From 431dc31eacdb5899a9d5a50be45094e1eb19e605 Mon Sep 17 00:00:00 2001 From: Rob Fuller Date: Sat, 20 Oct 2012 23:25:40 -0400 Subject: [PATCH 1/2] proxy parsing post module --- modules/post/windows/gather/enum_proxy.rb | 96 +++++++++++++++++++++++ 1 file changed, 96 insertions(+) create mode 100644 modules/post/windows/gather/enum_proxy.rb diff --git a/modules/post/windows/gather/enum_proxy.rb b/modules/post/windows/gather/enum_proxy.rb new file mode 100644 index 0000000000..1013545d01 --- /dev/null +++ b/modules/post/windows/gather/enum_proxy.rb 
@@ -0,0 +1,96 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Post
+
+ def initialize
+ super(
+ 'Name' => 'Windows Gather Proxy Setting',
+ 'Version' => '$Revision$',
+ 'Description' => %q{
+ This module pulls a user's proxy settings. If neither RHOST or SID
+ are set it pulls the current user, else it will pull the user's settings
+ specified SID and target host.
+ },
+ 'Author' => [ 'mubix ' ],
+ 'License' => MSF_LICENSE,
+ 'Platform' => [ 'windows' ],
+ 'SessionTypes' => [ 'meterpreter' ]
+ )
+
+ register_options(
+ [
+ OptAddress.new('RHOST', [ false, 'Remote host to clone settings to, defaults to local' ]),
+ OptString.new('SID', [ false, 'SID of user to clone settings to (SYSTEM is S-1-5-18)' ])
+ ], self.class)
+ end
+
+ def run
+
+ if datastore['SID']
+ root_key, base_key = session.sys.registry.splitkey("HKU\\#{datastore['SID']}\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections")
+ else
+ root_key, base_key = session.sys.registry.splitkey("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections")
+ end
+
+ # print_status "#{root_key}"
+ # print_status "#{base_key}"
+
+ if datastore['RHOST']
+ key = session.sys.registry.open_remote_key(datastore['RHOST'], root_key)
+ open_key = key.open_key(base_key)
+ else
+ open_key = session.sys.registry.open_key(root_key, base_key)
+ end
+
+ values = open_key.query_value('DefaultConnectionSettings')
+
+ data = values.data
+
+ print_status "Proxy Counter = #{(data[4,1].unpack('C*'))[0]}"
+ case (data[8,1].unpack('C*'))[0]
+ when 1
+ print_status "Setting: No proxy settings"
+ when 3
+ print_status "Setting: Proxy server"
+ when 5
+ print_status "Setting: Set proxy via AutoConfigure script"
+ when 7
+ print_status "Setting: Proxy server and AutoConfigure script"
+ when 9
+ print_status "Setting: WPAD"
+ when 11
+ print_status "Setting: WPAD and Proxy server"
+ when 13
+ print_status "Setting: WPAD and AutoConfigure script"
+ when 15
+ print_status "Setting: WPAD, Proxy server and AutoConfigure script"
+ else
+ print_status "Setting: Unknown proxy setting found"
+ end
+
+ cursor = 12
+ proxyserver = data[cursor+4, (data[cursor,1].unpack('C*'))[0]]
+ print_status "Proxy Server: #{proxyserver}" if proxyserver != ""
+
+ cursor = cursor + 4 + (data[cursor].unpack('C*'))[0]
+ additionalinfo = data[cursor+4, (data[cursor,1].unpack('C*'))[0]]
+ print_status "Additional Info: #{additionalinfo}" if additionalinfo != ""
+
+ cursor = cursor + 4 + (data[cursor].unpack('C*'))[0]
+ autoconfigurl = data[cursor+4, (data[cursor,1].unpack('C*'))[0]]
+ print_status "AutoConfigURL: #{autoconfigurl}" if autoconfigurl != ""
+
+ end
+
+end
\ No newline at end of file
From 86c73e92d487e72259c6a42d954e5db787354b9c Mon Sep 17 00:00:00 2001 From: Rob Fuller Date: Sun, 21 Oct 2012 01:34:34 -0400 Subject: [PATCH 2/2] Add ability to remotely start registry for read
---
 modules/post/windows/gather/enum_proxy.rb | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/modules/post/windows/gather/enum_proxy.rb b/modules/post/windows/gather/enum_proxy.rb
index 1013545d01..44867f13e2 100644
--- a/modules/post/windows/gather/enum_proxy.rb
+++ b/modules/post/windows/gather/enum_proxy.rb
@@ -13,6 +13,8 @@ require 'msf/core'
 class Metasploit3 < Msf::Post
+ include Post::Windows::WindowsServices
+
 def initialize
 super(
 'Name' => 'Windows Gather Proxy Setting',
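Review bot: The three string reads at the end of `run` take each length from a single byte (`(data[cursor,1].unpack('C*'))[0]` and `(data[cursor].unpack('C*'))[0]`) while the cursor is then advanced by four, so the code treats the length fields as four bytes wide but honours only their first byte; a proxy, bypass-list or AutoConfigURL string of 256 bytes or more would be truncated and every later field read from the wrong offset. Reading the whole field, `len = data[cursor,4].unpack('V')[0]` followed by `data[cursor+4, len]`, at each of the three places fixes this, assuming the blob is little-endian as Windows REG_BINARY structures normally are. A value shorter than expected makes `data[cursor,1]` return nil and the module dies with a NoMethodError, so a guard such as `return print_error('DefaultConnectionSettings value too short') if data.length < cursor + 4` before each read fails cleanly instead. Separately, the `RHOST` and `SID` option descriptions say "clone settings to" although the module only reads, e.g. `'Remote host to read proxy settings from, defaults to local'`.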
@@ -43,11 +45,21 @@ class Metasploit3 < Msf::Post
 root_key, base_key = session.sys.registry.splitkey("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections")
 end
- # print_status "#{root_key}"
- # print_status "#{base_key}"
-
 if datastore['RHOST']
- key = session.sys.registry.open_remote_key(datastore['RHOST'], root_key)
+ begin
+ key = session.sys.registry.open_remote_key(datastore['RHOST'], root_key)
+ rescue ::Rex::Post::Meterpreter::RequestError
+ print_error("Unable to contact remote registry service on #{datastore['RHOST']}")
+ print_status("Attempting to start service remotely...")
+ begin
+ service_start('RemoteRegistry',datastore['RHOST'])
+ rescue
+ print_error('Unable to read registry or start the service, exiting...')
+ return
+ end
+ startedreg = true
+ key = session.sys.registry.open_remote_key(datastore['RHOST'], root_key)
+ end
 open_key = key.open_key(base_key)
 else
 open_key = session.sys.registry.open_key(root_key, base_key)
@@ -55,6 +67,9 @@ class Metasploit3 < Msf::Post
 values = open_key.query_value('DefaultConnectionSettings')
+ #If we started the service we need to stop it.
+ service_stop('RemoteRegistry',datastore['RHOST']) if startedreg
+
 data = values.data
 print_status "Proxy Counter = #{(data[4,1].unpack('C*'))[0]}"
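Review bot: Once `startedreg = true` is set, RemoteRegistry is only stopped on the success path of the following hunk: if the retried `open_remote_key`, the `key.open_key(base_key)` call or the later `query_value` raises (for example when the given SID has no `Internet Settings\Connections` key), the module exits leaving a service running on the target that it was responsible for starting. Wrapping the registry access in `begin … ensure service_stop('RemoteRegistry', datastore['RHOST']) if startedreg end` makes the cleanup unconditional, including across the early `return`. The bare `rescue` around `service_start` also drops the reason; `rescue => e` and appending `#{e}` to the `print_error` message would tell the operator whether it was access denied or a disabled service. Starting a service is a visible state change on the remote host (the Service Control Manager logs it), so it may be worth gating this behind an option rather than doing it automatically. `run` starts and ends outside this hunk.
```ruby
    # … unchanged: HKU\<SID> / HKCU key selection …
    startedreg = false
    begin
      if datastore['RHOST']
        begin
          key = session.sys.registry.open_remote_key(datastore['RHOST'], root_key)
        rescue ::Rex::Post::Meterpreter::RequestError
          # … unchanged: start RemoteRegistry, set startedreg = true, reopen key …
        end
        open_key = key.open_key(base_key)
      else
        open_key = session.sys.registry.open_key(root_key, base_key)
      end
      values = open_key.query_value('DefaultConnectionSettings')
    ensure
      # If we started the service, stop it even when the read above failed.
      service_stop('RemoteRegistry', datastore['RHOST']) if startedreg
    end
```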
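Review bot: `service_stop` runs before `values.data` is decoded, so if it raises (a failing SCM call after the registry read already succeeded) the retrieved settings are never printed; wrapping it as `begin; service_stop('RemoteRegistry', datastore['RHOST']); rescue => e; print_error("Failed to stop RemoteRegistry on #{datastore['RHOST']}: #{e}"); end` keeps the output while still reporting the leftover service. Whether the mixin raises or returns false on failure is not visible here, so the return value may need checking as well. A `print_status("Stopping RemoteRegistry service on #{datastore['RHOST']}")` before the call would also let the operator see that the target is being restored. The surrounding `run` method starts and ends outside this hunk.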