Metasploit Pentest Plugin Part 1

With the move from Rapid7 to make the framework a repository of modules and have the majority of the automation in the Community and paid versions of metasploit I started several month ago to write a plugin called pentest to cover some of my personal needs and those of friends who have requested them in to a single plugin (Will break in to individual plugins in the future and have master one that will load all) for use from msfconsole.

The main areas I have coded so far in my free time have been:

  • Project - For managing of projects inside workspaces for saving data and exporting data from different tables from the Metasploit database.

  • Post Automation - To automate post exploitation tasks.

  • Discovery - For performing network discovery of hosts and services. (Will add discovery thru pivot in the future.)

The plugin can be found in my Github account https://github.com/darkoperator/Metasploit-Plugins/blob/master/pentest.rb as time passes I will keep adding new features to it as I need them and as friends coerce me in to adding new stuff for them.

Best way to add the plugin to your framework copy is to save it in your metasploit setting folder in your home directory:

mkdir -p ~/.msf4/plugins
cd ~/.msf4/plugins
curl -O https://raw.github.com/darkoperator/Metasploit-Plugins/master/ pentest.rb

Once it is downloaded there any instance of the framework you start will have access to it. To load it is is as simple as using the load command and using the help or ? command to see the additional commands that where added by the plugin:

msf  exploit(handler) > load pentest 
postauto plugin loaded.
[*] Successfully loaded plugin: pentest
msf  exploit(handler) > ?

Discovery Commands
==================

    Command           Description
    -------           -----------
    network_discover  Performs a portscan and enumeration of services found for non pivot networks.


Project Commands
================

    Command       Description
    -------       -----------
    project       Command for managing projects.


Postauto Commands
=================

    Command             Description
    -------             -----------
    app_creds           Run application password collection modules against specified sessions.
    multi_cmd           Run shell command against several sessions
    multi_meter_cmd     Run a Meterpreter Console Command against specified sessions.
    multi_meter_cmd_rc  Run resource file with Meterpreter Console Commands against specified sessions.
    multi_post          Run a post module against specified sessions.
    multi_post_rc       Run resource file with post modules and options against specified sessions.
    sys_creds           Run system password collection modules against specified sessions.

Projects

Many times I find my self experimenting with different datasets as I develop scripts, resource files, modules ..etc and other times I have data of personal clients, I tended to create workspaces inside the framework for this and run several commands and resource scripts to set capture and exporting of data per project, so I added this command to help me manage all of that:

msf  exploit(handler) > project -h

OPTIONS:

    -a         Export all history and DB and archive it in to a zip file for current project.
    -c         Create a new Metasploit project and sets logging for it.
    -d         Delete a project created by the plugin.
    -h         Command Help
    -l         List projects created by plugin.
    -p  <opt>  Path to save archive, if none provide default ~/.msf4/archives will be used.
    -ph        Generate resource files for sessions and console. Generate time stamped session logs for current project.
    -r         Create time stamped RC files of Meterpreter Sessions and console history for current project.
    -s         Switch to a project created by the plugin.

Creating a new project

To create a new project is as simple as:

msf  exploit(handler) > project -c pauldotcom
Creating DB Workspace named pauldotcom
Added workspace: pauldotcom
Spooling to file /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_spool.log...
msf  exploit(handler) >  > project -l
List of projects:
    * pauldotcom
msf  exploit(handler) >  >

As you can see the command created the workspace called pauldotcom and started logging using spool to *~/.msf4/logs/projects/* one can use the -l switch to list them. You might see a extra “>” added when you manipulate projects, this is do to a bug with the spool command that has been open for a while, hope it gets fixed soon.

