Following the post chain about Meterpreter extensions, I’m going to show you how the “sniffer” extension works. This module lets you capture traffic from one network interface of the victim host and dump it to a “pcap” file on the attacker box. The “sniffer” module can store up to 200000 packets in a ring buffer and exports them to a “pcap” file without ever touching the disk.

Let’s see a demo with a Windows 8 64-bit target host. As usual we migrate the process to avoid session hangs in case the original Meterpreter process is killed on the target box. We need to access system resources to sniff packets, so we need to elevate privileges to “SYSTEM”. As this is a Windows 8 box, we need to “bypassuac”.

Again we migrate the process to another system process to hide our Meterpreter session from system administrators, and load the “sniffer” extension. The extension adds 6 new commands to Meterpreter. With “sniffer_interfaces” we can see the box’s network interfaces and choose which one to capture from. The commands “sniffer_start” and “sniffer_stop” start and stop the traffic capture, “sniffer_dump” dumps the queue to the local file specified (local to the attacker box) and clears the queue, “sniffer_stats” shows statistics of an active capture, and “sniffer_release” clears the queue without downloading its content. If you want to capture from more than one interface, just call “sniffer_start” for every interface you want to capture from.

As you can see in the image above, we capture traffic from interface 3 and dump it to “/tmp/demo.pcap”. We stopped the capture before we dumped it. That is not required; we can dump while the sniffer is still working. By default the buffer size is 50000 packets, but we can change it by passing a second argument to “sniffer_start” with a size up to the 200000-packet maximum (ex: sniffer_start 3 200000).

The downloaded “pcap” file can be processed later using “Wireshark”, “Tshark”, etc. This time the captured traffic is ICMP packets corresponding to self-generated traffic made by “pinging”. In a real scenario you can find HTTP traffic, FTP traffic, Telnet, etc., from which a lot of information can be extracted.

Another way of packet sniffing with Meterpreter is using the script “packetrecorder” developed by Carlos Perez (Darkoperator), but this is out of the scope of this post. The command “run packetrecorder” will give you the required help screen to use it. You can find more information about packet sniffing from Meterpreter on Metasploit Unleashed.
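The post leaves the dumped capture to Wireshark or Tshark. As an added example (not code from the post, Metasploit or the sniffer extension), the following Python reads a classic libpcap file and inventories which protocols were visible on the interface, flagging cleartext ones (HTTP, FTP, Telnet) the way a defender would when assessing what a host-level sniffer could have observed on that segment. It assumes the file uses the classic pcap format with the Ethernet link type (an assumption about the dump, not something the post states) and builds a small constructed sample capture in memory so it runs offline; `SAMPLE_PCAP`, `summarize` and `classify` are names introduced here.

```python
import struct
from collections import Counter

# Classic pcap global header: magic 0xa1b2c3d4, version 2.4, thiszone 0,
# sigfigs 0, snaplen 65535, link type 1 (LINKTYPE_ETHERNET).
PCAP_GLOBAL_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

# Well-known ports of protocols that carry data in the clear (assumed list).
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}


def ipv4_frame(proto, payload, src="10.0.0.5", dst="10.0.0.9"):
    """Constructed Ethernet + IPv4 frame; checksums are left zero, which is
    enough for parsing purposes."""
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                            proto, 0, bytes(map(int, src.split("."))),
                            bytes(map(int, dst.split("."))))
    eth_header = b"\x00" * 6 + b"\x11" * 6 + b"\x08\x00"   # dst MAC, src MAC, IPv4
    return eth_header + ip_header + payload


def icmp_echo_request():
    # type 8 (echo request), code 0, checksum 0, id 1, seq 1, small payload
    return ipv4_frame(1, struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping!")


def tcp_syn(sport, dport):
    # 20-byte TCP header: data offset 5 (0x50), SYN flag (0x02), window 8192
    return ipv4_frame(6, struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0))


def pcap_record(frame, ts_sec=1700000000):
    # Per-packet header: ts_sec, ts_usec, captured length, original length
    return struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame


# Constructed sample capture: two pings plus SYNs to HTTP, FTP, Telnet and HTTPS.
SAMPLE_PCAP = PCAP_GLOBAL_HEADER + b"".join(pcap_record(f) for f in [
    icmp_echo_request(), icmp_echo_request(),
    tcp_syn(49152, 80), tcp_syn(49153, 21), tcp_syn(49154, 23), tcp_syn(49155, 443),
])


def iter_frames(data):
    """Yield each captured Ethernet frame from classic pcap bytes, honouring the
    file's byte order and stopping cleanly at a truncated final record."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    link_type = struct.unpack(endian + "I", data[20:24])[0]
    if link_type != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled")
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:   # capture cut short mid-record: stop, do not crash
            break
        off += incl_len
        yield frame


def classify(frame):
    """Label a frame by the protocol a defender would care about."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return "non-ipv4"
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[23]                     # IPv4 protocol field
    l4 = frame[14 + ihl:]
    if proto == 1:
        return "icmp"
    if proto == 6 and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        for port in (dport, sport):
            if port in CLEARTEXT_PORTS:
                return CLEARTEXT_PORTS[port]
        return "tcp-other"
    if proto == 17:
        return "udp"
    return f"ip-proto-{proto}"


def summarize(data):
    """Count frames per protocol label for a pcap given as bytes."""
    return dict(Counter(classify(f) for f in iter_frames(data)))


def summarize_file(path):
    """Same inventory for a pcap on disk, e.g. the file written by sniffer_dump."""
    with open(path, "rb") as fh:
        return summarize(fh.read())


if __name__ == "__main__":
    print(summarize(SAMPLE_PCAP))
```

Run it against the dumped file with `summarize_file("/tmp/demo.pcap")`; any "ftp", "telnet" or "http" entry in the result is a protocol whose contents a sniffer on that host could read in full, which is the exposure the post's last paragraphs describe.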