VincBreaker


Hi there,

I just finished the first version of my BB keylogger. It basically launches a PowerShell which keylogs to the loot folder of the BB.

Features:

  • Fast launching (thanks to USB Exfil for the one-line launcher)
  • Leaves no traces when cleanup is enabled.
  • (Insert feature?)

Link:

https://github.com/Vinc0682/bashbunny-payloads/tree/master/payloads/library/phishing/WinKeylogger

VincBreaker

PS: I will create a pull request upon positive feedback and improve the payload in the other case.

Edited by VincBreaker
  • Upvote 1

Nice simple keylogger.

A cool addition I can think of is to have an optional parameter for a remote location in case you have to disconnect the BB. When it detects it cannot save to the BB anymore, it can start saving to the remote location if it is set. If that vanishes, then it can quit, or quit if there is no optional remote and the BB disconnects. I always consider the BB a tool not to be left for too long (especially with the heat it builds up).


Great idea, but I think I have a few improvements.

I cut everything down to l.ps1 and payload.txt, and made it so that only one window is opened. 

I did change the parameter for CLEANUP to be 0 if you don't want it to run, and anything else if you do want it to run.

 

Also, I noticed some general weirdness going on when I was testing, mainly that when I was typing quickly it would log some of my keystrokes out of order, but 98% of the time it worked great!

 

An interesting feature would be to implement an SMB server instead of mass storage so that it was less obvious what was going on. I think BashBunny listed in the drives list is a bit of a dead giveaway, but an extra network connection would probably go unnoticed for a larger portion of the time.

 

Good job with this one!

payload.txt

l.ps1

  • Upvote 1

55 minutes ago, PoSHMagiC0de said:

Nice simple keylogger.

A cool addition I can think of is to have an optional parameter for a remote location in case you have to disconnect the BB. When it detects it cannot save to the BB anymore, it can start saving to the remote location if it is set. If that vanishes, then it can quit, or quit if there is no optional remote and the BB disconnects. I always consider the BB a tool not to be left for too long (especially with the heat it builds up).

Yeah, I totally agree. There should be an optional remote location. Again, agreed on the idea that the BB is a tool, not something to be left in the computer. My BB had a defect and ended up melting b/c of the heat, but I doubt that would happen to other Bash Bunnies.


That one melting you had was enough for me to consolidate the tool approach hehe.

I had to install mini heat sinks and fans in my Raspberry Pi RATs because if I work them, those chips' heat would skyrocket. I assume if you put a load on this thing, it would probably melt any of them over time. I think you said you had yours just chilling there. hehe


9 hours ago, jafahulo said:

Great idea, but I think I have a few improvements.

I cut everything down to l.ps1 and payload.txt, and made it so that only one window is opened. 

I did change the parameter for CLEANUP to be 0 if you don't want it to run, and anything else if you do want it to run.

 

Also, I noticed some general weirdness going on when I was testing, mainly that when I was typing quickly it would log some of my keystrokes out of order, but 98% of the time it worked great!

 

An interesting feature would be to implement an SMB server instead of mass storage so that it was less obvious what was going on. I think BashBunny listed in the drives list is a bit of a dead giveaway, but an extra network connection would probably go unnoticed for a larger portion of the time.

 

Good job with this one!

payload.txt

l.ps1

Thanks, your approach to cleanup led me to an idea to make the payload even faster. Also, I'm gonna try to make the payload exfil via web and/or SMB :)

The BB in general can become pretty hot and then behave strangely, one more reason to have an exfil method which doesn't depend on the BB.

Edited by VincBreaker
  • Upvote 1

10 hours ago, PoSHMagiC0de said:

That one melting you had was enough for me to consolidate the tool approach hehe.

I had to install mini heat sinks and fans in my Raspberry Pi RATs because if I work them, those chips' heat would skyrocket. I assume if you put a load on this thing, it would probably melt any of them over time. I think you said you had yours just chilling there. hehe

Hahaha, yeah, same. I don't think this thing'll melt unless it's working hard for an extended period of time while plugged into a computer that's pumping some heat into it as well.

Edited by jafahulo

5 minutes ago, RazerBlade said:

Instead of an SMB server, just use a simple Python HTTP webserver which is able to receive POST requests.

I am currently coding a little PHP script which then should run on an external server so the keylogger no longer depends on the BB. (I hate PHP)


An improvement to this would be to add

-windowstyle hidden

During the attack phase so it looks like this

RUN WIN powershell -windowstyle hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\b.cmd')"

This way the PowerShell script is hidden. To improve the keylogger, I think you should look into PowerSploit's keylogger: https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-Keystrokes.ps1

As it's able to capture the program's title (which says a lot about what website a user logs in to, for instance) and adds timestamps too. Maybe incorporate it? Overall your keylogger is very simple and does the job very well. Impressed!


