Packet sniffing from Meterpreter

Following with the post chain about Meterpreter extensions, I’m going to show you how “sniffer” extension works. This module let’s you capture traffic from one network interface of the victim host and dump it to a “pcap” file on the attacker box.

The “sniffer” module can store up to 200000 packets in a ring buffer and exports them in a “pcap” file without ever touching the disk.

Let’s see a demo with a Windows 8 64 bit target host.

We start with a Meterpreter session.

sniffer1

As usual we migrate the process to avoid session hangs in case the original Meterpreter process was killed on the target box.

sniffer2

We need to access system resources to sniff packets, so we need to elevate privileges to “SYSTEM”. As this is a Windows 8 box, we need to “bypassuac”.

sniffer3

Again we migrate the process to other system process to hide or meterpreter session from system administrators and load the “sniffer” extension.

sniffer4

The extension add 6 new commands to meterpreter. With “sniffer_interfaces” we can see the box network interfaces to choose which one capture from. Commands “sniffer_start” and “sniffer_stop” starts and stop the traffic capture, “sniffer_dump” dumps the queue in the local file specified (local to attacker box) and clean the queue, “sniffer_stats” show statistics of an active capture and “sniffer_release” clean the queue without downloading the content.

If you want to capture from more than one interface, just call “sniffer_start” for every interface you want to capture from.

Let’s see how it works.

sniffer5

Like you can see in the image above, we capture traffic from interface 3 and dump it to “/tmp/demo.pcap”. We stopped the capture before we dumped it. That is not required, we can dump while the sniffing is working.

By default buffer size is 50000 packets, but we can change it passing a second argument to “sniffer_start” with a size between 1 and 200000 (ex: sniffer_start 3 200000).

The downloaded “pcap” file can be processed later using “Wireshark”, “Tshark”, etc.

sniffer6

This time captured traffic are ICMP packets corresponding a self generated traffic by making “pings”. In a real scenario, you can find http traffic, FTP traffic, Telnet, etc, where you can extract lot’s of information.

Another way of packet sniffing with Meterpreter is using the script “packetrecorder” developed by Carlos Perez (Darkoperator), but this is out of the scope of this post. The command “run packetrecorder” will give you the required help screen to use it.

You can find more information about packet sniffing from Meterpreter on Metasploit Unleashed.

I hope you like it.

Regards

Posted in Metasploit, Meterpreter, Post-Exploitation, Sniffer
4 comments on “Packet sniffing from Meterpreter
  1. Tom Updegrove says:

    I really liked your tutorial, especially the “bypassuac”. Curious about the initial exploit. How did you get the exploit on W8?

    • Ignacio Sorribas says:

      For the demo, I just create an executable file with a meterpreter payload and then execute it on the Windows 8 box. On a real scenario, you could send that payload to a victim hidden in another file, or exploit some other SW vulnerability (like adobe acrobat). There is a post in the spanish version of the blog (sorry for not having the translation) named “mi primera shell” where I explain a method to achieve this.

      Regards.

  2. I do agree with all the ideas you’ve offered on your post.
    They’re very convincing and will certainly work. Still, the posts are too short for beginners.

    May you please extend them a little from next
    time? Thanks for the post.

  3. PumaRachel says:

    Thanks for the useful information. Need to add your blog to bookmarks

Leave a Reply

Your email address will not be published. Required fields are marked *

*