Metasploit: Keylogging

I was not able to do the keyscan successfully in my previous lab, now I found out the reason why.

The meterpreter is attached to svchost.exe process id 992.

meterpreter > getdesktop
Session 0\SAWinSta\Default
meterpreter >

The meterpreter is not in winsta0 and hence cannot capture the keystrokes of the victim.

explorer.exe has access to winsta0 api and hence is able to record the keystroke of the victim.

process id 2032 is explorer.exe, which has access to winsta0 api.

I will start the keylogging by using keyscan_start command

keystrokes captured.


Mr. Vivek Ramachandra rocks! He explains the theory and logic behind every lesson. Do sign up for his certification program as a form of supporting his cause for providing free and quality infosec education.


One thought on “Metasploit: Keylogging

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s