35 replies to this topic

[Irongeek]

I'm working on writing a review of the current USB hardware keyloggers on the market. So far I've contacted Keelogger, KeyGhost, KeyCarbon/KeyPhantom and KeyKatcher. Price wise, Keelogger seems the best but KeyCarbon has some really cool loggers that go inside of a laptops mini-pci slot:
http://www.keycarbon...aptop/overview/

Anyone else I should contact?

[Swerve]

Hey Irongeek

Are these all inline keyloggers that are used on USB keyboards only?

Not the PS/2 type aswell? Aren't they the more popular type?

Thanks

[LUCKY_FUCKIN_CHARMS]

yea i see more ps/2 type keyboards still but i suppose you could always get a usb to ps/2 adapter.

[Irongeek]

All the ones I plan to look at will be inline USB key loggers. I figured they are the "wave of the future". From what I was reading on the sites, not all of them will work with all PS/2 to USB converters, but I plan to test that.

[Swerve]

but I plan to test that.

Cool, because as we can't choose what the target is using, and as there not mega cheap I'd go with the one which works on the most targets.

Nice idea for a review, I was looking at some on ebay the other day here (UK) the average price is $50/$60 USD.

[xGERMx]

yea i see more ps/2 type keyboards still but i suppose you could always get a usb to ps/2 adapter.

hm? I see the exact opposite.
I've always wondered why PS/2 keyloggers where more popular; it's 2007 for Christ's Sake. UPGRADE!

This review is much needed as PS/2 is (slowly) phasing out.

BTW, those USB - PS/2 converters (the green ones from Dell especially) don't work for shit.
(I've had about 10% success rate with them)

[Irongeek]

Looks like KeyCarbon may send one too. They made the old KeyPhantom, but discontinued it. Also, they may send the mini-pci internal laptop one for me to test.

[LUCKY_FUCKIN_CHARMS]

are you also going to test these loggers with different types of wireless keyboards?

[Irongeek]

are you also going to test these loggers with different types of wireless keyboards?

I did not intend to, but I guess I could. I have just one wireless key board.

[livinded]

I don't see PS/2 keyboards dying for quite a while. Even in stores now you really don't see all that many USB keyboards, at least the cheap ones that is. I have no problem going to usb keyboards (I already use usb mice) but they aren't as cheap and it's not as easy to find them when I have gone out and bought keyboards (unless you want those ugly or nasty ones with the lights that suck). But this review should be good, I wish I got free hardware to test out

[Irongeek]

Well, I got the Keycarbon Home now and am doing some tests. Wish it had the time stamp function for me to test. I'm working to see if I can detect it in software via it's Vendor or Product id as reported by USB view.

[Irongeek]

Neat, it does not seem to log some abnormal characters like


Ω☺☻♥♦♣♠•◘○

What can I call a character set like this in my article? It not "non-printable", and not all of them are "control chracters".

[MyNameIsURL]

Damn dude you're the hardest working man in the hacking business.

[Irongeek]

Thanks, but I know that not to be the case. I did some more checking up on it's VID and PID info:

Dell SK-8135 Keyboard

External Hub: USB#Vid_0451&Pid_2046#5&30b2f72&0&1#{f18a0e88-c30c-11d0-8815-00a0c906bed8}Hub Power:               Self PowerNumber of Ports:         4Power switching:         IndividualCompound device:         NoOver-current Protection: IndividualDevice Descriptor:bcdUSB:             0x0110bDeviceClass:         0x09bDeviceSubClass:      0x00bDeviceProtocol:      0x00bMaxPacketSize0:      0x08 (8)idVendor:           0x0451 (Texas Instruments)idProduct:          0x2046bcdDevice:          0x0125iManufacturer:        0x00iProduct:             0x00iSerialNumber:        0x00bNumConfigurations:   0x01ConnectionStatus: DeviceConnectedCurrent Config Value: 0x01Device Bus Speed:     FullDevice Address:       0x01Open Pipes:              1Endpoint Descriptor:bEndpointAddress:     0x81Transfer Type:   InterruptwMaxPacketSize:     0x0001 (1)bInterval:            0xFF

IBM Model M with a PS/2 to USB Converter:

External Hub: USB#Vid_0451&Pid_2046#5&30b2f72&0&1#{f18a0e88-c30c-11d0-8815-00a0c906bed8}Hub Power:               Self PowerNumber of Ports:         4Power switching:         IndividualCompound device:         NoOver-current Protection: IndividualDevice Descriptor:bcdUSB:             0x0110bDeviceClass:         0x09bDeviceSubClass:      0x00bDeviceProtocol:      0x00bMaxPacketSize0:      0x08 (8)idVendor:           0x0451 (Texas Instruments)idProduct:          0x2046bcdDevice:          0x0125iManufacturer:        0x00iProduct:             0x00iSerialNumber:        0x00bNumConfigurations:   0x01ConnectionStatus: DeviceConnectedCurrent Config Value: 0x01Device Bus Speed:     FullDevice Address:       0x01Open Pipes:              1Endpoint Descriptor:bEndpointAddress:     0x81Transfer Type:   InterruptwMaxPacketSize:     0x0001 (1)bInterval:            0xFF

After checking out http://www.linux-usb.org/usb.ids it looks like it just shows up as a Texas Instruments USB Hub. Kind of nondescript.

[Irongeek]

Well, part one is out


http://www.irongeek....ers-1-keycarbon

edit:Fixed bad URL

Edited by Irongeek, 26 March 2007 - 08:33 PM.

[Irongeek]

Dosman gave me a cool idea. Try to overload the keylogger by sending keystrokes back up the bus. The only way I could think to do this is with the various lock keys since I know that information is sent back to the keyboard. I wronte a quick Autoit script:

[codebox]While 1=1
;send("{CAPSLOCK}")
send("{NUMLOCK}")
;send("{SCROLLLOCK}")
WEnd[/codebox]

But unfortunately, this sort of activity does not seem to be logged

[TelcoBob]

Dosman gave me a cool idea. Try to overload the keylogger

Have you tried banging your head on the keybored? heh

How would/does it interperat multiple keystrokes at once? say if all keys were to be held down at once? Also, do they log function keys and such?

/me knows nothing of keyloggers but you have gotten me interested

[Irongeek]

Well, so far it seems to work on any key I've pressed, so function keys should be no problem. Multiple keys at the same time should also works since it gets Ctrl-Alt-Del just fine. Alt+numpad is the only thing I've seen that gives it problems.

[Irongeek]

Opos, let me correct that Telcobob. Looks like if I hold down more than one letter key at the same time, or if I just hold down a key for a while to type the same letter more than once like:

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbccccccccccccccccccccccccccccccccccccccccccc

all I get in the log is:

abc

Then again, I don't think you could easily use that to obscure your password since you could not easily tell how long you have to hold down a key to get just the right number of a certain character.

[TelcoBob]

Opos, let me correct that Telcobob. Looks like if I hold down more than one letter key at the same time, or if I just hold down a key for a while to type the same letter more than once like:

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbccccccccccccccccccccccccccccccccccccccccccc

all I get in the log is:

abc

Then again, I don't think you could easily use that to obscure your password since you could not easily tell how long you have to hold down a key to get just the right number of a certain character.

how does it log deleteing a character? cause you could aaaaaaaaaaaaaaaaaa then delete until you only had the desired number