ATTACKMODE is a command which specifies which devices to emulate. The ATTACKMODE command may be issued multiple times within a given payload. For example, a payload may begin by emulating just HID (keyboard/keyboard passthrough), then switch to emulating both HID and Ethernet later based on a number of conditions.
ECM – Ethernet Control Model. In this attack mode, the Key Croc will emulate a USB Ethernet adapter for Linux, Mac and Android targets. For Windows targets, see RNDIS_ETHERNET.
RNDIS – Remote Network Driver Interface Specification. In this attack mode, the Key Croc will emulate a USB Ethernet adapter for Windows targets. Some Linux targets are known to support this microsoft-proprietary standard.
Sets the reported RNDIS speed to XX (where 0 < XX <= 4294967) in kilobytes.
ATTACKMODE RNDIS_ETHERNET RNDIS_SPEED_2000000
Emulates an RNDIS Ethernet adapter with a speed of 2Gbps
ATTACKMODE RNDIS_ETHERNET RNDIS_SPEED_10000
Emulates an RNDIS Ethernet adapter with a speed to 10Mbps. This may prevent Windows targets from recognizing the Key Croc as the default gateway since it is likely that a network interface with a higher metric (typically faster speed) already exists.
This attack mode will first attempt to bring up ECM_ETHERNET. If after the default timeout of 20 seconds no connection is established, RNDIS_ETHERNET will be attempted.
The timeout can be specified with the ETHERNET_TIMEOUT_XX parameter. Replace XX with a number of seconds.
ATTACKMODE ECM_ETHERNET ETHERNET_TIMEOUT_30
HID – Human Interface Device. This is the attack mode which emulates a keyboard, and enables keyboard passthrough, key logging and keystroke injection via Ducky Script 2.0.
Without this attack mode, the Key Croc will not pass through keyboard input to the target.
The VID and PID values of the connected keyboard are automatically cloned for this particular attack mode, as described in the section on Hardware ID Cloning.
UMS – USB Mass Storage. This attack mode emulates a standard flash drive, with the Key Croc presenting its udisk partition to the target as a USB mass storage device.
See the section on understanding the key croc file system for important notes on using this attack mode.
Similar to the STORAGE option, the RO_STORAGE attack mode presents the Key Croc udisk partition as a USB mass storage device – however in this case the emulated devices file system will be read only.
ACM – Abstract Control Model. This attack mode emulates a serial console. Connecting to the serial device from the target, the user will be presented with the Key Croc bash shell. See the Serial Console section for more information on access from your target computer.
Disables the USB interface until ATTACKMODE is executed again. In this mode, the target will not identify the Key Croc as being connected.
Hardware ID Cloning
USB devices identify themselves by combinations of unique identifiers, including a vendor ID (VID) and product ID (PID). These 16-bit IDs are specified in hex and are used by the target computer to find drivers (if necessary) for the specified device.
By default the Key Croc will clone or spoof the VID and PID of the connected keyboard. These identifiers are saved to /tmp/vidpid and may be used in your payloads.
ATTACKMODE accepts VID and PID parameters, in addition to SN (Serial Number) and MAN (Manufacturer).
VID_XX – Vendor ID
PID_XX – Product ID
MAN_XX – Manufacturer
SN_XX – Serial Number
ATTACKMODE STORAGE HID VID_0X0A5C PID_0X3025 MAN_LITE-ON SN_0
Emulates both a keyboard and usb flash disk with the identifiers of an IBM Corp. NetVista Full Width Keyboard
When the Attack Mode changes, it is written to the /tmp/mode file. This may be queried in a payload in order to know which attack mode the device is currently operating. It may be useful to obtain VID and PID values from this file, or from /tmp/vidpid, in order to maintain the same device identifier when changing attack modes. For example:
By default the Key Croc will boot into an attack mode with the HID option enabled, and the VID and PID values obtained from the connected keyboard. If a payload were to then enable the ECM_ETHERNET option in addition to the HID option, the following code may be used:
VENDOR=$(cat /tmp/vidpid | cut -d: -f1)
PRODUCT=$(cat /tmp/vidpid | cut -d: -f2)
ATTACKMODE HID ECM_ETHERNET VID_0X$VENDOR PID_0X$PRODUCT
As another example, in the case that the /tmp/mode file contained like the following:
HID VID_0X062A PID_0X4101
One may issue a single command to add the ECM_ETHERNET option to an existing mode:
ATTACKMODE ECM_ETHERNET $(cat /tmp/mode)