Hak5 Key Croc

From Embedded Lab Vienna for IoT & Security
Revision as of 18:22, 4 January 2022 by ABohl

Summary

This article describes the Hak5 Key Croc, a smart hardware keylogging device.

Key Croc Basics

The Key Croc contains a Quad Core ARM processor, 512 MB RAM, and an 8 GB SSD. It can be connected to the internet by entering a Wi-Fi name and password into its config file. The Key Croc has to be connected to the target device via USB. Once it is installed between a PC and its keyboard, it starts booting, which is indicated by the LED changing its color. After it has booted, the LED turns off and the Key Croc is in Attack Mode.

Attack Mode

Attack Mode can be recognized from the outside by the LED being turned off. In this mode, the Key Croc clones the hardware identifier of the keyboard connected to it and poses as this keyboard. Each keystroke entered via the keyboard is therefore sent to the PC, but is also recorded in the Key Croc’s loot file. Payloads may be triggered by typing the required keyword. Pressing the hidden button on the back of the Key Croc causes it to enter Arming Mode.

Arming Mode

Arming Mode can be recognized from the outside by the LED blinking blue. In Arming Mode, no further keystrokes are recorded and payloads can no longer be activated. Instead, the Key Croc emulates a USB flash disk and a serial device, allowing the user to access it via the device’s file manager. A password and timeout for entering Arming Mode can be configured in the Key Croc’s config file. If they aren’t configured, the Key Croc enters Arming Mode as soon as the button is pressed.

Key Croc's File System

  • config.txt – configuration file
  • upgrade.html – shortcut to software update documentation
  • version.txt – current version
  • docs/ – license and quick start guide
  • languages/ – hosts keymap files used for recording and injection
  • library/ – hosts inactive payloads
  • loot/ – hosts captured keystrokes and other logs
  • payloads/ – hosts active payloads
  • tools/ – used to install additional packages

LED Colors

  • Green – Booting up
  • Red – Error
  • Cyan – Configuring Wi-Fi per config.txt
  • Magenta – Configuring Keylogger
  • Blue – Arming Mode
  • Yellow – Disk Full
  • White – No Keyboard Detected

Payloads

The Key Croc can execute payloads on the targeted device. To be activated, a payload has to exist as either a .txt or a .sh file in the payloads/ directory on the Key Croc. Payloads that aren’t currently used can be stored in the library/ directory. Most payloads activate on MATCH, meaning that the payload is triggered when a certain string is typed. The date and time of a payload's activation are logged in the associated log file in the loot/ folder. The language used in the payloads is Ducky Script 2.0, or QUACK. Payloads can be written by the pentester themselves, or downloaded from the Hak5 GitHub repository.
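When a device like this is recovered during an investigation, the file system layout and the activation rule described above can be checked mechanically. The following Python is an added example, not code from Hak5 or from the original article; the function names, the constructed sample tree, and the assumption that a trigger is a line whose first word is MATCH are illustrative.

```python
import tempfile
from pathlib import Path

# Top-level entries from the "Key Croc's File System" list on this page.
EXPECTED = ["config.txt", "upgrade.html", "version.txt", "docs", "languages",
            "library", "loot", "payloads", "tools"]
PAYLOAD_EXTS = {".txt", ".sh"}  # only these file types in payloads/ are active

def match_triggers(text):
    """Assumption: a trigger is a line whose first word is MATCH."""
    parts = (line.split(None, 1) for line in text.splitlines())
    return [p[1].strip() for p in parts if len(p) == 2 and p[0] == "MATCH"]

def files_under(directory):
    """Relative paths of all regular files below directory, sorted."""
    found = directory.rglob("*") if directory.is_dir() else []
    return sorted(str(f.relative_to(directory)) for f in found if f.is_file())

def triage(root):
    """Summarise a read-only mounted Key Croc volume for an incident report."""
    root = Path(root)
    active = {}
    for name in files_under(root / "payloads"):
        path = root / "payloads" / name
        if path.suffix.lower() in PAYLOAD_EXTS:
            active[name] = match_triggers(path.read_text(errors="replace"))
    return {
        "missing": [e for e in EXPECTED if not (root / e).exists()],
        "active_payloads": active,  # payload file -> trigger patterns
        "library": files_under(root / "library"),  # parked, inactive payloads
        "loot": {n: (root / "loot" / n).stat().st_size for n in files_under(root / "loot")},
    }

def build_sample(root):
    """Constructed sample volume (not data from a real device)."""
    root = Path(root)
    for d in ("docs", "languages", "library", "loot", "payloads"):
        (root / d).mkdir()
    (root / "config.txt").write_text("# constructed\n")
    (root / "payloads" / "demo.txt").write_text("# constructed body\nMATCH hello\n")
    (root / "payloads" / "notes.md").write_text("MATCH ignored\n")  # wrong type
    (root / "library" / "old.sh").write_text("MATCH parked\n")
    (root / "loot" / "sample.log").write_text("abc")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(triage(build_sample(tmp)))
```

The trigger strings it reports tell an analyst which typed keywords would have activated a payload, and the loot/ sizes show how much keystroke data the device had captured.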

Tools

Additional pentesting tools like Metasploit can be installed on the Key Croc. Installation requires an active Wi-Fi connection (which can be configured in config.txt) and can be done via SSH, Cloud C2, or a serial connection. After installation, these tools can be found in the tools/ directory.

Accessing Key Croc

The Key Croc can be accessed via its USB flash disk, using any device's file manager. This enables the user to configure the Key Croc, check its loot files, and change its active payloads. If a Wi-Fi network and password are entered into the Key Croc's configuration file and it is configured to connect to a Cloud C2 server, captured keystrokes may also be streamed to this server. The Cloud C2 server also allows a user to send payloads to the Key Croc remotely. Another way to access the Key Croc remotely is via an SSH connection, which also has to be configured in config.txt first. Finally, a serial console connection to the Key Croc gives the user access to its Linux shell. Additional pentesting tools like Metasploit may be installed via Cloud C2, SSH, or a serial console connection using the INSTALL_EXTRAS command.
