Interactive Payload Development

Sometimes the quickest way to rapidly develop a payload is to write it interactively on the device. This saves time entering arming mode, editing the payload file on the "KeyCroc" USB Flash Disk, safely ejecting the drive, unplugging and replugging the KeyCroc from the host, then finally typing the matching pattern on the attached keyboard.

This can be achieved with an SSH connection, either directly from a local network by adding the SSH ENABLE option to config.txt, or from the Terminal in Cloud C2. See the guides on Getting the Key Croc Online and Configuring Cloud C2 from the Getting Started section.

If taking the SSH connection from a local network route, you may find the example_crocctl-ipinfo payload from the included library helpful. With it, typing "__crocctl-ipinfo" will cause the Key Croc to type out it's IP address - saving you time checking DHCP logs or scanning the network.

It is best to have two different physical computers – a dev box and a target box – for interactive development. From the Key Croc shell on the dev box, either by SSH or Cloud C2 Terminal, you can issue commands directly. For example, typing "QUACK STRING hello world" into the Bash prompt will inject the "hello world" keystrokes on the target.


Payload files may be edited directly from /root/udisk/payloads/ using a text editor like nano or vim. You may find a cached copy of payloads on the primary partition. Do not edit these. Doing so may cause unexpected results as they relate to MATCH handling. For this reason, you are advised to only edit the payloads from /root/udisk/payloads/.

It is important to note the special udisk considerations when interactively writing a payload which utilizes the ATTACKMODE STORAGE option. See the guide on Understanding the Key Croc file system for more information.

When editing payload files on the Key Croc interactively, they must be reloaded in order for changes to take effect. To do so, issue the "RELOAD_PAYLOADS" command.


While developing payloads interactively, it may be useful to check payloads for potential MATCH and SAVEKEYS syntax issues. Running the "CHECK_PAYLOADS" command will report the possible pattern matches and corresponding payloads.

Last updated