HD Moore and the Metasploit team rock. That's all there is to it. This week HD and company released a sniffer module for the Meterpreter payload, already the most versatile attack vector in open source penetration testing. We used it to capture credentials for an FTP login in the video below; laz3r is relentless with that ms08_067_netapi exploit!
Exploit, set up the sniffing interface, capture, review cleartext protocols in Wireshark, voilà!
Adding a sniffer to an already powerful pivoting tool like Meterpreter bridges a gap in post-exploitation. If we can capture traffic, who's to say we won't soon be able to modify it? You know all those scary things you can do via ARP/DNS/DHCP spoofing/poisoning? Did you ever watch Jay Beale's Middler talk (HTTPS-to-HTTP redirects, cookie stealing, injectable JavaScript, iframes, etc.)? We know it's not there yet, at least not the way we want it to be, but Meterpreter, Metasploit, and this module bring us closer to those tools. Like Carlos says, "root is only the beginning."
Carlos "Darkoperator" Perez (of pauldotcom.com) did an awesome writeup of the sniffer here, with all its setup commands: http://www.darkoperator.com/blog/2009/7/12/meterpreter-sniffer-module.html
