Darren Kitchen

Root Admin
About Darren Kitchen

  • Rank
    Hak5 Junkie
  • Birthday 02/11/1983

Profile Information

  • Location
    San Francisco, CA

  1. Welcome to hacking - anything is possible. That said, the Key Croc isn't going to do this out of the box and I'd be hard pressed to give you a good answer on how exactly right now. I've seen some research in the field of capturing voltage variances over a USB hub which, with a lot of math, could yield some helpful results... But let's just go with a simple 'no' for the moment.
  2. I recommend checking that the target for your cross compiler is the MT7628DAN MIPS SoC.
  3. @Don Joe the tput command used in sharkjack.sh is to be executed on the host computer – not the Shark Jack itself.
  4. @Aaron Outhier the nmap log is from QA at time of manufacture. The Shark Jack will get warm, but not HOT. As mentioned in the important safety information and warnings from the documentation: https://docs.hak5.org/hc/en-us/articles/360034129974-Important-Safety-Information-and-Warnings It should only take 5-10 minutes max to fully charge. It does get warm while charging. Disconnect when the charging has completed. During operation, it may get warm but not hot. If this behavior continues please reach out to us. https://shop.hak5.org/contact
  5. @Aaron Outhier that web server was introduced in the latest firmware and is only present in arming mode. It's a convenient way to see loot and update payloads.
  6. To confirm - you are talking about having the Key Croc connect to the WiFi Pineapple NANO over WiFi – not USB? Just to be clear in case someone finds this thread attempting over USB – that's not a supported use case and may not work in either direction (pineapple->croc or croc->pineapple) due to the power budget for the USB interface.

     As for your connection concerns, assuming you're talking about WiFi – I've tested with a WiFi Pineapple TETRA and had no issues. Standard troubleshooting applies: if you're connecting to a spoofed PineAP network, ensure your filters are set up correctly and allow associations is enabled. If you're connecting to the management interface (recommended option) ensure the password has any special characters escaped in your config.txt.

     This applies to any WIFI_SSID or WIFI_PASS – if you have special characters keep in mind those values are interpreted by bash so they would need to be escaped. For example: P@$$w0rd!! would be P\@\$\$w0rd\!\!
  7. @40trieslater here are my thoughts based on your posts:

     After a factory reset, the system is restored from a backup partition; however the udisk may be untouched – so this probably explains the discrepancy with your udisk/version.txt.

     The control keys you are seeing indicate that your keyboard is not a generic HID keyboard, but rather a "fancy" composite device containing multiple HID devices (usually for multimedia controls, RGB LED controls, etc). We have also seen this behavior with bluetooth keyboards that happen to have USB functionality (for charging) like the Apple Magic keyboard and Microsoft Surface keyboard.

     It may have nothing to do with your Windows 10 Home 1909 version but rather that you tried it on a different computer, and in doing so the race condition was in your favor. Meaning, when the "fancy" keyboard enumerated on the Key Croc it presented multiple HID interfaces (part of what's called a USB Composite device) and each of those interfaces was mapped to HID channels. The Key Croc from v1.0 - 1.3 is expecting a single HID channel, with the regular keyboard as the first device. The additional HID channels are currently ignored. When the multimedia keys enumerate first, you get these odd results. When the regular keyboard keys enumerate first, you get keystrokes as expected. My guess is that in this case with the Windows 10 Home box, the regular keyboard keys enumerated first and everything worked. In the case of these "fancy" composite keyboards, it's luck of the draw as far as that race condition goes.

     It's something we're working on and hope to have a firmware update to address soon. In the meantime, I recommend trying with a standard keyboard while we nail down this bug. I hope that sheds some light on your issue. I'm aware that it's not a perfect answer, but it's the honest truth for the moment until we solve for composite devices.

     Anyone reading this in the future please be aware that this is an issue specific to firmware 1.0 through 1.3 – I know how these threads tend to linger on (also I hope the world is in a better place future hackers).
  8. You may also wish to simply upgrade to firmware version 1.3 which includes a nifty QUACKFILE or QFILE command from which you can specify a file containing raw Ducky Script which will be interpreted without bash – so no need for special escape characters. In fact, the original USB Rubber Ducky payload may just run out of the box. See:

         root@croc:~# cat /root/udisk/duckyscript.txt
         STRING $pecial chara%ters don't m@tter here!!
         root@croc:~# QUACKFILE /root/udisk/duckyscript.txt

     More on firmware 1.3:

     More on QUACKFILE: https://docs.hak5.org/hc/en-us/articles/360047380954-Payload-Development-Basics

     Tip: Don't store the duckyscript.txt in udisk/payloads/ else the framework will try to treat the text file as a regular Key Croc payload.
  9. My guess is that special characters are breaking the powershell. Escaping in powershell is a little different - here's some info on that: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_special_characters?view=powershell-7
  10. Keep in mind everything passed to QUACK STRING is interpreted by bash - so you may need to escape some special characters.
  11. This has now been addressed in firmware 1.3 – see the post at
  12. Try the QUACK HOLD command, but that might do it. I'll give it a shot soon. See the section on HOLD and RELEASE at https://docs.hak5.org/hc/en-us/articles/360047381354-QUACK-and-Ducky-Script-2-0

      Essentially you'd want to determine the scan code from the language json and pass it to QUACK HOLD. It looks like COMMAND-r from the us.json is 12,00,15 – so the command would be:

          QUACK HOLD 12,00,15
          QUACK DELAY 5000
          QUACK RELEASE

      That would hold COMMAND-r for 5 seconds.
  13. Thank you all for the incredible feedback on the Key Croc – especially the 1.3 beta. We knew in development that we were on to something game changing, so to hear the enthusiasm from you all directly is truly rewarding. The amount of creativity shown in such a short period of time since initial release is encouraging. We hope that with this Key Croc firmware 1.3 we can further that creativity. As always we welcome your feedback here on the forums and of course on our Discord channel. Thanks for your support and happy hacking!

      Huge thanks to our team – @Korben for his work on this firmware with the support of @Foxtrot and everyone including 0xdade for feature inspiration.

      Changelog:

      General
        • (optional) Password Protected Arming Mode built into framework/parser: ARMING_PASS and (optional) ARMING_TIMEOUT can be defined in config.txt (Credits: 0xdade)
        • Fix croc being shut down by host machine going to sleep
        • C2 notifications added to relevant event handlers
        • iProduct can now be defined with PROD_ when calling ATTACKMODE, and defined in config.txt as PROD
        • iManufacturer can be defined in config.txt as MAN
        • Croc now waits for keyboard to enter ATTACKMODE HID
        • Increase output log write speeds
        • Fixed $LOOT
        • ATTACKMODE now automatically populates /tmp/vid /tmp/pid /tmp/man /tmp/prod along with /tmp/mode
        • Fixed payload validation at boot and added payload validation to RELOAD_PAYLOADS

      Payloads / Tools
        • Add SAVEKEYS [path] UNTIL [regex] syntax support to payloads (Credits: 0xdade)
        • SAVEKEYS NEXT/UNTIL now also produce .filtered logs handling backspaces and removing control characters/modifiers
        • Ported GET extension script from Bash Bunny
        • Added GET_VARS script giving your payload access to the following live data: VID PID MAN PROD HOST_IP TARGET_IP TARGET_HOSTNAME
        • Added the following helper scripts: QUACKFILE (alias QFILE) ENABLE_PAYLOAD DISABLE_PAYLOAD WAIT_FOR_KEYBOARD_ACTIVITY WAIT_FOR_KEYBOARD_INACTIVITY WAIT_FOR_LOOT
        • Framework functions exported: MOUNT_UDISK UNMOUNT_UDISK UPDATE_LANGUAGES ENABLE_WIFI ENABLE_INTERFACE START_WLAN_DHCP CLEAR_WIFI_CONFIG CONFIG_PSK_WIFI CONFIG_OPEN_WIFI ENABLE_SSH DISABLE_SSH
        • Added the following scripts: WAIT_FOR_ARMING_MODE WAIT_FOR_BUTTON_PRESS ARMING_MODE GET_HELPERS

      Misc
        • Added get_payloads.html to udisk
        • Fixed language file consistency, example: CONTROL/CTRL
        • Moved examples into library/examples
        • Debug logs moved to /root/loot so they will be automatically moved to udisk for easier debugging access
        • DEBUG ON in config.txt now enables parser and framework debug logs at boot

      Download from https://downloads.hak5.org/croc
      Documentation from https://docs.hak5.org/
      Flashing Instructions from https://docs.hak5.org/hc/en-us/articles/360048015333-Updating-the-Key-Croc
  14. It could be that the drivers aren't installed. They usually install automatically. What does device manager say?
  15. When you say stream, you're talking video rather than screenshots? If so - it may be achieved with ffmpeg: https://trac.ffmpeg.org/wiki/StreamingGuide
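Posts 6, 8 and 10 above all come down to the same point: a WIFI_PASS in config.txt and the argument to QUACK STRING are read by bash, so $, @, !, quotes and spaces get interpreted unless they are escaped, while QUACKFILE reads the Ducky Script file raw. The script below is an added example, not code from the Key Croc framework or from the posts; the helper names escape_for_bash, as_bash_sees_it and config_roundtrip are hypothetical, and the sample password is the constructed one from post 6. It shows what bash does to the unescaped value, produces the escaped form mechanically instead of by hand, and round-trips it through a config.txt-style file.

```shell
#!/bin/sh
# Added example (not Key Croc framework code). Demonstrates why values that
# bash reads (WIFI_PASS in config.txt, QUACK STRING arguments) need escaping,
# and a helper that produces the escaped form. Sample password is constructed.

# Backslash-escape every character bash would otherwise interpret
# ($ @ ! ' " # space, ...). Letters, digits and _ . / - pass through.
# Note: this handles single-line values only; a newline in the value
# would still need a different approach.
escape_for_bash() {
  printf '%s\n' "$1" | sed 's,[^A-Za-z0-9_./-],\\&,g'
}

# What the shell actually ends up with when the value is placed unescaped
# on a bash line, which is how a QUACK STRING argument or a config.txt
# assignment is consumed. For P@$$w0rd!! the $$ becomes the shell's PID.
as_bash_sees_it() {
  eval "printf '%s\\n' $1"
}

# Round trip through a config.txt-style file: write WIFI_PASS=<escaped>,
# source it the way a bash framework would, and return the recovered value.
config_roundtrip() {
  tmp=$(mktemp)
  printf 'WIFI_PASS=%s\n' "$(escape_for_bash "$1")" > "$tmp"
  WIFI_PASS=''
  . "$tmp"
  rm -f "$tmp"
  printf '%s\n' "$WIFI_PASS"
}

# Constructed sample, the same one used in post 6.
PASS='P@$$w0rd!!'
printf 'intended : %s\n' "$PASS"
printf 'unescaped: %s\n' "$(as_bash_sees_it "$PASS")"   # $$ replaced by a PID
printf 'escaped  : %s\n' "$(escape_for_bash "$PASS")"   # P\@\$\$w0rd\!\!
printf 'roundtrip: %s\n' "$(config_roundtrip "$PASS")"  # P@$$w0rd!!
```

The escaped form is exactly what post 6 shows for this password; the round trip is the check worth running on a real config.txt before deploying, since a silently mangled WIFI_PASS just looks like a Pineapple that will not associate.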