Everything posted by lartsch

  1. Hey all, since the size of the udisk partition is quite... pathetic?... being only 2GB big, I want to start work on a firmware/framework mod that allows attaching USB storage devices instead of a keyboard to the Key Croc. This would be useful for matchless payloads that exfiltrate a great amount of data when there is no possibility to send this data to a remote storage. My question: Did anyone on here already do some research on that matter or try to do the same? Any inputs would be appreciated. Just starting with this mod, but if there is some knowledge already I would like to gather it. Thank you! //edit: I am aware of this post
  2. For those of you interested, I have attached a modified croc_framework that allows you to enable and configure an AP on your Croc from the usual config.txt. It supports wpa2 password / no password, has an option for hiding the SSID (e.g. prevent broadcasting) and for setting the gateway address. Example config is included.

     Install hostapd - do not configure it any further (croc needs to be online obviously): apt install hostapd
     Replace /usr/local/croc/bin/croc_framework (check encoding and EOL before replacing, check file permissions afterwards)
     Build your config.txt (see example config attached)
     Secure-eject and re-plug the Croc

     Changes in code are marked with comment lines. No other modifications than those needed for the AP in this file. LED will blink yellow during AP setup on boot, will blink red if it failed due to a missing hostapd package and will blink green when the setup seems to be successful.

     NOTE: You will have to set a static IP on the devices you want to connect to the AP, since DHCP is not supported with this mod as of now. Note that interface combinations are not supported by the chip, so you won't see hosting an AP and connecting to one at the same time.

     USE AT YOUR OWN RISK. If this breaks your device and you point at me, I will laugh at you.

     Attachments: croc_framework, example_config.txt
  3. Hi Darren, you're welcome. I got quite some more framework fixes and would love to contribute if there was a public repository (at least for everything in /usr/local/croc and for the documentation). For your fix, please see my edit in my last post here in the thread. Best regards, lartsch // ... and great to hear you guys are working on an update - any chance you can release a tool / information on how to modify the kernel?
  4. I found a solution: reboot -f OR systemctl --force reboot
  5. Hey all, anyone found a way to reboot the Key Croc via SSH? I tried with "reboot" and "shutdown -r", both won't work so I guess something has been disabled. Hoping for a good tip on that 🙂 Best regards, lartsch // edit: "/sbin/init 6" also not working
  6. Okay, I fixed the ethernet related env vars by adding this to execute_non_match_payloads in croc_framework:

     source /usr/local/croc/bin/GET
     export -f GET

     With only the source it did not work, hence the extra export. // Edit: by the way, setting / sourcing DUCKY_LANG and GET in every (matchless) payload directly would also work, but to me this is something that should work automatically, therefore the fix
  7. That would be perfect. With a framework/firmware that was not updated in more than a year, with plenty of bugs / missing features, it would be nice to be able to do modifications on all levels of the firmware/OS.
  8. Hey chrizree, thanks for your reply. Good to know someone else is facing the problem. In terms of ethernet mode related variables like TARGET_IP, TARGET_OS etc. I noticed the following: Match based payloads are run from /usr/local/croc/croc.py - for each payload run, a subprocess is started and /usr/local/croc/bin/GET as well as /usr/local/croc/bin/GET_VARS are each sourced for this subprocess. Therefore, for match based payloads, using (for ex.) GET TARGET_IP in the payload would work after going into ethernet attack mode. They don't work for MATCHLESS payloads, since those are run from /usr/local/croc/bin/croc_framework on boot. And in this implementation, no files are sourced, so matchless payloads don't have access to GET [var]. I am a little bugged out about the issues with the framework/firmware at this point. It's such a capable tool but for its price I think one could expect a little higher quality in terms of software. A repository where we could do pull requests would also be a benefit, both for hak5 and the community.
  9. Well, while this still poses an issue, I fixed it for me in terms of DUCKY_LANG at least, by adding this to the config parser in croc_framework:

     if [[ "$line" == DUCKY_LANG* ]]; then
         export DUCKY_LANG="$(echo "$line" | cut -d ' ' -f2- | awk '{print tolower($0)}')"
         sed -i "/export DUCKY_LANG/d" /root/.profile
         echo "export DUCKY_LANG=${DUCKY_LANG}" >> /root/.profile
         croclog "LANGUAGE DETECTED ${DUCKY_LANG}"
         continue
     fi

     This will export the variable to all interactive shell sessions (through /root/.profile) and also make it available to all payloads. Works fine this way, but other environment variables are still not set, like TARGET_IP. // edit: plus see my other comment. These fixes are QUICK AND DIRTY, keep that in mind - if you find a better way, please tell here 🙂
  10. Hey Konstantin, I've found the following which may help you (provided you use the matchless fix):

      For a matchless payload to run WITH a keyboard attached, OMIT the ATTACKMODE HID. Test it by writing a payload with only QUACK DELAY 10000 and QUACK STRING "test". Focus a text field, replug the Key Croc (with the keyboard attached) and (hopefully) see it working. EDIT: THIS MIGHT NOT BE TRUE, as I just found that croc_framework runs the keyboard cloning init function AFTER starting matchless payload execution - since these run as a background process it's kind of a gamble whether the cloning is done BEFORE the payload is actually run. I fixed it for me by initializing the keyboard cloning before running matchless and making the execute_non_match_payloads function run in the foreground (the key parser for match based payloads will start AFTER the matchless ones are finished, which is a behavior I prefer but probably not everybody does).

      For a matchless payload to run WITHOUT a keyboard attached, include the ATTACKMODE HID, either with or without specifying VID and PID. Test it by adding ATTACKMODE HID before the other 2 lines from the test above.

      For match based payloads, since you always have a keyboard attached in this case, you can OMIT the ATTACKMODE HID if you want to use the cloned keyboard properties. Or overwrite them using the ATTACKMODE options.

      General notes:
      • always eject the Key Croc in a secure way
      • add delays if something does not work as intended, might help

      Hope it helps! Best regards, Lartsch
  11. Hey all, I have the problem that some environment variables are not set on boot, like DUCKY_LANG, creating issues with payloads. Mainly, my characters are not injected correctly with Q STRING. I have checked the parser logs and the language file is correctly loaded on boot. Also, key recording and Q KEYCODE works as intended. So I have looked into the QUACK script and found that the language setting is obtained with os.getenv("DUCKY_LANG", default="us"). I checked, and the variable is empty after boot so it defaults to US layout, explaining the problems I experience. I then noticed that other environment variables are also not set, for example TARGET_IP after going to an ethernet attack mode. Please help me with this issue. Thanks and best regards, lartsch
  12. Like soh_hos said, the Key Croc can be used like a Bash Bunny by omitting any MATCH commands in the payload. Also see my framework fix for more reliable matchless payload detection. You can basically do anything with the Key Croc you can do with the Bash Bunny, but the Key Croc can additionally be used as a hardware keylogger and features a WiFi module, opening some more possibilities for exploitation / red teaming scenarios. By modifying the firmware you can also host an AP on the Key Croc, really useful. Just the firmware/framework has its problems, also the 2GB udisk is too small for today's requirements. The Bash Bunny Mark II though has a low energy BT module for geofencing and remote triggering, something a Key Croc Mark II will hopefully get as well
  13. I would really like to try and enable these kernel settings, but I am unsure how to rebuild the current kernel. Can anyone assist on that?
  14. @NinjaSnicker If you need any assistance shoot me a DM
  15. Hey all, I found myself in the situation that any matchless payloads I wrote (e.g. payloads without a MATCH sequence) would not run on boot of the Key Croc. I tried many things, like setting ATTACKMODE HID with and without specific hardware properties, attaching a keyboard even though it should not be necessary etc. Nothing worked. While debugging I found the matchless payload detection in the "croc_framework" file (/usr/local/croc/bin) being badly implemented. The grep would not reliably detect non-match payloads and also did not take into account commented lines (#) or whitespace. This can be found in line 538 in the function execute_non_match_payloads() in the original 06/2020 firmware. The original line 538 is:

      for p in $(find /root/udisk/payloads -type f | xargs grep -c 'MATCH'|grep 0$|cut -d':' -f1)

      Replace it with:

      for p in $(find /root/udisk/payloads -type f | xargs grep -cHP '^(?=[\s]*+[^#])[^#]*(MATCH)' | grep 0$ | cut -d':' -f1)

      ... and now find yourself with working matchless payloads! For me, these are really important and provide great use cases. Best regards, lartsch
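The detection problem in this post, illustrated with an added example that is not the post's or Hak5's own code: a comment-aware payload classifier written in awk (so it does not need GNU grep -P), run against constructed sample payload files, next to the original naive grep count for comparison. The file names and contents under DEMO_DIR are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the post or from Hak5: classify Key Croc payload
# files as "match" or "matchless" with the comment-aware rule the corrected grep
# uses (MATCH counts only if the line is not a comment after leading whitespace
# and MATCH appears before any '#'), implemented in awk so it does not need
# GNU grep -P.

# count_match_lines FILE -> prints the number of active MATCH lines in FILE
count_match_lines() {
    awk '
        { line = $0
          sub(/^[[:space:]]+/, "", line)   # drop leading whitespace
          if (line ~ /^#/) next             # skip whole-line comments
          sub(/#.*$/, "", line)            # drop trailing comments
          if (line ~ /MATCH/) n++ }
        END { print n + 0 }
    ' "$1"
}

# naive_count FILE -> what the original framework line did: count every line
# that contains MATCH, including commented ones.
naive_count() {
    grep -c 'MATCH' "$1" || true
}

# is_matchless FILE -> succeeds when FILE has no active MATCH line
is_matchless() {
    [ "$(count_match_lines "$1")" -eq 0 ]
}

# list_matchless DIR -> prints the path of every matchless payload under DIR
list_matchless() {
    find "$1" -type f | sort | while read -r p; do
        is_matchless "$p" && printf '%s\n' "$p"
    done
}

# Constructed sample payloads (not real Hak5 payloads) in a throwaway directory.
DEMO_DIR=$(mktemp -d)
printf '# MATCH only appears in this comment\nQUACK DELAY 1000\nQUACK STRING "hello"\n' \
    > "$DEMO_DIR/matchless.txt"
printf '   MATCH hello\nQUACK STRING "triggered"\n' > "$DEMO_DIR/indented_match.txt"
printf 'QUACK STRING "x" # MATCH in a trailing comment\n' > "$DEMO_DIR/trailing_comment.txt"

# The naive count wrongly reports 1 for matchless.txt; the comment-aware count
# reports 0, so only matchless.txt and trailing_comment.txt are listed.
list_matchless "$DEMO_DIR"
```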
  16. Yes, it is possible. Just configure hostapd and modify the croc_framework so that, when an option WIFI_AP ENABLE is present, it runs hostapd instead of connecting to a hotspot. The wifi module has AP capability. Works pretty reliably for me