From d6f533185b18c035d50a0a64bded465766c2f941 Mon Sep 17 00:00:00 2001 From: Dallas Winger Date: Fri, 11 Nov 2022 21:51:22 -0500 Subject: [PATCH 1/3] add CrocClippy from OG KeyCroc livestreams --- payloads/library/prank/CrocClippy/README.md | 47 ++++++++++++++++++ .../library/prank/CrocClippy/crocclippy.txt | 48 +++++++++++++++++++ 2 files changed, 95 insertions(+) create mode 100644 payloads/library/prank/CrocClippy/README.md create mode 100644 payloads/library/prank/CrocClippy/crocclippy.txt diff --git a/payloads/library/prank/CrocClippy/README.md b/payloads/library/prank/CrocClippy/README.md new file mode 100644 index 0000000..201a6a6 --- /dev/null +++ b/payloads/library/prank/CrocClippy/README.md @@ -0,0 +1,47 @@ +# CrocClippy + +A very rude clippy experience in terminal, powered by the Key Croc + +## Description: + +Triggered when the user hits ENTER after a sudo or ssh command, +sends a CTRL-C to cancel their command followed by drawing an ASCII Clippy +that asks them if they want help with the command that we just blocked them from executing. +Because that's what clippy is known for. +Developed on a livestream shortly after the release of the KeyCroc + +## Authors: + +Korben, Darren, Chat + +## Version: + +1.0 + +## Category: Key Croc / Prank + +# Example: + +Where $LOOT is the command that matched and triggered the payload: + + + +
+ ________________
+ I see you wanted to run
+$LOOT
+ Can I help you with that?
+ ----------------
+ \
+  \
+     __
+    /  \
+    |  |
+    @  @
+    |  |
+    || |/
+    || ||
+    |\_/|
+    \___/
+
+
diff --git a/payloads/library/prank/CrocClippy/crocclippy.txt b/payloads/library/prank/CrocClippy/crocclippy.txt new file mode 100644 index 0000000..ce07b37 --- /dev/null +++ b/payloads/library/prank/CrocClippy/crocclippy.txt @@ -0,0 +1,48 @@ +# Title: CrocClippy +# Description: Triggered when the user hits ENTER after a sudo or ssh command, +# sends a CTRL-C to cancel their command followed by drawing an ASCII Clippy +# that asks them if they want help with the command that we just blocked them from executing. +# Because that's what clippy is known for. +# Developed on a livestream shortly after the release of the KeyCroc +# Author: Korben, Darren, Chat +# Version: 1.0 +# Category: Key Croc / Prank +# +# +MATCH sudo (.*?)\[ENTER\] +MATCH ssh (.*?)@[\d\D]*\[ENTER\] +MATCH ssh (.*?)\[ENTER\] +QUACK CONTROL c +QUACK STRING 'cat << EOF' +QUACK ENTER +QUACK STRING ' ________________' +QUACK ENTER +QUACK STRING ' I see you wanted to run' +QUACK ENTER +QUACK STRING "$LOOT" +QUACK ENTER +QUACK STRING ' Can I help you with that?' +QUACK STRING ' ----------------' +QUACK ENTER +QUACK STRING ' \' +QUACK ENTER +QUACK STRING ' \' +QUACK ENTER +QUACK STRING ' __' +QUACK ENTER +QUACK STRING ' / \' +QUACK ENTER +QUACK STRING ' | |' +QUACK ENTER +QUACK STRING ' @ @' +QUACK ENTER +QUACK STRING ' | |' +QUACK ENTER +QUACK STRING ' || |/' +QUACK ENTER +QUACK STRING ' || ||' +QUACK ENTER +QUACK STRING ' |\_/|' +QUACK ENTER +QUACK STRING ' \___/' +QUACK CONTROL-c From b4ed0a4d5e618e650d1b0fa6d18fda2c10fad6fa Mon Sep 17 00:00:00 2001 From: Dallas Winger <9642419+dallaswinger@users.noreply.github.com> Date: Sat, 12 Nov 2022 01:08:30 -0500 Subject: [PATCH 2/3] update readme --- README.md | 234 +++++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 189 insertions(+), 45 deletions(-) diff --git a/README.md b/README.md index b91ebd4..f3ed35d 100644 --- a/README.md +++ b/README.md @@ -1,40 +1,180 @@ -# Payload Library for the Key Croc by Hak5 +# Payload Library for the [Key Croc](https://hak5.org/products/key-croc) by [Hak5](https://hak5.org) This repository contains payloads and extensions for the Hak5 Key Croc. Community developed payloads are listed and developers are encouraged to create pull requests to make changes to or submit new payloads. -## About the Key Croc +
+ +      + +
+ + +
+
+

