Netstat Post Module for Meterpreter

Friday, July 20, 2012

Rob Fuller

D8853ae281be8cfdfa18ab73608e8c3f

I promised this one a while ago, sorry for the delay.

This only does TCP, it'd be trivial to do UDP as well but never really found anything interesting and actively going on on the UDP side.

It's real simple, first we've gotta add the GetTcpTable function to Railgun:

session.railgun.add_function('iphlpapi', 'GetTcpTable', 'DWORD', [

['PBLOB', 'pTcpTable', 'out'],

['PDWORD', 'pdwSize', 'inout'],

['BOOL', 'bOrder', 'in']

])


Then gauge the size of the table:

getsize = session.railgun.iphlpapi.GetTcpTable(4,4,true)

buffersize = getsize['pdwSize']

Run the call again with the correct buffer size:

tcptable = session.railgun.iphlpapi.GetTcpTable(buffersize,buffersize,true)


Then it's all just parsing the result. Also pretty straight forward. First we get the number of entries which is held in the first 4 bytes, then just parse the MIB_TCPTABLE one MIB_TCPROW at a time (translating the state to something readable):

def parse_tcptable(buffer)

  entries = buffer[0,4].unpack("V*")[0]

  print_status("Total TCP Entries: #{entries}")

  rtable = Rex::Ui::Text::Table.new(

    'Header' => 'Routing Table',

    'Indent' => 2,

    'Columns' => ['STATE', 'LHOST', 'LPORT', 'RHOST', 'RPORT']

  )

  offset = 4

  (1..entries).each do

    x = {}

    x[:state] = case buffer[(offset + 0), 4].unpack("V*")[0]

      when 1

        'CLOSED'

      when 2

        'LISTEN'

      when 3

        'SYN_SENT'

      when 4

        'SYN_RCVD'

      when 5

        'ESTABLISHED'

      when 6

        'FIN_WAIT1'

      when 7

        'FIN_WAIT2'

      when 8

        'CLOSE_WAIT'

      when 9

        'CLOSING'

      when 10

        'LAST_ACK'

      when 11

        'TIME_WAIT'

      when 12

        'DELETE_TCB'

      else

        'UNDEFINED'

      end

    x[:lhost] = Rex::Socket.addr_itoa(buffer[(offset + 4), 4].unpack("N")[0])

    x[:lport] = buffer[(offset + 8), 4].unpack("n")[0]

    x[:rhost] = Rex::Socket.addr_itoa(buffer[(offset + 12), 4].unpack("N")[0])

    if x[:state] == "LISTEN"

      x[:rport] = "_"

    else

    x[:rport] = buffer[(offset + 16), 4].unpack("n")[0]

    end

  offset = offset + 20

  rtable << [x[:state], x[:lhost], x[:lport], x[:rhost], x[:rport]]

  end

  print_status(rtable.to_s)

end

Cross-posted from Room362

Possibly Related Articles:
10617
Network->General
Information Security
Tools Penetration Testing Network Security Meterpreter TCP Railgun Pentesting Tutorial
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.