The MATCH Command
MATCH specifies a string or regular expression that may be typed on the keyboard connected to the Key Croc to trigger the payload's execution.A simple string, such as "hello", may be used as a match.
MATCH hello
The payload code following this
MATCH command will be executed when the target types "hello".Multiple strings may be specified with this simple regular expression.
MATCH (root|admin|mubix)
In this case, the payload code following the
MATCH command will be executed when the target types either "root" or "admin" or "mubix". Complex patterns may be specified using regular expressions.
MATCH [0-9]{5}(?:-[0-9]{4})?
In this case, the payload code following the
MATCH will execute when the target types numbers which represent an American ZIP (postal) code.Regular expressions should be in Python Regex format and should omit start and end line indicators as the
MATCH pattern will be checked against a continuous stream of keystrokes. For example:MATCH dallas– correct usageMATCH ^dallas$– incorrect usage
The regex101.com is a recommended third party resource for testing regular expressions in Python format.
Any key combination defined in the language file (e.g.
udisk/languages/us.json) may be used as a MATCH. Keep in mind, since MATCH expects a regular expression, escaping may be necessary. For example: MATCH \[CTRL-ALT-DELETE]– correct usageMATCH [CTRL-ALT-DELETE]– incorrect usage
When the target types a pattern which matches the defined
MATCH command in a payload, two important things happen. First, a timestamped log entry is appended to the matches.log file. This file, like other loot, is stored in /root/loot while in Attack Mode, then synchronized with
/root/udisk/loot when entering Arming Mode.Second, the variable
$loot will become available for use in the payload, containing the pattern which triggered the match.Finally, one should consider that
MATCH is not actually a bash command, rather a Key Croc command which is interpreted by the Payload Framework. As such, typing MATCH in the Key Croc command prompt will not yield results, and changing the MATCH value live will not have effect unless payloads are reloaded. See the section on interactive payload development for more on RELOAD_PAYLOADS.Do not use the word "
MATCH" in a payload's comment as doing so will cause interpretation issues with the Key Croc payload parser.