+ +
+View Featured Key Croc Payloads and Leaderboard +
Get your payload in front of thousands. Enter to win over $2,000 in prizes in the Hak5 Payload Awards! +

+ + +
+ +      + +      + +      + +

+ +
+ +# Shop +- [Purchase the Key Croc - the world's smartest keylogger](https://hak5.org/products/key-croc "Purchase the Key Croc - the world's smartest keylogger") +- [PayloadStudio Pro](https://hak5.org/products/payload-studio-pro "Purchase PayloadStudio Pro") +- [Shop All Hak5 Tools](https://shop.hak5.org "Shop All Hak5 Tools") + +## Getting Started +- [Build Payloads with PayloadStudio](#build-your-payloads-with-payloadstudio) | [QUICK START GUIDE](https://docs.hak5.org/key-croc/getting-started/basics "QUICK START GUIDE") + +## Documentation / Learn More +- [Documentation](https://docs.hak5.org/key-croc "Documentation") + +## Community +*Got Questions? Need some help? Reach out:* +- [Discord](https://hak5.org/discord/ "Discord") | [Forums](https://forums.hak5.org/forum/106-key-croc/ "Forums") + +## Additional Links + Follow the creators
+

+ Korben's Twitter | + Korben's Instagram +
+ Darren's Twitter | + Darren's Instagram +

+ +
+

About the Key Croc

+The Key Croc by Hak5 is a keylogger armed with pentest tools, remote access and payloads that trigger multi-vector attacks when chosen keywords are typed. It's the ultimate key-logging pentest implant. + +
+Launch Video +
+
+ +

+ +
Hak5 Key Croc Hardware Features +

+
The Key Croc by Hak5 is a keylogger armed with pentest tools, remote access and payloads that trigger multi-vector attacks when chosen keywords are typed. It's the ultimate key-logging pentest implant. -- [Purchase at Hak5](https://hak5.org/products/key-croc "Purchase at Hak5") -- [Documentation](https://docs.hak5.org/hc/en-us/categories/360003797793-Key-Croc "Documentation") -- [Forums](https://forums.hak5.org/forum/106-key-croc/ "Forums") -- [Discord](https://hak5.org/discord "Discord") +More than just recording and streaming keystrokes online, it exploits the target with payloads that trigger when keywords of interest are typed. -![Key Croc](https://cdn.shopify.com/s/files/1/0068/2142/products/keycroc1b_300x.png.jpg) +By emulating trusted devices like serial, storage, HID and Ethernet, it opens multiple attack vectors – from keystroke injection to network hijacking. -## Disclaimer -Generally, payloads may execute commands on your device. As such, it is possible for a payload to damage your device. Payloads from this repository are provided AS-IS without warranty. While Hak5 makes a best effort to review payloads, there are no guarantees as to their effectiveness. As with any script, you are advised to proceed with caution. +Imagine capturing credentials and systematically using them to exfiltrate data. Or pentest from anywhere, live in a web browser with [Cloud C2](https://shop.hak5.org/products/c2 "Cloud C2"). + +It's simple too. A hidden button turns it into a flash drive, where changing settings is just editing a text file. And with a root shell your favorite pentest tools like nmap, responder, impacket and metasploit are at the ready. + + +

+ Hak5 Key Croc Pattern Matching Payloads
+
+ Hak5 Key Croc Configuration - simply edit config.txt
+ +
+

