BLEShark Nano vs USB Rubber Ducky
Overview
The USB Rubber Ducky and the BLEShark Nano's Bad-BT feature share something unusual: they both use DuckyScript. Same scripting language, same payload syntax, same basic concept of injecting keystrokes into a target machine. The difference is the delivery channel. The Rubber Ducky plugs into USB. Bad-BT connects over Bluetooth. That single difference changes the entire operational profile.
What Is the USB Rubber Ducky?
The USB Rubber Ducky, made by Hak5, is the original keystroke injection tool. It looks like a standard USB flash drive. When plugged into a computer, it enumerates as a keyboard and immediately starts typing pre-loaded DuckyScript payloads at speeds no human could match. The current Mark III version costs around $80 and adds features like OS detection, conditional logic, and storage for exfiltrated data.
The Ducky has been a penetration testing staple since its release. It is proven, reliable, and fast. Plug it in, payloads execute in seconds, pull it out. The entire attack can take under 10 seconds with a well-written script.
What Is Bad-BT?
Bad-BT is the BLEShark Nano's Bluetooth HID injection feature. It advertises as a Bluetooth keyboard, pairs with a target device, and then executes DuckyScript payloads wirelessly. It includes an on-device DuckyScript editor for writing and modifying payloads without a separate computer. Bluetooth range is approximately 10 meters.
The DuckyScript Connection
Both tools use DuckyScript as their payload language. A payload written for the Rubber Ducky works on Bad-BT and vice versa (with minor timing adjustments). This means the extensive library of community DuckyScript payloads is available to both platforms. The commands are the same: DELAY, STRING, ENTER, GUI, ALT, CTRL, and the rest of the DuckyScript keyword set.
If you already know DuckyScript from either tool, switching to the other requires zero relearning of the payload language. The only adjustments are timing-related, since Bluetooth HID has slightly more latency than USB HID.
```mermaid
graph TD
    subgraph "Shared Language"
        DS[DuckyScript Payload]
        DS --> CMD1[DELAY 500]
        DS --> CMD2[GUI r]
        DS --> CMD3[STRING powershell]
        DS --> CMD4[ENTER]
        DS --> CMD5[STRING Invoke-Command...]
        DS --> CMD6[ENTER]
    end
    subgraph "USB Rubber Ducky Delivery"
        D1[Physical USB Port Access]
        D2[Plug in - instant USB HID enum]
        D3[No pairing - instant execution]
        D4[USB typing speed - very fast]
        D5[Pull out in under 10 seconds]
        D1 --> D2 --> D3 --> D4 --> D5
    end
    subgraph "Bad-BT Delivery"
        B1[Bluetooth Range - ~10m]
        B2[Advertise as BT Keyboard]
        B3[Target must accept pairing]
        B4[Bluetooth typing speed - slightly slower]
        B5[Wireless - no physical contact]
        B1 --> B2 --> B3 --> B4 --> B5
    end
    DS --> D1
    DS --> B1
```
Same scripting language, fundamentally different delivery channels
Where the Rubber Ducky Wins
Instant execution. USB HID enumeration is automatic. When you plug in the Ducky, the OS recognizes it as a keyboard within milliseconds and the payload starts executing immediately. There is no pairing step, no user prompt, no waiting. This speed is critical in social engineering scenarios where you have seconds of physical access.
Reliability. USB HID is one of the most reliable interfaces in computing. Every operating system supports it. There are no driver issues, no connection drops, no range limitations while plugged in. Bluetooth connections can occasionally stutter or disconnect, especially in RF-noisy environments.
Typing speed. USB HID communication is faster than Bluetooth HID. For long payloads that type hundreds of characters, the Ducky completes execution measurably faster. The difference might be seconds on a short payload but can add up on complex scripts.
No pairing required. This is the Ducky's biggest operational advantage. Bluetooth pairing pops up a visible dialog on most operating systems. The target user might see "Keyboard wants to pair" and decline it. USB enumeration happens silently with no user interaction required.
OS detection (Mark III). The latest Rubber Ducky can detect the target operating system and run platform-specific payloads. This eliminates the "does this target run Windows or Mac" guessing that affects all HID attacks.
Where the BLEShark Nano Wins
Wireless operation. Bad-BT works at up to 10 meters without touching the target machine. If you can get within Bluetooth range and the target device accepts pairing, you can inject keystrokes from across the room, from the hallway, or from the next office. The Rubber Ducky requires hands-on access to a USB port.
On-device editing. The Nano has a DuckyScript editor built into the device. You can write, test, and modify payloads on the fly using the OLED display and 3-button navigation. The Rubber Ducky requires a computer and the Hak5 payload editor to load new scripts.
Multi-function beyond HID. After running a Bad-BT payload, you still have a full WiFi/BLE/IR multi-tool. Scan the network, enumerate BLE devices, clone an IR remote - all without swapping devices. The Rubber Ducky does exactly one thing.
Mobile device targeting. Bluetooth HID works with phones and tablets that have Bluetooth enabled. Most mobile devices do not have USB-A ports for a Ducky (though USB-C adapters exist). Bad-BT can target Android phones and tablets directly over Bluetooth.
Price. $36.99 for the full BLEShark Nano versus $80 for the Rubber Ducky. And the Nano does far more than just HID injection.
Delivery Method Comparison
The choice between USB and Bluetooth delivery comes down to your access model.
If you have brief physical access to the target machine (dropped USB drive scenario, walk-up to an unlocked workstation, malicious cable swap), the Rubber Ducky's instant execution is the right tool. Five seconds of physical access is all you need.
If you have proximity but not physical access (sitting in a waiting room near a receptionist's computer, adjacent office, shared workspace), Bad-BT's wireless delivery lets you inject keystrokes without ever touching the target. The requirement for Bluetooth pairing is a significant hurdle, but in environments with auto-pairing or lax Bluetooth security, it works.
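Both delivery channels leave the same trace on the target: a keyboard that appears (USB enumeration or Bluetooth pairing) and then types faster than a person within seconds. The sketch below is an added example, not code from either vendor; it flags that pattern in a time-ordered event stream. The event format, device names, thresholds and sample timings are all assumptions constructed for illustration.

```python
from statistics import median

# Assumed thresholds; tune them against real typing data in your environment.
MIN_HUMAN_GAP_MS = 30    # median inter-key gap below this is treated as machine typing
BURST_MIN_KEYS = 8       # ignore short bursts such as key repeat
ATTACH_WINDOW_MS = 5000  # only keystrokes this soon after attach are examined


def flag_injection(events):
    """Return findings for keyboards that type machine-fast soon after attaching.

    events: dicts with t_ms, dev, kind ('attach' or 'key') and, for attach
    events, transport ('usb' or 'bluetooth'). This schema is hypothetical.
    """
    attached, keys = {}, {}
    for ev in sorted(events, key=lambda e: e["t_ms"]):
        dev = ev["dev"]
        if ev["kind"] == "attach":
            attached[dev] = (ev["t_ms"], ev["transport"])
            keys[dev] = []
        elif ev["kind"] == "key" and dev in attached:
            if ev["t_ms"] - attached[dev][0] <= ATTACH_WINDOW_MS:
                keys[dev].append(ev["t_ms"])
    findings = []
    for dev, stamps in keys.items():
        if len(stamps) < BURST_MIN_KEYS:
            continue
        gap = median(b - a for a, b in zip(stamps, stamps[1:]))
        if gap < MIN_HUMAN_GAP_MS:
            findings.append({"dev": dev, "transport": attached[dev][1],
                             "keys": len(stamps), "median_gap_ms": gap})
    return findings


def _burst(dev, start, count, gap):
    """Build `count` constructed key events for `dev`, `gap` ms apart."""
    return [{"t_ms": start + i * gap, "dev": dev, "kind": "key"} for i in range(count)]


# Constructed sample data: timings are illustrative, not measured from real devices.
SAMPLE_EVENTS = (
    [{"t_ms": 0, "dev": "usb-kbd-A", "kind": "attach", "transport": "usb"}]
    + _burst("usb-kbd-A", 600, 40, 5)       # fast burst right after plug-in
    + [{"t_ms": 1000, "dev": "bt-kbd-B", "kind": "attach", "transport": "bluetooth"}]
    + _burst("bt-kbd-B", 2500, 40, 12)      # slower link, still machine-fast
    + [{"t_ms": 2000, "dev": "usb-kbd-C", "kind": "attach", "transport": "usb"}]
    + _burst("usb-kbd-C", 4000, 10, 180)    # human-paced typing, not flagged
)

if __name__ == "__main__":
    for finding in flag_injection(SAMPLE_EVENTS):
        print(finding)
```

A payload padded with long delays would pass this timing check, so pair it with controls on which keyboards may attach at all: USB device allow-listing and restricted Bluetooth pairing.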
Final Verdict
The USB Rubber Ducky is a more reliable, faster, and stealthier HID injection tool than Bad-BT. If your engagement specifically requires keystroke injection and you can get physical USB access, the Ducky is the proven choice. It has years of battle-testing in professional pentests.
The BLEShark Nano's Bad-BT adds wireless HID injection to a multi-function tool at a lower price. It is not as fast or reliable as USB delivery, and it requires pairing, but the wireless capability opens scenarios that USB cannot reach. And when the HID work is done, you still have WiFi scanning, BLE enumeration, IR control, and mesh networking in your pocket.
Same language, different delivery. Pick the delivery that matches your access model.
HID injection attacks should only be conducted during authorized penetration tests. Unauthorized keystroke injection is illegal. Always obtain written permission before testing.