Added module to enumerate through chocolatey applications #16381
Conversation
Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools. We use Rubocop and msftidy to ensure the quality of our code. This can be run from the root directory of Metasploit:
You can automate most of these changes with the
Please update your branch after these have been made, and reach out if you have any problems.
Thanks for your pull request! Before this can be merged, we need the following documentation for your module:
This is handy, thankfully I stumbled across it before I embarked on a duplicate effort.
I think it needs a tiny bit of fine-tuning, but it's definitely going to see some use once merged. Thanks @rad10
After running a quick test: payload/python/meterpreter/reverse_tcp (Windows)
payload/windows/x64/meterpreter/reverse_tcp
Hey @rad10, thank you for the module! I made a few suggestions based on some things I ran into while testing.
Added spelling corrections to descriptions Co-authored-by: Shelby Pace <40177151+space-r7@users.noreply.github.com>
Changed at symbol in author Co-authored-by: Shelby Pace <40177151+space-r7@users.noreply.github.com>
…ploit-framework into enum_chocolatey_applications
Hey @rad10, thanks for the updates! The changes look good to me. There was some discussion about consolidating the
Edit: Going to keep the
Currently getting these results with the module:
It looks like the regex is capturing some extraneous data from the command. Here's the actual output from the chocolatey command that's run:
)
# collecting all lines that match and placing them into table.
items = data.scan(/(\S+)\s(\d+(?:\.\d+)*)/m)
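Review bot: the pattern on the `items = data.scan(...)` line, `/(\S+)\s(\d+(?:\.\d+)*)/m`, is applied to the whole `choco list -lo` output, banner and validation warnings included, and nothing ties a match to a line, so any token followed by one whitespace character and a number is reported as a package (the extraneous entries noted earlier in the thread). Restrict the name to word characters, `-` and `.` and require a line ending after the version, as the suggestion in the review comment does, so that only whole `name version` lines match; the `m` flag can also go, since the pattern contains no unescaped `.` for it to affect.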
Per my earlier comment, it looks like this regex is grabbing data that's not related to the program name / version. I didn't test this extensively, but it seemed to work with the output I'm getting from chocolatey.
items = data.scan(/(\S+)\s(\d+(?:\.\d+)*)/m)
items = data.scan(/([\w\-\.]+)\s(v?\d+(?:\.\d+)*)\r?\n/)
Pry Output
[1] pry(#<Msf::Modules::Post__Windows__Gather__Enum_chocolatey_applications::MetasploitModule>)> data = cmd_exec(choco_path, 'list -lo')
=> "Chocolatey v1.1.0\r\n2 validations performed. 1 success(es), 1 warning(s), and 0 error(s).\r\n\r\nValidation Warnings:\r\n - A pending system reboot request has been detected, however, this is\r\n being ignored due to the current command being used 'list'.\r\n It is recommended that you reboot at your earliest convenience.\r\n\r\nadobereader 2022.001.20085\r\nchocolatey 1.1.0\r\nchocolatey-core.extension 1.3.5.1\r\nFirefox 98.0.2\r\nKB2919355 1.0.20160915\r\nKB2919442 1.0.20160915\r\n6 packages installed."
[2] pry(#<Msf::Modules::Post__Windows__Gather__Enum_chocolatey_applications::MetasploitModule>)> items = data.scan(/([\w\-\.]+)\s(v?\d+(?:\.\d+)*)\r?\n/)
=> [["Chocolatey", "v1.1.0"],
["adobereader", "2022.001.20085"],
["chocolatey", "1.1.0"],
["chocolatey-core.extension", "1.3.5.1"],
["Firefox", "98.0.2"],
["KB2919355", "1.0.20160915"],
["KB2919442", "1.0.20160915"]]
Results table
Installed Chocolatey Applications
=================================
Name Version
---- -------
Chocolatey v1.1.0
Firefox 98.0.2
KB2919355 1.0.20160915
KB2919442 1.0.20160915
adobereader 2022.001.20085
chocolatey 1.1.0
chocolatey-core.extension 1.3.5.1
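The two patterns compared in this review, run side by side over the `choco list -lo` output quoted in the Pry session above. This is an added example, not code from the pull request or from the Metasploit module: `CHOCO_OUTPUT` is the string returned by `cmd_exec` in that session, `ORIGINAL_RE` and `SUGGESTED_RE` are the two lines from the suggestion, and `NO_V_RE` is an assumed reconstruction of the fix the author describes later in the thread (the suggested pattern with the optional `v` removed), not the merged line.

```ruby
# Added example, not code from the pull request or the Metasploit module.
# It runs the regexes discussed in this review over the `choco list -lo`
# output quoted in the Pry session above, so it executes offline.

# The exact string returned by cmd_exec in the quoted Pry session.
CHOCO_OUTPUT = "Chocolatey v1.1.0\r\n2 validations performed. 1 success(es), 1 warning(s), and 0 error(s).\r\n\r\n" \
               "Validation Warnings:\r\n - A pending system reboot request has been detected, however, this is\r\n" \
               " being ignored due to the current command being used 'list'.\r\n" \
               " It is recommended that you reboot at your earliest convenience.\r\n\r\n" \
               "adobereader 2022.001.20085\r\nchocolatey 1.1.0\r\nchocolatey-core.extension 1.3.5.1\r\n" \
               "Firefox 98.0.2\r\nKB2919355 1.0.20160915\r\nKB2919442 1.0.20160915\r\n6 packages installed."

# Pattern from the pull request: any run of non-space characters, one
# whitespace character, then a dotted number. Nothing ties it to a line,
# so it also fires inside the banner ("performed. 1", "and 0").
ORIGINAL_RE = /(\S+)\s(\d+(?:\.\d+)*)/m

# Pattern suggested in the review: a name made of word characters, '-' and
# '.', an optional 'v', and a mandatory line ending after the version.
SUGGESTED_RE = /([\w\-\.]+)\s(v?\d+(?:\.\d+)*)\r?\n/

# Assumption: the author's later fix drops the optional 'v' so the
# "Chocolatey v1.1.0" banner line is no longer counted as a package. This
# is reconstructed from the discussion, not copied from the merged module.
NO_V_RE = /([\w\-\.]+)\s(\d+(?:\.\d+)*)\r?\n/

# Return [[name, version], ...] for every match of +re+ in +output+.
def scan_packages(output, re)
  output.scan(re)
end

# Matches produced by the loose pattern whose "name" is not a real package
# line according to the line-anchored pattern.
def extraneous_matches(output)
  real_names = scan_packages(output, SUGGESTED_RE).map(&:first)
  scan_packages(output, ORIGINAL_RE).reject { |name, _| real_names.include?(name) }
end

# Build the name => version hash a results table would be fed from.
def package_versions(output, re = NO_V_RE)
  scan_packages(output, re).to_h
end

if __FILE__ == $PROGRAM_NAME
  puts "loose pattern also picks up: #{extraneous_matches(CHOCO_OUTPUT).inspect}"
  package_versions(CHOCO_OUTPUT).each { |name, ver| puts "#{name} #{ver}" }
end
```

Run stand-alone it first prints the three banner fragments the loose pattern mistakes for packages (`performed. 1`, `success(es), 1`, `and 0`), then the six real package lines; with `SUGGESTED_RE` instead of `NO_V_RE` the `Chocolatey v1.1.0` banner line is the seventh entry, which is the duplicate the author chose to drop.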
I added a fix to the regex. I didn't include the v in the version because I noticed that only chocolatey includes the v in the version for itself. Since there's no point in including chocolatey twice, I decided to not include it. I tested it on a sample of 300 packages, and this line managed to grab all of them and ignore the rest.
Makes sense to me! Thanks!
Changes look good to me and confirmed that we get the program names and versions:
Target with Chocolatey applications
Target without Chocolatey
I ended up adding an additional commit (79df619) that makes sure that
Release Notes
This adds a post module that enumerates applications installed with Chocolatey on Windows systems.
Thanks for the module @rad10 🎉
Glad to have contributed!
Verification
msfconsole
use post/windows/gather/enum_chocolatey_applications
set SESSION [ID]
run
(https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/aws_keys.md)
This simply enters the machine and prints out all applications installed on the machine through Chocolatey. Since not all applications installed through Chocolatey show up in Windows Settings, it may be a good way to view other avenues for backdoors.