Sign in to follow this  
Followers 0
lucidnightmare

Key logger running from a u3 flash drive

26 posts in this topic

I'm a newb, I've read previous posts, but I still can't get a keylogger to auto run of my thumb drive. Like I said its a u3 enabled, cruzer micro 1gb drive. I'm confused about the scripts, finding a free keylogging program to run from the script, and saving the script to the u3 file system. If someone could post step by step instructions that would be great! Thanks!

P.s. when I try to modify the auto run script in u3 it says read access only, does anybody know how to get write access as well?

Edit-- In case your wondering the reason, we're having a problem with kids using the media laptop to check myspace at school and its really annoying and hard to catch them. I'm only in the room maybe 1 or 2 periods a day so its really hard to keep any eye on it. It is the only laptop in the entire school that has admin privledges on the network firewall. On occasion we use a clip or two from youtube or myspace in the monthly video we produce. This is not mallicious in any way!!! (I just read the forum rules).

Edited by lucidnightmare
0

Share this post


Link to post
Share on other sites

There's a certain procedure you need to go through to modify the read-only "CDROM" division of a U3 drive. I picked one up cheap last year and managed to figure out how to convince the update utility to write an arbitrary ISO to that division:

http://mcgrewsecurity.com/research/hackingU3/

It set off a good bit of interest in U3 drives for penetration testing. The hak5 show and forums have taken it pretty far from there.

0

Share this post


Link to post
Share on other sites
There's a certain procedure you need to go through to modify the read-only "CDROM" division of a U3 drive. I picked one up cheap last year and managed to figure out how to convince the update utility to write an arbitrary ISO to that division:

<a href="http://mcgrewsecurity.com/research/hackingU3/" target="_blank">http://mcgrewsecurity.com/research/hackingU3/</a>

It set off a good bit of interest in U3 drives for penetration testing. The hak5 show and forums have taken it pretty far from there.

Thanks for the link (for anyone else doing this the Sandisk cruzer is at the bottom of the page).

-This takes care of the read only problem, but I still need a free keylogger, and maybe a script to run it. Does it need a script or can I use the auto run already in u3?

Edited by lucidnightmare
0

Share this post


Link to post
Share on other sites

Another question. The u3 hacking site (prevously mentioned) under step "The Sting" says..........

"Make your own ISO, keeping within size limitations. Regarding this, although the ISO I downloaded from the SanDisk site was 5,752,832 bytes, the size of the CDROM images I get when I use dd straight from the block device is always 6,291,456 bytes. It appears the ISO is written into this 6,291,456 byte chunk, with the remainder padded out with zeros.

Double-plus-make-sure that the ISO you create is a bit less than 6,291,456 bytes. I don't know what will happen if you go over that amount, but there's a very good chance that it isn't pleasant. "

So, if I'm reading this right it is telling me to make a smaller iso file. How can this be done?

Also my previous question about free keyloggers and scripts still stands.

Edited by lucidnightmare
0

Share this post


Link to post
Share on other sites

Look over at Irongeek's site, he has a open source keylogger than you could use.

So, if I'm reading this right it is telling me to make a smaller iso file. How can this be done?

I never remember having any trouble with my ISO being too large either, so I don't know what they are talking about.

As for a script to run it, just make a simple autorun file for when you insert the flash drive.

Edited by Perf-149
0

Share this post


Link to post
Share on other sites
Look over at Irongeek's site, he has a open source keylogger than you could use.
So, if I'm reading this right it is telling me to make a smaller iso file. How can this be done?

I never remember having any trouble with my ISO being too large either, so I don't know what they are talking about.

As for a script to run it, just make a simple autorun file for when you insert the flash drive.

Thanks. Does anyone know how to get the iso file? I'm having trouble getting it.

0

Share this post


Link to post
Share on other sites

I wrote that a while back. I didn't want to chance "bricking" the drive, so I kept my ISOs under the size of the one that came with the drive, and just had a small autorun payload that would find and run things from the writable division.

Since then, others have written larger ISOs to the "CD" division, and it works for them just fine.

0

Share this post


Link to post
Share on other sites

I still don't know where to find an Iso file. Could some one please put this in simple terms. This is the Newb section isn't it? Its very confusing for me.

0

Share this post


Link to post
Share on other sites

I would gladly contribute my own keylogger to help!

It installs itself silently and will be loaded automatically on bootup. You can set it to create logs locally in text files, or send it through the internet to a server you can easily set up, which will also create logs in text files. Please PM me and I will make a custom build just for you, with everything ready to be used. In order to use it, you'll need to follow the instructions other gave to automatically launch the keylogger from your U3 flash drive, and you'll also need a computer as server. The server may be your home computer, any computer that is connected to the internet and powered permanently. You will need to forward a port (port 21, or if you want a custom port you also can) if you are behind a router.

