The Key Croc is a smart keylogger and pentest implant featuring a pattern matching payload system and remote management capabilities. This documentation covers the basics of operation and deployment, accessing the Linux shell for advanced operations, Internet connectivity, software updates and payload development.
In its most basic state, the Key Croc acts as a keylogger. To deploy, simply plug the Key Croc into a computer – known herein as the target. Within a few seconds the Key Croc will boot, lighting multiple colors along the way to indicate its state (described below). If a keyboard is not attached to the Key Croc at boot, the LED indicates such with a white light. Plugging a standard IBM-PC compatible USB keyboard into the Key Croc will cause the LED to turn off and the device to enter what is known as Attack Mode. The Key Croc will then clone the hardware identifiers of the keyboard and present itself to the target as that keyboard. Keystrokes typed on the keyboard will be passed through to the target, while simultaneously saving to a log file on the Key Croc. Any active payload will execute once the target types a defined matching key sequence.
Pressing the hidden arming button on the bottom side of the Key Croc will stop the keystroke passthrough and recording. The Key Croc will enter what is known as Arming Mode, indicated by a blue blinking LED. Instead of emulating the connected keyboard, the Key Croc will now emulate both a serial device and USB flash disk – known as the udisk. Accessing this USB flash disk or udisk, with its drive label "KeyCroc", will present the operator with a number of files and folders.
Among the files and folders present on the USB flash disk is config.txt. Editing this file with a standard text editor (like Notepad on Windows, TextEdit on Mac, vim/nano on Linux) will let you configure settings such as keymap, WiFi, SSH and DNS.
The only mandatory configuration is the language/keymap, which by default is set to US.
# Mandatory configurations:
# Specifies the keymap with the corresponding two letter json file name from the languages/ directory on the udisk. The default is US for a US English keyboard. Change this depending on the language/keymap of your target.
WIFI_SSID [network name]
# Specifies the SSID of the WiFi network in which to connect.
# Special characters & spaces must be escaped with '\'. EX: My\ Network\!\!
WIFI_PASS [network password]
# Specifies the WPA-PSK passphrase for the WiFi network.
# Omit this value for open networks.
# Special characters & spaces must be escaped with '\': EX: MyP\@\$\$word\!\!
SSH [ENABLE, DISABLE]
# If enabled, the Key Croc will be accessible by SSH in both attack and arming modes.
DNS [address 1] [address 2]
# Overrides the DNS setting provided by the WiFi network's DHCP server.
VID [VID_0X<vid hex>]
# Overrides the cloned Vendor ID from the attached keyboard
PID [PID_0X<pid hex>]
# Overrides the cloned Product ID from the attached keyboard
# Specifies the Manufacturer USB descriptor
# Specifies the iProduct USB descriptor
Protected Arming Mode
# Requires [password] to be typed on the keyboard attached to the Key Croc to enter arming mode.
# (OPTIONAL WITH ARMING_PASS) Defining this adds a timeout to the protected arming mode listener
# ARMING_PASS hak5croc
# ARMING_TIMEOUT 5
# This allows 5 seconds to press the button after typing hak5croc on the attached keyboard
# WARNING: MISCONFIGURATIONS BELOW WILL LOCK YOU OUT OF YOUR DEVICE.
Files and Directory Structure
- config.txt – configuration file
- upgrade.html – shortcut to software update documentation
- version.txt – current version
- docs/ – license and quick start guide
- languages/ – hosts keymap files used for recording and injection
- library/ – hosts inactive payloads
- loot/ – hosts captured keystrokes and other logs
- payloads/ – hosts active payloads
- tools/ – used to install additional packages
- username: root
- password: hak5croc
- hostname: croc
LED Status Indications
- Green – Booting up
- Red – Error
- Cyan – Configuring WiFi per config.txt
- Magenta – Configuring Keylogger
- Blue – Arming Mode
- Yellow – Disk Full
- White – No Keyboard Detected