Using Problem Steps Recorder (PSR) Remotely with Metasploit

Windows includes a built in program that captures screenshots and text descriptions of what a user is doing on their system. This program could be accessed remotely by a hacker. In this article we will see how to run the program from a remote shell using Metasploit.

Introduction

Windows includes a great support program that you have probably never heard of called “Problem Steps Recorder” (psr.exe). Microsoft made this program to help troubleshooters see step-by-step what a user is doing. If a user is having a computer problem that they either can’t articulate well or tech support just can’t visualize the issue, all the support personnel needs to do is have the user run psr.exe.

When PSR runs it automatically begins capturing screen captures of everything that the user clicks on, it also keeps a running dialog of what the user is doing in a text log. When done, the data is saved into an HTML format and zipped so all the user needs to do is e-mail this to the tech support department.

I have honestly never heard of PSR before yesterday when Mark Burnett (@m8urnett) mentioned it on Twitter:

PSR Metasploit 1

Creepy indeed, but I thought that if you could run it remotely, it would be a great tool for a penetration tester. Well, you can! Though running PSR as an attack tool isn’t a new idea. I did some searching and it is mentioned multiple times over the last several years in this manner. Pipefish even mentions using it with Metasploit back in this 2012 article (http://pipefish.me/tag/psr-exe/).

To use Steps Recorder normally, all you need to do is click the start button in Windows and type “psr” into the search box. Then click on “Steps Recorder”.

A small user interface opens up:

PSR Metasploit 2

Just click “Start Record” to start. It then immediately begins grabbing screenshots. It displays a red globe around the pointer whenever a screenshot is taken. Then press “Stop Recording” when done. You will then be presented with a very impressive looking report of everything that you did. You then have the option of saving the report.

PSR can be run from the command prompt. Below is a listing of command switches from Microsoft :

psr.exe [/start |/stop][/output <fullfilepath>] [/sc (0|1)] [/maxsc <value>]
[/sketch (0|1)] [/slides (0|1)] [/gui (0|1)]
[/arcetl (0|1)] [/arcxml (0|1)] [/arcmht (0|1)]
[/stopevent <eventname>] [/maxlogsize <value>] [/recordpid <pid>]

/start Start Recording. (Outputpath flag SHOULD be specified)
/stop Stop Recording.
/sc Capture screenshots for recorded steps.
/maxsc Maximum number of recent screen captures.
/maxlogsize Maximum log file size (in MB) before wrapping occurs.
/gui Display control GUI.
/arcetl Include raw ETW file in archive output.
/arcxml Include MHT file in archive output.
/recordpid Record all actions associated with given PID.
/sketch Sketch UI if no screenshot was saved.
/slides Create slide show HTML pages.
/output Store output of record session in given path.
/stopevent Event to signal after output files are generated.

Using PSR remotely with Metasploit

Using the command line options, PSR works very nicely with Metasploit in a penetration testing scenario. I will start with an active remote Meterpreter session between a test Windows 7 system and Kali Linux. There are many ways that you could do this, but I simply made a short text file as seen below:

  • psr.exe /start /gui 0 /output C:\Users\Dan\Desktop\cool.zip;
  • Start-Sleep -s 20;
  • psr.exe /stop;

The commands above start PSR, turns off that pesky Gui window that pops up when running and turns off the red pointer glow when recording pages. It then saves the file to the desktop.

The script waits 20 seconds and then stops recording.

I then encoded the command and ran it in a command shell:

PSR Metasploit 3
After 20 seconds a new “cool.zip” file popped up on the Windows 7 desktop:

PSR Metasploit 4
This file contained a complete step by step list of everything the user did during the 20 second window. At the top of the file are the screenshots:

PSR Metasploit 5
And at the bottom was the step by step text log:

PSR Metasploit 6
I actually like using PSR now better than Metasploit’s built in screenshot capability, especially with the blow by blow text log that is included. The script also worked well against Windows 10 with some minor tweaks.

Defending against this attack

Problem Steps Recorder can be disabled in group policy. Though I did not see anywhere on how to completely uninstall PSR.

The best defense is to block the remote connection from being created, so standard security practices apply. Keep your operating systems and AV up to date. Don’t open unsolicited, unexpected or questionable e-mail attachments. Avoid questionable links, be leery of shortened URLs and always surf safely.

If you want to learn more about computer security testing using Metasploit and Kali Linux, check out my latest book, “Intermediate Computer Security Testing with Kali Linux 2”.

Network Reconnaissance with Recon-NG – Basic Usage

I am working on a major update for my first book, “Basic Security Testing with Kali Linux”. Since it was published, the Recon-NG tool has changed a bit. I figured I would post a series of articles on how to use the newer Recon-NG.

The Recon-NG Framework is a powerful tool that allows you to perform automated information gathering and network reconnaissance. Recon-NG automates a lot of the steps that are taken in the initial process of a penetration test. You can automatically hit numerous websites to gather passive information on your target and even actively probe the target itself for data. It has numerous features that allow you to collect user information for social engineering attacks, and network information for network mapping and much more.

Think of it as Metasploit for information collection. Anyone who is familiar with Metasploit will feel right at home as the interface was made to have the same look and feel. The command use and process flow are very similar. Basically you can use Recon-NG to gather info on your target, and then attack it with Metasploit.

