Pauldotcom.com had a very interesting show this week citing two newish Meterpreter scripts that I might have assumed existed already… but they didn’t! Kudos to the developers who wrote them. Very good stuff.
meterpreter > run keylogrecorder
[*] Migrating process...
[*] explorer.exe Process found, migrating..
[*] Migration Successful!!
[*] Grabbing Desktop Keyboard Input....
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /home/carlos/.msf3/logs/keylogrecorder/192.168.1.104_20090323.1950/192.168.1.104_
[*] Recording ..^C[*] Error: Interrupt
Thanks to the suggestion from Paul of PaulDotCom, I’ve gone ahead and updated the screenshot Meterpreter script to ScreenCap, which does pretty much the same thing, except with a video of the remote console. This is just a proof of concept, and does not do the keystroke capture that was part of the suggestion. Much like screenshot, ScreenCap will create files named after the Unix epoch time at which the script is run. The captured video will be zipped and dropped off in the MSF logs directory. All remote files should be cleaned up. I’ve found the videos compress very well.
I’ve split some of the basic functions off into a library I’m currently calling MS(f)hell (Meterpreter Scripting HELper Library). The name will likely change in the future. I’ve got some really basic functionality in the library: upload, download, executeRemote and zipFile. This mostly just wraps the native API, but adds built-in verbosity for detailed reporting of activity. It also makes the new ScreenCap script only 15 lines or so.
In order to use ScreenCap, you need the open-source, command-line-driven screen capture program camstudio-cl. Place the camstudio-cl.exe binary in your Metasploit data directory. You also need both screencap.rb and msfhell.rb in your Meterpreter scripts directory. Amazingly, camstudio-cl is actually smaller than the stock boxcutter executable used by screenshot.
Where I’d like to go with MS(f)hell is to have it provide some automatic cleanup. By keeping track of created files, it could perform some post-exploit maintenance to make sure the system is restored to its original condition. I’d also like to add more VBS functions for performing activities that are monotonous on the command line. I don’t want any really complex functionality in the library, just basic reusable components for other scripts.