search

rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/
Other
33.42k stars 13.82k forks source link

Sniffer not compatible with Meterpreter type (x64/linux) #19320

Closed ffe4 closed 1 week ago

ffe4 commented 2 weeks ago

Steps to reproduce

How'd you do it?

  1. generated payload using linux/x64/meterpreter/reverse_tcp and -f elf
  2. used it to establish a session on a container inside kubernetes running Debian 10.13 (Linux 6.1.0-22-amd64)
  3. load sniffer
  4. sniffer_interfaces
  5. got [-] sniffer_interfaces: Operation failed: The command is not supported by this Meterpreter type (x64/linux)

Note that I had to use the current nightly build for sniffer to load in the first place, presumably because of #19305

Were you following a specific guide/tutorial or reading documentation?

https://www.offsec.com/metasploit-unleashed/packet-sniffing/

Expected behavior

I should be able to user sniffer's functionality. If none of its functionality is compatible with the meterpreter type, the extension probably should not load in the first place. Some relevant documentation would be helpful in that case, or a pointer to where to find it if it already exists.

Current behavior

Metasploit complains that sniffer's command are not supported by Meterpreter type (x64/linux) in which it is loaded. This has been reported in the past in #16155 but was never commented on.

msf6 payload(linux/x64/meterpreter/reverse_tcp) > version
Framework: 6.4.17-dev-7ad7b959ece5065e7d92baf95dc451e42b4b8956
Console  : 6.4.17-dev-7ad7b959ece5065e7d92baf95dc451e42b4b8956
msf6 payload(linux/x64/meterpreter/reverse_tcp) > sessions 3
[*] Starting interaction with 3...

meterpreter > sysinfo
Computer     : 10.1.245.233
OS           : Debian 10.13 (Linux 6.1.0-22-amd64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > load sniffer
Loading extension sniffer...Success.
meterpreter > sniffer_interfaces
[-] sniffer_interfaces: Operation failed: The command is not supported by this Meterpreter type (x64/linux)
meterpreter > sniffer_start 3
[-] sniffer_capture_start: Operation failed: The command is not supported by this Meterpreter type (x64/linux)

Metasploit version

Framework: 6.4.17-dev-7ad7b959ece5065e7d92baf95dc451e42b4b8956 Console : 6.4.17-dev-7ad7b959ece5065e7d92baf95dc451e42b4b8956

Additional Information

Module/Datastore

The following global/module datastore, and database setup was configured before the issue occurred:

Collapse ``` [framework/core] loglevel=3 [framework/ui/console] ActiveModule=payload/linux/x64/meterpreter/reverse_tcp [linux/x64/meterpreter/reverse_tcp] LHOST=x.x.x.x LPORT=8888 WORKSPACE= VERBOSE=false ReverseListenerBindPort= ReverseAllowProxy=false ReverseListenerComm= ReverseListenerBindAddress= ReverseListenerThreaded=false StagerRetryCount=10 StagerRetryWait=5 AutoLoadStdapi=true AutoVerifySessionTimeout=30 InitialAutoRunScript= AutoRunScript= AutoSystemInfo=true EnableUnicodeEncoding=false HandlerSSLCert= SessionRetryTotal=3600 SessionRetryWait=10 SessionExpirationTimeout=604800 SessionCommunicationTimeout=300 PayloadProcessCommandLine= AutoUnhookProcess=false MeterpreterDebugBuild=false MeterpreterDebugLogging= PingbackRetries=0 PingbackSleep=30 PayloadUUIDSeed= PayloadUUIDRaw= PayloadUUIDName= PayloadUUIDTracking=false EnableStageEncoding=false StageEncoder= StageEncoderSaveRegisters= StageEncodingFallback=true PrependFork=false PrependSetresuid=false PrependSetreuid=false PrependSetuid=false PrependSetresgid=false PrependSetregid=false PrependSetgid=false PrependChrootBreak=false AppendExit=false MeterpreterTryToFork=false ```

Database Configuration

The database contains the following information:

Collapse ``` Session Type: Connected to msf. Connection type: postgresql. ``` | ID | Hosts | Vulnerabilities | Notes | Services | |-:|-:|-:|-:|-:| | 1 **(Current)** | 3 | 2 | 4 | 0 | | **Total (1)** | **3** | **2** | **4** | **0** |

Framework Configuration

The features are configured as follows:

