Your Cart is Empty
Founded in 2005, Hak5's mission is to advance the InfoSec industry. We do this through our award winning podcasts, leading pentest gear, and inclusive community – where all hackers belong.
Founded in 2005, Hak5's mission is to advance the InfoSec industry. We do this through our award winning podcasts, leading pentest gear, and inclusive community – where all hackers belong.
Community developed payloads for Hak5 gear are featured and awarded at PayloadHub — a growing library of currated content.
Unleash your hacking creativity with the online payload editor: PayloadStudio
Link to your collections, sales and even external links
Add up to five columns
Community developed payloads for Hak5 gear are featured and awarded at PayloadHub — a growing library of currated content.
Unleash your hacking creativity with the online payload editor: PayloadStudio
Link to your collections, sales and even external links
Add up to five columns
A script used to exfiltrate the Standard username and password by a phishing campaign. This DuckyScript code performs several actions related to downloading and unzipping a file from a specified link. The script creates a new random directory, downloads a zip file from the specified URL, and unzips it. It also opens a login page. This payload was created and tested on Linux but since the HTML markup code and JavaScript language are cross platform it will certainly be usable on machines running Windows or MacOS as well. However, it is essential to modify the DuckyScript script appropriately according to the terminal emulator used (PowerShell for Windows, Shell MacOS for Macs) since the commands are often not the same. To make it easier to use below you can find the various tested configurations, at the moment it is not available for macOS because since I do not have one it cannot be tested and therefore I cannot give the certainty that it works, however I hope that in the Hak5 community there may be someone who can contribute to this payload by completing it with this missing part.
Phishing is a popular technique for gaining access to a target. Generally, phishing is a digitally delivered social engineering method. Phishing techniques may use a wide net, or specifically target one role or individual — known as spearphishing. Many phishing campaigns involve tricking a target into divulging confidential information, such as by mimicking a known-trusted source — be it a website or person. See all phishing payloads.
This payload is for the USB Rubber Ducky — a "flash drive" that types keystroke injection payloads into unsuspecting computers at incredible speeds. It's no wonder this little quacker has made appearances on Mr. Robot, FBI, Blacklist, National Geography and more!
Submit your own payload, or browse more featured USB Rubber Ducky Payloads.
Get RewardedGet your payload in front of thousands. Enter to win over $2,000 in prizes in the Hak5 Payload Awards!
Awarded Payloads
ContributeSubmit entries to a payload repository by pull request. New to github? See this Hak5 tutorial video.
CollaborateGet inspired, showcase your work and receive helpful feedback on your payloads in the Hak5 Community!
CautionThird-party payloads executing as root may cause damage and come AS-IS without warranty or guarantees.
DisclaimerPayloads are for education and auditing where permitted subject to local and international laws. Users are solely responsible for compliance. Hak5 claims no responsibility for unauthorized or unlawful use.
Stats442 featured payloads in this library. Hundreds more at GitHub.com/Hak5.
Leaderboard