How Fast Can Your Password Be Cracked? Instantly...

Monday, July 02, 2012



How Fast Can Your Password Be Cracked? Instantly with a JavaScript keylogger.

Okay, so we aren't actually going to crack your password. In this brief tutorial, we show you how we can use the Metasploit JavaScript Keylogger auxiliary module in a penetration testing phishing campaign or user awareness training.

First, we need a couple of items before we get some passwords:

  • A webserver (example below)
  • A webpage with a password form
  • JavaScript hook.
  • Metasploit

You could launch this attack via cross site scripting however, here we will use a page based on to lure a person to checking how strong their password is.

(click image to enlarge)

step one

In the screenshot above we can see a couple of social engineering tricks at work. Key items to note are “help users”, “never sent” and the list of helpful tips. These items reinforce trust in the victim.

Next the user will most likely test the password field to see how the website responds, and we have a fully functional password checking system.

(click image to enlarge)


The site responds with approximately how long it would take to crack this password on a standard desktop PC without GPU cracking. But we don’t need to wait 5 million years or even 5 seconds. As you can see below each keystroke was captured by the keylogger.

(click image to enlarge)

step 4

How did we do it?

Simple we use a small python webserver:

import SimpleHTTPServer

import SocketServer

handler = SimpleHTTPServer.SimpleHTTPRequestHandler

httpd = SocketServer.TCPServer(('', 80), handler)

print "Server Started."


Now our victim can connect to our “helpful” website. Then we need a webpage to put our JavaScript keylogger into(find or make your own). Next we put the javascript in the source code of our html like so:.  

Finally, we start the Metasploit auxiliary module. The options in the module depend on your environment setup.

(click image to enlarge)

metasploit setup

That’s it! It’s your job to get the victim to the site.

This is intended for informational and/or educational purposes only; I am not responsible for your actions.

Cross-posted from

Possibly Related Articles:
Network Access Control
Information Security
Passwords cracking Javascript Social Engineering Access Control Hacking Penetration Testing Metasploit keylogger
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.