Professional Keylogging

I used to say that the easiest way to break into an organization was through submitting an outstanding CV. Nowadays I’d be inclined to say giving away free USB memory-sticks to a targeted organization’s staff as they were about to begin their working day. With USB sticks containing a stealthily disguised keylogger, you’re practically guaranteed that someone will plug it in…

Of all the nefarious techniques that can be used to gain access to a host’s data, the keylogger continues to be a perennial favorite. Whether it’s deployed in hardware or software form, for as long as people rely upon password-protected authentication processes, the keylogger will continue to be a reliable hacking tool.

Over the years, I’ve personally only had cause to make use of hardware keyloggers a handful of times – mainly because very few penetration tests have required surreptitious social engineering techniques, and those that did had objectives focused upon gaining entry to a specific hosting environment (rather than a user account). Software-based keyloggers – particularly those associated with spyware and banking Trojans – have hogged the limelight for quite some time. That said, hardware keyloggers seem to be an oft-forgotten aspect of hacking (for fun and profit). Consequently, whenever I publicly present on hacking trends and include state-of-the-art hardware keyloggers, there are always a lot of startled faces and expressions of “you’re kidding, it’s that easy?”

Why use a hardware keylogger?

With so many software keyloggers, spyware and malware out there offering the ability to install silently and operate stealthily, why would anyone opt for a hardware keylogger? Lots of reasons – depending on who you are, and what you’re trying to achieve.
While it is certainly true that hardware keyloggers are undetectable by any existing anti-virus solution or software-based malware detection, and that they are operating system and language independent, the main reason an attacker will opt for a hardware keylogger is that it may be substantially easier to plug one in than to install a piece of software. To install a hardware keylogger you just need physical access to the host for a few seconds, and it doesn’t involve any technical skill.

Consider two scenarios: the office receptionist’s computer and the cash registers used by major retailers.

As you walk into almost any commercial office, you’ll typically be confronted with the receptionist. He’ll have a PC which he uses to keep track of visitors, manage door access keycards, respond to email and interact with other internal systems – with the monitor turned away from visitors. It only takes a couple of seconds for the attacker to reach down behind the screen, pull out the keyboard cable, insert the keylogger, and plug the keyboard back in while the receptionist is temporarily distracted in a conversation.

Meanwhile, at a store – since just about all modern cash registers are based around a standard desktop PC configuration – the attacker can insert cheap keyloggers into any cash registers not currently in use, thereafter capturing login credentials, customer address details and manually keyed credit card details whenever that register gets used. To retrieve the captured data the attacker merely returns to the premises when convenient, unplugs the keylogger(s) and exits the building.

To top it all off, how many people check the back of their PCs for extra cables or dongles each time they sit down to use them? How many people even know what a keylogger looks like?
Hardware Keylogger Types

For all intents and purposes, there are four types of keylogger: the PS2 barrel connector, the USB dongle, the keyboard embedded logger, and the laptop keylogger.

PS2 Barrel Connector
When installed, their relatively small size makes them difficult to spot. For example, check out the before and after shots below:
USB Dongles
When installed, they are similarly difficult to spot – unless you know what you are looking for (remember, there’ll likely be a whole mess of other tangled wires at the back of the host). For example, check out the before and after shots below:
Keyboard Embedded Logger

A typical commercial keylogger module looks like the following:

And may look like the following if you were to open up the keyboard to look for it:

(A detailed walk-through on how to install a keylogger module can be found here)
How much does a keylogger cost?

Typing “hardware keylogger” into Google will yield several hundred thousand results, and dozens upon dozens of keylogger manufacturers and resellers. The prices and specifications of the keyloggers vary widely, and it can quickly become quite confusing. Hardware keyloggers are typically priced on four factors:

Buying a bare-bones 64kB PS2-based hardware keylogger is going to cost you something between $30-$40, while a USB-based version will set you back $50-80. Meanwhile, a 1MB PS2-based keylogger complete with a hardware accelerator, encryption, timestamping and advanced software analysis tools will likely come to $200-$400.

Prices vary considerably, and most sites can offer big discounts for buying in bulk. For example, if you’re prepared to buy one thousand 16kB PS2-based keyloggers (such as the ones often given out at security trade shows as gifts) you can pick them up for $3-$5 each. Meanwhile, commercial keylogger modules are pretty cheap – often retailing for about 50% off the price of an equivalent-capacity PS2 keylogger. Failing that, if you’re prepared to break out the soldering iron and do a little DIY, you can make one yourself for only the cost of the components. Check out Keelog.com for details.
Retrieving Keystrokes

Retrieving the keystrokes from the keylogger is an extremely simple process. In most cases with PS2-based barrel connectors, all that is required is typing a particular password while the barrel is connected to a keyboard and PC. Once the password is typed (e.g. “Open Sesame”), the keylogger will replay all the keystrokes it recorded – usually into an open document – just as if a ghost were at the keyboard (with control and non-printable characters converted into something readable). Obviously, the person who installed the keylogger would want to choose a password that is unlikely to be inadvertently typed by the monitored victim.
The process is just as simple for most USB-based keyloggers. The person extracting the data plugs in the device and types the password, and the computer then registers the presence of a flash media drive. A folder pops up, and the person just copies a file from the “USB Drive” to wherever they want.
It’s all very well pretending that a ghost is repeating all those collected keystrokes serially, but 2MB of keystrokes replayed this way can take a VERY long time. As such, USB accelerators are available for PS2 barrel-type keyloggers that greatly speed up the extraction of the collected keystrokes. An example is pictured below:
In the case of hardware keyloggers that offer encrypted data storage, there may be some additional passwords or software-aided extraction tools necessary for decrypting the keystrokes.

Keyboard Language

One thing to remember when using hardware keyloggers is that the data collected is bound to the language of the keyboard in use and (to a lesser degree) the language of the operating system. The arrangement of keys and the alphabet presented on the keyboard is typically country specific. In order to correctly retrieve the captured keystrokes and understand their meaning, the analyzer needs to know what country’s keyboard was used. For example, [SHIFT]-3 on a UK keyboard is the £ symbol, while on a US keyboard it is the # symbol – and the keys for “ and the @ symbol are transposed. Things get a little more complex with double-byte languages such as Chinese and Japanese, but many of the better commercial keyloggers come with extraction software that can easily handle them. For example, the screenshot below of the KeyGhost software shows the correct rendering of keystrokes obtained from an Arabic keyboard.
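As an added illustration (not code from the original post or from any keylogger vendor), here is a small Python renderer written from the viewpoint of an analyst examining a keycap log recovered from a seized device: the same log is rendered under a US and a UK shift table, and the lines where the two layouts disagree are flagged. The log format, the partial shift tables and the sample log are all constructed assumptions.

```python
import re

# Constructed, partial shift tables: only the keys the post discusses
# (2, 3 and the quote key) plus a few that both layouts share.
SHIFT_COMMON = {"1": "!", "4": "$", "5": "%", "6": "^", "7": "&",
                "8": "*", "9": "(", "0": ")", "-": "_", "=": "+"}
LAYOUTS = {
    "us": {**SHIFT_COMMON, "2": "@", "3": "#", "'": '"'},
    "uk": {**SHIFT_COMMON, "2": '"', "3": "£", "'": "@"},
}

# Assumed log format (a constructed stand-in for a vendor's dump):
# plain characters are unshifted keycaps, "[SHIFT]" applies to the
# next keycap only, and other bracketed tags are control keys.
TOKEN = re.compile(r"\[([A-Z]+)\]|(.)", re.S)


def render(log, layout):
    """Render a keycap log as the text the user saw, for one layout."""
    shift_table = LAYOUTS[layout]
    out, shift = [], False
    for m in TOKEN.finditer(log):
        tag, ch = m.group(1), m.group(2)
        if tag == "SHIFT":
            shift = True
            continue
        if tag == "ENTER":
            out.append("\n")
        elif tag is not None:
            out.append(f"[{tag}]")        # keep unknown control keys readable
        elif shift:
            out.append(shift_table.get(ch, ch.upper()))
        else:
            out.append(ch)
        shift = False
    return "".join(out)


def layout_dependent(log):
    """Return {layout: rendering} only if the layouts disagree, else {}."""
    renderings = {name: render(log, name) for name in LAYOUTS}
    return renderings if len(set(renderings.values())) > 1 else {}


if __name__ == "__main__":
    # Constructed sample log: a login that only reads sensibly on a UK keyboard.
    sample = "user[SHIFT]'example.com[ENTER]pa[SHIFT]3word[ENTER]"
    for name, text in layout_dependent(sample).items():
        print(f"{name}: {text!r}")
```

The sample renders as an e-mail address under the UK table and as nonsense under the US one, which is exactly the cue an analyst uses to pick the right layout before trusting anything else in the log.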
Combating a Physical Keylogger

The nature of hardware-based keyloggers means that they will always elude software-based detection systems. Protecting against their unwanted use really comes down to a handful of methods:
While not particularly glamorous, method (3) is the most reliable method of detecting unwanted keyloggers.

What does the future hold?

I think that the future for hardware-based keyloggers as a significant hacker technology is strong – much stronger than the future of their software-based cousins. Their falling purchase cost, increased miniaturization and absence of any necessary technical know-how mean, to me, that they will become more popular with organized criminal teams seeking to steal confidential or personal information from retailers and other large organizations. Their proven track record at stealing login credentials and other “keys” critical to accessing valuable data and penetrating deeper into an organization means that they will always be useful in the first stages of an organized attack.

These keyloggers may even become simpler too. At the moment the commercially available keyloggers require their installer to physically break the keyboard-to-PC connection in order to install the keylogger. Already there is talk of more advanced “strap-on” keyloggers that wrap around the keyboard cable and record keystrokes – designed to look like everyday ferrite cores (commonly used to reduce electromagnetic or radio frequency interference).
Hardware Keylogger Reference Sites: