The MATCH Command

MATCH specifies a string or regular expression that may be typed on the keyboard connected to the Key Croc to trigger the payload's execution.

MATCH STRINGS

A simple string, such as "hello", may be used as a match.

MATCH hello

The payload code following this MATCH command will be executed when the target types "hello".

MATCH MULTIPLE STRINGS

Multiple strings may be specified with a simple regular expression that lists the alternatives.

MATCH (root|admin|mubix)

In this case, the payload code following the MATCH command will be executed when the target types either "root" or "admin" or "mubix".

MATCH REGULAR EXPRESSIONS

Complex patterns may be specified using regular expressions.

MATCH [0-9]{5}(?:-[0-9]{4})?

In this case, the payload code following the MATCH will execute when the target types numbers which represent an American ZIP (postal) code.

Regular expressions should be in Python regex format and should omit the start-of-line and end-of-line anchors (^ and $), as the MATCH pattern is checked against a continuous stream of keystrokes. For example:

  • MATCH dallas – correct usage

  • MATCH ^dallas$ – incorrect usage

regex101.com is a recommended third-party resource for testing regular expressions in Python format.

MATCH KEY COMBINATIONS

Any key combination defined in the language file (e.g. udisk/languages/us.json) may be used as a MATCH. Keep in mind, since MATCH expects a regular expression, escaping may be necessary. For example:

  • MATCH \[CTRL-ALT-DELETE] – correct usage

  • MATCH [CTRL-ALT-DELETE] – incorrect usage
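
The correct/incorrect pairs from the two lists above, checked in Python as an added example (not part of the original page or of the Key Croc framework). The helpers lint_match_pattern and fires_on are hypothetical, the sample stream is constructed, and modelling the device as re.search over a stream in which key combinations appear as bracketed tokens is an assumption.

```python
import re

# Heuristic for an unescaped key name such as [ENTER] or [CTRL-ALT-DELETE].
KEY_NAME = re.compile(r"(?<!\\)\[([A-Z]{2,}(?:-[A-Z0-9]+)*)\]")

def lint_match_pattern(pattern):
    """Return warnings for a MATCH pattern; the checks are this example's own."""
    warnings = []
    # Line anchors cannot succeed inside a continuous keystroke stream.
    if pattern.startswith("^") or (pattern.endswith("$") and not pattern.endswith(r"\$")):
        warnings.append("remove the ^ / $ line anchors")
    # Unescaped, the brackets open a character class instead of naming a key.
    for m in KEY_NAME.finditer(pattern):
        warnings.append("escape the bracket: \\[" + m.group(1) + "]")
    # Some unescaped key names are not even valid regexes (L-A is a reversed range).
    try:
        re.compile(pattern)
    except re.error as exc:
        warnings.append("invalid Python regex: " + str(exc))
    return warnings

def fires_on(pattern, stream):
    """Assumed model of the device: search the pattern anywhere in the stream."""
    return re.search(pattern, stream) is not None

if __name__ == "__main__":
    # Constructed sample stream; the key combination is written as a bracketed token.
    stream = "meet me in dallas 75201-1234 [CTRL-ALT-DELETE]"
    for pat in ["dallas", "^dallas$", r"[0-9]{5}(?:-[0-9]{4})?",
                r"\[CTRL-ALT-DELETE]", "[CTRL-ALT-DELETE]"]:
        warnings = lint_match_pattern(pat)
        # Skip the simulation when the pattern does not compile.
        hit = None if any("invalid" in w for w in warnings) else fires_on(pat, stream)
        print(f"{pat!r:32} fires={hit} warnings={warnings}")
```
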

ADDITIONAL MATCH CONSIDERATIONS

When the target types a pattern which matches the defined MATCH command in a payload, two important things happen.

First, a timestamped log entry is appended to the matches.log file. This file, like other loot, is stored in /root/loot while in Attack Mode, then synchronized with /root/udisk/loot when entering Arming Mode.

Second, the variable $loot will become available for use in the payload, containing the pattern which triggered the match.

Finally, one should consider that MATCH is not actually a bash command, but rather a Key Croc command which is interpreted by the Payload Framework. As such, typing MATCH in the Key Croc command prompt will not yield results, and changing the MATCH value live will not take effect unless payloads are reloaded. See the section on interactive payload development for more on RELOAD_PAYLOADS.

Do not use the word "MATCH" in a payload's comment as doing so will cause interpretation issues with the Key Croc payload parser.