Collapse | name | enabled | |-:|-:| | wrapped_tables | true | | fully_interactive_shells | false | | manager_commands | false | | datastore_fallbacks | true | | metasploit_payload_warnings | true | | defer_module_loads | false | | smb_session_type | true | | postgresql_session_type | true | | mysql_session_type | true | | mssql_session_type | true | | ldap_session_type | false | | show_successful_logins | false | | dns | true | | hierarchical_search_table | true |

History

The following commands were ran during the session and before this issue occurred:

Collapse ``` 369 set loglevel 3 370 use payload/linux/x64/meterpreter/reverse_tcp 371 set LHOST eth0 372 set LPORT 8888 373 to_handler 374 sessions 1 375 debug ```

Framework Errors

The following framework errors occurred before the issue occurred:

Collapse ``` [07/10/2024 22:41:38] [e(0)] meterpreter: sniffer_capture_start: Operation failed: The command is not supported by this Meterpreter type (x64/linux) [07/10/2024 22:46:00] [e(0)] meterpreter: sniffer_interfaces: Operation failed: The command is not supported by this Meterpreter type (x64/linux) [07/10/2024 22:50:27] [e(0)] meterpreter: sniffer_interfaces: Operation failed: The command is not supported by this Meterpreter type (x64/linux) [07/10/2024 22:51:01] [e(0)] meterpreter: sniffer_capture_start: Operation failed: The command is not supported by this Meterpreter type (x64/linux) [07/10/2024 23:03:50] [e(0)] meterpreter: sniffer_interfaces: Operation failed: The command is not supported by this Meterpreter type (aarch64/linux) [07/10/2024 23:21:17] [e(0)] meterpreter: sniffer_interfaces: Operation failed: The command is not supported by this Meterpreter type (x64/linux) [07/10/2024 23:22:00] [e(0)] core: /opt/metasploit-framework/embedded/framework/modules/auxiliary/scanner/msmail/host_id.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment. [07/10/2024 23:22:00] [e(0)] core: /opt/metasploit-framework/embedded/framework/modules/auxiliary/scanner/msmail/onprem_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment. [07/10/2024 23:22:00] [e(0)] core: /opt/metasploit-framework/embedded/framework/modules/auxiliary/scanner/msmail/exchange_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment. [07/10/2024 23:23:03] [e(0)] meterpreter: sniffer_interfaces: Operation failed: The command is not supported by this Meterpreter type (x64/linux) ```

Web Service Errors

The following web service errors occurred before the issue occurred:

Collapse ``` msf-ws.log does not exist. ```

Framework Logs

The following framework logs were recorded before the issue occurred:

