
[RELEASE] Key Croc Firmware 1.3


Darren Kitchen


Thank you all for the incredible feedback on the Key Croc – especially the 1.3 beta. We knew in development that we were on to something game changing, so to hear the enthusiasm from you all directly is truly rewarding. The amount of creativity shown in such a short period of time since initial release is encouraging.

We hope that with this Key Croc firmware 1.3 we can further that creativity. As always we welcome your feedback here on the forums and of course on our Discord channel.

Thanks for your support and happy hacking!

Huge thanks to our team – @Korben for his work on this firmware with the support of @Foxtrot and everyone including 0xdade for feature inspiration.

Changelog:


  • General
    • (optional) Password Protected Arming Mode built into framework/parser
      • ARMING_PASS and (optional) ARMING_TIMEOUT can be defined in config.txt (Credits: 0xdade)
    • Fix croc being shutdown by host machine going to sleep
    • C2 notifications added to relevant event handlers
    • iProduct can now be defined with PROD_ when calling ATTACKMODE, and defined in config.txt as PROD
    • iManufacturer can be defined in config.txt as MAN
    • Croc now waits for keyboard to enter ATTACKMODE HID
    • Increase output log write speeds
    • Fixed $LOOT
    • ATTACKMODE now automatically populates /tmp/vid /tmp/pid /tmp/man /tmp/prod along with /tmp/mode
    • Fixed payload validation at boot and added payload validation to RELOAD_PAYLOADS

  • Payloads / Tools
    • Add SAVEKEYS [path] UNTIL [regex] syntax support to payloads (Credits: 0xdade)
    • SAVEKEYS NEXT/UNTIL now also produce .filtered logs handling backspaces and removing control characters/modifiers.
    • Ported GET extension script from Bash Bunny
    • Added GET_VARS script giving your payload access to the following live data
      • VID
      • PID
      • MAN
      • PROD
      • HOST_IP
      • TARGET_IP
      • TARGET_HOSTNAME
    • Added the following helper scripts
      • QUACKFILE (alias QFILE)
      • ENABLE_PAYLOAD
      • DISABLE_PAYLOAD
      • WAIT_FOR_KEYBOARD_ACTIVITY
      • WAIT_FOR_KEYBOARD_INACTIVITY
      • WAIT_FOR_LOOT
    • Framework functions exported
      • MOUNT_UDISK
      • UNMOUNT_UDISK
      • UPDATE_LANGUAGES
      • ENABLE_WIFI
      • ENABLE_INTERFACE
      • START_WLAN_DHCP
      • CLEAR_WIFI_CONFIG
      • CONFIG_PSK_WIFI
      • CONFIG_OPEN_WIFI
      • ENABLE_SSH
      • DISABLE_SSH
    • Added the following scripts
      • WAIT_FOR_ARMING_MODE
      • WAIT_FOR_BUTTON_PRESS
      • ARMING_MODE
      • GET_HELPERS

  • Misc
    • Added get_payloads.html to udisk
    • Fixed language file consistency, example: CONTROL/CTRL
    • Moved examples into library/examples
    • Debug logs moved to /root/loot so they will be automatically moved to udisk for easier debugging access
    • DEBUG ON in config.txt now enables parser and framework debug logs at boot


Download from https://downloads.hak5.org/croc

Documentation from https://docs.hak5.org/

Flashing Instructions from https://docs.hak5.org/hc/en-us/articles/360048015333-Updating-the-Key-Croc


Good Morning,

System = Dell XPS15 9530 (old laptop) Win 10 Pro64 Key Croc

Updated from shipping version to 1.3_510 easily, but now it does not see my Raspberry Pi Keyboard.

Yes it boots and sees its HD, but the LED stayed white with the Pi keyboard plugged in.  Plugging in the Logitech K400r (wireless) from days past, that is what I am typing on.

M


My keycroc worked just fine with a mac keyboard (a pretty old one) but a USB keyboard.  After the update, which I did today, the same day I got the Croc, it didn't work.  The croc behaved as if there was no keyboard connected.  The keyboard works just fine without the croc.

Next I tried a Logitech wireless keyboard, which shares a receiver with a mouse.  The Croc worked with that keyboard as expected.  HOWEVER - when I moved the mouse, its movements came out as jumbled text in the computer.  I would have to say that with such a keyboard, this would not be a good thing.

Finally I tried a very old dell keyboard (which is old enough to drink) that has a DIN connector.  I happen to have a DIN to USB adapter.  That worked exactly as advertised with Version 1.3.

I think 1.3 needs some more work.  To summarize, that which worked before does not work in 1.3.  MAC keyboard on a PC is admittedly unlikely in the real world. Logitech wireless keyboard + mouse is a bit more likely.

Geoff


Edited by Struthian

Further experimenting.  It appears that if one disconnects a "good" keyboard and then reconnects it - that works.  However, if one disconnects a good one and then connects one of the ones that seem to not work, then goes back to the good one - it doesn't work.  Can someone confirm this?  If so it appears that keyboards that won't log cause some internal error that prevents further function.



I would love to have some more explanation of what these commands all do.

  • ENABLE_WIFI
  • ENABLE_INTERFACE
  • START_WLAN_DHCP
  • CLEAR_WIFI_CONFIG
  • CONFIG_PSK_WIFI
  • CONFIG_OPEN_WIFI

I see that CLEAR_WIFI_CONFIG will rm /etc/wpa_supplicant.conf but I can't seem to get any of the other commands in my payload to work. For example, ENABLE_WIFI 'SSID' 'PASSWORD' will not edit the /etc/wpa_supplicant.conf or the config.txt file, so I am not sure what these commands do. Maybe they are broken. Please help.


On 10/20/2020 at 4:29 AM, RootJunky said:

I would love to have some more explanation of what these commands all do.

  • ENABLE_WIFI
  • ENABLE_INTERFACE
  • START_WLAN_DHCP
  • CLEAR_WIFI_CONFIG
  • CONFIG_PSK_WIFI
  • CONFIG_OPEN_WIFI

I see that CLEAR_WIFI_CONFIG will rm /etc/wpa_supplicant.conf but I can't seem to get any of the other commands in my payload to work. For example, ENABLE_WIFI 'SSID' 'PASSWORD' will not edit the /etc/wpa_supplicant.conf or the config.txt file, so I am not sure what these commands do. Maybe they are broken. Please help.

Well, I am not sure you can call these "commands" and I don't really see why you'd make a payload for that as you can simply edit the config file.


Can you explain what you're trying to do with more details?


21 minutes ago, heck5 said:

Well, I am not sure you can call these "commands" and I don't really see why you'd make a payload for that as you can simply edit the config file.


Can you explain what you're trying to do with more details?

I just want to know what they do. You can leave it up to me to figure out if I want to use them.


RootJunky said:

I just want to know what they do. You can leave it up to me to figure out if I want to use them.


It's just one basic config file. You don't need to enter these in your payload.

See the documentation below

https://docs.hak5.org/hc/en-us/articles/360047380574-Key-Croc-Basics


https://docs.hak5.org/hc/en-us/articles/360048015093-Getting-the-Key-Croc-Online

So you need to boot in arming mode to edit the config file, which is at the root of the disk... Then if, for example, you enter an SSID, a password, and enable SSH, all you need is to reboot in arming mode and it will connect to that access point and you will be able to SSH into it.


You can see what other options are there for in the above documentation


I hope it answered your questions


Edited by heck5
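As an added illustration of the config.txt settings this thread touches, both the ones the 1.3 changelog introduces (ARMING_PASS, ARMING_TIMEOUT, PROD, MAN, DEBUG) and the SSID / password / SSH setup heck5 describes above, here is a small Python checker that parses such a file and flags weak or malformed settings before the device is rebooted into arming mode. It is an example written for this page, not Hak5's own parser or firmware code. Two things are assumed rather than taken from the thread: the "one KEY VALUE pair per line" layout (inferred from the changelog's "DEBUG ON" wording) and the SSID, PASS and SSH key names (from the Hak5 docs heck5 links); the sample config is constructed.

```python
"""Parse and sanity-check a Key Croc style config.txt.

Added example for this forum thread, not Hak5's own parser. Key names
ARMING_PASS, ARMING_TIMEOUT, PROD, MAN and DEBUG come from the 1.3
changelog; SSID, PASS and SSH are assumed from the linked Hak5 docs.
The "one KEY VALUE pair per line" layout is assumed from the changelog's
"DEBUG ON" line.
"""

# Constructed sample config (not taken from the page). It deliberately
# mixes a comment, a blank line, a lowercase key and an unprotected
# arming mode (no ARMING_PASS) so the checker has something to report.
SAMPLE_CONFIG = """\
# Key Croc config.txt (constructed sample)
DUCKY_LANG us

SSID labnet
PASS correct-horse-battery
SSH ENABLE
debug on
ARMING_TIMEOUT 30
PROD Keyboard
"""


def parse_config(text):
    """Return {KEY: VALUE} for every 'KEY VALUE' line of a config.txt.

    Keys are upper-cased, '#' comments and blank lines are skipped, a key
    with no value maps to '', and a key given twice keeps the last value
    (assumed behaviour; not verified against the Croc's own parser).
    """
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # split on the first run of whitespace
        key = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        config[key] = value
    return config


def check_config(config):
    """Return a list of (severity, message) findings about a parsed config.

    Severity is 'error' (value cannot be right), 'warn' (weak setting) or
    'info' (worth knowing before rebooting into arming mode).
    """
    findings = []

    # Arming mode is only password protected if ARMING_PASS is set; the
    # changelog marks it optional, so a missing value is the weak default.
    arming_pass = config.get("ARMING_PASS", "")
    if not arming_pass:
        findings.append(("warn", "ARMING_PASS not set: arming mode is not password protected"))
    elif len(arming_pass) < 8:
        findings.append(("warn", "ARMING_PASS is shorter than 8 characters"))

    # ARMING_TIMEOUT is taken to be a number of seconds (assumption).
    timeout = config.get("ARMING_TIMEOUT")
    if timeout is not None and not (timeout.isdigit() and int(timeout) > 0):
        findings.append(("error", "ARMING_TIMEOUT must be a positive integer, got %r" % timeout))

    # SSH ENABLE plus SSID/PASS means the device joins that network and
    # accepts logins after a reboot into arming mode (heck5's description).
    ssh_on = config.get("SSH", "").upper() == "ENABLE"
    if ssh_on and not config.get("SSID"):
        findings.append(("info", "SSH ENABLE set but no SSID configured"))
    if ssh_on and config.get("SSID") and not config.get("PASS"):
        findings.append(("warn", "SSH would be reachable over a network with no PASS (assumed open)"))

    if config.get("DEBUG", "").upper() == "ON":
        findings.append(("info", "DEBUG ON: parser and framework debug logs are written at boot"))

    # PROD / MAN set the USB product and manufacturer strings; an empty
    # value is almost certainly a typo in the file.
    for key in ("PROD", "MAN"):
        if key in config and not config[key]:
            findings.append(("error", "%s is present but empty" % key))
    return findings


def report(text):
    """Parse config text and return the findings as printable lines."""
    return ["[%s] %s" % (sev.upper(), msg) for sev, msg in check_config(parse_config(text))]


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG):
        print(line)
```

Running it on the sample prints one warning (no ARMING_PASS) and one info line (DEBUG ON); feeding it a config with ARMING_TIMEOUT set to something other than a positive integer, or an empty PROD, produces an error line instead.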

4 hours ago, heck5 said:


It's just one basic config file. You don't need to enter these in your payload.

See the documentation below

https://docs.hak5.org/hc/en-us/articles/360047380574-Key-Croc-Basics


https://docs.hak5.org/hc/en-us/articles/360048015093-Getting-the-Key-Croc-Online

So you need to boot in arming mode to edit the config file, which is at the root of the disk... Then if, for example, you enter an SSID, a password, and enable SSH, all you need is to reboot in arming mode and it will connect to that access point and you will be able to SSH into it.


You can see what other options are there for in the above documentation


I hope it answered your questions


I know how to edit the config file, as seen here: https://github.com/rootjunky/keycroc-payloads/blob/master/library/examples/wifispot.txt. That is not what I am asking. I want to know what these do. Framework helpers: https://docs.hak5.org/hc/en-us/articles/360048190473-Helpful-Payload-Snippets. Run GET_HELPERS on your keycroc.


@Darren Kitchen It has been 2 years since the last update and many (known) issues are not fixed.

In August 2021 you wrote me that you guys are working on a release. Nothing has happened since then... which is a little disappointing and reduces the value of the product.

If no update is in sight, please at least make the source code in /usr/local/croc/bin public.
