGAGEMENT
  □ Written authorization artifact — IN HAND, ON me
  □ Names: who / which systems / which actions / which devices
  □ Implants explicitly authorized to be LEFT
  □ Keylogging (Key Croc) authorized explicitly — incl.
    interception/consent (Vol 16 §7 — the hard gate)
  □ Data handling + destruction specified
  □ Points of contact named
  □ Every payload: REM-headed, vetted, scoped, TESTED
  □ Community payloads edited DOWN to scope
  □ Implants: trigger/geo-fence scoped tight; retrieval plan
  □ I can articulate the legal basis for every planned action

IF DISCOVERED
  □ STOP · PRODUCE the artifact · CONTACT the POC ·
    don't destroy/flee/lie · DOCUMENT

CLOSEOUT
  □ Every device accounted for; every implant RETRIEVED
  □ Every changed host RESTORED — left clean
  □ All captured data handled + DESTROYED per the artifact
  □ Added attack surface (C2, device Wi-Fi) torn down
  □ Report written — incl. which controls would have stopped it

11. Volume index

Vol	Title	Vol	Title
1	Overview — keystroke injection, the device family, the decision tree	10	The Key Croc
2	History & generations	11	The O.MG Family: Cable, Plug & Adapter
3	The language core (Ducky Script 1.0)	12	The encode & deploy workflow (Payload Studio)
4	Ducky Script 3.0 — the structured language	13	Payload patterns, worked examples & the Payload Hub
5	Smart payloads — detection, jitter & timing	14	Combined-device & combined-tool workflows
6	Exfiltration & ATTACKMODE	15	Defense & detection
7	Keyboard layouts — the cross-locale problem	16	Operational posture — legal, ethics & OPSEC
8	The USB Rubber Ducky	17	Device comparison & which-to-use-when
9	The Bash Bunny	18	Cheatsheet (this volume)

Sibling reference: the WiFi Pineapple deep dive — (combined workflows: Vol 14). Hub: ../_shared/comparison.md · ../_shared/legal_ethics.md.

This is Volume 18 of an 18-volume series — the final volume. The manual is complete: Part I (Vols 1-7) is the language, Part II (Vols 8-12) is the four owned devices and the deploy workflow, Part III (Vols 13-18) is payloads, combined workflows, defense, posture, device selection, and this cheatsheet. Start anywhere the [volume index] points you; everyone reads Vol 16.

Ducky Script Volume 18 — Cheatsheet

Contents