metasploit-framework/modules/post/windows/gather/enum_services.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Post

  include Msf::Post::Windows::Services

  def initialize(info={})
    super(update_info(info,
      'Name'                 => "Windows Gather Service Info Enumeration",
      'Description'          => %q{
        This module will query the system for services and display name and
        configuration info for each returned service. It allows you to
        optionally search the credentials, path, or start type for a string
        and only return the results that match. These query operations are
        cumulative and if no query strings are specified, it just returns all
        services.  NOTE: If the script hangs, windows firewall is most likely
        on and you did not migrate to a safe process (explorer.exe for
        example).
        },
      'License'              => MSF_LICENSE,
      'Platform'             => ['win'],
      'SessionTypes'         => ['meterpreter'],
      'Author'               => ['Keith Faber', 'Kx499']
    ))
    register_options(
      [
        OptString.new('CRED', [ false, 'String to search credentials for' ]),
        OptString.new('PATH', [ false, 'String to search path for' ]),
        OptEnum.new('TYPE', [true, 'Service startup Option', 'All', ['All', 'Auto', 'Manual', 'Disabled' ]])
      ], self.class)
  end


  def run

    # set vars
    credentialCount = {}
    qcred = datastore["CRED"] || nil
    qpath = datastore["PATH"] || nil

    if datastore["TYPE"] == "All"
      qtype = nil
    else
      qtype = datastore["TYPE"].downcase
    end

    if qcred
      qcred = qcred.downcase
      print_status("Credential Filter: #{qcred}")
    end

    if qpath
      qpath = qpath.downcase
      print_status("Executable Path Filter: #{qpath}")
    end

    if qtype
      print_status("Start Type Filter: #{qtype}")
    end

    results_table = Rex::Ui::Text::Table.new(
        'Header'     => 'Services',
        'Indent'     => 1,
        'SortIndex'  => 0,
        'Columns'    => ['Name', 'Credentials', 'Command', 'Startup']
    )

    print_status("Listing Service Info for matching services, please wait...")
    service_list.each do |srv|
      srv_conf = {}

      # make sure we got a service name
      if srv[:name]
        begin
          srv_conf = service_info(srv[:name])
          if srv_conf[:startname]
            # filter service based on filters passed, the are cumulative
            if qcred && !srv_conf[:startname].downcase.include?(qcred)
              next
            end

            if qpath && !srv_conf[:path].downcase.include?(qpath)
              next
            end

            # There may not be a 'Startup', need to check nil
            if qtype && !(START_TYPE[srv_conf[:starttype]] || '').downcase.include?(qtype)
              next
            end

            # count the occurance of specific credentials services are running as
            serviceCred = srv_conf[:startname].upcase
            unless serviceCred.empty?
              if credentialCount.has_key?(serviceCred)
                credentialCount[serviceCred] += 1
              else
                credentialCount[serviceCred] = 1
                # let the user know a new service account has been detected for possible lateral
                # movement opportunities
                print_good("New service credential detected: #{srv[:name]} is running as '#{srv_conf[:startname]}'")
              end
            end

            results_table << [srv[:name],
                              srv_conf[:startname],
                              START_TYPE[srv_conf[:starttype]],
                              srv_conf[:path]]
          end

        rescue RuntimeError => e
          print_error("An error occurred enumerating service: #{srv[:name]}: #{e}")
        end
      else
        print_error("Problem enumerating service - no service name found")
      end
    end

    print_line results_table.to_s

    # store loot on completion of collection
    p = store_loot("windows.services", "text/plain", session, results_table.to_s, "windows_services.txt", "Windows Services")
    print_good("Loot file stored in: #{p.to_s}")
  end

end
Service enumeration module by Keith Faber git-svn-id: file:///home/svn/framework3/trunk@13423 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-30 15:11:52 +00:00			`##`
Fix up comment splats with the correct URI See the complaint on #4039. This doesn't fix that particular issue (it's somewhat unrelated), but does solve around a file parsing problem reported by @void-in 2014-10-17 16:47:33 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Service enumeration module by Keith Faber git-svn-id: file:///home/svn/framework3/trunk@13423 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-30 15:11:52 +00:00			`##`


