Module: Metasploit::Credential::Creation

Included in:
Importer::Core, Importer::Pwdump, Migrator
Defined in:
lib/metasploit/credential/creation.rb

Overview

Helper methods for finding or creating a tree of credentials. The method ensure that duplicate credentials are not created.

Instance Method Summary collapse

Instance Method Details

#active_db?Boolean

Returns true if ActiveRecord has an active database connection, false otherwise.

Returns:

  • (Boolean)


12
13
14
# File 'lib/metasploit/credential/creation.rb', line 12

def active_db?
  ActiveRecord::Base.connected?
end

#create_cracked_credential(opts = {}) ⇒ Object

This method takes a few simple parameters and creates a new username/password credential that was obtained by cracking a hash. It reuses the relevant components form the originating Metasploit::Credential::Core and builds new Login objects based on the ones attached to the originating Metasploit::Credential::Core

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :username (String)

    the username to find or create the Public from

  • :password (String)

    the password to find or create the Password from

  • :core_id (Fixnum)

    the id for the originating Metasploit::Credential::Core



25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
# File 'lib/metasploit/credential/creation.rb', line 25

def create_cracked_credential(opts={})
  return nil unless active_db?
  username = opts.fetch(:username)
  password = opts.fetch(:password)
  core_id  = opts.fetch(:core_id)

  retry_transaction do
    private  = Metasploit::Credential::Password.where(data: password).first_or_create!
    public   = Metasploit::Credential::Public.where(username: username).first_or_create!
    old_core = Metasploit::Credential::Core.find(core_id)
  end

  retry_transaction do
    core     = Metasploit::Credential::Core.where(public_id: public.id, private_id: private.id, realm_id: nil, workspace_id: old_core.workspace_id).first_or_initialize
    if core.origin_id.nil?
      origin      = Metasploit::Credential::Origin::CrackedPassword.where(metasploit_credential_core_id: core_id).first_or_create!
      core.origin = origin
    end
    core.save!
  end

  old_core.logins.each do ||
    service_id = .service_id
     = Metasploit::Credential::Login.where(core_id: core.id, service_id: service_id).first_or_initialize
    if .status.blank?
      .status =  Metasploit::Model::Login::Status::UNTRIED
    end
    .save!
  end
end

#create_credential(opts = {}) ⇒ NilClass, Metasploit::Credential::Core

This method is responsible for creation Metasploit::Credential::Core objects and all sub-objects that it is dependent upon.

Examples:

Reporting a Bruteforced Credential

create_credential(
  origin_type: :service,
  address: '192.168.1.100',
  port: 445,
  service_name: 'smb',
  protocol: 'tcp',
  module_fullname: 'auxiliary/scanner/smb/smb_login',
  workspace_id: myworkspace.id,
  private_data: 'password1',
  private_type: :password,
  username: 'Administrator'
)

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :jtr_format (String)

    The format for John the ripper to use to try and crack this

  • :origin_type (Symbol)

    The Origin type we are trying to create

  • :address (String)

    The address of the ‘Mdm::Host` to link this Origin to

  • :port (Fixnum)

    The port number of the ‘Mdm::Service` to link this Origin to

  • :service_name (String)

    The service name to use for the ‘Mdm::Service`

  • :protocol (String)

    The protocol type of the ‘Mdm::Service` to link this Origin to

  • :module_fullname (String)

    The fullname of the Metasploit Module to link this Origin to

  • :workspace_id (Fixnum)

    The ID of the ‘Mdm::Workspace` to use for the `Mdm::Host`

  • :task_id (Fixnum)

    The ID of the ‘Mdm::Task` to link this Origin and Core to

  • :filename (String)

    The filename of the file that was imported

  • :user_id (Fixnum)

    The ID of the ‘Mdm::User` to link this Origin to

  • :session_id (Fixnum)

    The ID of the ‘Mdm::Session` to link this Origin to

  • :post_reference_name (String)

    The reference name of the Metasploit Post module to link the origin to

  • :private_data (String)

    The actual data for the private (e.g. password, hash, key etc)