+ +# About DuckyScript™ + +## Legacy DuckyScript (1.0) +Hak5 introduced Keystroke Injection in 2010 with the USB Rubber Ducky™. This technique, developed by Hak5 founder Darren Kitchen, was his weapon of choice for automating mundane tasks at his IT job — fixing printers, network shares and the like. +Today the USB Rubber Ducky is a hacker culture icon, synonymous with the keystroke injection technique it pioneered. It’s found its way into the hearts and toolkits of Cybersecurity and IT pros the world over — including many movies and TV shows! +Core to its success is its simple language, DuckyScript™. Originally just three commands, it could be learned by anyone—regardless of experience—in minutes. + + With the Key Croc in 2020, DuckyScript 2.0 has been introduced. +## DuckyScript 2.0 + +While many of the Hak5 Tools run various versions of DuckyScript; like the [Bash Bunny](https://shop.hak5.org/products/bash-bunny) and even the [officially licenced DuckyScript compatible devices from O.MG](https://shop.hak5.org/collections/mischief-gadgets/ "O.MG") - the Key Croc uses an `INTERPRETED` version of DuckyScript + +_Interpreted DuckyScript means the payload runs on the device straight from `source code` (the code you write e.g. `QUACK STRING test`)._ + +_Compiled DuckyScript means that there is both `source code` and an `inject.bin` generated from the source code. (DuckyScript 1.0 for the USB Rubber Ducky was "encoded" rather than "compiled" - references to either mean the same)_ + +The files in this repository are _the source code_ for your payloads and run _directly on the Key Croc_ no compilation required - simply place your `payload.txt` in the appropriate directory and you're ready to go! + +

Build your payloads with PayloadStudio

+

+Take your DuckyScript™ payloads to the next level with this full-featured, web-based (entirely client side) development environment. +
+ +
+Payload studio features all of the conveniences of a modern IDE, right from your browser. From syntax highlighting and auto-completion to live error-checking and repo synchronization - building payloads for Hak5 hotplug tools has never been easier! +

+Supports your favorite Hak5 gear - USB Rubber Ducky, Bash Bunny, Key Croc, Shark Jack, Packet Squirrel & LAN Turtle! +


+Become a PayloadStudio Pro and Unleash your hacking creativity! +
+OR +
+ Try Community Edition FREE +

+ +
+ Payload Studio Themes Preview GIF +

+ +
+ Payload Studio Autocomplete Preview GIF +

+ + +## DuckyScript Ecosystem + +

Languages

+ +Support for different keyboard layouts can be found, modified or contributed to in the languages/ directory of this repository. + +Unlike devices such as the Bash Bunny and USB Rubber Ducky - the Key Croc's language files are *just a bit different*. +Due to the nature of supporting **real time decoding** and **real time MATCH payloads** the Croc has a bit more on it's plate in regards to what it means to support a keyboard language layout. + +For example, while performing Keystroke Injection - you may only ever require the `1` from the number row, or the right `GUI` key. The Key Croc on the other hand needs to not only know how to interpret _the entire keyboard_ but also a large variety of keyboard combinations to make matching and triggering on payloads work as you would expect it to; accurately and without delay. For these reasons, the Key Croc's language files are monolithic, statically and programatically generated to provide the absolute best possible experience. + +The default language is US (languages/us.json) + +