			`require 'msf/core'`
			`require 'rex'`

			`class Metasploit3 < Msf::Post`
Fix: whitespaces, svn propset, author e-mail format git-svn-id: file:///home/svn/framework3/trunk@14175 4d416f70-5f16-0410-b530-b9f4589650da 2011-11-06 22:02:26 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Post::Windows::Services`
Service enumeration module by Keith Faber git-svn-id: file:///home/svn/framework3/trunk@13423 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-30 15:11:52 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize(info={})`
			`super(update_info(info,`
			`'Name' => "Windows Gather Service Info Enumeration",`
			`'Description' => %q{`
Add Post::Windows::Services#each_service Also cleans up some style issues and adds yardoc comments for some stuff in Post::File Note that windows/local/service_permissions is still using `service_list` because it now builds a Rex::Table, which has to have all the data up front, anyway. 2014-02-19 00:24:23 +00:00			`This module will query the system for services and display name and`
			`configuration info for each returned service. It allows you to`
			`optionally search the credentials, path, or start type for a string`
			`and only return the results that match. These query operations are`
			`cumulative and if no query strings are specified, it just returns all`
			`services. NOTE: If the script hangs, windows firewall is most likely`
			`on and you did not migrate to a safe process (explorer.exe for`
			`example).`
Retab modules 2013-08-30 21:28:54 +00:00			`},`
			`'License' => MSF_LICENSE,`
			`'Platform' => ['win'],`
			`'SessionTypes' => ['meterpreter'],`
			`'Author' => ['Keith Faber', 'Kx499']`
			`))`
			`register_options(`
			`[`
			`OptString.new('CRED', [ false, 'String to search credentials for' ]),`
			`OptString.new('PATH', [ false, 'String to search path for' ]),`
Merge in #3488 2014-07-04 19:37:09 +00:00			`OptEnum.new('TYPE', [true, 'Service startup Option', 'All', ['All', 'Auto', 'Manual', 'Disabled' ]])`
Retab modules 2013-08-30 21:28:54 +00:00			`], self.class)`
			`end`
Service enumeration module by Keith Faber git-svn-id: file:///home/svn/framework3/trunk@13423 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-30 15:11:52 +00:00

