Keylogger



Update:

I think I've found the problems but need help with an iptables problem. If any of you know iptables the question is here:

The module is running and serving files, there are a few tweaks and I think once this rule is sorted it should start working.

For anyone interested in how it works, when all is working I'm planning to do a write up on it and how to run it on a PC as well as the Pineapple so you can set it up and play with it in an easier to play with environment.


I will investigate the iptables issue. The module already installs all the necessary requirements to run correctly on the pineapple.

EDIT: After discussions with Digininja, he found that to have the proxy working on bridged interfaces we need ebtables not iptables. He asked Seb to build a package.

Edited by Whistle Master

Quick update....

I've got ebtables installed and working on the device and it is intercepting traffic. Nearly there but the one small problem is that the proxy is making the request to the real site but that request is being captured and served by the local server rather than being allowed out to the real world.

I'm not sure why it is doing this as everything I've read says it shouldn't but I'll keep looking into it.


Between sick 2yr old, wife due with number 2 next week, work coming out of my ears and trying to have at least a bit of a social life I am still working on it.

I keep posting little bits of info whenever I've done anything, or made a step forward, just to keep the thread alive and keep people informed that things are moving, however slowly.


After 4 hours of banging my head against sockets and one pile of baby puke cleaned up I think I've got it working!

I've not had chance to test the injection properly but the proxying is fully working in bridge mode and traffic is flowing well enough to browse through. I've only got a phone as a test client at the moment so no view source to check things are going in to the right places.

Tomorrow night (actually tonight, it's 1AM) I'll get a second laptop out and prove things are working. Remove the reams of debug code, optimize what's left and, if everything is working as I hope, I'll get it packaged up.


Can't wait to see this!

I am a bit gutted though because I spent the last 2 days making a few phishing pages (I know it would probably take you guys ten minutes, you probably have software to make the page for you). Now they're all ready, you bring this to the table haha.

GOOD STUFF THO!


And it works!!!

Tidying up and then passing to WM to sort out the module.

I'm going to write up exactly how it works on my blog sometime next week. I've also got ideas on how to make this better so there will be a version 2 along some time in the near future.


While I remember I'm going to post this link here:

https://dev.openwrt.org/ticket/9873

With the Ruby install that comes on the Pineapple you will get the following error making HTTP requests:

ruby: can't resolve symbol 'getipnodebyname'

The link above has the solution, basically you grab the file socket.so from the 1.9.1 build of ruby-core and overwrite the one that is on the Pineapple.


For those who are interested, and can't wait for WM to put all this into a module you can grab the files directly from my site: www.digininja.org/files/working_keylogger.tar.bz2

This isn't a working module, it is a bunch of files that you have to manually work with but if you are interested then here are some instructions:

Install ruby, ruby-core, libruby and all associated dependencies

Follow the instructions in the link on my last post to patch ruby. Basically copy the socket.so file into the right directory

Put k.php and k.js into the /www directory and make a directory called capture. Check you can browse to them

The script start_ruby sets up a few environment variables, run this or ruby won't work

The script start_tables does the interception magic and hijacks all traffic on port 80, redirecting it to localhost 8008

Start the proxy. It has various command line options, run with -h to see them. I'd suggest running it to start with with -v to see what is going on.

That should get you a running keylogger. Captured keys are dumped into files in /www/capture

I might have missed something here but if you are considering trying this then you probably know enough to be able to debug things. It isn't really that hard now I've got it working.

I'll do a full write up later.

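Added example (not part of the original posts and not the author's code): a defender-side check for the kind of script injection an intercepting port-80 proxy performs. It compares a page as received over plain HTTP with a copy obtained over a trusted path and lists script elements that exist only in the received copy. The function names and HTML samples are constructed for illustration; `/k.js` is simply the file name mentioned in the post above.

```ruby
require 'digest'
require 'set'

# Matches a whole <script> element: group 1 = attributes, group 2 = inline body.
SCRIPT_RE = /<script\b([^>]*)>(.*?)<\/script\s*>/im

# Identify every script element by its src URL, or, for inline scripts,
# by a short SHA-256 prefix of the body, so two copies can be compared as sets.
def script_ids(html)
  html.scan(SCRIPT_RE).map do |attrs, body|
    src = attrs[/\bsrc\s*=\s*["']?([^"'\s>]+)/i, 1]
    src ? "src:#{src}" : "inline:#{Digest::SHA256.hexdigest(body.strip)[0, 16]}"
  end.to_set
end

# Scripts present in the copy received over plain HTTP but absent from the
# trusted baseline (assumption: the baseline was fetched over a path the
# intercepting device cannot modify, e.g. HTTPS or a wired network).
def injected_scripts(baseline_html, observed_html)
  (script_ids(observed_html) - script_ids(baseline_html)).to_a.sort
end

# Constructed sample: the page as the site serves it.
BASELINE = <<~HTML
  <html><head><script src="/static/app.js"></script></head>
  <body><form action="/login"><input name="user">
  <input type="password" name="pw"></form>
  <script>initForm();</script></body></html>
HTML

# Constructed sample: the same page with one extra script reference added
# in transit.
OBSERVED = BASELINE.sub('</body>', '<script src="/k.js"></script></body>')

if __FILE__ == $PROGRAM_NAME
  extra = injected_scripts(BASELINE, OBSERVED)
  if extra.empty?
    puts 'no unexpected scripts'
  else
    puts "unexpected scripts: #{extra.join(', ')}"
  end
end
```

Pages with per-request inline scripts will show up as differences too, so treat a hit as a prompt to inspect the response rather than as proof of tampering.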

Update...

WM created the module but had problems getting it working so I've been working with Seb tonight and we are nearly there. We've fixed a few bugs in the proxy and found a technical problem but one that should be easy to fix.

We will keep working on it and let you know when done.
