Capturing Windows Login Passwords with Keyscan & Lockout_Keylogger
Sometimes a penetration tester may have remote access to a user’s machine, but he may not have the user’s password. Maybe the user has a very long complex password that would just take too long to crack. What could he do?
Backtrack 5’s Metasploit Framework has a great utility for capturing keys pressed on a target machine. Once you have established a remote session, simply typing: Keyscan_start will start the built in key scanner. After a while, if you want to see what was typed simply enter “keyscan_dump”:
Here you can see from this demo key log dump that the user went to “google.com” and did a search for “Dallas Cowboys Stats”.
Now, if you look at the next key dump in the picture above, you see something odd. Looks like the <LWin> (Windows Key) and an “l” was pressed. When you press these keys on a Windows system, the computer goes into a locked mode and prompts you for your password to log back in.
The user must have locked his desktop, and went to get a cup of coffee. Everyone knows that you can’t read football stats without a good cup of joe. The user returned and logged back in. What luck, we have captured a login!
But wait a minute, why is there no password listed?
The problem is the way Windows security is laid out. Simply put, the active session (desktop) and winlogon (Login process) use different keyboard buffers. If you are sniffing the active session, you can not capture keys entered for a login, or vice versa.
You need to move your key logger to the session that you want to monitor. So in this case, simply migrating our meterpreter shell to the winlogon process puts us in the correct mode to look for passwords. Then start keyscan again:
In the picture above, the first key dump shows all of the keys pressed while the user was logged in. Which, because we are now monitoring the winlogon session key buffer, nothing is displayed. But since our target needed another cup of coffee to get through his busy day of web surfing, he locked his desktop and then logged in again. If you look at the second key dump in the picture above, you will see his full 27 character password.
Now, what would be great is if we could automate this process. I mean do you really want to just sit there and hang out until the user leaves his system? You could force his desktop into locked mode and make him log in again, but this is pretty suspicious. What if you could have meterpreter automatically find and migrate to the winlogon process, then scan the computer idle time and automatically put the user’s system into locked mode? Finally, what would be really nice is if the script notified you when the user logs back in and gives you a text dump of his password.
Meet “Lockout_Keylogger” (formerly called “smartlocker”) an amazing script made by CG and Mubix:
Lockout_Keylogger automates the entire process from beginning to end. The user walks away from his PC, the script waits a certain amount of idle time and then puts the computer into locked mode. Then, when he logs back in, it is already set to scan the keys pressed.
The password could be a simple 4 character password or a complex 30 character monster, it does not matter. Lockout_Keylogger intercepts it and displays it in plain text on the penetration tester’s machine.
~ by D. Dieterle on September 16, 2011.