(Preamble: this post applies to Windows operating system only. Linux has tcpdump, Solaris has snoop, etc.)
Sometimes sniffing the network from a compromised remote target can come in handy.
For instance, it proved useful to me in the following pentest cases:
- Recovering POP/IMAP/SMTP passwords when the usual tools are blocked by antivirus software (use of POPS/IMAPS/SMTPS is still not widespread, especially on enterprise LANs).
- Gathering HTTP session cookies or even passwords.
But sometimes you have only command-line access to the remote target (through PSEXEC, Metasploit and such).
Getting access to the GUI (through VNC, Remote Desktop or DameWare Mini Remote Control) is not practical, since the targeted user is actively working on the console (there are workarounds for this situation, but I am not going to discuss them right now).
Installing network sniffing software such as Wireshark/WinPcap is not practical either: you have to set up the software (which changes the target system's configuration) and you might end up rebooting the system. Not to mention the x64 case, which requires signed drivers (the latest x64 WinPcap drivers are signed, though).
A lot of people claim to offer "rebootless command-line sniffers", but these are often unmaintained proof-of-concept tools, and professional pentesters cannot afford to crash a remote target.
The most reliable and lightweight tool I know is ... the one made by Microsoft, a.k.a. Microsoft Network Monitor. It relies on Windows' built-in packet capture features, therefore leaving a minimal footprint on the target system. It can run without being installed. It works on all Microsoft-supported Windows versions, in x86, x64 and even IA64 flavors.
How to use it?
- Download and install Microsoft Network Monitor on a standalone computer.
- Upload nmconfig.exe and nmcap.exe to the target computer.
- Enable the Microsoft Network Monitor Driver: nmconfig /install
- Test: nmcap /displaynetworks
- Sniff all TCP traffic on every local interface: nmcap /network * /capture tcp /File tcp.cap
- Disable the Microsoft Network Monitor Driver: nmconfig /uninstall
(Caveat: the capture file format is not WinPcap-compatible. However, Wireshark (and other tools) can read it.)
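From the defender's side, the procedure above leaves a recognisable trace in process-creation telemetry. The following Python detector is an added example, not code from the original post or from Microsoft: the tool names and the /install, /capture and /File switches come from the post; the Sysmon-style field layout, the sample records and the expected install directory are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation records (Sysmon-like fields, not real logs).
SAMPLE_EVENTS = [
    r"Image=C:\Program Files\Microsoft Network Monitor 3\nmcap.exe CommandLine=nmcap /displaynetworks User=CORP\netadmin",
    r"Image=C:\Users\alice\AppData\Local\Temp\nmconfig.exe CommandLine=nmconfig /install User=CORP\alice",
    r"Image=C:\Users\alice\AppData\Local\Temp\nmcap.exe CommandLine=nmcap /network * /capture tcp /File tcp.cap User=CORP\alice",
    r"Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe User=CORP\alice",
]

# Assumed default install directory; a copy running from anywhere else is treated as a dropped binary.
EXPECTED_DIR = "c:\\program files\\microsoft network monitor 3\\"
TOOLS = {"nmconfig.exe", "nmcap.exe"}
FIELD_RE = re.compile(r"(Image|CommandLine|User)=(.*?)(?= (?:Image|CommandLine|User)=|$)")

@dataclass
class Finding:
    user: str
    image: str
    reason: str
    severity: str

def parse(line):
    """Split one record into its key=value fields (values may contain spaces)."""
    return {k: v for k, v in FIELD_RE.findall(line)}

def analyse(line):
    """Return a Finding for NetMon command-line tool activity, else None."""
    ev = parse(line)
    image = ev.get("Image", "")
    name = image.rsplit("\\", 1)[-1].lower()
    if name not in TOOLS:
        return None
    tokens = ev.get("CommandLine", "").lower().split()
    dropped = not image.lower().startswith(EXPECTED_DIR)
    if name == "nmconfig.exe" and "/install" in tokens:
        reason, sev = "NetMon capture driver installed", "high" if dropped else "medium"
    elif name == "nmcap.exe" and "/capture" in tokens:
        i = tokens.index("/file") + 1 if "/file" in tokens else len(tokens)
        out = tokens[i] if i < len(tokens) else "?"
        reason, sev = f"packet capture started, writing {out}", "high" if dropped else "medium"
    else:
        reason, sev = "NetMon tool executed", "low"
    if dropped:
        reason += " (binary outside expected install dir)"
    return Finding(ev.get("User", "?"), image, reason, sev)

def scan(lines):
    return [f for f in map(analyse, lines) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.user}: {f.reason} -- {f.image}")
```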