Sunday, August 28, 2011

Enumerating Microsoft keys on remote hosts using Metasploit

I wrote a new module for Metasploit that can (theoretically) enumerate any Microsoft product key stored as a DigitalProductId (most Microsoft products).

I have only tested against Windows 7 Ultimate, as I don't have a SQL Server, Exchange server, or MS Office stuff lying around to test with. Any testing with these apps would be appreciated, and feedback is even more appreciated.


The Metasploit ticket is here.

Tuesday, August 23, 2011

Inverting ebooks for better reading

I like ebooks. I don't like staring at lightbulbs. Hopefully, this one-liner will help others with the same problems I have with black-on-white text ebooks.


pdf2ps foo.pdf - | convert - -negate bar.pdf

Enumerating hardware on remote systems running Windows with Metasploit

At Arlington Computer Care where I work, I needed (really, just wanted) a way to enumerate the hardware drivers on an arbitrary host on the shop's network. The reason is two-fold: we can pinpoint old drivers to the customer, and we know what drivers to look for specifically when reloading a machine. Metasploit already has a rich API for gathering information from remote hosts, and since I wanted to perform this check from a Linux box, it was the most obvious choice for me. Plus, I have a lot of experience with it already.

Metasploit, however, did not have the functionality I wanted. Gathering the hardware information from a remote host was going to entail writing a new post module, which I hadn't done before. I have written exploits in the past, but no post modules. I found it was very fun and rewarding. It has been accepted into trunk for a week or two now, and here are the details on it.


msf post(enum_devices) > info

Name: Windows Hardware Enumeration
Module: post/windows/gather/enum_devices
Version: 13559
Platform: Windows
Arch:
Rank: Normal

Provided by:
Brandon Perry

Description:
Enumerate PCI hardware information from the registry. Please note
this script will run through registry subkeys such as: 'PCI',
'ACPI', 'ACPI_HAL', 'FDC', 'HID', 'HTREE', 'IDE', 'ISAPNP',
'LEGACY'', LPTENUM', 'PCIIDE', 'SCSI', 'STORAGE', 'SW', and 'USB';
it will take time to finish. It is recommended to run this module as
a background job.


msf post(enum_devices) >



Some example output:


msf exploit(handler) > use post/windows/gather/enum_devices
msf post(enum_devices) > set SESSION 1
SESSION => 1
msf post(enum_devices) > run

[*] Enumerating hardware on WIN-684G41EV82S
^C[-] Post interrupted by the console user
[*] Post module execution completed
msf post(enum_devices) > set VERBOSE true
VERBOSE => true
msf post(enum_devices) > run

[*] Enumerating hardware on WIN-684G41EV82S
[*] Enumerating VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01
[*] Enumerating VEN_1274&DEV_1371&SUBSYS_13711274&REV_02
[*] Enumerating VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00
...snip for brevity...
[*] Enumerating VID_0E0F&PID_0003&MI_01

Device Information
==================

Device Description Driver Version Class Manufacturer Extra
------------------ -------------- ----- ------------ -----
LSI Adapter, SAS 3000 series, 8-port with 1068 1.28.3.52 SCSIAdapter LSI
VMware VMaudio (VMAUDIO) (WDM) 5.10.0.3506 MEDIA VMware, Inc.
VMware SVGA 3D (Microsoft Corporation - WDDM) 7.14.1.42 Display VMware, Inc.
VMware VMCI Bus Device System VMware, Inc.
Standard Enhanced PCI to USB Host Controller 6.1.7601.17586 USB (Standard USB Host Controller)
PCI standard PCI-to-PCI bridge 6.1.7601.17514 System (Standard system devices)
PCI Express standard Root Port 6.1.7601.17514 System (Standard system devices)
PCI Express standard Root Port System (Standard system devices)
Intel(R) PRO/1000 MT Network Connection 8.4.1.1 Net Intel
Intel 82371AB/EB PCI to ISA bridge (ISA mode) 6.1.7601.17514 System Intel
Intel(R) 82371AB/EB PCI to USB Universal Host Controller 6.1.7601.17586 USB Intel
Intel 82443BX Pentium(R) II Processor to PCI Bridge 6.1.7601.17514 System Intel
Intel 82443BX Pentium(R) II Processor to AGP Controller 6.1.7601.17514 System Intel
Microsoft AC Adapter 6.1.7600.16385 Battery Microsoft
AMD Processor 6.1.7600.16385 Processor Advanced Micro Devices AMD Phenom(tm) 9850 Quad-Core Processor
ACPI Fixed Feature Button 6.1.7601.17514 System (Standard system devices)
EISA programmable interrupt controller 6.1.7601.17514 System (Standard system devices)
System timer 6.1.7601.17514 System (Standard system devices)
Direct memory access controller 6.1.7601.17514 System (Standard system devices)
Standard PS/2 Keyboard 6.1.7601.17514 Keyboard (Standard keyboards)
Printer Port 6.1.7600.16385 Ports (Standard port types) Printer Port (LPT1)
Communications Port 6.1.7600.16385 Ports (Standard port types) Communications Port (COM1)
Communications Port 6.1.7600.16385 Ports (Standard port types) Communications Port (COM2)
Standard floppy disk controller 6.1.7600.16385 fdc (Standard floppy disk controllers)
System speaker 6.1.7601.17514 System (Standard system devices)
PCI bus 6.1.7601.17514 System (Standard system devices)
Generic Bus 6.1.7601.17514 System (Standard system devices)
System CMOS/real time clock 6.1.7601.17514 System (Standard system devices)
Motherboard resources 6.1.7601.17514 System (Standard system devices)
VMware Pointing Device 12.4.0.6 Mouse VMware, Inc.
Microsoft ACPI-Compliant System 6.1.7601.17514 System Microsoft
Floppy disk drive 6.1.7600.16385 FloppyDisk (Standard floppy disk drives)
HID-compliant mouse 6.1.7600.16385 Mouse Microsoft
CD-ROM Drive 6.1.7601.17514 CDROM (Standard CD-ROM drives) HL-DT-ST DVD-RAM GSA-H55N ATA Device
Printer Port Logical Interface 6.1.7601.17514 System (Standard system devices) LPT1
IDE Channel 6.1.7601.17514 hdc (Standard IDE ATA/ATAPI controllers)
Microsoft ISATAP Adapter 6.1.7600.16385 Net Microsoft
Microsoft Teredo Tunneling Adapter 6.1.7600.16385 Net Microsoft
ACPI x86-based PC 6.1.7600.16385 Computer (Standard computers)
File as Volume Driver 6.1.7600.16385 System Microsoft
Composite Bus Enumerator 6.1.7601.17514 System Microsoft
Microsoft Composite Battery 6.1.7600.16385 Battery Microsoft
Beep LegacyDriver
CNG LegacyDriver
LDDM Graphics Subsystem LegacyDriver
FAT12/16/32 File System Driver
Fs_Rec LegacyDriver
KSecDD LegacyDriver
KSecPkg LegacyDriver
Link-Layer Topology Discovery Mapper I/O Driver LegacyDriver
Msfs LegacyDriver
msisadrv LegacyDriver
NDProxy LegacyDriver
NetBIOS Interface LegacyDriver
Npfs LegacyDriver
Ntfs LegacyDriver
Parvdm LegacyDriver
Performance Counters for Windows Driver LegacyDriver
PEAUTH LegacyDriver
Link-Layer Topology Discovery Responder LegacyDriver
Security Driver LegacyDriver
Security Processor Loader Driver LegacyDriver
srvnet LegacyDriver
TCP/IP Registry Compatibility LegacyDriver
udfs LegacyDriver
VgaSave LegacyDriver
vmhgfs LegacyDriver
Memory Control Driver LegacyDriver
VMware Vista Physical Disk Helper LegacyDriver
Storage volumes LegacyDriver
Kernel Mode Driver Frameworks service LegacyDriver
WFP Lightweight Filter LegacyDriver
Windows Socket 2.0 Non-IFS Service Provider Support Environment LegacyDriver
Microsoft System Management BIOS Driver 6.1.7601.17514 System (Standard system devices)
WAN Miniport (IKEv2) 6.1.7601.17514 Net Microsoft
WAN Miniport (L2TP) 6.1.7600.16385 Net Microsoft
WAN Miniport (Network Monitor) 6.1.7600.16385 Net Microsoft
WAN Miniport (IP) 6.1.7600.16385 Net Microsoft
WAN Miniport (IPv6) 6.1.7600.16385 Net Microsoft
WAN Miniport (PPPOE) 6.1.7600.16385 Net Microsoft
WAN Miniport (PPTP) 6.1.7600.16385 Net Microsoft
WAN Miniport (SSTP) 6.1.7600.16385 Net Microsoft
Remote Desktop Device Redirector Bus 6.1.7600.16385 System Microsoft
Terminal Server Keyboard Driver 6.1.7601.17514 System (Standard system devices)
Terminal Server Mouse Driver 6.1.7601.17514 System (Standard system devices)
Plug and Play Software Device Enumerator 6.1.7601.17514 System (Standard system devices)
UMBus Root Bus Enumerator 6.1.7601.17514 System Microsoft
Microsoft Virtual Drive Enumerator Driver 6.1.7601.17514 System (Standard system devices)
Volume Manager 6.1.7601.17514 System (Standard system devices)
Disk drive 6.1.7600.16385 DiskDrive (Standard disk drives) VMware, VMware Virtual S SCSI Disk Device
Generic volume 6.1.7601.17514 Volume Microsoft
Generic volume shadow copy 6.1.7600.16385 VolumeSnapshot Microsoft
Microsoft Streaming Service Proxy 6.1.7600.16385 MEDIA Microsoft
Microsoft Streaming Clock Proxy 6.1.7600.16385 MEDIA Microsoft
Microsoft Streaming Tee/Sink-to-Sink Converter 6.1.7600.16385 MEDIA Microsoft
Microsoft Streaming Quality Manager Proxy 6.1.7600.16385 MEDIA Microsoft
RAS Async Adapter 6.1.7600.16385 Net Microsoft
Microsoft Trusted Audio Drivers 6.1.7600.16385 MEDIA Microsoft
USB Root Hub 6.1.7601.17586 USB (Standard USB Host Controller)
Generic USB Hub 6.1.7601.17586 USB (Generic USB Hub) Port_#0002.Hub_#0001
USB Composite Device 6.1.7601.17586 USB (Standard USB Host Controller) Port_#0001.Hub_#0001
USB Input Device 6.1.7601.17514 HIDClass (Standard system devices) 0002.0000.0000.001.000.000.000.000.000

[*] Results saved in: /root/.msf4/loot/20110823151419_default_192.168.1.146_host.hardware_345918.txt
[*] Post module execution completed
msf post(enum_devices) >



I am also working on a post module which enumerates popular software keys (Office and Windows keys atm).
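The verbose run above prints Plug and Play hardware IDs such as VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00, which encode vendor and device numbers. As an added example (not part of the original post or of the module's code), this Ruby code splits those IDs into fields for an inventory; the function names are hypothetical and the vendor names are a small hand-entered sample, not a full PCI/USB ID database.

```ruby
# Added example: parse the hardware IDs from the module's verbose output.
# Vendor tables are a hand-entered sample covering only the IDs shown on this page.
PCI_VENDORS = { '1000' => 'LSI Logic', '1274' => 'Ensoniq', '15AD' => 'VMware' }.freeze
USB_VENDORS = { '0E0F' => 'VMware' }.freeze

# PCI: VEN_vvvv&DEV_dddd&SUBSYS_ssssnnnn&REV_rr (ssss = subsystem, nnnn = its vendor)
PCI_ID = /\AVEN_(?<ven>\h{4})&DEV_(?<dev>\h{4})
          (?:&SUBSYS_(?<sub>\h{4})(?<subven>\h{4}))?(?:&REV_(?<rev>\h{2}))?\z/xi
# USB: VID_vvvv&PID_pppp with an optional interface number (MI_nn)
USB_ID = /\AVID_(?<vid>\h{4})&PID_(?<pid>\h{4})(?:&MI_(?<mi>\h{2}))?\z/i

# Returns a hash of decoded fields, or nil if the string is not a PCI/USB ID.
def parse_hardware_id(id)
  if (m = PCI_ID.match(id))
    ven = m[:ven].upcase
    { bus: :pci, vendor_id: ven, device_id: m[:dev].upcase,
      subsystem_id: m[:sub]&.upcase, subsystem_vendor_id: m[:subven]&.upcase,
      revision: m[:rev]&.upcase, vendor: PCI_VENDORS.fetch(ven, 'unknown') }
  elsif (m = USB_ID.match(id))
    vid = m[:vid].upcase
    { bus: :usb, vendor_id: vid, product_id: m[:pid].upcase,
      interface: m[:mi]&.upcase, vendor: USB_VENDORS.fetch(vid, 'unknown') }
  end
end

# Extract IDs from "[*] Enumerating <id>" lines; the hostname line and the
# "snip" marker do not match and are skipped.
def ids_from_verbose(output)
  output.each_line.filter_map do |line|
    id = line[/\A\[\*\] Enumerating (\S+)\s*\z/, 1]
    parse_hardware_id(id) if id
  end
end

# Count devices per vendor, e.g. to spot that the host is a virtual machine.
def vendor_counts(devices)
  devices.map { |d| d[:vendor] }.tally
end

# Sample input: lines copied from the verbose output shown in this post.
SAMPLE = <<~OUT
  [*] Enumerating hardware on WIN-684G41EV82S
  [*] Enumerating VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01
  [*] Enumerating VEN_1274&DEV_1371&SUBSYS_13711274&REV_02
  [*] Enumerating VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00
  ...snip for brevity...
  [*] Enumerating VID_0E0F&PID_0003&MI_01
OUT

vendor_counts(ids_from_verbose(SAMPLE)).each { |v, n| puts "#{v}: #{n}" }
```
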