
I Need to Make a "Keylogger" in MetaSploit/Kali That Records Application Events and Email Bodies


whitehat


Is this possible? I know that metasploit has the ability to write custom keyloggers but I don't know much about it and I've gotta update my boss later today.

Basically, there's some vendor we pay a ton of money to write and utilize a runtime DLL, which captures events like when a window opens/closes, gains focus or loses focus, etc. Turns out the vendor is an evil, obstructive, insulting, and generally useless company that causes us non-stop problems. I said that it's probably possible to accomplish the same thing with a custom written keylogger from Metasploit.

Hopefully it is possible and if so, then hopefully we can output the data to SQL Server for statistical analysis and storage. If anyone knows how to do any part of that then please let me know.

I don't have to actually do all this today, I just have to say if it's possible and if so then kind of show how it would work. I'll try to actually accomplish it though.

If anyone can help you'll be my hero!!!!

UPDATE: Sorry for the garbled message. Stupid iPad.

Edited by whitehat

I'll say probably. There are loads of keyloggers out there, including one built into Meterpreter, you could modify any of them.

Your message is a bit mangled so I'm not exactly sure what you're trying to do with it, but as a general policy you can do anything with software if you've got the time and skills.


If the vendor works locally on one of your machines, as in a contractor, then I'd say install physical keyloggers between keyboard and PC. If this is a hack, generally, that's pretty much breaking the law, but if it's your own equipment, there are even Windows keyloggers that when tied with Nirsoft tools can be bat scripted to run in the background and hidden. I did this to monitor my niece for my sister since she was being bullied at school and made a set of tools that ran from windows\system32 and would load on boot and then sent me the files to a drop box upload every so often, and would rotate logs with timestamps, then upload every time the machine rebooted or she logged on. Eventually we scrapped it since they didn't want to invade her privacy, but I had made the tool based on some freeware stuff that never got picked up by AV, and if it did, you can always set it up to run with exceptions for tools you specifically want to run. I basically installed it while elevated to system, instead of admin, so it couldn't be removed, but sure there are a ton of off the shelf tools for legit work needs that don't require a metasploit exploit unless you're breaking into the vendor's machine, which again, not sure how legal that is. To put on your own workstations at work, that's company policy and up to the company and local/state laws where you live.

Personally though, this is where I would start, since it gives you a non intrusive way of intercepting data and is transparent: http://acehackware.com/search?q=keylogger&x=23&y=10


Hey DigiP

Thanks for the response, but as much as I *love* both those hardware keyloggers and Acehackware, these traditional keyloggers aren't going to be the tool for this job. It's my fault for not writing a more clear original post and I will go clean it up in a bit.

This one is not a hack at all, it's literally my main job for this company right now. But the reason hardware or other normal key loggers don't work is that we don't want keystrokes per se and we do want a bunch of stuff that the keylogger would miss.

What we want are "events". Events = stuff like which window you used, how long you used it, what your workflow was, what applications you run at the same time, etc, etc. Also the bodies and headers of emails in Outlook. The vendor is not local thank Mitnick. I can show you their website in a PM if you want... I hate them sooo much. Anyway, what we want is basically the info on (almost) everything EXCEPT keystrokes. It's going to be used for statistical analysis and the keystrokes wouldn't help me in that regard, at least given the (confidential) research question I'm having to answer.

Incidentally, I'm not saying that *I* own and use hardware keyloggers... but let's say that a little birdie told me that those things have been working less and less frequently over the past 2 - 4 years. They don't work on iMacs and they also don't work on any docking station I can find. Not much good for laptops either. This is an unrelated concern tho lol

Edited by whitehat

Is the vendor using company supplied workstations though? You could install a hidden VNC view only session so you can monitor what he is doing, but there is probably off the shelf software for full on event logging and data storage, like parental control software, I'm sure they make something for corporations to monitor usage, log data, etc. The other thing is, if it's emails you need access to, so long as it's not sent over encrypted means, you could always MITM the traffic on that end too and capture all of that with a lan tap, or port mirror on the switch tied to his MAC address if you know his workstation's info, then you have a way to see everything going in and out of this machine traffic wise, but that doesn't solve the screen flow, which the Video Ghost might help with depending on the hardware in use. Just trying to throw some ideas out there. Other thoughts are writing your own tool depending on the OS being used, you might be able to just write something that does everything you need with a little python or such. I'm not a programmer, so don't know where to start, but I imagine checking window titles for programs, snapping screen shots and intercepting socket data would be possible, just need someone to write a tool for what you need to achieve. http://acehackware.com/products/videoghost


hehehehehe oh, dude I like the way you think. That would be fun as heck, but I'm really not trying to hack the vendor or anyone (also, they are on the other side of the country).

