Intro to RailGun: WIN API for Meterpreter
Back on June 13th, “Patrick HVE” released RAILGUN:
And it was merged into the Metasploit trunk with revisions 9709, 9710, 9711 and 9712: http://www.metasploit.com/redmine/projects/framework/repository/revisions/9712
Basically what this allows you to do is make Windows API calls from Meterpreter without compiling your own DLL. It currently supports a number of Windows API dlls:
(You can find out exactly what functions are available by default in the api.rb file)
It’s also very extensible: if it doesn’t have a DLL or function you need, you can add it yourself. You can read all about that in the manual:
Here are two examples where this comes in very handy:
The problem that I’ve had on a number of pentests is that you get shell, but from CMD or Meterpreter there is no good way to find all of the volumes (drives) attached.
- net use - Shows you what Network drives are connected, but not physical ones
- fsutil fsinfo drives - You must be an administrator to ride this train
- fdisk /status - Only on OLD versions of DOS, not sure when this disappeared
But railgun solves this problem with a really short script:
Drives Available = ["A", "C", "D", "P", "X"]
Save this as a Meterpreter script and it’ll print every logical drive attached to the system that the current user can see, even as a limited user.
Logical drives include: (hdd, network, mass storage, optical, etc). This opens up the doors to infecting USB sticks and network drives…
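To make the idea concrete, here is an added example (not the original post’s script) of the core of such a Meterpreter script: kernel32!GetLogicalDrives returns a DWORD bitmask in which bit 0 is A:, bit 1 is B:, and so on up to bit 25 for Z:, and the script just decodes that mask. It assumes the Railgun result hash exposes the return value under the 'return' key (check api.rb), and it ships with a constructed stand-in for the session object so it runs offline; in a real script, `client` is the live session.

```ruby
# Decode the GetLogicalDrives bitmask: bit n set means drive (A + n): exists.
def drive_letters(mask)
  (0..25).select { |bit| (mask >> bit) & 1 == 1 }.map { |bit| ('A'.ord + bit).chr }
end

# Fetch the mask through Railgun and decode it. Assumes the Railgun call returns
# a hash with the DWORD under 'return' (assumption; verify against api.rb).
def railgun_drives(client)
  result = client.railgun.kernel32.GetLogicalDrives()
  drive_letters(result['return'])
end

# Constructed stand-in for a Meterpreter session so the script runs offline;
# it mimics client.railgun.kernel32.GetLogicalDrives() for a fixed mask.
class FakeKernel32
  def initialize(mask); @mask = mask; end
  def GetLogicalDrives; { 'GetLastError' => 0, 'return' => @mask }; end
end
class FakeRailgun
  def initialize(mask); @k32 = FakeKernel32.new(mask); end
  def kernel32; @k32; end
end
class FakeClient
  def initialize(mask); @rg = FakeRailgun.new(mask); end
  def railgun; @rg; end
end

# Constructed mask with bits 0, 2, 3, 15 and 23 set: drives A, C, D, P, X.
SAMPLE_MASK = 0b1000_0000_1000_0000_0000_1101

if __FILE__ == $0
  # With a live session you would pass `client` instead of the fake.
  puts "Drives Available = #{railgun_drives(FakeClient.new(SAMPLE_MASK)).inspect}"
end
```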
One of the problems with keylogging is that you never know when the person will log in. If you got in through a client-side exploit, they have probably already logged in, and you’re left hoping they log into a portal or some other password-protected site.
Railgun to the rescue again:
Set up “tail -f” going on the log file for the keylogger and then kill the keylogger when you’ve gotten what you came for.
Hope you have fun with railgun and shoot me an email firstname.lastname@example.org or leave a comment if you have any other crazy uses for railgun.