Rarely does a week go by without a friend or family member getting their login credentials compromised, then reused for malicious purposes. My wife is always on the lookout on Facebook, warning relatives and friends to change their passwords. Many people don't understand how their credentials get compromised. Password reuse on several websites is usually the culprit. Password reuse is a problem even if the website encrypts the passwords in their databases. An attacker only needs to insert some evil code, and allow it to do the work for them.
This is one of the many reasons how the Internet is a like a field of mines, where malicious code is around every turn. If an attacker can insert code on a website they don't need to crack any passwords. Keyloggers can be included on most websites with one line of code. The activity that ensues is pretty awesome from an attacker's perspective, they can sit back and watch credentials magically appear. It reminds me of the fisherman tales of fishes jumping into their boats.
Step 1: Module setup:
Step 2: Demo page URL
Step 3 (Optional) : To embed the keylogger into any webpage, use a reachable URL along with HTML <script> tag appended with "/[whatever].js".
Screen Capture 1: Module setup and run
Screen Capture 2: Demo page
Screen Capture 3: Keystrokes captured and stored to loot
As always hack responsibly. Let me know if you have any question in the comments.
If you haven't looked at Metasploit Community Edition, you should definitely give it a try.
You can also hit me on Twitter @threatagent.