I'm trying to make my own version of the vendor's software (which is a DLL) so that we don't have to hire them anymore. I'm just trying to write a piece of software that captures in a log file the events on a user's computer, such as what programs they launch, when they open or close a window, and that type of thing. It's not for hacking (seriously). We just need the data on those types of events so that we can do research based on the statistics.


The people who have the DLL installed on their computers are volunteers. I know I probably say something like that even when I actually am hacking someone, but in this case it's literally true LOL. Eventually all employees in the company will have some version of this logger on their computer.


The only reason I'm asking this question in the context of a "keylogger" and metasploit is that it seemed to me that what a keylogger does is highly similar to what the vendor's DLL does. In fact, I know I've seen some of the same types of events recorded when I've key logged in the past, but I've used so many different keyloggers since I was a kid that I have no idea which one it was. Even if I did remember, I will want to customize this one myself anyway. I just kind of need some help getting started though, because I don't know how to call the information on those types of events.

I almost suggested logging screenshots to my boss too, but then I remembered that I can't exactly do statistics on screenshots. The problem is that you and I both have our brains stuck in hacker mode lol

Edited by whitehat

If everything is Windows based (and this may sound funny), you can do it in VB6 (that's as far as I went with Windows programming and never moved to .net and C# - but it would work). I used to have one written in the win98 days, logged titles of every window opened, with time stamps, keylogged (which you don't need) but could also read files they opened, like emails, text docs, etc and if say you looked for key titles like, every Windows form has a name/title like Internet Explorer, if in the title it said MySpace + Internet Explorer, I would take screen shots, so if say they opened Outlook, you log the event, time and take a screen shot, and when an email is opened, screen shot, etc.

Need an in house .net or c# dev guy to write you one that can work around UAC too, or just reverse engineer the one the vendor made since it's a DLL, you might be able to debug the file to make your own executable. I am by no means a programmer, just throwing out ideas...

Most of the keylogger code I used back in the day, I got off http://www.planetsourcecode.com/ and since it was all written in VB6, using DLLs and such, it always looked like a legit program and never set off any AV either. That was one of the things I always found weird was that Windows has built in capabilities, to basically send all data to the clipboard and then write/dump it to file, and AV ignores that most of the time.

http://www.planetsourcecode.com/vb/scripts/BrowseCategoryOrSearchResults.asp?lngWId=3&txtCriteria=key+logger

http://www.planetsourcecode.com/vb/scripts/BrowseCategoryOrSearchResults.asp?lngWId=1&txtCriteria=key+logger

Edited by digip

aaaaaaaaaaah ha! That's hella useful information, thank you. That was just what I needed to hear.

If anyone knows a metasploit way for fun and for the dual purpose of learning metasploit then please lemme know. For now though I'm going to pursue doing it your way. Moreover, that website in general just looks like an amazing resource and you're right -- there seems to be lots of relevant info there.

I'm tempted to say that I will provide the source if I'm successful, but I suppose I can't in this case. Maybe I'll make a separate open-source version afterwards if I'm successful.


Anyway, thanks again. Btw despite my prior statements it would be kinda funny to hack the vendor, but that was just not related to this more important quest. My contact with the vendor (one very junior, very assholic person) did ask for a hacking and I have d0xed him a bit, but if I ever get this logger made then let's come back to hacking him.

Edited by whitehat

Planetsourcecode is pure awesomeness. I too would like to thank you for the link digip! That's the second time one of your links has changed my life (the other being securitytube.net, years ago).

whitehat: I'd love to see a public version of your code when you're done - if you know ruby at all, you could even add it to metasploit! Knowing what the user is up to without doing screengrabs could be a very useful tool for meterpreter.

telot


DigiP: Both of my bosses really liked an event logger I found through Planet Open Source. I let them know how I found it (without being specific about which forum). I owe you!

telot: Right on, thanks for the encouragement --> I will try to come back in a couple weeks with an opensauce 'terpreter script then :)

Edited by whitehat
