I wrote a couple of weeks ago a Metasploit plugin for automating running Metasploit post modules across several sessions while writing and testing the post exploitation mixin for Linux since there are so many distros I had a large number of sessions including some to Solaris and Windows host and testing one by one of the sessions was a bit of a pain. I tried using sessions –s command like I used to for Meterpreter scripts but I would had to modify and fix the the sessions command for it and since I had not found any bug reports or even people asking for the feature I decided that I would do it as a plugin to practice. Once the plugin was done I shared it with several people who found it useful and gave great feedback. Yesterday on twitter a person asked for the same thing but as modules and I do have to say it made sense so I turned the plugin and improved on the code and came out with 4 modules of auxiliary type and placed those modules in my Git Hub Repo under the BSD License at https://github.com/darkoperator/Meterpreter-Scripts/tree/master/post the modules are:
I recommend that you put the modules in your home directory .msf3 folder so as to not mess with your current Metasploit install and you are able to use it with multiple copies of Metasploit. On a Linux or OSX system you just need to create the folder where the module will reside and that they conform to the structure found in Metasploit. In my case even do the modules are auxiliary one I placed mine under post since they serve for the purpose of post exploitation.
You can download the modules I have written using Git or by hand. I recommend you use Git since it will allow you to keep them updated and add any additional modules I work on in a very easy manner. First navigate to the folder when you want to have the Git Repository to be and run
git clone git://github.com/darkoperator/Meterpreter-Scripts.git
Once you have the repo you link the post folder with your own .msf3 folder and use git pull command to keep it updated.
mkdir -p ~/.msf3/modules
Once we made sure we have the proper folder to keep our own copy of the modules we can link this folder to the Git Repository
ln -s ~/<git repo>/post ~/.msf3/modules/post
The modules are now ready to use.
For the examples I have several sessions on my box so as to show you how the modules behave:
msf exploit(handler) > sessionsActive sessions===============Id Type Information Connection-- ---- ----------- ----------1 meterpreter x86/win32 WIN-YR4V852V71Y\Administrator @ WIN-YR4V852V71Y 192.168.1.100:4444 -> 192.168.1.114:491602 meterpreter x86/win32 CARLOS-192FCD91\Administrator @ CARLOS-192FCD91 192.168.1.100:4444 -> 192.168.1.119:11223 shell linux 192.168.1.100:4448 -> 192.168.1.123:461134 shell linux 192.168.1.100:4448 -> 192.168.1.115:529495 shell linux 192.168.1.100:4448 -> 192.168.1.118:34272
Lets start by loading the multi_post module and looking at the options we have:
msf exploit(handler) > use post/multi/manage/multi_postmsf auxiliary(multi_post) > show optionsModule options (auxiliary/multi/manage/multi_post):Name Current Setting Required Description---- --------------- -------- -----------MODULE yes Post Module to runOPTIONS no Commans Separated list of Options for post module
SESSIONS yes Specify either ALL for all sessions or a comman separated list of sessions.
Lets use the checkvm module for Meterpreter and make it run against all current sessions we could have also given it a list of session in a comma separated list
msf auxiliary(multi_post) > set SESSIONS all
SESSIONS => allmsf auxiliary(multi_post) > set MODULE windows/gather/checkvmMODULE => windows/gather/checkvm
To execute we use the run command:
Now lets say we want to execute only against sessions 1 and 5, look at the output you will see the module identified the session 5 as not compatible and skipped execution against it:msf auxiliary(multi_post) > run[*] Loading windows/gather/checkvm[*] Running Against 1[*] Checking if WIN-YR4V852V71Y is a Virtual Machine .....[*] This is a VMware Virtual Machine
[*] Running Against 2[*] Checking if CARLOS-192FCD91 is a Virtual Machine .....[*] This is a VMware Virtual Machine
[*] Auxiliary module execution completed
msf auxiliary(multi_post) > set SESSIONS 1,5
SESSIONS => 1,5msf auxiliary(multi_post) > run[*] Loading windows/gather/checkvm[*] Running Against 1[*] Checking if WIN-YR4V852V71Y is a Virtual Machine .....[*] This is a VMware Virtual Machine
[-] Session 5 is not compatible with windows/gather/checkvm[*] Auxiliary module execution completed
Now lets take a look at the multi_post_resource module, it performs the same tasks as multi_post but using a resource file, an example one is provided in the Git Repository
Sample Resource file:
all linux/gather/checkvm1,2 windows/gather/enum_logged_on_users CURRENT=true,RECENT=false
Lets load the module and look at the options:
msf auxiliary(multi_post) > use post/multi/manage/multi_post_resourcemsf auxiliary(multi_post_resource) > show optionsModule options (auxiliary/multi/manage/multi_post_resource):Name Current Setting Required Description---- --------------- -------- -----------RESOURCE yes Resource file with space separate values <session> <module> <options>, per line.
Lets set the resource file and execute:
msf auxiliary(multi_post_resource) > set RESOURCE /tmp/postrc.rcRESOURCE => /tmp/postrc.rcmsf auxiliary(multi_post_resource) > run[*] Loading linux/gather/checkvm[*] Running Against 3[*] Gathering System info ....[+] This appears to be a VMware Virtual Machine[*] Running Against 4[*] Gathering System info ....[+] This appears to be a VMware Virtual Machine[*] Running Against 5[*] Gathering System info ....[+] This appears to be a VMware Virtual Machine[*] Loading windows/gather/enum_logged_on_users[*] Running Against 1[*] Setting Option CURRENT to true[*] Setting Option RECENT to false[*] Running against session 1Current Logged Users====================SID User--- ----S-1-5-21-2757829322-3393694802-1237719419-500 WIN-YR4V852V71Y\Administrator[*] Running Against 2[*] Setting Option CURRENT to true[*] Setting Option RECENT to false[*] Running against session 2Current Logged Users====================SID User--- ----S-1-5-21-1292428093-706699826-725345543-500 CARLOS-192FCD91\Administrator[*] Auxiliary module execution completed
Lets take a look at the multi_meter_command module and its options:
msf auxiliary(multi_post_resource) > use post/multi/manage/multi_meter_commandmsf auxiliary(multi_meter_command) > show optionsModule options (auxiliary/multi/manage/multi_meter_command):Name Current Setting Required Description---- --------------- -------- -----------COMMAND yes Meterpreter Console command.SESSIONS yes Specify either ALL for all sessions or a comman separated list of sessions.
Now lets set the sysinfo command to run against all sessions and execute it you will see that it will identify the none Meterpreter sessions and skip those:
The other module is just the same but using a resource file. I think this modules will be useful to some of the users of the framework specially those not using Express or Pro and need to automate running modules or command against several sessions from the console.msf auxiliary(multi_meter_command) > set SESSIONS allSESSIONS => allmsf auxiliary(multi_meter_command) > set COMMAND sysinfoCOMMAND => sysinfomsf auxiliary(multi_meter_command) > run[+] Running command sysinfo against sessions 1System Language : en_USOS : Windows 2008 (Build 6001, Service Pack 1).Computer : WIN-YR4V852V71YArchitecture : x86Meterpreter : x86/win32[+] Running command sysinfo against sessions 2System Language : en_USOS : Windows XP (Build 2600, Service Pack 2).Computer : CARLOS-192FCD91Architecture : x86Meterpreter : x86/win32[-] Sessions 3 is not a Meterpreter Sessions![-] Sessions 4 is not a Meterpreter Sessions![-] Sessions 5 is not a Meterpreter Sessions![*] Auxiliary module execution completed