1
# -*- coding: binary -*-
2

3
require 'rexml/document'
4
require 'metasploit/framework/password_crackers/hashcat/formatter'
5
require 'metasploit/framework/password_crackers/jtr/formatter'
6

7
module Msf
8
module Ui
9
module Console
10
module CommandDispatcher
11

12
class Creds
13
  require 'tempfile'
14

15
  include Msf::Ui::Console::CommandDispatcher
16
  include Metasploit::Credential::Creation
17
  include Msf::Ui::Console::CommandDispatcher::Common
18

19
  #
20
  # The dispatcher's name.
21
  #
22
  def name
23
    "Credentials Backend"
24
  end
25

26
  #
27
  # Returns the hash of commands supported by this dispatcher.
28
  #
29
  def commands
30
    {
31
      "creds" => "List all credentials in the database"
32
    }
33
  end
34

35
  def allowed_cred_types
36
    %w(password ntlm hash KrbEncKey) + Metasploit::Credential::NonreplayableHash::VALID_JTR_FORMATS
37
  end
38

39
  #
40
  # Returns true if the db is connected, prints an error and returns
41
  # false if not.
42
  #
43
  # All commands that require an active database should call this before
44
  # doing anything.
45
  # TODO: abstract the db methods to a mixin that can be used by both dispatchers
46
  #
47
  def active?
48
    if not framework.db.active
49
      print_error("Database not connected")
50
      return false
51
    end
52
    true
53
  end
54

55
  #
56
  # Miscellaneous option helpers
57
  #
58

59
  #
60
  # Can return return active or all, on a certain host or range, on a
61
  # certain port or range, and/or on a service name.
62
  #
63
  def cmd_creds(*args)
64
    return unless active?
65

66
    # Short-circuit help
67
    if args.delete("-h") || args.delete("--help")
68
      cmd_creds_help
69
      return
70
    end
71

72
    subcommand = args.shift
73

74
    case subcommand
75
    when 'help'
76
      cmd_creds_help
77
    when 'add'
78
      creds_add(*args)
79
    else
80
      # then it's not actually a subcommand
81
      args.unshift(subcommand) if subcommand
82
      creds_search(*args)
83
    end
84

85
  end
86

87
  #
88
  # TODO: this needs to be cleaned up to use the new syntax
89
  #
90
  def cmd_creds_help
91
    print_line
92
    print_line "With no sub-command, list credentials. If an address range is"
93
    print_line "given, show only credentials with logins on hosts within that"
94
    print_line "range."
95

96
    print_line
97
    print_line "Usage - Listing credentials:"
98
    print_line "  creds [filter options] [address range]"
99
    print_line
100
    print_line "Usage - Adding credentials:"
101
    print_line "  creds add uses the following named parameters."
102
    {
103
      user:                'Public, usually a username',
104
      password:            'Private, private_type Password.',
105
      ntlm:                'Private, private_type NTLM Hash.',
106
      postgres:            'Private, private_type postgres MD5',
107
      pkcs12:              'Private, private_type pkcs12 archive file, must be a file path.',
108
      'ssh-key'         => 'Private, private_type SSH key, must be a file path.',
109
      hash:                'Private, private_type Nonreplayable hash',
110
      jtr:                 'Private, private_type John the Ripper hash type.',
111
      realm:               'Realm, ',
112
      'realm-type'      => "Realm, realm_type (#{Metasploit::Model::Realm::Key::SHORT_NAMES.keys.join(' ')}), defaults to domain.",
113
      'adcs-ca'         => 'CA, Certificate Authority that issued the pkcs12 certificate',
114
      'adcs-template'   => 'ADCS Template, template used to issue the pkcs12 certificate',
115
      'pkcs12-password' => 'The password to decrypt the Pkcs12, defaults to an empty password'
116
    }.each_pair do |keyword, description|
117
      print_line "    #{keyword.to_s.ljust 10}:  #{description}"
118
    end
119
    print_line
120
    print_line "Examples: Adding"
121
    print_line "   # Add a user, password and realm"
122
    print_line "   creds add user:admin password:notpassword realm:workgroup"
123
    print_line "   # Add a user and password"
124
    print_line "   creds add user:guest password:'guest password'"
125
    print_line "   # Add a password"
126
    print_line "   creds add password:'password without username'"
127
    print_line "   # Add a user with an NTLMHash"
128
    print_line "   creds add user:admin ntlm:E2FC15074BF7751DD408E6B105741864:A1074A69B1BDE45403AB680504BBDD1A"
129
    print_line "   # Add a NTLMHash"
130
    print_line "   creds add ntlm:E2FC15074BF7751DD408E6B105741864:A1074A69B1BDE45403AB680504BBDD1A"
131
    print_line "   # Add a Postgres MD5"
132
    print_line "   creds add user:postgres postgres:md5be86a79bf2043622d58d5453c47d4860"
133
    print_line "   # Add a user with a PKCS12 file archive"
134
    print_line "   creds add user:alice pkcs12:/path/to/certificate.pfx"
135
    print_line "   # Add a user with an SSH key"
136
    print_line "   creds add user:sshadmin ssh-key:/path/to/id_rsa"
137
    print_line "   # Add a user and a NonReplayableHash"
138
    print_line "   creds add user:other hash:d19c32489b870735b5f587d76b934283 jtr:md5"
139
    print_line "   # Add a NonReplayableHash"
140
    print_line "   creds add hash:d19c32489b870735b5f587d76b934283"
141

