When it comes to Metasploit, I'm an admitted novice, but it's a useful and popular tool. So while I'm far from an expert on it, I try and keep up with it's development. Today, the topic is clipboards - or more to the point - monitoring them and collecting useful information from them during pen testing.
Clipboard monitoring in Metasploit has been around for some time, but it has always been a one-off. It kept the pentester waiting for data to appear, unless they wrote their own Meterpreter script to check the clipboard constantly, something that many Metasploit users are hesitant to do.
However, developer OJ Reeves has removed the clunky aspects of the feature and created a Meterpreter script that polls the clipboard in near real-time, while making intelligent calls about the data types that are called by the clipboard. For example, it can tell the difference between text, images, and binaries. In short, explained Tod Beardsley, Metasploit's engineering manager, the new clipboard monitor acts like a streaming source of clipboard data.
Asked about the feature, when stacked against password and data managers such as KeePass, which erase the clipboard in order to boost security and prevent snooping, Wei Chen (@_sinn3r), exploit engineer at Rapid7, said it wouldn't matter.
"KeePass' ability to reset after X seconds is useless against our clipboard monitor. As soon as you copy something, we got you."
In an email to Salted, Reeves said he created the feature as a way to give back to the Metasploit community, and because he wanted to show people how easy it is to build extensions for Meterpreter for the ground up.
"Clipboard functionality is cool, and I know it mucks with my workflow, which means it'll surely muck with other people's [workflows] too. It's a bit disruptive which is exciting...
"I ran it on my own desktop while I was doing a day's work, just to test it. And what's amazing is that while passwords are gold for pentesters, it's quite amazing what other stuff makes it onto your clipboard during the working day.
"The amount of information that you can pull is huge, and even though it's just "metadata" it can provide quite a profile of the habits of the user you're watching. Stuff appears on the clipboard that you really didn't think would be valuable but is. The timestamping thing in particular is useful as you can start to get a timetable together of someone's working habits.. making it easy to target them for other things."
The new clipboard feature has been pushed to the Framework. Users of Metasploit Pro, Community, and Express editions will have it before the end of the month.