This repository contains payloads and extensions for the Hak5 Key Croc. Community developed payloads are listed and developers are encouraged to create pull requests to make changes to or submit new payloads.
View Featured Key Croc Payloads and Leaderboard
Get your payload in front of thousands. Enter to win over $2,000 in prizes in the Hak5 Payload Awards!
Got Questions? Need some help? Reach out:
Follow the creators
Korben's Twitter |
Korben's Instagram
Darren's Twitter |
Darren's Instagram
The Key Croc by Hak5 is a keylogger armed with pentest tools, remote access and payloads that trigger multi-vector attacks when chosen keywords are typed. It's the ultimate key-logging pentest implant.
Hak5 Key Croc Hardware Features
The Key Croc by Hak5 is a keylogger armed with pentest tools, remote access and payloads that trigger multi-vector attacks when chosen keywords are typed. It's the ultimate key-logging pentest implant.
More than just recording and streaming keystrokes online, it exploits the target with payloads that trigger when keywords of interest are typed.
By emulating trusted devices like serial, storage, HID and Ethernet, it opens multiple attack vectors – from keystroke injection to network hijacking.
Imagine capturing credentials and systematically using them to exfiltrate data. Or pentest from anywhere, live in a web browser with Hak5 Cloud C².
It's simple too. A hidden button turns it into a flash drive, where changing settings is just editing a text file. And with a root shell your favorite pentest tools like nmap, responder, impacket and metasploit are at the ready.
Hak5 Key Croc Pattern Matching Payloads
Hak5 Key Croc Configuration - simply edit config.txt
With the Key Croc in 2020, DuckyScript 2.0 has been introduced.
While many of the Hak5 Tools run various versions of DuckyScript; like the Bash Bunny and even the officially licenced DuckyScript compatible devices from O.MG - the Key Croc uses an INTERPRETED
version of DuckyScript
Interpreted DuckyScript means the payload runs on the device straight from source code
(the code you write e.g. QUACK STRING test
).
The files in this repository are the source code for your payloads and run directly on the device no compilation required - simply place your payload.txt
in the appropriate directory and you're ready to go!
Take your DuckyScript™ payloads to the next level with this full-featured, web-based (entirely client side) development environment.
Payload studio features all of the conveniences of a modern IDE, right from your browser. From syntax highlighting and auto-completion to live error-checking and repo synchronization - building payloads for Hak5 hotplug tools has never been easier!
Supports your favorite Hak5 gear - USB Rubber Ducky, Bash Bunny, Key Croc, Shark Jack, Packet Squirrel & LAN Turtle!
Become a PayloadStudio Pro and Unleash your hacking creativity!
OR
Try Community Edition FREE
Payload Studio Themes Preview GIF
Payload Studio Autocomplete Preview GIF
Support for different keyboard layouts can be found, modified or contributed to in the languages/ directory of this repository.
Unlike devices such as the Bash Bunny and USB Rubber Ducky - the Key Croc's language files are just a bit different. Due to the nature of supporting real time decoding and real time MATCH payloads the Croc has a bit more on it's plate in regards to what it means to support a keyboard language layout.
For example, while performing Keystroke Injection - you may only ever require the 1
from the number row, or the right GUI
key. The Key Croc on the other hand needs to not only know how to interpret the entire keyboard but also a large variety of keyboard combinations to make matching and triggering on payloads work as you would expect it to; accurately and without delay. For these reasons, the Key Croc's language files are monolithic, statically and programatically generated to provide the absolute best possible experience.
The default language is US (languages/us.json)
Cloud C² makes it easy for pen testers and IT security teams to deploy and manage fleets of Hak5 gear from a simple cloud dashboard.Cloud C² is available as an instant download. A free license for Community Edition is available which is not for commercial use and comes with community support. The Professional and Teams Editions are for commercial use with standard support.
Cloud C² is a self-hosted web-based command and control suite for networked Hak5 gear that lets you pentest from anywhere.
Linux, Mac and Windows computers can host the Cloud C² server while Hak5 gear such as the WiFi Pineapple, LAN Turtle and Packet Squirrel can be provisioned as clients.
Once you have the Cloud C² server running on a public-facing machine (such as a VPS) and the Hak5 devices are provisioned and deployed, you can login to the Cloud C² web interface to manage these devices as if you were directly connected.
