The ATTACKMODE Command
ATTACKMODE
is a command which specifies which devices to emulate. The ATTACKMODE
command may be issued multiple times within a given payload. For example, a payload may begin by emulating just HID (keyboard/keyboard passthrough), then switch to emulating both HID and Ethernet later based on a number of conditions.
ECM_ETHERNET
ECM – Ethernet Control Model. In this attack mode, the Key Croc will emulate a USB Ethernet adapter for Linux, Mac and Android targets. For Windows targets, see RNDIS_ETHERNET.
RNDIS_ETHERNET
RNDIS – Remote Network Driver Interface Specification. In this attack mode, the Key Croc will emulate a USB Ethernet adapter for Windows targets. Some Linux targets are known to support this microsoft-proprietary standard.
OPTIONS
RNDIS_SPEED_XX
Sets the reported RNDIS speed to XX (where 0 < XX <= 4294967) in kilobytes.
EXAMPLES
Emulates an RNDIS Ethernet adapter with a speed of 2Gbps
Emulates an RNDIS Ethernet adapter with a speed to 10Mbps. This may prevent Windows targets from recognizing the Key Croc as the default gateway since it is likely that a network interface with a higher metric (typically faster speed) already exists.
AUTO_ETHERNET
This attack mode will first attempt to bring up ECM_ETHERNET
. If after the default timeout of 20 seconds no connection is established, RNDIS_ETHERNET
will be attempted.
OPTIONS
The timeout can be specified with the ETHERNET_TIMEOUT_XX
parameter. Replace XX with a number of seconds.
EXAMPLE
HID
HID – Human Interface Device. This is the attack mode which emulates a keyboard, and enables keyboard passthrough, key logging and keystroke injection via Ducky Script 2.0.
Without this attack mode, the Key Croc will not pass through keyboard input to the target.
The VID
and PID
values of the connected keyboard are automatically cloned for this particular attack mode, as described in the section on Hardware ID Cloning. This may be overridden by specifying a VID and PID value in the config.txt.
STORAGE
UMS – USB Mass Storage. This attack mode emulates a standard flash drive, with the Key Croc presenting its udisk partition to the target as a USB mass storage device.
See the section on understanding the key croc file system for important notes on using this attack mode.
RO_STORAGE
Similar to the STORAGE option, the RO_STORAGE attack mode presents the Key Croc udisk partition as a USB mass storage device – however in this case the emulated devices file system will be read only.
SERIAL
ACM – Abstract Control Model. This attack mode emulates a serial console. Connecting to the serial device from the target, the user will be presented with the Key Croc bash shell. See the Serial Console section for more information on access from your target computer.
OFF
Disables the USB interface until ATTACKMODE is executed again. In this mode, the target will not identify the Key Croc as being connected.
Last updated