Automating Post Modules and Meterpreter Across Sessions
Wednesday, July 13, 2011 at 7:33PM
Carlos Perez

I wrote a couple of weeks ago a Metasploit plugin for automating running Metasploit post modules across several sessions while writing and testing the post exploitation mixin for Linux since there are so many distros I had a large number of sessions including some to Solaris and Windows host and testing one by one of the sessions was a bit of a pain. I tried using sessions –s command like I used to for Meterpreter scripts but I would had to modify and fix the the sessions command for it and since I had not found any bug reports or even people asking for the feature I decided that I would do it as a plugin to practice. Once the plugin was done I shared it with several people who found it useful and gave great feedback. Yesterday on twitter a person asked for the same thing but as modules and I do have to say it made sense so I turned the plugin and improved on the code and came out with 4 modules of auxiliary type and placed those modules in my Git Hub Repo under the BSD License at https://github.com/darkoperator/Meterpreter-Scripts/tree/master/post the modules are:

I recommend that you put the modules in your home directory .msf3 folder so as to not mess with your current Metasploit install and you are able to use it with multiple copies of Metasploit. On a Linux or OSX system you just need to create the folder where the module will reside and that they conform to the structure found in Metasploit. In my case even do the modules are auxiliary one I placed mine under post since they serve for the purpose of post exploitation.

You can download the modules I have written using Git or by hand. I recommend you use Git since it will allow you to keep them updated and add any additional modules I work on in a very easy manner. First navigate to the folder when you want to have the Git Repository to be and run

git clone git://github.com/darkoperator/Meterpreter-Scripts.git

Once you have the repo you link the post folder with your own .msf3 folder and use git pull command to keep it updated.

mkdir -p ~/.msf3/modules

Once we made sure we have the proper folder to keep our own copy of the modules we can link this folder to the Git Repository

ln -s ~/<git repo>/post ~/.msf3/modules/post

The modules are now ready to use.

For the examples I have several sessions on my box so as to show you how the modules behave:

msf exploit(handler) > sessions 
Active sessions
===============
  Id  Type                   Information                                      Connection
  --  ----                   -----------                                      ----------
  1   meterpreter x86/win32  WIN-YR4V852V71Y\Administrator @ WIN-YR4V852V71Y  192.168.1.100:4444 -> 192.168.1.114:49160
  2   meterpreter x86/win32  CARLOS-192FCD91\Administrator @ CARLOS-192FCD91  192.168.1.100:4444 -> 192.168.1.119:1122
  3   shell linux                                                             192.168.1.100:4448 -> 192.168.1.123:46113
  4   shell linux                                                             192.168.1.100:4448 -> 192.168.1.115:52949
  5   shell linux                                                             192.168.1.100:4448 -> 192.168.1.118:34272

Lets start by loading the multi_post module and looking at the options we have:

msf exploit(handler) > use post/multi/manage/multi_post
msf auxiliary(multi_post) > show options 
Module options (auxiliary/multi/manage/multi_post):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   MODULE                     yes       Post Module to run
   OPTIONS                    no        Commans Separated list of Options for post module
   SESSIONS                   yes       Specify either ALL for all sessions or a comman separated list of sessions.

Lets use the checkvm module for Meterpreter and make it run against all current sessions we could have also given it a list of session in a comma separated list

msf auxiliary(multi_post) > set SESSIONS all
SESSIONS => all
msf auxiliary(multi_post) > set MODULE windows/gather/checkvm
MODULE => windows/gather/checkvm

To execute we use the run command:

msf auxiliary(multi_post) > run
[*] Loading windows/gather/checkvm
[*] Running Against 1
[*] Checking if WIN-YR4V852V71Y is a Virtual Machine .....
[*] This is a VMware Virtual Machine
[*] Running Against 2
[*] Checking if CARLOS-192FCD91 is a Virtual Machine .....
[*] This is a VMware Virtual Machine
[*] Auxiliary module execution completed
Now lets say we want to execute only against sessions 1 and 5, look at the output you will see the module identified the session 5 as not compatible and skipped execution against it:
msf auxiliary(multi_post) > set SESSIONS 1,5
SESSIONS => 1,5
msf auxiliary(multi_post) > run
[*] Loading windows/gather/checkvm
[*] Running Against 1
[*] Checking if WIN-YR4V852V71Y is a Virtual Machine .....
[*] This is a VMware Virtual Machine
[-] Session 5 is not compatible with windows/gather/checkvm
[*] Auxiliary module execution completed