  • :private_type (Symbol)

    The type of Private to create

  • :username (String)

    The username to use for the Public

Returns:

Raises:

  • (KeyError)

    if a required option is missing

  • (ArgumentError)

    if an invalid :private_type is specified

  • (ArgumentError)

    if an invalid :origin_type is specified



94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
# File 'lib/metasploit/credential/creation.rb', line 94

def create_credential(opts={})
  return nil unless active_db?

  if opts[:origin]
    origin = opts[:origin]
  else
    origin = create_credential_origin(opts)
  end

  core_opts = {
      origin: origin,
      workspace_id: opts.fetch(:workspace_id)
  }

  if opts.has_key?(:realm_key) && opts.has_key?(:realm_value)
    core_opts[:realm] = create_credential_realm(opts)
  end

  if opts.has_key?(:private_type) && opts.has_key?(:private_data)
    core_opts[:private] = create_credential_private(opts)
  end

  if opts.has_key?(:username)
    core_opts[:public] = create_credential_public(opts)
  end

  if opts.has_key?(:task_id)
    core_opts[:task_id] = opts[:task_id]
  end

  create_credential_core(core_opts)
end

#create_credential_core(opts = {}) ⇒ NilClass, Metasploit::Credential::Core

This method is responsible for creating Metasploit::Credential::Core objects.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

Returns:



136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
# File 'lib/metasploit/credential/creation.rb', line 136

def create_credential_core(opts={})
  return nil unless active_db?
  origin       = opts.fetch(:origin)
  workspace_id = opts.fetch(:workspace_id)

  private_id   = opts[:private].try(:id)
  public_id    = opts[:public].try(:id)
  realm_id     = opts[:realm].try(:id)

  core = nil
  retry_transaction do
    core = Metasploit::Credential::Core.where(private_id: private_id, public_id: public_id, realm_id: realm_id, workspace_id: workspace_id).first_or_initialize
    if core.origin_id.nil?
      core.origin = origin
    end
    if opts[:task_id]
      core.tasks << Mdm::Task.find(opts[:task_id])
    end
    core.save!
  end

  core
end

#create_credential_login(opts = {}) ⇒ NilClass, Metasploit::Credential::Login

This method is responsible for creating a Login object which ties a Metasploit::Credential::Core to the ‘Mdm::Service` it is a valid credential for.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :access_level (String)

    The access level to assign to this login if we know it

  • :address (String)

    The address of the ‘Mdm::Host` to link this Login to

  • :last_attempted_at (DateTime)

    The last time this Login was attempted

  • :core (Metasploit::Credential::Core)

    The Metasploit::Credential::Core to link this login to

  • :port (Fixnum)

    The port number of the ‘Mdm::Service` to link this Login to

  • :service_name (String)

    The service name to use for the ‘Mdm::Service`

  • :status (String)

    The status for the Login object

  • :protocol (String)

    The protocol type of the ‘Mdm::Service` to link this Login to

  • :workspace_id (Fixnum)

    The ID of the ‘Mdm::Workspace` to use for the `Mdm::Host`

  • :task_id (Fixnum)

    The ID of the ‘Mdm::Task` to link this Login to

Returns:

Raises:

  • (KeyError)

    if a required option is missing



177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
# File 'lib/metasploit/credential/creation.rb', line 177

def (opts={})
  return nil unless active_db?
  access_level       = opts.fetch(:access_level, nil)
  core               = opts.fetch(:core)
  last_attempted_at  = opts.fetch(:last_attempted_at, nil)
  status             = opts.fetch(:status)

   = nil
  retry_transaction do
    service_object = create_credential_service(opts)
     = Metasploit::Credential::Login.where(core_id: core.id, service_id: service_object.id).first_or_initialize

    if opts[:task_id]
      .tasks << Mdm::Task.find(opts[:task_id])
    end

    .access_level      = access_level if access_level
    .last_attempted_at = last_attempted_at if last_attempted_at
    .status            = status
    .save!
  end

  
end

#create_credential_origin(opts = {}) ⇒ NilClass, ...