You'll need to insert the flash drive once, and the program will copy itself and add registry keys to be loaded on startup of the machine. it will then attempt to connect to the server you'll set up. The server will receive the info and create text files containing what was typed.

P.S.: Please note that if there is some program that rewrites registry keys on startup, we're screwed,. the keylogger won't be loaded.

Please check my thread here about my keylogger.

Edited by Aghaster
0

Share this post


Link to post
Share on other sites
I would gladly contribute my own keylogger to help!

It installs itself silently and will be loaded automatically on bootup. You can set it to create logs locally in text files, or send it through the internet to a server you can easily set up, which will also create logs in text files. Please PM me and I will make a custom build just for you, with everything ready to be used. In order to use it, you'll need to follow the instructions other gave to automatically launch the keylogger from your U3 flash drive, and you'll also need a computer as server. The server may be your home computer, any computer that is connected to the internet and powered permanently. You will need to forward a port (port 21, or if you want a custom port you also can) if you are behind a router.

You'll need to insert the flash drive once, and the program will copy itself and add registry keys to be loaded on startup of the machine. it will then attempt to connect to the server you'll set up. The server will receive the info and create text files containing what was typed.

P.S.: Please note that if there is some program that rewrites registry keys on startup, we're screwed,. the keylogger won't be loaded.

Please check my thread here about my keylogger.

Thanks a lot! Is there a way to save it loacally on the thumb drive? I don't know if I.T has that port blocked or not, but saving it of the flash drive is what I had in mind. Also if I use this keylogger would any thing be left on the laptop? Like I said its the schools not mine and the last thing I want to do is infect it with keylogging sowftware.

Edited by lucidnightmare
0

Share this post


Link to post
Share on other sites
I would gladly contribute my own keylogger to help!

It installs itself silently and will be loaded automatically on bootup. You can set it to create logs locally in text files, or send it through the internet to a server you can easily set up, which will also create logs in text files. Please PM me and I will make a custom build just for you, with everything ready to be used. In order to use it, you'll need to follow the instructions other gave to automatically launch the keylogger from your U3 flash drive, and you'll also need a computer as server. The server may be your home computer, any computer that is connected to the internet and powered permanently. You will need to forward a port (port 21, or if you want a custom port you also can) if you are behind a router.

You'll need to insert the flash drive once, and the program will copy itself and add registry keys to be loaded on startup of the machine. it will then attempt to connect to the server you'll set up. The server will receive the info and create text files containing what was typed.

P.S.: Please note that if there is some program that rewrites registry keys on startup, we're screwed,. the keylogger won't be loaded.

Please check my thread here about my keylogger.

Thanks a lot! Is there a way to save it loacally on the thumb drive? I don't know if I.T has that port blocked or not, but saving it of the flash drive is what I had in mind. Also if I use this keylogger would any thing be left on the laptop? Like I said its the schools not mine and the last thing I want to do is infect it with keylogging sowftware.

If you want the program to save it locally on the thumb drive, it will need to stay plugged in when you'll be away (or when those kids will look at myspace). However, something that would be better for you I think, would be to make the program save the logs on the laptop (no need for a server in this case) at a location you would know (and that kids wouldn't figure out easily). After they're gone, you plug in your thumbdrive and copy the logs. You could read them from the laptop or bring them home and read them. Basically what will be left on the laptop: the keylogger itself, and the logs if you choose to make it create the logs locally. The keylogger copies itself in two locations (C:\Windows and C:\Windows\System32), adds some registry keys, and makes two shorcuts in the startup folder. You would only need to delete the two copies of the program (k.exe) to disable it. If you want to remove all traces of it, it shouldn't be that hard: delete the two k.exe, the registry keys, and the shortcuts in the startup folder. I could also remove some of these features to the minimum (1 copy, one registry key) if you want. Please tell me what you want and I'll make the proper modifications to my program and send it to you.

0

Share this post


Link to post
Share on other sites

Leaving the drive plugged in was my original idea. Someone's drive is always plugged in. (Usuall mine). The laptop is situated on a table in the back of the room and is always plugged in for power. None of the kids ever look behind it, or move it.Can the logger be installed and run from the drive? If it can't, I'll do what you said.

I still need help hacking the flash drive to begin with. How can I set up a temporary apache server to update the bios from?

The apache stuff is in this turtorial, but dosnt tell me how to set a server up. <a href="http://mcgrewsecurity.com/research/hackingU3/" target="_blank">http://mcgrewsecurity.com/research/hackingU3/</a>

Edited by lucidnightmare
0

Share this post


Link to post
Share on other sites
Leaving the drive plugged in was my original idea. Someone's drive is always plugged in. (Usuall mine). The laptop is situated on a table in the back of the room and is always plugged in for power. None of the kids ever look behind it, or move it.Can the logger be installed and run from the drive? If it can't, I'll do what you said.

