Introduction
Sometimes, during a penetration test, an attacker may have remote access to a user’s machine but lacks the user’s password. If the password is too complex to crack quickly, the attacker can use the Meterpreter tool within the Metasploit Framework to log keystrokes from the compromised machine. This article walks through the process of keylogging with Meterpreter, assuming a session is already established via Metasploit.
Keylogging with Meterpreter
For this example, let’s assume an exploit has been successfully executed, and we have remote access to the system through Metasploit, with the Meterpreter prompt active.
To view available commands at the Meterpreter prompt, type:
help
This will display a list of commands, but we will focus on the keyscan commands for keylogging.
Starting the Keylogger
Here’s how to start the keylogger and capture keystrokes:
Step 1: Start the Keylogger
At the Meterpreter prompt, run the following command to start keylogging:
keyscan_start
Step 2: Wait for User Input
Wait for the user to type something. You could ask the user to perform a web search, for example, by opening a browser on the target machine and entering a search query.
Step 3: View Captured Keystrokes
After some keystrokes have been logged, you can view them by running:
keyscan_dump
An example of captured keystrokes might look like this:
google.com
will Dallas go 8 and 8 again this year?
Here, the user has searched Google with that query, giving us insight into their activities.
Handling Special Keys and Password Logging
Now, let’s see what happens if the user locks their machine using Windows + L and then logs back in using their password.
- The user presses Windows + L to lock the system.
- They re-enter their password to log back in.
- On the Meterpreter session, run keyscan_dump again.
Although special keys like <LWin> and L are captured, the password won’t be recorded. This happens because Windows uses separate keyboard buffers for the active session and login process (winlogon).
Migrating to the Correct Process
To capture the password, you need to migrate the keylogger to the winlogon process. Follow these steps:
Step 1: List Running Processes
At the Meterpreter prompt, list running processes using:
ps
Step 2: Identify winlogon.exe Process
Locate the winlogon.exe process and note its Process ID (PID). For instance, let’s assume the PID is 432.
Step 3: Migrate to the winlogon.exe Process
To migrate the session to winlogon, run:
migrate 432
(If you get an “insufficient privileges” error, elevate your privileges by using the Bypass UAC module. Check the “Bypass UAC” section for more details.)
Step 4: Restart the Keylogger
After migrating to the winlogon process, restart the keylogger by running:
keyscan_start
Step 5: Dump the Keystrokes Again
Now, when the user logs in with their password, run:
keyscan_dump
This time, you’ll capture the password entered during the login process.
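From the defender's side, the migrate step above is what stands out in telemetry: a remote thread is created in winlogon.exe by a process that has no business touching it. The following added example (not part of the original article) runs that check over a few constructed records shaped like Sysmon Event ID 8 (CreateRemoteThread) fields; the source-image allowlist and the sample paths and PIDs are assumptions to tune for a real environment.

```python
from dataclasses import dataclass
from typing import List

# Minimal view of a Sysmon Event ID 8 (CreateRemoteThread) record.
@dataclass
class RemoteThreadEvent:
    event_id: int
    source_image: str
    source_pid: int
    target_image: str
    target_pid: int

WINLOGON = r"c:\windows\system32\winlogon.exe"

# Assumed baseline of system components that may legitimately create threads
# in winlogon.exe; treat as a placeholder and tune from your own telemetry.
EXPECTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\lsass.exe",
}

# Constructed sample records (not real telemetry). The second one mimics a
# Meterpreter session living in a user-writable path migrating into winlogon
# (PID 432, the placeholder PID used in the article).
SAMPLE_EVENTS = [
    RemoteThreadEvent(8, r"C:\Windows\System32\csrss.exe", 512,
                      r"C:\Windows\System32\winlogon.exe", 432),
    RemoteThreadEvent(8, r"C:\Users\alice\AppData\Local\Temp\update.exe", 3044,
                      r"C:\Windows\System32\winlogon.exe", 432),
    RemoteThreadEvent(8, r"C:\Users\alice\AppData\Local\Temp\update.exe", 3044,
                      r"C:\Windows\explorer.exe", 1788),
]

def is_suspicious(ev: RemoteThreadEvent) -> bool:
    """True when a non-baseline process creates a thread inside winlogon.exe."""
    if ev.event_id != 8:
        return False
    if ev.target_image.lower() != WINLOGON:
        return False
    return ev.source_image.lower() not in EXPECTED_SOURCES

def find_winlogon_injection(events: List[RemoteThreadEvent]) -> List[RemoteThreadEvent]:
    """Return the events worth alerting on, keeping source PID and image for triage."""
    return [ev for ev in events if is_suspicious(ev)]

if __name__ == "__main__":
    for hit in find_winlogon_injection(SAMPLE_EVENTS):
        print(f"ALERT: {hit.source_image} (pid {hit.source_pid}) -> winlogon.exe (pid {hit.target_pid})")
```

An alert from this rule is a good trigger to pull the source process's parent chain and network connections, since a keylogger inside winlogon captures the next logon.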
Conclusion
By migrating the Meterpreter session to the winlogon process, we can capture sensitive information such as login passwords. The technique works because Windows uses separate keyboard buffers for active sessions and the login process. In this example, we successfully captured the password when the user locked their machine and re-entered their credentials. This demonstrates how effective the keyscan feature in Meterpreter can be during penetration testing.