*sigh*
Here is a lesson that I learned the hard way. When you use keyscan_start and keyscan_dump, all those keystrokes are stored in RAM on the target machine, NOT on the hard drive. I suspected as much, and upon further reading it's confirmed here:
http://www.offensive-security.com/metasploit-unleashed/Keylogging
Normally this would be awesome for forensic reasons, but god damnit, if the person restarts the machine I lost everything. I'm going to start working on a keylogger that continuously sends keystrokes over the wire, just like the JavaScript keylogger currently does.
I find it incredibly dumb that the only way to retrieve those keystrokes is to manually run keyscan_dump when you feel like investigating the contents. That's not very modular, nor is it easy to build upon. This is me just being a little baby, but seriously, if we're going to make something, let's make it awesome...