Packet sniffing from Meterpreter
Continuing the series of posts about Meterpreter extensions, I'm going to show you how the "sniffer" extension works. This module lets you capture traffic from one network interface of the victim host and dump it to a "pcap" file on the attacker box.
The “sniffer” module can store up to 200000 packets in a ring buffer and exports them in a “pcap” file without ever touching the disk.
Let’s see a demo with a Windows 8 64 bit target host.
We start with a Meterpreter session.
As usual we migrate to another process, so the session does not hang if the original Meterpreter process is killed on the target box.
We need access to system resources to sniff packets, so we have to elevate privileges to "SYSTEM". As this is a Windows 8 box, we need "bypassuac" first.
Again we migrate to another system process, to hide our Meterpreter session from system administrators, and load the "sniffer" extension.
The extension adds 6 new commands to Meterpreter. With "sniffer_interfaces" we can list the box's network interfaces and choose which one to capture from. "sniffer_start" and "sniffer_stop" start and stop the traffic capture, "sniffer_dump" writes the queue to the specified local file (local to the attacker box) and clears the queue, "sniffer_stats" shows statistics of an active capture and "sniffer_release" clears the queue without downloading its content.
If you want to capture from more than one interface, just call “sniffer_start” for every interface you want to capture from.
Let’s see how it works.
As you can see in the image above, we capture traffic from interface 3 and dump it to "/tmp/demo.pcap". We stopped the capture before dumping it, but that is not required: we can dump while the sniffer is still running.
By default the buffer size is 50000 packets, but we can change it by passing a second argument to "sniffer_start" with a size between 1 and 200000 (e.g. sniffer_start 3 200000).
The downloaded “pcap” file can be processed later using “Wireshark”, “Tshark”, etc.
This time the captured traffic is ICMP packets from self-generated "pings". In a real scenario you can find HTTP, FTP, Telnet traffic, etc., from which you can extract lots of information.
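Because the dumped file is a standard libpcap capture, it can also be triaged with a few lines of code instead of opening it in Wireshark. The following Python script is an added example, not code from the original post or from Metasploit: it builds a small constructed pcap in memory (Ethernet/IPv4 frames carrying ICMP echo requests and one UDP datagram, roughly what the demo's ping traffic would look like), parses the global header and each record header, counts packets per transport protocol, and flags a file that ends in the middle of a record, which is what an interrupted dump or download would leave behind. The MAC and IP addresses, ports and timestamps are made-up sample values.

```python
"""Minimal classic-pcap reader that counts IPv4 packets per transport protocol.

Added example: builds a constructed capture in memory and parses it back,
so it runs offline with no external tools or real capture files.
"""
import struct
from collections import Counter

LINKTYPE_ETHERNET = 1
IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def summarize_pcap(data):
    """Walk a classic pcap byte string and count IPv4 packets by protocol.

    Returns {"packets": n, "protocols": Counter, "truncated": bool}; the flag is
    set when the file ends mid-record (e.g. an interrupted sniffer_dump).
    """
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":      # 0xa1b2c3d4 written little-endian
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":    # written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (unknown magic)")
    ghdr = struct.Struct(endian + "IHHiIII")  # magic, vmaj, vmin, tz, sigfigs, snaplen, linktype
    rhdr = struct.Struct(endian + "IIII")     # ts_sec, ts_usec, incl_len, orig_len
    _, _, _, _, _, _, linktype = ghdr.unpack_from(data, 0)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("example only handles Ethernet frames, got linktype %d" % linktype)

    offset, packets, truncated = ghdr.size, 0, False
    protos = Counter()
    while offset < len(data):
        if offset + rhdr.size > len(data):
            truncated = True
            break
        _, _, incl_len, _ = rhdr.unpack_from(data, offset)
        offset += rhdr.size
        if offset + incl_len > len(data):
            truncated = True      # record header promises more bytes than remain
            break
        frame = data[offset:offset + incl_len]
        offset += incl_len
        packets += 1
        # Ethernet header is 14 bytes; EtherType 0x0800 and version nibble 4 mean IPv4.
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00" and frame[14] >> 4 == 4:
            proto = frame[14 + 9]  # IPv4 "protocol" field is byte 9 of the IP header
            protos[IP_PROTO_NAMES.get(proto, "IP proto %d" % proto)] += 1
        else:
            protos["non-IPv4"] += 1
    return {"packets": packets, "protocols": protos, "truncated": truncated}


def _ones_complement_checksum(buf):
    """RFC 1071 checksum over an even-length buffer (IPv4 and ICMP headers)."""
    total = sum(struct.unpack("!%dH" % (len(buf) // 2), buf))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(proto, payload):
    """Constructed Ethernet/IPv4 frame with sample addresses carrying `payload`."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]))
    ip = ip[:10] + struct.pack("!H", _ones_complement_checksum(ip)) + ip[12:]
    return eth + ip + payload


def icmp_echo(seq):
    """ICMP echo request (type 8) like the pings captured in the demo."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, seq) + b"ping"
    icmp = icmp[:2] + struct.pack("!H", _ones_complement_checksum(icmp)) + icmp[4:]
    return build_frame(1, icmp)


def udp_datagram():
    """UDP datagram to port 53 with a zero (disabled) checksum, sample data."""
    data = b"query"
    return build_frame(17, struct.pack("!HHHH", 53000, 53, 8 + len(data), 0) + data)


def build_pcap(frames, truncate_last=False, endian="<"):
    """Constructed pcap: global header plus one record per frame.

    truncate_last=True cuts the final record short to simulate an interrupted dump.
    """
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        rec = struct.pack(endian + "IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
        if truncate_last and i == len(frames) - 1:
            rec = rec[: len(rec) // 2]
        out += rec
    return out


if __name__ == "__main__":
    capture = build_pcap([icmp_echo(1), icmp_echo(2), icmp_echo(3), udp_datagram()])
    print(summarize_pcap(capture))
```

To use it on a real dump, replace the constructed bytes with `open("/tmp/demo.pcap", "rb").read()`; the endianness check matters because captures written on different hosts can use either byte order, and the truncation flag tells you whether the file you are analysing is complete.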
Another way of packet sniffing with Meterpreter is the "packetrecorder" script developed by Carlos Perez (Darkoperator), but that is out of the scope of this post. The command "run packetrecorder" shows the help screen you need to use it.
You can find more information about packet sniffing from Meterpreter on Metasploit Unleashed.
I hope you like it.