Retab modules 2013-08-30 21:28:54 +00:00			`def run`
Service enumeration module by Keith Faber git-svn-id: file:///home/svn/framework3/trunk@13423 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-30 15:11:52 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`# set vars`
Add loot storage into the enum_service post module 2014-07-02 16:48:48 +00:00			`credentialCount = {}`
Retab modules 2013-08-30 21:28:54 +00:00			`qcred = datastore["CRED"] \|\| nil`
			`qpath = datastore["PATH"] \|\| nil`
Merge in #3488 2014-07-04 19:37:09 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`if datastore["TYPE"] == "All"`
			`qtype = nil`
			`else`
Merge in #3488 2014-07-04 19:37:09 +00:00			`qtype = datastore["TYPE"].downcase`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
Add Post::Windows::Services#each_service Also cleans up some style issues and adds yardoc comments for some stuff in Post::File Note that windows/local/service_permissions is still using `service_list` because it now builds a Rex::Table, which has to have all the data up front, anyway. 2014-02-19 00:24:23 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`if qcred`
Add Post::Windows::Services#each_service Also cleans up some style issues and adds yardoc comments for some stuff in Post::File Note that windows/local/service_permissions is still using `service_list` because it now builds a Rex::Table, which has to have all the data up front, anyway. 2014-02-19 00:24:23 +00:00			`qcred = qcred.downcase`
string interpolation is preferred over concatenation Please refer to https://github.com/bbatsov/ruby-style-guide 2014-07-03 17:46:56 +00:00			`print_status("Credential Filter: #{qcred}")`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
Add Post::Windows::Services#each_service Also cleans up some style issues and adds yardoc comments for some stuff in Post::File Note that windows/local/service_permissions is still using `service_list` because it now builds a Rex::Table, which has to have all the data up front, anyway. 2014-02-19 00:24:23 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`if qpath`
Add Post::Windows::Services#each_service Also cleans up some style issues and adds yardoc comments for some stuff in Post::File Note that windows/local/service_permissions is still using `service_list` because it now builds a Rex::Table, which has to have all the data up front, anyway. 2014-02-19 00:24:23 +00:00			`qpath = qpath.downcase`
string interpolation is preferred over concatenation Please refer to https://github.com/bbatsov/ruby-style-guide 2014-07-03 17:46:56 +00:00			`print_status("Executable Path Filter: #{qpath}")`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
Add Post::Windows::Services#each_service Also cleans up some style issues and adds yardoc comments for some stuff in Post::File Note that windows/local/service_permissions is still using `service_list` because it now builds a Rex::Table, which has to have all the data up front, anyway. 2014-02-19 00:24:23 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`if qtype`
string interpolation is preferred over concatenation Please refer to https://github.com/bbatsov/ruby-style-guide 2014-07-03 17:46:56 +00:00			`print_status("Start Type Filter: #{qtype}")`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
Fix: whitespaces, svn propset, author e-mail format git-svn-id: file:///home/svn/framework3/trunk@14175 4d416f70-5f16-0410-b530-b9f4589650da 2011-11-06 22:02:26 +00:00
Refactor service_list to return array of hashes Update trusted_service_path, service_permissions, net_runtime_modify and enum_services to handle change. Refactor enum_services to tidy it up a bit 2013-12-15 03:00:29 +00:00			`results_table = Rex::Ui::Text::Table.new(`
			`'Header' => 'Services',`
			`'Indent' => 1,`
			`'SortIndex' => 0,`
			`'Columns' => ['Name', 'Credentials', 'Command', 'Startup']`
			`)`

Fix bugs 2014-07-04 19:46:50 +00:00			`print_status("Listing Service Info for matching services, please wait...")`
Refactor service_list to return array of hashes Update trusted_service_path, service_permissions, net_runtime_modify and enum_services to handle change. Refactor enum_services to tidy it up a bit 2013-12-15 03:00:29 +00:00			`service_list.each do \|srv\|`
Retab modules 2013-08-30 21:28:54 +00:00			`srv_conf = {}`
Refactor service_list to return array of hashes Update trusted_service_path, service_permissions, net_runtime_modify and enum_services to handle change. Refactor enum_services to tidy it up a bit 2013-12-15 03:00:29 +00:00
Add Post::Windows::Services#each_service Also cleans up some style issues and adds yardoc comments for some stuff in Post::File Note that windows/local/service_permissions is still using `service_list` because it now builds a Rex::Table, which has to have all the data up front, anyway. 2014-02-19 00:24:23 +00:00			`# make sure we got a service name`
Refactor service_list to return array of hashes Update trusted_service_path, service_permissions, net_runtime_modify and enum_services to handle change. Refactor enum_services to tidy it up a bit 2013-12-15 03:00:29 +00:00			`if srv[:name]`
Retab modules 2013-08-30 21:28:54 +00:00			`begin`
Refactor service_list to return array of hashes Update trusted_service_path, service_permissions, net_runtime_modify and enum_services to handle change. Refactor enum_services to tidy it up a bit 2013-12-15 03:00:29 +00:00			`srv_conf = service_info(srv[:name])`
Check for nil values 2013-12-18 11:15:52 +00:00			`if srv_conf[:startname]`
Add Post::Windows::Services#each_service Also cleans up some style issues and adds yardoc comments for some stuff in Post::File Note that windows/local/service_permissions is still using `service_list` because it now builds a Rex::Table, which has to have all the data up front, anyway. 2014-02-19 00:24:23 +00:00			`# filter service based on filters passed, the are cumulative`
			`if qcred && !srv_conf[:startname].downcase.include?(qcred)`
Check for nil values 2013-12-18 11:15:52 +00:00			`next`
			`end`