142
    print_line
143
    print_line "General options"
144
    print_line "  -h,--help             Show this help information"
145
    print_line "  -o <file>             Send output to a file in csv/jtr (john the ripper) format."
146
    print_line "                        If file name ends in '.jtr', that format will be used."
147
    print_line "                        If file name ends in '.hcat', the hashcat format will be used."
148
    print_line "                        csv by default."
149
    print_line "  -d,--delete           Delete one or more credentials"
150
    print_line
151
    print_line "Filter options for listing"
152
    print_line "  -P,--password <text>  List passwords that match this text"
153
    print_line "  -p,--port <portspec>  List creds with logins on services matching this port spec"
154
    print_line "  -s <svc names>        List creds matching comma-separated service names"
155
    print_line "  -u,--user <text>      List users that match this text"
156
    print_line "  -t,--type <type>      List creds of the specified type: password, ntlm, hash or any valid JtR format"
157
    print_line "  -O,--origins <IP>     List creds that match these origins"
158
    print_line "  -r,--realm <realm>    List creds that match this realm"
159
    print_line "  -R,--rhosts           Set RHOSTS from the results of the search"
160
    print_line "  -v,--verbose          Don't truncate long password hashes"
161

162
    print_line
163
    print_line "Examples, John the Ripper hash types:"
164
    print_line "  Operating Systems (starts with)"
165
    print_line "    Blowfish ($2a$)   : bf"
166
    print_line "    BSDi     (_)      : bsdi"
167
    print_line "    DES               : des,crypt"
168
    print_line "    MD5      ($1$)    : md5"
169
    print_line "    SHA256   ($5$)    : sha256,crypt"
170
    print_line "    SHA512   ($6$)    : sha512,crypt"
171
    print_line "  Databases"
172
    print_line "    MSSQL             : mssql"
173
    print_line "    MSSQL 2005        : mssql05"
174
    print_line "    MSSQL 2012/2014   : mssql12"
175
    print_line "    MySQL < 4.1       : mysql"
176
    print_line "    MySQL >= 4.1      : mysql-sha1"
177
    print_line "    Oracle            : des,oracle"
178
    print_line "    Oracle 11         : raw-sha1,oracle11"
179
    print_line "    Oracle 11 (H type): dynamic_1506"
180
    print_line "    Oracle 12c        : oracle12c"
181
    print_line "    Postgres          : postgres,raw-md5"
182

183
    print_line
184
    print_line "Examples, listing:"
185
    print_line "  creds               # Default, returns all credentials"
186
    print_line "  creds 1.2.3.4/24    # Return credentials with logins in this range"
187
    print_line "  creds -O 1.2.3.4/24 # Return credentials with origins in this range"
188
    print_line "  creds -p 22-25,445  # nmap port specification"
189
    print_line "  creds -s ssh,smb    # All creds associated with a login on SSH or SMB services"
190
    print_line "  creds -t ntlm       # All NTLM creds"
191
    print_line
192

193
    print_line "Example, deleting:"
194
    print_line "  # Delete all SMB credentials"
195
    print_line "  creds -d -s smb"
196
    print_line
197
  end
198

