186 lines
6.0 KiB
Ruby
186 lines
6.0 KiB
Ruby
# -*- coding: binary -*-
|
|
#
|
|
|
|
module Rex
|
|
module Parser
|
|
|
|
# This is a parser for the Windows Group Policy Preferences file
|
|
# format. It's used by modules/post/windows/gather/credentials/gpp.rb
|
|
# and uses REXML (as opposed to Nokogiri) for its XML parsing.
|
|
# See: http://msdn.microsoft.com/en-gb/library/cc232587.aspx
|
|
class GPP
|
|
require 'rex'
|
|
require 'rexml/document'
|
|
|
|
def self.parse(data)
|
|
if data.nil?
|
|
return []
|
|
end
|
|
|
|
xml = REXML::Document.new(data).root
|
|
results = []
|
|
|
|
unless xml and xml.elements and xml.elements.to_a("//Properties")
|
|
return []
|
|
end
|
|
|
|
xml.elements.to_a("//Properties").each do |node|
|
|
epassword = node.attributes['cpassword']
|
|
next if epassword.to_s.empty?
|
|
password = self.decrypt(epassword)
|
|
|
|
user = node.attributes['runAs'] if node.attributes['runAs']
|
|
user = node.attributes['accountName'] if node.attributes['accountName']
|
|
user = node.attributes['username'] if node.attributes['username']
|
|
user = node.attributes['userName'] if node.attributes['userName']
|
|
user = node.attributes['newName'] unless node.attributes['newName'].nil? || node.attributes['newName'].empty?
|
|
changed = node.parent.attributes['changed']
|
|
|
|
# Printers and Shares
|
|
path = node.attributes['path']
|
|
|
|
# Datasources
|
|
dsn = node.attributes['dsn']
|
|
driver = node.attributes['driver']
|
|
|
|
# Tasks
|
|
app_name = node.attributes['appName']
|
|
|
|
# Services
|
|
service = node.attributes['serviceName']
|
|
|
|
# Groups
|
|
expires = node.attributes['expires']
|
|
never_expires = node.attributes['neverExpires']
|
|
disabled = node.attributes['acctDisabled']
|
|
|
|
result = {
|
|
:USER => user,
|
|
:PASS => password,
|
|
:CHANGED => changed
|
|
}
|
|
|
|
result.merge!({ :EXPIRES => expires }) unless expires.nil? || expires.empty?
|
|
result.merge!({ :NEVER_EXPIRES => never_expires.to_i }) unless never_expires.nil? || never_expires.empty?
|
|
result.merge!({ :DISABLED => disabled.to_i }) unless disabled.nil? || disabled.empty?
|
|
result.merge!({ :PATH => path }) unless path.nil? || path.empty?
|
|
result.merge!({ :DATASOURCE => dsn }) unless dsn.nil? || dsn.empty?
|
|
result.merge!({ :DRIVER => driver }) unless driver.nil? || driver.empty?
|
|
result.merge!({ :TASK => app_name }) unless app_name.nil? || app_name.empty?
|
|
result.merge!({ :SERVICE => service }) unless service.nil? || service.empty?
|
|
|
|
attributes = []
|
|
node.elements.each('//Attributes//Attribute') do |dsn_attribute|
|
|
attributes << {
|
|
:A_NAME => dsn_attribute.attributes['name'],
|
|
:A_VALUE => dsn_attribute.attributes['value']
|
|
}
|
|
end
|
|
|
|
result.merge!({ :ATTRIBUTES => attributes }) unless attributes.empty?
|
|
|
|
results << result
|
|
end
|
|
|
|
results
|
|
end
|
|
|
|
def self.create_tables(results, filetype, domain=nil, dc=nil)
|
|
tables = []
|
|
results.each do |result|
|
|
table = Rex::Text::Table.new(
|
|
'Header' => 'Group Policy Credential Info',
|
|
'Indent' => 1,
|
|
'SortIndex' => -1,
|
|
'Columns' =>
|
|
[
|
|
'Name',
|
|
'Value',
|
|
]
|
|
)
|
|
|
|
table << ["TYPE", filetype]
|
|
table << ["USERNAME", result[:USER]]
|
|
table << ["PASSWORD", result[:PASS]]
|
|
table << ["DOMAIN CONTROLLER", dc] unless dc.nil? || dc.empty?