With multiple Hak5 devices deployed at a client site, aggregated data provides a big picture view of the wired and wireless environments.
Hak5 Cloud C² Web Interface - Teams Edition - Sites
Hak5 Cloud C² Teams edition comes full of features designed to help you manage all of your remote Hak5 devices with ease:
- Multi-User
- Multi-Site
- Role-Based Access Control
- Advanced Auditing
- Tunneling Services including web Terminal and WiFi Pineapple web interface proxy
View Featured Payloads and Leaderboard
Once you have developed your payload, you are encouraged to contribute to this repository by submitting a Pull Request. Reviewed and Approved pull requests will add your payload to this repository, where they may be publically available.
Payloads should be submitted to the most appropriate category directory. These include credentials, exfiltration, phishing, prank, recon, etc.
Subject to change. Please ensure any submissions meet the latest version of these standards before submitting a Pull Request.
Please give your payload a unique, descriptive and appropriate name. Do not use spaces in payload, directory or file names. Each payload should be submit into its own directory, with -
or _
used in place of spaces, to one of the categories such as exfiltration, phishing, remote_access or recon. Do not create your own category.
Each payload should have a unique, descriptive directory and filename, e.g., WIN_powershell_SMB_exfiltration.txt
The directory name for the payload should match the payload file name.
If the payload is OS specific (I.e., a Windows Powershell attack), the filename should be prefixed with that OS. Prefixes include:
WIN_
for WindowsMAC_
for MacOSLINUX_
for all Linux flavorsMULTI_
for multi-OS payloads
If the payload is OS agnostic (I.e., it substitutes text or otherwise make no interaction with the target OS), the filename should not include an OS prefix.
If multiple individual OS specific payloads are included, the directory name should be prefixed with MULTI_
while each payload file name therein should be prefixed with the specific OS.
In many cases, payloads will require some level of configuration by the end payload user. Be sure to take the following into careful consideration to ensure your payload is easily tested, used and maintained.
- Remember to use PLACEHOLDERS for configurable portions of your payload - do not share your personal URLs, API keys, Passphrases, etc...
- Make note of both required and optional configuration(s) in your payload using comments at the top of your payload or "inline" where applicable
Payloads should begin with #
comments specifying the title of the payload, the author, the target, and a brief description.
Example: BEGINNING OF PAYLOAD # Title: Example Payload # Author: Korben Dallas # Description: Opens hidden powershell and # Target: Windows 10 # Props: Hak5, Darren Kitchen, Korben # Version: 1.0 # Category: General
If a payload requires additional documentation for use, such as requiring special dependency installation or use of the LED, it should be documented in the code block. In the case of LED for status, use the following:
# LED ERROR: Dependency not found
# LED SETUP: Starting services
# LED ATTACK: Performing attack
# LED SPECIAL: Exfiltrating loot
# LED CLEANUP: Removing temp files
# LED FINISH: Attack complete
If custom color/patterns are used instead of standard LED states, designate these status indications accordingly.
Payloads may optionally include a readme.md
file for documentation.
Payloads from this repository are provided for educational purposes only. Hak5 gear is intended for authorized auditing and security analysis purposes only where permitted subject to local and international laws where applicable. Users are solely responsible for compliance with all laws of their locality. Hak5 LLC and affiliates claim no responsibility for unauthorized or unlawful use.
DuckyScript is a trademark of Hak5 LLC. Copyright © 2010 Hak5 LLC. All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means without prior written permission from the copyright owner. Key Croc and DuckyScript are subject to the Hak5 license agreement (https://hak5.org/license) DuckyScript is the intellectual property of Hak5 LLC for the sole benefit of Hak5 LLC and its licensees. To inquire about obtaining a license to use this material in your own project, contact us. Please report counterfeits and brand abuse to legal@hak5.org. This material is for education, authorized auditing and analysis purposes where permitted subject to local and international laws. Users are solely responsible for compliance. Hak5 LLC claims no responsibility for unauthorized or unlawful use. Hak5 LLC products and technology are only available to BIS recognized license exception ENC favorable treatment countries pursuant to US 15 CFR Supplement No 3 to Part 740.
Generally, payloads may execute commands on your device. As such, it is possible for a payload to damage your device. Payloads from this repository are provided AS-IS without warranty. While Hak5 makes a best effort to review payloads, there are no guarantees as to their effectiveness. As with any script, you are advised to proceed with caution.