From c021bdf6f3e4d3ff6ae2d20d6a6cc87de92786cb Mon Sep 17 00:00:00 2001
From: Harmj0y
Date: Sat, 29 Aug 2015 20:34:23 -0400
Subject: [PATCH] Credentials from collection/prompt now scraped into the creds db

---
 lib/common/agents.py | 17 +++++++++++++++--
 lib/common/helpers.py | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+), 2 deletions(-)

diff --git a/lib/common/agents.py b/lib/common/agents.py
index b5b24d9..d9305b7 100644
--- a/lib/common/agents.py
+++ b/lib/common/agents.py
@@ -892,6 +892,19 @@ class Agents:
 # dynamic script output -> blocking
 self.update_agent_results(sessionID, data)
+
+ # see if there are any credentials to parse
+ time = helpers.get_datetime()
+ creds = helpers.parse_credentials(data)
+ for cred in creds:
+
+ hostname = cred[4]
+
+ if hostname == "":
+ hostname = self.get_agent_hostname(sessionID)
+
+ self.mainMenu.credentials.add_credential(cred[0], cred[1], cred[2], cred[3], hostname, cred[5], time)
+
 # update the agent log
 self.save_agent_log(sessionID, data)
@@ -938,8 +951,8 @@ class Agents:
 hostname = cred[4]
 if hostname == "":
- hostname = self.get_agent_hostname(sessionID
- )
+ hostname = self.get_agent_hostname(sessionID)
+
 self.mainMenu.credentials.add_credential(cred[0], cred[1], cred[2], cred[3], hostname, cred[5], time)
diff --git a/lib/common/helpers.py b/lib/common/helpers.py
index ce906c6..5c8d516 100644
--- a/lib/common/helpers.py
+++ b/lib/common/helpers.py
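Review bot: `for cred in creds:` in the new block after `update_agent_results` will raise `TypeError` on most agent output, because `helpers.parse_credentials` (see the helpers.py hunk) returns `None` unless the first line carries one of its two tags, and `None` is not iterable; every ordinary task result would then fail before `save_agent_log` runs. Guard the loop, `for cred in creds or []:`, or make the parser return `[]` on no match; the existing block in the second agents.py hunk appears to iterate the same parser result and would need the same guard. The block also binds a local named `time`; if this module imports the `time` module, that name is shadowed for the rest of the method, so `timestamp = helpers.get_datetime()` is the safer spelling. The new lines duplicate the block at the second hunk almost verbatim, which is a good candidate for one private helper called from both places. The enclosing method starts and ends outside the hunk.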
@@ -203,6 +203,42 @@ def strip_powershell_comments(data):
 # ###############################################################
+def parse_credentials(data):
+ """
+ Parse module output, looking for any parseable sections.
+ """
+
+ parts = data.split("\n")
+
+ # tag for Invoke-Mimikatz output
+ if parts[0].startswith("Hostname:"):
+ return parse_mimikatz(data)
+
+ # collection/prompt output
+ elif parts[0].startswith("[+] Prompted credentials:"):
+
+ parts = parts[0].split("->")
+ if len(parts) == 2:
+
+ username = parts[1].split(":",1)[0].strip()
+ password = parts[1].split(":",1)[1].strip()
+
+ if "\\" in username:
+ domain = username.split("\\")[0].strip()
+ username = username.split("\\")[1].strip()
+ else:
+ domain = ""
+
+ return [("plaintext", domain, username, password, "", "")]
+
+ else:
+ print helpers.color("[!] Error in parsing prompted credential output.")
+ return None
+
+ else:
+ return None
+
+
 def parse_mimikatz(data):
 """
 Parse the output from Invoke-Mimikatz to return credential sets.
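Review bot: `print helpers.color(...)` in the error branch of `parse_credentials` refers to `helpers` from inside `lib/common/helpers.py` itself, which raises `NameError` unless this module imports itself; if `color` is defined in this file, the call should be `print color(...)`. That branch is only reached when `->` is missing, while a line that has `->` but no `:` reaches `parts[1].split(":",1)[1]` and raises `IndexError` instead, so malformed prompt output crashes the caller rather than being reported. Both no-match paths `return None`, which the new agents.py code iterates directly; returning `[]` from every path that finds nothing is the contract the caller actually needs. A `str.partition`-based version of the prompt branch that reports both malformed shapes and keeps the existing tuple layout follows; `parse_mimikatz` continues outside the hunk.
```python
def parse_credentials(data):
    # … unchanged: docstring, split on "\n", Invoke-Mimikatz branch …

    # collection/prompt output, expected as "[+] Prompted credentials: -> [DOMAIN\]user:password"
    elif parts[0].startswith("[+] Prompted credentials:"):
        _, arrow, cred_text = parts[0].partition("->")
        username, colon, password = cred_text.partition(":")
        if not arrow or not colon:
            # report, but never raise: this is free-form agent output
            print color("[!] Error in parsing prompted credential output.")
            return []

        username = username.strip()
        password = password.strip()
        domain, slash, user = username.partition("\\")
        if not slash:
            domain, user = "", username
        return [("plaintext", domain.strip(), user.strip(), password, "", "")]

    else:
        # nothing recognisable: empty list so callers can iterate unconditionally
        return []
```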