Path: blob/master/scripts/meterpreter/netenum.rb
##
# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
# If you'd like to improve this script, please try to port it as a post
# module instead. Thank you.
##


#Meterpreter script for ping sweeps on Windows 2003, Windows Vista
#Windows 2008 and Windows XP targets using native windows commands.
#Provided by Carlos Perez at carlos_perez[at]darkoperator.com
#Version: 0.1.2
#Note:
# Every probe below is a hidden child process (nslookup or ping) started on
# the session host through session.sys.process.execute; the script itself
# opens no sockets. For a defender that means the activity is visible as
# process-creation events under the Meterpreter host process, plus the DNS
# queries and ICMP echo requests those children send from that host.
# Results are appended to files under
# Msf::Config.log_directory/scripts/netenum/<host>/.
################## Variable Declarations ##################
# NOTE(review): @@exec_opts is a class variable, shared across whatever class
# hierarchy the script is evaluated in; the usual choice is an instance
# variable such as @exec_opts.
@@exec_opts = Rex::Parser::Arguments.new(
  "-h" => [ false, "Help menu." ],
  "-r" => [ true, "The target address range or CIDR identifier" ],
  "-p" => [ false, "To Perform Ping Sweep on IP Range" ],
  "-l" => [ false, "To Perform DNS Reverse Lookup on IP Range" ],
  "-f" => [ false, "To Perform DNS Forward Lookup on host list and domain" ],
  "-H" => [ true, "File with Host List for DNS Forward Lookup" ],
  "-d" => [ true, "Domain Name for DNS Forward Lookup" ],
  "-x" => [ false, "To Perform DNS lookup of MX and NS records for a domain" ],
  "-s" => [ false, "To Perform Service Record DNS lookup for a domain" ]
)
session = client
# port is assigned but never read below.
host,port = session.session_host, session.session_port

# Create Filename info to be appended to downloaded files
# NOTE(review): "%Y%m%d.%M%S" is the date followed by minute and second —
# there is no hour field (%H), so two runs in different hours of the same day
# can produce the same name. filewrt appends, so such runs merge into one log
# rather than overwriting. "%Y%m%d.%H%M%S" was probably intended — confirm
# before changing, since existing log names would change shape.
filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")

# Create a directory for the logs
# host (the session's peer address) becomes a path component under the
# framework log directory; assumed to be a plain address string — verify
# against what session_host can return.
logs = ::File.join(Msf::Config.log_directory,'scripts', 'netenum', host)

# Create the log directory
::FileUtils.mkdir_p(logs)

#logfile name
# This is only a prefix; each function appends its own suffix (for example
# "-pingsweep.txt").
dest = logs + "/" + host + filenameinfo

#-------------------------------------------------------------------------------
# Function for performing regular lookup of MX and NS records
#
# Runs "nslookup -type=<T> <domain>" on the session host for T in SOA, NS and
# MX, keeps every output line containing "internet address =", prints it and
# appends it to <dest>-general-record-lookup.txt.
#
# @param session [Object] Meterpreter session (session.sys.process.execute)
# @param domain  [String] domain to query; interpolated unquoted into the
#   remote command line, so it is treated as operator-controlled input
# @param dest    [String] log file prefix
#
# NOTE(review): mxout is declared outside the types loop and never cleared
# (compare srout.clear in srvreclkp), so the output of the SOA query is parsed
# and printed again on the NS and MX passes, each time labelled with the
# current type. Moving `mxout = []` inside the loop would fix this.
# NOTE(review): `.sub(" "," ")` replaces a space with a space — a no-op.
# NOTE(review): `rescue ::Exception` also catches Interrupt and SystemExit and
# reports them as an ordinary status line; `rescue => e` (StandardError) is
# the usual choice. The same rescue appears in reverselookup, frwdlp and
# pingsweep.
def stdlookup(session, domain, dest)
  dest = dest + "-general-record-lookup.txt"
  print_status("Getting MX and NS Records for domain #{domain}")
  filewrt(dest,"SOA, NS and MX Records for domain #{domain}")
  types = ["SOA","NS","MX"]
  mxout = []
  results = []
  garbage = []
  types.each do |t|
    begin
      # 'Hidden': no console window on the target. 'Channelized': the process
      # output is read back through r.channel below, until read returns falsy.
      r = session.sys.process.execute("nslookup -type=#{t} #{domain}", nil, {'Hidden' => true, 'Channelized' => true})
      while(d = r.channel.read)
        mxout << d
      end
      r.channel.close
      r.close
      results = mxout.join.split(/\n/)
      results.each do |rec|
        if rec.match(/\s*internet\saddress\s\=\s/)
          garbage << rec.split(/\s*internet\saddress\s\=/)
          print_status("#{garbage[0].join.sub(" "," ")} #{t} ")
          filewrt(dest,garbage[0].join.sub(" "," ")+" #{t} ")
          garbage.clear
        end
        garbage.clear
      end