|
|
table << ["DOMAIN", domain] unless domain.nil? || domain.empty?
|
|
table << ["CHANGED", result[:CHANGED]]
|
|
table << ["EXPIRES", result[:EXPIRES]] unless result[:EXPIRES].nil? || result[:EXPIRES].empty?
|
|
table << ["NEVER_EXPIRES?", result[:NEVER_EXPIRES]] unless result[:NEVER_EXPIRES].nil?
|
|
table << ["DISABLED", result[:DISABLED]] unless result[:DISABLED].nil?
|
|
table << ["PATH", result[:PATH]] unless result[:PATH].nil? || result[:PATH].empty?
|
|
table << ["DATASOURCE", result[:DSN]] unless result[:DSN].nil? || result[:DSN].empty?
|
|
table << ["DRIVER", result[:DRIVER]] unless result[:DRIVER].nil? || result[:DRIVER].empty?
|
|
table << ["TASK", result[:TASK]] unless result[:TASK].nil? || result[:TASK].empty?
|
|
table << ["SERVICE", result[:SERVICE]] unless result[:SERVICE].nil? || result[:SERVICE].empty?
|
|
|
|
unless result[:ATTRIBUTES].nil? || result[:ATTRIBUTES].empty?
|
|
result[:ATTRIBUTES].each do |dsn_attribute|
|
|
table << ["ATTRIBUTE", "#{dsn_attribute[:A_NAME]} - #{dsn_attribute[:A_VALUE]}"]
|
|
end
|
|
end
|
|
|
|
tables << table
|
|
end
|
|
|
|
tables
|
|
end
|
|
|
|
# Decrypts passwords using Microsoft's published key:
|
|
# http://msdn.microsoft.com/en-us/library/cc422924.aspx
|
|
def self.decrypt(encrypted_data)
|
|
password = ""
|
|
return password unless encrypted_data
|
|
|
|
password = ""
|
|
retries = 0
|
|
original_data = encrypted_data.dup
|
|
|
|
begin
|
|
mod = encrypted_data.length % 4
|
|
|
|
# PowerSploit code strips the last character, unsure why...
|
|
case mod
|
|
when 1
|
|
encrypted_data = encrypted_data[0..-2]
|
|
when 2, 3
|
|
padding = '=' * (4 - mod)
|
|
encrypted_data = "#{encrypted_data}#{padding}"
|
|
end
|
|
|
|
# Strict base64 decoding used here
|
|
decoded = encrypted_data.unpack('m0').first
|
|
rescue ::ArgumentError => e
|
|
# Appears to be some junk UTF-8 Padding appended at times in
|
|
# Win2k8 (not in Win2k8R2)
|
|
# Lets try stripping junk and see if we can decrypt
|
|
if retries < 8
|
|
retries += 1
|
|
original_data = original_data[0..-2]
|
|
encrypted_data = original_data
|
|
retry
|
|
else
|
|
return password
|
|
end
|
|
end
|
|
|
|
key = "\x4e\x99\x06\xe8\xfc\xb6\x6c\xc9\xfa\xf4\x93\x10\x62\x0f\xfe\xe8\xf4\x96\xe8\x06\xcc\x05\x79\x90\x20\x9b\x09\xa4\x33\xb6\x6c\x1b"
|
|
aes = OpenSSL::Cipher::Cipher.new("AES-256-CBC")
|
|
begin
|
|
aes.decrypt
|
|
aes.key = key
|
|
plaintext = aes.update(decoded)
|
|
plaintext << aes.final
|
|
password = plaintext.unpack('v*').pack('C*') # UNICODE conversion
|
|
rescue OpenSSL::Cipher::CipherError => e
|
|
puts "Unable to decode: \"#{encrypted_data}\" Exception: #{e}"
|
|
end
|
|
|
|
password
|
|
end
|
|
|
|
end
|
|
end
|
|
end
|
|
|