This method is responsible for creating the various Credential::Origin objects. It takes a key for the Origin type and delegates to the correct sub-method.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :origin_type (Symbol)

    The Origin type we are trying to create

  • :address (String)

    The address of the ‘Mdm::Host` to link this Origin to

  • :port (Fixnum)

    The port number of the ‘Mdm::Service` to link this Origin to

  • :service_name (String)

    The service name to use for the ‘Mdm::Service`

  • :protocol (String)

    The protocol type of the ‘Mdm::Service` to link this Origin to

  • :module_fullname (String)

    The fullname of the Metasploit Module to link this Origin to

  • :workspace_id (Fixnum)

    The ID of the ‘Mdm::Workspace` to use for the `Mdm::Host`

  • :task_id (Fixnum)

    The ID of the ‘Mdm::Task` to link this Origin to

  • :filename (String)

    The filename of the file that was imported

  • :user_id (Fixnum)

    The ID of the ‘Mdm::User` to link this Origin to

  • :session_id (Fixnum)

    The ID of the ‘Mdm::Session` to link this Origin to

  • :post_reference_name (String)

    The reference name of the Metasploit Post module to link the origin to

Returns:

Raises:

  • (ArgumentError)

    if an invalid origin_type was provided

  • (KeyError)

    if a required option is missing



224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
# File 'lib/metasploit/credential/creation.rb', line 224

def create_credential_origin(opts={})
  return nil unless active_db?
  case opts[:origin_type]
    when :cracked_password
      create_credential_origin_cracked_password(opts)
    when :import
      create_credential_origin_import(opts)
    when :manual
      create_credential_origin_manual(opts)
    when :service
      create_credential_origin_service(opts)
    when :session
      create_credential_origin_session(opts)
    else
      raise ArgumentError, "Unknown Origin Type #{opts[:origin_type]}"
  end
end

#create_credential_origin_cracked_password(opts = {}) ⇒ NilClass, Metasploit::Credential::Origin::CrackedPassword

This method is responsible for creating Origin::CrackedPassword objects. These are the origins that show that a password Credential was obtained by cracking a hash Credential that previously existed in the database.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :originating_core_id (Fixnum)

    The ID of the originating Credential core.

Returns:



249
250
251
252
253
254
255
256
# File 'lib/metasploit/credential/creation.rb', line 249

def create_credential_origin_cracked_password(opts={})
  return nil unless active_db?
  originating_core_id = opts.fetch(:originating_core_id)

  retry_transaction do
    Metasploit::Credential::Origin::CrackedPassword.where(metasploit_credential_core_id: originating_core_id ).first_or_create!
  end
end

#create_credential_origin_import(opts = {}) ⇒ NilClass, Metasploit::Credential::Origin::Manual

This method is responsible for creating Origin::Import objects.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :filename (String)

    The filename of the file that was imported

Returns:

Raises:

  • (KeyError)

    if a required option is missing



264
265
266
267
268
269
270
271
# File 'lib/metasploit/credential/creation.rb', line 264

def create_credential_origin_import(opts={})
  return nil unless active_db?
  filename = opts.fetch(:filename)

  retry_transaction do
    Metasploit::Credential::Origin::Import.where(filename: filename).first_or_create!
  end
end

#create_credential_origin_manual(opts = {}) ⇒ NilClass, Metasploit::Credential::Origin::Manual

This method is responsible for creating Origin::Manual objects.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :user_id (Fixnum)

    The ID of the ‘Mdm::User` to link this Origin to

Returns:

Raises:

  • (KeyError)

    if a required option is missing



279
280
281
282
283
284
285
286
# File 'lib/metasploit/credential/creation.rb', line 279

def create_credential_origin_manual(opts={})
  return nil unless active_db?
  user_id = opts.fetch(:user_id)

  retry_transaction do
    Metasploit::Credential::Origin::Manual.where(user_id: user_id).first_or_create!
  end
end

#create_credential_origin_service(opts = {}) ⇒ NilClass, Metasploit::Credential::Origin::Service