    rescue ::Exception => e
      print_status("The following error was encountered: #{e.class} #{e}")
    end
  end
end

#-------------------------------------------------------------------------------
# Function for writing results of other functions to a file
#
# Appends each line of data2wrt to file2wrt. The file is opened in "ab", so
# repeated runs accumulate output rather than overwrite it.
#
# @param file2wrt [String] path of the log file
# @param data2wrt [String] text to append, written line by line
#
# NOTE(review): the handle is closed explicitly with no ensure, so an
# exception from puts leaks it; the block form
# `::File.open(file2wrt, "ab") { |output| ... }` closes on every path.
# reverselookup and pingsweep call this from several threads at once, each
# call opening its own handle, so lines from different threads may interleave
# in the file.
def filewrt(file2wrt, data2wrt)
  output = ::File.open(file2wrt, "ab")
  data2wrt.each_line do |d|
    output.puts(d)
  end
  output.close
end

#-------------------------------------------------------------------------------
# Function for Executing Reverse lookups
#
# Expands iprange with Rex::Socket::RangeWalker, then runs "nslookup <ip>" on
# the session host for each address, up to ten at a time in background
# threads. The first output chunk containing "Name" is scanned for
# "Name: <host>" and reported as "<ip> is <host>" to the console and to
# <dest>-DNS-reverse-lookup.txt.
#
# @param session [Object] Meterpreter session
# @param iprange [String] address range or CIDR accepted by RangeWalker
# @param dest    [String] log file prefix
#
# NOTE(review): the batching in the iplst.each loop drops addresses. When i
# reaches 10 the else branch waits for the running threads and resets i, but
# the address bound to ip on that iteration is never looked up — every
# eleventh entry of iplst is silently skipped. pingsweep has the same
# pattern. Waiting first and then falling through to the Thread push would
# fix it.
# NOTE(review): `sleep(0.05) and a.delete_if ...` works only because sleep
# returns an Integer, which is truthy even when 0; writing the two statements
# separately would say the same thing plainly.
def reverselookup(session, iprange, dest)
  dest = dest + "-DNS-reverse-lookup.txt"
  print_status("Performing DNS reverse lookup for IP range #{iprange}")
  filewrt(dest,"DNS reverse lookup for IP range #{iprange}")
  iplst =[]
  # i counts threads started in the current batch; a holds the live threads.
  i, a = 0, []
  begin
    ipadd = Rex::Socket::RangeWalker.new(iprange)
    numip = ipadd.num_ips
    # Materialise the whole range up front; stops early if next_ip runs dry.
    while (iplst.length < numip)
      ipa = ipadd.next_ip
      if (not ipa)
        break
      end
      iplst << ipa
    end
    begin
      iplst.each do |ip|
        if i < 10
          # ip is a block parameter, so each thread closes over its own
          # binding rather than a shared loop variable.
          a.push(::Thread.new {
            r = session.sys.process.execute("nslookup #{ip}", nil, {'Hidden' => true, 'Channelized' => true})
            while(d = r.channel.read)
              if d =~ /(Name)/
                d.scan(/Name:\s*\S*\s/) do |n|
                  hostname = n.split(": ")
                  print_status "\t #{ip} is #{hostname[1].chomp("\n")}"
                  filewrt(dest,"#{ip} is #{hostname[1].chomp("\n")}")
                end
                # Only the first chunk containing "Name" is examined.
                break

              end

            end

            r.channel.close
            r.close

          })
          i += 1
        else
          # Batch full: wait until every thread has finished, then start a
          # new batch (this iteration's ip is not processed — see note above).
          sleep(0.05) and a.delete_if {|x| not x.alive?} while not a.empty?
          i = 0
        end
      end
      # Drain the last partial batch.
      a.delete_if {|x| not x.alive?} while not a.empty?
    end
  rescue ::Exception => e
    print_status("The following error was encountered: #{e.class} #{e}")
  end
end

