Add *nix Gather Grub Password module #11426

Open. Wants to merge 7 commits into master from dgarvit:grub_pass.

4 participants

dgarvit commented Feb 17, 2019

#11166

Steps needed to make sure this thing works

  • Start msfconsole
  • Get reverse_tcp shell/meterpreter session
  • use post/multi/gather/grub_password
  • set session <session-id>
  • run
dgarvit commented Feb 17, 2019

The virtual machine grub file didn't actually have any password in the grub file, so I tested the function to dump all lines starting with set. Here is a screenshot of the same.

[screenshot omitted]

@dgarvit dgarvit force-pushed the dgarvit:grub_pass branch from b3419c3 to 22340ab Feb 17, 2019

Review thread on modules/post/multi/gather/grub_password.rb (excerpt of the module under review, blocks closed for readability):

```ruby
file.each_line do |line|
  line = line.strip
  if line.start_with?("password")
    print_good("Found password: #{line}")
  end
end
```

h00die Feb 17, 2019
Would be good to add the credit to the database as well.

dgarvit Feb 17, 2019

Database as in, the name of the file from which the password was gathered?

h00die Feb 17, 2019

You could store_loot for the file, but then store_creds or create_creds (forgot which it is) to store the password as well

dgarvit Feb 17, 2019

Done! By the way, it was create_credential :)

bcoles Feb 21, 2019

Storing credentials in the database should only be performed if the credentials are parsed appropriately.

Parsing the grub config is not as simple as splitting by whitespace. For this reason, the lazy option of simply matching and printing every line beginning with /password/i is far easier.

However, if you want to research GRUB and its various configuration formats, it would be a good learning opportunity, and would make for a far more usable msf module, as creds stored in the database can be sprayed elsewhere :)

Also, private_type: :password is reserved for instances where the clear text password is stored. GRUB passwords can be hashed or encrypted, in which case private_type: :nonreplayable_hash is appropriate.

dgarvit Feb 21, 2019

You are right, I was faced with the same challenge. I'll research GRUB for various configuration formats!

bcoles Feb 21, 2019

Awesome. This is why I created issue #11166 instead of doing it myself - so parsing can be someone else's problem :P

Also, if you go that route, then a better approach exists for your loop.

Instead of shoving everything in a loop and using a found variable, then relying upon it at the end, you can instead build up a Hash of credentials ([username] / <private> / <private_type>). Then, once all files have been parsed, you can iterate through the Hash, storing each credential in the database, and building a pretty table for output to console.

You can find some examples of this code pattern with:

grep -rn "cred_table" modules/

Here's an example.

And here's some pretty example output which may help with motivation:

msf > use auxiliary/scanner/http/surgenews_user_creds 
msf auxiliary(surgenews_user_creds) > set rhosts 172.16.191.133 172.16.191.166
rhosts => 172.16.191.133 172.16.191.166
msf auxiliary(surgenews_user_creds) > run

[+] Found administrator credentials (admin:admin)

SurgeNews User Credentials
==========================

 Username   Password  Password Hash                           Admin
 --------   --------  -------------                           -----
 admin      admin                                             true
 qwerty@bt            {ssha}BuFLjIFUUSy1IltX3AuN420qV2ZFU7EL  false
 user@bt              {ssha}HFTkDsnNlLiaHN+sIS9VQarVGGXmYISn  false

[+] Credentials saved in: /root/.msf4/loot/20170616185817_default_172.16.191.133_surgenews.user.c_633569.txt
[*] Scanned 1 of 2 hosts (50% complete)
[+] Found administrator credentials (test:test)
[+] Found user credentials (zxcv@win-sgbsd5tqutq:zxcv)

SurgeNews User Credentials
==========================

 Username              Password  Password Hash                           Admin
 --------              --------  -------------                           -----
 asdf@win-sgbsd5tqutq            {ssha}8ytixKjxf3kaBc6T471R1Re/C8MUnKnF  false
 test                  test                                              true
 test@win-sgbsd5tqutq            {ssha}Vw8EkFxAJuiZrb98Fz+sdr/yEEmBZ2Jc  false
 test@win-sgbsd5tqutq            {ssha}j4teSf4CgA3+XVRJscFHyqoOQJRoLg4K  false
 zxcv@win-sgbsd5tqutq  zxcv                                              false

[+] Credentials saved in: /root/.msf4/loot/20170616185817_default_172.16.191.166_surgenews.user.c_077983.txt
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
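The two points bcoles raises above, parsing the GRUB formats properly before storing anything and collecting results in a Hash to table them at the end, as an added example. This is not code from this PR or from Metasploit; the `GrubCreds` module name, the sample config snippets (constructed, not captured from a real host) and the choice of `root` as the implicit user for GRUB Legacy and for RHEL's `user.cfg` are assumptions. Where a real module would call `create_credential`, this example just prints a row.

```ruby
# Added example: parse the GRUB password directives a post module is likely
# to meet and classify each secret the way Metasploit expects:
#   :password            -> cleartext (replayable)
#   :nonreplayable_hash  -> grub.pbkdf2.* or $1$/$5$/$6$ crypt hashes
#
# Formats handled:
#   GRUB 2 (grub.cfg, /etc/grub.d/*): password_pbkdf2 <user> grub.pbkdf2.sha512.<iter>.<salt>.<hash>
#                                     password <user> <cleartext>
#   GRUB 2 user.cfg (grub2-setpassword on RHEL/CentOS): GRUB2_PASSWORD=grub.pbkdf2.sha512...
#   GRUB Legacy (menu.lst, grub.conf): password [--md5] <secret> [new-config-file]
module GrubCreds
  module_function

  LEGACY_FILES = %w[menu.lst grub.conf].freeze

  # GRUB Legacy has no per-user syntax, so the same "password" keyword means
  # something different there; pick the grammar from the file name.
  def legacy_file?(path)
    LEGACY_FILES.include?(File.basename(path))
  end

  def unquote(tok)
    tok.to_s.sub(/\A["']/, '').sub(/["']\z/, '')
  end

  def hashed?(secret)
    secret.start_with?('grub.pbkdf2.', '$1$', '$5$', '$6$')
  end

  # One credential in the shape create_credential wants for its private part.
  def cred(user, secret)
    { user: user, private: secret,
      private_type: hashed?(secret) ? :nonreplayable_hash : :password }
  end

  def parse(text, legacy: false)
    creds = []
    text.each_line do |raw|
      line = raw.strip
      next if line.empty? || line.start_with?('#')
      tokens = line.split.map { |t| unquote(t) } # whitespace split; quoted secrets with spaces are not handled

      if (m = tokens[0].match(/\AGRUB2_PASSWORD=(.+)\z/))
        creds << cred('root', unquote(m[1])) # 'root' is an assumption: user.cfg carries no user
        next
      end

      case tokens[0]
      when 'password_pbkdf2'
        next if tokens.size < 3
        creds << cred(tokens[1], tokens[2])
      when 'password'
        if legacy
          args = tokens.drop(1)
          args.shift if args.first == '--md5'
          next if args.empty?
          creds << cred('root', args.first) # 'root' is an assumption: Legacy has no user
        else
          next if tokens.size < 3
          creds << cred(tokens[1], tokens[2])
        end
      end
    end
    creds
  end

  # Constructed sample files (not from a real system).
  SAMPLES = {
    '/boot/grub/grub.cfg' => <<~'CFG',
      ### BEGIN /etc/grub.d/40_custom ###
      set superusers="root"
      password_pbkdf2 root grub.pbkdf2.sha512.10000.0123456789ABCDEF.FEDCBA9876543210
      password guest letmein
      ### END /etc/grub.d/40_custom ###
    CFG
    '/boot/grub2/user.cfg' => "GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.AAAA.BBBB\n",
    '/boot/grub/menu.lst' => <<~'LST'
      # GRUB Legacy; the user is implicit
      password --md5 $1$abcd$0123456789abcdefghijkl
      timeout 5
    LST
  }.freeze

  # Parse every file first, then hand back one flat list tagged with its
  # source so the caller can store and table it in a single pass.
  def gather(samples = SAMPLES)
    samples.flat_map do |path, text|
      parse(text, legacy: legacy_file?(path)).map { |c| c.merge(source: path) }
    end
  end
end

if $PROGRAM_NAME == __FILE__
  GrubCreds.gather.each do |c|
    # A real module would call create_credential(...) here with c[:private_type].
    puts format('%-22s %-6s %-18s %s', c[:source], c[:user], c[:private_type], c[:private])
  end
end
```

Only the pbkdf2 and crypt-style secrets get `:nonreplayable_hash`; anything else on a `password` line is treated as cleartext, which is the case worth spraying. Secrets containing whitespace or quotes are the remaining gap, which is why the loop splits on whitespace rather than pretending to be a full GRUB tokenizer.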

dgarvit added some commits Feb 17, 2019

@bcoles bcoles added docs and removed needs-docs labels Feb 17, 2019

@bcoles bcoles added the delayed label Feb 28, 2019

wchen-r7 commented Mar 5, 2019

@bcoles I see that there's a delayed label. What kind of improvements are you looking for, perhaps I could assist?

bcoles commented Mar 5, 2019

@bcoles I see that there's a delayed label. What kind of improvements are you looking for, perhaps I could assist?

Thread: #11426 (comment) - Specifically: #11426 (comment)

The module should be updated with appropriate parsing for the extracted password.
