Easy Website Keylogging with Metasploit

May 25, 2012 by Rupesh Hankare

Hello all, you all know how to create phishing pages. Here is a little preview about creating fake pages.

The History of Phishing:

The Phishing Method was established in 1987, and it was first disclosed in 1995.

Phishing is the technique where an attacker gathers all information from the victim’s machine, like his Username, Passwords and Credit Card details, etc.

Phishing technique allows a user to enter his credentials on a fake site which looks like a real website with a login page like gmail.com, yahoo.com and Facebook.com

Procedure to create phishing page:

  1. For creating a phishing page of the website, you will need:
    • Login Fake Page of the website
  • Write.php file
  • ftp account for web page hosting
  • Creating the write.php file:- code as shown below and save it as write.php:
  • Creating phishing page of the website:
    • First you need to go to login URL and view the source code of the page.
    • Search for “Action =”
    • Then add “write.php id=” after “Action =” and method = GET.
    • Refer to the figure below as highlighted:

  • After that, save page as “login.html”.
  • Creating FTP Account: Visit www.my3gb.com , www.110mb.com or one of the many sites available on the internet that allow for free web hosting.
  • After registering on free web hosting site. Upload two files ie “login.html” and write.php file.
  • Attacker uses various techniques to send the fake url to victim like email, chat and other techniques.
  • When a victim accesses your fake site link, it actually looks like a real login page and if he/she enters their credentials, then it will be coming out in our ftp account.
  • All of the above steps are needed to create phishing pages.Now rapid7 introduced the new JavaScript keylogger auxiliary function on April 11, 2012, where it is used by an attacker to create the page and send URL to victims. As a victim enters his credentials, automatically, it comes to Metasploit msfconsole.The Metasploit JavaScript Keylogger sets up a HTTP/HTTPS listener, which serves the JavaScript keylogger code and captures the keystrokes over the network

    The advantages of using JavaScript keylogger are that it does not require an ftp account to upload the fake pages, and there is no need to write code for write.php and fake page. It is a time saving method.

    Easy Website Key logging with Metasploit

    This is a much easier technique, which was introduced by the rapid7 Team on April 11, 2012. Here in this case an attacker creates a fake page.

    Requirement:Latest/ updated Metasploit framework version.


    In order to create the phishing page, you require JavaScript keylogger.js file which will be uploaded by rapid7 very soon. Here I am going to show you the demo which was sponsored by the Rapid7 Team.

      1. Let’s start with msfconsole:


  • Let’s search for Keylogger by typing “search Keylogger“.
  • Make a use of “Use auxiliary/server/capture/http_javascript_keylogger”
  • If you want to check the information about it then type: “Info auxiliary/server/capture/http_javascript_keylogger”
  • Type show options commands to check available options.
  • Note: – Now in this case we do not have any fake page available to show you but rapid7 team made the feature to set demo here.
    I am going to show you that demo that rapid7 introduced in the webinar.
  • Now set demo to true “set demo true”.
  • After that set uripath as keylogger “Set uripath keylogger”
  • After setting all the required options let’s start the server by typing run command.
  • Once run command gets executed, run server and generate the link as shown in screen shot above:
  • In this case, we are going to show you demo and we already set demo as true to access the demo page, just append “/demo” to the URL provided
  • An attacker uses many techniques to send the above URL to a victim like sending a link via email or using social engineering techniques etc.
  • Victim sidesteps:-
  • When the victim gets the fake link, he/she might be unaware of this type of attack and enter the links shown above.
    Demo Page:-
  • Here in the demo page keylogger JavaScript was embedded in source code so whatever the victim will type in the login box that keystroke will be getting typed in the msfconsole of the attacker.
  • If you observe the view source of the demo page. It looks like the below screen shot.
  • Whatever information the victim will type in the credentials, it will be captured by JavaScript.
  • Keystrokes captured and stored to loot. And same towards the attacker console.
  • And the typed credentials going back to attacker and in this way the attacker hacks the credentials.
  • This is the same way that an attacker can hack credit card information. He just clones the login page URL of the website which he wants to hack and diverts the victim using various techniques.

    • Emails:-Do not trust emails requesting for personal and financial information.
    • Never fill any forms from email messages which ask you to fill in personal- financial information.
    • Always ensure that you are using a secure website while submitting credit card, or other sensitive information via your browsers. This means that you should always be sure to use https://www. Connection instead of http://www. This indicates that you are using a secure website.
    • Ensure your browser is up to date and security patches applied.
Posted: May 25, 2012
Rupesh Hankare
View Profile

Rupesh S. Hankare is an Information Security Professional having experience in Information Security/ Ethical Hacking/Network Security/ SIEM Technology/ Vulnerability Assessment & Penetration Testing/Threat Management/APT Process. Having working experience on multiple SIEM platform like RSA Envision,RSA SA,Symantec SSIM, Intel Nitro, Splunk(hands on). also he is article contributor at InfoSec Institute. He is a Blogger. Blackhattrick.blogspot.in rsaenvision.blogspot.in Youtuber:https://www.youtube.com/channel/UCrVeKO2EXupPFLjMxaH5Vzw"