#-------------------------------------------------------------------------------
#Function for Executing Forward Lookups
#
# For each line of the file hostlst, runs "nslookup <line>.<domain>" on the
# session host in its own thread, collects the "Name: ... Address: ..." part
# of the output, and after all threads have joined prints the unique results
# (with the Address label replaced by a tab) to the console and
# <dest>-DNS-forward-lookup.txt.
#
# @param session [Object] Meterpreter session
# @param hostlst [String] local path of a file with one host label per line
# @param domain  [String] domain suffix appended to each label
# @param dest    [String] log file prefix
#
# NOTE(review): `exit` in the else branch raises SystemExit, which is a
# subclass of Exception and is therefore caught by the `rescue ::Exception`
# below; the user sees "The following error was encountered: SystemExit exit"
# and the method returns normally instead of ending the script. The method
# returns right after the message anyway, so the `exit` can be dropped (or
# the rescue narrowed to StandardError).
# NOTE(review): each line of hostlst is interpolated unquoted into the
# remote command line, so the file is trusted operator input; validate the
# entries as host labels if the list can come from anywhere else.
# NOTE(review): tmpout is appended to from several threads. Under MRI's GVL
# Array#<< does not interleave in practice, but that is not a guarantee;
# returning each thread's matches through Thread#value would avoid the shared
# array.
# NOTE(review): ::File.open(hostlst) is called without a block and the handle
# is never closed; `result` is assigned but never used.
def frwdlp(session, hostlst, domain, dest)
  dest = dest + "-DNS-forward-lookup.txt"
  print_status("Performing DNS forward lookup for hosts in #{hostlst} for domain #{domain}")
  filewrt(dest,"DNS forward lookup for hosts in #{hostlst} for domain #{domain}")
  result = []
  threads = []
  tmpout = []
  begin
    if ::File.exist?(hostlst)
      ::File.open(hostlst).each {|line|
        # line is passed as the thread argument so each thread works on its
        # own h; chomp strips the newline before it reaches the command line.
        threads << ::Thread.new(line) { |h|
          #print_status("checking #{h.chomp}")
          r = session.sys.process.execute("nslookup #{h.chomp}.#{domain}", nil, {'Hidden' => true, 'Channelized' => true})
          while(d = r.channel.read)
            if d =~ /(Name)/
              d.scan(/Name:\s*\S*\s*Address\w*:\s*.*?.*?.*/) do |n|
                tmpout << n.split
              end
              break
            end
          end

          r.channel.close
          r.close
        }
      }
      # No thread cap here, unlike reverselookup/pingsweep: one thread per
      # line of the file, all started before any is joined.
      threads.each { |aThread| aThread.join }
      tmpout.uniq.each do |t|
        print_status("\t#{t.join.sub(/Address\w*:/, "\t")}")
        filewrt(dest,"#{t.join.sub(/Address\w*:/, "\t")}")
      end

    else
      print_status("File #{hostlst} doesn't exists!")
      exit
    end
  rescue ::Exception => e
    print_status("The following error was encountered: #{e.class} #{e}")
  end
end

