Land rapid7#3488 - loot storage into the enum_services post module

wchen-r7 · wchen-r7 · commit f1b7a9f421f9 · 2014-07-03T14:18:16.000-05:00
diff --git a/modules/post/windows/gather/enum_services.rb b/modules/post/windows/gather/enum_services.rb
@@ -16,8 +16,8 @@ def initialize(info={})
       'Name'                 => "Windows Gather Service Info Enumeration",
       'Description'          => %q{
         This module will query the system for services and display name and configuration
-        info for each returned service. It allows you to optionally search the credentials, path, or start
-        type for a string and only return the results that match. These query operations
+        info for each returned service. It allows you to optionally search the credentials, path,
+        or start type for a string and only return the results that match. These query operations
         are cumulative and if no query strings are specified, it just returns all services.
         NOTE: If the script hangs, windows firewall is most likely on and you did not
         migrate to a safe process (explorer.exe for example).
@@ -36,9 +36,12 @@ def initialize(info={})
   end
 
 
+
   def run
 
     # set vars
+    lootString = ""
+    credentialCount = {}
     qcred = datastore["CRED"] || nil
     qpath = datastore["PATH"] || nil
     if datastore["TYPE"] == "All"
@@ -47,24 +50,29 @@ def run
       qtype = datastore["TYPE"]
     end
     if qcred
-      print_status("Credential Filter: " + qcred)
+      print_status("Credential Filter: #{qcred}")
     end
     if qpath
-      print_status("Executable Path Filter: " + qpath)
+      print_status("Executable Path Filter: #{qpath}")
     end
     if qtype
-      print_status("Start Type Filter: " + qtype)
+      print_status("Start Type Filter: #{qtype}")
+    end
+
+    if datastore['VERBOSE']
+      print_status("Listing Service Info for matching services:")
+    else
+      print_status("Detailed output is only printed when VERBOSE is set to True. Running this module can take some time.\n")
     end
 
-    print_status("Listing Service Info for matching services:")
     service_list.each do |sname|
       srv_conf = {}
       isgood = true
-      #make sure we got a service name
+      # make sure we got a service name
       if sname
         begin
           srv_conf = service_info(sname)
-          #filter service based on filters passed, the are cumulative
+          # filter service based on filters passed, the are cumulative
           if qcred and ! srv_conf['Credentials'].downcase.include? qcred.downcase
             isgood = false
           end
@@ -75,22 +83,45 @@ def run
           if qtype and ! (srv_conf['Startup'] || '').downcase.include? qtype.downcase
             isgood = false
           end
+          # count the occurance of specific credentials services are running as
+          serviceCred = srv_conf['Credentials'].upcase
+          unless serviceCred.empty?
+            if credentialCount.has_key?(serviceCred)
+              credentialCount[serviceCred] += 1
+            else
+              credentialCount[serviceCred] = 1
+              # let the user know a new service account has been detected for possible lateral
+              # movement opportunities
+              print_good("New service credential detected: #{sname} is running as '#{srv_conf['Credentials']}'")
+            end
+          end
 
-          #if we are still good return the info
+          # if we are still good return the info
           if isgood
-            vprint_status("\tName: #{sname}")
-            vprint_good("\t\tStartup: #{srv_conf['Startup']}")
-            vprint_good("\t\tCommand: #{srv_conf['Command']}")
-            vprint_good("\t\tCredentials: #{srv_conf['Credentials']}")
+            msgString = "\tName: #{sname}"
+            msgString << "\n\t\tStartup: #{srv_conf['Startup']}"
+            #remove invalid char at the end
+            commandString = srv_conf['Command']
+            commandString.gsub!(/[\x00-\x08\x0b\x0c\x0e-\x19\x7f-\xff]+/n,"")
+            msgString << "\n\t\t#{commandString}"
+            msgString << "\n\t\tCredentials: #{srv_conf['Credentials']}\n"
+            vprint_good(msgString)
+            lootString << msgString
           end
-        rescue
+        rescue ::Exception => e
+          # July 3rd 2014 wchen-r7: Not very sure what exceptions this method is trying to rescue,
+          # probably the typical shut-everything-up coding habit. We'll have to fix this later,
+          # but for now let's at least print the error for debugging purposes
           print_error("An error occured enumerating service: #{sname}")
+          print_error(e.to_s)
         end
       else
-        print_error("Problem enumerating services")
+        print_error("Problem enumerating services (no service name found)")
       end
-
     end
+      # store loot on completion of collection
+      p = store_loot("windows.services", "text/plain", session, lootString, "windows_services.txt", "Windows Services")
+      print_good("Loot file stored in: #{p.to_s}")
   end
 
 end
