Feature meterp sniffer wpcap #173
This begins the process of removing PSSDK components and migrating meterpreter to a common PCAP based interface for host-resident network operations.

Current state:
1. Remove PSSDK related functions and definitions from sniffer
2. Use directives to ensure platform-specific calls are used by the compiler when needed - thread creation being a good example.
3. Update common.h with a DEBUGTRACE_FILENAME definition and file output for real_dprintf if it's defined.
4. Update CaptureJob struct for OS-specific implementation.
5. Misc cleanup
6. Operational Summary: Dispatcher commands work - start, stop, stats, interfaces. Sniffer seems to hang after 4 packets are collected in the buffer. WinPCAP needs to be in the deps submodule to compile. WinPCAP must be installed on the host to run (for now). Testing done with winpcap 4.1.3.

Todo:
1. Stabilize sniffer_handler and thread, document in detail.
2. Finalize sniffer functionality on winpcap with separately installed winpcap DLLs and driver.
3. Link all required DLL functions into the sniffer DLL specific to the architecture in use.
4. Extract the silent pcap installer's registry-related operations and drivers, implement registry ops and driver drop/remove in the extension itself (now with DLL components linked in). Use a flag to determine if winpcap was previously there, preferably link to the host's db notes, and clean up as appropriate (instantly once we init the driver would be ideal, post process acceptable).
5. Create a metpcap library to abstract common functionality for PCAP related ops and OS-specific abstractions. Implement things like pcap dispatch threads, callback handlers, and basic structs here for reference by what's coming next, and all community work subsequent to that.
6. Convert sniffer to use libmetpcap as test case, iron out bugs.
7. The fun part...
Convert use of POSIX LOCK to CRITICAL_SECTION under windows. Implement functional abstractions for lock_* functions to CS calls. Remove debug kill of the job's active status in the sniffer_thread loop - was causing the 4 packet capture scenarios.
Working sniffer binaries on PCAP for Win32 and Win64.

Test output:
```
[*] Starting interaction with 79...
meterpreter > load sniffer
Loading extension sniffer...success.
meterpreter > sniffer_start 1
[*] Capture started on interface 1 (50000 packet buffer)
meterpreter > sniffer_stats 1
[*] Capture statistics for interface 1
        packets: 4
        bytes: 444
meterpreter > sniffer_stats 1
[*] Capture statistics for interface 1
        packets: 9
        bytes: 1112
meterpreter > sniffer_stats 1
[*] Capture statistics for interface 1
        packets: 14
        bytes: 1780
meterpreter > sniffer_stats 1
[*] Capture statistics for interface 1
        packets: 19
        bytes: 2448
meterpreter > sniffer_stop 1
[*] Capture stopped on interface 1
[*] There are 26 packets (3200 bytes) remaining
[*] Download or release them using 'sniffer_dump' or ...
meterpreter > sniffer_dump 1 /tmp/sniffer.pcap
[*] Flushing packet capture buffer for interface 1...
[*] Flushed 26 packets (3720 bytes)
[*] Downloaded 100% (3720/3720)...
[*] Download completed, converting to PCAP...
[*] PCAP file written to /tmp/sniffer.pcap
meterpreter > exit
[*] Shutting down Meterpreter...
```

File output for /tmp/sniffer.pcap:
```
/tmp/sniffer.pcap: tcpdump capture file (big-endian) - version 2.4 (Ethernet, capture length 65536)
```

tshark -r shows proper traffic recorded

---------------------------------------

TODO:
1. Link all DLL functionality from winpcap directly into the dlls.
2. Create in-line driver installer to work directly from sniffer.
   2a. Check for presence of wpcap, set WPCAP_INSTALL flag if missing
   2b. Create entries for each existing NIC in registry to be hooked
   2c. Drop OS and architecture appropriate driver into windows
   2d. Init the driver and NIC, if WPCAP_INSTALL is set, cleanup.
   2e. Cleanup should remove any reg entries added by ext and npf.sys
3. Export functionality required to use PCAP/WinPCAP to libmetpcap.
   3a. Device enumeration using PCAP interfaces + native OS info
   3b. PCAPJob struct (CaptureJob today) for holding data and threads.
   3c. Concurrency abstractions - MUTEX/CS pieces, threading, safety.
   3d. Default PCAP thread handlers for reading and writing data
   3e. Section 2 components for Windows side of the house.
   3f. Convert Sniffer (and others) to use the new library interfaces.
4. Resurrect old community extensions which make use of PCAP
5. Port/build things atop the new common interface.
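The commit messages above describe two pieces of the port in prose: the lock abstraction that maps the sniffer's `lock_*` calls onto a CRITICAL_SECTION under Windows and a POSIX mutex elsewhere, and the CaptureJob bookkeeping (active flag, packet buffer with a size cap, packet/byte counters behind the stats command). The block below is an added example written for this page, not code from the meterpreter sniffer or the proposed libmetpcap; the `LOCK` typedef, the `lock_*` and `job_*` function names, the `capture_job` and `pkt` structs and the `pkt_hdr` stand-in for libpcap's packet header are all constructed for illustration so it compiles without libpcap installed.

```c
/* Added example, not the meterpreter extension's own code: a platform-
 * abstracted lock plus a small capture-job buffer of the kind a pcap
 * dispatch callback would fill. All names below are constructed. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
typedef CRITICAL_SECTION LOCK;                 /* CS under Windows */
static void lock_init(LOCK *l)    { InitializeCriticalSection(l); }
static void lock_acquire(LOCK *l) { EnterCriticalSection(l); }
static void lock_release(LOCK *l) { LeaveCriticalSection(l); }
static void lock_destroy(LOCK *l) { DeleteCriticalSection(l); }
#else
#include <pthread.h>
typedef pthread_mutex_t LOCK;                  /* POSIX mutex elsewhere */
static void lock_init(LOCK *l)    { pthread_mutex_init(l, NULL); }
static void lock_acquire(LOCK *l) { pthread_mutex_lock(l); }
static void lock_release(LOCK *l) { pthread_mutex_unlock(l); }
static void lock_destroy(LOCK *l) { pthread_mutex_destroy(l); }
#endif

/* Constructed stand-in for the two length fields of libpcap's packet header. */
struct pkt_hdr { uint32_t caplen; uint32_t len; };

/* One packet copied out of the callback's buffer into the job's queue. */
struct pkt { uint32_t len; unsigned char *data; struct pkt *next; };

/* Constructed job struct (the commit's counterpart is CaptureJob). */
struct capture_job {
    LOCK lock;
    int active;               /* cleared by the stop command */
    unsigned long max_pkts;   /* buffer cap, e.g. the 50000 in the test output */
    unsigned long cur_pkts;   /* packets currently buffered */
    unsigned long cur_bytes;  /* bytes currently buffered */
    struct pkt *head, *tail;
};

void job_init(struct capture_job *j, unsigned long max_pkts) {
    memset(j, 0, sizeof *j);
    lock_init(&j->lock);
    j->active = 1;
    j->max_pkts = max_pkts;
}

/* Shape of the per-packet callback a pcap dispatch thread would invoke:
 * copy the bytes under the lock, evict the oldest packet once the cap is
 * exceeded, and maintain the counters the stats command reports.
 * Returns 1 if the packet was queued, 0 if the job is inactive or OOM. */
int job_on_packet(struct capture_job *j, const struct pkt_hdr *h,
                  const unsigned char *bytes) {
    struct pkt *p;
    lock_acquire(&j->lock);
    if (!j->active) { lock_release(&j->lock); return 0; }
    p = malloc(sizeof *p);
    if (!p) { lock_release(&j->lock); return 0; }
    p->data = malloc(h->caplen);
    if (!p->data) { free(p); lock_release(&j->lock); return 0; }
    p->len = h->caplen;
    memcpy(p->data, bytes, h->caplen);
    p->next = NULL;
    if (j->tail) j->tail->next = p; else j->head = p;
    j->tail = p;
    j->cur_pkts++;
    j->cur_bytes += h->caplen;
    while (j->cur_pkts > j->max_pkts) {      /* drop oldest to respect the cap */
        struct pkt *old = j->head;
        j->head = old->next;
        if (!j->head) j->tail = NULL;
        j->cur_pkts--;
        j->cur_bytes -= old->len;
        free(old->data);
        free(old);
    }
    lock_release(&j->lock);
    return 1;
}

/* Stats command: read both counters atomically with respect to the callback. */
void job_stats(struct capture_job *j, unsigned long *pkts, unsigned long *bytes) {
    lock_acquire(&j->lock);
    *pkts = j->cur_pkts;
    *bytes = j->cur_bytes;
    lock_release(&j->lock);
}

/* Stop command: the dispatch loop sees active == 0 and exits; buffered
 * packets remain until they are dumped or released. */
void job_stop(struct capture_job *j) {
    lock_acquire(&j->lock);
    j->active = 0;
    lock_release(&j->lock);
}

/* Release: free every buffered packet and the lock; returns packets freed. */
unsigned long job_release(struct capture_job *j) {
    unsigned long n = 0;
    lock_acquire(&j->lock);
    while (j->head) {
        struct pkt *p = j->head;
        j->head = p->next;
        free(p->data); free(p); n++;
    }
    j->tail = NULL; j->cur_pkts = 0; j->cur_bytes = 0;
    lock_release(&j->lock);
    lock_destroy(&j->lock);
    return n;
}

/* Scenario mirroring the start / stats / stop / release sequence from the
 * test output, using constructed 100-byte frames and a 3-packet cap so the
 * eviction path is exercised. Returns 1 when every step behaves as expected. */
int demo_scenario(void) {
    struct capture_job j;
    struct pkt_hdr h = { 100, 100 };
    unsigned char frame[100];
    unsigned long pkts, bytes, i;
    memset(frame, 0xAB, sizeof frame);
    job_init(&j, 3);
    for (i = 0; i < 4; i++)
        if (!job_on_packet(&j, &h, frame)) return 0;
    job_stats(&j, &pkts, &bytes);
    if (pkts != 3 || bytes != 300) return 0;         /* oldest packet evicted */
    job_stop(&j);
    if (job_on_packet(&j, &h, frame) != 0) return 0; /* inactive job drops it */
    return job_release(&j) == 3;
}
```

The point of routing every counter read and write through `lock_acquire`/`lock_release` is that the dispatch thread and the command handler (start, stop, stats, dump) touch the same job from different threads; keeping the `#ifdef` confined to the four lock wrappers is what lets the rest of the sniffer stay identical across the Windows and POSIX builds.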
Can one of the admins verify this patch? For more information see: https://github.com/rapid7/meterpreter/wiki/CI-Testing
jenkins, this is ok to test
We'll need to also incorporate winpcap's libs and headers into the windows build process I presume. That would probably mean an addition to the meterpreter-deps repo, like we do for openssl.
The updated sniffer extension already expects winpcap to be here (in deps/winpcap). I'd obviously appreciate any extra testing, but I believe it should build as is on the windows side.
@sempervictus it could be that the build isn't picking up the deps properly. I'll have a poke shortly.
The POSIX side already has all the deps it needs, and I'm failing the build locally as well on 14.04. I can spin up a build host later, but I'm elbow deep in a stack of documentation.
Ah ok mate, no worries.
Hi. You might like to try Npcap: https://github.com/nmap/npcap. It's another fork of WinPcap with multiple new features.
We did, I think the momentum behind opening up all extensions may have
It more-or-less got left behind, but definitely still interested if someone wants to rebase this on the new repo! |
cc @wwebb-r7 |
@bcook-r7 started seriously looking into it as of today |
Closing this out since this repo is dead. |
Convert sniffer to use WinPCAP instead of PSSDK. Allows community members to build their own sniffers, and more. See commit messages for details and test output.