Friday, August 14, 2009

Pentester trick #8: command-line sniffing made easy

(Preamble: this post applies to the Windows operating system only. Linux has tcpdump, Solaris has snoop, etc.)

Sometimes sniffing the network from a compromised remote target can come in handy.

For instance, it proved useful to me in the following pentest cases:
  • Recovering POP/IMAP/SMTP passwords, when classical tools are blocked by antivirus software (use of POPS/IMAPS/SMTPS is still not widespread, especially on enterprise LANs).
  • Gathering HTTP session cookies or even passwords.
But sometimes you have only command-line access to the remote target (through PSEXEC, Metasploit and such).

Getting access to the GUI (through VNC, Remote Desktop or DameWare Mini Remote Control) is not practical, since the targeted user is actively working on the console (there are workarounds for this situation, but I am not going to discuss them right now).

Installing network sniffing software, such as Wireshark/WinPcap, is not practical because you have to set up the software (which changes the target system configuration) and you might end up rebooting the system. Not to mention the x64 case, which requires signed drivers (the latest x64 WinPcap drivers are signed, though).

A lot of people claim to offer "rebootless command-line sniffers", but these are often unmaintained proof-of-concept tools, and professional pentesters cannot afford to crash a remote target.

The most reliable and lightweight tool I know is ... the one made by Microsoft, a.k.a. Microsoft Network Monitor. It relies on Windows built-in packet capture features, therefore leaving a minimal footprint on the target system. It can run without being installed. It works on all Microsoft-supported Windows versions, in x86, x64 and even IA64 flavors.

How to use it?
  1. Download and install Microsoft Network Monitor on a standalone computer.
  2. Upload nmconfig.exe and nmcap.exe on the target computer.
  3. Enable the Microsoft Network Monitor Driver: nmconfig /install
  4. Test: nmcap /displaynetworks
  5. Sniff all TCP traffic on every local interface: nmcap /network * /capture tcp /File tcp.cap
  6. Disable the Microsoft Network Monitor Driver: nmconfig /uninstall
(Caveat: the capture file format is not Winpcap-compatible. However, Wireshark (and others) know how to read it.)
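Seen from the other side, as an added example that is not part of the original post: a PowerShell check for the traces the six steps above leave on a host (the capture driver registered by nmconfig /install, the two uploaded executables while they run, and the .cap output of nmcap). The display-name pattern used to find the driver is an assumption, since the post does not name the driver service.

```powershell
# Added example, not from the original post: inventory what the nmconfig/nmcap
# workflow leaves behind on a host, from the defender's side.
# Assumption: the Network Monitor capture driver appears in Win32_SystemDriver
# with a display name containing "Network Monitor"; it is matched by pattern
# rather than hard-coded because the post does not name the driver service.

function Get-NetmonFootprint {
    [CmdletBinding()]
    param(
        # Root to scan for capture files; the post writes tcp.cap to the working directory
        [string]$CaptureRoot = $env:USERPROFILE,
        [int]$MaxAgeDays = 7
    )

    # 1. Kernel driver registered by "nmconfig /install" (display-name pattern is an assumption)
    $driver = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.DisplayName -like '*Network Monitor*' } |
        Select-Object Name, DisplayName, State, StartMode, PathName

    # 2. The two executables the post uploads, if they are running right now
    $procs = Get-Process -Name nmcap, nmconfig -ErrorAction SilentlyContinue |
        Select-Object Id, ProcessName, Path, StartTime

    # 3. Recently written .cap files, i.e. the output of "nmcap ... /File x.cap"
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    $caps = Get-ChildItem -Path $CaptureRoot -Filter *.cap -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $cutoff } |
        Select-Object FullName, Length, LastWriteTime

    [pscustomobject]@{
        DriverInstalled = [bool]$driver
        Driver          = $driver
        RunningTools    = $procs
        RecentCaptures  = $caps
    }
}

# Usage: a present driver on a host where nobody installed Network Monitor on
# purpose is worth a closer look; nmconfig /uninstall removes it again.
$report = Get-NetmonFootprint
$report | Format-List
```

Requires Windows PowerShell 3.0 or later for Get-CimInstance and the -File switch; on older systems Get-WmiObject Win32_SystemDriver gives the same driver list.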


Seb said...


I've tested NM3 as a standalone tool on a Windows XP SP2 workstation (on VirtualBox). It returns an error when any filter is given to /capture.

C:\>nmcap.exe /network * /capture tcp /file tst.cap
Netmon Command Line Capture (nmcap) 3.3.1641.0
Loading Parsers ...
[INFO] sparser.npb:001.000 Successfully unserialized NPL parser 'C:\Documents and Settings\*****\Local Settings\Network Monitor 3\sparser.npb. (0x83008006)
[ERROR] Unrecognized function or variable 'tcp'. (0x8100601C)
Error: '/Capture' - Invalid parameter 'tcp'

However, it's only working if you don't provide any filter.

Note: the "nmconfig /install" and "nmconfig /uninstall" commands do not return any output message.

On the Windows XP SP3 'real' (not virtualized) workstation, I've installed the tool to get the two EXE files, and everything is working well (filters as well).

Do you have any idea what the problem is?


newsoft said...

Sorry, no idea ...

Things to try:
- Specify the network interface (hint: "nmcap /DisplayNetwork"). You might try to sniff on a non-TCP/IP interface.
- Check if the VirtualBox network driver allows you to enter promiscuous mode.

Good luck!

Seb said...


Thank you for your answer.
- Specifying the network interface did not make it work any better.
- I tried the same "standalone test" on a real Windows workstation without any more success, making the VirtualBox hypothesis irrelevant.

I will continue to search, but thanks anyway for your ideas :)