GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/gather/enum_proxy.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
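class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Registry
  include Msf::Post::Windows::Services

  # Registry value holding the serialized per-connection proxy configuration.
  SETTINGS_VALUE = 'DefaultConnectionSettings'

  # Registry subpath (below HKCU or HKU\<SID>) that stores the connection settings.
  CONNECTIONS_SUBKEY = 'Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections'

  # Smallest blob the parser will accept: offsets 4 and 8 hold the counter and
  # flag bytes, and the first length-prefixed string starts at offset 12, so a
  # blob of this size or smaller cannot carry a complete first field.
  HEADER_SIZE = 24

  # Offset of the first length-prefixed string inside the blob.
  FIRST_STRING_OFFSET = 12

  # Human-readable meaning of the flag byte at offset 8.
  PROXY_SETTING_LABELS = {
    1 => 'No proxy settings',
    3 => 'Proxy server',
    5 => 'Set proxy via AutoConfigure script',
    7 => 'Proxy server and AutoConfigure script',
    9 => 'WPAD',
    11 => 'WPAD and Proxy server',
    13 => 'WPAD and AutoConfigure script',
    15 => 'WPAD, Proxy server and AutoConfigure script'
  }.freeze

  # The three length-prefixed strings that follow the header, in blob order.
  STRING_FIELDS = ['Proxy Server', 'Additional Info', 'AutoConfigURL'].freeze

  def initialize
    super(
      'Name' => 'Windows Gather Proxy Setting',
      'Description' => %q{
        This module pulls a user's proxy settings. If neither RHOST or SID
        are set it pulls the current user, else it will pull the user's settings
        for the specified SID and target host.
      },
      'Author' => [ 'mubix' ],
      'License' => MSF_LICENSE,
      'Platform' => [ 'win' ],
      'SessionTypes' => %w[meterpreter powershell shell],
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'Reliability' => [],
        # The remote path may start (and later stop) the RemoteRegistry service
        # on RHOST; service state changes are recorded in the target's event log.
        'SideEffects' => [IOC_IN_LOGS]
      },
      'Compat' => {
        'Meterpreter' => {
          'Commands' => %w[
            stdapi_registry_open_key
            stdapi_registry_open_remote_key
          ]
        }
      }
    )

    register_options([
      OptAddress.new('RHOST', [ false, 'Remote host to clone settings to, defaults to local' ]),
      OptString.new('SID', [ false, 'SID of user to clone settings to (SYSTEM is S-1-5-18)' ])
    ])
  end

  # Entry point: locate the connection settings value (locally or on RHOST),
  # validate the blob and print the decoded proxy configuration.
  #
  # @raise via fail_with when the session type cannot query a remote registry,
  #   the RemoteRegistry service cannot be started, the value is empty, or the
  #   blob is too short to contain the header.
  def run
    root_key, base_key = split_key(connection_settings_path)

    data = if datastore['RHOST']
             read_remote_settings(root_key, base_key)
           else
             registry_getvaldata("#{root_key}\\#{base_key}", SETTINGS_VALUE)
           end

    fail_with(Failure::Unknown, "Could not retrieve '#{SETTINGS_VALUE}' data") if data.blank?
    if data.length <= HEADER_SIZE
      fail_with(Failure::Unknown, "Retrieved malformed proxy settings (too small: #{data.length} bytes <= #{HEADER_SIZE} bytes)")
    end

    report_connection_settings(data)
  end

  private

  # Full registry path of the Connections key: the target user's HKU hive when
  # SID is set, otherwise the current user's HKCU.
  #
  # @return [String]
  def connection_settings_path
    if datastore['SID']
      "HKU\\#{datastore['SID']}\\#{CONNECTIONS_SUBKEY}"
    else
      "HKCU\\#{CONNECTIONS_SUBKEY}"
    end
  end

  # Reads the settings value from the remote registry of RHOST over Meterpreter.
  #
  # If the remote registry service is not reachable, the RemoteRegistry service is
  # started on RHOST and the open is retried. Whatever happens afterwards (including
  # a failing retry or a failing key/value lookup), a service that this run started
  # is stopped again, so the target is left in its original state.
  #
  # @param root_key [String] hive name as returned by split_key
  # @param base_key [String] subkey path as returned by split_key
  # @return [String] raw value data
  def read_remote_settings(root_key, base_key)
    host = datastore['RHOST']
    if session.type != 'meterpreter'
      fail_with(Failure::BadConfig, "Cannot query remote registry on #{host}. Unsupported session type #{session.type}")
    end

    started_service = false
    begin
      key = begin
        session.sys.registry.open_remote_key(host, root_key)
      rescue ::Rex::Post::Meterpreter::RequestError
        print_error("Unable to contact remote registry service on #{host}")
        print_status('Attempting to start RemoteRegistry service remotely...')
        begin
          service_start('RemoteRegistry', host)
        rescue StandardError
          fail_with(Failure::Unknown, 'Unable to start RemoteRegistry service, exiting...')
        end
        started_service = true
        session.sys.registry.open_remote_key(host, root_key)
      end

      key.open_key(base_key).query_value(SETTINGS_VALUE).data
    ensure
      # Only undo what this run did: stop the service solely when we started it.
      service_stop('RemoteRegistry', host) if started_service
    end
  end

  # Decodes and prints the header bytes and the three length-prefixed strings.
  #
  # @param data [String] raw value data, already known to be longer than HEADER_SIZE
  def report_connection_settings(data)
    print_status("Proxy Counter = #{data[4, 1].unpack1('C')}")

    flags = data[8, 1].unpack1('C')
    print_status("Setting: #{PROXY_SETTING_LABELS.fetch(flags, 'Unknown proxy setting found')}")

    cursor = FIRST_STRING_OFFSET
    STRING_FIELDS.each do |label|
      value, cursor = read_length_prefixed(data, cursor)
      if value.nil?
        # A truncated or corrupt blob: report what was decoded so far rather than
        # raising on a nil slice.
        print_warning("Proxy settings data ends before the #{label} field; stopping")
        break
      end
      print_status("#{label}: #{value}") unless value.blank?
    end
  end

  # Reads one length-prefixed string starting at +offset+.
  #
  # The cursor arithmetic skips a 4-byte length field before each string, so the
  # length is decoded as a 32-bit little-endian value; this keeps strings of 256
  # bytes or more from being truncated and desynchronising the following fields.
  #
  # @param data [String] raw value data
  # @param offset [Integer] position of the length field
  # @return [Array(String, Integer)] the string and the offset of the next field, or
  #   [nil, nil] when the length field or the string would run past the end of data
  def read_length_prefixed(data, offset)
    return [nil, nil] if offset + 4 > data.length

    len = data[offset, 4].unpack1('V')
    next_offset = offset + 4 + len
    return [nil, nil] if next_offset > data.length

    [data[offset + 4, len], next_offset]
  end
end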