This method is responsible for creating Origin::Service objects. If there is not a matching ‘Mdm::Host` it will create it. If there is not a matching `Mdm::Service` it will create that too.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :address (String)

    The address of the ‘Mdm::Host` to link this Origin to

  • :port (Fixnum)

    The port number of the ‘Mdm::Service` to link this Origin to

  • :service_name (String)

    The service name to use for the ‘Mdm::Service`

  • :protocol (String)

    The protocol type of the ‘Mdm::Service` to link this Origin to

  • :module_fullname (String)

    The fullname of the Metasploit Module to link this Origin to

Returns:

Raises:

  • (KeyError)

    if a required option is missing



300
301
302
303
304
305
306
307
308
309
310
# File 'lib/metasploit/credential/creation.rb', line 300

def create_credential_origin_service(opts={})
  return nil unless active_db?
  module_fullname  = opts.fetch(:module_fullname)

  service_object = create_credential_service(opts)

  retry_transaction do
    Metasploit::Credential::Origin::Service.where(service_id: service_object.id, module_full_name: module_fullname).first_or_create!
  end

end

#create_credential_origin_session(opts = {}) ⇒ NilClass, Metasploit::Credential::Origin::Session

This method is responsible for creating Origin::Session objects.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :session_id (Fixnum)

    The ID of the ‘Mdm::Session` to link this Origin to

  • :post_reference_name (String)

    The reference name of the Metasploit Post module to link the origin to

Returns:

Raises:

  • (KeyError)

    if a required option is missing



319
320
321
322
323
324
325
326
327
# File 'lib/metasploit/credential/creation.rb', line 319

def create_credential_origin_session(opts={})
  return nil unless active_db?
  session_id           = opts.fetch(:session_id)
  post_reference_name  = opts.fetch(:post_reference_name)

  retry_transaction do
    Metasploit::Credential::Origin::Session.where(session_id: session_id, post_reference_name: post_reference_name).first_or_create!
  end
end

#create_credential_private(opts = {}) ⇒ NilClass, ...

This method is responsible for the creation of Private objects. It will create the correct subclass based on the type.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :jtr_format (String)

    The format for John the ripper to use to try and crack this

  • :private_data (String)

    The actual data for the private (e.g. password, hash, key etc)

  • :private_type (Symbol)

    The type of Private to create

Returns:

Raises:

  • (ArgumentError)

    if a valid type is not supplied

  • (KeyError)

    if a required option is missing



342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
# File 'lib/metasploit/credential/creation.rb', line 342

def create_credential_private(opts={})
  return nil unless active_db?
  private_data = opts.fetch(:private_data)
  private_type = opts.fetch(:private_type)

  private_object = nil

  retry_transaction do
    case private_type
      when :password
        private_object = Metasploit::Credential::Password.where(data: private_data).first_or_create
      when :ssh_key
        private_object = Metasploit::Credential::SSHKey.where(data: private_data).first_or_create
      when :ntlm_hash
        private_object = Metasploit::Credential::NTLMHash.where(data: private_data).first_or_create
        private_object.jtr_format = 'nt,lm'
      when :nonreplayable_hash
        private_object = Metasploit::Credential::NonreplayableHash.where(data: private_data).first_or_create
        if opts[:jtr_format].present?
          private_object.jtr_format = opts[:jtr_format]
        end
      else
        raise ArgumentError, "Invalid Private type: #{private_type}"
    end
    private_object.save!
  end
  private_object
end

#create_credential_public(opts = {}) ⇒ NilClass, Metasploit::Credential::Public

This method is responsible for the creation of Public objects.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :username (String)

    The username to use for the Public

Returns:

Raises:

  • (KeyError)

    if a required option is missing



377
378
379
380
381
382
383
384
# File 'lib/metasploit/credential/creation.rb', line 377

def create_credential_public(opts={})
  return nil unless active_db?
  username = opts.fetch(:username)

  retry_transaction do
    Metasploit::Credential::Public.where(username: username).first_or_create!
  end
end