199
  # @param private_type [Symbol] See `Metasploit::Credential::Creation#create_credential`
200
  # @param username [String]
201
  # @param password [String]
202
  # @param realm [String]
203
  # @param realm_type [String] A key in `Metasploit::Model::Realm::Key::SHORT_NAMES`
204
  def creds_add(*args)
205
    params = args.inject({}) do |hsh, n|
206
      opt = n.split(':') # Splitting the string on colons.
207
      hsh[opt[0]] = opt[1..-1].join(':') # everything before the first : is the key, reasembling everything after the colon. why ntlm hashes
208
      hsh
209
    end
210

211
    begin
212
      params.assert_valid_keys('user','password','realm','realm-type','ntlm','ssh-key','hash','address','port','protocol', 'service-name', 'jtr', 'pkcs12', 'postgres', 'adcs-ca', 'adcs-template', 'pkcs12-password')
213
    rescue ArgumentError => e
214
      print_error(e.message)
215
    end
216

217
    # Verify we only have one type of private
218
    if params.slice('password','ntlm','ssh-key','hash', 'pkcs12', 'postgres').length > 1
219
      private_keys = params.slice('password','ntlm','ssh-key','hash', 'pkcs12', 'postgres').keys
220
      print_error("You can only specify a single Private type. Private types given: #{private_keys.join(', ')}")
221
      return
222
    end
223

224
    login_keys = params.slice('address','port','protocol','service-name')
225
    if login_keys.any? and login_keys.length < 3
226
      missing_login_keys = ['host','port','proto','service-name'] - login_keys.keys
227
      print_error("Creating a login requires a address, a port, and a protocol. Missing params: #{missing_login_keys}")
228
      return
229
    end
230

231
    data = {
232
      workspace_id: framework.db.workspace.id,
233
      origin_type: :import,
234
      filename: 'msfconsole'
235
    }
236

237
    data[:username] = params['user'] if params.key? 'user'
238

239
    if params.key? 'realm'
240
      if params.key? 'realm-type'
241
        if Metasploit::Model::Realm::Key::SHORT_NAMES.key? params['realm-type']
242
          data[:realm_key] = Metasploit::Model::Realm::Key::SHORT_NAMES[params['realm-type']]
243
        else
244
          valid = Metasploit::Model::Realm::Key::SHORT_NAMES.keys.map{|n|"'#{n}'"}.join(", ")
245
          print_error("Invalid realm type: #{params['realm_type']}. Valid Values: #{valid}")
246
        end
247
      else
248
        data[:realm_key] = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
249
      end
250
      data[:realm_value] = params['realm']
251
    end
252

253
    if params.key? 'password'
254
      data[:private_type] = :password
255
      data[:private_data] = params['password']
256
    end
257

258
    if params.key? 'ntlm'
259
      data[:private_type] = :ntlm_hash
260
      data[:private_data] = params['ntlm']
261
    end
262

263
    if params.key? 'ssh-key'
264
      begin
265
        key_data = File.read(params['ssh-key'])
266
      rescue ::Errno::EACCES, ::Errno::ENOENT => e
267
        print_error("Failed to add ssh key: #{e}")
268
      end
269
      data[:private_type] = :ssh_key
270
      data[:private_data] = key_data
271
    end
272

273
    if params.key? 'pkcs12'
274
      begin
275
        # pkcs12 is a binary format, but for persisting we Base64 encode it
276
        pkcs12_data = Base64.strict_encode64(File.binread(params['pkcs12']))
277
      rescue ::Errno::EACCES, ::Errno::ENOENT => e
278
        print_error("Failed to add pkcs12 archive: #{e}")
279
      end
280
      data[:private_type] = :pkcs12
281
      data[:private_data] = pkcs12_data
282
      data[:private_metadata] = {}
283
      data[:private_metadata][:adcs_ca] =  params['adcs-ca'] if params['adcs-ca']
284
      data[:private_metadata][:adcs_template] =  params['adcs-template'] if params['adcs-template']
285
      data[:private_metadata][:pkcs12_password] =  params['pkcs12-password'] if params['pkcs12-password']
286
    end
287

288
    if params.key? 'hash'
289
      data[:private_type] = :nonreplayable_hash
290
      data[:private_data] = params['hash']
291
      data[:jtr_format] = params['jtr'] if params.key? 'jtr'
292
    end
293

