The authoritative field manual for HΛX•STIK operators. This briefing provides a comprehensive deep-dive into the ESP32-S3 hardware architecture, secure management of the onboard HΛXSTIK OS, advanced DuckyScript payload engineering, and tactical evasion techniques for stealthy physical access audits.
The HΛX•STIK is a highly advanced physical access penetration testing tool. Built on the ESP32-S3 architecture, it features a dual-core Xtensa LX7 processor and 8MB of onboard SPIFFS flash memory.
Unlike traditional flash drives, it operates in dual-mode (Hardware CDC + HID). This means it functions as a Keyboard/Mouse to inject keystrokes, and as a Serial Port to receive exfiltrated data, entirely bypassing Endpoint Detection & Response (EDR) systems.
To write payloads, deploy scripts, and view stolen data, you must access the HΛXSTIK OS.
Once connected, open your web browser and navigate to http://192.168.4.1.
Note: It is highly recommended to change these credentials from the Settings tab after your first login.
The Dashboard serves as the central command hub for your physical auditing operations. It provides a real-time overview of all .txt DuckyScript payloads currently residing within the device's internal SPIFFS memory.
From this primary interface, operators can rapidly trigger live injections, modify existing scripts on the fly, or immediately halt an active deployment using the emergency failsafe controls.
🛑 EMERGENCY STOP: This is your ultimate operational failsafe. Clicking this button immediately aborts any currently active payload execution, flushes the remaining command queue, and forcefully releases all held modifier keys (like CTRL or ALT) to prevent locked keyboard states on the target. Engage this immediately if the target machine loses window focus or if the payload begins injecting into an unintended application, preventing accidental damage or detection.
⟳ REFRESH LIST: Manually forces the HΛXSTIK OS to re-index the onboard SPIFFS flash memory and synchronize the web dashboard. Because the device handles file writes asynchronously to maintain performance, you should click this button to update your view if you have just saved a new script from the Payload Studio or if a recently uploaded text file fails to appear in your library automatically.
▶️ RUN: Instantly initiates the deployment of the selected payload against the connected target. Upon clicking, the onboard processor compiles the DuckyScript instructions and begins high-speed HID injection at over 1000 WPM. The device's physical blue LED will strobe rapidly to indicate active data transmission, allowing you to visually confirm from a distance when the execution has fully completed.
🖊️ EDIT: Seamlessly ports the selected script into the integrated Payload Studio for on-the-fly modifications. This allows operators to tweak timing delays, adjust commands, or rewrite logic directly from a smartphone browser without ever needing to mount the HΛX•STIK as a mass storage device—thereby maintaining perfect operational stealth during an active physical engagement.
✕ DELETE: Permanently removes the selected payload from the device's internal SPIFFS memory. This action is instantaneous and cannot be reversed. Operators should utilize this function to free up critical storage space for captured exfiltration data, or to rapidly wipe forensic evidence of specific attack vectors from the hardware immediately following a successful physical engagement.
📂 IMPORT FILE: Tap this to browse your phone/PC storage and upload a pre-written `.txt` DuckyScript file.
🖊️ FILENAME INPUT: Type the name of your payload here. The name must include `.txt` (e.g., `wifi_grab.txt`). If a file with that name already exists, it is overwritten.
⏯ GRID BUTTONS: 16 quick-access buttons to rapidly build payloads on mobile without typing.
These modules elevate the HΛX•STIK from a simple keystroke injector into a covert, professional-grade auditing implant.
While standard "rubber duckies" blindly drop payloads and hope for the best, modern enterprise networks are actively hunting for anomalous USB behavior. The HΛXSTIK OS is engineered to give you the upper hand against strict Endpoint Detection & Response (EDR) systems.
The following tools are designed to provide Situational Awareness (knowing when it's safe to strike), Identity Evasion (bypassing hardware blocks), and Secure Exfiltration (stealing data without touching the internet). They ensure your physical presence remains completely undetected.
KEYLOGGER EXPLAINED: Enable memory-safe keystroke capture. This module listens for incoming keystroke data from the target machine and streams it live to your web panel via Wi-Fi.
// HOW IT WORKS & TARGET AUDIENCE:
Designed strictly for Red Teamers and Authorized Penetration Testers. The HΛX•STIK itself acts as
a secure receiver. To capture keystrokes, your injected payload must execute a background process (like
a hidden PowerShell script) on the target PC. This script reads the keyboard inputs and silently pushes
that data back to the HΛX•STIK's hidden Serial (COM) port.
// EXECUTION STRATEGY & PAYLOAD TEMPLATE:
To utilize this feature, your DuckyScript must deploy the listener script. The HΛX•STIK expects
keystroke data to be continuously written to its COM port at a 9600 baud rate. Below is the
structural template for Windows:
HONEYPOT DETECTOR EXPLAINED: A smart evasion engine built directly into the HΛXSTIK OS that scans the target machine for Virtual Machine (VM) and Sandbox artifacts. If Blue Team traps or analysis tools are detected, it will warn you to abort the operation.
// WHY IT IS CRITICAL (TACTICAL ADVANTAGE):
Modern enterprise networks use "Honeypots" or isolated Sandboxes to bait attackers. If you inject a
payload into a Blue Team's trap, it will immediately trigger a high-severity EDR alert, exposing your
physical presence. This module ensures you only execute payloads on real, bare-metal machines.
// HOW TO USE IT:
No custom scripting is required. Before deploying your main payload, simply click the "RUN SMART
SCAN" button from the Web UI. The HΛX•STIK will seamlessly run its internal micro-reconnaissance
module on the target PC. If it detects a virtualized environment (like VMware, VirtualBox, or
Sandboxie), the UI will alert you. If the screen shows "CLEAR", you are safe to deploy your payloads.
STEALTH MODE EXPLAINED: By default, the device broadcasts the `HAXSTIK_OS` network publicly. Clicking this creates a hidden `.flag` file and reboots the device, making the Wi-Fi completely invisible to regular scans.
// TACTICAL ADVANTAGE (WHY USE IT):
During a physical audit in a corporate environment, broadcasting a strange network like "HAXSTIK_OS"
will instantly alert the IT department or Blue Team. Stealth Mode ensures your hardware implant remains
100% undetectable in the airwaves.
// HOW TO CONNECT TO A HIDDEN NETWORK:
Since the network won't show up in your standard Wi-Fi list, you must connect manually:
1. Open your Phone/PC Wi-Fi Settings.
2. Scroll to the bottom and select "Add Network" (or "Other Network").
3. Network Name (SSID): Type your exact network name (e.g., HAXSTIK_OS).
4. Security Type: Select WPA/WPA2-Personal.
5. Password: Enter your current password and connect.
BOOT CONFIG EXPLAINED: Select a payload from the dropdown. Once set, whenever you plug the HΛX•STIK into a target PC, it will wait 3 seconds and automatically execute that script without requiring any web interface interaction.
// TACTICAL ADVANTAGE (WHY USE IT):
Not every physical engagement allows you the luxury of standing near the target, connecting to Wi-Fi,
and manually triggering scripts from your phone. For "Hit and Run" audits, you need maximum speed. Boot
Config turns your HΛX•STIK into an autonomous "Plug and Play" weapon. Plug it in, let it inject at 1000+
WPM, pull it out, and walk away in seconds.
// HOW TO USE IT:
1. Create and save your desired payload in the Payload Studio.
2. Go to the Advanced Tools section and select that payload (e.g., /wifi_grab.txt) from the
dropdown menu.
3. Click "SET AS BOOT SCRIPT" to save the preference into the OS.
4. Disconnect the device. The next time it is plugged into any PC, it will bypass the standby mode and
instantly execute the chosen script. (Note: You can still connect to the Wi-Fi panel anytime to
disable or change this setting).
LOOT MANAGER EXPLAINED: This is your secure vault. When your payload commands the target PC to exfiltrate data (like Wi-Fi passwords, system info, or tokens) to the HΛX•STIK's hidden Serial (COM) port, the OS automatically saves that data into a hidden file called /loot.txt.
// TACTICAL ADVANTAGE (WHY USE IT):
Traditional data exfiltration relies on the internet (e.g., sending data to a Discord webhook, FTP, or
remote server). Modern enterprise firewalls, proxy servers, and DNS sinkholes easily detect and block
these unauthorized outbound connections. Hardware exfiltration via the COM port bypasses network
monitoring completely. The stolen data never touches the internet—it goes directly from the target PC
into your physical hardware.
// HOW TO USE IT:
1. Ensure your injected payload is scripted to push output data into the detected USB COM port (see the
"Loot System & Exfiltration" section at the bottom of this manual for exact OS-specific scripts).
2. Once the payload executes, the onboard OS will silently intercept the incoming serial data and append
it to the internal memory.
3. Connect to the Web UI from your phone and click the "💰 VIEW CAPTURED LOOT" button to
instantly read, copy, or clear your secured data.
JIGGLER EXPLAINED: A built-in Anti-AFK (Away From Keyboard) module that simulates microscopic mouse movements on the target machine.
// TACTICAL ADVANTAGE (WHY USE IT):
During a long physical audit or while waiting for a reverse shell to connect, a target PC might
automatically go to sleep or lock its screen due to inactivity policies. If the screen locks, your
keyboard payloads become useless. The Jiggler keeps the session alive without raising suspicion.
// HOW IT WORKS & HOW TO USE IT:
Because the HΛX•STIK acts as an absolute USB Mouse alongside being a keyboard, clicking "ENABLE
JIGGLER" commands the device to move the cursor 5 pixels left and right every 30 seconds. This
movement is so small that a user sitting at the desk won't notice it, but the OS registers the activity
and prevents the screen lock.
SPOOFER EXPLAINED: A hardware-level identity masking tool that rewrites the HΛX•STIK's internal USB Vendor ID (VID) and Product ID (PID).
// TACTICAL ADVANTAGE (WHY USE IT):
High-security corporate environments (like banks or government offices) use strict Endpoint Detection
and Response (EDR) software. These systems often block unknown or generic USB devices from being
recognized. However, they almost always whitelist standard peripherals from trusted brands. By spoofing
your identity, the EDR blindly trusts your device.
// HOW IT WORKS & HOW TO USE IT:
1. Click the dropdown menu in the Identity Spoofer panel.
2. Select a trusted brand (e.g., Apple Magic Keyboard, Dell, or Razer).
3. Click "APPLY & REBOOT".
4. The OS will rewrite its core USB descriptors and restart. When plugged into the target PC, Windows/macOS Device Manager will recognize it as that exact branded keyboard, bypassing USB restriction policies.
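For defenders, the two features described in this manual (a keyboard that also enumerates a serial port, and a VID/PID copied from a trusted brand) point to the same control: allowlist the whole interface profile rather than the VID/PID alone. The check below is an added example, not code from the HΛXSTIK project; the VID/PID values, device records and allowlist are constructed, and it assumes the CDC interface stays present while the identity is spoofed, which the manual does not state either way.

```python
"""Assess USB devices against an allowlist keyed on the interface profile,
so a copied VID/PID that arrives with extra interfaces stands out."""

# USB-IF base class codes.
USB_CLASS_CDC_CONTROL = 0x02
USB_CLASS_HID = 0x03
USB_CLASS_CDC_DATA = 0x0A

# Constructed allowlist: (VID, PID) -> interface classes the approved product exposes.
ALLOWED_PROFILES = {
    (0x1234, 0x0001): frozenset({USB_CLASS_HID}),  # hypothetical approved keyboard
}


def assess_device(dev):
    """Return a list of findings for one enumerated device record."""
    classes = frozenset(dev["interface_classes"])
    findings = []

    # A keyboard/mouse that also offers a serial channel is unusual for office peripherals.
    has_hid = USB_CLASS_HID in classes
    has_cdc = bool(classes & {USB_CLASS_CDC_CONTROL, USB_CLASS_CDC_DATA})
    if has_hid and has_cdc:
        findings.append("hid+cdc-composite")

    expected = ALLOWED_PROFILES.get((dev["vid"], dev["pid"]))
    if expected is None:
        findings.append("identity-not-allowlisted")
    else:
        # The identity matches, so the interfaces must match too.
        extra = sorted(classes - expected)
        if extra:
            findings.append(
                "profile-mismatch:" + ",".join(f"0x{c:02x}" for c in extra)
            )
    return findings


def triage(devices):
    """Map each device name to its findings; an empty list means no finding."""
    return {dev["name"]: assess_device(dev) for dev in devices}


# Constructed enumeration records (as an inventory agent might report them).
SAMPLE_DEVICES = [
    {"name": "approved-keyboard", "vid": 0x1234, "pid": 0x0001,
     "interface_classes": [USB_CLASS_HID]},
    {"name": "same-id-extra-serial", "vid": 0x1234, "pid": 0x0001,
     "interface_classes": [USB_CLASS_HID, USB_CLASS_CDC_CONTROL, USB_CLASS_CDC_DATA]},
    {"name": "unknown-serial-adapter", "vid": 0x2222, "pid": 0x0002,
     "interface_classes": [USB_CLASS_CDC_CONTROL, USB_CLASS_CDC_DATA]},
]

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_DEVICES).items():
        print(name, findings or "ok")
```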
The core administrative and OPSEC (Operational Security) center of the HΛXSTIK OS. From this secure panel, operators can monitor critical Internal Storage allocation, dynamically reconfigure network broadcast parameters, and enforce strict access controls to the web interface. It also houses the emergency deployment protocols necessary to instantly wipe all forensic artifacts and return the hardware back to a factory state.
STORAGE STATUS EXPLAINED: Provides a real-time, visual donut chart detailing the allocation of your onboard flash memory. The device utilizes an 8MB storage partition, which is shared between the core operating system files, your saved DuckyScript payloads, and the captured /loot.txt exfiltration data.
WHY IT IS NECESSARY:
Hardware-based exfiltration is incredibly stealthy, but it is bound by physical storage limits. If your payload attempts to steal massive files (like full databases or entire image directories) and the storage reaches 100% capacity, the device will halt the exfiltration process to prevent system corruption. Regularly monitoring this metric ensures you have sufficient overhead before launching high-volume data theft operations, and reminds you to routinely clear old payloads or captured loot to maintain peak operational efficiency.
WIFI CONFIG EXPLAINED: Allows you to dynamically alter the broadcasted network name (SSID) and the WPA2 security passphrase of the HΛX•STIK's onboard access point. The device will automatically reboot to commit these changes to its non-volatile memory.
WHY IT IS NECESSARY (OPSEC & CAMOUFLAGE):
Deploying a device that broadcasts the default "HAXSTIK_OS" network in a secure corporate environment is
an immediate red flag that will trigger Blue Team rogue access point alarms. Changing the SSID allows
you to camouflage your hardware as benign office equipment (e.g., "HP_LaserJet_Pro",
"Conference_Room_TV", or "Guest_Net_Extender"). Furthermore, changing the default password
ensures that network defenders cannot connect to your control panel to analyze your payloads or
intercept your stolen loot.
HOW IT WORKS:
The HΛX•STIK utilizes the hardware-level SoftAP (Software Access Point) mode of its core processor. When
you submit new credentials, the OS securely overwrites the old configuration files within the internal
storage and instantly triggers a soft reboot of the networking module. This tears down the old broadcast
and spins up your newly disguised network in a matter of seconds.
HOW TO USE IT:
1. Enter your desired camouflage name in the "New SSID Name" field.
2. Enter a secure passphrase (must be at least 8 characters long) in the "New Password"
field.
3. Click "SAVE WIFI SETTINGS".
4. The current web interface will freeze as the device reboots. Open your smartphone or PC's Wi-Fi
settings, scan for your newly created network name, and reconnect using the new password to regain
dashboard access.
ACCESS CONTROL EXPLAINED: Secures the web panel against unauthorized entry by updating the master login credentials (default: admin / haxstik). This acts as your second layer of defense after the Wi-Fi password.
WHY IT IS NECESSARY (DENIAL OF ACCESS):
Even if a Blue Team member or a curious target cracks or guesses your spoofed Wi-Fi password, they still
need to bypass the web interface login. If you leave the default credentials active, anyone on the local
network can view your stored payloads, reverse-engineer your attack vectors, or steal your captured
loot. Changing this ensures your operations remain compartmentalized and completely inaccessible to the
enemy.
HOW IT WORKS:
The HΛXSTIK OS uses a lightweight HTTP authentication protocol. When you update the credentials, the OS
hashes and saves the new username and password directly into the root configuration file of the onboard
memory. Any subsequent login attempts to access the Dashboard or Payload Studio are strictly
cross-referenced against this secure file.
HOW TO USE IT:
1. Input your custom secure username in the "New Username" field.
2. Input your new secure password in the "New Password" field.
3. Click "UPDATE CREDENTIALS" to save the changes.
4. The current session will instantly terminate, and your browser will prompt you to log back in using
your newly defined credentials.
FORMAT DISK EXPLAINED: The nuclear option. This instantly wipes the entire internal flash memory, permanently destroying all saved payloads, captured loot, and custom configurations, effectively returning the device to a blank factory state.
WHY IT IS NECESSARY (ANTI-FORENSICS & SCORCHED EARTH):
If your physical engagement is compromised, or you are at risk of having your hardware intercepted by
security personnel, you cannot afford to have malicious scripts or stolen corporate data discovered on
your person. Formatting the disk acts as a rapid "Scorched Earth" protocol. It sanitizes the hardware,
leaving absolutely zero forensic artifacts behind for a Blue Team or incident responder to analyze.
HOW IT WORKS:
Instead of just deleting file references, the OS issues a low-level format command directly to the
internal flash memory partition. It rapidly drops the entire file system architecture and rebuilds a
blank one from scratch. This ensures that standard data recovery tools cannot pull your deleted
DuckyScripts or /loot.txt files back from the dead.
HOW TO USE IT:
1. Scroll to the DANGER ZONE at the bottom of the settings panel.
2. Click the solid red "FORMAT DISK (FACTORY RESET)" button.
3. A browser confirmation alert will pop up to prevent accidental clicks. Confirm your decision to
proceed.
4. The device will format the memory and automatically reboot.
(Note: This also resets your Wi-Fi camouflage and Web Panel logins. After the reboot, you must reconnect using the default HAXSTIK_OS network and admin / haxstik credentials.)
The OS executes standard DuckyScript. It reads line-by-line and processes instructions instantly.
The HΛX•STIK injects keystrokes at over 1000 Words Per Minute. If you command it to open the Start Menu and immediately type "cmd", the text will be injected before the computer's Start Menu has finished rendering on the screen, and the keystrokes will be lost.
Always insert a DELAY after opening an application, opening a menu, or pressing Enter.
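Seen from the defending side, this injection rate is also the device's clearest fingerprint: at 5 characters per word, 1000 WPM is roughly one key every 12 ms, with almost no timing variation. The following is an added example, not part of the HΛXSTIK documentation; it scores bursts of key-down timestamps, and the thresholds and sample timestamps are constructed assumptions.

```python
"""Flag keystroke bursts that are too fast and too regular to be human typing."""
from statistics import median, pstdev

# Assumed thresholds, not taken from the manual. 1000 WPM at 5 chars/word is
# about 83 keys/s (~12 ms per key); fast human typing sits near 100 ms per key.
MAX_MEDIAN_GAP_MS = 25.0   # median inter-key gap at or below this is suspicious
MAX_JITTER_MS = 10.0       # human typing varies far more than this
MIN_BURST_KEYS = 12        # ignore short key rolls
BURST_PAUSE_MS = 250.0     # a longer pause starts a new burst


def split_bursts(timestamps_ms):
    """Split ordered key-down timestamps into bursts separated by pauses."""
    bursts, current = [], []
    for t in timestamps_ms:
        if current and t - current[-1] > BURST_PAUSE_MS:
            bursts.append(current)
            current = []
        current.append(t)
    if current:
        bursts.append(current)
    return bursts


def score_burst(burst):
    """Summarise one burst (needs at least two keys)."""
    gaps = [b - a for a, b in zip(burst, burst[1:])]
    mean_gap = sum(gaps) / len(gaps)
    return {
        "keys": len(burst),
        "median_gap_ms": median(gaps),
        "jitter_ms": pstdev(gaps),
        "wpm": 60000.0 / mean_gap / 5.0,  # 5 characters per word
    }


def find_injected_bursts(timestamps_ms):
    """Return scores for bursts that look machine-typed."""
    findings = []
    for burst in split_bursts(sorted(timestamps_ms)):
        if len(burst) < MIN_BURST_KEYS:
            continue
        score = score_burst(burst)
        if (score["median_gap_ms"] <= MAX_MEDIAN_GAP_MS
                and score["jitter_ms"] <= MAX_JITTER_MS):
            findings.append(score)
    return findings


# Constructed sample data: one human-paced burst, then 40 keys 12 ms apart.
HUMAN_GAPS_MS = [110, 95, 140, 180, 90, 120, 105, 160, 130, 100, 115, 150, 98]
HUMAN = [0]
for gap in HUMAN_GAPS_MS:
    HUMAN.append(HUMAN[-1] + gap)
INJECTED = [5000 + 12 * i for i in range(40)]

if __name__ == "__main__":
    for finding in find_injected_bursts(HUMAN + INJECTED):
        print(finding)
```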
Every operating system handles keyboard shortcuts differently. Since the HΛX•STIK is a blind keyboard (it cannot "see" the screen), you must write your script to open a terminal or command prompt as reliably as possible before injecting your actual payload. Here are the best practices for each OS:
On Windows, the absolute safest way to execute code is by using the "Run" dialog box. It is much more reliable than opening the Start Menu, which can sometimes lag or search the web instead of finding your app.
On Mac computers, the equivalent of the Run dialog is Spotlight Search. We use the Command+Space shortcut to open it, search for the Terminal app, open it, and then inject our bash commands.
Most Linux desktop environments (like Ubuntu, Kali, or Mint) have a built-in keyboard shortcut to instantly open a terminal window. This makes Linux the fastest OS to compromise.
| COMMAND | EXPLANATION & USAGE |
|---|---|
| REM [text] | A comment. The OS ignores this. Ex: REM Opens Command Prompt |
| DELAY [ms] | Pauses execution in milliseconds (1000 = 1 sec). |
| STRING [text] | Types the exact text at extremely high speed. Handles all standard characters. |
| GUI / WINDOWS | Presses the Windows key (or Command on Mac). Can be combined with a single letter. Ex: GUI r (Run); GUI d (Show Desktop) |
| CTRL / CONTROL | Modifier key. Hold Control and press a key. Ex: CTRL c (Copy); CTRL ALT t (Linux Terminal) |
| ALT | Modifier key. Hold Alt and press a key. Ex: ALT F4 (Close Window); ALT F2 (Linux Run) |
| SHIFT | Modifier key. Hold Shift and press a key. Ex: SHIFT TAB (Reverse tab); SHIFT F10 (Right-click menu on Windows) |
| ENTER / RETURN | Simulates pressing the Enter/Return key. |
| SPACE | Simulates pressing the Spacebar. |
| TAB | Simulates the Tab key. |
| ESC / ESCAPE | Simulates the Escape key. |
| BACKSPACE / BS | Deletes the previous character. |
| DELETE / DEL | Simulates the Delete key. |
| UPARROW / UP | Presses the Up Arrow key. |
| DOWNARROW / DOWN | Presses the Down Arrow key. |
| LEFTARROW / LEFT | Presses the Left Arrow key. |
| RIGHTARROW / RIGHT | Presses the Right Arrow key. |
| PAGEUP / PAGEDOWN | Scrolls the page up or down. |
| HOME / END | Moves cursor to the start or end of the current line. |
| INSERT | Toggles Insert mode. |
| PRINTSCREEN | Takes a screenshot. |
| CAPSLOCK | Toggles Caps Lock on/off. |
| F1 to F12 | Presses the corresponding Function key. Ex: ALT F4 (Close); F11 (Fullscreen) |
The HΛX•STIK is not just a keyboard; it also acts as an absolute USB Mouse. You can write payloads that physically move the cursor to bypass UI restrictions that block keyboard navigation.
| SYNTAX | EXPLANATION & USAGE |
|---|---|
| MOUSE_MOVE [X] [Y] | Moves the cursor based on pixel coordinates. X is horizontal, Y is vertical. Movement logic: positive X = move right; negative X = move left; positive Y = move down; negative Y = move up. Ex: MOUSE_MOVE 100 -50 (moves 100px right, 50px up) |
| CLICK / LEFT_CLICK | Simulates a standard Left Mouse Click at the current cursor location. |
| RIGHT_CLICK | Simulates a Right Mouse Click (opens context menus). |
The HΛX•STIK doesn't just inject code; it can also steal data via its hidden Serial Communications Port (CDC). This works seamlessly across Windows, macOS, and Linux by commanding the target PC to push data directly into the device's port. Unlike traditional USB drives, the target PC does not see a "Storage Drive" to copy files into. Instead, it sees a "Serial Modem" that we can send text messages to.
The ESP32-S3 chip has a total of 8MB SPIFFS Memory, which is shared between the OS files, your saved payloads, and the `loot.txt` file.
DO NOT attempt to exfiltrate massive files (like databases, images, or entire hard drives). The device will run out of memory and crash. The Loot system is strictly designed for high-value text extraction, such as:
On Windows, we use PowerShell to find the HΛX•STIK's COM Port (e.g., COM3 or COM4) and write text data into it. The script below demonstrates how to extract the current username and Windows version, and save it to your device.
// SYNTAX BREAKDOWN:
• gwmi Win32_SerialPort: Tells Windows to list all connected Serial Ports.
• $p.WriteLine(...): This is the command that actually pushes your stolen text into the HΛX•STIK.
On macOS, the HΛX•STIK mounts as a serial modem in the hidden /dev/ folder (e.g., /dev/tty.usbmodem1234). We use a bash command via Terminal to push data to it.
// SYNTAX BREAKDOWN:
• $(ls /dev/tty.usbmodem* | head -n 1): Automatically finds the exact name of your HΛX•STIK port.
• echo "DATA" > "$port": Shoots the text directly into the device.
On Linux, the device typically mounts as /dev/ttyACM0 or /dev/ttyUSB0. We open the terminal directly with the keyboard shortcut and inject our bash script.
// This documentation is strictly for authorized use cases. Ensure you have explicit permission before deploying payloads on any system.