Contributing

+ +

+ +
+View Featured Payloads and Leaderboard +

-## Legal -Payloads from this repository are provided for educational purposes only. Hak5 gear is intended for authorized auditing and security analysis purposes only where permitted subject to local and international laws where applicable. Users are solely responsible for compliance with all laws of their locality. Hak5 LLC and affiliates claim no responsibility for unauthorized or unlawful use. -## Contributing Once you have developed your payload, you are encouraged to contribute to this repository by submitting a Pull Request. Reviewed and Approved pull requests will add your payload to this repository, where they may be publically available. -Please adhere to the following best practices and style guide when submitting a payload. +# Please adhere to the following best practices and style guides when submitting a payload. +### Purely Desctructive payloads will not be accepted. No, it's not "just a prank". + +Payloads should be submitted to the most appropriate category directory. These include credentials, exfiltration, phishing, prank, recon, etc. -### Naming Conventions +Subject to change. Please ensure any submissions meet the [latest version](https://github.com/hak5/keycroc-payloads/blob/master/README.md) of these standards before submitting a Pull Request. -Payloads should be submitted to the most approporiate category directory. These include credentials, exfiltration, phishing, prank, recon, etc. +## Naming Conventions +Please give your payload a unique, descriptive and appropriate name. Do not use spaces in payload, directory or file names. Each payload should be submit into its own directory, with `-` or `_` used in place of spaces, to one of the categories such as exfiltration, phishing, remote_access or recon. Do not create your own category. Each payload should have a unique, descriptive directory and filename, e.g., `WIN_powershell_SMB_exfiltration.txt` The directory name for the payload should match the payload file name. -If the payload is OS specific (I.e., a Windows powershell attack), the filename should be prefixed with that OS. Prefixes include: +If the payload is OS specific (I.e., a Windows Powershell attack), the filename should be prefixed with that OS. Prefixes include: * `WIN_` for Windows * `MAC_` for MacOS * `LINUX_` for all Linux flavors @@ -44,39 +184,29 @@ If the payload is OS agnostic (I.e., it substitutes text or otherwise make no in If multiple individual OS specific payloads are included, the directory name should be prefixed with `MULTI_` while each payload file name therein should be prefixed with the specific OS. -Please give your payload a unique and descriptive name. Do not use spaces in payload names. Each payload should be submit into its own directory, with `-` or `_` used in place of spaces, to one of the categories such as exfiltration, phishing, remote_access or recon. Do not create your own category. - -### Comments - -Each payload should begin with a comment block containing at least: - -``` -Title: -Description: -Author: -``` - -Optionally, authors are encouraged to include these additional parameters: -``` -# Version: -# Props: -# Target: +Example: + BEGINNING OF PAYLOAD -``` -CMD_OBFUSCATION=1 -CLOUDC2=1 -``` + # Title: Example Payload + # Author: Korben Dallas + # Description: Opens hidden powershell and + # Target: Windows 10 + # Props: Hak5, Darren Kitchen, Korben + # Version: 1.0 + # Category: General + -### Payload Documentation If a payload requires additional documentation for use, such as requiring special dependency installation or use of the LED, it should be documented in the code block. In the case of LED for status, use the following: @@ -89,6 +219,20 @@ If a payload requires additional documentation for use, such as requiring specia # LED FINISH: Attack complete ``` -If custom color/patterns are used instead of standard LED states, designate these status indications accordingly. +If custom color/patterns are used instead of standard LED states, designate these status indications accordingly. Payloads may optionally include a `readme.md` file for documentation. + +

Legal

+ +Payloads from this repository are provided for educational purposes only. Hak5 gear is intended for authorized auditing and security analysis purposes only where permitted subject to local and international laws where applicable. Users are solely responsible for compliance with all laws of their locality. Hak5 LLC and affiliates claim no responsibility for unauthorized or unlawful use. + +DuckyScript is a trademark of Hak5 LLC. Copyright © 2010 Hak5 LLC. All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means without prior written permission from the copyright owner. +Key Croc and DuckyScript are subject to the Hak5 license agreement (https://hak5.org/license) +DuckyScript is the intellectual property of Hak5 LLC for the sole benefit of Hak5 LLC and its licensees. To inquire about obtaining a license to use this material in your own project, contact us. Please report counterfeits and brand abuse to legal@hak5.org. +This material is for education, authorized auditing and analysis purposes where permitted subject to local and international laws. Users are solely responsible for compliance. Hak5 LLC claims no responsibility for unauthorized or unlawful use. +Hak5 LLC products and technology are only available to BIS recognized license exception ENC favorable treatment countries pursuant to US 15 CFR Supplement No 3 to Part 740. + +# Disclaimer +Generally, payloads may execute commands on your device. As such, it is possible for a payload to damage your device. Payloads from this repository are provided AS-IS without warranty. While Hak5 makes a best effort to review payloads, there are no guarantees as to their effectiveness. As with any script, you are advised to proceed with caution. + From d9802daa878a5a1e0669081f22aab8621cf0a324 Mon Sep 17 00:00:00 2001 From: Dallas Winger <9642419+dallaswinger@users.noreply.github.com> Date: Sat, 12 Nov 2022 01:35:22 -0500 Subject: [PATCH 3/3] update --- README.md | 54 +++++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 43 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index f3ed35d..d739d00 100644 --- a/README.md +++ b/README.md @@ -79,7 +79,7 @@ More than just recording and streaming keystrokes online, it exploits the target By emulating trusted devices like serial, storage, HID and Ethernet, it opens multiple attack vectors – from keystroke injection to network hijacking. -Imagine capturing credentials and systematically using them to exfiltrate data. Or pentest from anywhere, live in a web browser with [Cloud C2](https://shop.hak5.org/products/c2 "Cloud C2"). +Imagine capturing credentials and systematically using them to exfiltrate data. Or pentest from anywhere, live in a web browser with [Hak5 Cloud C²](https://shop.hak5.org/products/c2 "Hak5 Cloud C²"). It's simple too. A hidden button turns it into a flash drive, where changing settings is just editing a text file. And with a root shell your favorite pentest tools like nmap, responder, impacket and metasploit are at the ready. @@ -93,22 +93,13 @@ It's simple too. A hidden button turns it into a flash drive, where changing set