#-------------------------------------------------------------------------------
#Function for Executing Ping Sweep
#
# Runs "ping <ip> -n 1" on the session host for each address in iprange, ten
# threads at a time, and reports an address as found when the output contains
# "Reply" or "Antwort" (presumably the German-locale equivalent). Results go
# to the console and to <dest>-pingsweep.txt.
#
# @param session [Object] Meterpreter session
# @param iprange [String] address range or CIDR accepted by RangeWalker
# @param dest    [String] log file prefix
#
# NOTE(review): same skipped-address batching defect as reverselookup (see
# the note there): the address on every eleventh iteration is never pinged.
# NOTE(review): r.channel.close is called inside the read loop on a match and
# again unconditionally after the loop, and the loop keeps reading from the
# already-closed channel until read returns falsy. Whether the second close
# is a no-op depends on the channel implementation — a `break` after the
# first close would make the intent explicit.
# NOTE(review): only the two words above are recognised, so a target whose
# ping output is in any other language reports every host as absent.
def pingsweep(session, iprange, dest)
  dest = dest + "-pingsweep.txt"
  print_status("Performing ping sweep for IP range #{iprange}")
  filewrt(dest,"Ping sweep for IP range #{iprange}")
  iplst = []
  begin
    # i counts threads started in the current batch; a holds the live threads.
    i, a = 0, []
    ipadd = Rex::Socket::RangeWalker.new(iprange)
    numip = ipadd.num_ips
    # Materialise the whole range up front; stops early if next_ip runs dry.
    while (iplst.length < numip)
      ipa = ipadd.next_ip
      if (not ipa)
        break
      end
      iplst << ipa
    end
    begin
      iplst.each do |ip|
        if i < 10
          a.push(::Thread.new {
            r = session.sys.process.execute("ping #{ip} -n 1", nil, {'Hidden' => true, 'Channelized' => true})
            while(d = r.channel.read)
              if d =~ /(Reply)/
                print_status "\t#{ip} host found"
                filewrt(dest,"#{ip} host found")
                r.channel.close
              elsif d =~ /(Antwort)/
                print_status "\t#{ip} host found"
                filewrt(dest,"#{ip} host found")
                r.channel.close
              end
            end
            r.channel.close
            r.close

          })
          i += 1
        else
          # Batch full: wait for all threads, then start a new batch (this
          # iteration's ip is not pinged — see note above).
          sleep(0.05) and a.delete_if {|x| not x.alive?} while not a.empty?
          i = 0
        end
      end
      # Drain the last partial batch.
      a.delete_if {|x| not x.alive?} while not a.empty?
    end
  rescue ::Exception => e
    print_status("The following error was encountered: #{e.class} #{e}")
  end
end
#-------------------------------------------------------------------------------
#Function for enumerating srv records
#
# For each service prefix in srvrcd, runs "nslookup -query=srv <prefix><domain>"
# on the session host and reports the output lines containing
# "internet address =" to the console and <dest>-srvenum.txt.
#
# @param session [Object] Meterpreter session
# @param domain  [String] domain to query; interpolated unquoted into the
#   remote command line, so it is treated as operator-controlled input
# @param dest    [String] log file prefix
#
# NOTE(review): "_aix._tcp." appears twice in srvrcd, so that name is queried
# twice.
# NOTE(review): unlike the other lookup functions this one has no rescue, so
# an error from process.execute propagates to the caller.
def srvreclkp(session, domain, dest)
  dest = dest + "-srvenum.txt"
  srout = []
  garbage = []
  srvrcd = [
    "_gc._tcp.","_kerberos._tcp.", "_kerberos._udp.","_ldap._tcp.","_test._tcp.",
    "_sips._tcp.","_sip._udp.","_sip._tcp.","_aix._tcp.","_aix._tcp.","_finger._tcp.",
    "_ftp._tcp.","_http._tcp.","_nntp._tcp.","_telnet._tcp.","_whois._tcp."
  ]
  print_status("Performing SRV record enumeration for #{domain}")
  filewrt(dest,"SRV record enumeration for #{domain}")
  srvrcd.each do |srv|
    r = session.sys.process.execute("nslookup -query=srv #{srv}#{domain}", nil, {'Hidden' => true, 'Channelized' => true})
    while(d = r.channel.read)
      srout << d
    end
    r.channel.close
    r.close
    results = srout.join.split(/\n/)
    results.each do |rec|
      if rec.match(/\s*internet\saddress\s\=\s/)
        garbage << rec.split(/\s*internet\saddress\s\=/)
        # `.sub(" "," ")` is a no-op (replaces a space with a space).
        print_status("\tfor #{srv}#{domain} #{garbage[0].join.sub(" "," ")}")
        filewrt(dest,"for #{srv}#{domain} #{garbage[0].join.sub(" "," ")}")
        garbage.clear
      end
      garbage.clear
      # Cleared per record here, so each prefix is parsed in isolation
      # (stdlookup lacks the equivalent for mxout).
      srout.clear
    end
  end

end
#-------------------------------------------------------------------------------
#Function to print message during run
#
# Prints the banner and the log location. Every caller passes the log
# directory (logs), not the per-run file prefix (dest), so the path shown is
# the directory.
#
# @param dest [String] path to report
def message(dest)
  print_status "Network Enumerator Meterpreter Script "
  print_status "Log file being saved in #{dest}"
end

