Meterpreter
Mar 22, 2009
Rapid7
payload. One of the key restrictions of this feature is that it can only sniff while running inside a process with interactive access to the desktop. In the case of the MS08-067 exploit, we had to migrate into Explorer.exe in order to capture the logged-on user's keystrokes.

While testing the keystroke sniffer, it occurred to me to migrate into the Winlogon.exe process instead. This process should have interactive access to the desktop; however, when I tried to sniff the active user's keystrokes this way, it was not successful. Although Winlogon could not access the logged-on desktop using GetAsyncKeyState, it could still capture the username and password of anyone logging into the target's console. The
meterpreter > ps
Process list
============
[ snip ]
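From the defender's side, the migration described above (a Meterpreter session moving into Explorer.exe or Winlogon.exe) shows up as a thread created in one of those processes by an unrelated image. The following detector is an added example, not code from the original post or from Rapid7: it scans constructed, pipe-delimited records modelled on Sysmon Event ID 8 (CreateRemoteThread) and flags threads created in the two processes the post names by any source image outside an allow-list. The record format, the sample lines and the allow-list are assumptions for illustration.

```python
# Processes the post describes as migration targets for the keystroke sniffer.
SENSITIVE_TARGETS = {"winlogon.exe", "explorer.exe"}

# Constructed allow-list of images that legitimately create threads in those
# processes on this (hypothetical) host; tune it per environment.
EXPECTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\services.exe",
}


def parse_event(line):
    """Parse one constructed 'Key=Value|Key=Value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious_migration(event):
    """True for a CreateRemoteThread (EventID 8) whose target is a sensitive
    desktop process and whose source image is not on the allow-list."""
    if event.get("EventID") != "8":
        return False
    target = basename(event.get("TargetImage", ""))
    source = event.get("SourceImage", "").lower()
    return target in SENSITIVE_TARGETS and source not in EXPECTED_SOURCES


def find_migrations(lines):
    """Return the parsed records that look like injection into a logon/desktop process."""
    events = (parse_event(line) for line in lines)
    return [ev for ev in events if is_suspicious_migration(ev)]


# Constructed sample records (not real telemetry): an expected csrss thread in
# explorer.exe, an unexpected svchost thread in winlogon.exe, a remote thread
# into a non-sensitive process, and a process-creation event that is ignored.
SAMPLE_LOG = [
    "EventID=8|SourceImage=C:\\Windows\\System32\\csrss.exe|TargetImage=C:\\Windows\\explorer.exe",
    "EventID=8|SourceImage=C:\\Windows\\System32\\svchost.exe|TargetImage=C:\\Windows\\System32\\winlogon.exe",
    "EventID=8|SourceImage=C:\\Windows\\System32\\svchost.exe|TargetImage=C:\\Windows\\System32\\notepad.exe",
    "EventID=1|Image=C:\\Windows\\System32\\notepad.exe",
]

if __name__ == "__main__":
    for hit in find_migrations(SAMPLE_LOG):
        print("suspicious remote thread:", hit["SourceImage"], "->", hit["TargetImage"])
```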