Python keylogger

Python keylogger package

The job is already done and packaged in the keylogger Python package.

Installation

Python 3

This package works with Python 3; make sure you are using it:

python --version

If python2 is set by default:

sudo apt-get install python3-pip

Package

pip install keylogger

If python2 is set by default:

sudo -E pip3 install keylogger

Set up log file

sudo touch /var/log/keylogger.log

Group & ownership for log file

sudo groupadd spy
sudo usermod -a -G spy vagrant    
sudo chown root:spy /var/log/keylogger.log
sudo chmod 660 /var/log/keylogger.log

Usage

/home/vagrant/.local/bin/keylogger --log-file /var/log/keylogger.log --clean-file &

Watch log

tail -f /var/log/keylogger.log 

Below is the log generated by typing gmail.com in Firefox and logging in with thisismymail@gmail.com/mypassword:

g
m
a
i
l
Shift_L
period
c
o
m
Return
t
h
i
s
i
s
m
y
m
a
i
l
Shift_L
Shift_L
Shift_L
[65027]
agrave
g
m
a
i
l
Shift_L
period
c
o
m
m
y
p
a
s
s
w
o
r
d

RIP Linux user password with John the Ripper

Add a new user

sudo useradd -r foo
sudo passwd foo
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully

Password hash file

Linux user password hashes are stored in /etc/shadow.

Rip it!

sudo john /etc/shadow
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 5 OpenMP threads
Proceeding with single, rules:Wordlist
Press 'q' or Ctrl-C to abort, almost any other key for status
vagrant          (vagrant)
Warning: Only 3 candidates buffered for the current salt, minimum 20
needed for performance.
toor             (root)
Warning: Only 14 candidates buffered for the current salt, minimum 20
needed for performance.
Warning: Only 6 candidates buffered for the current salt, minimum 20
needed for performance.
Warning: Only 16 candidates buffered for the current salt, minimum 20
needed for performance.
Warning: Only 17 candidates buffered for the current salt, minimum 20
needed for performance.
Warning: Only 3 candidates buffered for the current salt, minimum 20
needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any
Warning: Only 15 candidates buffered for the current salt, minimum 20
needed for performance.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
foobar           (foo)
3g 0:00:00:01 DONE 2/3 (2019-05-06 10:39) 1.570g/s 1806p/s 1808c/s 1808C/s 1234qwer..ford
Use the "--show" option to display all of the cracked passwords reliably
Session completed

And user password is...

foobar           (foo)
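
John's banner above reports sha512crypt with an iteration count of 5000, which is the scheme's default cost. As an added example (not part of the original page), this Python script audits shadow-format lines for empty, legacy or low-cost password hashes. The sample entries, the placeholder hash strings and the MIN_ROUNDS threshold are assumptions made for illustration.

```python
# Added example: audit shadow(5)-format lines for weak hashing configuration.
# SAMPLE is constructed for illustration; the hash fields are fake placeholders.
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
DEFAULT_ROUNDS = 5000   # sha256crypt/sha512crypt cost when no rounds= field is present
MIN_ROUNDS = 100_000    # assumed local policy threshold, tune to your hardware

SAMPLE = """\
root:$6$saltsalt$FAKEHASHFAKEHASH:18022:0:99999:7:::
foo:$6$rounds=200000$saltsalt$FAKEHASHFAKEHASH:18022:0:99999:7:::
legacy:$1$saltsalt$FAKEHASH:18022:0:99999:7:::
daemon:*:18022:0:99999:7:::
guest::18022:0:99999:7:::
"""

def audit_line(line):
    """Return (user, scheme, rounds, findings) for one shadow entry."""
    user, field = line.split(":")[:2]
    findings = []
    if field == "":
        return user, None, None, ["empty password field"]
    if field[0] in "*!":
        return user, None, None, []   # locked account or no password login
    parts = field.split("$")
    if len(parts) < 3 or parts[0] != "":
        return user, "des/unknown", None, ["legacy or unrecognised hash format"]
    scheme = SCHEMES.get(parts[1], "unknown")
    rounds = None
    if scheme in ("sha256crypt", "sha512crypt"):
        rounds = DEFAULT_ROUNDS
        if parts[2].startswith("rounds="):
            rounds = int(parts[2].split("=", 1)[1])
        if rounds < MIN_ROUNDS:
            findings.append(f"{scheme} with only {rounds} rounds")
    elif scheme in ("md5crypt", "unknown"):
        findings.append(f"weak or unknown scheme: {scheme}")
    return user, scheme, rounds, findings

def audit(text):
    """Map user -> findings for every entry with at least one finding."""
    results = (audit_line(l) for l in text.splitlines() if l.strip())
    return {user: f for user, _, _, f in results if f}

if __name__ == "__main__":
    for user, findings in audit(SAMPLE).items():
        print(f"{user}: {'; '.join(findings)}")
```

A higher cost only slows each guess; passwords like the ones cracked above still fall to John's single and wordlist modes.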

RIP a password protected archive with John the Ripper

Install KALI

First, install a Kali headless VM with Vagrant.

Give the VM plenty of CPU and RAM. For instance, in the Vagrantfile:

Vagrant.configure("2") do |config|
  # (the box selection line is not shown in this excerpt)

  # Create a forwarded port
  config.vm.network "forwarded_port", guest: 80, host: 8080

  # Create a private network. In VirtualBox, this is a Host-Only network
  config.vm.network "private_network", ip: "192.168.33.101"

  # VirtualBox specific settings
  config.vm.provider "virtualbox" do |vb|
    # Hide the VirtualBox GUI when booting the machine
    vb.gui = false

    # Customize the amount of memory and the number of CPUs on the VM
    vb.memory = "8192"
    vb.cpus = 5
  end

  # Provision the machine with a shell script
  config.vm.provision "shell", inline: <<-SHELL
    apt-get update
    apt-get install -y crowbar
  SHELL
end

Generate a test archive

echo "foo bar" > file.txt
zip -P pass archive.zip file.txt

Thus, our archive is protected with the password: pass

Test password protection:

unzip archive.zip 
Archive:  archive.zip
[archive.zip] file.txt password: 

RIP archive.zip

Get password hash with zip2john

zip2john archive.zip > hash.txt

Prints:

ver 1.0 efh 5455 efh 7875 archive.zip/file.txt PKZIP Encr: 2b chk, TS_chk, cmplen=20, decmplen=8, crc=13DDB427

RIP hash

john hash.txt

Prints:

Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Proceeding with single, rules:Wordlist
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 4 candidates buffered for the current salt, minimum 8
needed for performance.
Warning: Only 5 candidates buffered for the current salt, minimum 8
needed for performance.
Warning: Only 6 candidates buffered for the current salt, minimum 8
needed for performance.
Warning: Only 4 candidates buffered for the current salt, minimum 8
needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
pass             (archive.zip/file.txt)
1g 0:00:00:00 DONE 2/3 (2019-05-06 09:53) 50.00g/s 2109Kp/s 2109Kc/s 2109KC/s 123456..Peter
Use the "--show" option to display all of the cracked passwords reliably
Session completed

And archive password is...

pass             (archive.zip/file.txt)

Tips

If you run john again, you will get:

john hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
No password hashes left to crack (see FAQ)

This means that the password has already been ripped. To print the password, check the .john/john.pot file or use the --show option:

john hash.txt --show
archive.zip/file.txt:pass:file.txt:archive.zip::archive.zip

1 password hash cracked, 0 left