3 hours ago, RazerBlade said:

An improvement to this would be to add


-windowstyle hidden

During the attack phase so it looks like this


RUN WIN powershell -windowstyle hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\b.cmd')"

This way the PowerShell script is hidden. To improve the keylogger, I think you should look into PowerSploit's keylogger: https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-Keystrokes.ps1

As it's able to capture the program's title (which says a lot about what website a user logs in to, for instance) and adds timestamps too. Maybe incorporate it? Overall your keylogger is very simple and does the job very well. Impressed!

In regards to hiding the window, it does that already.

Edited by jafahulo

3 hours ago, RazerBlade said:

Instead of an SMB server, just use a simple Python HTTP webserver which is able to receive POST requests.

I have no experience with either, though I'm wanting to do a project that involves them. What are the advantages of an HTTP webserver vs. an SMB server?


18 hours ago, RazerBlade said:

An improvement to this would be to add


-windowstyle hidden

During the attack phase so it looks like this


RUN WIN powershell -windowstyle hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\b.cmd')"

This way the PowerShell script is hidden. To improve the keylogger, I think you should look into PowerSploit's keylogger: https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-Keystrokes.ps1

As it's able to capture the program's title (which says a lot about what website a user logs in to, for instance) and adds timestamps too. Maybe incorporate it? Overall your keylogger is very simple and does the job very well. Impressed!

The current online version already hides the PowerShell window, but since @jafahulo reworked the launching, it isn't needed anymore. Your window tracking idea is really interesting; I'm gonna try it after I've implemented the web (and maybe the SMB) exfil method.


UPDATE: https://github.com/Vinc0682/bashbunny-payloads/tree/master/payloads/library/phishing/WinKeylogger

The payload:

  • Is now faster (thanks to @jafahulo)
  • Now supports exfil via a webserver: just copy backend.php to a server supporting PHP and copy the URI into the PowerShell script
  • Also, there have been some major changes to the keylogger to make adding future exfil methods (like the WIP SMB exfil) easier.
  • Upvote 2

9 minutes ago, VincBreaker said:

UPDATE: https://github.com/Vinc0682/bashbunny-payloads/tree/master/payloads/library/phishing/WinKeylogger

The payload:

  • Is now faster (thanks to @jafahulo)
  • Now supports exfil via a webserver: just copy backend.php to a server supporting PHP and copy the URI into the PowerShell script
  • Also, there have been some major changes to the keylogger to make adding future exfil methods (like the WIP SMB exfil) easier.

I'm pumped to try it out! As an FYI, I'm going to work in my spare time on completely hiding the PowerShell window so the target will only see the Win + R box.

  • Upvote 1

7 hours ago, VincBreaker said:

UPDATE: https://github.com/Vinc0682/bashbunny-payloads/tree/master/payloads/library/phishing/WinKeylogger

The payload:

  • Is now faster (thanks to @jafahulo)
  • Now supports exfil via a webserver: just copy backend.php to a server supporting PHP and copy the URI into the PowerShell script
  • Also, there have been some major changes to the keylogger to make adding future exfil methods (like the WIP SMB exfil) easier.

Hmm, interesting. Like that you built your own keylogger. FYI, you could have snaked PowerShell Empire's keylogger and reformed it to your needs. :-)

I like this though. If you do not mind, if I have time this weekend I would like to fork this and make some "adjustments"? It is fine, but I can make it more modular where it is transportable, even make it so you only have to make config changes in 1 file to affect the whole thing. The idea popped into my head when I was going through your source.

Well, I will just tell you the ideas and you can implement them if you like. :-P

I wanted to encapsulate your script as a solid function rather than a script file. That way you will need to actually call the function with parameters to start it up.

I was going to add a mandatory parameter for the path to the Bunny SMB server. (This can be changed to be another passwordless SMB server as well, but the primary is for the BB.)

An optional parameter for the PHP server URL will be added after the top 2.

I was going to turn the CLEANUP parameter into a switch type, so if it is present it is true, else it is false, at the end of the parameter list.

 

Inside your script I was going to make it always default to the SMB path, but there will be a test for presence before each attempt to write to it. If it fails and there is a PHP path, then it will try the PHP path. The script will always try the Bunny path first, failing over to the PHP path. If both are nonexistent, then the script ends and cleans up if set. I'd like to add a:

[GC]::Collect()

after all your other cleanup to force garbage collection.

