HID Syntax / RNDIS ETHERNET Gadget issues


D4rkm4n

Every time I connect the Key Croc to a target machine, Windows 10 identifies it as "RNDIS/Ethernet Gadget". It key logs fine, but shows a notification of the new device.

I have tried multiple keyboards and target machines, but always the same result.

I've tried overriding the details in Config.txt with:

HID VID_0X0A5C PID_0X3025 MAN_LITE-ON SN_0 PROD_Keyboard

or

# VID [VID_0X<vid hex>]
VID VID_0x413c
#
# PID [PID_0X<pid hex>]
PID PID_0x2106
#
# MAN [MAN_label]
MAN MAN_Hak5
PROD PROD_KeyCroc
SN SN_1337

 

But nothing changes within Windows. Is there a way to make the device show as something else within the Devices (not Device Manager) within Win10?
I'd be happy for it to reflect anything like "USB Keyboard"

  • 5 months later...

The only place in the Croc file system where I can find any reference to the string "RNDIS/Ethernet Gadget" is in the croc_gadget.ko file. Since there is no other logic that would present this string as model/identifier (such as some immediate VID/PID upon boot), I guess this is where it originates from. It's the same for the Bunny, which shares a lot with the Croc (just another file/filename). It doesn't seem to be just a matter of editing it with a hex editor either, since it's a kernel module file.

Also, if edited to be named something else, it needs to be very generic since the name is used both in Settings > Devices and in the Control Panel under "Hardware and Sound" > "Devices and Printers" regardless of which attackmode is used (i.e. if ATTACKMODE HID is used, it shows with a keyboard icon; if ATTACKMODE STORAGE is used, a storage icon is shown; however, the same RNDIS label is used regardless of the attackmode). So, if it's related to the mentioned ko file, the kernel module perhaps needs to be recompiled to show something other than "RNDIS/Ethernet Gadget".

In Device Manager or using tools such as NirSoft USBDeview or USBLogView, it shows up with the VID/PID that is set though (either the default values linked to the attackmode chosen or set in the payload).

Is there a way to have the KeyCroc imitate the keyboard as it is meant to? I feel like the notification banner of "RNDIS/Ethernet Gadget" connection status makes the purpose and function of the KeyCroc somewhat obsolete.

If you connect a keyboard to the Croc, it will use the VID/PID of the keyboard and pass it on to the target.
https://docs.hak5.org/key-croc/writing-payloads/hardware-id-cloning

I don't really agree that the Croc would be considered obsolete just because it advertises itself with an "RNDIS/Ethernet Gadget" popup when first plugged in to the target. In most engagement scenarios, it's something that no one would see since it will be you (or someone in the red team) that will plant the Croc on the target site. The Croc isn't a type of device that you would let someone at the target site plug in themselves. It would be rather sus to try to fool someone into doing that. "Hey, could you please plug this thing in between your computer and your keyboard!?" Even the most tech novice individuals wouldn't do that on most of the attempts. However, what the original thread poster mentioned could be more of an issue, i.e. the fact that the Croc looks kinda odd when it's listed among connected devices. That of course depends on what is monitored in endpoints on the target site.

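For endpoint monitoring, the behaviour described in this thread (the "RNDIS/Ethernet Gadget" label staying the same while the device functions as a keyboard or storage, and the VID/PID possibly cloned from a real keyboard) suggests matching on the label and device class rather than on VID/PID. The following is an added example, not part of the original thread or any Hak5 code; the CSV column names, host names and sample rows are constructed assumptions about a device inventory export.

```python
import csv
import io
import re

# Label the thread reports Windows showing for every attack mode.
GADGET_LABEL = "rndis/ethernet gadget"
# Device classes where an RNDIS label is plausible (a USB network adapter).
NETWORK_CLASSES = {"net"}
VID_PID = re.compile(r"VID_([0-9A-F]{4})&PID_([0-9A-F]{4})", re.I)

# Constructed sample inventory (not real telemetry); column names are assumed.
SAMPLE_INVENTORY = r"""host,name,class,instance_id
WS-014,USB Input Device,HIDClass,USB\VID_413C&PID_2106\5&1A2B3C&0&2
WS-014,RNDIS/Ethernet Gadget,Keyboard,USB\VID_413C&PID_2106\1337
WS-022,RNDIS/Ethernet Gadget,Net,USB\VID_AAAA&PID_0001\0
WS-031,rndis/ethernet gadget,DiskDrive,USB\VID_BBBB&PID_0002\0
"""


def find_mislabelled_gadgets(inventory_csv):
    """Return devices labelled as an RNDIS gadget whose class is not network.

    VID/PID is reported for context only: per the thread it can be cloned
    from a real keyboard, so it is not used as a match condition.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if GADGET_LABEL not in row["name"].strip().lower():
            continue
        if row["class"].strip().lower() in NETWORK_CLASSES:
            continue  # label and function agree; not flagged by this rule
        match = VID_PID.search(row["instance_id"])
        findings.append({
            "host": row["host"],
            "class": row["class"],
            "vid": match.group(1).upper() if match else None,
            "pid": match.group(2).upper() if match else None,
        })
    return findings


if __name__ == "__main__":
    for finding in find_mislabelled_gadgets(SAMPLE_INVENTORY):
        print(finding)
```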

  • 2 weeks later...

Archived

This topic is now archived and is closed to further replies.
