I recently conducted a penetration test for a client with a rich *NIX environment. After obtaining user access to several workstations, it was apparent that access to the interesting areas of the network required retrieving clear text passwords from users' password database files.
The compromised systems did not have any misconfigurations or service vulnerabilities, so privilege escalation opportunities were few and far between. This makes executing most readily available *NIX keylogger binaries ineffective.
I spent some time researching alternative ways to obtain keystrokes and discovered that it is possible to capture what users type on the keyboard using xinput. The best part is that this can be achieved with regular user privileges and with native tools.
Here is a video as well as some textual steps.
I like to create a new screen in situations like this, so the first step is:
I then sorted out some X11 display prerequisites and grabbed the keycode-to-character legend, so that strokes can be translated from a keycode integer value to the corresponding character.
The next step was to identify the input ID for the keyboard and use script to capture the real-time strokes to a file.
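From the defender's side, the native-tool pairing described above (xinput streaming device events under a script session) is also what a host-based check can look for. The following is an added example, not code from the original post or its authors; it parses constructed ps-style output whose column layout, PIDs and user names are assumptions, and flags xinput test invocations whose parent process is script.

```python
import re
import shlex
from typing import Dict, List

# Constructed sample of `ps -eo pid,ppid,user,args` output (not real data).
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
 1021     1 root     /usr/lib/xorg/Xorg :0 -seat seat0
 2210  2100 alice    xinput list
 2299  2201 alice    script -f /tmp/.keys.log
 2301  2299 alice    xinput test 9
 2450  2100 alice    xinput --set-prop 12 "libinput Natural Scrolling Enabled" 1
 2511  2100 bob      bash
"""

# Both spellings of the subcommand that streams device events to stdout.
XINPUT_TEST = re.compile(r"^(?:--)?test$")

def parse_ps(text: str) -> List[Dict[str, str]]:
    """Split ps rows into fields; COMMAND keeps its spaces, so split on the first three only."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header
        parts = line.split(None, 3)
        if len(parts) == 4:
            rows.append(dict(zip(("pid", "ppid", "user", "args"), parts)))
    return rows

def is_xinput_capture(args: str) -> bool:
    """True when argv is xinput with a test subcommand, whatever path it was launched from."""
    try:
        argv = shlex.split(args)
    except ValueError:  # unbalanced quotes in the command line
        return False
    if not argv or argv[0].rsplit("/", 1)[-1] != "xinput":
        return False
    return any(XINPUT_TEST.match(tok) for tok in argv[1:])

def find_suspicious(ps_text: str) -> List[Dict[str, str]]:
    """Return matching processes, flagging those whose parent is a `script` terminal recorder."""
    rows = parse_ps(ps_text)
    by_pid = {r["pid"]: r for r in rows}
    hits = []
    for r in rows:
        if is_xinput_capture(r["args"]):
            parent = by_pid.get(r["ppid"])
            recorded = parent is not None and parent["args"].split()[0].rsplit("/", 1)[-1] == "script"
            hits.append({**r, "recorded_by_script": str(recorded)})
    return hits
```

Running find_suspicious over a real ps listing is a cheap periodic check; xinput also has legitimate uses (the --set-prop row above is left alone), so only the event-streaming form is flagged.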
My co-worker Tom Porter and I are working on putting together a parser that handles shift correctly to account for lowercase and uppercase characters. Some other thoughts are real-time parsing, or slightly delayed parsing so that post-processing is avoided altogether.
Update: Here is a link to the parser Tom put together.