Now lets take a look at the multi_post_resource module, it performs the same tasks as multi_post but using a resource file, an example one is provided in the Git Repository

Sample Resource file:

all linux/gather/checkvm
1,2 windows/gather/enum_logged_on_users CURRENT=true,RECENT=false

Lets load the module and look at the options:

msf auxiliary(multi_post) > use post/multi/manage/multi_post_resource 
msf auxiliary(multi_post_resource) > show options 
Module options (auxiliary/multi/manage/multi_post_resource):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   RESOURCE                   yes       Resource file with space separate values <session> <module> <options>, per line.

Lets set the resource file and execute:

msf auxiliary(multi_post_resource) > set RESOURCE /tmp/postrc.rc
RESOURCE => /tmp/postrc.rc
msf auxiliary(multi_post_resource) > run
[*] Loading linux/gather/checkvm
[*] Running Against 3
[*] Gathering System info ....
[+] This appears to be a VMware Virtual Machine
[*] Running Against 4
[*] Gathering System info ....
[+] This appears to be a VMware Virtual Machine
[*] Running Against 5
[*] Gathering System info ....
[+] This appears to be a VMware Virtual Machine
[*] Loading windows/gather/enum_logged_on_users
[*] Running Against 1
[*] 	Setting Option CURRENT to true
[*] 	Setting Option RECENT to false
[*] Running against session 1
Current Logged Users
====================
 SID                                            User
 ---                                            ----
 S-1-5-21-2757829322-3393694802-1237719419-500  WIN-YR4V852V71Y\Administrator
[*] Running Against 2
[*] 	Setting Option CURRENT to true
[*] 	Setting Option RECENT to false
[*] Running against session 2
Current Logged Users
====================
 SID                                          User
 ---                                          ----
 S-1-5-21-1292428093-706699826-725345543-500  CARLOS-192FCD91\Administrator
[*] Auxiliary module execution completed

Lets take a look at the multi_meter_command module and its options:

msf auxiliary(multi_post_resource) > use post/multi/manage/multi_meter_command 
msf auxiliary(multi_meter_command) > show options 
Module options (auxiliary/multi/manage/multi_meter_command):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   COMMAND                    yes       Meterpreter Console command.
   SESSIONS                   yes       Specify either ALL for all sessions or a comman separated list of sessions.

Now lets set the sysinfo command to run against all sessions and execute it you will see that it will identify the none Meterpreter sessions and skip those:

msf auxiliary(multi_meter_command) > set SESSIONS all 
SESSIONS => all
msf auxiliary(multi_meter_command) > set COMMAND sysinfo
COMMAND => sysinfo
msf auxiliary(multi_meter_command) > run
[+] Running command sysinfo against sessions 1
System Language : en_US
OS              : Windows 2008 (Build 6001, Service Pack 1).
Computer        : WIN-YR4V852V71Y
Architecture    : x86
Meterpreter     : x86/win32
[+] Running command sysinfo against sessions 2
System Language : en_US
OS              : Windows XP (Build 2600, Service Pack 2).
Computer        : CARLOS-192FCD91
Architecture    : x86
Meterpreter     : x86/win32
[-] Sessions 3 is not a Meterpreter Sessions!
[-] Sessions 4 is not a Meterpreter Sessions!
[-] Sessions 5 is not a Meterpreter Sessions!
[*] Auxiliary module execution completed
The other module is just the same but using a resource file. I think this modules will be useful to some of the users of the framework specially those not using Express or Pro and need to automate running modules or command against several sessions from the console.
Article originally appeared on Security and Networking (http://darkoperator.squarespace.com/).
See website for complete article licensing information.