Add Post::Windows::Services#each_service Also cleans up some style issues and adds yardoc comments for some stuff in Post::File Note that windows/local/service_permissions is still using `service_list` because it now builds a Rex::Table, which has to have all the data up front, anyway. 2014-02-19 00:24:23 +00:00			`if qpath && !srv_conf[:path].downcase.include?(qpath)`
Check for nil values 2013-12-18 11:15:52 +00:00			`next`
			`end`

			`# There may not be a 'Startup', need to check nil`
Add Post::Windows::Services#each_service Also cleans up some style issues and adds yardoc comments for some stuff in Post::File Note that windows/local/service_permissions is still using `service_list` because it now builds a Rex::Table, which has to have all the data up front, anyway. 2014-02-19 00:24:23 +00:00			`if qtype && !(START_TYPE[srv_conf[:starttype]] \|\| '').downcase.include?(qtype)`
Check for nil values 2013-12-18 11:15:52 +00:00			`next`
			`end`

Merge in #3488 2014-07-04 19:37:09 +00:00			`# count the occurance of specific credentials services are running as`
Fix bugs 2014-07-04 19:46:50 +00:00			`serviceCred = srv_conf[:startname].upcase`
Merge in #3488 2014-07-04 19:37:09 +00:00			`unless serviceCred.empty?`
			`if credentialCount.has_key?(serviceCred)`
			`credentialCount[serviceCred] += 1`
			`else`
			`credentialCount[serviceCred] = 1`
			`# let the user know a new service account has been detected for possible lateral`
			`# movement opportunities`
Fix bugs 2014-07-04 19:46:50 +00:00			`print_good("New service credential detected: #{srv[:name]} is running as '#{srv_conf[:startname]}'")`
Merge in #3488 2014-07-04 19:37:09 +00:00			`end`
			`end`

Check for nil values 2013-12-18 11:15:52 +00:00			`results_table << [srv[:name],`
			`srv_conf[:startname],`
			`START_TYPE[srv_conf[:starttype]],`
			`srv_conf[:path]]`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
Refactor service_list to return array of hashes Update trusted_service_path, service_permissions, net_runtime_modify and enum_services to handle change. Refactor enum_services to tidy it up a bit 2013-12-15 03:00:29 +00:00
Fixup modules 2013-12-15 18:43:55 +00:00			`rescue RuntimeError => e`
Add Post::Windows::Services#each_service Also cleans up some style issues and adds yardoc comments for some stuff in Post::File Note that windows/local/service_permissions is still using `service_list` because it now builds a Rex::Table, which has to have all the data up front, anyway. 2014-02-19 00:24:23 +00:00			`print_error("An error occurred enumerating service: #{srv[:name]}: #{e}")`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
			`else`
Fix bugs 2014-07-04 19:46:50 +00:00			`print_error("Problem enumerating service - no service name found")`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
			`end`
Refactor service_list to return array of hashes Update trusted_service_path, service_permissions, net_runtime_modify and enum_services to handle change. Refactor enum_services to tidy it up a bit 2013-12-15 03:00:29 +00:00
			`print_line results_table.to_s`
Merge in #3488 2014-07-04 19:37:09 +00:00
			`# store loot on completion of collection`
			`p = store_loot("windows.services", "text/plain", session, results_table.to_s, "windows_services.txt", "Windows Services")`
			`print_good("Loot file stored in: #{p.to_s}")`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
Service enumeration module by Keith Faber git-svn-id: file:///home/svn/framework3/trunk@13423 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-30 15:11:52 +00:00
			`end`