Using Recon-NG

You can start Recon-NG by selecting it from the ‘Applications > Information Gathering’ menu, or from the command line:

  • Open a terminal window by clicking on the “Terminal” icon on the quick start bar
  • Type, “recon-ng”:

Basic Recon-ng 1

Type, “help” to bring up a list of commands:

Basic Recon-ng 2

Now type, “show modules” to display a list of available modules:

Basic Recon-ng 3

Modules are used to actually perform the recon process. As you can see there are several different ones available. Go ahead and read down through the module list. Some are passive; they never touch the target network, while some directly probe and can even attack the system you are interested in. If you are familiar with the older version of Recon-NG you will notice that the module names look slightly different. Kali 2 includes the latest version of Recon-NG, and the module name layout has changed from previous versions.

The basic layout is:

Basic Recon-ng 4

1. Module Type: Recon – This is a reconnaissance module.
2. Conversion Action: Domains-hosts – Converts data from “Domains” to “hostnames”.
3. Vehicle used to perform Action: Google _Site_Web – Google is used to perform the search.

So from this module name we can see that it is a recon module that uses Google’s web site search to convert Domain Names to individual Hosts attached to that domain.
When you have found a module that you would like to try the process is fairly straight forward.

  • Type, “use [Modulename]” to use the module
  • Type, “show info” to view information about the module
  • And then, “show options” to see what variables can be set
  • Set the option variables with “set [variable]”
  • Finally, type “run” to execute the module

Stay tuned for additional Recon-NG articles and my re-vamped Basic Kali book. Also, check out my latest book, “Intermediate Security Testing with Kali Linux 2” which contains almost 500 pages packed full of step-by-step tutorials using the latest penetration testing tools!

Mana Tutorial: The Intelligent Rogue Wi-Fi Router

“Mana” by Dominic White (singe) & Ian de Villiers at Sensepost, is an amazing full feature evil access point that does, well, just about everything. Just install and run it and you will in essence receive Wi-Fi credentials or “Mana” from heaven!

Here is a link to the creator’s Defcon 22 presentation:

Not sure where to start with this one. Like other rogue Wi-Fi AP programs Mana creates a rogue AP device, but Mana does so much more.

It listens for computers and mobile devices to beacon for preferred Wi-Fi networks, and then it can impersonate that device.

Once someone connects to the rogue device, it automatically runs SSLstrip to downgrade secure communications to regular HTTP requests, can bypass/redirect HSTS, allows you to perform MitM attacks, cracks Wi-Fi passwords, grabs cookies and lets you impersonate sessions with Firelamb.

But that is not all; it can also impersonate a captive portal and simulate internet access in places where there is no access.

Mana is very effective and, well, pretty scary!

Before we get started, for best success use Kali Linux v.1.08.

And as always, this article is for educational purposes only, never try to intercept someone else’s wireless communications. Doing so is illegal in most places and you could end up in jail.

Mana Tutorial

** UPDATE ** – 10/21 – You can now install Mana in Kali by simply typing “apt-get install mana-toolkit”!

1. Download and unzip Mana from https://github.com/sensepost/mana.
2. Run the install script kali-install.sh.

Mana will then install libraries and other dependencies to work properly.

Once completed the install places the Mana program in the /usr/share/mana-toolkit directory, config files in /etc/mana-toolkit, and log files and captured creds in /var/lib/mana-toolkit.

3. Open the main config file /etc/mana-toolkit/hostapd-karma.conf

Here you can set several of the options including the default Router SSID which by default is “Internet”. Something like “Public Wi-Fi” may be more interesting. The other main setting here is “karma_loud” which sets whether mana impersonates all AP’s that it detects or not.

Lastly, all we need to do is run one of Mana’s program scripts located in usr/share/mana-toolkit/run-mana. The scripts are:

  • start-nat-simple.sh
  • start-noupstream.sh
  • start-nat-full.sh
  • start-noupstream-eap.sh

Mana Scripts

For this tutorial let’s just run Mana’s main “full” attack script.

4. Attach your USB Wi-Fi card (TL-WN722N works great).
5. Type “iwconfig” to be sure Kali sees it.

iwconfig

6. Type, “./start-nat-full.sh” to start Mana.

Mana then starts the evil AP, SSLstrip and all the other needed tools and begins listening for traffic:

Mana running

Once someone connects, Mana will display and store any creds and cookies detected as the victim surfs the web.

7. When done, press “Enter” to stop Mana

To check what you have captured run firelamb-view.sh to view captured cookie sessions:

Mana firelamb

This asks which session you want to try from the captured cookie sessions. It then tries to open the session in Firefox. If the user is still logged in you could take over their session.

You can also review the log files manually in /var/lib/mana-toolkit.

Mana works equally well against laptops and mobile devices. And the inherent trust of “preferred Wi-Fi networks” that most systems use makes this tool very effective at intercepting and impersonating wireless routers.

To defend against this type of attack turn off your wi-fi when not in use. Be very careful of using free or public Wi-Fi networks. Also, it would be best to perform any secure transactions over a wired LAN instead of using Wi-Fi!

If you enjoyed this tutorial and want to learn more about computer security testing, check out my new book, “Basic Security Testing with Kali Linux 2“.