dstruct 0.0.1

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/service.rb

@@ -0,0 +1,199 @@
+# -*- coding: binary -*-
+require 'rex/post/meterpreter'
+
+module Rex
+module Post
+module Meterpreter
+module Ui
+
+###
+#
+# Extended API window management user interface.
+#
+###
+class Console::CommandDispatcher::Extapi::Service
+
+  Klass = Console::CommandDispatcher::Extapi::Service
+
+  include Console::CommandDispatcher
+
+  #
+  # List of supported commands.
+  #
+  def commands
+    {
+      "service_enum"    => "Enumerate all registered Windows services",
+      "service_query"   => "Query more detail about a specific Windows service",
+      "service_control" => "Control a single service (start/pause/resume/stop/restart)"
+    }
+  end
+
+  #
+  # Name for this dispatcher
+  #
+  def name
+    "Extapi: Service Management"
+  end
+
+  #
+  # Initialize the instance
+  #
+  def initialize(shell)
+    super
+
+    @status_map = {
+      1 => "Stopped",
+      2 => "Starting",
+      3 => "Stopping",
+      4 => "Running",
+      5 => "Continuing",
+      6 => "Pausing",
+      7 => "Paused"
+    }
+
+    @start_type_map = {
+      0 => "Boot",
+      1 => "System",
+      2 => "Automatic",
+      3 => "Manual",
+      4 => "Disabled"
+    }
+  end
+
+  #
+  # Options for the service_enum command.
+  #
+  @@service_enum_opts = Rex::Parser::Arguments.new(
+    "-h" => [ false, "Help banner" ]
+  )
+
+  #
+  # Query a single service for more detail.
+  #
+  def cmd_service_enum(*args)
+    @@service_enum_opts.parse(args) do |opt, idx, val|
+      case opt
+      when "-h"
+        print(
+          "\nUsage: service_enum [-h]\n\n" +
+          "Enumerate services installed on the target.\n\n" +
+          "Enumeration returns the Process ID, Status, and name of each installed\n" +
+          "service that was enumerated. The 'Int' value indicates if the service is\n" +
+          "able to interact with the desktop.\n\n")
+          return true
+      end
+    end
+
+    services = client.extapi.service.enumerate
+
+    table = Rex::Ui::Text::Table.new(
+      'Header'    => 'Service List',
+      'Indent'    => 0,
+      'SortIndex' => 3,
+      'Columns'   => [
+        'PID', 'Status', 'Int', 'Name (Display Name)'
+      ]
+    )
+
+    services.each do |s|
+      table << [
+        s[:pid],
+        @status_map[s[:status]],
+        s[:interactive] ? "Y" : "N",
+        "#{s[:name].downcase} (#{s[:display]})"
+      ]
+    end
+
+    print_line
+    print_line(table.to_s)
+    print_line
+    print_line("Total services: #{services.length}")
+    print_line
+
+    return true
+  end
+
+  #
+  # Options for the service_query command.
+  #
+  @@service_query_opts = Rex::Parser::Arguments.new(
+    "-h" => [ false, "Help banner" ]
+  )
+
+  #
+  # Query a single service for more detail.
+  #
+  def cmd_service_query(*args)
+    args.unshift("-h") if args.length != 1
+
+    @@service_query_opts.parse(args) do |opt, idx, val|
+      case opt
+      when "-h"
+        print(
+          "\nUsage: service_query [-h] <servicename>\n" +
+          "     <servicename>:  The name of the service to query.\n\n" +
+          "Gets details information about a particular Windows service, including\n" +
+          "binary path, DACL, load order group, start type and more.\n\n")
+          return true
+      end
+    end
+
+    service_name = args.shift
+
+    detail = client.extapi.service.query(service_name)
+
+    print_line
+    print_line("Name        : #{service_name}")
+    print_line("Display     : #{detail[:display]}")
+    print_line("Account     : #{detail[:startname]}")
+    print_line("Status      : #{@status_map[detail[:status]]}")
+    print_line("Start Type  : #{@start_type_map[detail[:starttype]]}")
+    print_line("Path        : #{detail[:path]}")
+    print_line("L.O. Group  : #{detail[:logroup]}")
+    print_line("Interactive : #{detail[:interactive] ? "Yes" : "No"}")
+    print_line("DACL        : #{detail[:dacl]}")
+    print_line
+
+  end
+
+  #
+  # Options for the service_control command.
+  #
+  @@service_control_opts = Rex::Parser::Arguments.new(
+    "-h" => [ false, "Help banner" ]
+  )
+
+  #
+  # Query a single service for more detail.
+  #
+  def cmd_service_control(*args)
+    args.unshift("-h") if args.length != 2
+
+    @@service_control_opts.parse(args) do |opt, idx, val|
+      case opt
+      when "-h"
+        print(
+          "\nUsage: service_control [-h] <servicename> <op>\n" +
+          "   <servicename> : The name of the service to control.\n" +
+          "            <op> : The operation to perform on the service.\n" +
+          "                   Valid ops: start pause resume stop restart.\n\n")
+          return true
+      end
+    end
+
+    service_name = args[0]
+    op = args[1]
+
+    client.extapi.service.control(service_name, op)
+
+    print_good("Operation #{op} succeeded.")
+  end
+
+end
+
+end
+end
+end
+end
+
+

