Sign upLogin

rapid7/metasploit-framework

View on GitHub
Star
lib/rex/post/meterpreter/ui/console/command_dispatcher/sniffer.rb

Summary

Maintainability
B
5 hrs
Test Coverage
# -*- coding: binary -*-
require 'rex/post/meterpreter'
require 'rex/post/meterpreter/extensions/sniffer/command_ids'

module Rex
module Post
module Meterpreter
module Ui

###
#
# Packet sniffer extension user interface.
#
###
class Console::CommandDispatcher::Sniffer

  Klass = Console::CommandDispatcher::Sniffer

  include Console::CommandDispatcher
  include Rex::Post::Meterpreter::Extensions::Sniffer

  #
  # Initializes an instance of the sniffer command interaction.
  #
  def initialize(shell)
    super
  end

  #
  # List of supported commands.
  #
  def commands
    {
      'sniffer_interfaces' => 'Enumerate all sniffable network interfaces',
      'sniffer_start'      => 'Start packet capture on a specific interface',
      'sniffer_stop'       => 'Stop packet capture on a specific interface',
      'sniffer_stats'      => 'View statistics of an active capture',
      'sniffer_dump'       => 'Retrieve captured packet data to PCAP file',
      'sniffer_release'    => 'Free captured packets on a specific interface instead of downloading them',
    }

    #reqs = {
    #  'sniffer_interfaces' => [COMMAND_ID_SNIFFER_INTERFACES],
    #  'sniffer_start'      => [COMMAND_ID_SNIFFER_CAPTURE_START],
    #  'sniffer_stop'       => [COMMAND_ID_SNIFFER_CAPTURE_STOP],
    #  'sniffer_stats'      => [COMMAND_ID_SNIFFER_CAPTURE_STATS],
    #  'sniffer_dump'       => [COMMAND_ID_SNIFFER_CAPTURE_DUMP],
    #  'sniffer_release'    => [COMMAND_ID_SNIFFER_CAPTURE_RELEASE],
    #}

    #filter_commands(all, reqs)
  end


  def cmd_sniffer_interfaces(*args)

    ifaces = client.sniffer.interfaces()

    print_line()

    ifaces.each do |i|
      if i.length == 8
        # Windows
        print_line(sprintf("%d - '%s' ( type:%d mtu:%d usable:%s dhcp:%s wifi:%s )",
          i['idx'], i['description'],
          i['type'], i['mtu'], i['usable'], i['dhcp'], i['wireless'])
        )
      else
        # Mettle
        print_line(sprintf("%d - '%s' ( usable:%s )",
          i['idx'], i['description'], i['usable'])
        )
      end
    end

    print_line()

    return true
  end

  def cmd_sniffer_start(*args)
    intf = args.shift.to_i
    if (intf == 0)
      print_error("Usage: sniffer_start [interface-id] [packet-buffer (1-200000)] [bpf filter (posix meterpreter only)]")
      return
    end
    maxp = (args.shift || 50000).to_i
    bpf  = args.join(" ")

    client.sniffer.capture_start(intf, maxp, bpf)
    print_status("Capture started on interface #{intf} (#{maxp} packet buffer)")
    return true
  end

  def cmd_sniffer_stop(*args)
    intf = args[0].to_i
    if (intf == 0)
      print_error("Usage: sniffer_stop [interface-id]")
      return
    end

    res = client.sniffer.capture_stop(intf)
    print_status("Capture stopped on interface #{intf}")
    print_status("There are #{res[:packets]} packets (#{res[:bytes]} bytes) remaining")
    print_status("Download or release them using 'sniffer_dump' or 'sniffer_release'")
    return true
  end

  def cmd_sniffer_stats(*args)
    intf = args[0].to_i
    if (intf == 0)
      print_error("Usage: sniffer_stats [interface-id]")
      return
    end

    stats = client.sniffer.capture_stats(intf)
    print_status("Capture statistics for interface #{intf}")
    stats.each_key do |k|
      print_line("\t#{k}: #{stats[k]}")
    end

    return true
  end

  def cmd_sniffer_release(*args)
    intf = args[0].to_i
    if (intf == 0)
      print_error("Usage: sniffer_release [interface-id]")
      return
    end

    res = client.sniffer.capture_release(intf)
    print_status("Flushed #{res[:packets]} packets (#{res[:bytes]} bytes) from interface #{intf}")

    return true
  end

  def cmd_sniffer_dump(*args)
    intf = args[0].to_i
    if (intf == 0 or not args[1])
      print_error("Usage: sniffer_dump [interface-id] [pcap-file]")
      return
    end

    path_cap = args[1]
    path_raw = args[1] + '.raw'

    fd = ::File.new(path_raw, 'wb+')

    print_status("Flushing packet capture buffer for interface #{intf}...")
    res = client.sniffer.capture_dump(intf)
    print_status("Flushed #{res[:packets]} packets (#{res[:bytes]} bytes)")

    bytes_all = res[:bytes] || 0
    bytes_got = 0
    bytes_pct = 0
    linktype = res[:linktype]
    while (bytes_all > 0)
      res = client.sniffer.capture_dump_read(intf,1024*512)

      bytes_got += res[:bytes]

      pct = ((bytes_got.to_f / bytes_all.to_f) * 100).to_i
      if(pct > bytes_pct)
        print_status("Downloaded #{"%.3d" % pct}% (#{bytes_got}/#{bytes_all})...")
        bytes_pct = pct
      end
      break if res[:bytes] == 0
      fd.write(res[:data])
    end

    fd.close

    print_status("Download completed, converting to PCAP...")

    fd = nil
    if(::File.exist?(path_cap))
      fd = ::File.new(path_cap, 'ab+')
    else
      fd = ::File.new(path_cap, 'wb+')
      fd.write([0xa1b2c3d4, 2, 4, 0, 0, 65536, linktype].pack('NnnNNNN'))
    end

    pkts = {}
    od = ::File.new(path_raw, 'rb')


    # TODO: reorder packets based on the ID (only an issue if the buffer wraps)
    while(true)
      buf = od.read(20)
      break unless buf

      idh,idl,thi,tlo,len = buf.unpack('N5')
      break unless len
      if(len > 10000)
        print_error("Corrupted packet data (length:#{len})")
        break
      end

      pkt_id = (idh << 32) +idl
      pkt_ts = Rex::Proto::SMB::Utils.time_smb_to_unix(thi,tlo)
      pkt    = od.read(len)

      fd.write([pkt_ts,0,len,len].pack('NNNN')+pkt)
    end
    od.close
    fd.close

    ::File.unlink(path_raw)
    print_status("PCAP file written to #{path_cap}")
  end

  #
  # Name for this dispatcher
  # sni
  def name
    "Sniffer"
  end

end

end
end
end
end