294
    if params.key? 'postgres'
295
      data[:private_type] = :postgres_md5
296
      if params['postgres'].downcase.start_with?('md5')
297
        data[:private_data] = params['postgres']
298
        data[:jtr_format] = 'postgres'
299
      else
300
        print_error("Postgres MD5 hashes should start with 'md5'")
301
      end
302
    end
303

304
    begin
305
      if login_keys.any?
306
        data[:address] = params['address']
307
        data[:port] = params['port']
308
        data[:protocol] = params['protocol']
309
        data[:service_name] = params['service-name']
310
        framework.db.create_credential_and_login(data)
311
      else
312
        framework.db.create_credential(data)
313
      end
314
    rescue ActiveRecord::RecordInvalid => e
315
      print_error("Failed to add #{data[:private_type]}: #{e}")
316
    end
317
  end
318

319
  def service_from_origin(core)
320
    # Depending on the origin of the cred, there may or may not be a way to retrieve the associated service
321
    case core.origin
322
    when Metasploit::Credential::Origin::Service
323
      return core.origin.service
324
    end
325
  end
326

327
  def build_service_info(service)
328
    if service.name.present?
329
      info = "#{service.port}/#{service.proto} (#{service.name})"
330
    else
331
      info = "#{service.port}/#{service.proto}"
332
    end
333
    info
334
  end
335

336
  def creds_search(*args)
337
    host_ranges   = []
338
    origin_ranges = []
339
    port_ranges   = []
340
    svcs          = []
341
    rhosts        = []
342
    opts          = {}
343

344
    set_rhosts = false
345
    truncate = true
346

347
    cred_table_columns = [ 'host', 'origin' , 'service', 'public', 'private', 'realm', 'private_type', 'JtR Format', 'cracked_password' ]
348
    delete_count = 0
349
    search_term = nil
350

351
    while (arg = args.shift)
352
      case arg
353
      when '-o'
354
        output_file = args.shift
355
        if (!output_file)
356
          print_error('Invalid output filename')
357
          return
358
        end
359
        output_file = ::File.expand_path(output_file)
360
        truncate = false
361
      when '-p', '--port'
362
        unless (arg_port_range(args.shift, port_ranges, true))
363
          return
364
        end
365
      when '-t', '--type'
366
        ptype = args.shift
367
        opts[:ptype] = ptype
368
        if (!ptype)
369
          print_error('Argument required for -t')
370
          return
371
        end
372
      when '-s', '--service'
373
        service = args.shift
374
        if (!service)
375
          print_error('Argument required for -s')
376
          return
377
        end
378
        svcs = service.split(/[\s]*,[\s]*/)
379
        opts[:svcs] = svcs
380
      when '-P', '--password'
381
        if !(opts[:pass] = args.shift)
382
          print_error('Argument required for -P')
383
          return
384
        end
385
      when '-u', '--user'
386
        if !(opts[:user] = args.shift)
387
          print_error('Argument required for -u')
388
          return
389
        end
390
      when '-d', '--delete'
391
        mode = :delete
392
      when '-R', '--rhosts'
393
        set_rhosts = true
394
      when '-O', '--origins'
395
        hosts = args.shift
396
        opts[:hosts] = hosts
397
        if !hosts
398
          print_error('Argument required for -O')
399
          return
400
        end
401
        arg_host_range(hosts, origin_ranges)
402
      when '-S', '--search-term'
403
        search_term = args.shift
404
        opts[:search_term] = search_term
405
      when '-v', '--verbose'
406
        truncate = false
407
      when '-r', '--realm'
408
        opts[:realm] = args.shift
409
      else
410
        # Anything that wasn't an option is a host to search for
411
        unless (arg_host_range(arg, host_ranges))
412
          return
413
        end
414
      end
415
    end
416

