Add Maven creds module #8831
Add Maven creds module #8831
Conversation
|
|
||
| def gathernix | ||
| print_status("Unix OS detected") | ||
| return cmd_exec('locate settings.xml').split("\n") |
There was a problem hiding this comment.
If the system doesn't have locate? I think it would fail.
There was a problem hiding this comment.
Yes, do you think I should handle this case by using enum_user_directories in case "locate" does not exist?
There was a problem hiding this comment.
I think enum_user_directories is a good approach.
Is it possible to have that setting.xml somewhere else? for example /opt/something/setting.xml ?
There was a problem hiding this comment.
Yes it can be install anywhere on the FS.
I submit a new version in which I downgrade to enum_user_directories if locate is not installed ;)
| end | ||
|
|
||
| def gatherwin | ||
| print_status("Windows OS detected") |
There was a problem hiding this comment.
Have you consider checking windows registry? Maybe it's more efficient for rare installation cases...
There was a problem hiding this comment.
I'm not sure to understand what you say about the registry? You're talking about Maven registry keys or...?
There was a problem hiding this comment.
I guess when you install the software some registry keys are created. You can search them using metasploit functions.
For example: https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/mdaemon_cred_collector.rb#L60
If no registry key is created and/or no useful information is stored on them, you can ignore this comment.
There was a problem hiding this comment.
Indeed, no registry key are stored with this software, all is in the settings.xml file.
|
@bcoles : I just added the doc to my module ;) |
| # Handle case where locate does not exist (error is returned in first element) | ||
| if files.length == 1 && !directory?(files.first) | ||
| files = [] | ||
| paths = enum_user_directories.map {|d| d} |
There was a problem hiding this comment.
This works with a 'shell' and 'meterpreter'?
Have you tried both?
I think it would be useful if the docs would have evidence of both.
There was a problem hiding this comment.
Yes it works on both, doc is edited
| if sysinfo | ||
| if sysinfo['OS'].include? "Windows" | ||
| files = gatherwin | ||
| else |
There was a problem hiding this comment.
Would this work on other OS? Mac OS X? Android? Either case, I would suggest using if, elsif (as many times and needed) and else (unexpected cases or a catch all for the reminding issues).
There was a problem hiding this comment.
Thx, will use a switch instead
| username = sub.elements['username'].text rescue "<unknown>" | ||
| password = sub.elements['password'].text rescue "<unknown>" | ||
|
|
||
| print_status("Collected the following credentials:") |
There was a problem hiding this comment.
Is it possible to have more than "servers/server" in the XML?
Even if not, I would suggest removing from the each the last lines (there's no need to include them inside a loop)
| print_status("Reading settings.xml file from #{target}") | ||
| data = "" | ||
| if session.type == "shell" | ||
| type = :shell |
There was a problem hiding this comment.
I believe this variable is not being used.
| type = :shell | ||
| data = session.shell_command("cat #{target}") | ||
| else | ||
| type = :meterp |
|
As @jmartin-r7 mentionned in #8774 , I transformed the loots into credentials. |
| module_fullname: self.fullname, | ||
| filename: target, | ||
| service_name: 'maven', | ||
| realm_value: id, |
There was a problem hiding this comment.
For the realm it would be nice to parse out the url from the repository or mirror tag that id is referencing.
Per the maven settings.xml spec for the server tag
id: This is the ID of the server (not of the user to login as) that matches the id element of the repository/mirror that Maven tries to connect to.
There was a problem hiding this comment.
Thanks, I implemented the cross action with these tags !
|
I verified that this worked fine yesterday. Thanks @elenoir |
Merge remote-tracking branch 'upstream/pr/8831' into upstream-master
Release NotesThis adds a post-exploitation module for extracting Artifactory or Nexus credentials are often stored in the Maven settings.xml configuration file. |
Some Artifactory or Nexus credentials are often stored in the Maven settings.xml configuration file.
Example in a settings.xml :
This allows application to reference this server and deploy file automatically to it.
This modules scans all settings.xml on the file system, gathers these credentials and store them as loot.
Verification
List the steps needed to make sure this thing works
msfconsoleuse use post/multi/gather/maven_credsset SESSION <id>runOutput example
Loot output