I still need help hacking the flash drive to begin with. How can I set up a temporary apache server to update the bios from?

The apache stuff is in this turtorial, but dosnt tell me how to set a server up. <a href="http://mcgrewsecurity.com/research/hackingU3/" target="_blank">http://mcgrewsecurity.com/research/hackingU3/</a>

I took the time to make a stripped-down version of my keylogger for you. All you'll need to do is copy the executable (k.exe) somewhere on your flash drive. The log will be created in the same directory as the executable, and will be called log.txt. It won't install itself on the machine or create registry keys. All it'd do is run from the flash drive and create the logs on the flash drive itself. Notepad will let you read the logs while the keylogger is still running, but for some reason wordpad will complain that the file it already in use. If you want to stop keylogging, just launch the task manager and kill the process "k.exe". As for automatic launch of the keylogger, I haven't took the time to get through McGrew's guide and I also do not own a U3 drive. However, just launching the keylogger manually after plugging the drive would be fine, but just a bit annoying to do each time. I've included the executable and source code in the zip file, along with a side note in k.c if you wanna see.

McGrew: Is it possible to copy the files from a U3 flash drive to a generic flash drive in order to get the same benefits? If so, would you be kind enough to zip them and send me a copy? Or if you know of other ways to automatic launch stuff from a generic flash drive, let me know. thanks

k.zip

Edited by Aghaster
0

Share this post


Link to post
Share on other sites

Aghaster, you are my hero! I wish the world was full of people as helpful as you!!!

It will work I'll figure out the auto launch part and post it soon.

I think this is what he is talking about. http://wiki.hak5.org/wiki/USB_Hacks

A friend just told me about this. It seems I'm not the only one interested about this.

Thanks again Aghaster!!!!!!!

0

Share this post


Link to post
Share on other sites
McGrew: Is it possible to copy the files from a U3 flash drive to a generic flash drive in order to get the same benefits? If so, would you be kind enough to zip them and send me a copy? Or if you know of other ways to automatic launch stuff from a generic flash drive, let me know. thanks

No. Normally, Windows will only auto-run things on CD's and drives with the "non-removable" bit set (this isn't something you can just toggle on most flash drives). An interesting side note here, is that every iPod I've ever seen is marked "non-removable", and therefore can be used to auto-run.

The U3 drives do their auto-running by emulating two completely separate drives (note that these aren't "partitions" in the usual sense, although a lot of people use that terminology talking about this). This is accomplished with specific hardware on the U3 drives that allow for dividing up the flash memory into segments that are presented to the host as different devices. The part that auto-runs emulates a USB CD-ROM drive.

Some folks have had luck with taking "normal" USB drives and using U3 update tools to "convert" them over, but it's not what it seems. The drives that this works on already have the hardware in them, and it's unlikely that you are going to run into many drives that have that in them that aren't marketed as U3 drives. I personally haven't seen one, but I have seen mention of them on the hak5 forums.

0

Share this post


Link to post
Share on other sites

A good site that has lots of information about how to implement auto run programs in U3 is http://www.usbhacks.com/ they also have some quick how-to on how to use the auto run feature in u3 to run your program.

0

Share this post


Link to post
Share on other sites
A good site that has lots of information about how to implement auto run programs in U3 is <a href="http://www.usbhacks.com/" target="_blank">http://www.usbhacks.com/</a> they also have some quick how-to on how to use the auto run feature in u3 to run your program.

Thanks, but most of that stuff is already in the hak5 forum.

Now for step two of this project, Can someone show me how to create an iso to flash my sandisk cruzer micro with?

What do I need to learn? What programming language is necessary?

Edited by lucidnightmare
0

Share this post


Link to post
Share on other sites

Ok, I used the u3 custom installer, created the iso, and installed it. Now when I plug my flash drive the file the keylogger is stored in opens and thats it (you can see the keylogger and the log it stores to). How do I change it so the window does not open and the keylogger runs?

I'll post a youtube link when it is available.

Edited by lucidnightmare
0

Share this post


Link to post
Share on other sites

Thanks to Dex who told me about the u3 custon installer!!!!!!

I used the u3 custom installer, created the iso, and installed it. Now when I plug my flash drive the file the program is stored in opens and thats it. How do I change it so nothing happens and the keylogger runs?

Heres whats happening. http://www.youtube.com/watch?v=q8zE2D2x0do

How can I get it to launch silently?

0

Share this post


Link to post
Share on other sites

Did I do something wrong?

Edited by lucidnightmare
0

Share this post


Link to post
Share on other sites

Wouldn't it just be easier to add an autorun to any normal pendrive and make it run the keylogger?

0

Share this post


Link to post
Share on other sites
Wouldn't it just be easier to add an autorun to any normal pendrive and make it run the keylogger?

I think he figured out the problem otherwise he would have posted more.

0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0