Home page logo

metasploit logo Metasploit mailing list archives

Re: defences from incognito
From: "Sherif Eldeeb" <archeldeeb () gmail com>
Date: Mon, 10 May 2010 09:15:57 +0300

Meterpreter keylogging:
Actually meterpreter has two flavors of keylogging available out of the box:
1 - On a meterpreter prompt, type "keyscan_start", this will start
keylogging, to see the keystrokes, type "keyscan_dump", to stop the whole
thing "keyscan_stop".
2 - On a meterpreter prompt, Type "run keylogrecorder -h" to take a look at
the available options.

- The second method, even though it's better IMHO, it will migrate to
another process before logging "explorer.exe or winlogon.exe", which in my
case, was triggering behavioral based antivirus defenses on many systems
"ThreatFire, Symantec SONAR...etc.", so, even if your payload has not been
caught by its signature, the possibility of being caught by its behavior
will increase.

Last words: 
Go to http://www.offensive-security.com/metasploit-unleashed/, go through it
and you'll find that 99% of your questions are already answered, in details,
and also try a google search before posting to the mail list, not that
people here are not willing to help, but I think it's faster for you to just
get the answers from where it has already been answered instead of waiting
for someone to write a specific one for you.

- Beside not doing anything stupid, any advises evading behavioral based
antiviruses? For example, an encoded payload gets past Symantec and runs
just fine, but after five minutes or so, even without doing ANYTHING with
the payload "not even ps, ls or whatever", it gets caught and killed by the
behavioral part of the suite "SONAR".
- How to send "window-L" ?


-----Original Message-----
From: framework-bounces () spool metasploit com
[mailto:framework-bounces () spool metasploit com] On Behalf Of 5.K1dd
Sent: Monday, May 10, 2010 1:34 AM
To: HD Moore
Cc: framework () spool metasploit com
Subject: Re: [framework] defences from incognito

There isn't really a defense if you have system access to a machine with
a logged in administrative user. I have heard that enabling kerberos can
help in terms of session lifetime, but since you can just sniff the
user's clear-text keystrokes when they authenticate, its not a real

A fun trick us injecting into winlogon, start the keystroke monitor,
then locking the user's screen. When they authenticate to get back to
their desktop, you have the clear-text password.

That does sound like a fun trick!  Is there a keylogger built into
metasploit or would you need to upload a 3rd party tool?



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]