Add Maven creds module #8831
```ruby
def gathernix
  print_status("Unix OS detected")
  return cmd_exec('locate settings.xml').split("\n")
```
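Review bot: `cmd_exec('locate settings.xml').split("\n")` returns whatever the command wrote to its output, so when `locate` is not installed the shell's error message comes back as the single element of the array and is handed on as if it were a path; check that the command exists (or that it actually produced paths) before splitting, rather than inspecting the array afterwards. Note also that `locate` answers from the last `updatedb` run, so a settings.xml created since then is missed even where the tool is present.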
If the system doesn't have locate? I think it would fail.
Yes, do you think I should handle this case by using enum_user_directories in case "locate" does not exist?
I think enum_user_directories is a good approach.
Is it possible to have that setting.xml somewhere else? For example /opt/something/setting.xml?
Yes, it can be installed anywhere on the FS.
I submitted a new version in which I downgrade to enum_user_directories if locate is not installed ;)
```ruby
end

def gatherwin
  print_status("Windows OS detected")
```
Have you considered checking the Windows registry? Maybe it's more efficient for rare installation cases...
I'm not sure I understand what you mean about the registry. You're talking about Maven registry keys or...?
I guess when you install the software some registry keys are created. You can search them using metasploit functions.
For example: https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/mdaemon_cred_collector.rb#L60
If no registry key is created and/or no useful information is stored on them, you can ignore this comment.
Indeed, no registry keys are stored by this software; everything is in the settings.xml file.
@bcoles: I just added the doc to my module ;)
```ruby
# Handle case where locate does not exist (error is returned in first element)
if files.length == 1 && !directory?(files.first)
  files = []
  paths = enum_user_directories.map {|d| d}
```
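Review bot: the fallback condition `files.length == 1 && !directory?(files.first)` also fires when `locate` legitimately finds exactly one settings.xml, because that result is a file and `!directory?` is therefore true; the real hit is discarded and replaced by the user-directory scan. Test for the error case directly, for example `!file?(files.first)`. Separately, `enum_user_directories.map {|d| d}` is an identity map and can simply be `paths = enum_user_directories`.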
This works with a 'shell' and 'meterpreter'?
Have you tried both?
I think it would be useful if the docs had evidence of both.
Yes, it works on both; the doc is edited.
```ruby
if sysinfo
  if sysinfo['OS'].include? "Windows"
    files = gatherwin
  else
```
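Review bot: the `if sysinfo` guard acknowledges that `sysinfo` can be nil, which is the case on shell sessions, so the Windows/Unix decision on these lines is only reached from Meterpreter; `session.platform` is available for both session types and avoids the substring match on `sysinfo['OS']`. A case statement with an explicit catch-all branch for unexpected platforms would also make the unsupported case visible instead of silently taking the Unix path.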
Would this work on other OS? Mac OS X? Android? Either way, I would suggest using if, elsif (as many times as needed) and else (unexpected cases or a catch-all for the remaining issues).
Thx, will use a switch instead
```ruby
username = sub.elements['username'].text rescue "<unknown>"
password = sub.elements['password'].text rescue "<unknown>"

print_status("Collected the following credentials:")
```
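Review bot: the modifier form `... rescue "<unknown>"` on the `username`/`password` lines catches every StandardError, not only the NoMethodError from a missing element, so a bug in the XML traversal would silently surface as `<unknown>` credentials; testing `sub.elements['username']` for nil is explicit and keeps real errors visible. The `print_status("Collected the following credentials:")` belongs after the loop, otherwise it is printed once per `<server>` element.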
Is it possible to have more than one "servers/server" in the XML?
Even if not, I would suggest moving the last lines out of the each (there's no need to include them inside a loop).
```ruby
print_status("Reading settings.xml file from #{target}")
data = ""
if session.type == "shell"
  type = :shell
```
I believe this variable is not being used.
👍
```ruby
  type = :shell
  data = session.shell_command("cat #{target}")
else
  type = :meterp
```
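Review bot: `session.shell_command("cat #{target}")` interpolates the path unquoted, so a settings.xml under a directory whose name contains spaces or shell metacharacters is not read correctly; `read_file(target)` from Msf::Post::File already handles both shell and Meterpreter sessions, which would remove this branch together with the unused `type = :shell` / `type = :meterp` assignments.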
Same as above.
👍
As @jmartin-r7 mentioned in #8774, I transformed the loot into credentials.
```ruby
module_fullname: self.fullname,
filename: target,
service_name: 'maven',
realm_value: id,
```
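Review bot: `realm_value: id` records the `<server>` id, which by itself does not identify the host the credential belongs to; it is only the key into the `<repository>` or `<mirror>` element that holds the URL. Resolving the id to that URL before storing the credential, and setting `realm_key` alongside `realm_value`, makes the stored record meaningful to whoever reviews it later.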
For the realm it would be nice to parse out the url from the repository or mirror tag that id is referencing.
Per the Maven settings.xml spec for the server tag:
id: This is the ID of the server (not of the user to login as) that matches the id element of the repository/mirror that Maven tries to connect to.
Thanks, I implemented the cross action with these tags!
I verified that this worked fine yesterday. Thanks @elenoir
Merge remote-tracking branch 'upstream/pr/8831' into upstream-master
Release Notes: This adds a post-exploitation module for extracting Artifactory or Nexus credentials that are often stored in the Maven settings.xml configuration file.
Some Artifactory or Nexus credentials are often stored in the Maven settings.xml configuration file.
Example in a settings.xml:
This allows an application to reference this server and deploy files to it automatically.
This module scans all settings.xml files on the file system, gathers these credentials and stores them as loot.
Verification
List the steps needed to make sure this thing works
msfconsole
use post/multi/gather/maven_creds
set SESSION <id>
run
Output example
Loot output
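The parsing the review thread converges on, reading each `<server>` entry, resolving its `id` through the `<repository>`/`<mirror>` element it refers to (the realm question raised on the `realm_value` line) and flagging which passwords sit in the file in the clear, written here as an added example for auditing one's own settings.xml. It is not the module's code; the sample document is constructed, and the XPath choices and the brace test for Maven-encrypted values are my own assumptions.

```ruby
require 'rexml/document'
# Constructed sample settings.xml (not from the PR): a plaintext password tied to
# a profile repository, a Maven-encrypted one tied to a mirror, an unreferenced id.
SAMPLE_SETTINGS_XML = <<~XML
  <settings>
    <servers>
      <server><id>nexus-releases</id><username>deploy</username><password>S3cret!</password></server>
      <server><id>company-mirror</id><username>reader</username><password>{COQLCE6DU6GtcS5P=}</password></server>
      <server><id>orphan</id><username>old</username><password>stale</password></server>
      <server><id>git-ssh</id><privateKey>${user.home}/.ssh/id_rsa</privateKey></server>
    </servers>
    <mirrors><mirror><id>company-mirror</id><url>https://mirror.example.internal/repository/maven-public/</url></mirror></mirrors>
    <profiles><profile><repositories>
      <repository><id>nexus-releases</id><url>https://nexus.example.internal/repository/releases/</url></repository>
    </repositories></profile></profiles>
  </settings>
XML

# Map each repository/mirror id to its URL so a <server> id can be resolved to
# the host it authenticates against (the "realm" discussed in the review).
def repository_urls(doc)
  urls = {}
  %w[//mirror //repository //pluginRepository].each do |xpath|
    doc.elements.each(xpath) do |node|
      id  = node.elements['id']&.text
      url = node.elements['url']&.text
      urls[id] = url if id && url
    end
  end
  urls
end

# One entry per <server> that carries a password; servers using only a key are skipped.
def audit_settings(xml)
  doc  = REXML::Document.new(xml)
  urls = repository_urls(doc)
  doc.elements.to_a('//servers/server').map do |server|
    password = server.elements['password']&.text
    next if password.nil?
    id = server.elements['id']&.text
    {
      id: id,
      username: server.elements['username']&.text,
      realm: urls.fetch(id, '<no repository/mirror references this id>'),
      # Maven stores master-password-encrypted values in braces; anything else is cleartext.
      plaintext: !(password.start_with?('{') && password.end_with?('}')),
    }
  end.compact
end
```

Entries with `plaintext: true` are the ones worth rotating or moving behind Maven's master-password encryption; an entry whose realm reports no referencing repository or mirror is a stale credential that nothing in the file still uses.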