
Add enum_trusted_locations.rb #6966

Merged
merged 7 commits into from Jun 21, 2016

Conversation

@vysecurity vysecurity commented Jun 12, 2016

"A trusted location is typically a folder on your hard disk or a network share. Any file that you put in a trusted location can be opened without being checked by the Trust Center security feature." - https://support.office.com/en-us/article/Create-remove-or-change-a-trusted-location-for-your-files-f5151879-25ea-4998-80a5-4208b3540a62

This adds a post-exploitation module to enumerate all trusted locations for the different Office applications on a machine.

Verification

  • Start msfconsole
  • Get a shell
  • use post/windows/gather/enum_trusted_locations
  • set SESSION 1
  • run

Output

msf post(enum_trusted_locations) > run

[*] [2016.06.12-11:07:03] 192.168.100.53:49182 - 
[*] [2016.06.12-11:07:03] 192.168.100.53:49182 - Found Office:
[*] [2016.06.12-11:07:03] 192.168.100.53:49182 - Version found: 15.0
[*] [2016.06.12-11:07:03] 192.168.100.53:49182 - Found applications.
[*] [2016.06.12-11:07:03] 192.168.100.53:49182 - Found trusted locations.
[*] [2016.06.12-11:07:03] 192.168.100.53:49182 - 
[*] [2016.06.12-11:07:03] 192.168.100.53:49182 - Description: Access default location: Wizard Databases
[*] [2016.06.12-11:07:03] 192.168.100.53:49182 - Path: C:\Program Files\Microsoft Office\Office15\ACCWIZ\, AllowSub: False
[*] [2016.06.12-11:07:03] 192.168.100.53:49182 - Found trusted locations.
[*] [2016.06.12-11:07:03] 192.168.100.53:49182 - 
[*] [2016.06.12-11:07:03] 192.168.100.53:49182 - Description: 3
[*] [2016.06.12-11:07:04] 192.168.100.53:49182 - Path: C:\Program Files\Microsoft Office\Office15\XLSTART\, AllowSub: True
[*] [2016.06.12-11:07:04] 192.168.100.53:49182 - 
[*] [2016.06.12-11:07:04] 192.168.100.53:49182 - Description: 4
[*] [2016.06.12-11:07:04] 192.168.100.53:49182 - Path: %APPDATA%\Microsoft\Excel\XLSTART, AllowSub: False
[*] [2016.06.12-11:07:04] 192.168.100.53:49182 - 
[*] [2016.06.12-11:07:04] 192.168.100.53:49182 - Description: 5
[*] [2016.06.12-11:07:04] 192.168.100.53:49182 - Path: %APPDATA%\Microsoft\Templates, AllowSub: False
[*] [2016.06.12-11:07:04] 192.168.100.53:49182 - 
[*] [2016.06.12-11:07:04] 192.168.100.53:49182 - Description: 6
[*] [2016.06.12-11:07:04] 192.168.100.53:49182 - Path: C:\Program Files\Microsoft Office\Templates\, AllowSub: True
[*] [2016.06.12-11:07:04] 192.168.100.53:49182 - 
[*] [2016.06.12-11:07:05] 192.168.100.53:49182 - Description: 7
[*] [2016.06.12-11:07:05] 192.168.100.53:49182 - Path: C:\Program Files\Microsoft Office\Office15\STARTUP\, AllowSub: True
[*] [2016.06.12-11:07:05] 192.168.100.53:49182 - 
[*] [2016.06.12-11:07:05] 192.168.100.53:49182 - Description: 12
[*] [2016.06.12-11:07:05] 192.168.100.53:49182 - Path: C:\Program Files\Microsoft Office\Office15\Library\, AllowSub: True
[*] [2016.06.12-11:07:06] 192.168.100.53:49182 - Found trusted locations.
[*] [2016.06.12-11:07:06] 192.168.100.53:49182 - 
[*] [2016.06.12-11:07:06] 192.168.100.53:49182 - Description: 8
[*] [2016.06.12-11:07:06] 192.168.100.53:49182 - Path: %APPDATA%\Microsoft\Templates, AllowSub: True
[*] [2016.06.12-11:07:06] 192.168.100.53:49182 - 
[*] [2016.06.12-11:07:06] 192.168.100.53:49182 - Description: 9
[*] [2016.06.12-11:07:06] 192.168.100.53:49182 - Path: C:\Program Files\Microsoft Office\Templates\, AllowSub: True
[*] [2016.06.12-11:07:06] 192.168.100.53:49182 - 
[*] [2016.06.12-11:07:06] 192.168.100.53:49182 - Description: 10
[*] [2016.06.12-11:07:06] 192.168.100.53:49182 - Path: %APPDATA%\Microsoft\Addins, AllowSub: False
[*] [2016.06.12-11:07:06] 192.168.100.53:49182 - 
[*] [2016.06.12-11:07:07] 192.168.100.53:49182 - Description: 11
[*] [2016.06.12-11:07:07] 192.168.100.53:49182 - Path: C:\Program Files\Microsoft Office\Document Themes 15\, AllowSub: True
[*] [2016.06.12-11:07:07] 192.168.100.53:49182 - Found trusted locations.
[*] [2016.06.12-11:07:07] 192.168.100.53:49182 - 
[*] [2016.06.12-11:07:07] 192.168.100.53:49182 - Description: 0
[*] [2016.06.12-11:07:08] 192.168.100.53:49182 - Path: %APPDATA%\Microsoft\Templates, AllowSub: False
[*] [2016.06.12-11:07:08] 192.168.100.53:49182 - 
[*] [2016.06.12-11:07:08] 192.168.100.53:49182 - Description: Word 2013 default location: Application Templates
[*] [2016.06.12-11:07:08] 192.168.100.53:49182 - Path: C:\Program Files\Microsoft Office\Templates\, AllowSub: True
[*] [2016.06.12-11:07:08] 192.168.100.53:49182 - 
[*] [2016.06.12-11:07:08] 192.168.100.53:49182 - Description: 2
[*] [2016.06.12-11:07:08] 192.168.100.53:49182 - Path: %APPDATA%\Microsoft\Word\Startup, AllowSub: False
[*] [2016.06.12-11:07:08] 192.168.100.53:49182 - 
[*] [2016.06.12-11:07:08] 192.168.100.53:49182 - Description: 3
[*] [2016.06.12-11:07:08] 192.168.100.53:49182 - Path: C:\Users\Public\Templates, AllowSub: False
[*] [2016.06.12-11:07:08] 192.168.100.53:49182 - 
[*] [2016.06.12-11:07:09] 192.168.100.53:49182 - Description: 
[*] [2016.06.12-11:07:09] 192.168.100.53:49182 - Path: C:\Users\vysec\Desktop\, AllowSub: False
[+] [2016.06.12-11:07:09] 192.168.100.53:49182 - Results stored in: /root/.msf4/loot/20160612110709_default_192.168.100.53_host.trusted_loc_581583.txt
[*] Post module execution completed


Quickly enumerates trusted locations for file planting :)

Quickly enumerates trusted locations for file planting :)
Fix some changes, I had emet references.
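The registry walk the module performs, shown as an added Ruby example that is not the PR's code: it runs against a constructed in-memory snapshot of the keys Office keeps trusted locations in, expands the %APPDATA%-style variables, and ranks the entries a low-privileged user could plant a file in. The key layout (HKCU\Software\[Policies\]Microsoft\Office\<ver>\<App>\Security\Trusted Locations\Location<N> with Path, AllowSubfolders and Description values) is the real one; the sample values, the SAMPLE_ENV map and the user_writable? heuristic are assumptions for illustration.

```ruby
# Added example, not the PR's module: walk an in-memory snapshot of the registry
# keys the module reads and pick out the trusted locations a low-privileged user
# can write to. The key layout is the real one Office uses:
#   HKCU\Software\[Policies\]Microsoft\Office\<ver>\<App>\Security\Trusted Locations\Location<N>
# with values Path (REG_SZ), AllowSubfolders (REG_DWORD) and Description (REG_SZ).
# The snapshot, the environment map and the writability heuristic are constructed
# for illustration and are not taken from a real host.

TL_KEY = /\A(?<hive>HKCU|HKLM)\\Software\\(?<policy>Policies\\)?Microsoft\\Office\\(?<ver>\d+\.\d+)\\(?<app>[^\\]+)\\Security\\Trusted Locations\\(?<loc>[^\\]+)\z/i

# Constructed snapshot shaped like the PR's output above (single-quoted so the
# backslashes stay literal; a trailing backslash has to be written as '\\').
SAMPLE_REGISTRY = {
  'HKCU\Software\Microsoft\Office\15.0\Excel\Security\Trusted Locations\Location3' =>
    { 'Path' => 'C:\Program Files\Microsoft Office\Office15\XLSTART\\', 'AllowSubfolders' => 1, 'Description' => '3' },
  'HKCU\Software\Microsoft\Office\15.0\Excel\Security\Trusted Locations\Location4' =>
    { 'Path' => '%APPDATA%\Microsoft\Excel\XLSTART', 'AllowSubfolders' => 0, 'Description' => '4' },
  'HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\Trusted Locations\Location8' =>
    { 'Path' => '%APPDATA%\Microsoft\Templates', 'AllowSubfolders' => 1, 'Description' => '8' },
  'HKCU\Software\Microsoft\Office\15.0\Word\Security\Trusted Locations\Location2' =>
    { 'Path' => '%APPDATA%\Microsoft\Word\Startup', 'AllowSubfolders' => 0, 'Description' => '2' },
  'HKCU\Software\Microsoft\Office\15.0\Word\Security\Trusted Locations\Location3' =>
    { 'Path' => 'C:\Users\Public\Templates', 'AllowSubfolders' => 0, 'Description' => '3' },
  'HKCU\Software\Microsoft\Office\15.0\Word\Security\Trusted Locations\Location5' =>
    { 'Path' => 'C:\Users\vysec\Desktop\\', 'AllowSubfolders' => 0, 'Description' => '' },
  # A location pushed by Group Policy lives under the Policies branch instead.
  'HKCU\Software\Policies\Microsoft\Office\15.0\Word\Security\Trusted Locations\Location0' =>
    { 'Path' => '\\\\fileserver\share\templates', 'AllowSubfolders' => 1, 'Description' => 'GPO' },
  # Unrelated security value that the walk must skip.
  'HKCU\Software\Microsoft\Office\15.0\Word\Security\VBAWarnings' => { '' => 2 },
}.freeze

# Constructed environment of the logged-on user (assumption).
SAMPLE_ENV = {
  'APPDATA'     => 'C:\Users\vysec\AppData\Roaming',
  'USERPROFILE' => 'C:\Users\vysec',
}.freeze

# Expand %VAR% references the way Office does before it compares paths.
def expand_env(path, env)
  path.gsub(/%([^%]+)%/) { env.fetch(Regexp.last_match(1).upcase, Regexp.last_match(0)) }
end

# Every Trusted Locations entry in the snapshot, whichever app or policy branch it sits in.
def enum_trusted_locations(registry)
  registry.each_with_object([]) do |(key, values), out|
    m = TL_KEY.match(key)
    next unless m && values['Path']
    out << {
      app: m[:app], version: m[:ver], name: m[:loc], policy: !m[:policy].nil?,
      path: values['Path'], allow_sub: values['AllowSubfolders'].to_i == 1,
      description: values['Description'].to_s,
    }
  end
end

# Heuristic (assumption): anything under the user's own profile is writable by
# that user. Paths outside it (Program Files, Public, UNC shares) need a real
# ACL check on the target before they are counted as plantable.
def user_writable?(expanded_path, env)
  norm = expanded_path.downcase.chomp('\\')
  profile = env.fetch('USERPROFILE').downcase.chomp('\\')
  norm == profile || norm.start_with?(profile + '\\')
end

# File-planting candidates, AllowSubfolders entries first: a document dropped
# anywhere beneath one of those opens without a Trust Center check.
def plantable_locations(registry, env)
  enum_trusted_locations(registry)
    .map { |loc| loc.merge(expanded: expand_env(loc[:path], env)) }
    .select { |loc| user_writable?(loc[:expanded], env) }
    .sort_by { |loc| [loc[:allow_sub] ? 0 : 1, loc[:app], loc[:name]] }
end

if __FILE__ == $PROGRAM_NAME
  plantable_locations(SAMPLE_REGISTRY, SAMPLE_ENV).each do |loc|
    puts format('%-10s %-9s AllowSub=%-5s %s', loc[:app], loc[:name], loc[:allow_sub], loc[:expanded])
  end
end
```

On the constructed snapshot the walk yields seven entries (one of them from the Policies branch) and four plantable ones, with the PowerPoint %APPDATA%\Microsoft\Templates entry first because AllowSubfolders is set. The Public and Program Files paths are deliberately left out by the heuristic; on a real engagement the module's loot file is the starting point and the ACLs of those directories decide the rest.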
@vysecurity (Author)

As always, I am sure there are code improvements you guys have for me :)

Fixed MSFTidy stuff
@vysecurity (Author)

Fixed some msftidy issues.

@sempervictus (Contributor)

Thank you, looks neat, will test this out.
It might be useful to expand this to different targets such as Java or other common clients. With a bit of crafty mitm and local certificate store abuse, you can get some very useful credentials passed to these trusted endpoints.

vysecurity commented Jun 13, 2016

For future I am looking at modules such as:

post/windows/gather/av/enum_comodo
post/windows/gather/av/enum_mcafee
post/windows/gather/enum_srp_policy

post/windows/gather/enum_applocker?

Easy enough to make and saves remembering paths for registry keys. Also this helps you automate it.

print_good("Results stored in: #{path}")
end
end
end
Contributor

This is the end, beautiful friend / This is the end, my only friend, the end

Author

or hopefully not as I want to write more :D

Contributor

Maybe we can refactor the level of nesting here. :)

Author

my Ruby sucks but any advice hugely appreciated.

@vysecurity (Author)

haha @wvu-r7 yes it is the end.

Added product it found the locations in.
Changed some colours
@Meatballs1 Meatballs1 self-assigned this Jun 15, 2016
@Meatballs1 (Contributor)

Some tidyup vysecurity#1

@vysecurity (Author)

Thanks Meatballs :)

7 participants