USB Identifiers


USB devices identify themselves by combinations of unique identifiers, including a vendor ID (VID) and product ID (PID). These 16-bit IDs are specified in hex and are used by the target computer to find drivers (if necessary) for the specified device.

By default the Key Croc will automatically clone the identifiers of the connected keyboard.

These identifiers are saved to /tmp/ and may be used in your payloads. This may be overridden by specifying values in config.txt.

ATTACKMODE accepts VID and PID parameters, in addition to SERIAL (Serial Number), MAN (Manufacturer) and PROD (Product).

ATTACKMODE OPTIONS

  • VID_XX – Vendor ID
  • PID_XX – Product ID
  • MAN_XX – Manufacturer
  • SERIAL_XX – Serial Number
  • PROD_XX – Product

EXAMPLE

ATTACKMODE STORAGE HID VID_0X0A5C PID_0X3025 MAN_LITE-ON SN_0 PROD_Keyboard

Emulates both a keyboard and a USB flash disk with the identifiers of an IBM Corp. NetVista Full Width Keyboard.

CURRENT MODE

When the attack mode changes, it is written to the /tmp/mode file. A payload may query this file to find out which attack mode the device is currently operating in. It may be useful to obtain VID and PID values from this file, or from /tmp/vidpid, in order to maintain the same device identifier when changing attack modes.

EXAMPLE

By default the Key Croc will boot into an attack mode with the HID option enabled, and the VID and PID values obtained from the connected keyboard. If a payload were to then enable the ECM_ETHERNET option in addition to the HID option, the following code may be used:

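# /tmp/vidpid holds the cloned IDs as VID:PID; split on the colon
VENDOR=$(cat /tmp/vidpid | cut -d: -f1)
PRODUCT=$(cat /tmp/vidpid | cut -d: -f2)
# Re-issue the mode with the same identifiers and the extra option
ATTACKMODE HID ECM_ETHERNET VID_0X$VENDOR PID_0X$PRODUCT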

As another example, in the case that the /tmp/mode file contained a line like the following:

HID VID_0X062A PID_0X4101

One may issue a single command to add the ECM_ETHERNET option to an existing mode:

ATTACKMODE ECM_ETHERNET $(cat /tmp/mode)
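
Because the VID and PID are carried over when the attack mode changes, a host-side check keyed on those IDs sees the same device; what changes is the set of USB interfaces it exposes. The following is an added example, not part of the Key Croc documentation, that compares a baseline record for a keyboard against later snapshots and reports interface classes that were not there before. The record format and the class lists in the snapshots are constructed for this example (03 = HID, 08 = mass storage, 02 and 0a = CDC control and data as used by CDC Ethernet).

```shell
#!/bin/sh
# Added example. Record format (constructed): "<vid>:<pid> <classes>",
# where <classes> is a comma-separated list of bInterfaceClass values.
# On Linux these values can be read from /sys/bus/usb/devices/*/idVendor,
# idProduct and bInterfaceClass.

# Constructed baseline: the keyboard as first enumerated, HID only (03).
BASELINE='062a:4101 03'
# Constructed later snapshots with an unchanged VID:PID.
SNAP_SAME='062a:4101 03'
SNAP_ECM='062a:4101 03,02,0a'    # assumed: HID + CDC control/data
SNAP_STORAGE='062a:4101 03,08'   # assumed: HID + mass storage

class_name() {
    case "$1" in
        02) echo cdc-control ;;
        03) echo hid ;;
        08) echo mass-storage ;;
        0a) echo cdc-data ;;
        *)  echo "class-$1" ;;
    esac
}

# new_classes BASELINE_RECORD OBSERVED_RECORD
# Prints the interface classes present now but absent from the baseline,
# space separated. Prints nothing when the IDs differ (a different device,
# out of scope here) or when no interface was added.
new_classes() {
    base_id=${1%% *}; base_cls=${1#* }
    obs_id=${2%% *};  obs_cls=${2#* }
    [ "$base_id" = "$obs_id" ] || return 0
    out=
    for c in $(printf '%s' "$obs_cls" | tr ',' ' ' | tr 'A-F' 'a-f'); do
        case ",$base_cls," in
            *",$c,"*) ;;    # class already present in the baseline
            *) out="$out${out:+ }$(class_name "$c")" ;;
        esac
    done
    printf '%s' "$out"
}

for snap in "$SNAP_SAME" "$SNAP_ECM" "$SNAP_STORAGE"; do
    added=$(new_classes "$BASELINE" "$snap")
    if [ -n "$added" ]; then
        echo "ALERT ${snap%% *}: same VID:PID, new interfaces: $added"
    fi
done
```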