In this tutorial, we’ll attempt to remotely install a keylogger. This one is actually quite basic, so without further ado, let’s begin.
Fire up Metasploit and let’s get started. Like before, we’re assuming that the system has already been broken into and we have the meterpreter session.
Step 1: Find a program.
The way the keylogger in Meterpreter works is, you have to attach it to a running program. Say for example, we find that the victim’s computer is running an internet browser, a game and MS Word. Clearly there’s two items of interest in there. We can attach the keylogger to the browser or MS Word to get whatever’s being typed in these two applications. So, first we check what all processes are running on the target system using the following command:
Usually you’ll get a very long list of items. The two columns we’re interested in are PID (Process ID) and process name. For this step you may want to google up the names of some processes to see which programs they belong to or if you find the ones you know of, like chrome.exe (Google Chrome) or notepad.exe then you can use these. We need to migrate meterpreter to the corresponding PID. Suppose we found wordpad.exe at PID=1440
meterpreter > migrate 1440
You should see a message “Migration completed successfully”.
Step 2: Start the Keylogger
Now we can embed the keylogger into the program.The Meterpreter keylogger is a built-in feature called keyscan. We can start it up by the following command:
This should successfully attach the keylogger to our preferred program and the keylogging will start immediately.
Step 3: Dump the logged Keystrokes
So, in the previous step we hooked up a keylogger to the WordPad application running on our victim’s computer. It’ll keep running until we tell it to stop (or the victim shuts down the computer). We can recover whatever the keylogger has logged by the following command. You might want to wait a while, maybe grab a snack while the keylogger is running on the system just to give it enough time to log something. It’s pretty much hit and trial since we don’t know when the victim is going to choose the application we’re keylogging and type something in it. They could be typing in it just as we hooked up the keylogger or they may not use the application for hours.
If all went great and the victim actually typed something in our chosen application meterpreter will print out everything in our command shell. You could try using different applications to get different results. Obviously you’ll not get anyone’s passwords by keylogging WordPad whereas chrome.exe and firefox.exe are much more likely to give us something of more interest.