################## MAIN ##################
# Variables for Options
# Each mode flag is set to 1 when its option is parsed; the if/elsif chain
# below runs only the first mode that matches, in the order p, l, f, x, s.
stdlkp = nil
range = nil
pngsp = nil
rvrslkp = nil
frdlkp = nil
dom = nil
hostlist = nil
# NOTE(review): helpcall is set by -h but never read; on a windows session a
# bare -h falls through to the else branch below and prints the usage a
# second time.
helpcall = nil
srvrc = nil

# Parsing of Options
# args is supplied by the script runner; the idx block parameter is unused.
@@exec_opts.parse(args) { |opt, idx, val|
  case opt
  when "-s"
    srvrc = 1
  when "-l"
    rvrslkp = 1
  when "-f"
    frdlkp = 1
  when "-p"
    pngsp = 1
  when "-x"
    stdlkp = 1
  when "-d"
    dom = val
  when "-H"
    hostlist = val
  when "-r"
    range = val
  when "-h"
    print(
      "Network Enumerator Meterpreter Script\n" +
      "Usage:\n" +
      @@exec_opts.usage
    )
    helpcall = 1
  end
}

# All modes shell out to Windows-only tools (ping -n, nslookup on the
# target), hence the platform gate.
if client.platform == 'windows'
  if pngsp == 1
    if range != nil
      message(logs)
      pingsweep(session, range, dest)
    else
      print_error("Please add a range to scan: -r <value>")
    end
  elsif rvrslkp == 1
    if range != nil
      message(logs)
      reverselookup(session, range, dest)
    else
      print_error("Please add a range to scan: -r <value>")
    end
  elsif frdlkp == 1
    # NOTE(review): the trailing `&&` continues the condition onto the next
    # line, so message(logs) is evaluated as the third operand and frwdlp is
    # reached only if print_status returns something truthy. If it returns
    # nil (common for console output helpers — confirm), a correct
    # `-f -d <domain> -H <file>` invocation prints the banner and then falls
    # through to "Something went wrong". Dropping the trailing `&&` restores
    # the intended flow.
    if dom != nil && hostlist!= nil &&
      message(logs)
      frwdlp(session, hostlist, dom, dest)
    elsif dom == nil
      print_error("Please add a domain name for DNS forward lookup: -d <value>")
    elsif hostlist == nil
      # NOTE(review): the option defined in @@exec_opts is -H, not -hl.
      print_error("Please add a file with host list for DNS forward lookup: -hl <value>")
    else
      print_error("Something went wrong")
    end
  elsif stdlkp == 1
    if dom != nil
      message(logs)
      stdlookup(session, dom, dest)
    else
      # NOTE(review): message says "forward lookup" but this is the -x
      # (MX/NS) mode.
      print_error("Please add a domain name for DNS forward lookup: -d <value>")
    end
  elsif srvrc == 1
    if dom != nil
      message(logs)
      srvreclkp(session, dom, dest)
    else
      # NOTE(review): message says "forward lookup" but this is the -s (SRV)
      # mode.
      print_error("Please add a domain name for DNS forward lookup: -d <value>")
    end
  else
    # No mode selected (or only -h): print the usage.
    # NOTE(review): the third usage line says "-fl"; the option defined in
    # @@exec_opts is -f.
    print("Network Enumerator Meterpreter Script\n" +
      "Usage:\n" +
      "\tnetenum -r <value> (-p | -l)\n" +
      "\tnetenum -d <value> (-x | -s)\n" +
      "\tnetenum -d <value> -H <value> -fl\n" +
      @@exec_opts.usage)
  end
else
  print_error("This version of Meterpreter is not supported with this script!")
  # Rex::Script::Completed is the script runner's normal-termination signal
  # (presumably stops the script without a backtrace — confirm).
  raise Rex::Script::Completed
end


