SAVEKEYS allows the payload to save specific keys typed by the target when the payload has executed with a valid MATCH. SAVEKEYS can either save the LAST keys typed before a MATCH, or the NEXT keys typed after a MATCH.

SAVEKEYS with NEXT:

MATCH statement. The second line of the payload would then instruct the framework to save the next 6 keypresses to a test.log file in /root/loot/.

/root/loot/test.log containing " world".

NEXT parameter, SAVEKEYS also features an UNTIL function (added in 1.3) which will save up to 255 keys UNTIL the specified key (regex value) is pressed.

pass.txt file when the CONTROL-ALT-DELETE keyboard combination is pressed, and continues to record until the ENTER key is pressed.

[ and ] in these regular expressions.

MATCH, the SAVEKEYS command may be used to save the LAST keys typed before a MATCH.

SAVEKEYS NEXT example above, we could modify with the following:

MATCH "world" were completed, and the previously typed 7 keys would be saved to the /root/loot/test.log file. This would result in a log file containing "hello ".

SAVEKEYS Considerations

SAVEKEYS either NEXT or LAST.

SAVEKEYS requires an absolute path for the output file. It cannot take a variable.

SAVEKEYS /tmp/keys.txt LAST 10 – correct usage
SAVEKEYS $keyfile LAST 10 – incorrect usage

If SAVEKEYS is to be used in a payload, it must immediately follow a MATCH command.

SAVEKEYS usage

SAVEKEYS usage

SAVEKEYS may be extracted systematically using text processing tools and used later as variables in a payload. It is important to note a payload will need to wait until the keys are saved – so pay special attention to the while command. For example:

MATCH, one should consider that SAVEKEYS is not actually a bash command but rather a Key Croc command which is interpreted by the Payload Framework. Changes to the SAVEKEYS command require a reboot or issuing the RELOAD_PAYLOADS command. Additionally, the CHECK_PAYLOADS command will check the syntax and display the payload which will execute after the corresponding MATCH is typed by the target.

"SAVEKEYS" in a payload's comment as doing so will cause interpretation issues with the Key Croc payload parser.