Netstat Post Module for Meterpreter

Friday, July 20, 2012

Rob Fuller


I promised this one a while ago, sorry for the delay.

This only does TCP, it'd be trivial to do UDP as well but never really found anything interesting and actively going on on the UDP side.

It's real simple. First we've gotta add the GetTcpTable function to Railgun. It lives in iphlpapi.dll and only returns the IPv4 connection table (GetTcp6Table is the IPv6 counterpart, so sockets bound only to IPv6 won't show up here):

session.railgun.add_function('iphlpapi', 'GetTcpTable', 'DWORD', [
  ['PBLOB', 'pTcpTable', 'out'],
  ['PDWORD', 'pdwSize', 'inout'],
  ['BOOL', 'bOrder', 'in']
])


Then gauge the size of the table. Calling GetTcpTable with a deliberately tiny buffer makes it fail with ERROR_INSUFFICIENT_BUFFER (Win32 error 122) and write the size it actually needs into pdwSize; Railgun hands the updated pdwSize back in the result hash (the function's return value is under 'GetReturn', which is worth checking before trusting the size):

getsize = session.railgun.iphlpapi.GetTcpTable(4,4,true)

buffersize = getsize['pdwSize']

Run the call again with the correct buffer size (bOrder = true makes Windows sort the table by local address, local port, remote address, remote port):

tcptable = session.railgun.iphlpapi.GetTcpTable(buffersize,buffersize,true)

Then it's all just parsing the result, which is also pretty straightforward. The first 4 bytes hold the number of entries (dwNumEntries); after that the MIB_TCPTABLE is just one 20-byte MIB_TCPROW after another, five DWORDs each: state, local address, local port, remote address, remote port. Addresses and ports are in network byte order, with the port sitting in the low-order 16 bits of its DWORD, which is why the code below unpacks only the first two bytes of each port field with "n". The state DWORD is translated to something readable using the MIB_TCP_STATE values:

def parse_tcptable(buffer)
  # dwNumEntries: little-endian DWORD at the start of the MIB_TCPTABLE
  entries = buffer[0,4].unpack("V*")[0]
  print_status("Total TCP Entries: #{entries}")
  rtable = Rex::Ui::Text::Table.new(
    'Header'  => 'Routing Table',
    'Indent'  => 2,
    'Columns' => ['STATE', 'LHOST', 'LPORT', 'RHOST', 'RPORT']
  )
  offset = 4
  (1..entries).each do
    x = {}
    # dwState, one of the MIB_TCP_STATE values from tcpmib.h
    x[:state] = case buffer[(offset + 0), 4].unpack("V*")[0]
      when 1  then "CLOSED"
      when 2  then "LISTEN"
      when 3  then "SYN_SENT"
      when 4  then "SYN_RCVD"
      when 5  then "ESTABLISHED"
      when 6  then "FIN_WAIT1"
      when 7  then "FIN_WAIT2"
      when 8  then "CLOSE_WAIT"
      when 9  then "CLOSING"
      when 10 then "LAST_ACK"
      when 11 then "TIME_WAIT"
      when 12 then "DELETE_TCB"
      else "UNKNOWN"
    end
    # dwLocalAddr / dwRemoteAddr are IPv4 addresses in network byte order
    x[:lhost] = Rex::Socket.addr_itoa(buffer[(offset + 4), 4].unpack("N")[0])
    # dwLocalPort / dwRemotePort: port in network byte order in the low 16 bits
    x[:lport] = buffer[(offset + 8), 4].unpack("n")[0]
    x[:rhost] = Rex::Socket.addr_itoa(buffer[(offset + 12), 4].unpack("N")[0])
    if x[:state] == "LISTEN"
      # a listening socket has no peer, so the remote port is meaningless
      x[:rport] = "_"
    else
      x[:rport] = buffer[(offset + 16), 4].unpack("n")[0]
    end
    offset = offset + 20 # sizeof(MIB_TCPROW)
    rtable << [x[:state], x[:lhost], x[:lport], x[:rhost], x[:rport]]
  end
  print_line(rtable.to_s)
end
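To make the two-call sizing dance and the MIB_TCPTABLE layout concrete without a Windows target, here is a stand-alone Ruby example. It is added here and is not the post's module or anything from Metasploit: it has no Rex dependency (IPAddr stands in for Rex::Socket.addr_itoa), the sample rows are constructed, and fake_get_tcp_table is an assumed stub that only imitates the shape Railgun returns ('GetReturn', 'pTcpTable', 'pdwSize') and Windows' ERROR_INSUFFICIENT_BUFFER behaviour. build_mib_tcptable packs a table byte-for-byte the way GetTcpTable lays it out, so round-tripping it through the parser checks the endianness and port-field assumptions; the parser also rejects a buffer shorter than dwNumEntries claims, which the loop above does not check.

```ruby
require 'ipaddr'

# MIB_TCP_STATE values (tcpmib.h); the same mapping the post's case statement does.
TCP_STATES = {
  1 => 'CLOSED',      2 => 'LISTEN',    3 => 'SYN_SENT',   4 => 'SYN_RCVD',
  5 => 'ESTABLISHED', 6 => 'FIN_WAIT1', 7 => 'FIN_WAIT2',  8 => 'CLOSE_WAIT',
  9 => 'CLOSING',     10 => 'LAST_ACK', 11 => 'TIME_WAIT', 12 => 'DELETE_TCB'
}.freeze

ROW_SIZE = 20                    # sizeof(MIB_TCPROW): five DWORDs
ERROR_INSUFFICIENT_BUFFER = 122  # what GetTcpTable returns when pdwSize is too small

# Build a MIB_TCPTABLE exactly as GetTcpTable writes it: dwNumEntries is a little-endian
# DWORD, addresses are in network byte order, and each port is in network byte order in
# the low-order 16 bits of its DWORD (i.e. the first two bytes of that field in memory).
# Only used to construct sample input for this example.
def build_mib_tcptable(rows)
  buf = [rows.length].pack('V')
  rows.each do |state, lhost, lport, rhost, rport|
    buf << [state].pack('V')
    buf << IPAddr.new(lhost).hton << [lport].pack('n') << "\x00\x00"
    buf << IPAddr.new(rhost).hton << [rport].pack('n') << "\x00\x00"
  end
  buf
end

# Assumed stand-in for session.railgun.iphlpapi.GetTcpTable (not Railgun): returns the
# hash shape Railgun produces and fails with ERROR_INSUFFICIENT_BUFFER, reporting the
# required size in 'pdwSize', whenever the caller's buffer is too small.
def fake_get_tcp_table(table)
  lambda do |buf_size, pdw_size, _sorted|
    if pdw_size < table.bytesize
      { 'GetReturn' => ERROR_INSUFFICIENT_BUFFER, 'pTcpTable' => "\x00" * buf_size,
        'pdwSize' => table.bytesize }
    else
      { 'GetReturn' => 0, 'pTcpTable' => table.ljust(buf_size, "\x00"),
        'pdwSize' => table.bytesize }
    end
  end
end

# The post's two-call pattern with the return value checked: probe with a 4-byte buffer,
# accept an outright success, retry with the reported size on ERROR_INSUFFICIENT_BUFFER,
# and surface any other Win32 error instead of parsing garbage.
def fetch_tcp_table(get_tcp_table)
  probe = get_tcp_table.call(4, 4, true)
  return probe['pTcpTable'] if probe['GetReturn'].zero?
  unless probe['GetReturn'] == ERROR_INSUFFICIENT_BUFFER
    raise "GetTcpTable size probe failed with Win32 error #{probe['GetReturn']}"
  end
  size = probe['pdwSize']
  full = get_tcp_table.call(size, size, true)
  raise "GetTcpTable failed with Win32 error #{full['GetReturn']}" unless full['GetReturn'].zero?
  full['pTcpTable']
end

# Parse a MIB_TCPTABLE into rows, refusing a buffer that cannot hold the rows it claims.
def parse_mib_tcptable(buffer)
  raise ArgumentError, 'buffer shorter than dwNumEntries' if buffer.bytesize < 4
  entries = buffer.byteslice(0, 4).unpack1('V')
  needed  = 4 + entries * ROW_SIZE
  if buffer.bytesize < needed
    raise ArgumentError, "dwNumEntries=#{entries} needs #{needed} bytes, buffer has #{buffer.bytesize}"
  end
  Array.new(entries) do |i|
    off   = 4 + i * ROW_SIZE
    code  = buffer.byteslice(off, 4).unpack1('V')
    state = TCP_STATES.fetch(code) { "UNKNOWN(#{code})" }
    row = {
      state: state,
      lhost: IPAddr.ntop(buffer.byteslice(off + 4, 4)),
      lport: buffer.byteslice(off + 8, 2).unpack1('n'),
      rhost: IPAddr.ntop(buffer.byteslice(off + 12, 4)),
      rport: buffer.byteslice(off + 16, 2).unpack1('n')
    }
    # A listener has no peer (Windows zeroes the remote fields); show '*' like netstat.
    row[:rhost] = row[:rport] = '*' if state == 'LISTEN'
    row
  end
end

def format_netstat(rows)
  fmt = '%-12s %-22s %-22s'
  lines = [format(fmt, 'STATE', 'LOCAL', 'REMOTE')]
  rows.each { |r| lines << format(fmt, r[:state], "#{r[:lhost]}:#{r[:lport]}", "#{r[:rhost]}:#{r[:rport]}") }
  lines.join("\n")
end

# Constructed sample: an SMB listener, an established outbound connection to port 4444
# (the kind of thing you run this module to find) and a connection in TIME_WAIT.
SAMPLE_ROWS = [
  [2,  '0.0.0.0',  445,   '0.0.0.0',  0],
  [5,  '10.0.0.5', 49321, '10.0.0.9', 4444],
  [11, '10.0.0.5', 49300, '10.0.0.1', 80]
].freeze
SAMPLE_TABLE = build_mib_tcptable(SAMPLE_ROWS)

if __FILE__ == $PROGRAM_NAME
  puts format_netstat(parse_mib_tcptable(fetch_tcp_table(fake_get_tcp_table(SAMPLE_TABLE))))
end
```

Against a live session you would pass a lambda that forwards to session.railgun.iphlpapi.GetTcpTable in place of the stub; the parsing and the size check are unchanged.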




Cross-posted from Room362

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
