## Capture Plugin
![Metasploit Weekly Wrap-Up](https://blog.rapid7.com/content/images/2022/03/metasploit-fence-2.png)
Capturing credentials is a critical and early phase in the playbook of many offensive security testers. Metasploit has facilitated this for years with protocol-specific modules all under the auxiliary/server/capture. Users can start and configure each of these modules individually, but now the capture plugin can streamline the process. The capture plugin can easily start 13 different services (17 including SSL enabled versions) on the same listening IP address including remote interfaces via Meterpreter. A configuration file can be used to select individual services to start and once finished, all services can easily be stopped using a single command.
To use the plugin, it must first be loaded. That will provide the `captureg` command (for Capture-Global) which then offers `start` and `stop` subcommands. In the following example, the plugin is loaded, and then all default services are started on the 192.168.159.128 interface.
msf6 > load capture
[*] Successfully loaded plugin: Credential Capture
msf6 > captureg start –ip 192.168.159.128
Logging results to /home/smcintyre/.msf4/logs/captures/capture_local_20220325104416_589275.txt
Hash results stored in /home/smcintyre/.msf4/loot/captures/capture_local_20220325104416_612808
[+] Authentication Capture: DRDA (DB2, Informix, Derby) started
[+] Authentication Capture: FTP started
[+] HTTP Client MS Credential Catcher started
[+] HTTP Client MS Credential Catcher started
[+] Authentication Capture: IMAP started
[+] Authentication Capture: MSSQL started
[+] Authentication Capture: MySQL started
[+] Authentication Capture: POP3 started
[+] Authentication Capture: PostgreSQL started
[+] Printjob Capture Service started
[+] Authentication Capture: SIP started
[+] Authentication Capture: SMB started
[+] Authentication Capture: SMTP started
[+] Authentication Capture: Telnet started
[+] Authentication Capture: VNC started
[+] Authentication Capture: FTP started
[+] Authentication Capture: IMAP started
[+] Authentication Capture: POP3 started
[+] Authentication Capture: SMTP started
[+] NetBIOS Name Service Spoofer started
[+] LLMNR Spoofer started
[+] mDNS Spoofer started
[+] Started capture jobs
msf6 >
## NATed Services
This week Metasploit [added features]() to libraries that provide listening services like HTTP, FTP, LDAP, etc. that allow them to be bound to an explicit IP address and port combination that is independent of what is typically the SRVHOST option. This is particularly useful for modules to be used in scenarios where the target needs to connect to Metasploit through either a NAT or port-forward configuration. The use of this feature mimics the existing functionality thats provided by the reverse_tcp and reverse_http(s) payload stagers.
When a user needs the target to connect to 10.2.3.4, the Metasploit user would set that as the SRVHOST. If, however, that IP address is the external interface of a router with a port forward, Metasploit wont be able to bind to it. To fix that, users can now set the ListernBindAddress option to one that Metasploit can listen on. In this case, the IP address that the router will forward the incoming connection to.
For example, with the network configuration:
Private IP: 172.31.21.26 (where Metasploit can bind to)
External IP: 10.2.3.4 (where the target connects to Metasploit)
The Metasploit module commands would be:
set srvhost 10.2.3.4
set ListenerBindAddress 172.31.21.26
set lhost 10.2.3.4
set ReverseListenerBindAddress 172.31.21.26
## Enhancements and features (4)
* [#16249]() from [gwillcox-r7]() – This expands on the work done in and adds in a new library named Msf::Exploit::Remote::HTTP::Exchange which will allow for future Exchange library functions.
* [#16250]() from [zeroSteiner]() – Adds new `ListenerBindPort` and `ListenerBindAddress` options on modules which expose services such as HTTP, SMB, LDAP, FTP, etc. This allows users to specify a separate IP/Port to bind to, in addition to providing `SRVHOST`/`SRVPORT` values. These additional options are useful if Metasploit is running in a network behind a NAT, or when pivoting through a compromised target. The naming convention is similar to the payload options `ReverseListenerBindAddress` and `ReverseListenerBindPort`
* [#16298]() from [smashery]() – This adds the new “capture” plugin which can be used to easily start and stop credential-capturing services.
* [#16352]() from [adfoster-r7]() – The `discussion` tag has been added to allow for more long term discussions. This will replace the existing Discussions tab, and issues marked as such will not be automatically closed.
## Bugs fixed (12)
* [#16207]() from [h00die]() – The VNC libraries and associated modules have been updated to support more modern versions of VNC and to fix a few bugs so that they will work correctly with new VNC versions.
* [#16309]() from [HynekPetrak]() – This fixes an issue where the ssh_login module would crash when the channel used to execute the commands to gather the platform information reported that they failed.
* [#16317]() from [smashery]() – This fixes an issue with multiple modules that listen on UDP sockets where the modules were not closing and freeing the socket when their respective services were stopped.
* [#16325]() from [sjanusz-r7]() – This PR replaces `IO.read` with `File.binread`, in scenarios where it’s obvious that we’re reading from binaries, to prevent an issue where not all of the file has been read correctly due to an additional EOL<->CRLF conversion that happens on Windows.
* [#16340]() from [bcoles]() – This fixes the APK injection behavior to use aapt2 if msfvenom is unable to rebuild the APK with apktool, allows more APKs to be compatible with msfvenom, and fixes a bug.
* [#16341]() from [h00die]() – This fixes a bug where the `auxiliary/server/capture/vnc` module would not output hashes in a format compatible with John The Ripper and a bug that was causing crashes due to assuming hashes always had an associated username. Additionally, support has been added for exporting VNC hashes into a JTR compatible format for later cracking and the `hash_identify` function has been updated to properly identify VNC hashes allowing for better hash detection.
* [#16353]() from [jmartin-r7]() – A bug has been fixed in the Anemone library and in the HTTP crawler libraries and related module to allow pulling and setting of `ssl_version` from standardized options. This permits fine-grained user control and avoids issues related to missing or depreciated SSL versions in newer Ruby versions, which were at times preventing Metasploit from making successful connections to targets.
* [#16358]() from [bcoles]() – This change fixes a bug in the msfvenom APK injection code, where in some situations a suitable hook point could not be found.
* [#16367]() from [zeroSteiner]() – A bug was found in the way character escaping was done in `apache_apisix_api_default_token_rce` which has now been fixed. In addition, several updates have been made to better handle error cases that may occur when sending HTTP requests to the target.
* [#16368]() from [zeroSteiner]() – This improves response time when a cache miss occurs for commands not provided by `msfconsole`.
* [#16369]() from [sjanusz-r7]() – This change fixes shell_to_meterpreter module to allow upgrading (or duplicating) Meterpreter sessions.
* [#16371]() from [AlanFoster]() – This fixes a crash in the WebSocket library used by the Kubernetes modules that would occur when a socket method was being called that’s only provided by the Rex version.
* [#16361]() from [bcoles]() – Thisadds docs for the `adb_server_exec` module.
## Get it
As always, you can update to the latest Metasploit Framework with `msfupdate`
and you can get more details on the changes since the last blog post from
GitHub:
* [Pull Requests 6.1.34…6.1.35]()
* [Full diff 6.1.34…6.1.35]()
If you are a `git` user, you can clone the [Metasploit Framework repo]() (master branch) for the latest.
To install fresh without using git, you can use the open-source-only [Nightly Installers]() or the
[binary installers]() (which also include the commercial edition).Read More