Darren Kitchen

Root Admin
About Darren Kitchen

  • Rank
    Hak5 Junkie
  • Birthday 02/11/1983

Profile Information

  • Location
    San Francisco, CA

Recent Profile Visitors

99,263 profile views
  1. We were working on our infrastructure yesterday which caused a brief outage. Apologies for the inconvenience.
  2. Ensure that your fstab looks like the below. It can be edited from the Advanced page.

         config global
             option anon_swap '0'
             option anon_mount '0'
             option auto_swap '1'
             option auto_mount '1'
             option delay_root '5'
             option check_fs '0'

         config mount
             option target '/sd'
             option device '/dev/sdcard/sd1'
             option fstype 'auto'
             option options 'rw,sync'
             option enabled '1'

     Then make sure your MicroSD card has only a single, unnamed partition and is formatted EXT4.
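An added example, not Hak5's code: a small parser for the UCI-style fstab format shown in the post above, plus a check that reports every way a pasted config differs from the recommended /sd mount. The sample config embedded below is copied from the post; the regular expressions only handle the two line types that appear in it (`config <type> [name]` and `option <key> '<value>'`), which is an assumption about what the Advanced page shows.

```python
import re

# Sample config in the recommended layout (copied from the post above).
GOOD_FSTAB = """\
config global
    option anon_swap '0'
    option anon_mount '0'
    option auto_swap '1'
    option auto_mount '1'
    option delay_root '5'
    option check_fs '0'

config mount
    option target '/sd'
    option device '/dev/sdcard/sd1'
    option fstype 'auto'
    option options 'rw,sync'
    option enabled '1'
"""

# Assumed line shapes: "config <type>" optionally followed by a quoted name,
# and "option <key> '<value>'". Anything else is treated as an error.
SECTION_RE = re.compile(r"^\s*config\s+(\S+)(?:\s+'?([^'\s]*)'?)?\s*$")
OPTION_RE = re.compile(r"^\s*option\s+(\S+)\s+'([^']*)'\s*$")


def parse_uci(text):
    """Return one dict per section; option keys map to their string values."""
    sections = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            sections.append({"_type": m.group(1), "_name": m.group(2)})
            continue
        m = OPTION_RE.match(line)
        if m and sections:
            sections[-1][m.group(1)] = m.group(2)
            continue
        raise ValueError(f"unparsed fstab line: {line!r}")
    return sections


def check_sd_fstab(text):
    """List every deviation from the recommended /sd mount; [] means it matches."""
    problems = []
    sections = parse_uci(text)
    glob = [s for s in sections if s["_type"] == "global"]
    if not glob or glob[0].get("auto_mount") != "1":
        problems.append("global: auto_mount should be '1'")
    mounts = [s for s in sections
              if s["_type"] == "mount" and s.get("target") == "/sd"]
    if len(mounts) != 1:
        problems.append(f"expected exactly one mount section with target '/sd', "
                        f"found {len(mounts)}")
        return problems
    sd = mounts[0]
    for key, want in (("device", "/dev/sdcard/sd1"), ("enabled", "1")):
        if sd.get(key) != want:
            problems.append(f"mount /sd: option {key} should be '{want}', "
                            f"got {sd.get(key)!r}")
    if sd.get("fstype") not in ("auto", "ext4"):
        problems.append(f"mount /sd: fstype should be 'auto' (or 'ext4' for an "
                        f"EXT4 card), got {sd.get('fstype')!r}")
    if "rw" not in (sd.get("options") or "").split(","):
        problems.append("mount /sd: options should include 'rw'")
    return problems


if __name__ == "__main__":
    for p in check_sd_fstab(GOOD_FSTAB) or ["fstab matches the recommended layout"]:
        print(p)
```

Paste the device's fstab into `GOOD_FSTAB` (or read it from a file) and run the script; the partition-layout requirement (single unnamed EXT4 partition) is a property of the card itself and is not something this config check can see.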
  3. Welcome to hacking - anything is possible. That said, the Key Croc isn't going to do this out of the box and I'd be hard pressed to give you a good answer on how exactly right now. I've seen some research in the field of capturing voltage variances over a USB hub which, with a lot of math, could yield some helpful results... But let's just go with a simple 'no' for the moment.
  4. I recommend checking that the target for your cross compiler is the MT7628DAN MIPS SoC.
  5. @Don Joe the tput command used in sharkjack.sh is to be executed on the host computer – not the Shark Jack itself.
  6. @Aaron Outhier the nmap log is from QA at time of manufacture. The Shark Jack will get warm, but not HOT. As mentioned in the important safety information and warnings from the documentation: https://docs.hak5.org/hc/en-us/articles/360034129974-Important-Safety-Information-and-Warnings It should only take 5-10 minutes max to fully charge. It does get warm while charging. Disconnect when the charging has completed. During operation, it may get warm but not hot. If this behavior continues please reach out to us. https://shop.hak5.org/contact
  7. @Aaron Outhier that web server was introduced in the latest firmware and is only present in arming mode. It's a convenient way to see loot and update payloads.
  8. @40trieslater here are my thoughts based on your posts:

     After a factory reset, the system is restored from a backup partition; however, the udisk may be untouched – so this probably explains the discrepancy with your udisk/version.txt.

     The control keys you are seeing indicate that your keyboard is not a generic HID keyboard, but rather a "fancy" composite device containing multiple HID devices (usually for multimedia controls, RGB LED controls, etc). We have also seen this behavior with Bluetooth keyboards that happen to have USB functionality (for charging) like the Apple Magic Keyboard and Microsoft Surface keyboard.

     It may have nothing to do with your Windows 10 Home 1909 version but rather that you tried it on a different computer, and in doing so the race condition was in your favor. Meaning, when the "fancy" keyboard enumerated on the Key Croc it presented multiple HID interfaces (part of what's called a USB composite device) and each of those interfaces was mapped to a HID channel. The Key Croc from v1.0 - 1.3 is expecting a single HID channel, with the regular keyboard as the first device. The additional HID channels are currently ignored. When the multimedia keys enumerate first, you get these odd results. When the regular keyboard keys enumerate first, you get keystrokes as expected.

     My guess is that in this case with the Windows 10 Home box, the regular keyboard keys enumerated first and everything worked. In the case of these "fancy" composite keyboards, it's luck of the draw as far as that race condition goes. It's something we're working on and hope to have a firmware update to address soon. In the meantime, I recommend trying with a standard keyboard while we nail down this bug.

     I hope that sheds some light on your issue. I'm aware that it's not a perfect answer, but it's the honest truth for the moment until we solve for composite devices.

     Anyone reading this in the future please be aware that this is an issue specific to firmware 1.0 through 1.3 – I know how these threads tend to linger on (also I hope the world is in a better place, future hackers).
  9. This has now been addressed in firmware 1.3 – see the post at
  10. Try the QUACK HOLD command, but that might do it. I'll give it a shot soon. See the section on HOLD and RELEASE at https://docs.hak5.org/hc/en-us/articles/360047381354-QUACK-and-Ducky-Script-2-0

      Essentially you'd want to determine the scan code from the language json and pass it to QUACK HOLD. It looks like COMMAND-r from the us.json is 12,00,15 – so the command would be:

          QUACK HOLD 12,00,15
          QUACK DELAY 5000
          QUACK RELEASE

      That would hold COMMAND-r for 5 seconds.
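An added example, not Hak5's code, of the lookup step described in the post above: take a key combination name such as `COMMAND-r`, resolve each part through a language map, OR the modifier fields together, and emit the `QUACK HOLD` / `QUACK DELAY` / `QUACK RELEASE` lines. The map below is a constructed stand-in built from USB HID usage IDs and modifier bits, written in the assumed `modifier,reserved,keycode` hex layout; it is not the contents of the device's us.json, so the bytes it produces will not necessarily match what the real file gives (the post reads 12,00,15 for COMMAND-r from us.json, which remains the authoritative source on the device).

```python
import re

# Constructed stand-in for a language json. Values are standard USB HID
# usage IDs / modifier bits in an assumed "mm,rr,kk" hex layout, NOT copied
# from Hak5's language files.
EXAMPLE_LANGUAGE_MAP = {
    "COMMAND": "08,00,00",   # left GUI modifier bit
    "GUI": "08,00,00",
    "CONTROL": "01,00,00",
    "CTRL": "01,00,00",
    "SHIFT": "02,00,00",
    "ALT": "04,00,00",
    "a": "00,00,04",
    "r": "00,00,15",
    "ENTER": "00,00,28",
}


def parse_code(code):
    """Split 'mm,rr,kk' into three ints; reject anything that is not three hex bytes."""
    parts = code.split(",")
    if len(parts) != 3:
        raise ValueError(f"bad scan code {code!r}")
    return tuple(int(p, 16) for p in parts)


def combo_code(combo, lang=EXAMPLE_LANGUAGE_MAP):
    """Turn 'COMMAND-r' into one 'mm,00,kk' code: OR every modifier field,
    keep exactly one non-modifier keycode. Parts may be joined by '-', '+' or space."""
    mods, key = 0, None
    for name in re.split(r"[-+ ]", combo.strip()):
        if not name:
            continue
        if name not in lang:
            raise KeyError(f"{name!r} is not in the language map")
        m, _, k = parse_code(lang[name])
        mods |= m
        if k:
            if key is not None:
                raise ValueError("a single HOLD can carry only one non-modifier key")
            key = k
    if key is None:
        raise ValueError("combo has no non-modifier key")
    return f"{mods:02x},00,{key:02x}"


def hold_sequence(combo, hold_ms, lang=EXAMPLE_LANGUAGE_MAP):
    """The three QUACK lines that hold `combo` for hold_ms milliseconds."""
    return [
        f"QUACK HOLD {combo_code(combo, lang)}",
        f"QUACK DELAY {hold_ms}",
        "QUACK RELEASE",
    ]


if __name__ == "__main__":
    print("\n".join(hold_sequence("COMMAND-r", 5000)))
```

To use it against a real language file, load the json into a dict and pass it as `lang`; the combiner only assumes that the first field is the modifier byte and the third the keycode. A literal `-` key cannot be named with this separator scheme, which is the one edge the splitter does not cover.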
  11. Thank you all for the incredible feedback on the Key Croc – especially the 1.3 beta. We knew in development that we were on to something game changing, so to hear the enthusiasm from you all directly is truly rewarding. The amount of creativity shown in such a short period of time since initial release is encouraging. We hope that with this Key Croc firmware 1.3 we can further that creativity. As always we welcome your feedback here on the forums and of course on our Discord channel. Thanks for your support and happy hacking!

      Huge thanks to our team – @Korben for his work on this firmware with the support of @Foxtrot and everyone including 0xdade for feature inspiration.

      Changelog:

      General
        • (optional) Password Protected Arming Mode built into framework/parser. ARMING_PASS and (optional) ARMING_TIMEOUT can be defined in config.txt (Credits: 0xdade)
        • Fix croc being shut down by host machine going to sleep
        • C2 notifications added to relevant event handlers
        • iProduct can now be defined with PROD_ when calling ATTACKMODE, and defined in config.txt as PROD
        • iManufacturer can be defined in config.txt as MAN
        • Croc now waits for keyboard to enter ATTACKMODE HID
        • Increase output log write speeds
        • Fixed $LOOT
        • ATTACKMODE now automatically populates /tmp/vid /tmp/pid /tmp/man /tmp/prod along with /tmp/mode
        • Fixed payload validation at boot and added payload validation to RELOAD_PAYLOADS

      Payloads / Tools
        • Add SAVEKEYS [path] UNTIL [regex] syntax support to payloads (Credits: 0xdade)
        • SAVEKEYS NEXT/UNTIL now also produce .filtered logs handling backspaces and removing control characters/modifiers
        • Ported GET extension script from Bash Bunny
        • Added GET_VARS script giving your payload access to the following live data: VID PID MAN PROD HOST_IP TARGET_IP TARGET_HOSTNAME
        • Added the following helper scripts: QUACKFILE (alias QFILE) ENABLE_PAYLOAD DISABLE_PAYLOAD WAIT_FOR_KEYBOARD_ACTIVITY WAIT_FOR_KEYBOARD_INACTIVITY WAIT_FOR_LOOT
        • Framework functions exported: MOUNT_UDISK UNMOUNT_UDISK UPDATE_LANGUAGES ENABLE_WIFI ENABLE_INTERFACE START_WLAN_DHCP CLEAR_WIFI_CONFIG CONFIG_PSK_WIFI CONFIG_OPEN_WIFI ENABLE_SSH DISABLE_SSH
        • Added the following scripts: WAIT_FOR_ARMING_MODE WAIT_FOR_BUTTON_PRESS ARMING_MODE GET_HELPERS

      Misc
        • Added get_payloads.html to udisk
        • Fixed language file consistency, example: CONTROL/CTRL
        • Moved examples into library/examples
        • Debug logs moved to /root/loot so they will be automatically moved to udisk for easier debugging access
        • DEBUG ON in config.txt now enables parser and framework debug logs at boot

      Download from https://downloads.hak5.org/croc
      Documentation from https://docs.hak5.org/
      Flashing Instructions from https://docs.hak5.org/hc/en-us/articles/360048015333-Updating-the-Key-Croc
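An added example, not Hak5's code, illustrating two items from the changelog above: the `.filtered` view of a keystroke log (backspaces applied, control keys and modifier chords removed) and a `SAVEKEYS ... UNTIL [regex]` stop condition that ends capture once the filtered text matches. The raw log token format is a constructed assumption for this example only: printable characters appear literally and everything else appears as a bracketed token such as `[ENTER]`, `[BACKSPACE]` or a chord like `[CTRL+c]`. The sample keystrokes are likewise constructed.

```python
import re

# Assumed raw-log token format (constructed for this example): a bracketed
# special key / chord, or any single literal character.
TOKEN_RE = re.compile(r"\[([A-Za-z0-9_+]+)\]|(.)", re.S)


def tokenize(raw):
    """Yield (special, char) pairs; exactly one of the two is set per token."""
    for m in TOKEN_RE.finditer(raw):
        if m.group(1) is not None:
            yield m.group(1), None
        else:
            yield None, m.group(2)


def filter_keys(raw):
    """Produce the '.filtered' text: apply BACKSPACE to what has been typed so
    far, keep ENTER as a newline and TAB as a tab, and drop every other special
    token (modifiers, chords such as CTRL+c, escape, function keys)."""
    out = []
    for special, ch in tokenize(raw):
        if special is None:
            out.append(ch)
        elif special == "BACKSPACE":
            if out:
                out.pop()
        elif special == "ENTER":
            out.append("\n")
        elif special == "TAB":
            out.append("\t")
        # any other bracketed token is a control key or modifier chord: dropped
    return "".join(out)


def savekeys_until(chunks, pattern):
    """Consume raw keystroke chunks until the filtered text matches `pattern`.
    Returns (raw_log, filtered_log, matched). The filtered text is rebuilt from
    the whole raw log on each chunk so that a BACKSPACE can undo a partial
    match that an earlier chunk had started."""
    rx = re.compile(pattern)
    raw = []
    for chunk in chunks:
        raw.append(chunk)
        filtered = filter_keys("".join(raw))
        if rx.search(filtered):
            return "".join(raw), filtered, True
    return "".join(raw), filter_keys("".join(raw)), False


# Constructed sample: a login typed with a correction, delivered in chunks.
SAMPLE_CHUNKS = [
    "ssh admin@10.0.0.5",
    "[ENTER]",
    "Passw0rd",
    "[BACKSPACE][BACKSPACE]rd!",
    "[ENTER]",
]

if __name__ == "__main__":
    raw, filtered, hit = savekeys_until(SAMPLE_CHUNKS, r"ssh [^\n]*\n")
    print("stopped:", hit)
    print("raw:     ", raw)
    print("filtered:", filtered.rstrip("\n"))
```

Rebuilding the filtered text from the full raw log on every chunk is quadratic in log size; for a long-running capture an incremental buffer that handles BACKSPACE at the tail would be the practical choice, at the cost of not being able to un-match a pattern that was already reported.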
  12. It could be that the drivers aren't installed. They usually install automatically. What does device manager say?
  13. When you say stream, you're talking video rather than screenshots? If so - it may be achieved with ffmpeg: https://trac.ffmpeg.org/wiki/StreamingGuide
  14. I see how that wording is confusing. The intention was not to mislead. I will update it to make it more clear. The sales page states that video captures save mpeg files in various bitrates. When we finish up the currently in progress feature release of the Key Croc, we will investigate adding the C2EXFIL option for video files with an update. Live video streaming could be setup today using ffmpeg, which may be installed from apt on the device. There is a root shell accessible via serial. That said, this setup would require an RTMP server in order to receive the video signal. That's outside of the scope of Cloud C2 for now - however it doesn't look difficult to deploy based on this: https://obsproject.com/forum/resources/how-to-set-up-your-own-private-rtmp-server-using-nginx.50/ Now I understand this answer may be disappointing. I wish you only the best experience with Hak5 gear. Should it not be to your satisfaction, please submit a ticket at https://shop.hak5.org/contact and we will make it right.
  15. This is by design. We can look into adding it in a future version.