Now the keylogger will be a function that can be called once loaded into memory with parameters. If the Bunny is removed, it will try the server. If the server dies and there is no Bunny, then it will exit.

 

Why make it like this? Well....

Now in your payload.txt you can export variables for the SMB path, PHP path and cleanup option.

Now when you run your PowerShell script, you can include these variables in place of the parameters for the keylogger's function when you call it with QUACK.

 

I have been researching ways to make it so people who use payloads do not have to edit the source in the scripts or programs but can do it mainly from the payload.txt: 1 place to change, less chance of user oopses. This also makes your script dynamic, so if you set up the Bunny to log for some time but have to pull it but have the server up, then it can capture the rest. :-)

Makes it so others can import into their projects too.

 

  • Upvote 1

19 hours ago, jafahulo said:

I'm pumped to try it out! As an fyi, I'm going to work in my spare time on completely hiding the PowerShell window so the target will only see the Win + R box.

Thanks a lot, suppressing the PowerShell popup would make the keylogger so stealthy that it probably wouldn't get noticed even when somebody sits in front of the monitor :)

@PoSHMagiC0de

I didn't quote you since your post is really long.

However, I don't see the need to turn the payload into a PowerShell function since you can already pass parameters to a script using the param statement. That method is already used and doesn't require you to specify any method name, so the Win+R box can run faster and we don't hit the char limit that fast, which is the reason I decided not to transfer the backend's URL via a parameter. (Even though most URLs should fit within the 130 chars left.)

Another possible solution would be to write the parameters into a file which would then be read by the PowerShell script, but this will lead to issues once the script is downloaded and the BB no longer registers itself as a storage device.

 

// EDIT: SMB shouldn't work yet since I'm still working on it.

// EDIT Nr.2: I'm not a PowerShell expert, but I used C# for two years and PowerShell seems to somehow be based on .NET. My experience is not to force garbage collection at the end of a program, since that's one of the first things the runtime does after the program has exited AND it's way more effective after the exit. It's just not worth locking the exit for garbage collection just to run into a way more effective garbage collection.

// EDIT Nr.3: I like that exfil-method fallback concept.

 

Edited by VincBreaker

No prob.

For pulling parameters from the Bunny, you could do this when the script initializes; once it is in memory and has pulled the config on initialization, you do not need to pull it again.

The reason I was going to wrap it was so it would be easier to fire off from the BBTPS and keep it dynamic so it is interchangeable. Though, when I think about it, I would have to build a launcher for it to use in the BBTPS so it fires off as a separate process and does not hold up the agent, since the job may never die, thus the agent will never die and the Bunny server will not get the agent end command which signals you could pull the BB at any time because all jobs have been run.

I was planning on doing a separate project and making the existing payloads on the repo into formats ideal for the BBTPS to be used with it. Since their launcher will be run in the agent as a job instead of from the command prompt, the length of the parameters is no longer a concern. So, I can suck it into that repo. :-)

Yeah, if it is working and you can fire it directly off from the Run line, then it is good on its own. Fallback would be a good addition.

I started a thread to see if anyone was interested in injecting their scripts into other processes to hide, too. I use the psinject module from Empire with the unmanaged DLLs to do my own PoSH injections. I was thinking of building a standalone template with it so others can just add their launcher to pull their script once the launcher is injected and run it inside the process of choice, or auto-target explorer if they like. I mentioned this keylogger would be a good candidate for that. Injection is not good for the BBTPS agent since it is designed to just launch all queued jobs, return values and end.

I am a C# coder too :-). I got into PoSH when it was 2.0 because when I found out I could do .NET stuff with it, it made it easier to learn and build tools at the org I was at without compiling code each time. Having access to .NET and even natives made it even better.

New Idea...

On the other hand, your script is a script file with parameters. I could add the option to the bbAgent and jobs format to use the arguments parameter in PSJobs and could make it dynamic to use function scripts with a function call and open scripts with parameters. Hmm.

Edited by PoSHMagiC0de
new idea
  • Upvote 1

Making the keylogger BBTPS-compatible is an awesome idea; injecting the keylogger into other processes is even greater, but may trigger some AVs, so it should be optional (and I don't think the average user would rate a process called "Windows PowerShell" suspicious). I'm also thinking about a feature to automatically obfuscate the PowerShell script because I love obfuscation, but we have to keep in mind that AVs may or may not detect the obfuscation instead of the keylogger.

Finally, I'll continue developing my Java obfuscator since I had some great ideas while developing the keylogger (it's one of my "I need to think about something else than obfuscation" projects), but I'll surely be continuing the keylogger soon :)
