A great post on the Metasploit blog explains how to use a keylogger to capture Windows logon credentials.

Smartlocker is a script meant to capture the Windows credentials used to unlock the session.

Behavior:

  • Migrates to winlogon.exe.
  • Waits for the session to be locked (the session is idle).
  • Runs the keylogger until the session is unlocked (by typing the username and the password).
  • Stops the keylogger.
  • Stores the credentials in a text file located in /home/{user}/.msf3/logs/scripts/smartlocker/.
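
A defender-side view of the sequence above, as an added example that is not part of the original post or of Metasploit: it correlates a remote thread created in winlogon.exe with later lock/unlock events to list the unlocks whose passwords should be treated as captured. The event records, host names and allowlist are constructed; it assumes the migration surfaces as Sysmon Event ID 8 (CreateRemoteThread) and that lock/unlock auditing (Security Event IDs 4800/4801) is enabled.

```python
# Constructed sample events, not real telemetry. Field names follow Sysmon
# Event ID 8 (CreateRemoteThread) and Security Event IDs 4800 / 4801
# (workstation locked / unlocked).
SAMPLE_EVENTS = [
    {"time": "2024-01-10T09:00:05", "host": "WS01", "id": 8,
     "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\winlogon.exe"},
    {"time": "2024-01-10T09:20:00", "host": "WS01", "id": 4800, "user": "alice"},
    {"time": "2024-01-10T09:35:12", "host": "WS01", "id": 4801, "user": "alice"},
    {"time": "2024-01-10T10:00:00", "host": "WS02", "id": 4800, "user": "bob"},
    {"time": "2024-01-10T10:05:00", "host": "WS02", "id": 4801, "user": "bob"},
]

# Hypothetical allowlist: processes known to create threads in winlogon.exe
# in your environment (lower-case full paths). Empty here by assumption.
ALLOWED_SOURCES = set()


def exposed_unlocks(events, allowed=ALLOWED_SOURCES):
    """Return (host, user, lock_time, unlock_time) for every unlock that
    follows an unexpected remote thread in winlogon.exe on the same host."""
    injected = {}  # host -> time of first suspicious injection
    locked = {}    # (host, user) -> time of last lock
    findings = []
    # ISO-8601 timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["time"]):
        host = ev["host"]
        if ev["id"] == 8:
            target = ev["TargetImage"].lower()
            if (target.endswith("\\winlogon.exe")
                    and ev["SourceImage"].lower() not in allowed):
                injected.setdefault(host, ev["time"])
        elif ev["id"] == 4800:
            locked[(host, ev["user"])] = ev["time"]
        elif ev["id"] == 4801 and host in injected:
            # Password typed at this unlock must be treated as captured.
            lock_time = locked.pop((host, ev["user"]), None)
            findings.append((host, ev["user"], lock_time, ev["time"]))
    return findings


if __name__ == "__main__":
    for finding in exposed_unlocks(SAMPLE_EVENTS):
        print("reset credentials for unlock:", finding)
```

Each finding names an account whose password was typed while the host was in the suspect state, which gives incident response its reset list.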