I’m not writing this in order to, or even in an attempt to, justify why keylogging and the related activities discussed are necessary to an extent. This is mostly to get a general idea from the community on the following topics discussed.
I’m not encouraging the use of these technologies outside of their appropriate use cases (I only endorse what is both legal and ethical). For example, keyloggers installed on work computers (for unsuspecting employees) have been determined by federal law to be wiretapping, so yeah, I’m not liable for your bad ideas.
I’m currently working on a tool that will be open sourced and free, well, when I feel like it’s good enough to be useful.
The basic features will be the following:
- Keylogger (options for collecting only from certain applications)
- C2 server
- It will run as a service; this will not be packaged as a payload, it is a tool
- Several different ways to exfiltrate data: over the local network, email, through the C2 server, timing based transmission. Looking into using protos like ICMP or ARP in an attempt to minimize detection.
- (potential/future) I’m looking into how to mask encrypted data as normal plaintext traffic, I have a few ideas but it’ll take a lot of time to work out the kinks, and it will probably bloat the amount of data being sent easily over 50% so probably not practical.
So this is where I ask you, the community, what you think? I’m doing this mainly because there are many perfectly good (legal) use cases; this is mostly targeted at researchers and security professionals (people who do this sort of thing for their job). One thing I’d like to reiterate is that the keylogger will have an option to “whitelist” and “blacklist” applications in order to avoid catching, for example, personal emails vs. what the user does in an IRC chat room, etc.
The reason it will be free is because I have an issue receiving money that, most likely, even if I don’t want it to be, will possibly be used for nefarious purposes; that’s an ethical quandary, and another reason for why I’m making this. There are many commercial keyloggers that take your money and don’t ask questions. Not only that, but they are often CPU hungry, and pretty awful to use. On the other hand, something I hear often from those in InfoSec is that any time they want to log keystrokes, they usually build it themselves, as most free (not predatory) alternatives are hard to use, or are PoCs and don’t have anything more than the most niche applications.
My two goals are:
First, to provide a good tool for those who need this sort of software (again for legal purposes, can’t stress that enough).
Second, to hopefully cripple the thriving business that is commercial keylogging. I have a big issue with taking money for something like this; it doesn’t seem honorable even if 90% of your users are legit.
So I’m curious…
What Do You Think?
- I dig it
- What? No, that’s a bad idea.
- Eh, I’m not really sure(?)
My whole reason for bringing this to you, the L1T community, is that I want to get a general idea of what those outside of InfoSec feel about this sort of thing.