
Add version detection for newer Windows #687

Merged
merged 2 commits into from
Dec 5, 2023

Conversation

zeroSteiner
Contributor

@zeroSteiner zeroSteiner commented Nov 28, 2023

Add version detection by checking the build number for Server 2019, Server 2022 and Windows 11. Server versions also now have the word "Server" in their OS string which more closely resembles the string shown in "System Information" app. The OS Name is typically "Microsoft Windows (?p) (Server)? \d+ (?p)" if written as a regex. The exception is Windows .NET Server instead of Windows Server 2003 which I've never understood but remains the same. Build numbers were taken from Metasploit to ensure consistency.

Testing:

  • Obtain a Meterpreter session on a Server 2019, Server 2022 or Windows 11 system
  • See the correct OS information in the output of sysinfo instead of "Windows 10" (in place of Windows 11) or "Windows 2016+" (in place of Windows Server 2019 or Windows Server 2022)
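As an added illustration of the build-number mapping this PR describes (example code, not code from this PR or from the metasploit-payloads project), a small C routine that produces the sysinfo-style OS line. It assumes the thresholds 17763, 20348 and 22000 shown in the testing output, an `is_server` flag standing in for the OS product-type check, and an assumed "Windows Server 2016" fallback for earlier 10.0 server builds.

```c
#include <stdio.h>
#include <string.h>

/* Build-number thresholds, as seen in the sysinfo output in this PR.
 * All of these releases report kernel version 10.0, so the build number
 * is the only field that tells them apart. */
#define BUILD_SERVER_2019 17763
#define BUILD_SERVER_2022 20348
#define BUILD_WINDOWS_11  22000

/* Marketing name for a 10.0 kernel. is_server mirrors the product-type
 * check (workstation vs. server) that a real implementation would read
 * from the OS; here it is just a parameter. */
static const char *win10_family_name(unsigned build, int is_server)
{
    if (is_server) {
        if (build >= BUILD_SERVER_2022) return "Windows Server 2022";
        if (build >= BUILD_SERVER_2019) return "Windows Server 2019";
        return "Windows Server 2016";   /* assumed fallback for earlier 10.0 server builds */
    }
    return build >= BUILD_WINDOWS_11 ? "Windows 11" : "Windows 10";
}

/* Render the OS line the way sysinfo prints it:
 * "<name> (<major>.<minor> Build <build>)". Uses a static buffer for
 * simplicity, so the result is only valid until the next call. */
const char *os_name(unsigned major, unsigned minor, unsigned build, int is_server)
{
    static char buf[64];
    const char *name = (major == 10 && minor == 0)
                     ? win10_family_name(build, is_server)
                     : "Windows";   /* pre-10.0 kernels are out of scope here */
    snprintf(buf, sizeof buf, "%s (%u.%u Build %u)", name, major, minor, build);
    return buf;
}

int main(void)
{
    /* Constructed inputs mirroring the three systems tested in this PR,
     * plus one older Windows 10 client build (constructed sample). */
    puts(os_name(10, 0, 17763, 1));   /* Windows Server 2019 (10.0 Build 17763) */
    puts(os_name(10, 0, 20348, 1));   /* Windows Server 2022 (10.0 Build 20348) */
    puts(os_name(10, 0, 22000, 0));   /* Windows 11 (10.0 Build 22000) */
    puts(os_name(10, 0, 19045, 0));   /* Windows 10 (10.0 Build 19045) */
    return 0;
}
```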

Add version detection by checking the build number for Server 2019,
Server 2022 and Windows 11.
@bwatters-r7
Contributor

Old:

msf6 payload(windows/x64/meterpreter/reverse_tcp) > 
[*] Sending stage (200774 bytes) to 10.5.132.126
[*] Meterpreter session 2 opened (10.5.135.201:4585 -> 10.5.132.126:49844) at 2023-12-04 11:53:58 -0600

msf6 payload(windows/x64/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer        : WIN-2E6BPFGP9F7
OS              : Windows 2016+ (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
msf6 payload(windows/x64/meterpreter/reverse_tcp) > 
[*] Sending stage (200774 bytes) to 10.5.132.136
[*] Meterpreter session 1 opened (10.5.135.201:4585 -> 10.5.132.136:51626) at 2023-12-04 16:11:58 -0600

msf6 payload(windows/x64/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : DESKTOP-7M0LC28
OS              : Windows 10 (10.0 Build 22000).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows

New:

[*] Sending stage (224326 bytes) to 10.5.132.126
WARNING: Local file /home/tmoose/rapid7/metasploit-framework/data/meterpreter/ext_server_stdapi.x64.dll is being used
WARNING: Local file /home/tmoose/rapid7/metasploit-framework/data/meterpreter/ext_server_priv.x64.dll is being used
[*] Meterpreter session 3 opened (10.5.135.201:4585 -> 10.5.132.126:50094) at 2023-12-05 09:23:16 -0600

meterpreter > background
[*] Backgrounding session 2...
msf6 payload(windows/x64/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 3...

meterpreter > sysinfo
Computer        : WIN-2E6BPFGP9F7
OS              : Windows Server 2019 (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > 

msf6 payload(windows/x64/meterpreter/reverse_tcp) > WARNING: Local file /home/tmoose/rapid7/metasploit-framework/data/meterpreter/metsrv.x64.dll is being used
[*] Sending stage (224326 bytes) to 10.5.132.154
WARNING: Local file /home/tmoose/rapid7/metasploit-framework/data/meterpreter/ext_server_stdapi.x64.dll is being used
WARNING: Local file /home/tmoose/rapid7/metasploit-framework/data/meterpreter/ext_server_priv.x64.dll is being used
[*] Meterpreter session 2 opened (10.5.135.201:4568 -> 10.5.132.154:53796) at 2023-12-05 09:21:21 -0600

msf6 payload(windows/x64/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer        : WIN-ED9OLD6JEO6
OS              : Windows Server 2022 (10.0 Build 20348).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > 

msf6 payload(windows/x64/meterpreter/reverse_tcp) > 
[*] Started reverse TCP handler on 10.5.135.201:4585 
WARNING: Local file /home/tmoose/rapid7/metasploit-framework/data/meterpreter/metsrv.x64.dll is being used
WARNING: Local files may be incompatible with the Metasploit Framework
[*] Sending stage (224326 bytes) to 10.5.132.136
WARNING: Local file /home/tmoose/rapid7/metasploit-framework/data/meterpreter/ext_server_stdapi.x64.dll is being used
WARNING: Local file /home/tmoose/rapid7/metasploit-framework/data/meterpreter/ext_server_priv.x64.dll is being used
[*] Meterpreter session 1 opened (10.5.135.201:4585 -> 10.5.132.136:49990) at 2023-12-05 09:18:59 -0600

msf6 payload(windows/x64/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : DESKTOP-7M0LC28
OS              : Windows 11 (10.0 Build 22000).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > 

@bwatters-r7 bwatters-r7 merged commit 4810c5c into rapid7:master Dec 5, 2023
3 checks passed
@bwatters-r7
Contributor

Release Notes

This PR adds the ability to give the pretty OS name based on the build version since Microsoft has changed the historic behavior by retaining the major build version as 10 through all Windows 10 and 11 releases, and all Windows server versions from 2016 up to 2022.
