Metasploit Pentest Plugin Part 1
With Rapid7 moving to make the framework a repository of modules and keep most of the automation in the Community and paid versions of Metasploit, I started several months ago to write a plugin called pentest, for use from msfconsole, that covers some of my personal needs and those of friends who requested features, all in a single plugin (I will break it into individual plugins in the future, with a master one that loads them all).
The main areas I have coded so far in my free time are:
- Project - For managing projects inside workspaces, saving data and exporting data from different tables of the Metasploit database.
- Post Automation - To automate post exploitation tasks.
- Discovery - For performing network discovery of hosts and services. (Will add discovery through a pivot in the future.)
The plugin can be found in my GitHub account at https://github.com/darkoperator/Metasploit-Plugins/blob/master/pentest.rb. As time passes I will keep adding new features to it as I need them and as friends coerce me into adding new stuff for them.
The best way to add the plugin to your copy of the framework is to save it in the Metasploit settings folder in your home directory:
mkdir -p ~/.msf4/plugins
cd ~/.msf4/plugins
curl -O https://raw.github.com/darkoperator/Metasploit-Plugins/master/pentest.rb
Once it is downloaded there, any instance of the framework you start will have access to it. Loading it is as simple as using the load command, and the help or ? command then shows the additional commands that were added by the plugin:
msf exploit(handler) > load pentest
postauto plugin loaded.
[*] Successfully loaded plugin: pentest
msf exploit(handler) > ?

Discovery Commands
==================

    Command           Description
    -------           -----------
    network_discover  Performs a portscan and enumeration of services found for non pivot networks.

Project Commands
================

    Command  Description
    -------  -----------
    project  Command for managing projects.

Postauto Commands
=================

    Command             Description
    -------             -----------
    app_creds           Run application password collection modules against specified sessions.
    multi_cmd           Run shell command against several sessions
    multi_meter_cmd     Run a Meterpreter Console Command against specified sessions.
    multi_meter_cmd_rc  Run resource file with Meterpreter Console Commands against specified sessions.
    multi_post          Run a post module against specified sessions.
    multi_post_rc       Run resource file with post modules and options against specified sessions.
    sys_creds           Run system password collection modules against specified sessions.
Projects
Many times I find myself experimenting with different datasets as I develop scripts, resource files, modules, etc., and other times I have data from clients. I tended to create workspaces inside the framework for this and run several commands and resource scripts to set up capture and export of data per project, so I added this command to help me manage all of that:
msf exploit(handler) > project -h
OPTIONS:
-a Export all history and DB and archive it in to a zip file for current project.
-c Create a new Metasploit project and sets logging for it.
-d Delete a project created by the plugin.
-h Command Help
-l List projects created by plugin.
-p <opt> Path to save the archive; if none is provided, the default ~/.msf4/archives will be used.
-ph Generate resource files for sessions and console. Generate time stamped session logs for current project.
-r Create time stamped RC files of Meterpreter Sessions and console history for current project.
-s Switch to a project created by the plugin.
Creating a new project
Creating a new project is as simple as:
msf exploit(handler) > project -c pauldotcom
Creating DB Workspace named pauldotcom
Added workspace: pauldotcom
Spooling to file /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_spool.log...
msf exploit(handler) > > project -l
List of projects:
* pauldotcom
msf exploit(handler) > >
As you can see, the command created the workspace called pauldotcom and started logging with spool to *~/.msf4/logs/projects/*; the -l switch lists the projects created by the plugin. You might see an extra ">" added to the prompt when you manipulate projects; this is due to a bug with the spool command that has been open for a while, which I hope gets fixed soon.
One of the features I like the most is the ability to create a time stamped resource file that lists every command I entered in a session and when it was run; this can prove quite useful when showing a client what actions were taken and when. Here is an example showing only the commands run in the console; if we had had Meterpreter sessions, it would also have generated timestamped resource files for those:
msf exploit(handler) > > project -r
Writing Console RC file to /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.3913.rc
RC file written
List of projects:
* pauldotcom
msf exploit(handler) > > cat /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.3913.rc
[*] exec: cat /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.3913.rc
# command executed at 2011-12-15 14:06:52 UTC
project -l
# command executed at 2011-12-15 14:38:13 UTC
project -r
If we want a full project history that covers:
- Timestamped session Commands resource file
- Timestamped Meterpreter session log of commands and output
- Timestamped console commands resource file
then the -ph switch is the one to use:
msf exploit(handler) > > project -ph
Writing Console RC file to /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.0735.rc
RC file written
Creating RC file for Session 1
Saving RC file to /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.0735.rc
RC file written
Exporting Session 1 history
Saving log file to /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.0735.log
Log file written
msf exploit(handler) > > cat /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.0735.log
[*] exec: cat /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.0735.log
# Info: uuid: 8chmctur type: meterpreter id: 1 info:
2011-12-15 15:02:57 UTC load stdapi
2011-12-15 15:03:00 UTC load priv
2011-12-15 15:04:24 UTC run checkvm
2011-12-15 15:04:36 UTC run post/windows/gather/win_privs
2011-12-15 15:04:56 UTC run priv
2011-12-15 15:05:08 UTC background
2011-12-15 15:07:20 UTC ls
2011-12-15 15:07:21 UTC Listing: C:\Documents and Settings\Administrator\Desktop
========================================================
Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100777/rwxrwxrwx  37888  fil   2010-01-25 18:49:24 -0400  macmet.exe
40777/rwxrwxrwx   0      dir   2010-01-17 08:59:54 -0400  ..
40777/rwxrwxrwx   0      dir   2010-02-20 14:48:26 -0400  .
2011-12-15 15:07:25 UTC getuid
2011-12-15 15:07:25 UTC Server username: TESTACCN-X6V582\Administrator
2011-12-15 15:07:28 UTC sysinfo
2011-12-15 15:07:28 UTC Computer        : TESTACCN-X6V582
2011-12-15 15:07:28 UTC OS              : Windows XP (Build 2600).
2011-12-15 15:07:28 UTC Architecture    : x86
2011-12-15 15:07:28 UTC System Language : en_US
2011-12-15 15:07:28 UTC Meterpreter     : x86/win32
2011-12-15 15:07:30 UTC background
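The two files the plugin writes have different layouts: the console RC file pairs a "# command executed at ... UTC" comment with the command on the next line, while the session log prefixes every line the session wrote with a timestamp and leaves table rules and listing rows unprefixed. When assembling a client-facing timeline from several such files it helps to parse both into one chronological list. The following Ruby is an added example, not code from the pentest plugin; the two sample inputs are constructed from the listings above, and the function names (parse_console_rc, parse_session_log, build_timeline, render_timeline) are my own.

```ruby
# Added example (not part of pentest.rb): parse the console RC file and the
# Meterpreter session log formats written by the plugin into one timeline.
require 'time'

# Console RC file: a "# command executed at <ts> UTC" comment precedes each
# command. Returns [[Time, command], ...]. A command with no preceding
# timestamp comment (a hand-edited RC file) is kept with a nil timestamp
# rather than dropped, so nothing that was run disappears from the record.
def parse_console_rc(text)
  entries = []
  pending = nil
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?
    if (m = line.match(/\A#\s*command executed at (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC)\z/))
      pending = Time.parse(m[1])
    elsif line.start_with?('#')
      next # other comments carry no timeline information
    else
      entries << [pending, line]
      pending = nil
    end
  end
  entries
end

# Session log: "<ts> UTC <text>" per line; lines without a prefix (table
# rules, directory listing rows) are continuation of the previous entry.
SESSION_LINE = /\A(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC) (.*)\z/

def parse_session_log(text)
  entries = []
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty? || line.start_with?('#')
    if (m = line.match(SESSION_LINE))
      entries << [Time.parse(m[1]), m[2]]
    elsif entries.any?
      entries.last[1] = entries.last[1] + "\n" + line
    end
  end
  entries
end

# Merge console and session entries, tagged with their source, in time order.
# The sort is made stable with the original index so that lines sharing the
# same second keep the order they were written in; untimestamped entries
# sort first so they are visible at the top of the report.
def build_timeline(console_rc:, session_logs:)
  rows = parse_console_rc(console_rc).map { |t, c| [t, 'console', c] }
  session_logs.each do |name, text|
    rows.concat(parse_session_log(text).map { |t, c| [t, name, c] })
  end
  rows.each_with_index.sort_by { |(t, _, _), i| [t ? t.to_i : -1, i] }.map(&:first)
end

# One line per entry; only the first line of multi-line output is shown.
def render_timeline(rows)
  rows.map do |t, src, text|
    stamp = t ? t.utc.strftime('%Y-%m-%d %H:%M:%S UTC') : '(no timestamp)         '
    "#{stamp} [#{src}] #{text.lines.first.chomp}"
  end.join("\n")
end

# Constructed sample inputs, laid out like the files shown above.
CONSOLE_RC = <<~'RC'
  # command executed at 2011-12-15 14:06:52 UTC
  project -l
  # command executed at 2011-12-15 14:38:13 UTC
  project -r
RC

SESSION_LOG = <<~'LOG'
  # Info: uuid: 8chmctur type: meterpreter id: 1 info:
  2011-12-15 15:04:24 UTC run checkvm
  2011-12-15 15:07:20 UTC ls
  2011-12-15 15:07:21 UTC Listing: C:\Documents and Settings\Administrator\Desktop
  ========================================================
  2011-12-15 15:07:25 UTC getuid
  2011-12-15 15:07:25 UTC Server username: TESTACCN-X6V582\Administrator
LOG

if __FILE__ == $PROGRAM_NAME
  puts render_timeline(build_timeline(console_rc: CONSOLE_RC,
                                      session_logs: { 'session 1' => SESSION_LOG }))
end
```

Point build_timeline at the contents of the console RC file and a hash of session name to session log text, and render_timeline gives a single ordered listing suitable for a report appendix.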
Let's say we finished with a project and are going to share the information with the project manager, other team members, or the client. One can create a single zip file containing:
- Spool file of the project
- Resource files for console and session commands
- Session history
- Exported database in xml format
To do this we use the -a switch for archiving:
msf exploit(handler) > > project -a
Exporting DB Workspace pauldotcom
>> Starting export of report
>> Starting export of hosts
>> Starting export of events
>> Starting export of services
>> Starting export of credentials
>> Starting export of web sites
>> Starting export of web pages
>> Starting export of web forms
>> Starting export of web vulns
>> Finished export of report
Finished export of workspace pauldotcom to /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.1942.xml [ xml ]...
Disabling spooling for pauldotcom
Spooling disabled for archiving
Writing Console RC file to /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.1942.rc
RC file written
Creating RC file for Session 1
Saving RC file to /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.1942.rc
RC file written
Exporting Session 1 history
Saving log file to /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.1942.log
Log file written
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.0514.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.0735.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.1942.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.1942.xml to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.3813.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.3833.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.3840.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.3913.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.0514.log to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.0514.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.0735.log to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.0735.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.1942.log to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.1942.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_spool.log to archive
All files saved to /Users/carlos/.msf4/logs/archives/pauldotcom_20111215.1942.zip
MD5 for archive is 97638701e10d9ca8a4f7684bfc1f5d73
Spooling re-enabled
Spooling to file /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_spool.log...
msf exploit(handler) > > >