Sometimes a penetration tester may have remote access to a user’s machine, but he may not have the user’s password. Maybe the user has a very long complex password that would just take too long to crack. What could he do?
Meterpreter in the Metasploit Framework has a great utility for capturing keys pressed on a target machine. We will start with a system that we have already run an exploit on and were successful in creating a remote session with Metasploit. We connected to the session with the “sessions -i <ID#>” command and are now sitting at a Meterpreter prompt.
As we have already seen, it is easy to compromise a Windows machine with the help of the Metasploit Framework. Once you have a Meterpreter session, you can use the built-in keylogger module to spy on Windows users.
In the last article we explained how to compromise a Windows machine with the Metasploit Framework, so please refer to that if you need more help on this subject. Once you are in the Meterpreter session, type “sysinfo” to view the target OS information.
After that, type “ps” in your command terminal to view all the running processes on the Windows machine you compromised with Metasploit.
In the screenshot above, you can see that the process ID of explorer.exe is 772, which we need before starting the keylogger module.
To check the process ID your payload is currently running in, type “getpid” in the same console. Now type “migrate <PID>” to move the Meterpreter session from its current process into the explorer.exe process.
So let’s go ahead and see what it looks like when we start a remote keylogger, then we will view the captured key strokes. Simply type “keyscan_start” to start the remote logging.
Now we just need to wait until our victim types some things on the keyboard. For our example, go ahead and open your Windows browser and try to login into your Facebook Account.
Now, back on the Kali system, to see what was typed simply enter “keyscan_dump”.
And to stop this keylogger module, you can use “keyscan_stop” command. To view more meterpreter commands, refer to “Top 60 Meterpreter Commands” article.
Automating Key Scanning with Lockout Keylogger
Now, what would be great is if we could automate this process. I mean do you really want to just sit there and hang out until the user leaves his system?
You could force his desktop into locked mode and make him log in again, but that is pretty suspicious.
What if you could have Meterpreter automatically find and migrate to the winlogon process, then scan the computer idle time and automatically put the user’s system into locked mode?
Finally, what would be really nice too is if the script notified you when the user logs back in and gives you a text dump of his password.
Meet “Lockout_Keylogger”, an amazing script made by CG and Mubix. You need to start with an active remote session with “system” level privileges.
Now just type “background” to back out to the session and return to the Meterpreter prompt. Type “use post/windows/capture/lockout_keylogger”.
Set the session number to our active session (1 in our example), so “set session 1”.
Also set your PID value as shown in the screenshot below. Then type “exploit”:
Lockout_Keylogger automatically finds the Winlogon process and migrates to it. The program then begins to monitor the remote system idle time.
At about 300 seconds of idle time, Lockout_Keylogger tries to lock the user’s desktop remotely. Sometimes it fails and tries locking it again. Once it has successfully locked the workstation, it begins looking for keystrokes.
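From the defender’s side, the behaviour just described leaves a recognisable trace: a foreign process opening or creating a thread in winlogon.exe (Sysmon Event ID 10 / 8), followed within minutes by a workstation lock (Security Event ID 4800). The detector below is an added example, not code from the article or from the Metasploit project; the event records are constructed, and the allowlist of images that legitimately touch winlogon.exe is an assumption to be tuned per environment.

```python
"""Flag a migration into winlogon.exe that is followed by a workstation lock.

Sysmon 8 = CreateRemoteThread, Sysmon 10 = ProcessAccess, Security 4800 =
workstation locked. Sample records below are constructed, not real telemetry.
"""
from datetime import datetime, timedelta

# Assumption: processes that normally open handles to winlogon.exe.
# Tune this allowlist for your own fleet before relying on the output.
TRUSTED_SOURCES = {"csrss.exe", "services.exe", "lsass.exe",
                   "svchost.exe", "wininit.exe"}
INJECT_EVENTS = {8, 10}   # Sysmon CreateRemoteThread / ProcessAccess
LOCK_EVENT = 4800         # Security: the workstation was locked


def image_name(path):
    """Reduce a full image path to its lower-cased file name."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_winlogon_migration(events, window=timedelta(minutes=10)):
    """Return (injection time, source image, lock time or None) per hit.

    A hit is any untrusted process touching winlogon.exe; a lock event inside
    `window` afterwards is attached so analysts can prioritise the alert.
    """
    injections = [e for e in events
                  if e["id"] in INJECT_EVENTS
                  and image_name(e.get("target", "")) == "winlogon.exe"
                  and image_name(e.get("source", "")) not in TRUSTED_SOURCES]
    locks = sorted(e["time"] for e in events if e["id"] == LOCK_EVENT)
    alerts = []
    for inj in injections:
        later = [t for t in locks if inj["time"] <= t <= inj["time"] + window]
        alerts.append((inj["time"], image_name(inj["source"]),
                       later[0] if later else None))
    return alerts


# Constructed sample: benign csrss access, then a payload dropped in Temp
# touches winlogon.exe and explorer.exe, and the station locks ~5 min later.
T0 = datetime(2024, 1, 1, 9, 0, 0)
WINLOGON = r"C:\Windows\System32\winlogon.exe"
PAYLOAD = r"C:\Users\bob\AppData\Local\Temp\update.exe"
SAMPLE = [
    {"id": 10, "time": T0, "source": r"C:\Windows\System32\csrss.exe",
     "target": WINLOGON},
    {"id": 10, "time": T0 + timedelta(minutes=1), "source": PAYLOAD,
     "target": WINLOGON},
    {"id": 8, "time": T0 + timedelta(minutes=1, seconds=2), "source": PAYLOAD,
     "target": r"C:\Windows\explorer.exe"},
    {"id": 4800, "time": T0 + timedelta(minutes=6)},
]
```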
In this article we demonstrated how to use Metasploit in Kali to capture keystrokes from a remote system. We also learned that logon passwords will not normally be recorded by a keystroke capture, as the Windows Logon service uses a different keyboard buffer. But if we move our keylogger into that process we can indeed capture logon credentials.
We were also introduced to a handy program that migrates our session to the Winlogon process, watches the idle time of the system, then locks it and captures the password when the user tries to log back in.
Lockout_Keylogger automates the entire process from beginning to end. The user walks away from his PC, the script waits a certain amount of idle time and then puts the computer into locked mode.
Then, when he logs back in, it is already set to scan the keys pressed. The password could be a simple password or a complex monster, it does not matter. Lockout_Keylogger intercepts it and displays it in plain text on the penetration tester’s machine.