One of the features I like the most is the ability to create a time stamped resource file that will show all the command I have entered in a session and show the command ran, this can prove quite useful when showing a client what actions where taken and when. Here is an example if I only want to show the commands ran in the console, if we had some meterpreter sessions it would had generated timestamped resource files for those also:

msf  exploit(handler) >  > project -r 
Writing Console RC file to /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.3913.rc
RC file written
List of projects:
    * pauldotcom
msf  exploit(handler) >  > cat /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.3913.rc
[*] exec: cat /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.3913.rc

# command executed at 2011-12-15 14:06:52 UTC
project -l
# command executed at 2011-12-15 14:38:13 UTC
project -r

If we want a full project history that covers:

  • Timestamped session Commands resource file
  • Timestamped Meterpreter session log of commands and output
  • Timestamped console commands resource file

Then the -ph would have been used:

msf  exploit(handler) >  > project -ph
Writing Console RC file to /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.0735.rc
RC file written
Creating RC file for Session 1
Saving RC file to /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.0735.rc
RC file written
Exporting Session 1 history
Saving log file to /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.0735.log
Log file written
msf  exploit(handler) >  > cat /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.0735.log
[*] exec: cat /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.0735.log

# Info: uuid: 8chmctur type: meterpreter id: 1 info:  
2011-12-15 15:02:57 UTC
load stdapi
2011-12-15 15:03:00 UTC
load priv
2011-12-15 15:04:24 UTC
run checkvm
2011-12-15 15:04:36 UTC
run post/windows/gather/win_privs
2011-12-15 15:04:56 UTC
run priv
2011-12-15 15:05:08 UTC
background
2011-12-15 15:07:20 UTC
ls
2011-12-15 15:07:21 UTC

Listing: C:\Documents and Settings\Administrator\Desktop
========================================================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100777/rwxrwxrwx  37888  fil   2010-01-25 18:49:24 -0400  macmet.exe
40777/rwxrwxrwx   0      dir   2010-01-17 08:59:54 -0400  ..
40777/rwxrwxrwx   0      dir   2010-02-20 14:48:26 -0400  .


2011-12-15 15:07:25 UTC
getuid
2011-12-15 15:07:25 UTC
Server username: TESTACCN-X6V582\Administrator
2011-12-15 15:07:28 UTC
sysinfo
2011-12-15 15:07:28 UTC
Computer        : TESTACCN-X6V582
2011-12-15 15:07:28 UTC
OS              : Windows XP (Build 2600).
2011-12-15 15:07:28 UTC
Architecture    : x86
2011-12-15 15:07:28 UTC
System Language : en_US
2011-12-15 15:07:28 UTC
Meterpreter     : x86/win32
2011-12-15 15:07:30 UTC
background

Lets say we finished with a project and are going to share the info with the project manager, other team member or client one can create a single zip file:

  • Spool file of the project
  • Resource files for console and session commands
  • Session history
  • Exported database in xml format

To do this we use the -a command for archiving:

msf  exploit(handler) >  > project -a
Exporting DB Workspace pauldotcom
    >> Starting export of report
    >> Starting export of hosts
    >> Starting export of events
    >> Starting export of services
    >> Starting export of credentials
    >> Starting export of web sites
    >> Starting export of web pages
    >> Starting export of web forms
    >> Starting export of web vulns
    >> Finished export of report
Finished export of workspace pauldotcom to /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.1942.xml [ xml ]...
Disabling spooling for pauldotcom
Spooling disabled for archiving
Writing Console RC file to /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.1942.rc
RC file written
Creating RC file for Session 1
Saving RC file to /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.1942.rc
RC file written
Exporting Session 1 history
Saving log file to /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.1942.log
Log file written
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.0514.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.0735.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.1942.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.1942.xml to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.3813.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.3833.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.3840.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.3913.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.0514.log to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.0514.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.0735.log to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.0735.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.1942.log to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.1942.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_spool.log to archive
All files saved to /Users/carlos/.msf4/logs/archives/pauldotcom_20111215.1942.zip
MD5 for archive is 97638701e10d9ca8a4f7684bfc1f5d73
Spooling re-enabled
Spooling to file /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_spool.log...
msf  exploit(handler) >  >  >