Credentials from collection/prompt now scraped into the creds db

2015-08-29 20:34:23 -04:00 · 2015-08-29 20:34:23 -04:00 · c021bdf6f3
parent a669c85824
commit c021bdf6f3
2 changed files with 51 additions and 2 deletions
--- a/lib/common/agents.py
+++ b/lib/common/agents.py
@ -892,6 +892,19 @@ class Agents:

            # dynamic script output -> blocking
            self.update_agent_results(sessionID, data)
+
+            # see if there are any credentials to parse
+            time = helpers.get_datetime()
+            creds = helpers.parse_credentials(data)
+            for cred in creds:
+
+                hostname = cred[4]
+                
+                if hostname == "":
+                    hostname = self.get_agent_hostname(sessionID)
+
+                self.mainMenu.credentials.add_credential(cred[0], cred[1], cred[2], cred[3], hostname, cred[5], time)
+
            # update the agent log
            self.save_agent_log(sessionID, data)

@ -938,8 +951,8 @@ class Agents:
                        hostname = cred[4]
                        
                        if hostname == "":
-                            hostname = self.get_agent_hostname(sessionID
-                                )
+                            hostname = self.get_agent_hostname(sessionID)
+
                        self.mainMenu.credentials.add_credential(cred[0], cred[1], cred[2], cred[3], hostname, cred[5], time)


--- a/lib/common/helpers.py
+++ b/lib/common/helpers.py
@ -203,6 +203,42 @@ def strip_powershell_comments(data):
 #
 ###############################################################

+def parse_credentials(data):
+    """
+    Parse module output, looking for any parseable sections.
+    """
+
+    parts = data.split("\n")
+
+    # tag for Invoke-Mimikatz output
+    if parts[0].startswith("Hostname:"):
+        return parse_mimikatz(data)
+
+    # collection/prompt output
+    elif parts[0].startswith("[+] Prompted credentials:"):
+        
+        parts = parts[0].split("->")
+        if len(parts) == 2:
+            
+            username = parts[1].split(":",1)[0].strip()
+            password = parts[1].split(":",1)[1].strip()
+
+            if "\\" in username:
+                domain = username.split("\\")[0].strip()
+                username = username.split("\\")[1].strip()
+            else:
+                domain = ""
+            
+            return [("plaintext", domain, username, password, "", "")]
+
+        else:
+            print helpers.color("[!] Error in parsing prompted credential output.")
+            return None
+    
+    else:
+        return None
+
+
 def parse_mimikatz(data):
    """
    Parse the output from Invoke-Mimikatz to return credential sets.