How to set up your own VPN for free. #privacyRead More
In my last post I gave a brief introduction to what a keylogger is. In summary a Keylogger is a piece of Hardware or Software that records your keystrokes (usually against your permission). This post is going to look explicitly at Software keyloggers.
In this post I'm also not going to cover any of the free keylogger software available out there for three reasons:
- Most of it is old.
- Most of it is very clunky.
- Its easily detected by Antivirus.
Instead I'm going to focus on Keylogger code.
What is a Software Keylogger?
A Software keylogger is different from the Hardware keyloggers we covered here. Software keyloggers essentially perform the same functions as Hardware keyloggers in that they log keystrokes however where as Hardware keyloggers require a dedicated device, software keyloggers only need to be written to run on a victims operating system. Software keyloggers also usually have more features builtin than hardware keyloggers, for example its quite common for software keyloggers to also take screenshots or in some cases even record video on periodic intervals and send them back to a remote server this would be quite difficult to do with a Hardware keylogger.
As fields like virtualisation and now containerisation have advanced in the last decade there has been an increase in the complexity and also functionality of software keyloggers there are now kinds of keyloggers which run explicitly from virtual machines or can detected when they have infected a virtual machine and act accordingly.
Keyloggers are actually quite easy to find on the internet. Just doing a quick google serach provides a goldmine of information you can user to create your own keylogger. Most of these examples are in Python or C++ heres a few of the best ones:
GitHub is an absolute treasure trove for keyloggers I have listed a few examples below but its also good to look at botnet code or trojans to see how they do keylogging as in some cases they might have a more efficient system than some of the ones below:
A few months ago i modified a C++ Keylogger and installed it on a virtual machine. heres some sample output:
In a nutshell one started all keys are logged to a file in C:\WINDOWS called KeyboardServices.txt to get the whole thing running from looking at some code samples and chopping and changing some bits the whole operation took an hour.
Im still fixing up some issues where it logs special characters as "Unknown Character" but it make deciphering text that little bit easier but it could get in the way if your trying to sniff passwords and all the special Characters are coming up as "Unknown Character".
If I ever setup GitHub I'll be sure to upload it and make a reference to it here.
Protecting Yourself from Software Keyloggers
Just like protecting yourself from hardware keyloggers many of the same rules/tips apply but I have included a few extra here:
- Always check any computer you are using for any strange peripheral devices.
- Make sure you thoroughly check any PC's or devices you purchase online to make sure you haven't received any "Bonus extras".
- Regularly audit your PC for peripheral devices.
- Use air gapped machines for any business or sensitive admin tasks.
- If you have to use a machine with a level of security you don't trust enter sensitive information out of order use the mouse cursor to help.
- Use a Key Scrambler program.
- Use Antivirus regularly. most Antivirus products detect keyloggers quite easily.
- Use additional Anti-malware / keylogger detection software.
- Periodically audit system locations for any suspicious files. The keylogger I wrote stores the keystrokes in the Windows Folder many may do the same or similar.
- Use a Password manager App to avoid keying in your password repeatedly.
As always please let me know if found this article useful or if you didn't, Don’t forget to like this post or leave a comment below to let me know another area you would be interested in reading about. Thanks for your continued support! Until next time!
One of my favourite TV shows is Person of interest. I was just finishing up my Computer science degree when the show first started airing I was amazed at how the Reese and Finch managed to so easily bluejack unsuspecting “numbers”. In High school I has a range of Bluetooth sniffers installed on my trusty and highly customizable Sony Ericsson. Unfortunately by the time person of interest started airing everyone had either moved to android or the iPhone and Bluetooth sniffing was never the same.
Recently I purchased the Ubertooth One to see how much Bluetooth sniffing has changed since my high school days, this post documents my first attempts at Bluetooth sniffing / cracking with the Ubertooth One.
What you will need
In order to be able to successfully set-up a Bluetooth sniffing system you will need the following:
- An Ubertooth One device.
- An additional Bluetooth dongle or Bluetooth adapter.
- A PC which runs Windows, Mac, OSX or Linux.
- A bootable USB running Kali Linux (this one is optional)
You can perform these activities on just about every major desktop operating system but for this tutorial we focussed on running this with Kali Linux.
The most difficult part of Bluetooth sniffing – installing all of the tools
I caution you – there are a number of resources on the internet dedicated to setting up the Ubertooth One, this post included. After spending a day and a half attempting to get bluetooth sniffing working with absolutely zero background on the subject, my perseverance and can do attitude kicked in and I had the Ubertooth and associated scanning commands working like a charm. In order to save everybody the trouble here are the golden rules of getting the Ubertooth running on your machine:
- Ignore all of the blog posts and websites which tell you how to install / configure the Ubertooth One (most of them are no longer relevant).
- Only follow the installation guide at this location
- Update your Ubertooth firmware asap.
One final tip make sure you have a range of additional Bluetooth tools you can use for Bluetooth debugging / sniffing if you’re having trouble with the install its good to have an arsenal of other tools you can use to verify if the issue you are experiencing is a configuration issue or a hardware issue.
Learning to walk before you can run, viewing the Wi-Fi spectrum with the Ubertooth On
Getting the Ubertooth One setup for Bluetooth sniffing isn’t the easiest activity to get up and running so I recommend before you go into any sniffing you walk through some of the Ubertooth Ones other capabilities i.e. spectrum analysis.