417
    # If we get here, we're searching.  Delete implies search
418

419
    if ptype
420
      type = case ptype.downcase
421
             when 'password'
422
               Metasploit::Credential::Password
423
             when 'hash'
424
               Metasploit::Credential::NonreplayableHash
425
             when 'ntlm'
426
               Metasploit::Credential::NTLMHash
427
             when 'KrbEncKey'.downcase
428
               Metasploit::Credential::KrbEncKey
429
             when 'pkcs12'
430
               Metasploit::Credential::Pkcs12
431
             when *Metasploit::Credential::NonreplayableHash::VALID_JTR_FORMATS
432
               opts[:jtr_format] = ptype
433
               Metasploit::Credential::NonreplayableHash
434
             else
435
               print_error("Unrecognized credential type #{ptype} -- must be one of #{allowed_cred_types.join(',')}")
436
               return
437
             end
438
    end
439

440
    opts[:type] = type if type
441

442
    # normalize
443
    ports = port_ranges.flatten.uniq
444
    opts[:ports] = ports unless ports.empty?
445
    svcs.flatten!
446
    tbl_opts = {
447
      'Header'  => "Credentials",
448
      # For now, don't perform any word wrapping on the cred table as it breaks the workflow of
449
      # copying credentials and pasting them into applications
450
      'WordWrap' => false,
451
      'Columns' => cred_table_columns,
452
      'SearchTerm' => search_term
453
    }
454

455
    opts[:workspace] = framework.db.workspace
456
    cred_cores = framework.db.creds(opts).to_a
457
    cred_cores.sort_by!(&:id)
458
    matched_cred_ids = []
459
    cracked_cred_ids = []
460

461
    if output_file&.ends_with?('.hcat')
462
      output_file = ::File.open(output_file, 'wb')
463
      output_formatter = Metasploit::Framework::PasswordCracker::Hashcat::Formatter.method(:hash_to_hashcat)
464
    elsif output_file&.ends_with?('.jtr')
465
      output_file = ::File.open(output_file, 'wb')
466
      output_formatter = Metasploit::Framework::PasswordCracker::JtR::Formatter.method(:hash_to_jtr)
467
    else
468
      output_file = ::File.open(output_file, 'wb') unless output_file.blank?
469
      tbl = Rex::Text::Table.new(tbl_opts)
470
    end
471

472
    filter_cred_cores(cred_cores, opts, origin_ranges, host_ranges) do |core, service, origin, cracked_password_core|
473
      matched_cred_ids << core.id
474
      cracked_cred_ids << cracked_password_core.id if cracked_password_core.present?
475

476
      if output_file && output_formatter
477
        formatted = output_formatter.call(core)
478
        output_file.puts(formatted) unless formatted.blank?
479
      end
480

481
      unless tbl.nil?
482
        public_val = core.public ? core.public.username : ''
483
        if core.private
484
          # Show the human readable description by default, unless the user ran with `--verbose` and wants to see the cred data
485
          private_val = truncate ? core.private.to_s : core.private.data
486
        else
487
          private_val = ''
488
        end
489
        if truncate && private_val.to_s.length > 88
490
          private_val = "#{private_val[0,76]} (TRUNCATED)"
491
        end
492
        realm_val = core.realm ? core.realm.value : ''
493
        human_val = core.private ? core.private.class.model_name.human : ''
494
        if human_val == ''
495
          jtr_val = '' #11433, private can be nil
496
        else
497
          jtr_val = core.private.jtr_format ? core.private.jtr_format : ''
498
        end
499

500
        if service.nil?
501
          host = ''
502
          service_info = ''
503
        else
504
          host = service.host.address
505
          rhosts << host unless host.blank?
506
          service_info = build_service_info(service)
507
        end
508
        cracked_password_val = cracked_password_core&.private&.data.to_s
509
        tbl << [
510
          host,
511
          origin,
512
          service_info,
513
          public_val,
514
          private_val,
515
          realm_val,
516
          human_val, #private type
517
          jtr_val,
518
          cracked_password_val
519
        ]
520
      end
521
    end
522

523
    if output_file.nil?
524
      print_line(tbl.to_s)
525
    else
526
      output_file.write(tbl.to_csv) if output_formatter.nil?
527
      output_file.close
528
      print_status("Wrote creds to #{output_file.path}")
529
    end
530

531
    if mode == :delete
532
      result = framework.db.delete_credentials(ids: matched_cred_ids.concat(cracked_cred_ids).uniq)
533
      delete_count = result.size
534
    end
535

536
    # Finally, handle the case where the user wants the resulting list
537
    # of hosts to go into RHOSTS.
538
    set_rhosts_from_addrs(rhosts.uniq) if set_rhosts
539
    print_status("Deleted #{delete_count} creds") if delete_count > 0
540
  end
541