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/window.rb

@@ -0,0 +1,118 @@
+# -*- coding: binary -*-
+require 'rex/post/meterpreter'
+
+module Rex
+module Post
+module Meterpreter
+module Ui
+
+###
+#
+# Extended API window management user interface.
+#
+###
+class Console::CommandDispatcher::Extapi::Window
+
+  Klass = Console::CommandDispatcher::Extapi::Window
+
+  include Console::CommandDispatcher
+
+  #
+  # List of supported commands.
+  #
+  def commands
+    {
+      "window_enum" => "Enumerate all current open windows"
+    }
+  end
+
+  #
+  # Name for this dispatcher
+  #
+  def name
+    "Extapi: Window Management"
+  end
+
+  #
+  # Options for the window_enum command.
+  #
+  @@window_enum_opts = Rex::Parser::Arguments.new(
+    "-h" => [ false, "Help banner" ],
+    "-p" => [ true,  "Parent window handle, used to enumerate child windows" ],
+    "-u" => [ false, "Include unknown/untitled windows in the result set" ]
+  )
+
+  def window_enum_usage
+    print(
+      "\nUsage: window_enum [-h] [-p parent_window] [-u]\n\n" +
+      "Enumerate the windows on the target.\n\n" +
+      "Enumeration returns the Process ID and Window Handle for each window\n" +
+      "found. The Window Handle can be used for further calls to window_enum\n" +
+      "or the railgun API.\n" +
+      @@window_enum_opts.usage +
+      "Note: Not all windows can be enumerated. An attempt to enumerate\n" +
+      "      the children of such a window will result in a failure with the\n"+
+      "      message \"Operation failed: The parameter is incorrect.\"\n\n")
+  end
+
+  #
+  # Enumerate top-level windows.
+  #
+  def cmd_window_enum(*args)
+    parent_window = nil
+    include_unknown = false
+
+    @@window_enum_opts.parse(args) { |opt, idx, val|
+      case opt
+      when "-u"
+        include_unknown = true
+      when "-p"
+        parent_window = val.to_i
+        if parent_window == 0
+          window_enum_usage
+          return true
+        end
+      when "-h"
+        window_enum_usage
+        return true
+      end
+    }
+
+    windows = client.extapi.window.enumerate(include_unknown, parent_window)
+
+    header = parent_window ? "Child windows of #{parent_window}" : "Top-level windows"
+
+    table = Rex::Ui::Text::Table.new(
+      'Header'    => header,
+      'Indent'    => 0,
+      'SortIndex' => 0,
+      'Columns'   => [
+        'PID', 'Handle', 'Title'
+      ]
+    )
+
+    windows.each { |w|
+      table << [w[:pid], w[:handle], w[:title]]
+    }
+
+    print_line
+    print_line(table.to_s)
+
+    if parent_window.nil?
+      print_line("Total top-level Windows: #{windows.length}")
+    else
+      print_line("Total child Windows: #{windows.length}")
+    end
+
+    print_line
+
+    return true
+  end
+
+end
+
+end
+end
+end
+end
+