#create_credential_realm(opts = {}) ⇒ NilClass, Metasploit::Credential::Realm

This method is responsible for creating the Realm objects that may be required.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :realm_key (String)

    The type of Realm this is (e.g. ‘Active Directory Domain’)

  • :realm_value (String)

    The actual Realm name (e.g. contosso)

Returns:

Raises:

  • (KeyError)

    if a required option is missing



394
395
396
397
398
399
400
401
402
# File 'lib/metasploit/credential/creation.rb', line 394

def create_credential_realm(opts={})
  return nil unless active_db?
  realm_key   = opts.fetch(:realm_key)
  realm_value = opts.fetch(:realm_value)

  retry_transaction do
    Metasploit::Credential::Realm.where(key: realm_key, value: realm_value).first_or_create!
  end
end

#create_credential_service(opts = {}) ⇒ NilClass, Mdm::Service

This method is responsible for creating a barebones ‘Mdm::Service` object for use by Credential object creation.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :address (String)

    The address of the ‘Mdm::Host`

  • :port (Fixnum)

    The port number of the ‘Mdm::Service`

  • :service_name (String)

    The service name to use for the ‘Mdm::Service`

  • :protocol (String)

    The protocol type of the ‘Mdm::Service“

  • :workspace_id (Fixnum)

    The ID of the ‘Mdm::Workspace` to use for the `Mdm::Host`

Returns:

  • (NilClass)

    if there is no connected database

  • (Mdm::Service)

Raises:

  • (KeyError)

    if a required option is missing



417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
# File 'lib/metasploit/credential/creation.rb', line 417

def create_credential_service(opts={})
  return nil unless active_db?
  address          = opts.fetch(:address)
  port             = opts.fetch(:port)
  service_name     = opts.fetch(:service_name)
  protocol         = opts.fetch(:protocol)
  workspace_id     = opts.fetch(:workspace_id)

  host_object    = Mdm::Host.where(address: address, workspace_id: workspace_id).first_or_create
  service_object = Mdm::Service.where(host_id: host_object.id, port: port, proto: protocol).first_or_initialize

  service_object.name  = service_name
  service_object.state = "open"
  service_object.save!

  service_object
end

#invalidate_login(opts = {}) ⇒ void

This method returns an undefined value.

This method checks to see if a Login exists for a given set of details. If it does exists, we then appropriately set the status to one of our failure statuses.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :address (String)

    The address of the host we attempted

  • :port (Fixnum)

    the port of the service we attempted

  • :protocol (String)

    the transport protocol of the service we attempted

  • :public (String)

    A string representation of the public we tried

  • :private (String)

    A string representation of the private we tried

  • :status (Symbol)

    The status symbol from the Framework::LoginScanner::Result

Raises:

  • (KeyError)

    if any of the above options are missing



447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
# File 'lib/metasploit/credential/creation.rb', line 447

def (opts = {})
  return nil unless active_db?
  address     = opts.fetch(:address)
  port        = opts.fetch(:port)
  protocol    = opts.fetch(:protocol)
  public      = opts.fetch(:username, nil)
  private     = opts.fetch(:private_data, nil)
  realm_key   = opts.fetch(:realm_key, nil)
  realm_value = opts.fetch(:realm_value, nil)
  status      = opts.fetch(:status)


  pub_obj = Metasploit::Credential::Public.where(username: public).first.try(:id)
  priv_obj = Metasploit::Credential::Private.where(data: private).first.try(:id)
  realm_obj = Metasploit::Credential::Realm.where(key: realm_key, value: realm_value).first.try(:id)

  core = Metasploit::Credential::Core.where(public_id: pub_obj, private_id: priv_obj, realm_id: realm_obj).first

  # Do nothing else if we have no matching core. Otherwise look for a Login.
  if core.present?
     = core.logins.joins(service: :host).where(services: { port: port, proto: protocol } ).where( hosts: {address: address}).readonly(false).first

    if .present?
      .status = status
      .last_attempted_at = DateTime.now
      .save!
    end

  end

end