To get started make sure you have installed Kismet and spectools for spectrum analysis. To install kismet and spectools follow the commands below:
root@kali:~# git clone https://www.kismetwireless.net/spectools.git Cloning into 'spectools' root@kali:~# cd spectools root@kali:~/spectools# ./configure root@kali:~/spectools# make root@kali:~/spectools# make install
Now to run Spectools simply type:
Below are some screen caps of some of the Spectrum analysis I performed:
How does one listen in on Bluetooth?
Once your Ubertooth is setup and configured you can run the following commands to analyse Bluetooth traffic.
hcitool is one of the default linux Bluetooth utilities when running it will return the MAC address and name of any Bluetooth devices in range:
root@kali:~# hcitool scan
One of the Ubertooth utilities is ubertooth-scan also allows you to passively monitor Bluetooth traffic – below is the command line usage:
root@kali:~# ubertooth-scan –s
The majority of the scanning work I undertook was with using ubertooth-btle. This allows you to capture Bluetooth traffic between Bluetooth low energy compatible devices this is becoming one of the preferred methods of Bluetooth communication between new devices, next time you’re in a store just look at the Bluetooth devices most of them should say Bluetooth-low energy compatible.
To run ubertooth-btle in promiscuous mode and output the contents int a pcap file simply run the command:
root@kali:~# ubertooth-btle –p –f -c capture.pcap
Below is a sample of what the btle packets look like when your run ubertooth-btle in promiscuous mode:
systime=1441512979 freq=2440 addr=8d651b4d delta_t=3.599 ms 86 9e d1 00 65 92 86 01 5d 3e 0e 5e 65 e0 61 9a 7d f7 04 c8 9f f5 45 00 ce f5 cc c8 8f 67 02 f5 4f a7 f5 Data / AA 8d651b4d (valid) / 30 bytes Channel Index: 17 LLID: 2 / LL Data PDU / L2CAP start NESN: 1 SN: 0 MD: 0 Data: d1 00 65 92 86 01 5d 3e 0e 5e 65 e0 61 9a 7d f7 04 c8 9f f5 45 00 ce f5 cc c8 8f 67 02 f5 CRC: 4f a7 f5 systime=1441512979 freq=2440 addr=72f844df delta_t=146.421 ms 01 00 9b 72 68 Data / AA 72f844df (valid) / 0 bytes Channel Index: 17 LLID: 1 / LL Data PDU / empty or L2CAP continuation NESN: 0 SN: 0 MD: 0 Data: CRC: 9b 72 68
If you want to follow a specific device you can use the command below where “00000000” would be the devices MAC address:
root@kali:~# ubertooth-btle –a 00000000
Using crackle to decrypt Bluetooth packets
Crackle is an easy to use brute force cracking utility. Since most Bluetooth pairing codes which encrypt traffic between two devices are only 4-6 digits long they can be easily decrypted if the pairing between two devices is captured and this also allows you to listen in on future interactions between the two devices as we will show shortly, but fist lets walk through installing crackle which can be done by following the commands below:
root@kali:~# tar xf crackle-0.1.tgz root@kali:~# cd crackle-0.1 root@kali:~/crackle-0.1# ls aes.c aes-enc.c aes_i.h COPYING crackle.h README aes-ccm.c aes.h AUTHORS crackle.c Makefile test.c root@kali:~/crackle-0.1# make cc -Wall -Werror -g -c -o crackle.o crackle.c cc -Wall -Werror -g -c -o aes.o aes.c cc -Wall -Werror -g -c -o aes-ccm.o aes-ccm.c cc -Wall -Werror -g -c -o aes-enc.o aes-enc.c cc -Wall -Werror -g -c -o test.o test.c cc -o crackle crackle.o aes.o aes-ccm.o aes-enc.o test.o -lpcap root@kali:~/crackle-0.1# make install
Once crackle is installed we can begin walking through using crackle to decrypt pcap files with Bluetooth data on them. To do this simply run the following command on your desired pcap file:
root@kali:~/crackle-sample# crackle -i ltk_exchange.pcap -o decrypted.pcap TK found: 000000 ding ding ding, using a TK of 0! Just Cracks(tm) Warning: packet is too short to be encrypted (1), skipping LTK found: 7f62c053f104a5bbe68b1d896a2ed49c Done, processed 712 total packets, decrypted 3
Now to listen in on future communications between the two devices run the following command on a pcap file and supply the LTK value you discovered earlier:
root@kali:~/crackle-sample# crackle -i encrypted_known_ltk.pcap -o decrypted2.pcap -l 7f62c053f104a5bbe68b1d896a2ed49c Warning: packet is too short to be encrypted (1), skipping Warning: packet is too short to be encrypted (2), skipping Warning: could not decrypt packet! Copying as is.. Warning: could not decrypt packet! Copying as is.. Warning: could not decrypt packet! Copying as is.. Warning: invalid packet (length to long), skipping Done, processed 297 total packets, decrypted 7
With some of my own BLE captures there wasn’t enough packet info to run crackle successfully so I ran crackle with some sample files to give an overview of how the tool works.
Here are a few good resources you should check out:
Bluetooth, hopefully this article packages it up into a nice and easy digestible format as the process to get it to this level wasn’t that straight forward or error free.
As always please let me know if found this article useful or if you didn't, Don’t forget to like this post or leave a comment below to let me know another area you would be interested in reading about. Thanks for your continued support! Until next time!.