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/wmi.rb

@@ -0,0 +1,108 @@
+# -*- coding: binary -*-
+require 'rex/post/meterpreter'
+
+module Rex
+module Post
+module Meterpreter
+module Ui
+
+###
+#
+# Extended API WMI Querying interface.
+#
+###
+class Console::CommandDispatcher::Extapi::Wmi
+
+  Klass = Console::CommandDispatcher::Extapi::Wmi
+
+  include Console::CommandDispatcher
+
+  # Zero indicates "no limit"
+  DEFAULT_MAX_RESULTS = 0
+  DEFAULT_PAGE_SIZE   = 0
+
+  #
+  # List of supported commands.
+  #
+  def commands
+    {
+      "wmi_query" => "Perform a generic WMI query and return the results"
+    }
+  end
+
+  #
+  # Name for this dispatcher
+  #
+  def name
+    "Extapi: WMI Querying"
+  end
+
+  #
+  # Options for the wmi_query command.
+  #
+  @@wmi_query_opts = Rex::Parser::Arguments.new(
+    "-h" => [ false, "Help banner" ],
+    "-r" => [ true, "Specify a different root object (defaults to 'root\\CIMV2')" ]
+  )
+
+  def wmi_query_usage
+    print(
+      "\nUsage: wmi_query <query string> [-r root]\n\n" +
+      "Query the target and display the results.\n\n" +
+      @@wmi_query_opts.usage)
+  end
+
+  #
+  # Enumerate WMI objects.
+  #
+  def cmd_wmi_query(*args)
+    args.unshift("-h") if args.length < 1
+
+    root = nil
+
+    @@wmi_query_opts.parse(args) { |opt, idx, val|
+      case opt
+      when "-r"
+        root = val
+      when "-h"
+        wmi_query_usage
+        return true
+      end
+    }
+
+    query = args.shift
+
+    objects = client.extapi.wmi.query(query, root)
+
+    if objects
+      table = Rex::Ui::Text::Table.new(
+        'Header'    => query,
+        'Indent'    => 0,
+        'SortIndex' => 0,
+        'Columns'   => objects[:fields]
+      )
+
+      objects[:values].each do |c|
+        table << c
+      end
+
+      print_line
+      print_line(table.to_s)
+
+      print_line("Total objects: #{objects[:values].length}")
+    else
+      print_status("The WMI query yielded no results.")
+    end
+
+    print_line
+
+    return true
+  end
+
+end
+
+end
+end
+end
+end
+