542
  def cmd_creds_tabs(str, words)
543
    case words.length
544
    when 1
545
      # subcommands
546
      tabs = [ 'add-ntlm', 'add-password', 'add-hash', 'add-ssh-key', ]
547
    when 2
548
      tabs = if words[1] == 'add-ssh-key'
549
               tab_complete_filenames(str, words)
550
             else
551
               []
552
             end
553
    #when 5
554
    #  tabs = Metasploit::Model::Realm::Key::SHORT_NAMES.keys
555
    else
556
      tabs = []
557
    end
558
    return tabs
559
  end
560

561
  protected
562

563
  # @param [Array<Metasploit::Credential::Core>] cores The list of cores to filter
564
  # @param [Hash] opts
565
  # @param [Array<Rex::Socket::RangeWalker>] origin_ranges
566
  # @param [Array<Rex::Socket::RangeWalker>] host_ranges
567
  # @yieldparam [Metasploit::Credential::Core] core
568
  # @yieldparam [Mdm::Service] service
569
  # @yieldparam [Metasploit::Credential::Origin] origin
570
  # @yieldparam [Metasploit::Credential::Origin::CrackedPassword] cracked_password_core
571
  def filter_cred_cores(cores, opts, origin_ranges, host_ranges)
572
    # Some creds may have been cracked that exist outside of the filtered cores list, let's resolve them all to show the cracked value
573
    cores_by_id = cores.each_with_object({}) { |core, hash| hash[core.id] = core }
574
    # Map of any originating core ids that have been cracked; The value is cracked core value
575
    cracked_core_id_to_cracked_value = cores.each_with_object({}) do |core, hash|
576
      next unless core.origin.kind_of?(Metasploit::Credential::Origin::CrackedPassword)
577
      hash[core.origin.metasploit_credential_core_id] = core
578
    end
579

580
    cores.each do |core|
581
      # Skip the cracked password if it's planned to be shown on the originating core row in a separate column
582
      is_duplicate_cracked_password_row = core.origin.kind_of?(Metasploit::Credential::Origin::CrackedPassword) &&
583
        cracked_core_id_to_cracked_value.key?(core.origin.metasploit_credential_core_id) &&
584
        # The core might exist outside of the currently available cores to render
585
        cores_by_id.key?(core.origin.metasploit_credential_core_id)
586
      next if is_duplicate_cracked_password_row
587

588
      # Exclude non-blank username creds if that's what we're after
589
      if opts[:user] == '' && core.public && !(core.public.username.blank?)
590
        next
591
      end
592

593
      # Exclude non-blank password creds if that's what we're after
594
      if opts[:pass] == '' && core.private && !(core.private.data.blank?)
595
        next
596
      end
597

598
      origin = ''
599
      if core.origin.kind_of?(Metasploit::Credential::Origin::Service)
600
        service = framework.db.services(id: core.origin.service_id).first
601
        origin = service.host.address
602
      elsif core.origin.kind_of?(Metasploit::Credential::Origin::Session)
603
        session = framework.db.sessions(id: core.origin.session_id).first
604
        origin = session.host.address
605
      end
606

607
      if origin_ranges.present? && !origin_ranges.any? { |range| range.include?(origin) }
608
        next
609
      end
610

611
      cracked_password_core = cracked_core_id_to_cracked_value.fetch(core.id, nil)
612
      if core.logins.empty?
613
        service = service_from_origin(core)
614
        next if service.nil? && host_ranges.present? # If we're filtering by login IP and we're here there's no associated login, so skip
615

616
        yield core, service, origin, cracked_password_core
617
      else
618
        core.logins.each do |login|
619
          service = framework.db.services(id: login.service_id).first
620
          # If none of this Core's associated Logins is for a host within
621
          # the user-supplied RangeWalker, then we don't have any reason to
622
          # print it out. However, we treat the absence of ranges as meaning
623
          # all hosts.
624
          if host_ranges.present? && !host_ranges.any? { |range| range.include?(service.host.address) }
625
            next
626
          end
627

628
          yield core, service, origin, cracked_password_core
629
        end
630
      end
631
    end
632
  end
633

634
end
635

636
end end end end
637

638