Add Group Policy Preferences (creds) support to db_import #10507

Merged: 5 commits, Aug 28, 2018
6 changes: 6 additions & 0 deletions lib/msf/core/db_manager/import.rb
@@ -21,6 +21,7 @@ module Msf::DBManager::Import
autoload :CI, 'msf/core/db_manager/import/ci'
autoload :Foundstone, 'msf/core/db_manager/import/foundstone'
autoload :FusionVM, 'msf/core/db_manager/import/fusion_vm'
autoload :GPP, 'msf/core/db_manager/import/gpp'
autoload :IP360, 'msf/core/db_manager/import/ip360'
autoload :IPList, 'msf/core/db_manager/import/ip_list'
autoload :Libpcap, 'msf/core/db_manager/import/libpcap'
@@ -47,6 +48,7 @@ module Msf::DBManager::Import
include Msf::DBManager::Import::CI
include Msf::DBManager::Import::Foundstone
include Msf::DBManager::Import::FusionVM
include Msf::DBManager::Import::GPP
include Msf::DBManager::Import::IP360
include Msf::DBManager::Import::IPList
include Msf::DBManager::Import::Libpcap
@@ -164,6 +166,7 @@ def import_file(args={}, &block)
# :ci_xml
# :foundstone_xml
# :fusionvm_xml
# :gpp_xml
# :ip360_aspl_xml
# :ip360_xml_v3
# :ip_list
@@ -358,6 +361,9 @@ def import_filetype_detect(data)
when "main"
@import_filedata[:type] = "Outpost24 XML"
return :outpost24_xml
when /Groups|DataSources|Drives|ScheduledTasks|NTServices/
@import_filedata[:type] = "Group Policy Preferences Credentials"
return :gpp_xml
else
# Give up if we haven't hit the root tag in the first few lines
break if line_count > 10
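Review bot: the new `when /Groups|DataSources|Drives|ScheduledTasks|NTServices/` branch is unanchored, so any root tag name that merely contains one of those words (a hypothetical `<DrivesReport>` or `<NTServicesList>` root, for example) would be classified as "Group Policy Preferences Credentials" and routed to the GPP importer. The neighbouring branches in this `case` compare the extracted tag name against exact literals (`when "main"`), so to get the same precision here anchor the pattern, e.g. `when /\A(Groups|DataSources|Drives|ScheduledTasks|NTServices)\z/`, so that only the exact GPP root elements match.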
41 changes: 41 additions & 0 deletions lib/msf/core/db_manager/import/gpp.rb
@@ -0,0 +1,41 @@
require 'rex/parser/group_policy_preferences'

module Msf::DBManager::Import::GPP
Contributor Author:
I'm leaving the name as GPP for future expansion... and I'm more liable to screw up the rename now.

def import_gpp_xml(args = {}, &block)
return unless args && args[:data] && !args[:data].empty?

gpp = Rex::Parser::GPP.parse(args[:data])

return unless gpp && gpp.any?

wspace = find_workspace(args[:workspace])

return unless wspace && wspace.respond_to?(:id)

gpp.each do |p|
# Skip incomplete creds
next unless p[:USER] && p[:PASS]

# Store decrypted creds
create_credential(
workspace_id: wspace.id,
origin_type: :import,
filename: args[:filename],
username: p[:USER],
@wvu (Contributor Author), Aug 22, 2018:
While we're at it, these values should be checked for existence each loop. Done.

private_data: p[:PASS],
private_type: :password
)
end

# Store entire file as loot, including metadata
report_loot(
workspace: wspace,
path: args[:filename],
name: File.basename(args[:filename]),
Contributor Author:
Not sure I see the point of this if it's just the basename. But it fills in a column.

data: args[:data],
type: 'microsoft.windows.gpp',
ctype: 'text/xml',
info: gpp
)
end
end
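Review bot: `File.basename(args[:filename])` in the `report_loot` call raises a `TypeError` when `args[:filename]` is nil, and nothing in this method guarantees it is set: the guard at the top only checks `args[:data]`, so an import driven from data alone (no file on disk) would pass the credential loop and then fail on the loot entry. Guard it, e.g. `name: args[:filename] ? File.basename(args[:filename]) : 'gpp.xml'`, or skip `report_loot` when no filename is available. Two smaller points in the same hunk: `next unless p[:USER] && p[:PASS]` lets empty strings through (a `.empty?` check on both would avoid storing blank credentials), and `info: gpp` writes the parsed array, decrypted `:PASS` values included, into the loot info column, so the plaintext is persisted a second time alongside the creds table; consider putting only the non-secret fields (user, type, source element) in `info`.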
1 change: 1 addition & 0 deletions lib/msf/core/rpc/v10/rpc_db.rb
@@ -1493,6 +1493,7 @@ def rpc_loots(xopts)
# * :ci_xml
# * :foundstone_xml
# * :fusionvm_xml
# * :gpp_xml
# * :ip360_aspl_xml
# * :ip360_xml_v3
# * :ip_list
1 change: 1 addition & 0 deletions lib/msf/ui/console/command_dispatcher/db.rb
@@ -1428,6 +1428,7 @@ def cmd_db_import_help
print_line " CI"
print_line " Foundstone"
print_line " FusionVM XML"
print_line " Group Policy Preferences Credentials"
print_line " IP Address List"
print_line " IP360 ASPL"
print_line " IP360 XML v3"
1 change: 1 addition & 0 deletions spec/lib/msf/ui/console/command_dispatcher/db_spec.rb
@@ -84,6 +84,7 @@
" CI",
" Foundstone",
" FusionVM XML",
" Group Policy Preferences Credentials",
" IP Address List",
" IP360 ASPL",
" IP360 XML v3",
3 changes: 2 additions & 1 deletion spec/support/shared/examples/msf/db_manager/import.rb
@@ -21,6 +21,7 @@
it_should_behave_like 'Msf::DBManager::Import::CI'
it_should_behave_like 'Msf::DBManager::Import::Foundstone'
it_should_behave_like 'Msf::DBManager::Import::FusionVM'
it_should_behave_like 'Msf::DBManager::Import::GPP'
it_should_behave_like 'Msf::DBManager::Import::IP360'
it_should_behave_like 'Msf::DBManager::Import::IPList'
it_should_behave_like 'Msf::DBManager::Import::Libpcap'
@@ -38,4 +39,4 @@
it_should_behave_like 'Msf::DBManager::Import::Retina'
it_should_behave_like 'Msf::DBManager::Import::Spiceworks'
it_should_behave_like 'Msf::DBManager::Import::Wapiti'
end
end
3 changes: 3 additions & 0 deletions spec/support/shared/examples/msf/db_manager/import/gpp.rb
@@ -0,0 +1,3 @@
RSpec.shared_examples_for 'Msf::DBManager::Import::GPP' do
it { is_expected.to respond_to :import_gpp_xml }
end
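Review bot: this shared example only asserts `respond_to :import_gpp_xml`, which passes as soon as the module is included and exercises none of the logic added in gpp.rb. A spec that calls `import_gpp_xml` with a small constructed GPP XML string and asserts that a credential is created, plus cases for nil/empty `:data` and an unknown workspace returning early, would cover the guards in that method and would have caught the nil-filename path in `report_loot`.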