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb

@@ -0,0 +1,242 @@
+# -*- coding: binary -*-
+require 'rex/post/meterpreter'
+
+module Rex
+module Post
+module Meterpreter
+module Ui
+
+###
+#
+# Privilege escalation extension user interface.
+#
+###
+class Console::CommandDispatcher::Incognito
+
+  Klass = Console::CommandDispatcher::Incognito
+
+  include Console::CommandDispatcher
+
+  #
+  # Initializes an instance of the priv command interaction.
+  #
+  def initialize(shell)
+    super
+  end
+
+  #
+  # List of supported commands.
+  #
+  def commands
+    {
+      "add_user" => "Attempt to add a user with all tokens",
+      "add_localgroup_user" => "Attempt to add a user to a local group with all tokens",
+      "add_group_user" => "Attempt to add a user to a global group with all tokens",
+      "list_tokens" => "List tokens available under current user context",
+      "impersonate_token" => "Impersonate specified token",
+      "snarf_hashes" => "Snarf challenge/response hashes for every token"
+    }
+  end
+
+
+  @@add_user_opts = Rex::Parser::Arguments.new(
+    "-h" => [ true,  "Add user to remote host" ])
+
+  @@add_localgroup_user_opts = Rex::Parser::Arguments.new(
+    "-h" => [ true,  "Add user to local group on remote host" ])
+
+  @@add_group_user_opts = Rex::Parser::Arguments.new(
+    "-h" => [ true,  "Add user to global group on remote host" ])
+
+  @@list_tokens_opts = Rex::Parser::Arguments.new(
+    "-u" => [ false,  "List tokens by unique username" ],
+    "-g" => [ false, "List tokens by unique groupname" ])
+
+  def cmd_list_tokens(*args)
+    token_order = -1
+
+    @@list_tokens_opts.parse(args) { |opt, idx, val|
+      case opt
+        when "-u"
+          token_order = 0
+        when "-g"
+          token_order = 1
+      end
+    }
+
+    if (token_order == -1)
+      print_line("Usage: list_tokens <list_order_option>\n")
+      print_line("Lists all accessible tokens and their privilege level")
+      print_line(@@list_tokens_opts.usage)
+      return
+    end
+
+    system_privilege_check
+
+    tokens = client.incognito.incognito_list_tokens(token_order)
+
+    print_line()
+    print_line("Delegation Tokens Available")
+    print_line("========================================")
+
+    tokens['delegation'].each_line { |string|
+      print(string)
+    }
+
+    print_line()
+    print_line("Impersonation Tokens Available")
+    print_line("========================================")
+
+    tokens['impersonation'].each_line { |string|
+      print(string)
+    }
+
+    print_line()
+
+    return true
+  end
+
+  def cmd_impersonate_token(*args)
+    if (args.length < 1)
+      print_line("Usage: impersonate_token <token>\n")
+      print_line("Instructs the meterpreter thread to impersonate the specified token. All other actions will then be made in the context of that token.\n")
+      print_line("Hint: Double backslash DOMAIN\\\\name (meterpreter quirk)")
+      print_line("Hint: Enclose with quotation marks if name contains a space\n")
+      return
+    end
+
+    system_privilege_check
+    username = args[0]
+    client.incognito.incognito_impersonate_token(username).each_line { |string|
+      print(string)
+    }
+
+    return true
+  end
+
+  def cmd_add_user(*args)
+    # Default to localhost
+    host = "127.0.0.1"
+
+    @@add_user_opts.parse(args) { |opt, idx, val|
+      case opt
+        when "-h"
+          host = val
+      end
+    }
+
+    if (args.length < 2)
+      print_line("Usage: add_user <username> <password> [options]\n")
+      print_line("Attempts to add a user to a host with all accessible tokens. Terminates when successful, an error that is not access denied occurs (e.g. password does not meet complexity requirements) or when all tokens are exhausted")
+      print_line(@@add_user_opts.usage)
+      return
+    end
+
+    system_privilege_check
+
+    username = args[0]
+    password = args[1]
+
+    client.incognito.incognito_add_user(host, username, password).each_line { |string|
+      print(string)
+    }
+
+    return true
+  end
+
+  def cmd_add_localgroup_user(*args)
+    # Default to localhost
+    host = "127.0.0.1"
+
+    @@add_localgroup_user_opts.parse(args) { |opt, idx, val|
+      case opt
+        when "-h"
+          host = val
+      end
+    }
+
+    if (args.length < 2)
+      print_line("Usage: add_localgroup_user <groupname> <username> [options]\n")
+      print_line("Attempts to add a user to a local group on a host with all accessible tokens. Terminates when successful, an error that is not access denied occurs (e.g. user not found) or when all tokens are exhausted")
+      print_line(@@add_localgroup_user_opts.usage)
+      return
+    end
+
+    system_privilege_check
+
+    groupname = args[0]
+    username = args[1]
+
+    client.incognito.incognito_add_localgroup_user(host, groupname, username).each_line { |string|
+      print(string)
+    }
+
+    return true
+  end
+
+  def cmd_add_group_user(*args)
+    # Default to localhost
+    host = "127.0.0.1"
+
+    @@add_group_user_opts.parse(args) { |opt, idx, val|
+      case opt
+        when "-h"
+          host = val
+      end
+    }
+
+    if (args.length < 2)
+      print_line("Usage: add_group_user <groupname> <username> [options]\n")
+      print_line("Attempts to add a user to a global group on a host with all accessible tokens. Terminates when successful, an error that is not access denied occurs (e.g. user not found) or when all tokens are exhausted")
+      print_line(@@add_group_user_opts.usage)
+      return
+    end
+
+    system_privilege_check
+
+    groupname = args[0]
+    username = args[1]
+
+    client.incognito.incognito_add_group_user(host, groupname, username).each_line { |string|
+      print(string)
+    }
+
+    return true
+  end
+
+  def cmd_snarf_hashes(*args)
+    if (args.length < 1)
+      print_line("Usage: snarf_hashes <sniffer_host>\n")
+      print_line("Captures LANMAN/NTLM challenge response hashes by making SMB requests to the supplied sniffing host with every accessible token.\n")
+      return
+    end
+
+    system_privilege_check
+
+    print_line("[*] Snarfing token hashes...")
+    client.incognito.incognito_snarf_hashes(args[0])
+    print_line("[*] Done. Check sniffer logs")
+
+    return true
+  end
+
+  def system_privilege_check
+    if (client.sys.config.getuid != "NT AUTHORITY\\SYSTEM")
+      print_line("[-] Warning: Not currently running as SYSTEM, not all tokens will be available")
+      print_line("             Call rev2self if primary process token is SYSTEM")
+    end
+  end
+
+  #
+  # Name for this dispatcher
+  #
+  def name
+    "Incognito"
+  end
+
+end
+
+end
+end
+end
+end