Meterpreter API

During a penetration test, you might be unable to find an existing script that matches what you need in order to perform a required task. If you understand the basic concepts of programming, it should be relatively easy for you to pick up the Ruby syntax and use it to write additional scripts.

Let’s start off with a basic print statement that uses the interactive Ruby shell, also known as irb. From the Meterpreter console, issue the irb command and begin typing commands:

meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client
>>

After you are inside the interactive shell, you can use it to test the different API calls from Meterpreter.

Printing Output

Let’s start with the print_line() call, which will print the output and add a carriage return at the end:

>> print_line("you have been pwnd!")
you have been pwnd!
=> nil

The next call is print_status(), which is the one used most often in scripts. This call prints the status of whatever is executing, prefixed with [*], and adds a carriage return:

>> print_status("you have been pwnd!")
[*] you have been pwnd!
=> nil

The next call is print_good(), which is used to provide the results of an action or to indicate that the action was successful:

>> print_good("you have been pwnd")
[+] you have been pwnd
=> nil

The next call is print_error(), which is used to provide an error message or to indicate that an action was not possible:

>> print_error("you have been pwnd!")
[-] you have been pwnd!
=> nil

Base API Calls

Meterpreter includes many API calls that you can use in your scripts to provide additional functionality or customization. You can use several reference points for these API calls. The one most often used by scripting newbies is the code that shows how the Meterpreter console user interface (UI) uses the calls; you can use it as a base to continue writing scripts. To access this code, read the files under /opt/framework3/msf3/lib/rex/post/meterpreter/ui/console/command_dispatcher/ in Back|Track. If you create a listing of the folder contents, you can see the files that contain the various commands you can use:

root@bt:~# ls -F /opt/framework3/msf3/lib/rex/post/meterpreter/ui/console/command_dispatcher/
core.rb  espia.rb  incognito.rb  networkpug.rb  priv/  priv.rb  sniffer.rb  stdapi/  stdapi.rb

Within these scripts are the various Meterpreter core, desktop interaction, privileged operations, and many more commands. Review these scripts to become intimately familiar with how Meterpreter operates within a compromised system.

Meterpreter Mixins

The Meterpreter mixins are a series of calls that represent the most common tasks undertaken in a Meterpreter script. These calls are not available in irb and can be used only when creating a script for Meterpreter. Following is a list of some of the most notable calls:

cmd_exec(cmd) Executes the given command as hidden and channelized. The output of the command is provided as a multiline string.
eventlog_clear(evt = "") Clears a given event log or all event logs if none is given. Returns an array of event logs that were cleared.
eventlog_list() Enumerates the event logs and returns an array containing the names of the event logs.
file_local_digestmd5(file2md5) Returns a string with the MD5 checksum of a given local file.
file_local_digestsha1(file2sha1) Returns a string with the SHA1 checksum of a given local file.
file_local_digestsha2(file2sha2) Returns a string with the SHA256 checksum of a given local file.
file_local_write(file2wrt, data2wrt) Writes a given string to a specified file.
is_admin?() Identifies whether or not the user is an admin. Returns true if the user is an admin and false if not.
is_uac_enabled?() Determines whether User Account Control (UAC) is enabled on the system.
registry_createkey(key) Creates a given registry key and returns true if successful.
registry_deleteval(key,valname) Deletes a registry value given the key and value name. Returns true if successful.
registry_delkey(key) Deletes a given registry key and returns true if successful.
registry_enumkeys(key) Enumerates the subkeys of a given registry key and returns an array of subkeys.
registry_enumvals(key) Enumerates the values of a given registry key and returns an array of value names.
registry_getvaldata(key,valname) Returns the data of a given registry key and its value.
registry_getvalinfo(key,valname) Returns the data and type of a given registry key and its value.
registry_setvaldata(key,valname,data,type) Sets the data for a given value and type of data on the target registry. Returns true if successful.
service_change_startup(name,mode) Changes a given service's startup mode. Both the name and the mode must be provided. The mode is a string: auto, manual, or disable. The service name is case sensitive.
service_create(name, display_name, executable_on_host,startup=2) Function for the creation of a service that runs its own process. Its parameters are the service name as a string, the display name as a string, the path of the executable on the host that will execute at startup as a string, and the startup type as an integer: 2 for Auto, 3 for Manual, or 4 for Disable (default is Auto).
service_delete(name) Function for deleting a service by deleting the key in the registry.
service_info(name) Gets Windows service information. The information is returned in a hash with display name, startup mode, and command executed by the service. The service name is case sensitive. Hash keys are Name, Start, Command, and Credentials.
service_list() Lists all Windows services present. Returns an array containing the services’ names.
service_start(name) Function for service startup. Returns 0 if the service is started, 1 if the service is already started, and 2 if service is disabled.
service_stop(name) Function for stopping a service. Returns 0 if the service is stopped successfully, 1 if the service is already stopped or disabled, and 2 if the service cannot be stopped.

You should understand the basics regarding the Meterpreter mixin calls that you can use to add functionality to your custom script.
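The following is an added example, not code from this book or from Metasploit. It shows how a script composes the mixin calls listed above and how it should treat their return values: gating privileged work on is_admin?(), walking service_list() into service_info(name), pairing registry_enumvals() with registry_getvaldata(), and turning the 0/1/2 codes of service_start() into messages with the same [*], [+] and [-] prefixes the print_* calls use. In a real Meterpreter script the mixins are called directly because the script runs inside the session; here they are reached through a session object that answers to the same method names so the logic can be run offline. FakeSession and every value it returns are constructed sample data, not a real host, and the assumption that the Start key of service_info() uses the same 2/3/4 encoding documented for service_create() is mine, not the book's.

```ruby
# Added example: control flow of a read-only Meterpreter audit script using the
# mixin calls described above, with the session injected so it runs offline.

# Return codes of service_start(name), as documented on the page.
SERVICE_START_RESULT = { 0 => 'started', 1 => 'already started', 2 => 'disabled' }.freeze

# Startup mode integers documented for service_create(); ASSUMED here to be the
# encoding of the Start key returned by service_info() as well.
STARTUP_MODE = { 2 => 'auto', 3 => 'manual', 4 => 'disabled' }.freeze

# One record per service, from service_list() plus service_info(name).
# service_info() returns a hash keyed Name, Start, Command and Credentials.
def audit_services(session)
  session.service_list.map do |name|
    info = session.service_info(name)
    {
      name: name,
      start: STARTUP_MODE.fetch(info['Start'], "unknown(#{info['Start']})"),
      command: info['Command'],
      credentials: info['Credentials'],
    }
  end
end

# Values under a registry key as a name => data hash, from
# registry_enumvals(key) plus registry_getvaldata(key, valname).
def registry_values(session, key)
  session.registry_enumvals(key).each_with_object({}) do |valname, acc|
    acc[valname] = session.registry_getvaldata(key, valname)
  end
end

# Translate the integer from service_start(name) into a message with the prefix
# print_good()/print_status()/print_error() would give it.
def describe_service_start(code, name)
  case code
  when 0 then "[+] #{name}: #{SERVICE_START_RESULT[0]}"
  when 1 then "[*] #{name}: #{SERVICE_START_RESULT[1]}"
  when 2 then "[-] #{name}: #{SERVICE_START_RESULT[2]}"
  else        "[-] #{name}: unexpected return value #{code.inspect}"
  end
end

# Whole script flow: privileged enumeration is gated on is_admin?() instead of
# letting individual calls fail half-way through. Returns the report lines.
def run_audit(session, run_key)
  return ['[-] Not running as an administrator; aborting'] unless session.is_admin?

  lines = ["[*] UAC enabled: #{session.is_uac_enabled?}"]
  audit_services(session).each do |svc|
    lines << "[+] service #{svc[:name]} (#{svc[:start]}): #{svc[:command]}"
  end
  registry_values(session, run_key).each do |valname, data|
    lines << "[+] autorun #{valname} => #{data}"
  end
  lines
end

# Constructed stand-in for the Meterpreter session; all data below is made up.
class FakeSession
  SERVICES = {
    'Spooler' => { 'Name' => 'Spooler', 'Start' => 2,
                   'Command' => 'C:\\Windows\\System32\\spoolsv.exe', 'Credentials' => 'LocalSystem' },
    'SysmonX' => { 'Name' => 'SysmonX', 'Start' => 3,
                   'Command' => 'C:\\Tools\\sysmon.exe', 'Credentials' => 'LocalSystem' },
  }.freeze
  REGISTRY = {
    'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' => {
      'Updater' => 'C:\\Program Files\\Example\\upd.exe',
    },
  }.freeze

  def initialize(admin: true, uac: true)
    @admin = admin
    @uac = uac
  end

  def is_admin?;        @admin; end
  def is_uac_enabled?;  @uac;   end
  def service_list;     SERVICES.keys; end
  def service_info(name); SERVICES.fetch(name); end
  def registry_enumvals(key); REGISTRY.fetch(key, {}).keys; end
  def registry_getvaldata(key, valname); REGISTRY.fetch(key, {})[valname]; end
end

if __FILE__ == $PROGRAM_NAME
  puts run_audit(FakeSession.new, 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run')
  puts describe_service_start(1, 'Spooler')
end
```

In a real script, replace the session object with the mixins themselves (call service_list, service_info, and so on directly) and feed each line of the report to print_status, print_good or print_error according to its prefix.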
