As the name suggests, keyloggers capture keystrokes from a user and feed that information back to the security tester. Volumes of documentation and books have been wriĴen about the extensive methodologies for creating, employing, and detecting keyloggers. The keylogger is an essential tool for a penetration tester and is used routinely on mission engagements. However, the use of keyloggers could violate ROE with certain companies that wish to protect the privacy of its employees, as keyloggers will capture certain information about personal authentication mechanisms such as private email and banking information. Be sure to check with the client for authorization for the use of keyloggers while conducting a penetration test. If approved, use of a keylogger should be thoroughly documented in the ROE. Any information captured by a keylogger should be kept under strict supervision and destroyed after engagement.
Keylogging is the process of capturing keystrokes from users or administrators who are logged into a system. There are many different third-party applications that boast about their ability to be installed and run undetected. While most of these claims are true to an extent, the installation and use of a keylogger usually requires hands on the system with specific applications or to physically aĴach a hardware-listening device. The third party claims also do not take in account any antivirus applications or intrusion detection systems running on the system the tester is aĴempting to use the keylogger on. Metasploit has a built-in tool with the meterpreter shell calledkeyscan. If a penetration tester has an open sessions with a victim, then the commands are incredibly straight forward.
1. keyscan_start
2a. keyscan_dump
2n . keyscan_dump (repeat as necessary)
3. keyscan_stop
