Key Croc by Hak5 is a discreet USB device that at first glance looks like an ordinary adapter between a keyboard and a computer, but in reality, it is a state-of-the-art keylogger and next-generation pentesting tool. Once inserted between the keyboard and the computer, Key Croc can quietly record every keystroke while remaining fully pass-through — the user usually won’t notice anything. What’s even more interesting is that Key Croc can react to specific keystroke sequences (so-called pattern matching), so after a particular text or password is typed, it automatically executes a pre-configured script. This is what sets Key Croc apart from regular keyloggers—it’s not just a passive “listener,” but an active part of a pentesting attack.
Operating the Key Croc is designed to be very simple. As soon as you plug the device between the computer and the keyboard, it immediately starts logging all keystrokes in its default mode. If you want to manage the device, all you need to do is press the hidden button on its underside, which switches it into so-called “arming mode.” In this mode, Key Croc acts as a USB flash drive, letting you review logs, upload your own scripts, and adjust settings including WiFi connectivity, SSH, or keyboard language mapping. Beyond that, Key Croc also offers the possibility to connect to the internet and be managed remotely — for example via the Hak5 Cloud C2 server, where you can monitor logs in real time, trigger payloads, or exfiltrate data.
The heart of attacks with Key Croc are so-called payloads, which combine the simple Ducky Script language with the option to use advanced Bash scripts. The scripts can wait for a particular word or key combination (such as “sudo” or “CTRL-ALT-DELETE”), and at that moment trigger further actions — saving an entered password, injecting keystrokes, enabling network card emulation, or even signaling with a colored LED. The modern version of Ducky Script on the Key Croc adds the ability to use complex regular expressions, conditions, or file handling. A typical scenario might look like this: the device detects the entry of an administrator command, saves the following password to a special log, and immediately sends it to the cloud.
The configuration itself is very straightforward. The key setting is the keyboard language map to avoid mistakes in the recorded data; everything else is optional — WiFi, SSH, DNS, and various security features such as a password to access arming mode. In addition to logging keystrokes, Key Croc also enables other attack techniques — for example, emulating USB devices, gaining access to an internal network, exfiltrating files, triggering scripts based on user presence (detection of keyboard activity), or working with multi-stage payloads that can be easily enabled and disabled.
Payload development is very flexible thanks to the combination of Ducky Script and Bash, and is accessible to anyone who has ever written a simple shell script. There’s also a large library of community-contributed sample payloads, which can be easily used or modified. All records, loot, and logs are clearly stored in the “loot” folder, from where they can be downloaded at any time or sent automatically.
Key Croc by Hak5 thus represents a universal and extremely inconspicuous tool not only for professional penetration testers, but for anyone who wants to test the physical security of their devices. It utilizes modern concepts of scripting, automated attacks, and remote management, yet its use is surprisingly simple — in principle, it really is “plug and log.” Detailed tutorials, documentation, and more examples can be found at docs.hak5.org and in the GitHub repository. Key Croc by Hak5 is available zde.
