A new keylogging server and client tool have been released on GitHub for pentesters. The tool utilizes DNS tunneling to transmit keystrokes through firewalls, potentially evading detection covertly.
The tool, DNS-Tunnel-Keylogger, was designed for post-exploitation activities for pentesters and emphasizes lightweight exfiltration and persistence to minimize the chances of being discovered by security systems.
The server component of the tool is written in Python 3 and requires the installation of dependencies via pip.
It operates by default on UDP port 53, but users can specify a different port using the -p flag. The server’s IP address is used in SOA and NS records to enable other nameservers to locate the server.
Users are instructed to set their domain’s namespace to custom DNS and point it to the exfiltration server’s IP address, effectively setting glue records.
DNS tunneling is a technique for encoding the data of other programs or protocols in DNS queries and responses.
This can be particularly useful for post-exploitation data extraction while avoiding detection and firewall restrictions.
On the client side, the Linux keylogger consists of two bash scripts. The connection.sh script is responsible for sending the captured keystrokes to the server, while the logger.sh script is used to start the keylogging process.
The keylogger can be started silently, and the shell can be closed upon exit to avoid returning to a non-keylogger state.
Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .
The developers note that the keylogger will not run in non-interactive shells and that the Windows Dns_Query_A function tends to send duplicate requests, although the server is designed to handle this by discarding repeated packets[
First, you need to clone the DNS-Tunnel-Keylogger repository from GitHub:
Navigate to the cloned directory and install the required Python dependencies:
To start the server, use the following command:
Replace <ip> with the IP address of the server and <domain> with the domain that the server is authoritative for.
Ensure that logger.sh and connection.sh are in the same directory. These scripts will capture and send the keystrokes to the server.
To start the keylogger, execute the following command:
Replace <domain> with the domain to send data to. The && exit will close the shell upon exit to prevent returning to a non-keylogged shell.
If you wish to send data, such as a file, manually, you can pipe the data to the connection.sh script, which will establish a connection and send the data.
If used without proper authorization, a keylogger and DNS tunneling can be considered malicious and illegal in many jurisdictions. Ensure you can use these tools in your environment and comply with all relevant laws and ethical guidelines.
This guide provides the steps to set up a DNS tunneling keylogger for covert keystroke exfiltration. Remember to use this tool responsibly and within the law.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.
About The Author
More Stories
Community-Centered Connectivity Initiatives Earn Viddy Awards Recognition
Zombie IXPs: The Four Types of Exchanges That Refuse to Die, but Fail to Live
The Shift in Peering Threatening the Internet’s Foundations