Skip to content

working with meterpeter Builtin keylogger

Jump to bottom
pedro ubuntu edited this page Mar 8, 2020 · 45 revisions

Description

This Module allows attackers to 'capture remote keystrokes' beeing online (connected to Client)
or offline (disconnected from Client) because this keylogger will work on 'ram' until reboot or if is 'child proccess' (PSv2) its stoped (using meterpeter to stop keylogger). The keylogger will record
all keystrokes into remote-host '$env:tmp\KBlogger.txt' folder for later review ..

Remark

  • For keylogger perfect working its necessary to execute Client in '$env:tmp' Remote-Host folder
  • IF the Client its executed with administrator privs, then 'PS -v2' will be used to trigger exec.
  • This keylogger will 'not' send the LogFile to any 'online services' because its for demos only

Article Quick Jump List


Install remote keylogger

1º - Sellect meterpeter 'keylogger' Module key1

2º - Sellect meterpeter 'Install' Module
This Module will 'Upload keylooger.ps1' from 'meterpeter\mimiRatz' Local Folder to target machine '$env:tmp' trusted location, with the intent of evading Windows Defender Exploit Guard, It also Builds in '$env:tmp' the script 'KB4524147.vbs' thats going to silent execute keylooger.ps1 in background. key2

Remark

  • Its 'recomended' to exec the 'Client' as Admin to trigger 'amsistream bypass' (if available).

  • AmsiStream Bypass its written inside '$env:tmp\KB4524147.vbs' if Available on target machine.

  • Jump To Top


Start remote keylogger

1º - Sellect meterpeter 'keylogger' Module key1

2º - Sellect meterpeter 'StartK' Module
This Module will execute Remote-Host '$env:tmp\KB4524147.vbs' thats going to silent execute our keylogger in background child proccess (PSv2 if available) to start recording remote keystrokes. key3


Read keylogger logfile

1º - Sellect meterpeter 'keylogger' Module key1

2º - Sellect meterpeter 'ReadLog' Module
This Module will Read the contents of Remote-Host '$env:tmp\KBLogger.txt' (keystrokes). key4

Remark

  • If keylogger its 'stoped' or we 'lose the connection' the logfile still remains and it can be review in any point in time (another day, another week, another month).

  • If the contents of remote '$env:tmp' folder are deleted, keylogger will build a new LogFile with 'recent' captures (while working).

  • Jump To Top


Stop keylogger proccesses

1º - Sellect meterpeter 'keylogger' Module key1

2º - Sellect meterpeter 'StopKp' Module
This Module will Restart 'ALL' PowerShell Processes (and child) of Remote-Host ('Stoping keylogger and Client processes'). But it will not delete the keylogger logfile for obvious reasons ... key5

Remark

  • This Module will 'not' Delete from Remote-Host the follow files: '$env:tmp\keylooger.ps1','$env:tmp\KBlogger.txt','$env:tmp\KB4524147.vbs' keylogger related scripts .. so.. If we want to be paranoic (clean tracks) we need to manualy delete them..

  • The Client '$env:tmp working dir' its not an inocent choise, its to prevent things from becaming 'very persistence' because system cleaners tend to clean this locations.

  • Jump To Top

Clone this wiki locally