Key Croc
  • The Key Croc by Hak5
  • Key Croc Basics
    • Serial Console Access
    • Updating the Firmware
    • Factory Reset
  • Configuration
    • Default Settings
    • Understanding Languages
  • Files and Directory Structure
    • Understanding the File System
  • Getting the Key Croc Online
  • Configuring Cloud C²
  • Writing Payloads
    • Payload Development
    • Ducky Script Commands
    • Command Quick Reference
    • The MATCH Command
    • The SAVEKEYS Command
    • The ATTACKMODE Command
      • USB Identifiers
    • The QUACK Command
    • Advanced QUACK Commands
    • The LED Command
  • Beginner Guides
    • Password Sniffing with the Key Croc — Easy, or Super Easy?
    • New Features in Key Croc 1.3
  • Tips & Tricks
    • Interactive Payload Development
    • Installing Extras like Metasploit
    • Helpful Payload Snippets
Powered by GitBook
On this page
  • MATCH STRINGS
  • MATCH MULTIPLE STRINGS
  • MATCH REGULAR EXPRESSIONS
  • MATCH KEY COMBINATIONS
  • ADDITIONAL MATCH CONSIDERATIONS

Was this helpful?

  1. Writing Payloads

The MATCH Command

MATCH specifies a string or regular expression that may be typed on the keyboard connected to the Key Croc to trigger the payload's execution.

MATCH STRINGS

A simple string, such as "hello", may be used as a match.

MATCH hello

The payload code following this MATCH command will be executed when the target types "hello".

MATCH MULTIPLE STRINGS

Multiple strings may be specified with this simple regular expression.

MATCH (root|admin|mubix)

In this case, the payload code following the MATCH command will be executed when the target types either "root" or "admin" or "mubix".

MATCH REGULAR EXPRESSIONS

Complex patterns may be specified using regular expressions.

MATCH [0-9]{5}(?:-[0-9]{4})?

In this case, the payload code following the MATCH will execute when the target types numbers which represent an American ZIP (postal) code.

Regular expressions should be in Python Regex format and should omit start and end line indicators as the MATCH pattern will be checked against a continuous stream of keystrokes. For example:

  • MATCH dallas – correct usage

  • MATCH ^dallas$ – incorrect usage

MATCH KEY COMBINATIONS

Any key combination defined in the language file (e.g. udisk/languages/us.json) may be used as a MATCH. Keep in mind, since MATCH expects a regular expression, escaping may be necessary. For example:

  • MATCH \[CTRL-ALT-DELETE] – correct usage

  • MATCH [CTRL-ALT-DELETE] – incorrect usage

ADDITIONAL MATCH CONSIDERATIONS

When the target types a pattern which matches the defined MATCH command in a payload, two important things happen.

First, a timestamped log entry is appended to the matches.log file. This file, like other loot, is stored in /root/loot while in Attack Mode, then synchronized with /root/udisk/loot when entering Arming Mode.

Second, the variable $loot will become available for use in the payload, containing the pattern which triggered the match.

Finally, one should consider that MATCH is not actually a bash command, rather a Key Croc command which is interpreted by the Payload Framework. As such, typing MATCH in the Key Croc command prompt will not yield results, and changing the MATCH value live will not have effect unless payloads are reloaded. See the section on interactive payload development for more on RELOAD_PAYLOADS.

Do not use the word "MATCH" in a payload's comment as doing so will cause interpretation issues with the Key Croc payload parser.

Last updated 1 year ago

Was this helpful?

The is a recommended third party resource for testing regular expressions in Python format.

regex101.com