# About DuckyScript™ - -## Legacy DuckyScript (1.0) -Hak5 introduced Keystroke Injection in 2010 with the USB Rubber Ducky™. This technique, developed by Hak5 founder Darren Kitchen, was his weapon of choice for automating mundane tasks at his IT job — fixing printers, network shares and the like. -Today the USB Rubber Ducky is a hacker culture icon, synonymous with the keystroke injection technique it pioneered. It’s found its way into the hearts and toolkits of Cybersecurity and IT pros the world over — including many movies and TV shows! -Core to its success is its simple language, DuckyScript™. Originally just three commands, it could be learned by anyone—regardless of experience—in minutes. - With the Key Croc in 2020, DuckyScript 2.0 has been introduced. -## DuckyScript 2.0 While many of the Hak5 Tools run various versions of DuckyScript; like the [Bash Bunny](https://shop.hak5.org/products/bash-bunny) and even the [officially licenced DuckyScript compatible devices from O.MG](https://shop.hak5.org/collections/mischief-gadgets/ "O.MG") - the Key Croc uses an `INTERPRETED` version of DuckyScript _Interpreted DuckyScript means the payload runs on the device straight from `source code` (the code you write e.g. `QUACK STRING test`)._ -_Compiled DuckyScript means that there is both `source code` and an `inject.bin` generated from the source code. (DuckyScript 1.0 for the USB Rubber Ducky was "encoded" rather than "compiled" - references to either mean the same)_ - -The files in this repository are _the source code_ for your payloads and run _directly on the Key Croc_ no compilation required - simply place your `payload.txt` in the appropriate directory and you're ready to go! +The files in this repository are _the source code_ for your payloads and run _directly on the device_ **no compilation required** - simply place your `payload.txt` in the appropriate directory and you're ready to go!

Build your payloads with PayloadStudio

@@ -149,6 +140,43 @@ For example, while performing Keystroke Injection - you may only ever require th The default language is US (languages/us.json) + +

Hak5 Cloud C²

+Cloud C² makes it easy for pen testers and IT security teams to deploy and manage fleets of Hak5 gear from a simple cloud dashboard. + +Cloud C² is available as an instant download. **A free license for Community Edition is available which is not for commercial use and comes with community support.** +The **Professional** and **Teams Editions** are for commercial use with standard support. +

+ +
+ Hak5 Cloud C² Web Interface +

+ + +Cloud C² is a **self-hosted** web-based command and control suite for networked Hak5 gear that lets you **pentest from anywhere.** + +Linux, Mac and Windows computers can host the Cloud C² server while Hak5 gear such as the WiFi Pineapple, LAN Turtle and Packet Squirrel can be provisioned as clients. + +Once you have the Cloud C² server running on a public-facing machine (such as a VPS) and the Hak5 devices are provisioned and deployed, you can login to the Cloud C² web interface to manage these devices as if you were directly connected. + +With multiple Hak5 devices deployed at a client site, aggregated data provides a big picture view of the wired and wireless environments. + + +

+ +
+ Hak5 Cloud C² Web Interface - Teams Edition - Sites +

+ +Hak5 Cloud C² Teams edition comes full of features designed to help you manage **all** of your remote Hak5 devices with ease: + - Multi-User + - Multi-Site + - Role-Based Access Control + - Advanced Auditing + - Tunneling Services including web Terminal and WiFi Pineapple web interface proxy + +Learn More +

Contributing

@@ -236,3 +264,7 @@ Hak5 LLC products and technology are only available to BIS recognized license ex # Disclaimer Generally, payloads may execute commands on your device. As such, it is possible for a payload to damage your device. Payloads from this repository are provided AS-IS without warranty. While Hak5 makes a best effort to review payloads, there are no guarantees as to their effectiveness. As with any script, you are advised to proceed with caution. + + + +