Key Croc
Search…
The Key Croc by Hak5
Getting Started
Key Croc Basics
Configuration
Files and Directory Structure
Default Settings
Getting the Key Croc Online
Configuring Cloud C²
Understanding Languages
Beginner Guides
Password Sniffing with the Key Croc — Easy, or Super Easy?
New Features in Key Croc 1.3
Payloads and Loot
Payload Primer
Getting Payloads
Activating and Deactivating Payloads
Loot
Advanced Usage
Serial Console Access
Updating the Firmware
Factory Reset
Writing Payloads
Key Croc Payload Development
The MATCH Command
The SAVEKEYS Command
The ATTACKMODE Command
Hardware ID Cloning
The QUACK Command
Advanced QUACK Commands
The LED Command
Ducky Script Commands
Command Quick Reference
Tips & Tricks
Understanding the File System
Interactive Payload Development
Installing Extras like Metasploit
Helpful Payload Snippets
Product Information
Important Safety Information and Warnings
Specifications
Powered By GitBook
Hardware ID Cloning
USB devices identify themselves by combinations of unique identifiers, including a vendor ID (VID) and product ID (PID). These 16-bit IDs are specified in hex and are used by the target computer to find drivers (if necessary) for the specified device.
By default the Key Croc will clone or spoof the VID and PID of the connected keyboard. These identifiers are saved to /tmp/vidpid and may be used in your payloads. This may be overridden by specifying a VID and PID value in the config.txt.
ATTACKMODE accepts VID and PID parameters, in addition to SN (Serial Number) and MAN (Manufacturer).

VID_XX – Vendor ID PID_XX – Product ID MAN_XX – Manufacturer SN_XX – Serial Number PROD_XX – Product

ATTACKMODE STORAGE HID VID_0X0A5C PID_0X3025 MAN_LITE-ON SN_0 PROD_Keyboard
Emulates both a keyboard and usb flash disk with the identifiers of an IBM Corp. NetVista Full Width Keyboard

When the Attack Mode changes, it is written to the /tmp/mode file. This may be queried in a payload in order to know which attack mode the device is currently operating. It may be useful to obtain VID and PID values from this file, or from /tmp/vidpid, in order to maintain the same device identifier when changing attack modes.

By default the Key Croc will boot into an attack mode with the HID option enabled, and the VID and PID values obtained from the connected keyboard. If a payload were to then enable the ECM_ETHERNET option in addition to the HID option, the following code may be used:
VENDOR=$(cat /tmp/vidpid | cut -d: -f1)
PRODUCT=$(cat /tmp/vidpid | cut -d: -f2)
ATTACKMODE HID ECM_ETHERNET VID_0X$VENDOR PID_0X$PRODUCT
As another example, in the case that the /tmp/mode file contained like the following:
HID VID_0X062A PID_0X4101
One may issue a single command to add the ECM_ETHERNET option to an existing mode:
ATTACKMODE ECM_ETHERNET $(cat /tmp/mode)
Writing Payloads - Previous
The ATTACKMODE Command
Next - Writing Payloads
The QUACK Command
Last modified 1yr ago
Copy link
On this page
ATTACKMODE OPTIONS
EXAMPLE
CURRENT MODE
EXAMPLE