Metasploit mailing list archives
Re: defences from incognito
From: "Sherif Eldeeb" <archeldeeb () gmail com>
Date: Mon, 10 May 2010 09:15:57 +0300
Meterpreter keylogging: Actually meterpreter has two flavors of keylogging available out of the box:

1 - On a meterpreter prompt, type "keyscan_start"; this will start keylogging. To see the keystrokes, type "keyscan_dump"; to stop the whole thing, "keyscan_stop".

2 - On a meterpreter prompt, type "run keylogrecorder -h" to take a look at the available options.

WARNING:
- The second method, even though it's better IMHO, will migrate to another process before logging ("explorer.exe" or "winlogon.exe"), which in my case was triggering behavior-based antivirus defenses on many systems ("ThreatFire, Symantec SONAR...etc."), so, even if your payload has not been caught by its signature, the possibility of being caught by its behavior will increase.

Last words: Go to http://www.offensive-security.com/metasploit-unleashed/, go through it and you'll find that 99% of your questions are already answered, in detail, and also try a google search before posting to the mail list; not that people here are not willing to help, but I think it's faster for you to just get the answers from where they have already been answered instead of waiting for someone to write a specific one for you.

REQUEST FOR ADVICE:
- Besides not doing anything stupid, any advice on evading behavior-based antiviruses? For example, an encoded payload gets past Symantec and runs just fine, but after five minutes or so, even without doing ANYTHING with the payload ("not even ps, ls or whatever"), it gets caught and killed by the behavioral part of the suite ("SONAR").
- How to send "window-L"?

Regards,
Sherif

-----Original Message-----
From: framework-bounces () spool metasploit com [mailto:framework-bounces () spool metasploit com] On Behalf Of 5.K1dd
Sent: Monday, May 10, 2010 1:34 AM
To: HD Moore
Cc: framework () spool metasploit com
Subject: Re: [framework] defences from incognito
There isn't really a defense if you have system access to a machine with a logged in administrative user. I have heard that enabling kerberos can help in terms of session lifetime, but since you can just sniff the user's clear-text keystrokes when they authenticate, it's not a real solution. A fun trick is injecting into winlogon, starting the keystroke monitor, then locking the user's screen. When they authenticate to get back to their desktop, you have the clear-text password.
That does sound like a fun trick! Is there a keylogger built into metasploit or would you need to upload a 3rd party tool?

-Brian

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
Current thread:
- defences from incognito Robin Wood (May 09)
- Re: defences from incognito HD Moore (May 09)
- Re: defences from incognito Robin Wood (May 09)
- Re: defences from incognito HD Moore (May 09)
- Re: defences from incognito Robin Wood (May 09)
- Re: defences from incognito Robin Wood (May 09)
- Re: defences from incognito 5.K1dd (May 09)
- Re: defences from incognito HD Moore (May 09)
- Re: defences from incognito Sherif Eldeeb (May 09)