Keyboard sniffing

Kurt Seifried, [email protected]


Keyboard is a useful techniques for computer investigators, forensics specialists and people who are overly curious in their surroundings. Many modern security practices, such as encryption, are virtually impossible to brute force, and if the defender is using a good passphrase then it is virtually impossible to hit the right combination unless you are very lucky. The answer to this, and other password protected services is of course to use a keyboard sniffer, in effect tricking the subject into revealing their password.

There are two approaches to keyboard sniffing, the first being hardware based and the second being software based. The advantage of hardware sniffing is that it is unlikely that any software will be able to detect it, and installation does not require access to the operating system on the machine. The majority of hardware sniffing devices are external, with items like the keyghost consisting of a PS/2 extensions cable. Other devices include an IOGear USB hub that is capable of logging keystrokes. The downside is that any users who is security conscious and regularly checks their machine for anomalous pieces of hardware may find it. The other downside is you must physically visit the machine in most cases to retrieve the data that has been logged which can add additional risk. Hardware devices also tend to work poorly with laptops as few people use external keyboards.

The other choice is software based. These require access to the operating system as you must install software with administrative privileges (which you may not have if doing an investigation/etc). The upside of these is that few users will detect it, and many software packages can be configured to automatically send out the keystrokes, reducing the risk associated with retrieving the data.There are numerous "legitimate" packages for Windows that will allow you to sniff keyboard activity and some even include features such as taking screen snapshots to monitor activity. For Unix systems you will generally need to find a kernel modules, or a patch for the user's login shell (which can usually be changed), generally speaking the kernel option is more reliable. Several rootkits exist for Windows and Unix that have keyboard sniffing capabilities, a few are listed below and the rest can be discovered on google.


Reference links:




Last updated 1/26/2002

Copyright Kurt Seifried 2002