Keystrokes and Screenshots

Beacon’s tools to log keystrokes and take screenshots are designed to inject into another process and report their results to your Beacon.

To start the keystroke logger, use keylogger pid x86 to inject into an x86 process. Use keylogger pid x64 to inject into an x64 process. Use keylogger by itself to inject the keystroke logger into a temporary process. The keystroke logger will monitor keystrokes from the injected process and report them to Beacon until the process terminates or you kill the keystroke logger post- exploitation job.

Be aware that multiple keystroke loggers may conflict with each other. Use only one keystroke logger per desktop session.

To take a screenshot, use screenshot pid x86 to inject the screenshot tool into an x86 process. Use screenshot pid x64 to inject into an x64 process. This variant of the screenshot command will take one screenshot and exit. screenshot, by itself, will inject the screenshot tool into a temporary process.

The screenwatch command (with options to use a temporary process or inject into an explicit process) will continuously take screenshots until you stop the screenwatch post-exploitation job.

Use the printscreen command (also with temporary process and inject options) to take a screenshot by a different method. This command uses a PrintScr keypress to place the screenshot onto the user's clipboard. This feature recovers the screenshot from the clipboard and reports it back to you.

When Beacon receives new screenshots or keystrokes, it will post a message to the Beacon console. The screenshot and keystroke information is not available through the Beacon console though. Go to View -> Keystrokes to see logged keystrokes across all of your Beacon sessions. Go to View -> Screenshots to browse through screenshots from all of your Beacon sessions. Both of these dialogs update as new information comes in. These dialogs make it easy for one operator to monitor keystrokes and screenshots on all of your Beacon sessions.

 

Related Topics