
Added module to enumerate through chocolatey applications #16381

Merged
merged 23 commits into from
Apr 1, 2022

Conversation

rad10
Contributor

@rad10 rad10 commented Mar 25, 2022

Tell us what this change does. If you're fixing a bug, please mention
the github issue number.

Please ensure you are submitting from a unique branch in your repository to master in Rapid7's.

Verification

List the steps needed to make sure this thing works

This simply enters the machine and prints out all applications installed on the machine through chocolatey. Since not all applications installed through chocolatey show up in windows settings, it may be a good way to view other avenues for backdoors.

@adfoster-r7 adfoster-r7 added needs-linting The module needs additional work to pass our automated linting rules needs-docs labels Mar 25, 2022
@github-actions

Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools.

We use Rubocop and msftidy to ensure the quality of our code. This can be run from the root directory of Metasploit:

rubocop <directory or file>
tools/dev/msftidy.rb <directory or file>

You can automate most of these changes with the -a flag:

rubocop -a <directory or file>

Please update your branch after these have been made, and reach out if you have any problems.

@github-actions

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

Contributor

@sempervictus sempervictus left a comment


This is handy, thankfully stumbled across it before I embarked on a duplicate effort.
I think it needs a tiny bit of fine-tuning, but definitely going to see some use once merged. Thanks @rad10

@sjanusz-r7
Contributor

sjanusz-r7 commented Mar 28, 2022

After running a quick test:

payload/python/meterpreter/reverse_tcp (Windows)

msf6 post(windows/gather/enum_chocolatey_applications) > sessions

Active sessions
===============

  Id  Name  Type                       Information  Connection
  --  ----  ----                       -----------  ----------
  1         meterpreter python/python               192.168.129.1:4444 -> 192.168.129.131:49696  (192.168.129.131)

msf6 post(windows/gather/enum_chocolatey_applications) > run

[!] SESSION may not be compatible with this module:
[!]  * incompatible session platform: python
[*] Enumerating applications installed on DESKTOP-T5PBUMF
[*] Targets Chocolatey version: 0.12.1
[*] Getting chocolatey applications.
[+] Successfully grabbed all items
Installed Chocolatey Applications
=================================

 Name                       Version
 ----                       -------
 DotNet4.5.2                4.5.2.20140902
 chocolatey                 0.12.1
 chocolatey-core.extension  1.3.5.1
 vscode                     1.64.0
 vscode.install             1.64.0

[+] Results stored in: /Users/sjanusz/.msf4/loot/20220328111814_default_192.168.129.131_host.application_822234.txt
[*] Post module execution completed

payload/windows/x64/meterpreter/reverse_tcp

msf6 post(windows/gather/enum_chocolatey_applications) > sessions

Active sessions
===============

  Id  Name  Type                     Information                              Connection
  --  ----  ----                     -----------                              ----------
  3         meterpreter x64/windows  DESKTOP-T5PBUMF\simon @ DESKTOP-T5PBUMF  192.168.129.1:4444 -> 192.168.129.131:49723  (192.168.129.131)

msf6 post(windows/gather/enum_chocolatey_applications) > run

[*] Enumerating applications installed on DESKTOP-T5PBUMF
[*] Targets Chocolatey version: 0.12.1
[*] Getting chocolatey applications.
[+] Successfully grabbed all items
Installed Chocolatey Applications
=================================

 Name                       Version
 ----                       -------
 DotNet4.5.2                4.5.2.20140902
 chocolatey                 0.12.1
 chocolatey-core.extension  1.3.5.1
 vscode                     1.64.0
 vscode.install             1.64.0

[+] Results stored in: /Users/sjanusz/.msf4/loot/20220328152732_default_192.168.129.131_host.application_329130.txt
[*] Post module execution completed

@rad10 rad10 marked this pull request as ready for review March 28, 2022 17:41
@rad10 rad10 requested a review from adfoster-r7 March 28, 2022 18:45
Contributor

@space-r7 space-r7 left a comment


Hey @rad10, thank you for the module! I made a few suggestions based on some things I ran into while testing.

@space-r7 space-r7 self-assigned this Mar 29, 2022
@space-r7 space-r7 added module docs and removed needs-docs needs-linting The module needs additional work to pass our automated linting rules labels Mar 30, 2022
rad10 and others added 7 commits March 31, 2022 10:56
@rad10 rad10 requested a review from space-r7 March 31, 2022 15:37
@space-r7
Contributor

space-r7 commented Mar 31, 2022

Hey @rad10, thanks for the updates! The changes look good to me. There was some discussion about consolidating the chocolatey? and chocopath methods amongst the team, but I can do that since it's a small change.

Edit: Going to keep the chocolatey? method after all. For some reason, cmd_exec() is throwing the error even when chocolatey is installed for me, so catching that in the chocolatey? method for each cmd_exec() call makes more sense.

@space-r7
Contributor

Currently getting these results with the module:

Installed Chocolatey Applications
=================================

 Name                       Version
 ----                       -------
 Firefox                    98.0.2
 KB2919355                  1.0.20160915
 KB2919442                  1.0.20160915
 adobereader                2022.001.20085
 and                        0
 chocolatey                 1.1.0
 chocolatey-core.extension  1.3.5.1
 performed.                 1
 success(es),               1

It looks like the regex is capturing some extraneous data from the command. Here's the actual output from the chocolatey command that's run:

C:\Users\space>choco.exe list -lo
Chocolatey v1.1.0
2 validations performed. 1 success(es), 1 warning(s), and 0 error(s).

Validation Warnings:
 - A pending system reboot request has been detected, however, this is
   being ignored due to the current command being used 'list'.
   It is recommended that you reboot at your earliest convenience.

adobereader 2022.001.20085
chocolatey 1.1.0
chocolatey-core.extension 1.3.5.1
Firefox 98.0.2
KB2919355 1.0.20160915
KB2919442 1.0.20160915
6 packages installed.

# collecting all lines that match and placing them into table.
items = data.scan(/(\S+)\s(\d+(?:\.\d+)*)/m)
Contributor


Per my earlier comment, it looks like this regex is grabbing data that's not related to the program name / version. I didn't test this extensively, but it seemed to work with the output I'm getting from chocolatey.

Suggested change
items = data.scan(/(\S+)\s(\d+(?:\.\d+)*)/m)
items = data.scan(/([\w\-\.]+)\s(v?\d+(?:\.\d+)*)\r?\n/)
Pry Output
[1] pry(#<Msf::Modules::Post__Windows__Gather__Enum_chocolatey_applications::MetasploitModule>)> data = cmd_exec(choco_path, 'list -lo')
=> "Chocolatey v1.1.0\r\n2 validations performed. 1 success(es), 1 warning(s), and 0 error(s).\r\n\r\nValidation Warnings:\r\n - A pending system reboot request has been detected, however, this is\r\n   being ignored due to the current command being used 'list'.\r\n   It is recommended that you reboot at your earliest convenience.\r\n\r\nadobereader 2022.001.20085\r\nchocolatey 1.1.0\r\nchocolatey-core.extension 1.3.5.1\r\nFirefox 98.0.2\r\nKB2919355 1.0.20160915\r\nKB2919442 1.0.20160915\r\n6 packages installed."
[2] pry(#<Msf::Modules::Post__Windows__Gather__Enum_chocolatey_applications::MetasploitModule>)> items = data.scan(/([\w\-\.]+)\s(v?\d+(?:\.\d+)*)\r?\n/)
=> [["Chocolatey", "v1.1.0"],
 ["adobereader", "2022.001.20085"],
 ["chocolatey", "1.1.0"],
 ["chocolatey-core.extension", "1.3.5.1"],
 ["Firefox", "98.0.2"],
 ["KB2919355", "1.0.20160915"],
 ["KB2919442", "1.0.20160915"]]
Results table
Installed Chocolatey Applications
=================================

 Name                       Version
 ----                       -------
 Chocolatey                 v1.1.0
 Firefox                    98.0.2
 KB2919355                  1.0.20160915
 KB2919442                  1.0.20160915
 adobereader                2022.001.20085
 chocolatey                 1.1.0
 chocolatey-core.extension  1.3.5.1

Contributor Author


I added a fix to the regex. I didn't include the v in the version because I noticed that only chocolatey includes the v in the version for itself. Since there's no point in including chocolatey twice, I decided to not include it. I tested it on a sample of 300 packages, and this line managed to grab all of them and ignore the rest.

Contributor


Makes sense to me! Thanks!

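As an added example for the regex thread above (not code from the PR or from Metasploit), the Ruby below runs both regexes quoted in the review over a constructed copy of the `choco list -lo` output from the pry session, then shows a line-anchored parser of my own; `SAMPLE`, `PACKAGE_LINE`, `parse_choco_list` and `stray_matches` are names I introduced.

```ruby
# Added example (not from the PR or from Metasploit): compares the two regexes
# from the review against a constructed copy of the quoted `choco list -lo`
# output, then parses the same output line by line.

# Constructed sample, reproducing the string shown in the pry session above.
SAMPLE = "Chocolatey v1.1.0\r\n" \
  "2 validations performed. 1 success(es), 1 warning(s), and 0 error(s).\r\n" \
  "\r\nValidation Warnings:\r\n" \
  " - A pending system reboot request has been detected, however, this is\r\n" \
  "   being ignored due to the current command being used 'list'.\r\n" \
  "   It is recommended that you reboot at your earliest convenience.\r\n" \
  "\r\nadobereader 2022.001.20085\r\nchocolatey 1.1.0\r\n" \
  "chocolatey-core.extension 1.3.5.1\r\nFirefox 98.0.2\r\n" \
  "KB2919355 1.0.20160915\r\nKB2919442 1.0.20160915\r\n6 packages installed."

# Regex as originally submitted: any non-space token followed by digits, so
# sentence fragments such as "performed. 1" are captured too.
ORIGINAL_RE = /(\S+)\s(\d+(?:\.\d+)*)/m

# Regex suggested in review: narrower name charset, version must end the line.
SUGGESTED_RE = /([\w\-\.]+)\s(v?\d+(?:\.\d+)*)\r?\n/

def scan_with(regex, output)
  output.scan(regex)
end

# Line-oriented alternative (my own, not the version merged in the PR): a line
# is a package only if it is exactly "<name> <version>" with a numeric version,
# which skips the Chocolatey header (its version carries a "v") and the
# summary sentences, and does not depend on the final line having a newline.
PACKAGE_LINE = /\A([\w\-\.]+) (\d+(?:\.\d+)*)\z/

def parse_choco_list(output)
  output.split(/\r?\n/).map { |line| PACKAGE_LINE.match(line) }
        .compact.map { |m| [m[1], m[2]] }
end

# Pairs the original regex reported that are not real packages.
def stray_matches(output)
  scan_with(ORIGINAL_RE, output) - parse_choco_list(output)
end

if __FILE__ == $PROGRAM_NAME
  puts "original regex: #{scan_with(ORIGINAL_RE, SAMPLE).length} matches"
  puts "stray: #{stray_matches(SAMPLE).inspect}"
  puts "line parser: #{parse_choco_list(SAMPLE).inspect}"
end
```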
@rad10 rad10 requested a review from space-r7 April 1, 2022 15:34
@space-r7
Contributor

space-r7 commented Apr 1, 2022

Changes look good to me and confirmed that we get the program names and versions:

Target with Chocolatey applications
msf6 exploit(multi/handler) > use post/windows/gather/enum_chocolatey_applications 
msf6 post(windows/gather/enum_chocolatey_applications) > set session 1
session => 1
msf6 post(windows/gather/enum_chocolatey_applications) > run

[*] Enumerating applications installed on DESKTOP-P1UHERT
[*] Targets Chocolatey version: 1.1.0
[*] Getting chocolatey applications.
[+] Successfully grabbed all items
Installed Chocolatey Applications
=================================

 Name                       Version
 ----                       -------
 Firefox                    98.0.2
 KB2919355                  1.0.20160915
 KB2919442                  1.0.20160915
 adobereader                2022.001.20085
 chocolatey                 1.1.0
 chocolatey-core.extension  1.3.5.1

[*] Post module execution completed
Target without Chocolatey
msf6 post(windows/gather/enum_chocolatey_applications) > set session 2
session => 2
msf6 post(windows/gather/enum_chocolatey_applications) > run

[-] Post aborted due to failure: not-found: Chocolatey path not found
[*] Post module execution completed

space-r7 added a commit that referenced this pull request Apr 1, 2022
@space-r7 space-r7 merged commit eb54081 into rapid7:master Apr 1, 2022
@space-r7
Contributor

space-r7 commented Apr 1, 2022

I ended up adding an additional commit (79df619) that makes sure that chocopath() is only called once and returns nil if no path is found.

@space-r7
Contributor

space-r7 commented Apr 1, 2022

Release Notes

This adds a post module that enumerates applications installed with Chocolatey on Windows systems.

@space-r7 space-r7 added the rn-modules release notes for new or majorly enhanced modules label Apr 1, 2022
@adfoster-r7
Contributor

Thanks for the module @rad10 🎉

@rad10
Contributor Author

rad10 commented Apr 1, 2022

Glad to have contributed!

@rad10 rad10 deleted the enum_chocolatey_applications branch April 1, 2022 22:41