New post module mdaemon #7287
Merged: scriptjunkie merged 13 commits into rapid7:master from AgoraSecurity:new_post_module_mdaemon on Sep 10, 2016
New post module for Windows. It gathers the users and cracks the password of MDaemon Mail server. NOTE: The module has a bug and I would appreciate help fixing it (problem when storing credentials)
Remove the 2nd element of the array at line 102. Add .downcase for line 103. Fix to find filenames on systems that created the userlist.dat in uppercase.
New Post Module for Mdaemon.
Remove the need to check for the session type manually. It will be automatically validated at the time of module run.
Better format and more info
Minor change; please correct "SMPT" to "SMTP" in the module and docs.
@scriptjunkie: Done. Thanks!!
The category of the module is: post/windows/gather/credentials/
Explanation
It retrieves the users and cracks the password of MDaemon Email Server.
Does some techniques to find the file (userlist.dat), then proceeds to read it and crack it.
At the end, it saves the results in the DB.
It's been tested on:
AWS --> Microsoft Windows Server 2012 R2 Base - ami-8d0acfed Instance: t2.micro @ July-August 2016 x64 bits with meterpreter of 32 and 64 bits. Both work but 32 bits couldn't find the path through Register.
VM --> Microsoft Windows 7 on VMWare.
How to run
1.- Get a meterpreter on a Windows machine with MDaemon
2.- Load the module
3.- Set the correct session on the module. Optional: you can add the remote path of the installation.
4.- Run the module and enjoy the loot :)
Documentation
Here's the information of the module: https://github.com/AgoraSecurity/metasploit-framework/blob/master/documentation/modules/post/windows/gather/mdaemon_cred_collector.md
Instructions on how to set up the vulnerable environment:
1.- Download and Install: http://www.altn.com/Downloads/MDaemon-Mail-Server-Free-Trial/
Note: You require a valid licence, but there's a demo for 30 days.
2.- Get a meterpreter running on the victim machine.
3.- Execute the module.
Extra:
No SYSTEM access is required.
If the machine runs on 64 bits and the meterpreter is 32 bits, it won't be able to find the installation path in the registry, but it will search some default paths. If it is installed on a non-default path you can give the RPATH and it will work.
Info on the vuln: http://www.securityfocus.com/bid/4686
Note: It's an improvement on my old PR (#7257). The current PR is based on a new branch (just for the module)