Collapse ``` [07/10/2024 23:22:45] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_uuid with multi/handler]: noconn to reverse [07/10/2024 23:22:45] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_uuid with multi/handler]: none to reverse [07/10/2024 23:22:45] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_uuid with multi/handler]: tunnel to reverse [07/10/2024 23:22:45] [d(1)] core: Module windows/x64/vncinject/reverse_tcp_uuid is compatible with multi/handler [07/10/2024 23:22:45] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttp with multi/handler]: reverse to tunnel [07/10/2024 23:22:45] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttp with multi/handler]: bind to tunnel [07/10/2024 23:22:45] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttp with multi/handler]: noconn to tunnel [07/10/2024 23:22:45] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttp with multi/handler]: none to tunnel [07/10/2024 23:22:45] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttp with multi/handler]: tunnel to tunnel [07/10/2024 23:22:45] [d(1)] core: Module windows/x64/vncinject/reverse_winhttp is compatible with multi/handler [07/10/2024 23:22:45] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttps with multi/handler]: reverse to tunnel [07/10/2024 23:22:45] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttps with multi/handler]: bind to tunnel [07/10/2024 23:22:45] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttps with multi/handler]: noconn to tunnel [07/10/2024 23:22:45] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttps with multi/handler]: none to tunnel [07/10/2024 23:22:45] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttps with multi/handler]: tunnel to tunnel [07/10/2024 23:22:45] [d(1)] core: Module windows/x64/vncinject/reverse_winhttps is compatible with multi/handler [07/10/2024 23:22:50] [w(0)] core: Warning: trying to report a session_event for a session with no db_record (1) [07/10/2024 23:23:03] [e(0)] meterpreter: sniffer_interfaces: Operation failed: The command is not supported by this Meterpreter type (x64/linux) [07/10/2024 23:23:03] [d(0)] meterpreter: Call stack: /opt/metasploit-framework/embedded/framework/lib/rex/post/meterpreter/packet_dispatcher.rb:213:in `send_packet_wait_response' /opt/metasploit-framework/embedded/framework/lib/rex/post/meterpreter/packet_dispatcher.rb:176:in `send_request' /opt/metasploit-framework/embedded/framework/lib/rex/post/meterpreter/extensions/sniffer/sniffer.rb:41:in `interfaces' /opt/metasploit-framework/embedded/framework/lib/rex/post/meterpreter/ui/console/command_dispatcher/sniffer.rb:57:in `cmd_sniffer_interfaces' /opt/metasploit-framework/embedded/framework/lib/rex/ui/text/dispatcher_shell.rb:582:in `run_command' /opt/metasploit-framework/embedded/framework/lib/rex/post/meterpreter/ui/console.rb:102:in `run_command' /opt/metasploit-framework/embedded/framework/lib/rex/ui/text/dispatcher_shell.rb:531:in `block in run_single' /opt/metasploit-framework/embedded/framework/lib/rex/ui/text/dispatcher_shell.rb:525:in `each' /opt/metasploit-framework/embedded/framework/lib/rex/ui/text/dispatcher_shell.rb:525:in `run_single' /opt/metasploit-framework/embedded/framework/lib/rex/post/meterpreter/ui/console.rb:64:in `block in interact' /opt/metasploit-framework/embedded/framework/lib/rex/ui/text/shell.rb:160:in `block in run' /opt/metasploit-framework/embedded/framework/lib/rex/ui/text/shell.rb:309:in `block in with_history_manager_context' /opt/metasploit-framework/embedded/framework/lib/rex/ui/text/shell/history_manager.rb:35:in `with_context' /opt/metasploit-framework/embedded/framework/lib/rex/ui/text/shell.rb:306:in `with_history_manager_context' /opt/metasploit-framework/embedded/framework/lib/rex/ui/text/shell.rb:133:in `run' /opt/metasploit-framework/embedded/framework/lib/rex/post/meterpreter/ui/console.rb:62:in `interact' /opt/metasploit-framework/embedded/framework/lib/msf/base/sessions/meterpreter.rb:582:in `_interact' /opt/metasploit-framework/embedded/framework/lib/rex/ui/interactive.rb:53:in `interact' /opt/metasploit-framework/embedded/framework/lib/msf/ui/console/command_dispatcher/core.rb:1749:in `cmd_sessions' /opt/metasploit-framework/embedded/framework/lib/rex/ui/text/dispatcher_shell.rb:582:in `run_command' /opt/metasploit-framework/embedded/framework/lib/rex/ui/text/dispatcher_shell.rb:531:in `block in run_single' /opt/metasploit-framework/embedded/framework/lib/rex/ui/text/dispatcher_shell.rb:525:in `each' /opt/metasploit-framework/embedded/framework/lib/rex/ui/text/dispatcher_shell.rb:525:in `run_single' /opt/metasploit-framework/embedded/framework/lib/rex/ui/text/shell.rb:165:in `block in run' /opt/metasploit-framework/embedded/framework/lib/rex/ui/text/shell.rb:309:in `block in with_history_manager_context' /opt/metasploit-framework/embedded/framework/lib/rex/ui/text/shell/history_manager.rb:35:in `with_context' /opt/metasploit-framework/embedded/framework/lib/rex/ui/text/shell.rb:306:in `with_history_manager_context' /opt/metasploit-framework/embedded/framework/lib/rex/ui/text/shell.rb:133:in `run' /opt/metasploit-framework/embedded/framework/lib/metasploit/framework/command/console.rb:54:in `start' /opt/metasploit-framework/embedded/framework/lib/metasploit/framework/command/base.rb:82:in `start' /opt/metasploit-framework/bin/../embedded/framework/msfconsole:23:in `
' ```

Web Service Logs

The following web service logs were recorded before the issue occurred:

Collapse ``` msf-ws.log does not exist. ```

Version/Install

The versions and install method of your Metasploit setup:

Collapse ``` Framework: 6.4.17-dev-7ad7b959ece5065e7d92baf95dc451e42b4b8956 Ruby: ruby 3.1.5p252 (2024-04-23 revision 1945f8dc0e) [aarch64-linux] OpenSSL: OpenSSL 1.1.1t 7 Feb 2023 Install Root: /opt/metasploit-framework/embedded/framework Session Type: Connected to msf. Connection type: postgresql. Install Method: Omnibus Installer ```
adfoster-r7 commented 2 weeks ago

Hi there - thanks for raising a report; I believe this is a duplicate of this issue: https://github.com/rapid7/mettle/issues/262

smcintyre-r7 commented 1 week ago

Fixed by #19327